Skip to main content
NetApp Response to Russia-Ukraine Cyber Threat
In response to the recent rise in cyber threat due to the Russian-Ukraine crisis, NetApp is actively monitoring the global security intelligence and updating our cybersecurity measures. We follow U.S. Federal Government guidance and remain on high alert. Customers are encouraged to monitor the Cybersecurity and Infrastructure Security (CISA) website for new information as it develops and remain on high alert.
NetApp Knowledge Base

TCP Reassembly Queue Overflows Lead to Poor Performance and Possible Application Disruption on 8.2.5P2 7-mode or ONTAP 9.1P16

Views:
1,321
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
cifs
Last Updated:

Applies to

  • ONTAP 9.1 
  • Data ONTAP 8.2 7-Mode 

Issue

A security vulnerability fix in the ONTAP networking stack causes Transmission Control Protocol (TCP) performance to degrade and causes ONTAP to send invalid Selective Acknowledgement (SACK) options in the header of TCP packets. These invalid SACK options can expose an issue in some client networking stacks, causing the clients to fail to retransmit packets on normal retransmit timeout intervals. This interaction can cause application outages. For example, this problem may lead to NFS timeouts or SnapMirror failures.

Signature 

7-mode 8.2.5P2

Command: netstat -s -p tcp 

Counter: <no. packets> discarded because reassembly queue overflow 

ONTAP 9.1P16

Commands: 

node run -node <node> netstat -s -p tcp 

systemshell -node <node> netstat -s -p tcp 

Counters:  

For node level command: 

<no. packets> discarded because reassembly queue overflow 

For systemshell level command: 

<no. packets> discarded due to memory problems 

  • A packet-trace is needed during a problem to confirm if invalid SACK packets are being sent on the affected ONTAP versions. The invalid SACK packets will have an ACK value between one of the SACK left and right edge pairs. 

For each SACK range: 

If (SACK left edge <= ACK Value < SACK right edge) then an invalid SACK packet is confirmed.

 

Scan to view the article on your device
CUSTOMER EXCLUSIVE CONTENT

Registered NetApp customers get unlimited access to our dynamic Knowledge Base.

New authoritative content is published and updated each day by our team of experts.

Current Customer or Partner?

Sign In for unlimited access

New to NetApp?

Learn more about our award-winning Support