[37018] in North American Network Operators' Group


Re: Linux, ECN and old firewalls

daemon@ATHENA.MIT.EDU (ken harris.)
Sun Apr 29 19:23:33 2001

Message-Id: <5.1.0.14.0.20010429191357.0550d8b8@babyblue.boii.com>
Date: Sun, 29 Apr 2001 19:18:43 -0400
To: Lee Watterworth <lwatterworth@rim.net>
From: "ken harris." <ken@boii.com>
Cc: nanog@merit.edu
In-Reply-To: <2E0F497E30A841408418B05A95E6651E9843C6@xch04ykf.rim.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu



>Bumped into a problem where my firewall was refusing connections from a
>linux machine, found the reason and thought I would share:

saw similar problems around last august (i think) .. hotmail was refusing
connections from one of my linux boxes. a bit of research showed me the
following:

: :http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCds23698)
: :     Bug ID: CSCds23698
: :     Headline: PIX sends RSET in response to tcp connections with ECN
: :   bits set
: :      Product: PIX
: :      Component: fw
: :      Severity: 2 Status: R [Resolved]
: :      Version Found: 5.1(1)
: :      Fixed-in Version: 5.1(2.206) 5.1(2.207)  5.2(1.200)
:
: fixes have been incorporated for a number of different release trains for
: the pix.
:
: Fixed-In Version now covers releases:
:          5.1(2.206), 5.1(2.207), 5.2(1.200), 6.0(0.100), 5.2(3.210)
:
: NB. it has been posted that Raptor firewalls will also apparently fail to
: allow connections with ECN bits set.

the workaround i was using was:
echo "0" >/proc/sys/net/ipv4/tcp_ecn

(though i was kind of pissed i had to even use a workaround and those
sites were being too stubborn to fix their gear).

cheers.
-ken harris.
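For readers who want to see what the PIX bug above was tripping over: the following is an added example (not part of Ken's post or of any Cisco or Linux code) that decodes a raw TCP header and flags an "ECN-setup SYN", i.e. a SYN with both the ECE and CWR bits set as RFC 3168 specifies. The two sample segments are constructed inline; the plain SYN is what a Linux host sends after the `tcp_ecn=0` workaround, the second is what a 2.4 kernel with ECN enabled sends.

```python
import struct

# TCP flag bits in the 16-bit data-offset/flags word (RFC 793, ECE/CWR from RFC 3168).
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH = 0x001, 0x002, 0x004, 0x008
FLAG_ACK, FLAG_URG, FLAG_ECE, FLAG_CWR = 0x010, 0x020, 0x040, 0x080


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into named fields (options ignored)."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": off_flags & 0x01FF,             # low 9 bits: NS..FIN
        "window": win,
    }


def flag_names(flags: int) -> list:
    """Human-readable flag list in the order tcpdump-style tools usually print them."""
    table = [("FIN", FLAG_FIN), ("SYN", FLAG_SYN), ("RST", FLAG_RST), ("PSH", FLAG_PSH),
             ("ACK", FLAG_ACK), ("URG", FLAG_URG), ("ECE", FLAG_ECE), ("CWR", FLAG_CWR)]
    return [name for name, bit in table if flags & bit]


def classify_syn(flags: int) -> str:
    """Classify a connection request; an ECN-setup SYN is SYN+ECE+CWR (RFC 3168 6.1.1)."""
    if flags & (FLAG_SYN | FLAG_ACK) != FLAG_SYN:
        return "not-a-syn"
    if flags & (FLAG_ECE | FLAG_CWR) == (FLAG_ECE | FLAG_CWR):
        return "ecn-setup-syn"
    if flags & (FLAG_ECE | FLAG_CWR):
        return "nonstandard-ecn-syn"
    return "plain-syn"


# Constructed sample segments: src port 40000 -> dst port 80, data offset 5 (20 bytes), window 5840.
PLAIN_SYN = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, 0x5000 | FLAG_SYN, 5840, 0, 0)
ECN_SYN = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, 0x5000 | FLAG_SYN | FLAG_ECE | FLAG_CWR, 5840, 0, 0)

if __name__ == "__main__":
    for label, seg in (("tcp_ecn=0", PLAIN_SYN), ("tcp_ecn=1", ECN_SYN)):
        hdr = parse_tcp_header(seg)
        print(label, flag_names(hdr["flags"]), classify_syn(hdr["flags"]))
```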


