remove unreplied tcp connections

wirelesswaves · Sun Dec 22, 2013 12:40 pm

Did anyone ever manage to write a script to periodically remove "unreplied" connections from the firewall tracking table.

In the last few months I have seen an increase in this problem, today over 2500 unreplied connections, and whilst these may seem innocent at first, they do seem to stop new connections from being establish all the time they remain in the table.

adairw · Sun Dec 22, 2013 11:49 pm

Are you dropping invalid connections in the forward and input chains?
What is your firewall configuration?

Sent from my SCH-I545 using Tapatalk

wirelesswaves · Mon Dec 30, 2013 11:36 am

anyone?

need help here with a script to run every 5 minutes to delete from tracking table all connections that meet the following criteria.

1: tcp+(!SA)+(!local network ip's)+established

where !SA = assured

Or maybe it just cannot be done!

wirelesswaves · Mon Dec 30, 2013 1:15 pm

oh crap!

Cant we use the flags "unreplied" or "!assured"

ditonet · Mon Dec 30, 2013 7:01 pm

need help here with a script to run every 5 minutes to delete from tracking table all connections that meet the following criteria.
1: tcp+(!SA)+(!local network ip's)+established

Just out of curiosity: Why do you want to remove established connections?

Regards,

wirelesswaves · Tue Dec 31, 2013 11:48 am

It happens periodically, usually after a night of heavy p2p traffic...

The connection tracking table grows to around 5000 connections and 4000 of those are "unreplied".

It wouldn't bother me but there does seem to be a link to customers complaints for 24 hours afterwards (until the connections drop) that some phone lines appear "dead"...

Its a minor issue but an irritating one, those customers affected often restart their voip ATA devices and then the ATA re-establishes a SIP handshake..

I'm curious why a tcp connection can appear "established" in the conn track table, but at the same time remain "unreplied"

And its these random unexplained "un-replied" connections that seem to hog "port space" and prevent some SIP handshaking.

Sadly it appears that the "unreplied" flag is not usable in a script to periodically flush out these nasties.

I vote hat ver7 should have that option.

ditonet · Tue Dec 31, 2013 12:29 pm

Did you try to decrease TCP SYN-timeouts in conntrack settings?

Regards,

wirelesswaves · Tue Dec 31, 2013 12:55 pm

yes. no difference.

ditonet · Tue Dec 31, 2013 2:02 pm

Post your conntrack settings, please.
What is higher 'timeout' value for unreplied connections shown by Winbox?

Regards,

wirelesswaves · Tue Dec 31, 2013 3:09 pm

v5.25 does not have a time out setting for "unreplied" !

ditonet · Tue Dec 31, 2013 5:27 pm

v5.25 does not have a time out setting for "unreplied" !

I've asked about shown values:

unreplied_timeout.PNG

Regards,

wirelesswaves · Tue Dec 31, 2013 5:57 pm

currently anything between 30 minutes and 23.40 hrs

curiously my filter is inverted.

I have to filter>

Unreplied is no........................... not yes as would be expected!

ditonet · Tue Dec 31, 2013 7:42 pm

Unreplied is no........................... not yes as would be expected!

This bug was fixed year ago, in ROS v.6.0rc6 if I remember correctly.

Post your conntrack settings:

ros code

/ip firewall connection tracking export

Regards,

wirelesswaves · Tue Dec 31, 2013 7:51 pm

they are back at the default.

Have you forgotten these are "established" tcp connections with a default 1day timeout.

They have gone through the 4 way handshake protocol but remain "unreplied"

I do not see how any alterations to the tracking values will change anything without also affecting assured established connections.

ditonet · Tue Dec 31, 2013 8:34 pm

Decrease 'tcp-established-timeout' to 5 minutes.

Regards,

P.S. I'm going on New Year's party