Attention v2.9.16 users!

If you are using v2.9.16 then please change

 /ip firewall connection tracking>print                               
enabled: yes
tcp-syn-sent-timeout: 50ms
tcp-syn-received-timeout: 50ms
...

to

 /ip firewall connection tracking>print                               
enabled: yes
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
...

Nice, 2 hours trying to figure out why nearby servers worked and others did not… and why ICMP was working with all of them; thought it was a BGP issue…

Just as a note… if you downgrade, the setting will remain unchanged!

Guys, isn’t it better to simply release 2.9.17?! Remember - not all people visit this forum …

-pekr-

Done

5s? Was the previous value something like 1-2m? I think 5s is still too short for many users on slow dialup, cellular, etc. I’m just throwing this out there, not saying 5s is wrong though…

Sam

We sell MT routers to corporate customers who manage them themselves (we provide consulting support), and man, I had a stack of phone messages from frantic customers this morning when I came in!

[admin@MikroTik] ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 1m
tcp-syn-received-timeout: 1m

This is my MT setup. Should I change 1m to 5s? And why?

Same here… suggestions?

Tip: The topic is: Attention v2.9.16 users! …

This value (roughly speaking) defines the time span that it may take to completely open a TCP connection. This is started by a SYN packet, and if the SYN-ACK packet doesn’t arrive within the time you configure here, the “half-open” connection is dropped.

The main reason to keep this short is that this is one way to run a denial-of-service attack: if your system waits 1 minute to see whether some (every) half-open connection will finally become a fully established connection, it has to keep a rather long table of connections. By just starting enough “half-open” TCP connections you can block a system so that it cannot accept legitimate new TCP connections anymore.

So having this value set unnecessarily high is kind of dangerous. And 1 minute is too high in my opinion. 5 seconds should be enough to establish a TCP connection - remember: that does not mean that everything has to be over in 5 seconds, just that the connection has to be completely established within max. 5 seconds.

Best regards,
Christian Meis
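To make the trade-off in the post above concrete, here is an added example (not from this thread and not RouterOS code): a toy connection tracker that keeps a half-open entry from the client's SYN until the server's SYN-ACK arrives, expires it after tcp-syn-sent-timeout, and refuses new SYNs once its table is full. It is fed a constructed mix of a few legitimate handshakes (one from a slow dial-up client that needs 6 seconds) and a 200 SYN/s flood from spoofed sources that never complete. The addresses, the flood rate, the 4096-entry table capacity and all timings are assumptions made up for the demo; it shows both the DoS effect of a 1m timeout and the dial-up casualty of a 5s timeout that the following replies raise.

```python
"""Toy connection tracker showing why tcp-syn-sent-timeout matters.

Added example, not RouterOS code. A half-open entry is created on the client's
SYN and removed when the server's SYN-ACK is seen; if the SYN-ACK does not
arrive within `syn_sent_timeout_ms` the entry is dropped. The table has a fixed
capacity, as a real conntrack table does, so once it is full new SYNs are
refused. All addresses, timings, rates and sizes are constructed for the demo.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List

SERVER = "198.51.100.10:80"   # constructed server address

# Constructed legitimate clients: (address, SYN time in ms, server round trip in ms).
LEGIT_CLIENTS = [
    ("10.0.0.1", 1000, 50),      # LAN client
    ("10.0.0.2", 1000, 800),     # cellular client
    ("10.0.0.3", 1000, 6000),    # slow dial-up client: handshake needs 6 s
    ("10.0.0.4", 30000, 100),    # arrives while the SYN flood is in progress
]


@dataclass(frozen=True)
class Segment:
    t_ms: int    # arrival time in milliseconds (integers keep the arithmetic exact)
    src: str
    dst: str
    flags: str   # "S" = SYN from the client, "SA" = SYN-ACK from the server


class ConnTracker:
    def __init__(self, syn_sent_timeout_ms: int, capacity: int) -> None:
        self.timeout = syn_sent_timeout_ms
        self.capacity = capacity
        # (client, server) -> time the SYN was seen, kept in arrival order so the
        # oldest entry is always at the front and expiry is a cheap front pop.
        self.half_open = OrderedDict()
        self.established = set()
        self.peak_half_open = 0
        self.refused_syns = 0

    def _expire(self, now_ms: int) -> None:
        # Drop half-open entries whose SYN-ACK has not arrived within the timeout.
        while self.half_open:
            _, t0 = next(iter(self.half_open.items()))
            if now_ms - t0 <= self.timeout:
                break
            self.half_open.popitem(last=False)

    def feed(self, seg: Segment) -> None:
        self._expire(seg.t_ms)
        key = (seg.src, seg.dst)
        if seg.flags == "S":
            if key in self.half_open or key in self.established:
                pass                      # retransmitted SYN, nothing to do
            elif len(self.half_open) >= self.capacity:
                self.refused_syns += 1    # table full: legitimate SYNs are refused too
            else:
                self.half_open[key] = seg.t_ms
        elif seg.flags == "SA":
            reverse = (seg.dst, seg.src)  # entry was keyed on the client's SYN
            if reverse in self.half_open:
                del self.half_open[reverse]
                self.established.add(reverse)
            # else: SYN was never tracked or already expired, so the handshake fails
        self.peak_half_open = max(self.peak_half_open, len(self.half_open))


def build_traffic(flood_rate: int, duration_ms: int) -> List[Segment]:
    segs = []
    for host, t_syn, delay in LEGIT_CLIENTS:
        segs.append(Segment(t_syn, host, SERVER, "S"))
        segs.append(Segment(t_syn + delay, SERVER, host, "SA"))
    # SYN flood from spoofed sources that never complete the handshake.
    period = 1000 // flood_rate
    for i in range(duration_ms // period):
        segs.append(Segment(i * period, f"203.0.113.{i % 254 + 1}:{1024 + i}", SERVER, "S"))
    segs.sort(key=lambda s: s.t_ms)   # stable sort: legit segments stay ahead of same-time flood
    return segs


def simulate(syn_sent_timeout_ms: int, flood_rate: int = 200,
             duration_ms: int = 90_000, capacity: int = 4096) -> Dict[str, object]:
    tracker = ConnTracker(syn_sent_timeout_ms, capacity)
    for seg in build_traffic(flood_rate, duration_ms):
        tracker.feed(seg)
    completed = sorted(client for client, _ in tracker.established)
    failed = sorted(h for h, _, _ in LEGIT_CLIENTS if h not in completed)
    return {"peak_half_open": tracker.peak_half_open,
            "refused_syns": tracker.refused_syns,
            "completed": completed, "failed": failed}


if __name__ == "__main__":
    for timeout_ms in (60_000, 30_000, 5_000):
        print(f"tcp-syn-sent-timeout={timeout_ms // 1000}s ->", simulate(timeout_ms))
```

With the 1m timeout the 200 SYN/s flood fills the 4096-entry table in about 20 seconds and the client arriving at 30 s is refused; with 5s the table never holds more than about a thousand half-open entries and the late client gets through, but the 6-second dial-up handshake is dropped because its SYN-ACK arrives after the entry has expired. Half-open occupancy is roughly SYN rate times timeout, which is why the timeout, not just the table size, decides how cheap the attack is.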

I’ve seen dialup users take longer than 5 sometimes … 5-10s would be a good middle ground. 1m is definitely too long : )

30 seconds in my opinion.
It matters to the functions that limit the number of connections.