Solaris

syslog-ng 2.0.9 immediately closes TCP connections from some clients..?

  • July 5, 2013

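I have a syslog-ng instance on 2.0.9, it's old, but... this is enterprise IT and upgrading versions is fun... running on Solaris 10. I have a strange problem where some clients stop being able to stay connected to the server over TCP.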

When a client works, I can start syslog-ng on the client, and it connects and sends data, and stays connected...

12:20:13.200547 IP (tos 0x0, ttl  64, id 13064, offset 0, flags [DF], proto: TCP (6), length: 60) 10.37.128.185.35765 > 10.37.141.31.shell: S, cksum 0xade4 (correct), 1572869826:1572869826(0) win 5840 <mss 1460,sackOK,timestamp 958735818 0,nop,wscale 7>
12:20:13.202279 IP (tos 0x0, ttl  63, id 27707, offset 0, flags [DF], proto: TCP (6), length: 64) 10.37.141.31.shell > 10.37.128.185.35765: S, cksum 0x434d (correct), 3180100791:3180100791(0) ack 1572869827 win 32942 <nop,nop,timestamp 2210148518 958735818,mss 1460,nop,wscale 2,nop,nop,sackOK>
12:20:13.202327 IP (tos 0x0, ttl  64, id 13065, offset 0, flags [DF], proto: TCP (6), length: 52) 10.37.128.185.35765 > 10.37.141.31.shell: ., cksum 0x0499 (correct), ack 1 win 46 <nop,nop,timestamp 958735820 2210148518>
12:20:13.202823 IP (tos 0x0, ttl  64, id 13066, offset 0, flags [DF], proto: TCP (6), length: 140) 10.37.128.185.35765 > 10.37.141.31.shell: P, cksum 0x179d (correct), 1:89(88) ack 1 win 46 <nop,nop,timestamp 958735820 2210148518>
12:20:13.204061 IP (tos 0x0, ttl  63, id 27708, offset 0, flags [DF], proto: TCP (6), length: 52) 10.37.141.31.shell > 10.37.128.185.35765: ., cksum 0x83d6 (correct), ack 89 win 32920 <nop,nop,timestamp 2210148518 958735820>
12:20:13.205558 IP (tos 0x0, ttl  64, id 13067, offset 0, flags [DF], proto: TCP (6), length: 124) 10.37.128.185.35765 > 10.37.141.31.shell: P, cksum 0xc071 (correct), 89:161(72) ack 1 win 46 <nop,nop,timestamp 958735823 2210148518>
12:20:13.206247 IP (tos 0x0, ttl  63, id 27709, offset 0, flags [DF], proto: TCP (6), length: 52) 10.37.141.31.shell > 10.37.128.185.35765: ., cksum 0x839d (correct), ack 161 win 32902 <nop,nop,timestamp 2210148518 958735823>

When a client is unable to stay connected, I see the server immediately drop the connection with a FIN...

12:20:02.441949 IP (tos 0x10, ttl  64, id 8231, offset 0, flags [DF], proto: TCP (6), length: 60) 10.37.128.185.46121 > 10.37.141.31.shell: S, cksum 0xeb7e (correct), 1553390564:1553390564(0) win 5840 <mss 1460,sackOK,timestamp 958725059 0,nop,wscale 7>
12:20:02.443817 IP (tos 0x0, ttl  63, id 27678, offset 0, flags [DF], proto: TCP (6), length: 64) 10.37.141.31.shell > 10.37.128.185.46121: S, cksum 0xe379 (correct), 3007391908:3007391908(0) ack 1553390565 win 32942 <nop,nop,timestamp 2210147442 958725059,mss 1460,nop,wscale 2,nop,nop,sackOK>
12:20:02.443840 IP (tos 0x10, ttl  64, id 8232, offset 0, flags [DF], proto: TCP (6), length: 52) 10.37.128.185.46121 > 10.37.141.31.shell: ., cksum 0xa4c5 (correct), ack 1 win 46 <nop,nop,timestamp 958725061 2210147442>
12:20:02.445689 IP (tos 0x0, ttl  63, id 27679, offset 0, flags [DF], proto: TCP (6), length: 52) 10.37.141.31.shell > 10.37.128.185.46121: F, cksum 0x2444 (correct), 1:1(0) ack 1 win 32942 <nop,nop,timestamp 2210147442 958725061>
12:20:02.445737 IP (tos 0x10, ttl  64, id 8233, offset 0, flags [DF], proto: TCP (6), length: 52) 10.37.128.185.46121 > 10.37.141.31.shell: F, cksum 0xa4c1 (correct), 1:1(0) ack 2 win 46 <nop,nop,timestamp 958725063 2210147442>
12:20:02.447244 IP (tos 0x0, ttl  63, id 27680, offset 0, flags [DF], proto: TCP (6), length: 52) 10.37.141.31.shell > 10.37.128.185.46121: ., cksum 0x2441 (correct), ack 2 win 32942 <nop,nop,timestamp 2210147442 958725063>

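Now, this problem was originally thought to be on different clients, but in this case it's the same box. I generated the successful messages by restarting the client syslog-ng service, and the unsuccessful ones with a telnet to the server port.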

I have also started a new syslog-ng server instance on another port, and on localhost, a telnet to 514 connects and disconnects...

$ telnet localhost 514
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection to localhost closed by foreign host

But on another port, on a new process, we can open a connection just fine...

$ telnet localhost 1140
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet
quit
Connection to localhost closed.

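So something in syslog-ng or Solaris 10 seems not to like some of these connections after the process has been running for an undefined period of time. This is linked against tcpwrappers, with "syslog-ng: ALL" defined in hosts.allow, and the behavior I see is similar to what would happen when tcpwrappers blocks a connection, I think, but I don't believe that is the faulty part of the system, as it seems to be universal.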

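The "localhost to new process" behavior looks the same as the remote connections; it doesn't look like a firewall getting in the way and doing weird things or anything. I'm lost.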

Any guesses or pointers appreciated!

Check the max-connections setting in syslog.conf - the default is 10, which may be too low for you.
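
The two captures in the question differ in one thing: in the failing one the server sends the first FIN before the client has sent any payload. The sketch below is an added example, not code from the question or the answer; it assumes old-style `tcpdump -v` text lines like those shown, the function name `classify_flows` is hypothetical, and it labels each flow so that accept-then-close connections stand out in a longer capture.

```python
import re

# Old-style `tcpdump -v` line: "<time> IP (...) <src> > <dst>: <flags>, <rest>"
LINE = re.compile(r"^\S+ IP .*? (\S+) > (\S+): ([SFPR.]+),(.*)$")
PAYLOAD = re.compile(r"\d+:\d+\((\d+)\)")   # "1:89(88)" -> 88 payload bytes

def classify_flows(lines):
    """Map (client, server) -> verdict for every flow whose SYN is in `lines`."""
    flows = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst, flags, rest = m.groups()
        if "S" in flags and " ack " not in rest:       # bare SYN: src is the client
            flows[(src, dst)] = {"sent": 0, "first_fin": None}
            continue
        key = (src, dst) if (src, dst) in flows else (dst, src)
        if key not in flows:
            continue                                    # handshake not captured
        state, from_client = flows[key], key[0] == src
        size = PAYLOAD.search(rest)
        if from_client and size:
            state["sent"] += int(size.group(1))         # payload bytes from client
        if "F" in flags and state["first_fin"] is None:
            state["first_fin"] = ("client" if from_client else "server", state["sent"])
    verdicts = {}
    for key, s in flows.items():
        if s["first_fin"] == ("server", 0):
            verdicts[key] = "server closed before any data"
        elif s["sent"]:
            verdicts[key] = "client sent %d bytes" % s["sent"]
        else:
            verdicts[key] = "no data yet"
    return verdicts

# Lines shortened from the two captures in the question (IP header and TCP options trimmed).
SAMPLE = """\
12:20:02.441949 IP (tos 0x10) 10.37.128.185.46121 > 10.37.141.31.shell: S, cksum 0xeb7e (correct), 1553390564:1553390564(0) win 5840
12:20:02.443817 IP (tos 0x0) 10.37.141.31.shell > 10.37.128.185.46121: S, cksum 0xe379 (correct), 3007391908:3007391908(0) ack 1553390565 win 32942
12:20:02.445689 IP (tos 0x0) 10.37.141.31.shell > 10.37.128.185.46121: F, cksum 0x2444 (correct), 1:1(0) ack 1 win 32942
12:20:13.200547 IP (tos 0x0) 10.37.128.185.35765 > 10.37.141.31.shell: S, cksum 0xade4 (correct), 1572869826:1572869826(0) win 5840
12:20:13.202279 IP (tos 0x0) 10.37.141.31.shell > 10.37.128.185.35765: S, cksum 0x434d (correct), 3180100791:3180100791(0) ack 1572869827 win 32942
12:20:13.202823 IP (tos 0x0) 10.37.128.185.35765 > 10.37.141.31.shell: P, cksum 0x179d (correct), 1:89(88) ack 1 win 46
12:20:13.205558 IP (tos 0x0) 10.37.128.185.35765 > 10.37.141.31.shell: P, cksum 0xc071 (correct), 89:161(72) ack 1 win 46
""".splitlines()
```

Counting the "server closed before any data" flows over time, next to the number of established connections on the listening port, shows whether the closes begin once the listener reaches its connection limit.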

Source: https://serverfault.com/questions/521068