linux中的TCP連接重置(奇怪的封包遺失)但在windows上沒有
在 Windows 上一切都很好,但在 linux 上,當我嘗試檢索特定網頁時,我會等待很長時間,然後出現“對等連接重置”
ping 目標 IP 工作正常。
我試圖將介面 MTU 減少到 1476(使用“ping -c1 -M do -s”找到)甚至更低的值,但它並沒有解決問題。
在目標主機附近的另一台 linux PC 上,沒有問題,所以我懷疑路徑中有一些路由器。
這些是 wireshark 和 tshark 輸出:
帶有連接重置的 Linux:http: //pastebin.com/tpjS5qZc
Windows 沒有問題: http: //pastebin.com/iyN1GDxT
似乎第三個數據包在到目標主機的路徑中失去,並且目標發送回幾個重複的 ack 數據包,但我看不出 windows 和 linux 數據包有任何相關差異。
在您的擷取中,兩台伺服器都設置了“不分段位”。這意味著兩端都在嘗試進行路徑 MTU 發現。
似乎有一個防火牆阻止
ICMP Fragmentation Needed
您的 Linux 伺服器訪問遠端伺服器。作為一種解決方法,啟用 MSS 箝位:iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
您也可以嘗試在 Linux 中禁用 P MTU Discovery:
echo 1 |sudo tee /proc/sys/net/ipv4/ip_no_pmtu_disc
從
iptables
手冊頁:TCPMSS 此目標允許更改 TCP SYN 數據包的 MSS 值,以控制該連接的最大大小(通常將其限制為傳出介面的 MTU 分別為 IPv4 減去 40 或 IPv6 為 60)。當然只能和-p tcp配合使用。
This target is used to overcome criminally braindead ISPs or servers which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets: 1) Web browsers connect, then hang with no data received. 2) Small mail works fine, but large emails hang. 3) ssh works fine, but scp hangs after initial handshaking. Workaround: activate this option and add a rule to your firewall configuration like: iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu --set-mss value Explicitly sets MSS option to specified value. If the MSS of the packet is already lower than value, it will not be increased (from Linux 2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS. --clamp-mss-to-pmtu Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6). This may not function as desired where asymmetric routes with differing path MTU exist — the kernel uses the path MTU which it would use to send packets from itself to the source and destination IP addresses. Prior to Linux 2.6.25, only the path MTU to the destination IP address was considered by this option; subsequent kernels also consider the path MTU to the source IP address. These options are mutually exclusive.
見: http: //lartc.org/howto/lartc.cookbook.mtu-mss.html
**編輯:**在仔細查看捕穫後,我發現在過濾所有使用 TCP Timestamp 選項的 IP 數據包的路徑上有一個損壞的防火牆。只需在 Linux 機器上執行:
echo 0 | sudo tee /proc/sys/net/ipv4/tcp_timestamps