[vox-tech] Webserver Woes: Lost Packets

Chanoch (Ken) Bloom kbloom at gmail.com
Sun Oct 17 18:59:25 PDT 2010 

On Sun, Oct 17, 2010 at 06:04:58PM -0400, Peter Salzman wrote:
> I'm having trouble with Apache running on satan (192.162.0.2).  At
> some point I must have changed something, and it stopped working.
> 
> There are two virtual hosts:
> 
> 1. /etc/apache2/sites-enabled/000-default
> 
> <VirtualHost *:80>
>    ServerAdmin p at dirac.org
>    DocumentRoot /var/www
>    <Directory />
>       Options FollowSymLinks
>       AllowOverride None
>    </Directory>
> 
>    <Directory /var/www/>
>       Options Indexes FollowSymLinks MultiViews
>       AllowOverride None
>       Order allow,deny
>       allow from all
>    </Directory>
> 
>    ErrorLog /var/log/apache2/error.log
>    LogLevel debug
> 
>    CustomLog /var/log/apache2/access.log combined
> 
> </VirtualHost>
> 
> 
> 2. /etc/apache2/sites-enabled/001-dirac.org  (the one I want to work)
> 
> <VirtualHost *:80>
>    ServerAdmin p at dirac.org
>    ServerName  www.dirac.org
>    ServerAlias dirac.org
> 
>    DirectoryIndex index.html
>    DocumentRoot /var/www/
> 
>    LogLevel debug
>    ErrorLog  /var/log/apache2/dirac.org.error
>    CustomLog //var/log/apache2/dirac.org.access combined
> </VirtualHost>
> 
> The /etc/hostname file contains "satan".   The /etc/hosts file contains:
> 
> 192.168.0.2  satan
> 192.168.0.2  dirac.org
> 192.168.0.2  www.dirac.org
> 
> 
> 
> 
> I'm seeing different behaviors depending on whether I'm on the home
> network or outside the home network.
> 
> From the home network I can access the webserver from any computer by
> pointing a browser to http://dirac.org, http://www.dirac.org,
> http://192.168.0.2, http://24.189.162.69/, or http://satan.   When I
> access www.dirac.org or dirac.org, /var/log/apache/dirac.org.access
> gets larger.   When I access satan, 192.168.0.2, or 24.189.162.69 (my
> external IP),  /var/log/apache2/access.log gets larger.  No surprises
> here.
> 
> From outside the home network, I can't access the webserver at all,
> and as expected, none of the logs get larger.  It's clear that Apache
> simply isn't seeing anything, otherwise, the logs would increase in
> size.
> 
> I don't think it's a firewall issue because tcpdump sees external www
> requests coming from.  From external IP 10.37.247.64 (an iPhone on the
> 3G network), I point Safari to "http://www.dirac.org" and this is what
> tcpdump reports:
> 
> root at satan:/var/log/apache2# tcpdump -vv -i eth0 tcp port 80 | grep cingular
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>     satan.www > mobile-166-137-137-082.mycingular.net.4445: Flags
> [S.], cksum 0x4d17 (correct), seq 305106526, ack 4022190454, win 5792,
> options [mss 1460,sackOK,TS val 1210510762 ecr 842475580,nop,wscale
> 6], length 0
>     mobile-166-137-137-082.mycingular.net.5878 > satan.www: Flags [S],
> cksum 0x3dc6 (correct), seq 1346585780, win 65535, options [mss
> 1410,nop,wscale 2,nop,nop,TS val 842476145 ecr 0,sackOK,eol], length 0
>     satan.www > mobile-166-137-137-082.mycingular.net.5878: Flags
> [S.], cksum 0xcafe (correct), seq 1206576348, ack 1346585781, win
> 5792, options [mss 1460,sackOK,TS val 1210513399 ecr
> 842476145,nop,wscale 6], length 0
>     mobile-166-137-137-082.mycingular.net.5878 > satan.www: Flags [S],
> cksum 0x3dbc (correct), seq 1346585780, win 65535, options [mss
> 1410,nop,wscale 2,nop,nop,TS val 842476155 ecr 0,sackOK,eol], length 0
>     satan.www > mobile-166-137-137-082.mycingular.net.5878: Flags
> [S.], cksum 0xcafe (correct), seq 1206576348, ack 1346585781, win
> 5792, options [mss 1460,sackOK,TS val 1210513399 ecr
> 842476145,nop,wscale 6], length 0
> 
> Packets from the iPhone are seen coming in.  And packets are being
> sent back out to the iPhone.  However, Safari errors out with a
> "Cannot open Page" error.  Furthermore, neither
> /var/log/apache2/access.log no /var/log/apache2/dirac.org.access get
> larger.
> 
> On one hand it's "obvious" that Apache isn't seeing these packets from
> the iPhone because the logs aren't increasing in size.  On the other
> hand, it's not "obvious" because .. why are packets being sent from
> satan.www to mycingular.net?
> 
> I'm really stumped.  Any ideas?

The packets you see going from satan.www to mycingular.net are SYN-ACK
packets, which are the second part of the three-way handshake used to
open a TCP connection. That is, satan is responding to the iPhone and
agreeing to open a connection. For some reason, the iPhone doesn't see
this response (or just doesn't respond with the ACK that is the third
part of the three-way handshake).

Your apache configuration has nothing to do with a problem at this
level.

--Ken

-- 
Chanoch (Ken) Bloom. PhD candidate. Linguistic Cognition Laboratory.
Department of Computer Science. Illinois Institute of Technology.
http://www.iit.edu/~kbloom1/

More information about the vox-tech mailing list