Delay and retransmission of SYNs using netfilter conntrack with duplicate tuples

Solution Unverified - Updated -

Issue

  • We use the netfilter TPROXY target as part of a transparent proxy application facilitating connections from multiple clients to multiple servers.

When a client initiates a connection, we see the connection establish as expected. When a client initiates a second connection from a different source port as the first, we see the connection establish as expected. When a client initiates a second connection from the same source port as the first, we see a three second delay in connection establishment.

At the time of the delayed connection, we also see two tuples with the same source port in the output of ss -n -t.

Environment

  • Red Hat Enterprise Linux (RHEL) 6.3
  • netfilter connection tracking with TPROXY target

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content