Linux, ECN and old firewalls
ken harris.
ken at boii.com
Sun Apr 29 23:18:43 UTC 2001
>Bumped into a problem where my firewall was refusing connections from a
>linux machine, found the reason and thought I would share:
saw similar problems around last august (i think) .. hotmail was refusing
connections from one of my linux boxes. a bit of research showed me the
following:
: : (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCds23698)
: : Bug ID: CSCds23698
: : Headline: PIX sends RSET in response to tcp connections with ECN
: : bits set
: : Product: PIX
: : Component: fw
: : Severity: 2 Status: R [Resolved]
: : Version Found: 5.1(1)
: : Fixed-in Version: 5.1(2.206) 5.1(2.207) 5.2(1.200)
:
: fixes have been incorporated for a number of different release trains for
: the pix.
:
: Fixed-In Version now covers releases:
: 5.1(2.206), 5.1(2.207), 5.2(1.200), 6.0(0.100), 5.2(3.210)
:
: NB. it has been posted that Raptor firewalls will also apparently fail to
: allow connections with ECN bits set.
the workaround i was using was:
echo "0" >/proc/sys/net/ipv4/tcp_ecn
(though i was kind of pissed i had to even use a workaround and those
sites were being too stubborn to fix their gear).
cheers.
-ken harris.
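The failure the Cisco bug describes is an ECN-setup SYN (SYN with the ECE and CWR bits set, which Linux sends when tcp_ecn is 1) being answered with a RST instead of a SYN/ACK. The following is an added example, not code from Ken's post or from Cisco, that recognises that pattern in raw TCP headers; it assumes segments are handed in as bytes and constructs its own sample segments, so it runs offline.

```python
"""Spot the pattern behind Cisco bug CSCds23698: an ECN-setup SYN answered by RST."""
import struct

# TCP flag bits in header byte 13 (RFC 793, plus the RFC 3168 ECN bits).
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_ACK = 0x01, 0x02, 0x04, 0x10
FLAG_ECE, FLAG_CWR = 0x40, 0x80
# A Linux host with tcp_ecn=1 opens connections with SYN+ECE+CWR.
ECN_SETUP_SYN = FLAG_SYN | FLAG_ECE | FLAG_CWR

TCP_FMT = "!HHIIBBHHH"  # sport, dport, seq, ack, offset, flags, win, csum, urg


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Construct a minimal 20-byte TCP header (no options, checksum zero)."""
    data_offset = 5 << 4  # header length in 32-bit words, reserved bits clear
    return struct.pack(TCP_FMT, sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def parse_tcp_header(segment):
    """Return (sport, dport, seq, ack, flags) from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, _off, flags, *_ = struct.unpack(TCP_FMT, segment[:20])
    return sport, dport, seq, ack, flags


def is_ecn_setup_syn(flags):
    """SYN with both ECN bits set and ACK clear: the initial ECN negotiation."""
    mask = FLAG_SYN | FLAG_ACK | FLAG_ECE | FLAG_CWR
    return flags & mask == ECN_SETUP_SYN


def ecn_syn_answered_with_rst(syn, reply):
    """True when `reply` is a RST for the ECN-setup SYN `syn`: same flow,
    reversed ports, and an ACK number equal to the SYN's sequence plus one."""
    s_sport, s_dport, s_seq, _, s_flags = parse_tcp_header(syn)
    r_sport, r_dport, _, r_ack, r_flags = parse_tcp_header(reply)
    same_flow = (r_sport, r_dport) == (s_dport, s_sport)
    acks_syn = r_ack == ((s_seq + 1) & 0xFFFFFFFF)
    return same_flow and acks_syn and is_ecn_setup_syn(s_flags) and bool(r_flags & FLAG_RST)


# Constructed sample segments (not captured traffic): client port 40000 to a web server.
ECN_SYN = build_tcp_header(40000, 80, 1000, 0, ECN_SETUP_SYN)
PLAIN_SYN = build_tcp_header(40000, 80, 1000, 0, FLAG_SYN)
RST_REPLY = build_tcp_header(80, 40000, 0, 1001, FLAG_RST | FLAG_ACK)
SYNACK_REPLY = build_tcp_header(80, 40000, 5000, 1001, FLAG_SYN | FLAG_ACK)

if __name__ == "__main__":
    print("ECN SYN rejected:", ecn_syn_answered_with_rst(ECN_SYN, RST_REPLY))  # True
```

Feeding real SYN/RST pairs from a capture into ecn_syn_answered_with_rst separates this firewall behaviour from an ordinary closed port, where the plain SYN would be refused as well.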
More information about the NANOG mailing list