Wietse Venema:
> I don't know if this is a problem with Windows TCP/IP, or if this
> is a problem with a firewall on the client side. Reportedly, some
> firewalls randomize TCP sequence numbers but don't update the
> sequence numbers in SACK fields. That would be a sure way to mess
> up TCP.

Quoting from the Linux kernel mailing list, December 2007:

The Cisco PIX had a bug with SACK handling (CSCse14419, fixed in 7.0(7), 7.1(2.34), 7.2(2.2), 8.0(0.141) but perhaps it has regressed).

A simple trace either side of the firewall will show the inconsistency between the TCP sequence number (which gets randomised) and the Sack sequence number (which didn't).

You could disable the TCP Sequence Number Randomisation feature and see if the fault reoccurs.

To disable Selective Ack support:

    *BSD: sysctl -w net.inet.tcp.sack.enable=0
    L*n*x: echo 0 > /proc/sys/net/ipv4/tcp_sack

Wietse
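
The trace comparison described in the quoted text, as an added example that is not part of the original message: it checks whether ACK segments travelling toward the host behind the firewall have their SACK edges shifted by the same offset as the ACK field. It assumes the same segments were already extracted from both captures and paired in order; the function names, tuple layout and sample values are constructed for illustration.

```python
MOD = 2 ** 32
DELTA = 0x12345678  # constructed randomisation offset, used only for sample data

def check_sack_rewrite(outside, inside):
    """Compare the same ACK segments as seen outside and inside the firewall.

    Each trace is a list of (ack, [(left_edge, right_edge), ...]) tuples,
    already paired in order (assumption). Returns (index, delta, verdict)
    for every segment that carries SACK blocks.
    """
    findings = []
    for i, ((ack_out, sacks_out), (ack_in, sacks_in)) in enumerate(zip(outside, inside)):
        if not sacks_out:
            continue
        # Offset the firewall applied to the ACK field, modulo 2^32.
        delta = (ack_out - ack_in) % MOD
        if len(sacks_out) != len(sacks_in):
            findings.append((i, delta, "mismatch"))
            continue
        # Offset seen on each SACK edge; a correct rewrite gives exactly {delta}.
        shifts = {(o - n) % MOD
                  for blk_out, blk_in in zip(sacks_out, sacks_in)
                  for o, n in zip(blk_out, blk_in)}
        if shifts == {delta}:
            verdict = "consistent"
        elif delta != 0 and shifts == {0}:
            verdict = "sack-not-rewritten"  # ACK translated, SACK left alone
        else:
            verdict = "mismatch"
        findings.append((i, delta, verdict))
    return findings

def translate(segment, fix_sack):
    """Build the inside view of a constructed outside segment."""
    ack, sacks = segment
    shift = lambda v: (v - DELTA) % MOD
    return (shift(ack), [(shift(l), shift(r)) if fix_sack else (l, r) for l, r in sacks])

# Constructed outside-capture segments; the inside ACK value wraps past 2^32.
OUTSIDE = [
    (0x12344678, []),
    (0x12344678, [(0x12344C2C, 0x123451E0)]),
    (0x12344678, [(0x12344C2C, 0x123451E0), (0x12345794, 0x12345D48)]),
]
INSIDE_OK = [translate(s, True) for s in OUTSIDE]
INSIDE_BUGGY = [translate(s, False) for s in OUTSIDE]

if __name__ == "__main__":
    for name, trace in (("ok", INSIDE_OK), ("buggy", INSIDE_BUGGY)):
        print(name, check_sack_rewrite(OUTSIDE, trace))
```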