[ale] apache wierdness

Yu, Jerry Jerry.Yu at Voicecom.com
Thu Apr 14 13:26:23 EDT 2005


Check out the returned ICMP packet. The MTU is somewhat odd. Note you
have <DF> set.

The 'need to frag' actually explains why errors (404/403/500) can get
through, I think, because they are small enough to pass w/o being
forced to frag (with one of the interfaces failing to frag) even with the
smallest MTU in the route.

# -----Original Message-----
# From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of James P. Kinney III
# Sent: Thursday, April 14, 2005 11:58 AM
# To: Atlanta Linux Enthusiasts
# Subject: RE: [ale] apache wierdness
# 
# On Thu, 2005-04-14 at 10:30 -0400, Yu, Jerry wrote:
# > what are the results for /index.html and /cgi-bin/printenv when you try it from
# > 1) from localhost
# 
# works OK
# > 2) from DMZ or intranet, aka., behind the firewall which NATs the apache
# works OK
# > 2) from outside
# Works OK on some ISP's. Speakeasy is NOT one that works.
# > 
# > apache log: does access_log show the hang request as a success?
# Log shows connection but no request.
# 
# 
# 216.27.162.82 is my machine, 172.16.10.2 is the DMZ internal interface,
# 172.16.10.1 is the web server. 216.27.164.101 is the external interface.
# Here's a tcp dump of the DMZ interface:
# 
# tcpdump: listening on eth1
# 09:19:44.310293 216.27.164.101.53964 > 172.16.10.1.https: S 865145535:865145535(0) win 5840 <mss 1460,sackOK,timestamp 150425947 0,nop,wscale 2> (DF)
# 09:19:44.310419 172.16.10.1.https > 216.27.164.101.53964: S 2810103798:2810103798(0) ack 865145536 win 5792 <mss 1460,sackOK,timestamp 129832767 150425947,nop,wscale 0> (DF)
# 09:19:44.329400 216.27.164.101.53964 > 172.16.10.1.https: . ack 1 win 1460 <nop,nop,timestamp 150425965 129832767> (DF)
# 09:19:44.338396 216.27.164.101.53964 > 172.16.10.1.https: P 1:121(120) ack 1 win 1460 <nop,nop,timestamp 150425965 129832767> (DF)
# 09:19:44.338556 172.16.10.1.https > 216.27.164.101.53964: . ack 121 win 5792 <nop,nop,timestamp 129832770 150425965> (DF)
# 09:19:44.339059 172.16.10.1.https > 216.27.164.101.53964: P 1:123(122) ack 121 win 5792 <nop,nop,timestamp 129832770 150425965> (DF)
# 09:19:44.364614 216.27.164.101.53964 > 172.16.10.1.https: . ack 123 win 1460 <nop,nop,timestamp 150426001 129832770> (DF)
# 09:19:44.392973 216.27.164.101.53964 > 172.16.10.1.https: P 121:645(524) ack 123 win 1460 <nop,nop,timestamp 150426002 129832770> (DF)
# 09:19:44.425129 172.16.10.1.https > 216.27.164.101.53964: . ack 645 win 6432 <nop,nop,timestamp 129832779 150426002> (DF)
# 09:19:44.453231 216.27.164.101.53964 > 172.16.10.1.https: P 645:816(171) ack 123 win 1460 <nop,nop,timestamp 150426081 129832779> (DF)
# 09:19:44.453388 172.16.10.1.https > 216.27.164.101.53964: . ack 816 win 7504 <nop,nop,timestamp 129832781 150426081> (DF)
# 09:19:44.458288 172.16.10.1.https > 216.27.164.101.53964: P 123:370(247) ack 816 win 7504 <nop,nop,timestamp 129832782 150426081> (DF)
# 09:19:44.465501 172.16.10.1.https > 216.27.164.101.53964: . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 129832782 150426081> (DF)
# 09:19:44.465655 172.16.10.2 > 172.16.10.1: icmp: 216.27.162.82 unreachable - need to frag (mtu 1465) [tos 0xc0]
# 09:19:44.531404 216.27.164.101.53964 > 172.16.10.1.https: . ack 370 win 1728 <nop,nop,timestamp 150426168 129832782> (DF)
# 09:19:44.531932 172.16.10.1.https > 216.27.164.101.53964: . 1818:3266(1448) ack 816 win 7504 <nop,nop,timestamp 129832789 150426168> (DF)
# 09:19:44.532048 172.16.10.2 > 172.16.10.1: icmp: 216.27.162.82 unreachable - need to frag (mtu 1465) [tos 0xc0]
# 09:19:44.531943 172.16.10.1.https > 216.27.164.101.53964: P 3266:3681(415) ack 816 win 7504 <nop,nop,timestamp 129832789 150426168> (DF)
# 09:19:44.569365 216.27.164.101.53964 > 172.16.10.1.https: . ack 370 win 1728 <nop,nop,timestamp 150426206 129832782,nop,nop,sack sack 1 {3266:3681} > (DF)
# 09:19:45.545528 172.16.10.1.https > 216.27.164.101.53964: . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 129832891 150426206> (DF)
# 09:19:45.545624 172.16.10.2 > 172.16.10.1: icmp: 216.27.162.82 unreachable - need to frag (mtu 1465) [tos 0xc0]
# 09:19:47.585536 172.16.10.1.https > 216.27.164.101.53964: . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 129833095 150426206> (DF)
# 09:19:47.585668 172.16.10.2 > 172.16.10.1: icmp: 216.27.162.82 unreachable - need to frag (mtu 1465) [tos 0xc0]
# 09:19:51.665535 172.16.10.1.https > 216.27.164.101.53964: . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 129833503 150426206> (DF)
# 09:19:51.665681 172.16.10.2 > 172.16.10.1: icmp: 216.27.162.82 unreachable - need to frag (mtu 1465) [tos 0xc0]
# 
# 25 packets received by filter
# 0 packets dropped by kernel
# 
# > 
# > # -----Original Message-----
# > # From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of James P. Kinney III
# > # Sent: Thursday, April 14, 2005 8:12 AM
# > # To: rsj at radio.org; Atlanta Linux Enthusiasts
# > # Subject: Re: [ale] apache wierdness
# > #
# > # On Wed, 2005-04-13 at 21:27 -0400, Randal Jarrett wrote:
# > # > Since the IP address has changed have you made sure that you flushed
# > # > all the caches on your browser?
# > # >
# > # Tried from a freshly built machine (2 actually, a linux box and an XP Pro)
# > # with the same results.
# > # >
# > # > On Wed, 2005-04-13 at 16:46 -0400, James P. Kinney III wrote:
# > # > > Scenario:
# > # > >
# > # > > apache server behind nat firewall.
# > # > > Network changes just occurred.
# > # > > Nat reconfigured to accept new external IP and redirect to DMZ
# > # > > apache server.
# > # > >
# > # > > Situation:
# > # > >
# > # > > _partial_ connections. If login to web script with bad user name or
# > # > > password, system returns the correct "bad username or password.
# > # > > Login failed" error message from the login script.
# > # > >
# > # > > Using a good combination, I get no response. It looks like a server
# > # > > hung on connect. wget eventually times out. BUT! The person who
# > # > > wrote the app on the server connects just fine with the SAME LOGIN
# > # > > THAT FAILS WITH ME?!?!?!
# > # > >
# > # > > Both of us see the same IP address. No errors in the log files.
# > # > >
# > # > > If I try and access a perl script in cgi-bin called printenv with
# > # > > the perms set to no execute, I get an apache error message telling
# > # > > me it can't be executed. If the perms are fixed, the server just sits
# > # > > and does NOTHING.
# > # > >
# > # > > I have never seen something like this before and am completely
# > # > > perplexed.
# > # > >
# > # > > The firewall now has old and new connections on it (i.e. old IP and
# > # > > new IP) We are in the process of migrating to a new ISP/data line
# > # > > provider.
# > # > >
# > # > > If everything failed to go through, I could understand it being the
# > # > > network change. But some stuff comes through. Static pages don't happen.
# > # > > Error messages happen.
# > # > >
# > # > >
# > # -- 
# > # James P. Kinney III          \Changing the mobile computing world/
# > # CEO & Director of Engineering \          one Linux user         /
# > # Local Net Solutions,LLC        \           at a time.          /
# > # 770-493-8244                    \.___________________________./
# > # http://www.localnetsolutions.com
# > #
# > # GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney at localnetsolutions.com>
# > # Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
# -- 
# James P. Kinney III          \Changing the mobile computing world/
# CEO & Director of Engineering \          one Linux user         /
# Local Net Solutions,LLC        \           at a time.          /
# 770-493-8244                    \.___________________________./
# http://www.localnetsolutions.com
# 
# GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) 
# <jkinney at localnetsolutions.com> Fingerprint = 3C9E 6366 54FC 
# A3FE BA4D 0659 6190 ADC3 829C 6CA7
# 
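
An added illustration, not part of the list messages: a small Python parser for tcpdump text in the format quoted above. It reports which DF segments exceed the MTU advertised in the ICMP "need to frag" replies, which ones fit, and which were resent at the same size afterwards. The sample capture and the names `analyze` and `datagram_len` are constructed for this example; header sizes assume no IP options and only the TCP timestamp option.

```python
import re

# Constructed capture in the tcpdump text format quoted in the thread.
# Addresses are documentation ranges, not the hosts from the thread.
SAMPLE = """\
10:00:00.10 192.0.2.10.https > 198.51.100.7.40000: P 123:370(247) ack 816 win 7504 <nop,nop,timestamp 10 20> (DF)
10:00:00.20 192.0.2.10.https > 198.51.100.7.40000: . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 10 20> (DF)
10:00:00.21 192.0.2.1 > 192.0.2.10: icmp: 198.51.100.7 unreachable - need to frag (mtu 1465) [tos 0xc0]
10:00:00.30 192.0.2.10.https > 198.51.100.7.40000: P 1818:2233(415) ack 816 win 7504 <nop,nop,timestamp 11 21> (DF)
10:00:01.20 192.0.2.10.https > 198.51.100.7.40000: . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 12 21> (DF)
10:00:01.21 192.0.2.1 > 192.0.2.10: icmp: 198.51.100.7 unreachable - need to frag (mtu 1465) [tos 0xc0]
"""

SEG = re.compile(r"^\S+ (\S+) > (\S+): \S+ (\d+):(\d+)\((\d+)\) .*<(.*)> \(DF\)")
FRAG = re.compile(r"icmp: \S+ unreachable - need to frag \(mtu (\d+)\)")

def datagram_len(payload, tcp_opts):
    # 20-byte IP header + 20-byte TCP header + payload; the timestamp option
    # (10 bytes) plus two nops adds 12. Assumes no IP options, no other TCP options.
    return 40 + payload + (12 if "timestamp" in tcp_opts else 0)

def analyze(capture):
    """Return the advertised path MTU and which DF data segments fit, exceed
    it, or were resent unchanged after an ICMP 'need to frag' had arrived."""
    mtu, sizes, resent = None, {}, []
    for line in capture.splitlines():
        icmp = FRAG.search(line)
        if icmp:
            mtu = int(icmp.group(1)) if mtu is None else min(mtu, int(icmp.group(1)))
            continue
        seg = SEG.match(line)
        if not seg:
            continue  # pure ACKs and packets without DF are skipped
        src, dst, start, end, payload, opts = seg.groups()
        key = (src, dst, f"{start}:{end}")
        if key in sizes and mtu is not None and key[2] not in resent:
            resent.append(key[2])  # same byte range again: size was not reduced
        sizes[key] = datagram_len(int(payload), opts)
    fits = [k[2] for k, n in sizes.items() if mtu is None or n <= mtu]
    too_big = [k[2] for k, n in sizes.items() if mtu is not None and n > mtu]
    return {"mtu": mtu, "fits": fits, "too_big": too_big, "resent_after_icmp": resent}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```
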


