I'm running debian unstable and do updates nightly. My kernel version is 2.4.22.

Suddenly on tuesday. Apt failed. So while checking out why I found that I can connect to my box but not out. ftp and ssh for instance hang in connect according to strace.

Iptraf confirms this as well the Flags are 'S---'

I run an iptables firewall and it has always worked (MonMotha's Firewall 2.3.8-pre8). I inspected my iptables too and can't find why my machine would blackhole it own outgoing connections.

I also didn't change anything in my routing tables.

I can traceroute and ping out so ICMP and UDP packets work just not outgoing TCP connections.

So my attention has turned to what was updated last as a possible source of the problem.

But nothing is obvious:

The following packages were updated the last time apt ran:


libgcrypt11 1.2.0-11
less 382-2
cron-apt 0.1.1
libatk1.0-0 1.8.0-4
vim-common 1:6.3-046+1

Anyone have any idea why one of these would break out going connections? libgcrypt?

Could this be a NIC problem? A reboot did not fix the problem.

Thanks for any insight,

-ethan

How is it with the firewall off?

Kind of a start from basics and eliminate things one by one..

eg make sure all the firewall rules are loading..

I'll try this but I have to wait till later as there's an e-commerce site on it and it's the week before x-mas don't want any downtime since incoming traffic still works.

Thanks I'll report back.

-e

Eeeeek! You're running a production machine on Sid? And you do updates nightly?
You have a set of brass ones ;o)

Ok I got it.

Somehow some update turned ECN on and my router doesn't like packets with ECN.

sysctl -w net.ipv4.tcp_ecn=0

Did the trick

more /proc/sys/net/ipv4/tcp_ecn

will tell you if ECN is set.

-e

heh...only the second time in a year an update borked.

unstable is really not.

Oh, I know it's not, I use Sid on my desktop and laptop, and even install it for clients of mine. I'd be apprehensive about using it on a production server like the situation you're in however - especially doing nighly updates. By chance have you installed the apt-listbugs package? That can give you some warning before you actually upgrade a package that has known important/critical bugs and give you a brief synopsis of the bugs. It will then ask you to verify that you actually want the packages updated. It's saved my butt a couple of times when some major packages have been updated.

hmm good call. I should go back and check to see if there were any recent references to some package setting ECN.

-e

I'd recommend sending a bug-report on that one too once you find it..

Whether it's in an /etc script or an install script would be the difference between a repeat problem or a one-shot..

Accepting /etc scripts as they come can cause huge problems... ask anyone with gentoo..
I would suggest doing the upgrades during attendence hours until you can reconfigure the pre and post install script behaviour in dpkg..