[SLE] Problem with W2003 Server causing Martian source...filling logs
I just replaced a UnixWare Server with SUSE Linux 10.1. I talked with the
Windows Admin because I am getting 3-9 MB log files with...

Jun 7 17:30:47 www kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:4a:83:11:08:06
Jun 7 17:30:54 www kernel: printk: 2 messages suppressed.
Jun 7 17:30:54 www kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0

If I have the mac address correct from above, it is the MS Win 2003 server
causing these messages. What can I do to get these to stop? It is
causing the mail to not go through to one user, as the XP machine is or
seems unable to handle these large files via POP3. How can I find out
what on the win server is generating this entry in the log? I need to
somehow stop these from going in the log. I know that if it were a
public IP, RFCs do not permit it. Any ideas to stop this from filling up
my log files?
Thanks,
--
Boyd Gerber
On Thursday 08 June 2006 02:42, Boyd Lynn Gerber wrote:
> I just replaced a UnixWare Server with SUSE Linux 10.1. I talked with the Windows Admin because I am getting 3-9 MB log files with...
>
> Jun 7 17:30:47 www kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:4a:83:11:08:06
> Jun 7 17:30:54 www kernel: printk: 2 messages suppressed.
> Jun 7 17:30:54 www kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0

A martian source is an IP address that is arriving on an interface where that IP address is wrong. An example would be an internal non-routable IP address arriving on an external interface.

I'm guessing the 192.168.30.32 address is something for which you don't have a routing table entry - maybe it is an internal machine that is somehow connected to your external interface?

If you explain a bit more about your setup, what is connected to what, then it would be easier to say what the problem is.

--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
Thanks, I thought I had put this information in. We have two network
cards. One with public IP a block of 16. The other is an internal
network on 198.60.2.0/24. They have machines coming up and down. They
use all the IPs in this block at one time or another. This machine is
192.168.2.85 and the MS win 2003 server is 192.168.2.35. I do not
remember the exact address. All have the same netmask which should
exclude this 192.168.30.32 address. The stupid MS server is spewing out
this even though it should not. The MS Admin says he does not know what
on his server is giving this error to the linux box. I do not know what else
to suggest. All I know is the mac address corresponds to the MS Server.
They have over 200 machines on and off at any one time. All the internal
machines use the same wiring on this internal network. The MS admin may
not really know what he is talking about. They did have a Novell Network
on this wiring as well. He thinks that everything is a MS Network. As
they replaced the Novell Network with MS after the Novell announcement.
Any ideas? Thanks,
--
Boyd Gerber
On Thursday 08 June 2006 03:50, Boyd Lynn Gerber wrote:
> Thanks, I thought I had put this information in. We have two network cards. One with public IP a block of 16. The other is an internal network on 198.60.2.0/24.

Considering the rest of your email, I'm guessing this was a typo.

> They have machines coming up and down. They use all the IPs in this block at one time or another. This machine is 192.168.2.85 and the MS win 2003 server is 192.168.2.35. I do not remember the exact address. All have the same netmask which should exclude this 192.168.30.32 address.

I guess so too, since if the netmask included that IP, it wouldn't be a martian.

> The stupid MS server is spewing out this even though it should not. The MS Admin says he does not know what on his server is giving this error to the linux box.

Something on that machine obviously thinks it has that address. Is it running some sort of virtual machine perhaps, like VMware? If so, then perhaps it's misconfigured. I've seen it happen, when the guest OS (with a fake vmware-private IP) suddenly gets direct access to the LAN.

> I do not know what else to suggest. All I know is the mac address corresponds to the MS Server.

The quickest way would be to run a network trace, for example ethereal, until you've captured a few of these packets. Then you can see what it's trying to do, and that should give some idea about what's going on.

> They have over 200 machines on and off at any one time. All the internal machines use the same wiring on this internal network. The MS admin may not really know what he is talking about. They did have a Novell Network on this wiring as well. He thinks that everything is a MS Network. As they replaced the Novell Network with MS after the Novell announcement.

Which announcement was that?
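Added example, not written by any of the posters: the kernel lines quoted in this thread can be decoded mechanically, which ties the martian address to a MAC address and shows what a trace should be looking for. `CONNECTED` assumes eth0 is the internal interface on a /24 around the 192.168.2.x host addresses mentioned above, the on-link test is a simplified stand-in for the kernel's route lookup, and the function names are this example's own.

```python
import ipaddress
import re

# Log lines exactly as quoted in the thread (wrapped lines rejoined).
SAMPLE_LOG = """\
Jun 7 17:30:47 www kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:4a:83:11:08:06
Jun 7 17:30:54 www kernel: printk: 2 messages suppressed.
Jun 7 17:30:54 www kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
"""
# Assumption: eth0 is the internal NIC, on a /24 around the host addresses
# given in the thread (192.168.2.85 and 192.168.2.35).
CONNECTED = {"eth0": [ipaddress.ip_network("192.168.2.0/24")]}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
LL_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})\s*$", re.I)
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")

def decode_ll_header(line):
    """Split the 14-byte Ethernet header into dst MAC, src MAC, EtherType."""
    m = LL_RE.search(line)
    if not m:
        return None
    o = m.group(1).lower().split(":")
    etype = int(o[12] + o[13], 16)
    return {"dst_mac": ":".join(o[:6]), "src_mac": ":".join(o[6:12]),
            "ethertype": ETHERTYPES.get(etype, hex(etype))}

def parse_martian(line, connected=CONNECTED):
    """The kernel prints the destination first, then the offending source."""
    m = MARTIAN_RE.search(line)
    if not m:
        return None
    dst, src, dev = m.group(1), ipaddress.ip_address(m.group(2)), m.group(3)
    # Simplified check: is the source inside a network configured on that NIC?
    on_link = any(src in net for net in connected.get(dev, []))
    return {"dst": dst, "src": str(src), "dev": dev, "src_on_link": on_link}

def capture_filter(frame, martian):
    """pcap filter for a trace; assumes both log lines describe one sender."""
    return f"ether src {frame['src_mac']} and src host {martian['src']}"

def analyse(log=SAMPLE_LOG):
    lines = log.splitlines()
    frames = [f for f in map(decode_ll_header, lines) if f]
    martians = [m for m in map(parse_martian, lines) if m]
    return frames, martians

if __name__ == "__main__":
    frames, martians = analyse()
    print(frames[0], martians[0], capture_filter(frames[0], martians[0]), sep="\n")
```

On the quoted lines this reports a broadcast frame with EtherType ARP from 00:0e:0c:4a:83:11, so the trace should be looking at ARP from that MAC rather than at IP traffic. The log lines themselves are only written while the `log_martians` sysctl (`net.ipv4.conf.<dev>.log_martians`) is enabled.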
> On Thursday 08 June 2006 03:50, Boyd Lynn Gerber wrote:
> > Thanks, I thought I had put this information in. We have two network cards. One with public IP a block of 16. The other is an internal network on 198.60.2.0/24.
>
> Considering the rest of your email, I'm guessing this was a typo.

Yes, it should have been 198.168.2.0/24. The public IP has a 198.60.X.X address.

> > They have machines coming up and down. They use all the IPs in this block at one time or another. This machine is 192.168.2.85 and the MS win 2003 server is 192.168.2.35. I do not remember the exact address. All have the same netmask which should exclude this 192.168.30.32 address.
>
> I guess so too, since if the netmask included that IP, it wouldn't be a martian.
>
> > The stupid MS server is spewing out this even though it should not. The MS Admin says he does not know what on his server is giving this error to the linux box.
>
> Something on that machine obviously thinks it has that address. Is it running some sort of virtual machine perhaps, like VMware? If so, then perhaps it's misconfigured. I've seen it happen, when the guest OS (with a fake vmware-private IP) suddenly gets direct access to the LAN.

The MS Admin says that it is only running W 2003 Server.

> > I do not know what else to suggest. All I know is the mac address corresponds to the MS Server.
>
> The quickest way would be to run a network trace, for example ethereal, until you've captured a few of these packets. Then you can see what it's trying to do, and that should give some idea about what's going on.

That is what I have been trying to do. I do not see any real clue as to what is sending it.

> > They have over 200 machines on and off at any one time. All the internal machines use the same wiring on this internal network. The MS admin may not really know what he is talking about. They did have a Novell Network on this wiring as well. He thinks that everything is a MS Network. As they replaced the Novell Network with MS after the Novell announcement.
>
> Which announcement was that?

About no further NetWare development and what appeared to be lack of
direction. They bought the MS line about Novell abandoning Netware. I
did not really listen to all their rantings. I feel lucky to have gotten
a SUSE Linux in to replace the UnixWare box. The MS reps... have been
really lobbying them. Lucky my Reputation and things I provide convinced
them to not use MS for their web, email, and business presence. They are
using Interchange, combined with php for their online book store.
Thanks,
--
Boyd Gerber
On Wed, 2006-06-07 at 21:55 -0600, Boyd Lynn Gerber wrote:
> Yes, it should have been 198.168.2.0/24.

Not to correct again (as I make typos regularly), but I assume you mean "192.168.2.0/24"?

> The MS Admin says that it is only running W 2003 Server.

What service pack? What hotfixes? Makes all the difference.

> About no further NetWare development and what appeared to be lack of direction. They bought the MS line about Novell abandoning Netware. I did not really listen to all their rantings.

Didn't you hear? UNIX is dead! Linux is dead! Everyone with pet Linux projects are switching back to Windows! ;->

> I feel lucky to have gotten a SUSE Linux in to replace the UnixWare box. The MS reps... have been really lobbying them.

Microsoft's Gold Partners are notorious for feeding utter BS. In the past, I've been brought in on several projects mid-way to clean up their collective messes and over-marketing what they could do. In more recent years, a number of clients have just decided to bring me in to evaluate their pitches and cut through the truth and BS _before_ they buy.

The sad thing is that sometimes some Microsoft Gold Partners don't listen to me or try to discredit my interjections and corrections _until_ someone points out (often the client at some point) that I have more Microsoft certifications and experience than all of the "engineers" the Gold Partner brought with them collectively. That's really sad because someone's credentials shouldn't matter when you're pointing out the marketing BS from the reality.

Software Assurance is almost always where they trip up. Software Assurance is not only the most legally stupid thing you can sign, but it often costs 130% of actual (according to Garner studies).

> Lucky my Reputation and things I provide convinced them to not use MS for their web, email, and business presence. They are using Interchange, combined with php for their online book store.

Hey -- listen to Microsoft on that one. In Microsoft's own study of Windows Server 2003 versus Red Hat Enterprise Linux 3 (yes, that old) -- the TCO and security issues were less with Linux than Windows in 1 out of 5 apps. That 1 app was web services and Internet presence. The TCO included the assumption that the staff was 100% Windows knowledgeable and 0% Linux knowledgeable and required complete training for the entire staff in the case of Linux installation (using the fully multi-month 100-200-300 track of the RHCE "from 0 knowledge") -- and it was _still_ cheaper to go RHEL 3! Now how's that for a Microsoft-funded study! ;->

The Gold Partners really hate that one, they can't refute it that even if you don't know the first thing about Linux and you've got the world's best Windows administrators -- it's still cheaper, smoother and more secure to go Linux for web services and Internet presence after all the training costs and infrastructure changes.

--
Bryan J. Smith Professional, technical annoyance
mailto:b.j.smith@ieee.org
http://thebs413.blogspot.com
-------------------------------------------------------
Illegal Immigration = "Representation Without Taxation"
> On Wed, 2006-06-07 at 21:55 -0600, Boyd Lynn Gerber wrote:
> > Yes, it should have been 198.168.2.0/24.
>
> Not to correct again (as I make typos regularly), but I assume you mean "192.168.2.0/24"?

Yes, I can't believe I still made the error. I read it 10 times thinking it looked right. (SIGH!)

> > The MS Admin says that it is only running W 2003 Server.
>
> What service pack? What hotfixes? Makes all the difference.

He is telling me it has been updated to the latest patch level from MS.
That there are no more patches or updates available for the system. Even
recommended patches/updates. He says he does not do any hacks, only uses
MS online tools. I find that a little hard to believe, because without
hotfixes, and other things, I do not consider a MS 2003 Server to be safe.
I wish I could get them to let me on the server to look at it. I feel
like I am shooting in the dark. I know it is this machine from the mac
address.
Thanks,
--
Boyd Gerber
participants (3)
- Anders Johansson
- Boyd Lynn Gerber
- Bryan J. Smith