> The keepalive packets are simple tcp segments sent on the connection:
>
> - no data
> - ack # is next expected byte
> - sequence # is a stale (byte already acked by the other end) one, so that the
> other end is forced to send an ack in return (as it receives an out of window
> sequence #).
>
> I can't imagine how a firewall would be filtering them..
The firewall is also doing IP Masquerading/transparent proxying/port
forwarding as part of a VPN setup (both source and destination NAT). So
iptables' connection tracking might be timing out, and/or interfering with
the keepalive packets. (Maybe the keepalive packets aren't making it through
NAT? That's my current theory. I know that's got a timeout after which it
forgets a masqueraded connection, and the same probably applies to the other
forms of NAT. My current theory is that keepalive packets aren't keeping NAT
connections alive...)
> thanks,
> Nivedita
Rob
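
The probe shape quoted above can be recognised mechanically, which helps when comparing captures taken on each side of the NAT box to see whether probes make it through. This is an added example, not code from either poster or from the kernel; the struct and function names are hypothetical, and it assumes an idle connection with no data in flight.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One observed TCP segment, as a capture tool would report it. */
struct seg {
    uint32_t seq;   /* sequence number carried by the segment */
    uint32_t ack;   /* acknowledgment number carried by the segment */
    uint16_t len;   /* payload length in bytes */
};

/* Receiving end's state when the segment arrives (assumed idle connection). */
struct peer_state {
    uint32_t rcv_nxt;   /* next byte it expects from the sender */
    uint32_t snd_nxt;   /* next byte it would send, i.e. what the sender expects */
};

/* True if a precedes b in 32-bit sequence space (handles wraparound). */
static bool seq_before(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) < 0;
}

/* Probe = no data, ack is the next expected byte, sequence # already acked. */
bool is_keepalive_probe(const struct seg *s, const struct peer_state *p)
{
    return s->len == 0 && s->ack == p->snd_nxt && seq_before(s->seq, p->rcv_nxt);
}

/* Count probes in a trace; compare the totals from each side of the NAT box. */
size_t count_probes(const struct seg *t, size_t n, const struct peer_state *p)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_keepalive_probe(&t[i], p);
    return hits;
}

int main(void)
{
    /* Constructed sample: probe, ordinary ACK, data segment. */
    const struct peer_state p = { .rcv_nxt = 1000, .snd_nxt = 5000 };
    const struct seg trace[] = { {999, 5000, 0}, {1000, 5000, 0}, {1000, 5000, 10} };
    printf("%zu probe(s)\n", count_probes(trace, 3, &p));
    return 0;
}
```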