Re: Doesn't work for a very few visitors

From: Willy Tarreau <w#1wt.eu>
Date: Sun, 20 Dec 2009 06:57:54 +0100


On Sat, Dec 19, 2009 at 05:14:42PM -0500, John Lauro wrote:
> Are you using connection tracking with iptables? If so, you might want to
> consider using a more basic configuration without connection tracking.

Indeed!

Most likely you have a rule somewhere which does a REJECT on INVALID packets, and those poor users are running a buggy TCP stack which breaks window scaling, SACKs or things like this, regularly causing some INVALID packets to be detected by the conntrack code.

Once I even found a user who was doing all of his browsing using the same TCP source port! You bet the conntrack has good reasons to complain.

The other common issue with conntrack as shipped in common distros is that it's tuned for a desktop system (i.e. not tuned). And the table fills very fast when you use that on a server. You can easily detect this by messages in kernel logs: "Conntrack table is full".

Regards,
Willy

Received on 2009/12/20 06:57
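Added here as an example, not code from Willy or the HAProxy project: a small POSIX shell check for the two conntrack symptoms described above, how full the table is (nf_conntrack_count against nf_conntrack_max) and "table full" messages in the kernel log. The /proc paths, the 80% warning threshold and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a quick conntrack health check
# for a Linux load balancer. Paths, threshold and sample log are assumptions.

# nf_conntrack paths on 2.6.2x+ kernels (older kernels used ip_conntrack_*
# under /proc/sys/net/ipv4/netfilter); override via environment if needed.
CONNTRACK_COUNT_FILE=${CONNTRACK_COUNT_FILE:-/proc/sys/net/netfilter/nf_conntrack_count}
CONNTRACK_MAX_FILE=${CONNTRACK_MAX_FILE:-/proc/sys/net/netfilter/nf_conntrack_max}
WARN_PCT=${WARN_PCT:-80}   # assumed warning threshold (percent of table used)

# Percentage of the conntrack table in use, from an entry count and a maximum.
conntrack_fill_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# "OK" or "WARN" for a given count/max, compared against WARN_PCT.
conntrack_verdict() {
    pct=$(conntrack_fill_pct "$1" "$2") || pct=0
    if [ "$pct" -ge "$WARN_PCT" ]; then
        echo "WARN"
    else
        echo "OK"
    fi
}

# Number of "table full" conntrack messages in kernel log text read on stdin
# (matches both the old ip_conntrack and the newer nf_conntrack wording).
count_table_full() {
    grep -c -i -E 'conntrack.*table (is )?full' || true
}

# Constructed sample of what the kernel log looks like when the table overflows.
SAMPLE_KERNEL_LOG='Dec 19 17:02:11 lb1 kernel: ip_conntrack: table full, dropping packet.
Dec 19 17:02:11 lb1 kernel: ip_conntrack: table full, dropping packet.
Dec 19 17:02:12 lb1 kernel: eth0: link up'

# Live check when run on a real box; falls back to the sample data elsewhere.
if [ -r "$CONNTRACK_COUNT_FILE" ] && [ -r "$CONNTRACK_MAX_FILE" ]; then
    count=$(cat "$CONNTRACK_COUNT_FILE"); max=$(cat "$CONNTRACK_MAX_FILE")
    echo "conntrack: $count/$max entries, $(conntrack_verdict "$count" "$max")"
    dmesg 2>/dev/null | count_table_full | sed 's/^/table-full messages in dmesg: /'
else
    echo "sample: $(conntrack_verdict 60000 65536) at $(conntrack_fill_pct 60000 65536)%"
    printf '%s\n' "$SAMPLE_KERNEL_LOG" | count_table_full | sed 's/^/table-full messages in sample: /'
fi
```

A WARN verdict or a non-zero "table full" count is the cue to raise net.netfilter.nf_conntrack_max (and the hash size) or to stop tracking the high-volume traffic at all, as John suggests.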

This archive was generated by hypermail 2.2.0 : 2009/12/20 07:00 CET