Intermittent Connectivity Issue - initial SYN-ACK is not sent

(Doc ID 2119503.1)

Last updated on JULY 29, 2016

Applies to:

Solaris Operating System - Version 10 1/13 U11 to 10 1/13 U11 [Release 10.0]
Information in this document applies to any platform.

Symptoms

Clients of a Solaris 10 system were experiencing intermittent TCP connection failures. Packet traces indicate the initial SYN-ACK was not sent, for example:

*** initial SYN (connection request) from the remote Linux client:
1 0.000000 10.xx.xxx.33 10.xx.xx.82 TCP 59783→22 [SYN] Seq=4088891306 Win=14600 Len=0 MSS=1380 SACK_PERM=1 WS=128

*** no response, so the client retransmits its SYN:
2 0.999654 10.xx.xxx.33 10.xx.xx.82 TCP 59783→22 [SYN] Seq=4088891306 Win=14600 Len=0 MSS=1380 SACK_PERM=1 WS=128

*** Solaris TCP ACKs the SYN - but without the SYN flag. This indicates this is a "dupACK"
*** and implies that Solaris TCP believes it has already sent a SYN-ACK, and it is not yet time to retransmit its SYN
3 0.999781 10.xx.xx.82 10.xx.xxx.33 TCP 22→59783 [ACK] Seq=3891756925 Ack=4088891307 Win=49248 Len=0

*** here is the SYN-ACK from Solaris - note the Seq value of one less than the earlier ACK,
*** indicating this is a retransmitted SYN-ACK
4 1.136616 10.xx.xx.82 10.xx.xxx.33 TCP 22→59783 [SYN, ACK] Seq=3891756924 Ack=4088891307 Win=49248 Len=0 MSS=1460 WS=1 SACK_PERM=1

The trace continues like this, with SYNs from the Linux client and SYN-ACKs and sometimes just ACKs (depending on whether the backed-off TCP retransmit timer has expired), until 71 seconds elapse, at which time the client gives up and sends an RST, clearing the connection attempt.

The remote Linux client does not see the SYN-ACK packets, as the customer's firewall drops them as "out of sequence" once it sees the ACK without the SYN flag. While this is technically incorrect on the part of the firewall (there is no ESTABLISHED connection until the SYN-ACK is sent and ACKed by the client here, and nothing above is incorrect behavior by either TCP stack), dropping SYN-ACKs after an ACK is something that some firewalls commonly will do. The firewall passed all the ACKs without the SYN flag, but dropped all the subsequent SYN-ACKs, without which the connection could not be established.
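To look for the same pattern in other captures, the check below flags a listener that answers a SYN with a bare ACK before any SYN-ACK appears, and a later SYN-ACK whose Seq is one less than that ACK's Seq. It is an added example, not part of the Oracle document; it assumes a text export with the column layout of the trace above, and the names TRACE, LINE and analyze are hypothetical.

```python
import re

# Trace lines copied from the Symptoms section above (addresses masked as on the page).
TRACE = """\
1 0.000000 10.xx.xxx.33 10.xx.xx.82 TCP 59783→22 [SYN] Seq=4088891306 Win=14600 Len=0 MSS=1380 SACK_PERM=1 WS=128
2 0.999654 10.xx.xxx.33 10.xx.xx.82 TCP 59783→22 [SYN] Seq=4088891306 Win=14600 Len=0 MSS=1380 SACK_PERM=1 WS=128
3 0.999781 10.xx.xx.82 10.xx.xxx.33 TCP 22→59783 [ACK] Seq=3891756925 Ack=4088891307 Win=49248 Len=0
4 1.136616 10.xx.xx.82 10.xx.xxx.33 TCP 22→59783 [SYN, ACK] Seq=3891756924 Ack=4088891307 Win=49248 Len=0 MSS=1460 WS=1 SACK_PERM=1
"""

LINE = re.compile(
    r"^(?P<no>\d+) [\d.]+ (?P<src>\S+) (?P<dst>\S+) TCP (?P<sport>\d+)→(?P<dport>\d+) "
    r"\[(?P<flags>[^\]]+)\] Seq=(?P<seq>\d+)(?: Ack=(?P<ack>\d+))?")

def analyze(trace):
    """Return (frame_no, finding) pairs for handshakes answered by a bare ACK first."""
    pending = {}   # (client, cport, server, sport) -> handshake state
    findings = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        flags = {f.strip() for f in m["flags"].split(",")}
        no, seq = int(m["no"]), int(m["seq"])
        fwd = (m["src"], m["sport"], m["dst"], m["dport"])
        rev = (m["dst"], m["dport"], m["src"], m["sport"])
        if flags == {"SYN"}:
            # First SYN records the client ISN; retransmitted SYNs keep the state.
            pending.setdefault(fwd, {"isn": seq, "bare_ack": None, "synack_seen": False})
            continue
        st = pending.get(rev)
        if st is None or m["ack"] is None or int(m["ack"]) != (st["isn"] + 1) % 2**32:
            continue   # not a listener reply acknowledging the tracked SYN
        if flags == {"ACK"} and not st["synack_seen"]:
            # Listener ACKs the SYN without the SYN flag and no SYN-ACK is in the capture.
            st["bare_ack"] = seq
            findings.append((no, "ACK_BEFORE_SYNACK"))
        elif flags == {"SYN", "ACK"}:
            # Seq one below the bare ACK's Seq marks a retransmitted SYN-ACK.
            if st["bare_ack"] is not None and (seq + 1) % 2**32 == st["bare_ack"]:
                findings.append((no, "SYNACK_AFTER_BARE_ACK"))
            st["synack_seen"] = True
    return findings

if __name__ == "__main__":
    for frame, finding in analyze(TRACE):
        print(frame, finding)
```

On the trace above it reports frame 3 and frame 4, the ACK/SYN-ACK ordering that the firewall described in this section rejected.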

Cause
