networking network_error ai_generated partial

TCP: tcp_retransmit_timer: jiffies=12345678, rto=300, retransmits=3, skb lost due to peer not receiving timestamps

ID: networking/tcp-timestamps-retransmit

Fix Rate: 82%
Confidence: 85%
Evidence: 1
First Seen: 2024-03-15

Version Compatibility

Version | Status | Introduced | Deprecated | Notes
Linux kernel 5.15.0-91-generic | active | - | - | -
Linux kernel 6.2.0-26-generic | active | - | - | -
iptables 1.8.7 | active | - | - | -

Root Cause

The remote peer is dropping segments with TCP timestamps (RFC 1323) due to a misconfigured firewall or kernel module that strips or invalidates the timestamp option, causing the sender to retransmit indefinitely until the connection times out.
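
Added example (not part of the original entry): one way to confirm this root cause is to capture the same SYN on the sender and on the receiver and compare the state of the timestamp option (kind 8) in each. All function names are hypothetical and the sample headers are constructed for illustration.

```python
import struct
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8

def parse_tcp_options(tcp_header: bytes) -> list:
    """Return [(kind, data), ...] from a raw TCP header (no IP header)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    hdr_len = (tcp_header[12] >> 4) * 4          # data offset, in bytes
    if hdr_len < 20 or hdr_len > len(tcp_header):
        raise ValueError("bad data offset")
    raw, opts, i = tcp_header[20:hdr_len], [], 0
    while i < len(raw) and raw[i] != TCPOPT_EOL:
        if raw[i] == TCPOPT_NOP:                 # single-byte padding option
            opts.append((TCPOPT_NOP, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError(f"malformed option kind={raw[i]} at offset {i}")
        opts.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return opts

def timestamp_state(tcp_header: bytes) -> str:
    """'present', 'absent' or 'invalid' for the timestamp option (kind 8)."""
    try:
        opts = parse_tcp_options(tcp_header)
    except ValueError:
        return "invalid"
    for kind, data in opts:
        if kind == TCPOPT_TIMESTAMP:             # TSval + TSecr = 8 data bytes
            return "present" if len(data) == 8 else "invalid"
    return "absent"

def diagnose(sent: bytes, received: bytes) -> str:
    """Compare the same SYN captured at the sender and at the receiver."""
    s, r = timestamp_state(sent), timestamp_state(received)
    if s == "present" and r != "present":
        return f"timestamp option {r} at receiver: altered in path"
    return "timestamp option unchanged in path"

def build_syn(options: bytes) -> bytes:
    """Constructed sample data: a SYN header for ports 40000 -> 443."""
    options += b"\x01" * (-len(options) % 4)     # pad to a 32-bit boundary
    off = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, off << 4, 2, 64240, 0, 0) + options

# Constructed samples: MSS, SACK-permitted, then the timestamp option.
BASE = b"\x02\x04\x05\xb4\x04\x02"
SENT = build_syn(BASE + b"\x08\x0a" + struct.pack("!II", 12345678, 0))
STRIPPED = build_syn(BASE + b"\x01" * 10)        # option overwritten with NOPs
MANGLED = build_syn(BASE + b"\x08\x06" + b"\x00" * 4)   # wrong option length
```

Feed it the TCP header bytes of matching packets from both captures; a "present" to "absent" or "invalid" transition points at a device in the path rather than at either endpoint's kernel settings.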


Official Documentation

https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

Workarounds

  1. 75% success: Disable TCP timestamps only on the affected interface using iptables: iptables -A OUTPUT -o eth0 -p tcp --tcp-flags SYN SYN -j TCPMSS --clamp-mss-to-pmtu && iptables -A OUTPUT -o eth0 -p tcp -j DROP --tcp-option 8
  2. 88% success: Configure the firewall to allow TCP option 8 (timestamps) through: iptables -A FORWARD -p tcp -m tcp --tcp-option 8 -j ACCEPT
  3. 80% success: In cloud environments, add a network ACL rule to permit TCP flags with timestamps: e.g., AWS NACL inbound rule: TCP, source 0.0.0.0/0, allow, TCP flags: SYN, ACK, FIN, RST.


Dead Ends

Common approaches that don't work:

  1. 65% fail

    Disabling timestamps can cause performance degradation in high-latency networks and may not address the root cause if the firewall is stripping them at a different layer.

  2. 85% fail

    This only masks the symptom by allowing more retransmissions; the connection will still eventually time out and the underlying packet drop persists.

  3. 90% fail

    The issue is not driver-specific; it is caused by firewall or middlebox behavior. Downgrading introduces regression risks and rarely solves the problem.