
Re: [cobalt-users] RaQ4 Netstat LAST_ACK Connection Will Not Break



On Sat, 12 Jan 2002, Wayne Sagar wrote:

> I've had a connection showing LAST_ACK for about three days, I know they are 
> not connected anymore, just to be sure, I added the ip to my chains rules 
> and blocked it after about the first 18 hrs of it showing..
> 
> tcp        1  59541 www.myserverdomain.com:www  ns1.web.at:39060        
> LAST_ACK
> 
> I've had this before once or twice, there is no pid to kill just a - 
> showing, so that's out.
> 
> Other than rebooting, is there a way to manually make the box "forget" this 
> connection? Is it really a problem?

Ignore it, it's meaningless. Basically, you had a connection, closed it,
ACK'd the fact that it was closed, but the other end didn't send you
the last bit of the close sequence or it got lost. The kernel remembers
the connection for a while in this case just in case a stray packet comes
along ... it will go away eventually (days).

It looks something like this (simplified, assumes remote closed):

them     you      what                              your state
----     ---      ----                              ----------
data ->           some data
      <- ACK      got it
FIN  ->           done, close the connection        (FIN_WAIT1)
      <- ACK      saw the FIN, agree                (CLOSE_WAIT)
      <- FIN      closing my end too                (FIN_WAIT2)
ACK  ->           saw your FIN also                 (LAST_ACK)  <-- you are here

In effect, you are stuck waiting for the last little piece that agrees
that the connection is really truly closed by both ends. Only your end
knows for certain it is closed; the other end never acknowledged that it
got your confirmation that the connection was closed...

The kernel is forced to remember the connection state just in case a stray
packet comes along, it has to reply differently to a packet from a machine
that had a connection than it would from a machine it had never had a
connection to...

Blocking it with ipchains is way overkill, it was probably a perfectly
normal connection...

Bad firewall rules can sometimes exacerbate this state, as the ICMP
packets needed to complete connection closes get filtered out... It's more
or less harmless though... you are at worst wasting a dozen bytes of kernel
memory ;P

gsh
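The teardown sequence gsh describes, modelled as a small state machine, plus a parser for the `netstat` row Wayne quoted. This is an added example, not code from the thread; it covers both the passive-close side (the one that ends in LAST_ACK) and, for comparison, the active-close side. The transition tables, event names and the `SAMPLE` row are constructed for illustration.

```python
import re

# Transitions for the host that receives the remote FIN first (passive close),
# which is the situation behind the LAST_ACK entry in the thread.
PASSIVE_CLOSE = {
    ("ESTABLISHED", "rcv FIN"):   "CLOSE_WAIT",  # remote is done sending; we ACK its FIN
    ("CLOSE_WAIT",  "app close"): "LAST_ACK",    # our application closes; we send our FIN
    ("LAST_ACK",    "rcv ACK"):   "CLOSED",      # remote ACKs our FIN; kernel can drop the entry
}

# Transitions for the host that sends its FIN first (active close), for comparison.
ACTIVE_CLOSE = {
    ("ESTABLISHED", "app close"): "FIN_WAIT1",
    ("FIN_WAIT1",   "rcv ACK"):   "FIN_WAIT2",
    ("FIN_WAIT2",   "rcv FIN"):   "TIME_WAIT",   # we ACK their FIN and linger for a while
    ("TIME_WAIT",   "timeout"):   "CLOSED",
}

def run_close(table, events):
    """Replay events through a transition table, starting from ESTABLISHED.
    An event with no matching transition (a lost or stray packet) leaves the
    state unchanged, which is exactly how a connection gets parked in LAST_ACK."""
    state = "ESTABLISHED"
    trace = [state]
    for ev in events:
        state = table.get((state, ev), state)
        trace.append(state)
    return trace

# Columns of a `netstat -t` row: Proto Recv-Q Send-Q Local-Address Foreign-Address State
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)$")

def parse_netstat_line(line):
    """Split one netstat TCP row into a dict; raises ValueError on anything else."""
    m = NETSTAT_RE.match(line.strip())
    if not m:
        raise ValueError("not a netstat tcp row: %r" % line)
    row = m.groupdict()
    row["recvq"], row["sendq"] = int(row["recvq"]), int(row["sendq"])
    return row

def is_awaiting_final_ack(line):
    """True for the half-dead entries the thread is about: our FIN went out,
    the peer's final ACK never arrived, and there is no process to kill."""
    return parse_netstat_line(line)["state"] == "LAST_ACK"

# Constructed sample row mirroring the one quoted in the thread.
SAMPLE = "tcp        1  59541 www.myserverdomain.com:www  ns1.web.at:39060        LAST_ACK"

if __name__ == "__main__":
    print(run_close(PASSIVE_CLOSE, ["rcv FIN", "app close"]))             # final ACK lost: stays LAST_ACK
    print(run_close(PASSIVE_CLOSE, ["rcv FIN", "app close", "rcv ACK"]))  # normal close: reaches CLOSED
    print(is_awaiting_final_ack(SAMPLE))
```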