Web pages protected by a Linux Access Gateway are randomly missing web objects

  • 7005507
  • 18-Mar-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3 Linux Access Gateway Service Pack 4
Novell Access Manager 3.1 Linux Access Gateway Service Pack 1

Situation

  • Web pages protected by a Linux Access Gateway are randomly missing web objects
  • Retrieving web pages protected by a Linux Access Gateway seems to be very slow
  • Files downloaded through a Linux Access Gateway are broken
    (See KB 7000478: Problem downloading pdf files on Linux Access Gateway)
  • The problem occurs both when the Linux Access Gateway runs as a VMware guest and when it runs on a real hardware platform

Resolution

This issue is caused by the TCP segmentation offload (TSO) process provided by the network interface card.
To turn off TCP segmentation offload, create a script that is called each time the NIC is started by the "ifup" process.

For a Linux Access Gateway running on "SLES9", network configuration files are stored in the "/etc/sysconfig/network" directory. Ethernet card configuration file names are built as "ifcfg-eth-id-[Mac-Address]". Note: The "ETHTOOL_OPTIONS=''" parameter cannot be used with SLES9. This configuration file parameter is only available on SLES10.

Depending on your setup and the number of network cards available, edit the related configuration file ("ifcfg-eth-id-[Mac-Address]") and add the following directive at the end: "POST_UP_SCRIPT='eth0'", where "eth0" is the name of the script created in the next step. The default directory for "POST_UP_SCRIPT", "PRE_DOWN_SCRIPT" and "POST_DOWN_SCRIPT" is "/etc/sysconfig/network/scripts".

Create the following script and flag it executable (chmod 770):
===============================================
#!/bin/bash
# Disable TCP segmentation offload (TSO) on eth0 once the interface is up.

ETHTOOL=$(which ethtool)
"${ETHTOOL}" -K eth0 tso off
===============================================

If you would like to log information to the "/var/log/messages" file, you can run the following script instead:

===============================================
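#!/bin/bash
# Disable TSO on eth0 and log the offload settings before and after the change.

ETHTOOL=$(which ethtool)

logger "====== Start NIC Configscript ========"
logger "====== Actual Settings ==============="
# Lower-case -k only displays the current offload settings
"${ETHTOOL}" -k eth0 2>&1 | logger
logger "====== Apply Settings ================"
# Upper-case -K changes a setting (no exec, so the script continues afterwards)
"${ETHTOOL}" -K eth0 tso off 2>&1 | logger
logger "======= New Settings  ================"
"${ETHTOOL}" -k eth0 2>&1 | logger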
===============================================

Additional Information

To review your current network card settings, use "ethtool -k eth{n}", where "n" is the logical number of your interface.

Example:

lag1:~> ethtool -k eth0
Offload parameters for eth0:
Cannot get device flags: Operation not supported
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp segmentation offload: off
udp fragmentation offload: off
generic segmentation offload: off
large receive offload: off
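
The review step above can be scripted so that an interface with TSO still enabled is flagged after "ifup". The following is an added example, not part of the original TID: it parses "ethtool -k" output in the format shown above and, going beyond that format, also accepts the hyphenated "tcp-segmentation-offload" label printed by newer ethtool versions. The function names, the "tso-check" logger tag and the sample outputs are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the original TID): verify TSO state from "ethtool -k" output.

# tso_state: read "ethtool -k" output on stdin and print on, off or unknown.
# Accepts the older label "tcp segmentation offload" (as in the output above)
# and the hyphenated "tcp-segmentation-offload" printed by newer ethtool builds.
tso_state() {
    awk -F': *' '
        tolower($1) ~ /^[ \t]*tcp[- ]segmentation[- ]offload$/ {
            split($2, v, " ")        # drop a trailing "[fixed]" marker
            state = v[1]
        }
        END {
            if (state == "on" || state == "off") print state
            else print "unknown"
        }'
}

# check_iface IFACE: return 0 if TSO is off, 1 if still on, 2 if undetermined.
check_iface() {
    local state
    state=$(ethtool -k "$1" 2>/dev/null | tso_state)
    case "$state" in
        off) return 0 ;;
        on)  logger -t tso-check "TSO still enabled on $1"; return 1 ;;
        *)   return 2 ;;
    esac
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OLD='Offload parameters for eth0:
Cannot get device flags: Operation not supported
rx-checksumming: on
tcp segmentation offload: on
generic segmentation offload: off'

SAMPLE_NEW='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: off
    tx-tcp-segmentation: off
generic-segmentation-offload: on'

printf 'old format: %s\n' "$(printf '%s\n' "$SAMPLE_OLD" | tso_state)"
printf 'new format: %s\n' "$(printf '%s\n' "$SAMPLE_NEW" | tso_state)"
```

Calling "check_iface eth0" as the last line of the POST_UP_SCRIPT writes a message to the system log whenever the "tso off" setting did not take effect.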

A LAN trace usually shows over-sized Ethernet frames (even larger than Gigabit Ethernet jumbo frames would allow, e.g. 32000 bytes) and packet loss at the browser client receiving web objects (very high retransmission count). The LAN trace should be taken with a Wireshark workstation (or any other tool) using port mirroring on the connecting L2 switch, not directly on the LAG using tcpdump.