On Fri, Jul 28, 2017 at 08:36:49AM +0200, Klavs Klavsen wrote:
> The network guys know what caused it.
>
> Apparently on (at least some) Cisco equipment the feature:
>
> TCP Sequence Number Randomization
>
> is enabled by default.
I didn't want to suggest names but since you did it first ;-)

Indeed it's mostly on the same device that I've been bothered a lot by
their annoying randomization. I used to know by memory the exact command
to type to disable it, but I don't anymore (something along "no
randomization").

The other trouble it causes is retransmits of the first SYN when your
source ports wrap too fast (i.e. when installed after a proxy). The SYNs
reaching the other end find a session in TIME_WAIT, but the SYN sometimes
lands in the previous window and leads to an ACK instead of a SYN-ACK,
which the firewall blocks. This was easily worked around using timestamps
on both sides thanks to PAWS. But disabling the broken feature is better.
And no, "more secure" is not an excuse for "broken".

> It would most definitely be beneficial if Linux handled SACK "not working"
> better than it does - but then I might never have found the culprit who
> destroyed SACK :)

Yep ;-)

Willy
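The two failure modes Willy describes, modelled in code. This is an added example written for this page; it is not code from the thread, from Linux or from any vendor. It assumes a middlebox that shifts the client's sequence number by a random delta on the way in, un-shifts the server's ack number on the way out, and (in the broken configuration) forgets to translate the SACK option; it also assumes a deliberately simplified TIME_WAIT rule (a SYN is accepted only if its ISN is after the old rcv_nxt or its timestamp is newer, otherwise the old socket answers with a plain ACK), which is a sketch of the behaviour Willy refers to, not a copy of the kernel code. All sequence numbers and the delta are constructed values.

```python
"""Constructed model of a TCP ISN-randomising middlebox breaking SACK and
TIME_WAIT reuse.  Added illustration, not code from the thread or from any
vendor; the box's behaviour and the TIME_WAIT rule are assumptions."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MOD = 1 << 32
SackBlock = Tuple[int, int]   # (left, right) edges in the peer's seq space


def seq_after(a: int, b: int) -> bool:
    """RFC 793 style: True if a is strictly after b, modulo 2**32."""
    return (b - a) % MOD >= (1 << 31)


def in_window(x: int, lo: int, hi: int) -> bool:
    """True if lo <= x <= hi, modulo 2**32."""
    return (x - lo) % MOD <= (hi - lo) % MOD


@dataclass
class Segment:
    seq: int
    ack: int = 0
    length: int = 0
    sack: List[SackBlock] = field(default_factory=list)


def randomize_c2s(seg: Segment, delta: int) -> Segment:
    """Middlebox, client -> server: shift the client's sequence number."""
    return Segment((seg.seq + delta) % MOD, seg.ack, seg.length, list(seg.sack))


def randomize_s2c(seg: Segment, delta: int, fix_sack: bool) -> Segment:
    """Middlebox, server -> client: undo the shift on the ack number.  SACK
    blocks refer to client sequence numbers too; a box that leaves them
    alone (fix_sack=False) hands the client numbers from a space it never
    used."""
    ack = (seg.ack - delta) % MOD
    sack = ([((l - delta) % MOD, (r - delta) % MOD) for l, r in seg.sack]
            if fix_sack else list(seg.sack))
    return Segment(seg.seq, ack, seg.length, sack)


def usable_sack_blocks(snd_una: int, snd_nxt: int,
                       blocks: List[SackBlock]) -> List[SackBlock]:
    """Sender-side sanity check: a block is only honoured if it covers data
    actually in flight, i.e. lies inside (snd_una, snd_nxt]."""
    return [(l, r) for l, r in blocks
            if seq_after(l, snd_una) and in_window(r, snd_una, snd_nxt)
            and seq_after(r, l)]


def sack_after_loss(delta: int, fix_sack: bool) -> List[SackBlock]:
    """Client sends four 100-byte segments (seq 1001..1400), the second is
    lost.  Returns the SACK blocks the client can still use after the
    server's ack came back through the middlebox."""
    isn = 1000
    data = [Segment(seq=isn + 1 + 100 * i, length=100) for i in range(4)]
    arrived = [randomize_c2s(s, delta) for i, s in enumerate(data) if i != 1]

    # Server-side reassembly in the shifted space: advance rcv_nxt while the
    # data is contiguous, queue the rest as (merged) SACK blocks.
    rcv_nxt = arrived[0].seq
    blocks: List[SackBlock] = []
    for s in arrived:
        end = (s.seq + s.length) % MOD
        if s.seq == rcv_nxt:
            rcv_nxt = end
        elif blocks and blocks[-1][1] == s.seq:
            blocks[-1] = (blocks[-1][0], end)
        else:
            blocks.append((s.seq, end))

    server_ack = Segment(seq=5000, ack=rcv_nxt, sack=blocks)
    seen = randomize_s2c(server_ack, delta, fix_sack)   # what the client gets
    snd_una, snd_nxt = seen.ack, isn + 1 + 400
    return usable_sack_blocks(snd_una, snd_nxt, seen.sack)


def timewait_reply(tw_rcv_nxt: int, tw_ts_recent: Optional[int],
                   syn_seq: int, syn_tsval: Optional[int] = None) -> str:
    """Simplified TIME_WAIT rule (assumption): a SYN for the same 4-tuple is
    accepted (SYN-ACK) only if its ISN is after the old rcv_nxt or, with
    timestamps on both sides, its tsval is newer than the last seen (PAWS).
    Otherwise the old socket just sends an ACK, which a stateful firewall
    drops because it is not the SYN-ACK it expects."""
    if seq_after(syn_seq, tw_rcv_nxt):
        return "SYN-ACK"
    if (syn_tsval is not None and tw_ts_recent is not None
            and seq_after(syn_tsval, tw_ts_recent)):
        return "SYN-ACK"
    return "ACK"


if __name__ == "__main__":
    delta = 0x2A000000                 # one random shift chosen by the box
    print("box translates SACK:", sack_after_loss(delta, True))
    print("box ignores SACK   :", sack_after_loss(delta, False))
    # Port reused quickly; the fresh shift lands the SYN before old rcv_nxt.
    print("old window, no timestamps:", timewait_reply(5_000_000, 100, 4_000_000))
    print("old window, PAWS         :", timewait_reply(5_000_000, 100, 4_000_000, 200))
```

With the option translated (or no randomisation at all) the client sees one usable block, 1201..1400, and can retransmit only the lost segment; with the option left alone every block fails the in-flight check and is dropped, so the sender falls back to non-SACK recovery, which is the "SACK not working" symptom. The TIME_WAIT function shows why timestamps rescued the second case: a SYN whose shifted ISN falls below the old connection's rcv_nxt gets a bare ACK unless its tsval is newer.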