Linux, ECN and old firewalls

Hello all,

Bumped into a problem where my firewall was refusing connections from a
linux machine, found the reason and thought I would share:

saw similar problems around last august (i think) .. hotmail was refusing
connections from one of my linux boxes. a bit of research showed me the
following:

: : Bug ID: CSCds23698
: : Headline: PIX sends RSET in response to tcp connections with ECN
: : bits set
: : Product: PIX
: : Component: fw
: : Severity: 2 Status: R [Resolved]
: : Version Found: 5.1(1)
: : Fixed-in Version: 5.1(2.206) 5.1(2.207) 5.2(1.200)
:
: fixes have been incorporated for a number of different release trains for
: the pix.
:
: Fixed-In Version now covers releases:
: 5.1(2.206), 5.1(2.207), 5.2(1.200), 6.0(0.100), 5.2(3.210)
:
: NB. it has been posted that Raptor firewalls will also apparently fail to
: allow connections with ECN bits set.

the workaround i was using was:
echo "0" >/proc/sys/net/ipv4/tcp_ecn

(though i was kind of pissed i had to even use a workaround and those
sites were being too stubborn to fix their gear).

cheers.
-ken harris.
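The PIX bug above concerns TCP SYNs carrying the RFC 3168 ECN bits (ECE and CWR), which is exactly what a 2.4 kernel sends when tcp_ecn is 1. The following is an added example, not code from anyone in this thread: it constructs a sample IPv4/TCP SYN with and without those bits and classifies a raw packet so you can tell from a capture whether a RST is likely the ECN case. Addresses, ports and the zeroed checksums are constructed sample values.

```python
import struct

# TCP flag bits: RFC 793 flags plus ECE and CWR, the "ECN bits" from RFC 3168
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build_ipv4_tcp_syn(ecn: bool, sport: int = 40000, dport: int = 80) -> bytes:
    """Construct a minimal IPv4+TCP SYN (constructed sample; checksums left 0).
    With ecn=True the SYN carries ECE|CWR, i.e. an RFC 3168 ECN-setup SYN,
    which is what a Linux host with tcp_ecn=1 sends on every new connection."""
    flags = SYN | (ECE | CWR if ecn else 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags,
                      65535, 0, 0)
    return ip + tcp

def tcp_flags(packet: bytes) -> int:
    """Return the 8 TCP flag bits of a raw IPv4/TCP packet (no link layer)."""
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    if version != 4 or packet[9] != 6 or len(packet) < ihl + 20:
        raise ValueError("not an IPv4/TCP packet")
    # TCP bytes 12-13: data offset (4 bits), reserved (4 bits), 8 flag bits
    off_flags = struct.unpack("!H", packet[ihl + 12:ihl + 14])[0]
    return off_flags & 0xFF

def classify_syn(packet: bytes) -> str:
    """Label a packet the way the PIX bug cares about: is it an initial SYN,
    and does it carry both ECN bits (the case old PIX code answered with RST)?"""
    f = tcp_flags(packet)
    if not (f & SYN) or (f & ACK):
        return "not a SYN"
    if (f & (ECE | CWR)) == (ECE | CWR):
        return "ECN-setup SYN"
    return "plain SYN"

if __name__ == "__main__":
    for ecn in (True, False):
        print(classify_syn(build_ipv4_tcp_syn(ecn)))
```

Feed tcp_flags() the IP payload of a captured SYN that got a RST back; if it comes out as "ECN-setup SYN", the tcp_ecn workaround in the post is the relevant one.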

Several other higher profile sites (yahoo comes to mind) were doing the
same thing until I also turned that option off.

I have a feeling it's not only the pix that is broken in this respect.

Jason

The PIX isn't 'broken'. It was fixed some time ago. It's just that
some folks don't want to take the time to upgrade their devices.

This same issue applies to older releases of LocalDirector code, as
well. Again, Cisco fixed the problem with alacrity; again, some folks
just don't perform timely upgrades.

Jason Slagle wrote:

Also, turning off ECN for 2.4.x kernels is quite simple:

  echo "0" >/proc/sys/net/ipv4/tcp_ecn

Roland Dobbins wrote: