Oracle Linux: IPTABLES conntrack Table Gets Stuck with an Entry in SYN_SENT State
(Doc ID 2870462.1)
Last updated on MAY 22, 2022
Applies to: Linux OS - Version Oracle Linux 6.0 and later
The IPTABLES conntrack table will show an entry stuck in the SYN_SENT state for applications that reconnect to a server reusing the same local port (for example, NFS will report: server xxx not responding, timed out).
TCP conntrack assumes that a syn-ack retransmit is identical to the previous syn-ack. This is not correct and causes stuck 3-way handshakes in some more esoteric scenarios.
tcpdump to illustrate the problem:
This syn-ack has the correct ack number, but conntrack flags it as invalid:
The internal state was created from the first syn-ack seen, so the sequence number of the later syn-ack is treated as being outside the announced window.
Do not assume that a retransmitted syn-ack is identical to the previous one.
Treat it like the first syn-ack and reinitialise the state.
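As an added illustration (not part of this note and not the kernel's nf_conntrack code), the following Python model of the window check on the reply direction shows why a syn-ack carrying a new ISN is flagged INVALID while the entry stays in SYN_SENT, and how treating every syn-ack like the first one fixes it; the function names, the simplified check, and all sequence, ack and window values are assumptions.

```python
"""Simplified model of conntrack's TCP window check around the SYN-ACK.
Constructed illustration, not the kernel's code; every value below is made up."""
from dataclasses import dataclass, field
MASK = 0xFFFFFFFF

def before(a, b):  # RFC 793 modular comparison: True if a precedes b (mod 2^32)
    return ((a - b) & MASK) >> 31 == 1

@dataclass
class Side:
    td_end: int = 0     # highest seq+len seen from this side
    td_maxend: int = 0  # highest seq end this side may still send
    td_maxwin: int = 0  # largest window announced; 0 = never seen

@dataclass
class Entry:
    state: str = "NONE"
    orig: Side = field(default_factory=Side)
    reply: Side = field(default_factory=Side)

def on_syn(ct, seq, win):
    """Client SYN: (re)initialise the original direction; reply state is kept."""
    end = (seq + 1) & MASK
    ct.orig, ct.state = Side(end, end, max(win, 1)), "SYN_SENT"

def on_syn_ack(ct, seq, ack, win, reinit_on_synack):
    """Server SYN-ACK; returns the verdict: the new state or 'INVALID'."""
    end, s = (seq + 1) & MASK, ct.reply
    if s.td_maxwin == 0 or reinit_on_synack:
        # First SYN-ACK ever seen, or the fixed behaviour: treat every
        # SYN-ACK like the first one and rebuild the reply state from it.
        ct.reply, ct.state = Side(end, end, max(win, 1)), "SYN_RECV"
        return ct.state
    # Buggy path: assume an identical retransmit and check it against the window
    # built from the earlier SYN-ACK (the ack must still cover our SYN).
    if (ack != ct.orig.td_end or before(s.td_maxend, seq)
            or before(end, (s.td_end - ct.orig.td_maxwin) & MASK)):
        return "INVALID"  # dropped by the INVALID rule; entry keeps its state
    ct.state = "SYN_RECV"
    return ct.state

def reconnect_scenario(reinit_on_synack):
    """Client reuses the same 4-tuple; returns (entry state, SYN-ACK verdict)."""
    ct = Entry()
    on_syn(ct, seq=1000, win=29200)
    on_syn_ack(ct, 5_000_000, 1001, 65535, reinit_on_synack)
    # First connection ends; the entry is still in the table when the client
    # reconnects from the same local port, and the server picks a new ISN.
    on_syn(ct, seq=2000, win=29200)
    verdict = on_syn_ack(ct, 123_456, 2001, 65535, reinit_on_synack)
    return ct.state, verdict
```

With the buggy path the second syn-ack is rejected and the entry is left in SYN_SENT; with reinitialisation it advances to SYN_RECV, while a genuinely identical retransmit is accepted on both paths.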