Clients reach the Internet through NAT; some of them can access the server and some cannot. We capture packets for a fixed request URL to track down and solve the problem.
1. Filter with http contains "/frontend" to pick out the client's requests for this URL.
2. Follow the stream (Follow TCP Stream) to check whether the request looks normal.
3. Open the client-side capture: the failed requests are retransmissions. Filter with tcp.analysis.retransmission
and you can see the request being retransmitted four times.
Thoughts:
A. It is not a Yundun problem, because Yundun works on IP addresses;
B. Checked that the system has no host security software such as Yunsuo, and iptables is not enabled either;
C. Checked the kernel parameters with sysctl -p (sysctl -a prints all of them) and saw the timestamp setting;
4. Compare the timestamps
[Screenshot: the failed request]
[Screenshot: the successful request]
The successful requests all carry large timestamps. Setting net.ipv4.tcp_timestamps=0 in /etc/sysctl.conf fixes it.
More on timestamps:
With timestamp (TCP timestamps) and tw_recycle (fast recycling of TIME_WAIT) both enabled, within one MSL the server only answers requests whose timestamps keep increasing; requests carrying a smaller timestamp are discarded (no ACK is sent).
More on MSL: RFC 793 specifies an MSL of 2 minutes, so within 2 minutes the timestamps of requests from the same IP must increase; if they do not, the server does not respond.
Quick check: use netstat to collect statistics on rejected packets
SYNs to LISTEN sockets dropped: all packets rejected already at the SYN stage
passive connections rejected because of time stamp: packets rejected by the timestamp check
# netstat -st | egrep -i "drop|reject|overflowed|listen|filter"
671 ICMP packets dropped because they were out-of-window
921102 passive connections rejected because of time stamp   <-- note this line
14878 packets rejects in established connections because of timestamp
89113 times the listen queue of a socket overflowed
3470836 SYNs to LISTEN sockets dropped
TCPBacklogDrop: 14
TCPDeferAcceptDrop: 4533
IPReversePathFilter: 10387
Run the command again a moment later and the counter has already climbed by one:
# netstat -st | egrep -i "drop|reject|overflowed|listen|filter"
671 ICMP packets dropped because they were out-of-window
921103 passive connections rejected because of time stamp   <-- note this line
14878 packets rejects in established connections because of timestamp
89113 times the listen queue of a socket overflowed
3470837 SYNs to LISTEN sockets dropped
TCPBacklogDrop: 14
TCPDeferAcceptDrop: 4533
IPReversePathFilter: 10387
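As an added example (not code from the original post), the following POSIX shell script pulls the two counters named above out of captured netstat -st text, reports how much they grew between two samples, and, because the post attributes the rejects to tcp_timestamps and tcp_tw_recycle being enabled together, also flags the case where net.ipv4.tcp_timestamps and net.ipv4.tcp_tw_recycle are both 1. Counter names are assumed to match what netstat -st prints on Linux as quoted above; the sample text is constructed from the figures in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: read the two counters the
# post points at out of "netstat -st" text, report their growth between two
# samples, and flag the tcp_timestamps + tcp_tw_recycle combination.
# Assumes the counter names netstat -st prints on Linux, as quoted in the post.

# Print the number that starts the first netstat -st line containing $2.
# $1 = captured netstat -st text, $2 = counter description
counter_value() {
    printf '%s\n' "$1" | awk -v key="$2" 'index($0, key) { print $1; exit }'
}

# Print how much counter $3 grew between sample $1 and sample $2.
counter_delta() {
    a=$(counter_value "$1" "$3"); b=$(counter_value "$2" "$3")
    echo $(( ${b:-0} - ${a:-0} ))
}

# Exit 0 when timestamp rejects of new connections are still climbing
# between the two samples, which is the symptom the post isolates.
paws_rejects_growing() {
    d=$(counter_delta "$1" "$2" "passive connections rejected because of time stamp")
    s=$(counter_delta "$1" "$2" "SYNs to LISTEN sockets dropped")
    echo "passive connections rejected because of time stamp: +$d"
    echo "SYNs to LISTEN sockets dropped: +$s"
    [ "$d" -gt 0 ]
}

# Exit 0 when both knobs are 1, i.e. timestamps and tw_recycle enabled together.
# $1 = net.ipv4.tcp_timestamps, $2 = net.ipv4.tcp_tw_recycle
risky_combo() { [ "$1" = 1 ] && [ "$2" = 1 ]; }

# Constructed samples built from the figures quoted in the post.
SAMPLE_A='921102 passive connections rejected because of time stamp
3470836 SYNs to LISTEN sockets dropped'
SAMPLE_B='921103 passive connections rejected because of time stamp
3470837 SYNs to LISTEN sockets dropped'

# Sample the live host when the tools exist; otherwise fall back to the samples.
if command -v netstat >/dev/null 2>&1 && command -v sysctl >/dev/null 2>&1; then
    first=$(netstat -st 2>/dev/null); sleep 2; second=$(netstat -st 2>/dev/null)
    ts=$(sysctl -n net.ipv4.tcp_timestamps 2>/dev/null)
    tw=$(sysctl -n net.ipv4.tcp_tw_recycle 2>/dev/null)   # absent on newer kernels
else
    first=$SAMPLE_A; second=$SAMPLE_B; ts=1; tw=1
fi
if paws_rejects_growing "$first" "$second" && risky_combo "$ts" "$tw"; then
    echo "timestamp rejects rising with tcp_timestamps=1 and tcp_tw_recycle=1: NAT clients will be dropped"
fi
```

On a live server run it twice a few seconds apart; a non-zero delta on the "time stamp" counter together with both knobs at 1 is exactly the situation the packet captures above showed.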