syncache_timer: Response timeout and other msgs, whats up?

From: Oskar Eyb <oskar-FreeBSD_at_eyb.de>
Date: Thu, 24 Jan 2008 10:31:45 +0100
Hello!
I#m not sure if this is a issue belonging to -current, but maybe..


A remote MTA cannot deliver me any email. the admin gets the following 
errors:

"retry time not reached for any host after a long failure period"
and "retry timeout exceeded".

After I cant find anything related to this server in my postfix log, I 
grep'ed for <ip> in /var/log/* and got the following hits:

[...]
dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25 tcpflags
0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and
retransmitting SYN|ACK
dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25;
syncache_timer: Response timeout, retransmitting (1) SYN|ACK
dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25;
syncache_timer: Response timeout, retransmitting (2) SYN|ACK
dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25;
syncache_timer: Response timeout, retransmitting (3) SYN|ACK
dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25;
syncache_timer: Retransmits exhausted, giving up and removing syncache entry

85.214.42.62 is the other MTA, 172.16.0.2 is my jail.
I use PF with rdr/nat on FreeBSD 7 RC4.


in the daily security email I get dozens of messages like this, also to 
other tcp ports.


default-values for:
net.inet.tcp.syncache.rst_on_sock_fail: 1
net.inet.tcp.syncache.rexmtlimit: 3
net.inet.tcp.syncache.hashsize: 512
net.inet.tcp.syncache.count: 0
net.inet.tcp.syncache.cachelimit: 15360
net.inet.tcp.syncache.bucketlimit: 30


Can anybody help me out of this?


