Syn without syn-ack?

I updated to 22.03.0 (then .1 and .2). I'm using a Linksys EA6350v3 through an Actiontec router in bridging mode to Frontier DSL in L.A. I see connections either finish quickly or time out, it looks like the SYN packets go out from my desktop but there is no response from the internet. Is anybody else seeing anything like this? The following is running 'curl -I http://github.com/' repeatedly, the first connection works and the second times out. If I run a ping at the same time, I don't see anything unusual,, no dropped packets, it's like the SYN packets aren't making it out or the SYN-ACK is going missing somewhere.

It's Frontier so who knows, but this behavior started around when I switched to 22.03...

13:07:54.642409 IP lb-192-30-255-112-sea.github.com.http > xps.mvh.51114: Flags [S.], seq 2988215672, ack 1976558489, win 65535, options [mss 1436,sackOK,TS val 3302907771 ecr 2354075195,nop,wscale 10], length 0
13:07:54.642498 IP xps.mvh.51114 > lb-192-30-255-112-sea.github.com.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 2354075238 ecr 3302907771], length 0
13:07:54.642661 IP xps.mvh.51114 > lb-192-30-255-112-sea.github.com.http: Flags [P.], seq 1:76, ack 1, win 502, options [nop,nop,TS val 2354075238 ecr 3302907771], length 75: HTTP: HEAD / HTTP/1.1
13:07:54.688069 IP lb-192-30-255-112-sea.github.com.http > xps.mvh.51114: Flags [P.], seq 1:85, ack 76, win 64, options [nop,nop,TS val 3302907816 ecr 2354075238], length 84: HTTP: HTTP/1.1 301 Moved Permanently
13:07:54.688140 IP xps.mvh.51114 > lb-192-30-255-112-sea.github.com.http: Flags [.], ack 85, win 502, options [nop,nop,TS val 2354075283 ecr 3302907816], length 0
13:07:54.688552 IP xps.mvh.51114 > lb-192-30-255-112-sea.github.com.http: Flags [F.], seq 76, ack 85, win 502, options [nop,nop,TS val 2354075284 ecr 3302907816], length 0
13:07:54.731919 IP lb-192-30-255-112-sea.github.com.http > xps.mvh.51114: Flags [F.], seq 85, ack 77, win 64, options [nop,nop,TS val 3302907861 ecr 2354075284], length 0
13:07:54.731983 IP xps.mvh.51114 > lb-192-30-255-112-sea.github.com.http: Flags [.], ack 86, win 502, options [nop,nop,TS val 2354075327 ecr 3302907861], length 0
13:07:56.957108 IP xps.mvh.51122 > lb-192-30-255-112-sea.github.com.http: Flags [S], seq 611891571, win 64240, options [mss 1460,sackOK,TS val 2354077552 ecr 0,nop,wscale 7], length 0
13:07:57.986273 IP xps.mvh.51122 > lb-192-30-255-112-sea.github.com.http: Flags [S], seq 611891571, win 64240, options [mss 1460,sackOK,TS val 2354078581 ecr 0,nop,wscale 7], length 0
13:08:00.006236 IP xps.mvh.51122 > lb-192-30-255-112-sea.github.com.http: Flags [S], seq 611891571, win 64240, options [mss 1460,sackOK,TS val 2354080601 ecr 0,nop,wscale 7], length 0
13:08:04.162091 IP xps.mvh.51122 > lb-192-30-255-112-sea.github.com.http: Flags [S], seq 611891571, win 64240, options [mss 1460,sackOK,TS val 2354084757 ecr 0,nop,wscale 7], length 0
13:08:12.358095 IP xps.mvh.51122 > lb-192-30-255-112-sea.github.com.http: Flags [S], seq 611891571, win 64240, options [mss 1460,sackOK,TS val 2354092953 ecr 0,nop,wscale 7], length 0
13:08:28.482155 IP xps.mvh.51122 > lb-192-30-255-112-sea.github.com.http: Flags [S], seq 611891571, win 64240, options [mss 1460,sackOK,TS val 2354109077 ecr 0,nop,wscale 7], length 0
13:09:01.762146 IP xps.mvh.51122 > lb-192-30-255-112-sea.github.com.http: Flags [S], seq 611891571, win 64240, options [mss 1460,sackOK,TS val 2354142357 ecr 0,nop,wscale 7], length 0
13:33:01.914793 IP 192.168.0.2.19150 > lb-192-30-255-112-sea.github.com.http: Flags [S], seq 2080654012, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1916692642 ecr 0], length 0

http sends a redirect. Perhaps https would work better?

(The OP is referring to an issue on Layer 3, HTTP/HTTPS is Layer 7.)

my point being, if I were github and someone was hammering me with http rather than https requests with a script, I would drop synacks on a lot of the traffic.

1 Like

I picked up a T-Mobile home internet plan box, and looped that through openwrt. I do not see any missing SYN+ACK packages with this setup. WRT github and hammering, I saw the same behavior with multiple sites (although, not with Amazon), never accessed the sites more than 100 times or closer than 1 second apart, and just did a 'curl -I' which just fetches the header. The behavior was strange, the SYN retransmits for a connection attempt were never acknowledged either, so the connect attempts would time out after a long time and multiple SYN packets sent even if -other- connection attempts to the same IP succeeded at the same time. I'm going to chalk this up to some Frontier gremlin which will likely not be fixed in a timely manner as most people don't 'ssh' to boxes or write networking code. There must be some state being kept somewhere that keeps those syn packets from being responded to maybe a proxy or something, likely specific to Frontier.