Pages: [1]
  Print  
Author Topic: Constant " Blocked incoming TCP Ack packet" messages in log  (Read 12145 times)
rmontrose
Level 1 Member
*
Posts: 1


« on: November 27, 2011, 12:22:18 AM »

Using a Samsung Galaxy S2, iPod Touch 3rd Gen, and Nook Color, they are all experiencing retry problems, even when 3 feet from the DIR-601. When I use them my log gets filled with messages like:


Blocked incoming TCP Ack packet from 192.168.100.201:2926 to 209.85.145.113:80 with unexpected sequence


On the devices I see the downloads/content taking a long time to appear and often I get a blank page or "Retry" messages.

I purchased two DIR-601s and get the same problem with both. They are both running 1.02NA firmware. The WLAN is Time Warner cable modem. Prior to this I had a Linksys WRT-54 that gave great performance, though just at B/G speeds. I was hoping for a performance boost but right now the N speeds are slower than B with the retries. Any suggestions?
Logged
FurryNutz
Poweruser
  ▲
▲ ▲
*****
Posts: 27604


D-Link Global Forum Moderator


WWW
« Reply #1 on: November 27, 2011, 01:27:20 PM »

What Hardware version is your router?
What Firmware version is currently loaded?

Ensure DNS IP addresses are being filled in under Setup/Internet/Manual? You can copy and paste these from under Status/Device Info/Wan section.
Turn off ALL QoS (DIR only) GameFuel (DGL only and if ON.) options.
Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual.
Turn on DNS Relay under Setup/Networking.
Setup DHCP reserved IP addresses for all devices on the router.
Ensure devices are set to auto obtain an IP address.
Set Firewall settings to Endpoint Independent for TCP and UDP.

What wireless modes are you using?
Try single mode G or mixed G and N?
What security mode are you using? WEP, WPA or WPA2? Preferred is WPA-Personal. WPA2/Auto TPIK and AES.
What wireless devices do you have connected?
Any cordless house phones?
Any other WiFi routers in the area?
Turn off Short GI under Advanced/Adv. Wireless.
Logged

Cable:50mb/3Mb>Motorola SB6180>DGL-5500>HP 24pt Gb Switch. 3x4500s,DGL-5500,DIR-857,835,827,880L,868L,865L,826L,810L,685,657,3x655,645,601,DNS-345,DCS-933L and a Boxee.
Go Here>Router Troubleshooting
jeffstearns
Level 1 Member
*
Posts: 1


« Reply #2 on: December 06, 2011, 12:57:21 PM »

I confirm this bug. I see it on a new DIR-601 (hardware version A1) running factory firmware 1.01NA, and also with upgraded firmware 1.02NA.

By snooping Ethernet traffic on the wire, I can see the bug in action. The router incorrectly drops some valid TCP Ack packets.

I spent an hour on the phone describing the problem to D-Link level 1, 2, and 3 technicians. That was generally a waste of my time.  They aren't really prepared to help with a technical problem like this.

They did offer one suggestion: On the ADVANCED -> FIREWALL SETTINGS page, set both UDP Endpoint Filtering and TCP Endpoint Filtering to "endpoint independent".  I made this change and determined that it didn't fix the problem, but it's all that D-Link technical support could suggest.

I do have a suggestion of my own.  I suspect that stateful packet inspection is broken in this version of the firmware.  I recommend going to the ADVANCED -> FIREWALL SETTINGS page and de-selecting the Enable SPI checkbox.  After 20 hours of testing with this setting, the bug hasn't recurred.

[I see that there are other postings about this bug. I asked D-Link technical support to please post a response, but the level 3 technician told me that they're not allowed to post anything to this support forum. What a strange company.]
« Last Edit: December 07, 2011, 01:30:19 PM by jeffstearns » Logged
FurryNutz
Poweruser
  ▲
▲ ▲
*****
Posts: 27604


D-Link Global Forum Moderator


WWW
« Reply #3 on: December 06, 2011, 01:03:19 PM »

What Hardware version is your router?
What Firmware version is currently loaded?

I confirm this bug.  I spent an hour on the phone describing it to D-Link level 1, 2, and 3 technicians.  That was generally a waste of my time.  They aren't really prepared to help with a technical problem like this.

They did offer one suggestion: On the ADVANCED -> FIREWALL SETTINGS page, set both UDP Endpoint Filtering and TCP Endpoint Filtering to "endpoint independent".  I made this change and determined that it didn't help, but it's all that D-Link technical support could suggest.

