Linux

linux中的TCP連接重置(奇怪的封包遺失)但在windows上沒有

  • August 31, 2016

在 Windows 上一切都很好,但在 linux 上,當我嘗試檢索特定網頁時,我會等待很長時間,然後出現“對等連接重置”

ping 目標 IP 工作正常。

我試圖將介面 MTU 減少到 1476(使用“ping -c1 -M do -s”找到)甚至更低的值,但它並沒有解決問題。

在目標主機附近的另一台 linux PC 上,沒有問題,所以我懷疑路徑中有一些路由器。

這些是 wireshark 和 tshark 輸出:

帶有連接重置的 Linux:http: //pastebin.com/tpjS5qZc

Windows 沒有問題: http: //pastebin.com/iyN1GDxT

似乎第三個數據包在到目標主機的路徑中失去,並且目標發送回幾個重複的 ack 數據包,但我看不出 windows 和 linux 數據包有任何相關差異。

在您的擷取中,兩台伺服器都設置了“不分段位”。這意味著兩端都在嘗試進行路徑 MTU 發現。

似乎有一個防火牆阻止ICMP Fragmentation Needed您的 Linux 伺服器訪問遠端伺服器。作為一種解決方法,啟用 MSS 箝位:

iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu

您也可以嘗試在 Linux 中禁用 P MTU Discovery:

echo  1  |sudo tee /proc/sys/net/ipv4/ip_no_pmtu_disc

iptables手冊頁:

TCPMSS 此目標允許更改 TCP SYN 數據包的 MSS 值,以控制該連接的最大大小(通常將其限制為傳出介面的 MTU 分別為 IPv4 減去 40 或 IPv6 為 60)。當然只能和-p tcp配合使用。

  This  target is used to overcome criminally braindead ISPs or servers which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too
  Big" packets.  The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind  it
  can never exchange large packets:
   1) Web browsers connect, then hang with no data received.
   2) Small mail works fine, but large emails hang.
   3) ssh works fine, but scp hangs after initial handshaking.
  Workaround: activate this option and add a rule to your firewall configuration like:

          iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
                      -j TCPMSS --clamp-mss-to-pmtu

  --set-mss value
         Explicitly  sets  MSS  option  to  specified  value.  If  the  MSS of the packet is already lower than value, it will not be
         increased (from Linux 2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS.

  --clamp-mss-to-pmtu
         Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6).  This may not function as desired where  asymmetric
         routes  with  differing  path MTU exist — the kernel uses the path MTU which it would use to send packets from itself to the
         source and destination IP addresses. Prior to Linux 2.6.25, only the path MTU to the destination IP address  was  considered
         by this option; subsequent kernels also consider the path MTU to the source IP address.

  These options are mutually exclusive.

見: http: //lartc.org/howto/lartc.cookbook.mtu-mss.html

**編輯:**在仔細查看捕穫後,我發現在過濾所有使用 TCP Timestamp 選項的 IP 數據包的路徑上有一個損壞的防火牆。只需在 Linux 機器上執行:echo 0 | sudo tee /proc/sys/net/ipv4/tcp_timestamps

引用自:https://serverfault.com/questions/411629