IP truncated-ip - 4 bytes missing!

We are not able to reach the homepage http://www.citibank.de.
The TCP SYN is answered from www.citibank.de with a TCP SYN ACK.
This TCP SYN ACK is malformed.
tcpdump says: "IP truncated-ip - 4 bytes missing!" with a window size of
0 and missing mss.
ethereal says: "[Malformed Packet: TCP] with incorrect checksum.

This TCP SYN ACK is not forwarded to the PC which requested the connection.

We are using a linux router with Suse 9.1 on a x86.
The Uplink to the internet is ADSL with PPPoE. The server use NAT for IP
address masquerading. The Suse Firewall is also active.

Every thing works fine except the connections to www.citibank.de.

The only one - I found at the Web - who had the same problems, uses a
FritzBox. But after a firmware update, it worked for him.

Are there any statistics, where the drops are counted?
ip -s link and ifstats are without errors.

Regards,
Thomas

On Wed, 09 Mar 2005 00:07:11 +0100, Thomas Molkenbur wrote:
> We are not able to reach the homepage http://www.citibank.de.

Worked for me. Try the ip address 192.193.137.25 and see if it fails.


$ host www.citibank.de
www.citibank.de has address 192.193.137.25

Bit Twister schrieb:
> Worked for me. Try the ip address 192.193.137.25 and see if it fails.

Yes, I already tried this.
I would not able to send a TCP SYN to a host, if the DNS lookup failed
before.

And remember, I got an answer from 192.193.137.25.
But this answer might be the problem.

Regards,
Thomas

Thomas Molkenbur schrieb:
> We are not able to reach the homepage http://www.citibank.de.
> The TCP SYN is answered from www.citibank.de with a TCP SYN ACK.
> This TCP SYN ACK is malformed.
> tcpdump says: "IP truncated-ip - 4 bytes missing!" with a window size of
> 0 and missing mss.
> ethereal says: "[Malformed Packet: TCP] with incorrect checksum.
>

Here are the two frames:
Bei mir sieht das Antwortpaket (SYN ACK) noch etwas anders aus.
Hier die Ethereal-Ausgabe des SYN und des SYN ACKs:

Frame 15 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src Addr: 80.133.151.114 (80.133.151.114), Dst Addr:
192.193.117.25 (192.193.117.25)
Transmission Control Protocol, Src Port: 23302 (23302), Dst Port: http
(80), Seq: 0, Ack: 0, Len: 0
Source port: 23302 (23302)
Destination port: http (80)
Sequence number: 0
Header length: 40 bytes
Flags: 0x0002 (SYN)
Window size: 5808
Checksum: 0xbad2 (correct)
Options: (20 bytes)

Frame 16 (56 bytes on wire, 56 bytes captured)
Linux cooked capture
Internet Protocol, Src Addr: 192.193.117.25 (192.193.117.25), Dst Addr:
80.133.151.114 (80.133.151.114)
Transmission Control Protocol, Src Port: http (80), Dst Port: 23302
(23302), Seq: 144111825, Ack: 1294171179
Source port: http (80)
Destination port: 23302 (23302)
Short segment. Segment/fragment does not contain a full TCP header
(might be NMAP or someone else deliberately sending unusual packets)
Sequence number: 144111825
Acknowledgement number: 1294171179
Header length: 24 bytes
Flags: 0x0012 (SYN, ACK)
Window size: 0
Checksum: 0x5a12 (incorrect, should be 0x5bf3)
Options: (4 bytes)
[Malformed Packet: TCP]

Hope anybody has an idea how to get the router to forward this (Frame 16).

Regards,
Thomas