Greets,
Oskar





+TCP: [58.182.131.11]:4216 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_1: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4216 to [172.16.0.2]:25 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4216 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4217 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_1: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4217 to [172.16.0.2]:25 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4217 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4218 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_2: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4218 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4219 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_2: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4219 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4220 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_1: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4220 to [172.16.0.2]:25 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4220 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4221 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_2: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4221 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4222 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_1: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4222 to [172.16.0.2]:25 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4222 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4223 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_2: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4223 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4224 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_1: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4224 to [172.16.0.2]:25 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4224 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4225 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_2: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4225 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4226 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_1: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4226 to [172.16.0.2]:25 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4226 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4227 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_1: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4227 to [172.16.0.2]:25 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4227 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4228 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_2: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4228 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4229 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_1: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4230 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_2: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4231 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_2: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4232 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_2: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4230 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4231 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4234 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_1: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4234 to [172.16.0.2]:25 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4234 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4235 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_1: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4235 to [172.16.0.2]:25 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4235 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4236 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_2: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4236 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [58.182.131.11]:4233 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [58.182.131.11]:4233 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_2: Received 6 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [58.182.131.11]:4233 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+Connection attempt to UDP 172.16.0.2:57897 from 85.214.103.56:53
+Connection attempt to UDP 172.16.0.2:60521 from 85.214.103.56:53
+TCP: [59.189.18.5]:1332 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [59.189.18.5]:1332 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [59.189.18.5]:1332 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [59.189.18.5]:1332 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [59.189.18.5]:1332 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (2) SYN|ACK
+TCP: [59.189.18.5]:1332 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (3) SYN|ACK
+TCP: [59.189.18.5]:1700 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [59.189.18.5]:1700 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [59.189.18.5]:1700 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [59.189.18.5]:1700 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [59.189.18.5]:1332 to [172.16.0.2]:25; syncache_timer: Retransmits 
exhausted, giving up and removing syncache entry
+TCP: [59.189.18.5]:1700 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [59.189.18.5]:1700 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (2) SYN|ACK
+TCP: [59.189.18.5]:1700 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (3) SYN|ACK
+Connection attempt to UDP 85.214.103.56:57111 from 88.191.254.7:53
+TCP: [59.189.18.5]:2189 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [83.40.210.36]:27836 to [172.16.0.2]:25 tcpflags 0x4<RST>; 
syncache_chkrst: Spurious RST without matching syncache entry (possibly 
syncookie only), segment ignored
+TCP: [59.189.18.5]:2189 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [59.189.18.5]:1700 to [172.16.0.2]:25; syncache_timer: Retransmits 
exhausted, giving up and removing syncache entry
+TCP: [59.189.18.5]:2189 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [59.189.18.5]:2189 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [59.189.18.5]:2189 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (2) SYN|ACK
+TCP: [59.189.18.5]:2189 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (3) SYN|ACK
+TCP: [213.5.169.184]:62636 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [213.5.169.184]:62636 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [213.5.169.184]:62636 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [213.5.169.184]:62636 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [59.189.18.5]:2189 to [172.16.0.2]:25; syncache_timer: Retransmits 
exhausted, giving up and removing syncache entry
+TCP: [213.5.169.184]:62636 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (2) SYN|ACK
+TCP: [213.5.169.184]:62636 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (3) SYN|ACK
+TCP: [193.43.150.242]:60772 to [85.214.103.56]:22 tcpflags 0x2<SYN>; 
tcp_input: Connection attempt to closed port
+Connection attempt to UDP 172.16.0.2:59259 from 85.214.103.56:53
+Connection attempt to UDP 172.16.0.2:52025 from 85.214.103.56:53
+TCP: [213.5.169.184]:62636 to [172.16.0.2]:25; syncache_timer: 
Retransmits exhausted, giving up and removing syncache entry
+TCP: [64.237.204.59]:64347 to [172.16.0.2]:25 tcpflags 0x4<RST>; 
syncache_chkrst: Spurious RST without matching syncache entry (possibly 
syncookie only), segment ignored
+Connection attempt to UDP 172.16.0.2:49575 from 85.214.103.56:53
+Connection attempt to UDP 172.16.0.2:49201 from 85.214.103.56:53
+Connection attempt to UDP 172.16.0.2:53140 from 85.214.103.56:53
+Connection attempt to UDP 172.16.0.2:60597 from 85.214.103.56:53
+TCP: [209.223.48.146]:36342 to [172.16.0.2]:25 tcpflags 0x4<RST>; 
syncache_chkrst: Spurious RST without matching syncache entry (possibly 
syncookie only), segment ignored
+TCP: [189.132.247.46]:3006 to [172.16.0.2]:25 tcpflags 0x14<RST,ACK>; 
syncache_chkrst: Spurious RST with ACK, SYN or FIN flag set, segment ignored
+TCP: [190.142.56.104]:1990 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [190.142.56.104]:1990 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [190.142.56.104]:2350 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [72.52.143.18]:38333 to [172.16.0.2]:25 tcpflags 0x4<RST>; 
syncache_chkrst: Spurious RST without matching syncache entry (possibly 
syncookie only), segment ignored
+TCP: [65.19.179.9]:1973 to [172.16.0.2]:25 tcpflags 0x4<RST>; 
syncache_chkrst: Spurious RST without matching syncache entry (possibly 
syncookie only), segment ignored
+TCP: [88.67.29.27]:62531 to [172.16.0.2]:25 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_2: Received 37 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [88.67.29.27]:62531 to [172.16.0.2]:25 tcpflags 0x11<FIN,ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
+TCP: [195.4.92.9]:25 to [172.16.0.2]:57654 tcpflags 0x18<PUSH,ACK>; 
tcp_do_segment: FIN_WAIT_1: Received 69 bytes of data after socket was 
closed, sending RST and removing tcpcb
+TCP: [213.133.109.71]:47054 to [172.16.0.2]:25 tcpflags 0x4<RST>; 
syncache_chkrst: Spurious RST without matching syncache entry (possibly 
syncookie only), segment ignored
+TCP: [202.164.234.72]:3775 to [172.16.0.2]:25 tcpflags 0x4<RST>; 
syncache_chkrst: Spurious RST without matching syncache entry (possibly 
syncookie only), segment ignored
+TCP: [207.217.120.84]:54387 to [172.16.0.2]:25 tcpflags 0x4<RST>; 
syncache_chkrst: Spurious RST without matching syncache entry (possibly 
syncookie only), segment ignored
+TCP: [207.217.120.84]:54387 to [172.16.0.2]:25 tcpflags 0x4<RST>; 
syncache_chkrst: Spurious RST without matching syncache entry (possibly 
syncookie only), segment ignored
+TCP: [220.226.52.141]:3655 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [220.226.52.141]:3655 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [220.226.52.141]:3655 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
+TCP: [220.226.52.141]:3655 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [217.255.195.182]:61347 to [172.16.0.2]:25 tcpflags 0x4<RST>; 
syncache_chkrst: Spurious RST without matching syncache entry (possibly 
syncookie only), segment ignored
+TCP: [220.226.52.141]:4446 to [172.16.0.2]:25; syncache_timer: Response 
timeout, retransmitting (1) SYN|ACK
+TCP: [220.226.52.141]:4446 to [172.16.0.2]:25 tcpflags 0x2<SYN>; 
syncache_add: Received duplicate SYN, resetting timer and retransmitting 
SYN|ACK
Received on Thu Jan 24 2008 - 08:48:27 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:26 UTC