HTTP/2 connections failing for specific websites

I seem to be having the same issue as this thread: Some websites are inaccessible

curl -v --http2 https://www.xda-developers.com
> GET / HTTP/2
> Host: www.xda-developers.com
> User-Agent: curl/8.10.1
> Accept: */*
>
* HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)

I tried all the various suggestions and none of those helped.

My MTU on the pppoe interface is set to 1492 by default. I tried lower values, 1472, 1450, but that didn't change anything.

I checked for the MSS clamping, it was enabled. I tried disabling it, no change.

As for the other guy, it works on my mobile phone's data.

Something in OpenWrt results in this error.

ubus call system board
{
        "kernel": "6.6.65",
        "hostname": "router",
        "system": "ARMv8 Processor rev 0",
        "model": "Bananapi BPI-R4",
        "board_name": "bananapi,bpi-r4",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r28349-47c75a25cd",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r28349-47c75a25cd",
                "builddate": "1734522436"
        }
}

Let's check for "traffic management" on the provider's side:

Enable "drop invalid" in the firewall page.
Then make conntrack more picky:

sysctl net.netfilter.nf_conntrack_checksum=1 \
net.netfilter.nf_conntrack_tcp_be_liberal=0 \
net.netfilter.nf_conntrack_tcp_ignore_invalid_rst=0 \
net.netfilter.nf_conntrack_tcp_loose=0 # | tee -a /etc/sysctl.conf

Remove the # to save it for good.

Now enable detailed logging of invalid packets (do not save; the output may be overwhelming if they block torrents).

sysctl net.netfilter.nf_conntrack_log_invalid=255

Under normal conditions one gets a few invalid packets per hour; check your log.
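As an added example (not code from this thread or from OpenWrt): a small POSIX shell script that checks whether the four conntrack settings above are actually in effect and summarises invalid-packet log lines per source address, which is what you want to look at after turning on nf_conntrack_log_invalid. The sysctl dump and the log lines embedded below are constructed samples; the `nf_ct_proto_6:` log prefix is assumed to match what the kernel prints for invalid TCP packets, so adjust the pattern if your logread output differs.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers:
#   check_sysctl    - compare a `sysctl -a` style dump (stdin) with the wanted values
#   invalid_summary - count nf_conntrack "invalid" log lines (stdin) per SRC address

# Wanted values, exactly as suggested in the thread (key=value, one per line).
WANTED="net.netfilter.nf_conntrack_checksum=1
net.netfilter.nf_conntrack_tcp_be_liberal=0
net.netfilter.nf_conntrack_tcp_ignore_invalid_rst=0
net.netfilter.nf_conntrack_tcp_loose=0"

# Reads "key = value" lines on stdin, prints every key that deviates from
# WANTED and returns the number of mismatches (0 means all settings applied).
check_sysctl() {
    dump=$(cat)
    mismatches=0
    for pair in $WANTED; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(printf '%s\n' "$dump" | awk -F' *= *' -v k="$key" '$1 == k { print $2 }')
        if [ "$have" != "$want" ]; then
            echo "$key: have '${have:-<unset>}', want '$want'"
            mismatches=$((mismatches + 1))
        fi
    done
    return $mismatches
}

# Reads log lines on stdin; for each nf_conntrack invalid-packet line
# extracts the SRC= field and prints "<src> <count>" per source, then
# a final "total <n>" line. Assumed log prefix: nf_ct_proto_<N>: (or nf_ct_tcp:).
invalid_summary() {
    awk '/nf_ct_(proto_[0-9]+|tcp)/ {
            n++
            src = "?"
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            by[src]++
         }
         END {
            for (s in by) printf "%s %d\n", s, by[s]
            printf "total %d\n", n + 0
         }'
}

# Constructed sample input: a sysctl dump where two of the four settings
# are still at their permissive defaults.
SAMPLE_SYSCTL='net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_tcp_be_liberal = 1
net.netfilter.nf_conntrack_tcp_ignore_invalid_rst = 0
net.netfilter.nf_conntrack_tcp_loose = 1'

# Constructed sample log (documentation addresses); three invalid-packet
# lines, two of them from the same source, plus an unrelated dnsmasq line.
SAMPLE_LOG='Thu Jan  1 00:00:01 2025 kern.warn kernel: nf_ct_proto_6: invalid packet ignored in state ESTABLISHED IN=pppoe-wan OUT= MAC= SRC=203.0.113.10 DST=192.0.2.20 LEN=52 PROTO=TCP SPT=443 DPT=51234
Thu Jan  1 00:00:02 2025 daemon.info dnsmasq[1234]: query[A] example.net from 192.168.1.50
Thu Jan  1 00:00:05 2025 kern.warn kernel: nf_ct_proto_6: invalid rst IN=pppoe-wan OUT= SRC=203.0.113.10 DST=192.0.2.20 LEN=40 PROTO=TCP SPT=443 DPT=51234
Thu Jan  1 00:00:09 2025 kern.warn kernel: nf_ct_proto_6: invalid packet ignored in state SYN_SENT IN=pppoe-wan OUT= SRC=198.51.100.7 DST=192.0.2.20 LEN=52 PROTO=TCP SPT=443 DPT=51300'

# Demonstration on the constructed samples.
echo "== sysctl check on sample dump =="
printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctl || echo "$? setting(s) not applied"
echo "== invalid packets per source in sample log =="
printf '%s\n' "$SAMPLE_LOG" | invalid_summary

# On the router itself you would feed the real data instead:
#   sysctl -a 2>/dev/null | check_sysctl
#   logread | invalid_summary
```

If `invalid_summary` shows a steady stream of invalid packets from the addresses the failing sites resolve to, the strictness settings are what is dropping them and the problem is upstream of the router; if the log stays quiet while the HTTP/2 errors continue, the packets are arriving intact and conntrack is not the place to look.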

Thanks! I tried this, but nothing is shown.

I tried to dig a little deeper on my Windows client in the network behind the router.

It is actually the server, i.e. the remote site like xda-developers.com or screenrant.com, that sends an HTTP/2 RST_STREAM message.

So my assumption is that something happens to the TCP communication when passing through the router. It changes something on one of the packets maybe.

Show it with curl. That is a client-to-server message.

Nothing happens to TCP; it is all your provider. Make a tcpdump.

Unfortunately not. The server side sends this message and I have no idea why:

This is wireshark on my PC behind the router.

I have no idea how to decrypt the SSL connection when using tcpdump.

What do you mean by this? Could you elaborate? You mean the issue happens in my ISP's network?

Mine goes to quic

Yeah, that is not activated in my Chrome by default.

What did you mean with the "it is all your provider" comment?

Why would IG/FB kick you off?

I do not understand the words you are saying. You mean Instagram and Facebook?

There are particular pages that have this issue. So far, I encountered it with screenrant.com and xda-developers.com, just like the other thread I linked in the OP.

Maybe @p9203 reads this and can tell if they found a solution. Or figured out the root cause.

OpenWrt does not alter anything inside the SSL connection. It is something the other end dislikes about you, because of somebody in your /24 for example.

Names point to Amazon CloudFront.