
Oracle Linux: IPTABLES conntrack Table Gets Stuck with an Entry in SYN_SENT State (Doc ID 2870462.1)

Last updated on MAY 22, 2022

Applies to:

Linux OS - Version Oracle Linux 6.0 and later
Linux x86-64


The IPTABLES conntrack table shows a stuck entry in SYN_SENT state for applications that reconnect to a server reusing the same local port (for example, NFS reports: server xxx not responding, timed out).


TCP conntrack assumes that a syn-ack retransmit is identical to the previous syn-ack. This isn't correct and causes stuck 3-Way Handshakes in some more esoteric scenarios.

tcpdump to illustrate the problem:

This syn-ack has the correct ack number, but conntrack flags it as invalid:
The internal state was created from the first syn-ack seen, so the sequence number of the syn-ack is treated as being outside of the announced window.

Don't assume that a retransmitted syn-ack is identical to the previous one.
Treat it like the first syn-ack and reinit the state.
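
One way to spot the symptom described above, as an added example that is not part of the Oracle note: the script compares two snapshots in `/proc/net/nf_conntrack` format and reports TCP flows that are in SYN_SENT in both. The snapshot contents, addresses, ports and function names are constructed for illustration.

```python
import re

# Constructed snapshots in /proc/net/nf_conntrack format (made-up addresses).
# Take the real ones far enough apart that a normal handshake would have completed.
SNAPSHOT_1 = """\
ipv4     2 tcp      6 98 SYN_SENT src=192.0.2.10 dst=192.0.2.20 sport=861 dport=2049 [UNREPLIED] src=192.0.2.20 dst=192.0.2.10 sport=2049 dport=861 mark=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=192.0.2.30 sport=45122 dport=22 src=192.0.2.30 dst=192.0.2.10 sport=22 dport=45122 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.0.2.10 dst=192.0.2.40 sport=51000 dport=443 [UNREPLIED] src=192.0.2.40 dst=192.0.2.10 sport=443 dport=51000 mark=0 use=2
"""
SNAPSHOT_2 = """\
ipv4     2 tcp      6 112 SYN_SENT src=192.0.2.10 dst=192.0.2.20 sport=861 dport=2049 [UNREPLIED] src=192.0.2.20 dst=192.0.2.10 sport=2049 dport=861 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.40 sport=51000 dport=443 src=192.0.2.40 dst=192.0.2.10 sport=443 dport=51000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 25 src=192.0.2.10 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=40000 mark=0 use=2
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def syn_sent_flows(snapshot):
    """Return the set of (src, sport, dst, dport) for TCP entries in SYN_SENT."""
    flows = set()
    for line in snapshot.splitlines():
        cols = line.split()
        if "tcp" not in cols:
            continue
        i = cols.index("tcp")  # layout: tcp <proto-number> <timeout> <state> ...
        if len(cols) < i + 4 or cols[i + 3] != "SYN_SENT":
            continue
        # The first four key=value pairs describe the original direction.
        orig = dict(FIELD.findall(line)[:4])
        flows.add((orig["src"], orig["sport"], orig["dst"], orig["dport"]))
    return flows


def stuck_candidates(earlier, later):
    """Flows still in SYN_SENT in both snapshots: candidates for a stuck entry."""
    return sorted(syn_sent_flows(earlier) & syn_sent_flows(later))


if __name__ == "__main__":
    for src, sport, dst, dport in stuck_candidates(SNAPSHOT_1, SNAPSHOT_2):
        print(f"still SYN_SENT: {src}:{sport} -> {dst}:{dport}")
```

A flow that stays in this list while the application keeps reusing the same local port matches the symptom; a tcpdump on that 4-tuple then shows whether syn-acks are arriving.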



