ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c23b803dc602e70ec1f5fb95bdf1e801675402f6
pxe-server/playbook/pxe-server-helpers/99-pxe-conntrack.conf
cproudlock 18537acbbc PXE server: fix WinPE re-image SMB connection loss 
WinPE clients re-imaging the same machine hit "System error 53 -
network path not found" on the second attempt. systemctl restart smbd
did not help; only a full server power cycle cleared the state.

Root cause is kernel nf_conntrack: the default TCP ESTABLISHED timeout
is 5 days (432000s), so a session from the first WinPE run whose
client rebooted abnormally leaves an ASSURED ESTABLISHED entry that
ufw's state-tracking rules then mis-classify the new SYN against.

Fix applied in three layers:
- /etc/sysctl.d/99-pxe-conntrack.conf drops TCP ESTABLISHED timeout
  to 1 hour and shortens the half-closed states to 30s each.
- smb.conf gains socket options TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
  plus keepalive = 30 and deadtime = 5. Active sessions refresh the
  conntrack timer every 30s via keepalives so they never age out;
  dead ones expire in an hour.
- /usr/local/sbin/smb-diag.sh snapshots kernel + Samba state for
  remote diagnosis; /usr/local/sbin/smb-soft-reset.sh walks a
  progressive recovery (nmbd/smbd restart, conntrack flush, arp
  flush, ss -K) as an alternative to power-cycling.

conntrack package added to download-packages.sh and playbook verify
list so the offline .deb bundle ships with it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 13:00:43 -04:00

14 lines
806 B
Plaintext
Raw Blame History

# Reduce nf_conntrack TCP timeouts so stale SMB sessions from rebooted WinPE
# clients age out in minutes instead of days. Real active sessions stay
# alive via keepalive traffic refreshing the conntrack timer. Defaults
# (432000s = 5 days for ESTABLISHED) are designed for long-lived enterprise
# TCP flows, not the short bursty connections PXE imaging creates.
#
# Paired with Samba's keepalive=30 + SO_KEEPALIVE (see smb.conf) the
# combination is: dead sessions cleaned up in ~1 hour max, active sessions
# never ageing out because every keepalive packet refreshes the timer.
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 30
Reference in New Issue View Git Blame Copy Permalink