Re: Problems with internet traffic on procurve

vtmarvin · ‎02-18-2009

When users are accessing internet using our procurve 7102dl (with ADSL2+ module) their sessions are terminated frequently and log fills with following events:

2009.02.18 22:19:04 FIREWALL id=firewall time="2009-02-18 22:19:04" fw=router pri=1 proto=http src=192.168.0.101 dst=63.245.209.93 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet Src 1829 Dst 80 from Private policy-class on interface eth 0/1" agent=AdFirewall

or

2009.02.18 22:19:12 FIREWALL id=firewall time="2009-02-18 22:19:12" fw=router pri=1 rule=5 proto=1773/tcp src=66.77.15.231 dst=yy.yy.yy.yy msg="Invalid sequence number received with Reset, dropping packet Src 443 Dst 1773 from Public policy-class" agent=AdFirewall

192.168.0.0/24 is local subnet on eth0/1
yy.yy.yy.yy is asigned IP of pp1 ADSL interface

Firewall is configured using procurv web interface firewall wizard and web interface VPN wizard.

Any idea where is the problem? Users are quite upset because of "poor" internet connection and I cannot switch firewall off.

Thank you for any idea.

Martin

Pieter 't Hart · ‎02-19-2009

at first glance the "web interface VPN wizard" configuration part should not be used for clients connecting to the internet.

looks like the firewall declares the session down, while the client thinks it's still active!

is the 7102dl the only network component involved?

also take into account
- how many users are connecting to the internet
- what's the speed (up/down) of the adsl-connection?
- how much vpn-connections are active
- how much cpu is used on the switch/firewall

vtmarvin · ‎02-19-2009

Hello,
regarding other involved components see attached "scheme". There is backup line shown on it but problems are same with or without it.

Almost every time user tries to load some web page using IE or FF it generates couple of above mentioned errors. Same when user is using web based software updater - it fails after a while.
From the user side it seems like some web pages are sometimes impossible to load, or some page components (styles, scripts, pictures) are unable to load.

I mentioned VPN wizard because it adds some policies to firewall configuration. I didn't used it to configure firewall. It was used only to configure VPN access. Nothing more.

There are approx. 8 users connecting to internet at the same time plus some irregular server processes (1 or 2) - very small company.
There are max 2 clients connecting through VPN at the same time.

ADSL line speed is 8Mbps/512kbps
Line is ADSL2+ with MTU set to 1454

Max CPU load on router is about 30% average 10% to 15%. It is almost sleeping...

Pieter 't Hart · ‎02-19-2009

can you check if a splitter is used connected?

ftp://ftp.hp.com/pub/networking/software/SR7000dl-Basic-C07-ADSL-Nov2006.pdf
page 7-9 up

Pieter 't Hart · ‎02-20-2009

from the same document page 7-14 :
it may be an idea to change the "training-mode from the default "Multi-Mode" to "ADSL2+".
also you may experiment with the "signal-to-noise ratio (SNR) margin" page 7-15 up (this seems to need manual tuning).

please post "show running-config interface adsl 1/1"

vtmarvin · ‎02-20-2009

Hello,

splitter is connected (also I tried two other splitters from different manufacturers). It seems to work properly - "connectivity errors" are occuring regardless of voice traffic on phone line.

Training mode is set to ADSL2+ at the moment. There was problem with ADSL module 4 months ago when migrating from ADSL line TO ADSL2+ as original module firmware was not able to manage ADSL2+ line. This problem was fixed by new module firmware (J8759A_11_01_04.biz) I am not sure how much this FW is supported, but I find no other version on procurve support site and reply from procurve support took more than 3 months :-/. I will try changing training mode from ADSL2+ to multi-mode, but I have information from my provider that line is already ADSL2+ and line speed is currently slightly below reccomended physical line capability. So they do not expect errors on line. I will try setting training mode when I arrive on site (19:00 CET). I will post result immediately after trying.

Here is running config of ADSL interface, more info about ppp/adsl/atm interfaces in attached file.

You can see current SNR from there - ADSL module firmware need some tuning it shows some strange numbers in place of downstream SNR and attenuation.

show running-config interface adsl 1/1
Building configuration...
!
!
interface adsl 1/1
description "CRA ADSL"
snr-margin showtime-monitor
training-mode ADSL2+
no shutdown
!
end

Btw. there is also one type of error message in log which occurs rarely, but I am not sure, maybe it can provide some keys or maybe it is useless.
2009.02.20 15:37:27 FIREWALL id=firewall time="2009-02-20 15:37:27" fw=router pri=1 rule=5 proto=http src=192.168.0.33 dst=193.226.140.51 msg="Zero bytes transferred for connection Src 33884 Dst 80 from Private policy-class" agent=AdFirewall

vtmarvin · ‎02-20-2009

Hello,

after 3 hours of trying various ADSl settings...

The problem has nothing to do with ADSL. Problem is the same with ADSL interface disabled using only backup WiFi interface.

I have tried to disable rpf-check on all firewall interfaces but problem still persists.

vtmarvin · ‎02-20-2009

One more thing. Problem is not in network infrastructure of our private network. I have connected directly to eth0/1 with my notebook and problem remained the same.
All above means to me that problem is in router unit and its firmware or configuration.

vtmarvin · ‎02-21-2009

I have tried more changes in configuration - none of them helped.
Turning syn-flood check on firewall off.
Turning rst-seq check on firewall off. Strange - according to CLI guide it does not require any parameter but my CLI insists on port number parameter when switching off.
Setting policy-timeout for tcp protocol to 12 hours.
Turning load-sharing on and off.

Re: Problems with internet traffic on procurve

Problems with internet traffic on procurve