For some reason the other side of the communication did not resend the missing packet but kept on sending new packets. As Juergen suggested, disabling SACK kind-of-solved the problem. It only kind-of-solved the problem, because I still don’t know who is misbehaving: the endpoint, my firewall or my ISP. For now I have a solution that works and that is about all the time I am willing to invest before Christmas.
Solution / Workaround
To disable SACKs for TCP use ndd to set the tcp_sack_permitted parameter for tcp. A value of 1 tells OpenSolaris (and Solaris) to enable SACK only for connections that have the SACK allowed flag set in their

The default value is 2, which actively advertises SACK in the initial SYN packet sent out by OpenSolaris. I did not test whether I should rather have set tcp_sack_permitted to 0. This might be necessary if connections initiated from the Internet advertise SACK and the same problems happen again. Currently I am not inclined to expose my OpenSolaris box to the Internet, so I can’t test this. I’ll keep tcp_sack_permitted set to 1, so my internal connections might benefit from it.
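The following is an added example, not code from the original post: it parses the options field of a peer's SYN or SYN-ACK and models which connections end up using SACK under each tcp_sack_permitted value (0 = never, 1 = accept only, 2 = advertise and accept). The function names are hypothetical and the option bytes are constructed samples.

```python
SACK_PERMITTED = 4  # TCP option kind "SACK-permitted" (RFC 2018)

def parse_tcp_options(opts: bytes) -> dict:
    """Walk the TLV-encoded TCP options field; return {kind: value_bytes}."""
    found, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation: single padding byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]     # length covers kind + length + value
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found[kind] = opts[i + 2:i + length]
        i += length
    return found

def sack_negotiated(setting: int, we_initiate: bool, peer_opts: bytes) -> bool:
    """Model of the three tcp_sack_permitted values (assumed semantics:
    0 = disabled, 1 = accept if the peer offers, 2 = also offer actively)."""
    peer_offers = SACK_PERMITTED in parse_tcp_options(peer_opts)
    if setting == 0:
        return False
    if we_initiate:
        # Our SYN carries SACK-permitted only with setting 2; a peer should
        # only echo the option in its SYN-ACK if our SYN contained it.
        return setting == 2 and peer_offers
    # Passive open: settings 1 and 2 both accept a peer's offer.
    return peer_offers

# Constructed samples: MSS 1460, then NOP NOP SACK-permitted / MSS only.
PEER_WITH_SACK = bytes.fromhex("020405b401010402")
PEER_WITHOUT_SACK = bytes.fromhex("020405b4")

if __name__ == "__main__":
    for setting in (0, 1, 2):
        for we_initiate in (True, False):
            used = sack_negotiated(setting, we_initiate, PEER_WITH_SACK)
            side = "outbound" if we_initiate else "inbound"
            print(f"tcp_sack_permitted={setting} {side}: SACK used = {used}")
```

With the value 1, outbound connections never use SACK, while inbound connections from a peer that offers it still do, which is the case that would require the value 0.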