I do have a suggestion of my own.  I suspect that stateful packet inspection is broken in this version of the firmware.  I recommend going to the ADVANCED -> FIREWALL SETTINGS page and de-selecting the Enable SPI checkbox.  After 15 minutes of testing with this setting, the bug hasn't recurred.

[I see that there are other postings about this bug. I asked D-Link technical support to please post a response, but the level 3 technician told me that they're not allowed to post anything to this support forum. What a strange company.]
Logged

Cable:50mb/3Mb>Motorola SB6180>DGL-5500>HP 24pt Gb Switch. 3x4500s,DGL-5500,DIR-857,835,827,880L,868L,865L,826L,810L,685,657,3x655,645,601,DNS-345,DCS-933L and a Boxee.
Go Here>Router Troubleshooting
coredumperror
Level 1 Member
*
Posts: 1


« Reply #4 on: February 25, 2012, 04:03:35 PM »

Just wanted to let anyone who has also been having this problem know: jeffstearns' fix worked for me.  I haven't seen a single log message about dropped Ack packets, or had any browsing issues at all since I disabled SPI.
Logged
FurryNutz
Poweruser
  ▲
▲ ▲
*****
Posts: 27604


D-Link Global Forum Moderator


WWW
« Reply #5 on: February 26, 2012, 09:52:48 AM »

it's not recommended to turn SPI off, This is turning off the firewall and the routers protection for devices connected to the router. These messages are the function of the router and the router is just reporting what is going on in the logs. If there is a problem with a connection or getting an application connected then there is some troubleshooting and configuration of the router that needs to be done to get those connected right.
Turning OFF SPI means your connected devices are now vulnerable and open to many attacks.

Logged

Cable:50mb/3Mb>Motorola SB6180>DGL-5500>HP 24pt Gb Switch. 3x4500s,DGL-5500,DIR-857,835,827,880L,868L,865L,826L,810L,685,657,3x655,645,601,DNS-345,DCS-933L and a Boxee.
Go Here>Router Troubleshooting
pipeti
Level 1 Member
*
Posts: 1


« Reply #6 on: February 27, 2014, 11:58:32 AM »

Hi,

Old forum, I know, but maybe someone encountering the same problem these days, too.
I have a DIR652, but the same problem (luckily, I could improve the situation).
I'm behind double NAT (ISP is doing NAT, with rate and connection limit) and my home router is doing NAT, of course. So connection quality was really bad in some cases, with dropped ACK and random packet drops in TCP connections. Typically, applications which are opening many TCP connections to download did suffer (not really talking about torrent, but things like youtube, gmail which are accessing content delivery networks, e.g. akamai).
So, how I could improve my situation and keep SPI and other firewall functions ON: I enabled WAN traffic shaping and Automatic upload speed detection. Bad luck, if this is not available in your models... Sad
Hope this helps some. Good luck'
Logged
FurryNutz
Poweruser
  ▲
▲ ▲
*****
Posts: 27604


D-Link Global Forum Moderator


WWW
« Reply #7 on: February 27, 2014, 12:17:00 PM »

It's recommended if your having the ISP do the NAT, either put the DIRs IP address it gets from the ISP NAT into the ISPs DMZ or bridge the ISP modem and use the DIR has the main host router or NAT.

There maybe conflicts in NAT and Firewall that maybe going on and causing some incorrect blocking of traffic.

Thank you for sharing.

Hi,

Old forum, I know, but maybe someone encountering the same problem these days, too.
I have a DIR652, but the same problem (luckily, I could improve the situation).
I'm behind double NAT (ISP is doing NAT, with rate and connection limit) and my home router is doing NAT, of course. So connection quality was really bad in some cases, with dropped ACK and random packet drops in TCP connections. Typically, applications which are opening many TCP connections to download did suffer (not really talking about torrent, but things like youtube, gmail which are accessing content delivery networks, e.g. akamai).
So, how I could improve my situation and keep SPI and other firewall functions ON: I enabled WAN traffic shaping and Automatic upload speed detection. Bad luck, if this is not available in your models... Sad
Hope this helps some. Good luck'
Logged

Cable:50mb/3Mb>Motorola SB6180>DGL-5500>HP 24pt Gb Switch. 3x4500s,DGL-5500,DIR-857,835,827,880L,868L,865L,826L,810L,685,657,3x655,645,601,DNS-345,DCS-933L and a Boxee.
Go Here>Router Troubleshooting
Pages: [1]
  Print  
 
Jump to:  

Theme by webtechnica.com.