httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 48388] mod proxy disabling workers after a single error
Date Tue, 10 Feb 2015 13:45:42 GMT

--- Comment #17 from ---
Here is more information regarding our problem.  It is not a Solaris 11 bug but
a Solaris 11 security hardening.

In Solaris 10, the ougoing TCP ports were chosen sequentially.
In Solaris 11, probably to implement RFC 6056 "Recommendations for
Transport-Protocol Port Randomization", TCP ports are randomly chosen.
But the randomization does not guarantee that the port is not reused within 4
minutes (2 x the TCP Maximum Segment Lifetime, specified in RFC 1122)

The problem is occurring when the server-side of the TCP connection is closing
the connection first, for instance when the HTTP Keep-Alive is disabled with
the HTTP header "Connection: closed".  In this case, the TCP connection stays
in the TIME_WAIT state for a short period on the server-side, but the TCP
connection is immediately CLOSED on the client side.  The Solaris server
accepts a new connection anyway, but the Cisco PIX and ACE firewall in between
rejects them.

A more detailed explanation is available here :        

The RFC6191 specifies that TCP timestamps defined in RFC 1323 can be used to
shorten the TIME_WAIT period for a socket.

To activate it under Solaris, run the following command on the machine
initiating the TCP connections : 
sudo ndd -set /dev/tcp tcp_tstamp_always 1

The firewall must use this TCP field in its heuristics to make it work however.

Otherwise, it is possible to disable port randomization on Solaris 11 by adding
the following line in /etc/system and rebooting the system :

set ip:tcp_random_anon_port=0

You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message