
SYN_SENT issue

 
sdip
Advisor


Hi,

We have configured our BigIP (load balancer) to load balance incoming mail to two HP-UX boxes. We created one virtual IP on the BigIP box and pointed it to those servers.

When we try to connect to those servers with the following command, it takes more than a minute to connect.

From other server :
telnet 25

Destination server :
tcp 0 1 10.250.43.65.50699 10.250.43.151.113 SYN_SENT
tcp 0 0 10.250.43.65.25 10.250.43.151.52247 ESTABLISHED

After a minute that SYN_SENT disappears, and then we are able to connect to that server.

We have added the BigIP's SNAT IP address to those nodes' /etc/hosts files.

Could anyone please advise what we should do to resolve this issue?


Ron Kinner
Honored Contributor

Re: SYN_SENT issue

Not sure how to stop it but I can perhaps tell you what is going on. The SYN_SENT line indicates that the HPUX is trying to use the IdentD service (port 113) to check out who's talking to it. Obviously your BIGIP doesn't have an IdentD server running so it eventually times out and when that happens it appears to let you connect even though it never figured out who you were.

From the man:

"DESCRIPTION
identd is a server which implements the TCP/IP proposed standard IDENT user identification protocol as specified in the RFC 1413 document.

identd operates by looking up specific TCP/IP connections and returning the user name of the process owning the connection. It can optionally return other information instead of a user name."

It appears from:

http://mail-index.netbsd.org/netbsd-help/1996/08/26/0001.html

that the delay problem is in BigIP's lack of response to the IdentD syn packet. Since it doesn't support IdentD it should immediately return ICMP Port Unreachable but instead it does nothing. The ICMP Port Unreachable would tell sendmail to give up and get on with it but since it doesn't get anything it waits for some other timeout. (I think there is a parameter in ndd somewhere for how long to wait for a response to a syn before giving up but that would have an effect on all TCP connections so you shouldn't play with that.) The above article mentions compiling sendmail without the IdentD feature as a possibility but I suspect the proper thing to do would be to lean on the BigIP people until their box responded properly. (I assume we do not have a firewall sitting in the middle that you forgot to mention?)

Ron
rick jones
Honored Contributor

Re: SYN_SENT issue

I'm not sure if the HP-UX TCP stack will give up immediately on a port unreachable, but certainly if the BigIP box were to return a RST, as TCP should when a SYN arrives for a tuple for which there is no LISTEN endpoint, the identd check would terminate immediately, well before tcp_ip_abort_cinterval.
there is no rest for the wicked yet the virtuous have no pillows
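
The following is an added example, not code from the thread or from any of its posters. It picks outbound ident (port 113) connections stuck in SYN_SENT out of netstat output in the layout quoted in the question, then probes a peer to tell an immediate RST from a silently dropped SYN; the function names and the 5 second probe timeout are assumptions made for the illustration.

```python
import socket
import time

IDENT_PORT = 113  # RFC 1413 ident service

# Constructed sample, in the netstat layout quoted in the question.
SAMPLE_NETSTAT = """\
tcp 0 1 10.250.43.65.50699 10.250.43.151.113 SYN_SENT
tcp 0 0 10.250.43.65.25 10.250.43.151.52247 ESTABLISHED
"""


def stalled_ident_peers(netstat_text):
    """Return remote IPs with an outbound ident connection stuck in SYN_SENT."""
    peers = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] != "tcp" or fields[5] != "SYN_SENT":
            continue
        # The address and port are joined by a dot: a.b.c.d.port
        ip, _, port = fields[4].rpartition(".")
        if port == str(IDENT_PORT):
            peers.append(ip)
    return peers


def probe(host, port=IDENT_PORT, timeout=5.0):
    """Classify the answer to a SYN as 'open', 'refused', 'dropped' or 'error'."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            verdict = "open"      # something is listening on the port
    except ConnectionRefusedError:
        verdict = "refused"       # RST came back: the ident check fails fast
    except socket.timeout:
        verdict = "dropped"       # no reply: the caller waits out its timer
    except OSError:
        verdict = "error"         # other failure, e.g. no route to host
    return verdict, round(time.monotonic() - start, 3)


if __name__ == "__main__":
    for peer in stalled_ident_peers(SAMPLE_NETSTAT):
        print(peer, *probe(peer))
```

A "dropped" verdict with an elapsed time equal to the probe timeout matches the behaviour described in the replies; "refused" within milliseconds is what a peer that answers the SYN with a RST looks like.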