Trouble with TCP handshake

I am having an issue involving the APF firewall and a user (call it Server A) being able to connect to our server (Server B) for any type of service. I have made a few dumps from our server using tcpdump with the firewall up and with the firewall down. When the firewall is up the user just gets connection timeouts whenever they try to connect to our server. I have had them try connecting to port 25 or port 110 using telnet just to verify a connection; with the firewall up these time out. With the firewall down, these connections work fine. It should be noted that this user's server is the only server that I know of that is having this issue. There are other users on our server and none have reported this issue, and I even tried connecting from one of our other servers with the firewall up and did not have any problems.

The tcpdumps seem to show the problem. It would appear that with APF up and running the client's server (Server A) is not sending a TCP ACK packet during the 3-way handshake for TCP. Server A does send a SYN packet, then Server B sends a SYN+ACK packet, but Server A does not respond, or at least it does not show up in a tcpdump on Server B. When I bring down APF and flush the rules, everything happens as it should: Server A sends a SYN packet, Server B responds with SYN+ACK, and Server A responds with ACK, and the transaction goes through without a problem.

The IP for Server A is not listed anywhere in the iptables with APF up and running. I verified this by taking Server A's IP address (aa.bb.cc.dd) and issuing the following command on Server B:

Code:
# -L without -t lists only the filter table; -n keeps addresses numeric so grep matches
iptables -L -n | grep aa.bb.cc.dd   # the exact host address
iptables -L -n | grep aa.bb.cc      # its /24 (class C) block
iptables -L -n | grep aa.bb         # its /16 (class B) block
iptables -L -n | grep aa            # its /8 (class A) block
This checks to make sure the IP is not blocked, its class-C is not blocked, its Class-B is not blocked, and its class-A is not blocked.

I just really don't know what, if anything, from APF would be blocking the ACK packet. And it's possible that this is not the cause of the problem; it's just what I have found so far. The client's server (Server A) may not even be sending the ACK packet, but it's strange that it sends it when the firewall is down. It's strange too that Server A is the only server (at least the only one that I know about) that is having trouble communicating with Server B with the firewall up. When I connected to Server B from another one of our servers, I made the same tcpdump on Server B to grab packets. The firewall was up in this instance, and the grab showed the SYN, SYN+ACK, ACK handshake.

I am just really at a loss to explain this. Does anybody know what I could try next? Is there something in the APF configuration that would cause this type of activity? I did try to read through it and I didn't see anything that appeared to relate directly to this issue, but that doesn't mean there's nothing there. If you need to know what my specific settings for any of the configuration are in APF, let me know and I will post them. I just don't know what would be considered relevant.

Thanks
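The post describes reading the SYN / SYN+ACK / ACK sequence out of tcpdump by eye. The script below is an added example (not code from the original post) that automates that check: it parses tcpdump's text output, groups packets into client-to-server flows keyed by the initial SYN, and classifies each flow as complete, "no-ack" (server answered but the client's ACK never appeared) or "no-synack". The sample lines are constructed for the example, with one healthy flow and one flow that shows the pattern the post describes, including the retransmitted SYN+ACKs a server emits while it waits for an ACK that never comes.

```python
import re
from collections import OrderedDict

# Constructed sample of tcpdump text output (not taken from the original post).
# Flow 1 (port 25): full three-way handshake.
# Flow 2 (port 110): SYN and SYN+ACK only; the server retransmits the SYN+ACK
# because the client's ACK never arrives, which is what the post observes.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 192.0.2.10.40000 > 198.51.100.5.25: Flags [S], seq 1000, win 65535, length 0
12:00:01.000200 IP 198.51.100.5.25 > 192.0.2.10.40000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:00:01.000400 IP 192.0.2.10.40000 > 198.51.100.5.25: Flags [.], ack 5001, win 65535, length 0
12:00:02.000001 IP 203.0.113.7.51000 > 198.51.100.5.110: Flags [S], seq 2000, win 65535, length 0
12:00:02.000300 IP 198.51.100.5.110 > 203.0.113.7.51000: Flags [S.], seq 6000, ack 2001, win 65535, length 0
12:00:03.000300 IP 198.51.100.5.110 > 203.0.113.7.51000: Flags [S.], seq 6000, ack 2001, win 65535, length 0
12:00:05.000300 IP 198.51.100.5.110 > 203.0.113.7.51000: Flags [S.], seq 6000, ack 2001, win 65535, length 0
"""

# Matches the start of a tcpdump IPv4/TCP line: timestamp, endpoints, TCP flags.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_handshakes(text):
    """Return an ordered dict keyed by (client_ip, client_port, server_ip, server_port)
    with counts of the SYN, SYN+ACK and handshake-completing ACK seen for each flow."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or unparsable line
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        flags = flags.strip()
        if flags == "S":  # client opens the flow
            key = (src, sport, dst, dport)
            flows.setdefault(key, {"syn": 0, "synack": 0, "ack": 0})
            flows[key]["syn"] += 1
        elif flags == "S.":  # server reply travels server -> client, so swap ends
            key = (dst, dport, src, sport)
            if key in flows:
                flows[key]["synack"] += 1
        elif flags == ".":  # first pure ACK after a SYN+ACK completes the handshake
            key = (src, sport, dst, dport)
            if key in flows and flows[key]["synack"] and not flows[key]["ack"]:
                flows[key]["ack"] += 1
    return flows


def classify(counts):
    """Label one flow's handshake state from its packet counts."""
    if counts["ack"]:
        return "complete"
    if counts["synack"]:
        return "no-ack"      # server answered, client's ACK never seen on this host
    return "no-synack"       # server never answered the SYN


def report(text):
    """Map each flow to its handshake state."""
    return {key: classify(c) for key, c in parse_handshakes(text).items()}


if __name__ == "__main__":
    for key, counts in parse_handshakes(SAMPLE_TCPDUMP).items():
        client, cport, server, sport = key
        print(f"{client}:{cport} -> {server}:{sport}: {classify(counts)} "
              f"(SYN x{counts['syn']}, SYN+ACK x{counts['synack']}, ACK x{counts['ack']})")
```

To use it on a real capture, run `tcpdump -n -i <iface> tcp` on Server B, save the text, and pass it to `report()`. One detail worth keeping in mind when reading the result: on Linux, tcpdump sees incoming packets before netfilter's INPUT chain processes them and outgoing packets after OUTPUT has let them through. A SYN+ACK that appears in the dump has therefore already left Server B, and an ACK dropped by Server B's own INPUT rules would still show up in the dump. A flow classified "no-ack" on Server B means the ACK never reached the interface at all, which points at the path between the two hosts or at Server A rather than at a rule on Server B. Repeated SYN+ACKs for the same flow (count greater than one) are the server's retransmissions while it waits, and are a useful corroborating sign.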
