2004-Apr-28

My wife told me that she could not visit http://www.universalcard.com/, http://www.gracobaby.com/ or http://www.wm.com/.

She is using firefox-0.8 (gtk2 version).

So I used a simple http command-line client (tnftp) and it couldn't get to them either:

-sh-2.05b# ftp -o a.html http://www.universalcard.com
ftp: Connect to address `192.193.210.24': Connection refused
ftp: Can't connect to www.universalcard.com: Connection refused

I got "Connection refused" for each of these.

I can visit many other websites fine from that system.

tcpdump from another system showed:

16:13:20.918919 192.168.0.99.2958 > 216.52.152.131.80: SWE [tcp sum ok]
4096571589:4096571589(0) win 5840  (DF) (ttl 64, id 25807, len 60)
0x0000   4500 003c 64cf 4000 4006 a429 c0a8 0063        E.. 192.168.0.99.2958: R [tcp sum ok]
0:0(0) ack 4096571590 win 5840  (DF) (ttl 36, id 25807, len 60)
0x0000   4500 003c 64cf 4000 2406 c029 d834 9883        E..

(The above is www.gracobaby.com: Connection refused.)

I can get to them fine directly from the Linux router. I can get to them fine from my NetBSD workstation on the same network.

But another Linux system with the same 2.6.3 kernel can't get to them either.

lynx reports "Alert!: Unable to connect to remote host." for the http://www.wm.com/ site and for the http://www.gracobaby.com/ site.

I found the answer:


-sh-2.05b# ftp -o a.html http://www.wm.com
ftp: Connect to address `156.101.1.30': Connection refused
ftp: Can't connect to www.wm.com: Connection refused

-sh-2.05b# cat /proc/sys/net/ipv4/tcp_ecn
1

-sh-2.05b# echo 0 > /proc/sys/net/ipv4/tcp_ecn

-sh-2.05b# ftp -o a.html http://www.wm.com
Requesting http://www.wm.com
100% |*************************************| 37225      24.84 KB/s    00:00 ETA
37225 bytes retrieved in 00:01 (24.83 KB/s)

-sh-2.05b# echo 1 > /proc/sys/net/ipv4/tcp_ecn

-sh-2.05b# ftp -o a.html http://www.gracobaby.com
ftp: Connect to address `216.52.152.131': Connection refused
ftp: Can't connect to www.gracobaby.com: Connection refused

-sh-2.05b# echo 0 > /proc/sys/net/ipv4/tcp_ecn

-sh-2.05b# ftp -o a.html http://www.gracobaby.com
Requesting http://www.gracobaby.com
100% |*************************************| 23465      43.61 KB/s    00:00 ETA
23465 bytes retrieved in 00:00 (43.59 KB/s)

The kernel was configured with: CONFIG_INET_ECN=y

It is: "Explicit Congestion Notification (ECN) allows routers to notify clients about network congestion, resulting in fewer dropped packets and increased network performance. ... there are many broken firewalls which refuse connections from ECN-enabled machines, and it may be a while before these firewalls are fixed. Until then, to access a site behind such a firewall (some of which are major sites, at the time of this writing) you will have to disable this option." (From Linux kernel documentation.)
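The symptom in the tcpdump capture above (a SYN carrying the ECN flags, shown as "SWE", answered by a reset) can be picked out of a capture automatically. The following is an added example, not part of the original post: it parses old-style tcpdump summary lines and reports connections whose ECN-setup SYN drew a RST. The function name and the sample lines are constructed for illustration, and the sample uses documentation addresses.

```python
import re

# Old-style tcpdump summary line, as in the capture above:
#   time src.port > dst.port: FLAGS [tcp sum ok] seq:seq(len) [ack N] win ...
LINE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3}\.\d+) > (?P<dst>\d+(?:\.\d+){3}\.\d+): "
    r"(?P<flags>[SFPRWE.]+) .*?(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)

def find_ecn_resets(lines):
    """Return (client, server) pairs whose ECN-setup SYN (S+W+E) drew a RST."""
    pending = {}  # (client, server) -> sequence number of the ECN-setup SYN
    hits = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        if "S" in flags and m["ack"] is None:
            # Initial SYN: track it only if it requests ECN (ECE and CWR set).
            if "E" in flags and "W" in flags:
                pending[(src, dst)] = int(m["seq"])
            else:
                pending.pop((src, dst), None)
        elif (dst, src) in pending and m["ack"] is not None:
            # First reply to a tracked SYN: RST acking seq+1 is the symptom,
            # anything else (e.g. SYN-ACK) means the handshake went ahead.
            syn_seq = pending.pop((dst, src))
            if "R" in flags and int(m["ack"]) == (syn_seq + 1) % 2**32:
                hits.append((dst, src))
    return hits

# Constructed sample (RFC 5737 documentation addresses), one packet per line.
SAMPLE = """\
12:00:00.000100 192.0.2.10.40001 > 198.51.100.7.80: SWE [tcp sum ok] 1000000:1000000(0) win 5840 (DF) (ttl 64, id 7, len 60)
12:00:00.050200 198.51.100.7.80 > 192.0.2.10.40001: R [tcp sum ok] 0:0(0) ack 1000001 win 5840 (DF) (ttl 36, id 7, len 60)
12:00:01.000100 192.0.2.10.40002 > 203.0.113.5.80: SWE [tcp sum ok] 2000000:2000000(0) win 5840 (DF) (ttl 64, id 8, len 60)
12:00:01.040300 203.0.113.5.80 > 192.0.2.10.40002: SE [tcp sum ok] 7000000:7000000(0) ack 2000001 win 5792 (DF) (ttl 52, id 0, len 60)
12:00:02.000100 192.0.2.10.40003 > 203.0.113.5.81: S [tcp sum ok] 3000000:3000000(0) win 5840 (DF) (ttl 64, id 9, len 60)
12:00:02.040300 203.0.113.5.81 > 192.0.2.10.40003: R [tcp sum ok] 0:0(0) ack 3000001 win 0 (DF) (ttl 52, id 0, len 40)
""".splitlines()

if __name__ == "__main__":
    for client, server in find_ecn_resets(SAMPLE):
        print(f"ECN-setup SYN from {client} was reset by {server}")
```

A hit only points at a suspect path; retrying the same connection with tcp_ecn set to 0, as in the session above, is what confirms that ECN is the cause.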