I tried to get Actiontec (the vendor of the gateway router) to respond but without any luck, so I approached Oracle support. To my surprise, I got some very good and prompt responses back from Oracle support. Service Request Number: SR 3-5661194891. I will create a PDF file out of this service request when it is finally completed and closed.
After a few days of back-and-forth troubleshooting and information gathering, Oracle support determined it is the abnormal window size Actiontec is using that causes Solaris 11 (starting from later versions of Solaris 10) to block the packets for security reasons - "the tunable tcp_init_wnd_chk (to disable the security protection against the window size attacks) is not working".
The workaround did not work due to a compiler compatibility issue on the x86/x64 platform. The tech support helped create a bug fix ticket internally (the bug created is 7167477).
Even though the root cause is Actiontec's window size, I haven't gotten any feedback from them since May 4th.
The service from Oracle/Sun is obviously much better than Actiontec's, without a doubt.
....... waiting for an IDR from 05/13/2012 to 06/21/2012 .......
I got a notification from SUN support today (06/21/2012) saying an IDR (Interim Diagnostic/Relief) from the engineering team is ready for me to test.
The installation failed partially.....
Hi,
a new version of the IDR (Interim Diagnostic/Relief) 232 has been uploaded to this service request.
Please check the attachment section of this service request where you should be able to find a file called idr232.2.p5p
Download the file idr232.2.p5p and install it by using the command "pkg install -g ./idr232.2.p5p idr232". See document 1452392.1 for more information about Solaris 11 IDRs and how to apply or remove them.
A reboot is required after the IDR installation to activate the fix.
Once the fix is active you should be able to tune the lowest allowed initial window size to be even lower than an Ethernet packet.
This can be done by using /etc/system and adding a line such as
set ip:tcp_init_wnd_chk = 512
(or use an even lower value such as 100).
Please note that after any change in /etc/system another reboot is required to activate the new setting.
Please let me know if this IDR works for you and allows you to tune the window size checks until you get the final fix from your firewall vendor. Thanks.
Best regards,
Wolfgang Ley.
Code:
%pkg install -g ./idr232.2.p5p idr232
Packages to install: 1
Packages to update: 1
Create boot environment: Yes
Create backup boot environment: No
DOWNLOAD PKGS FILES XFER (MB)
Completed 2/2 8/8 0.8/0.8$<3>
PHASE ACTIONS
Removal Phase 1/1
Install Phase 7/7
Update Phase 4/4
PHASE ITEMS
Package State Update Phase 3/3
Package Cache Update Phase 1/1
Image State Update Phase 2/2
PHASE ITEMS
Reading Existing Index 8/8
Indexing Packages 2/2
pkg: '/sbin/bootadm update-archive -R /tmp/tmpsImdFP' failed.
with a return code of 1.
A clone of solaris exists and has been updated and activated.
On the next boot the Boot Environment solaris-1 will be
mounted on '/'. Reboot when ready to switch to this updated BE.
Code:
%pkg info idr232
pkg: info: no packages matching the following patterns you specified are
installed on the system. Try specifying -r to query remotely:
idr232