TCP FIN hangups in encrypted ESP tunnel

[Peter J. Philipp]

Hi,

My VPS at Hetzner has very weird behaviour:

last week it started hanging up scp'ing of large backups, so I worked hard to
get these encrypted if it was a hangup attack.  Well surprise to me too the
hangups are back.  I have tcpdump'ed the enc0 from both sides and the FIN
does originate from the Hetzner VPS.  It's inside the secure channel but I
did not activate it knowingly.  Even a ktrace does not show much, no signal,
no close(), no shutdown().  The connection just drops on FIN and resulting
RST's.  Here is a catpure of the FIN:

seen from pod:

18:02:59.040443 (authentic,confidential): SPI 0xf2d38877: 2a01:4f8:c010:71dd::1 
> 2003:a:60f:ce01::108: 2a01:4f8:c010:71dd::1.1022 > 
2003:a:60f:ce01::108.40358: FP [tcp sum ok] 45961186:45962414(1228) ack 15902 
win 268 <nop,nop,timestamp 2363771869 964842829> [class 0x20] [flowlabel 
0x3fceb] (len 1260, hlim 64) [class 0x20] (len 1300, hlim 64)

seen from arda:

18:02:59.064240 (authentic,confidential): SPI 0xf2d38877: 2a01:4f8:c010:71dd::1 
> 2003:a:60f:ce01::108: 2a01:4f8:c010:71dd::1.1022 > 
2003:a:60f:ce01::108.40358: FP [tcp sum ok] 45961186:45962414(1228) ack 15902 
win 268 <nop,nop,timestamp 2363771869 964842829> [class 0x20] [flowlabel 
0x3fceb] (len 1260, hlim 64) (len 1300, hlim 55)

The download downloads a few MB and then it hangs up.

Has anyone seen this sort of behaviour?  I don't think I changed much in my
pf rules because up until last month backups downloaded flawlessly.  Here is
my dmesg (after my signature):

Best Regards,
-peter


OpenBSD 6.9 (GENERIC.MP) #3: Mon Jun  7 08:21:26 MDT 2021
    
r...@syspatch-69-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2080227328 (1983MB)
avail mem = 2001866752 (1909MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf5b10 (9 entries)
bios0: vendor Hetzner version "20171111" date 11/11/2017
bios0: Hetzner vServer
acpi0 at bios0: ACPI 3.0
acpi0: sleep states S5
acpi0: tables DSDT FACP APIC HPET MCFG
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD EPYC Processor (with IBPB), 2495.71 MHz, 17-01-02
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,TOPEXT,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,SSBD,XSAVEOPT,XSAVEC,XGETBV1
cpu0: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 
8-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1000MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD EPYC Processor (with IBPB), 2495.40 MHz, 17-01-02
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,TOPEXT,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,SSBD,XSAVEOPT,XSAVEC,XGETBV1
cpu1: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 
8-way L2 cache
cpu1: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: smt 0, core 0, package 1
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpihpet0 at acpi0: 100000000 Hz
acpimcfg0 at acpi0
acpimcfg0: addr 0xb0000000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0: 0x00000000 0x00000011 0x00000001
acpicmos0 at acpi0
"APP0005" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
pvbus0 at mainbus0: KVM
pvclock0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82G33 Host" rev 0x00
vga1 at pci0 dev 1 function 0 "Qumranet Virtio 1.x GPU" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 2 function 0 vendor "Red Hat", unknown product 0x000c rev 
0x00: apic 0 int 22
pci1 at ppb0 bus 1
virtio0 at pci1 dev 0 function 0 "Qumranet Virtio 1.x Network" rev 0x01
vio0 at virtio0: address 96:00:00:a5:ca:09
virtio0: msix shared
ppb1 at pci0 dev 2 function 1 vendor "Red Hat", unknown product 0x000c rev 
0x00: apic 0 int 22
pci2 at ppb1 bus 2
xhci0 at pci2 dev 0 function 0 vendor "Red Hat", unknown product 0x000d rev 
0x01: apic 0 int 22, xHCI 0.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Red Hat xHCI root hub" rev 3.00/1.00 
addr 1
ppb2 at pci0 dev 2 function 2 vendor "Red Hat", unknown product 0x000c rev 
0x00: apic 0 int 22
pci3 at ppb2 bus 3
virtio1 at pci3 dev 0 function 0 "Qumranet Virtio 1.x Console" rev 0x01
virtio1: no matching child driver; not configured
ppb3 at pci0 dev 2 function 3 vendor "Red Hat", unknown product 0x000c rev 
0x00: apic 0 int 22
pci4 at ppb3 bus 4
virtio2 at pci4 dev 0 function 0 vendor "Qumranet", unknown product 0x1045 rev 
0x01
viomb0 at virtio2
virtio2: apic 0 int 22
ppb4 at pci0 dev 2 function 4 vendor "Red Hat", unknown product 0x000c rev 
0x00: apic 0 int 22
pci5 at ppb4 bus 5
virtio3 at pci5 dev 0 function 0 "Qumranet Virtio 1.x RNG" rev 0x01
viornd0 at virtio3
virtio3: apic 0 int 22
ppb5 at pci0 dev 2 function 5 vendor "Red Hat", unknown product 0x000c rev 
0x00: apic 0 int 22
pci6 at ppb5 bus 6
virtio4 at pci6 dev 0 function 0 "Qumranet Virtio 1.x SCSI" rev 0x01
vioscsi0 at virtio4: qsize 128
scsibus1 at vioscsi0: 255 targets
sd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU HARDDISK, 2.5+>
sd0: 39064MB, 512 bytes/sector, 80003072 sectors, thin
virtio4: msix shared
ppb6 at pci0 dev 2 function 6 vendor "Red Hat", unknown product 0x000c rev 
0x00: apic 0 int 22
pci7 at ppb6 bus 7
ppb7 at pci0 dev 2 function 7 vendor "Red Hat", unknown product 0x000c rev 
0x00: apic 0 int 22
pci8 at ppb7 bus 8
ppb8 at pci0 dev 3 function 0 vendor "Red Hat", unknown product 0x000c rev 
0x00: apic 0 int 23
pci9 at ppb8 bus 9
pcib0 at pci0 dev 31 function 0 "Intel 82801IB LPC" rev 0x02
ahci0 at pci0 dev 31 function 2 "Intel 82801I AHCI" rev 0x02: msi, AHCI 1.0
ahci0: port 0: 1.5Gb/s
scsibus2 at ahci0: 32 targets
cd0 at scsibus2 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.5+> removable
ichiic0 at pci0 dev 31 function 3 "Intel 82801I SMBus" rev 0x02: apic 0 int 16
iic0 at ichiic0
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
uhidev0 at uhub0 port 5 configuration 1 interface 0 "QEMU QEMU USB Tablet" rev 
2.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (7d473b0655b55a88.a) swap on sd0b dump on sd0b