[opensuse-virtual] [Fwd: Malfunctioning bridge]
Hi all,
In order to create a -more or less- representative test configuration, I tried to copy a real life situation into a xen-set-up:
-external firewall (kc3040)
-openvpn server (kc3072)
-Internal firewall (kc3041)
-management gateway (kc3075)
-asterisk pabx
-mysql server
To simulate different networks, I created dummy ethernet devices, and connected bridges to it. All of the four bridges are working OK, except ONE: BR2 and also only from one virtual machine: openvpn/kc3072
If i ping on the vpn-box (vpn is not setup yet) towards internal firewall i see no traffic at all ( 172.16.100.1 => 172.16.100.2 ) Even if i do a tcpdump on the bridge-device from DOM-0, i don't see anything.
On the other hand, if i do a ping the other way round (int-fw towards vpn) i see the icmp-request on the bridge device (but no reply, hence the problem)
Looked at [internal] firewall, at the bridges, routing, but i'm clueless…. Tried to move the whole configuration towards a different DOM-0, with the same result, rebuilt the vpn-dom-U: still no show. All firewalls are down.
All boxes are suse: both firewalls are open_11.4, mgnt+vpn are sles11sp1 and dom0 is also sles, but tried also with open.
Tried the lists at xen, but the only replies were questions what i used to make the drawing ;-)
Any suggestion where to look next?
Kind regards, Hans
Oh, btw config of the vpn-box (kc3072) is as follows:
name="kc3072"
description="int vpn server"
uuid="99ee7c72-493b-e69d-3cfa-7b438fcd2988"
memory=1000
maxmem=1000
vcpus=1
on_poweroff="destroy"
on_reboot="restart"
on_crash="destroy"
localtime=0
keymap="en-us"
builder="linux"
bootloader="/usr/bin/pygrub"
bootargs=""
extra=" "
disk=[
    'phy:/dev/xen-productie/kc3072-boot,xvda,w',
    'phy:/dev/xen-productie/kc3072-swap,xvdb,w',
    'phy:/dev/xen-productie/kc3072-syst,xvdc,w',
    'phy:/dev/xen-productie/kc3072-data,xvdd,w',
]
vif=[
    'mac=00:16:3e:30:72:01,bridge=br1',
    'mac=00:16:3e:30:72:02,bridge=br2',
    'mac=00:16:3e:30:72:03,bridge=br3',
]
vfb=['type=vnc,vncunused=1']
kc3072:~ # ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:16:3E:30:72:01
          inet addr:192.168.100.2  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe30:7201/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1140 (1.1 Kb)  TX bytes:1530 (1.4 Kb)
eth1      Link encap:Ethernet  HWaddr 00:16:3E:30:72:02
          inet addr:172.16.100.1  Bcast:172.16.100.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe30:7202/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:230 (230.0 b)  TX bytes:3518 (3.4 Kb)
eth2      Link encap:Ethernet  HWaddr 00:16:3E:30:72:03
          inet addr:192.168.0.236  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe30:7203/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:53 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2330 (2.2 Kb)  TX bytes:872 (872.0 b)
2011/8/28 Hans Witvliet <suse@a-domani.nl>:
Hi all,
In order to create a -more or less- representative test configuration, I tried to copy a real life situation into a xen-set-up:
-external firewall (kc3040)
-openvpn server (kc3072)
-Internal firewall (kc3041)
-management gateway (kc3075)
-asterisk pabx
-mysql server
To simulate different networks, I created dummy ethernet devices, and connected bridges to it. All of the four bridges are working OK, except ONE: BR2 and also only from one virtual machine: openvpn/kc3072
If i ping on the vpn-box (vpn is not setup yet) towards internal firewall i see no traffic at all ( 172.16.100.1 => 172.16.100.2 ) Even if i do a tcpdump on the bridge-device from DOM-0, i don't see anything.
On the other hand, if i do a ping the other way round (int-fw towards vpn) i see the icmp-request on the bridge device (but no reply, hence the problem)
Looked at [internal] firewall, at the bridges, routing, but i'm clueless…. Tried to move the whole configuration towards a different DOM-0, with the same result, rebuilt the vpn-dom-U: still no show. All firewalls are down.
All boxes are suse: both firewalls are open_11.4, mgnt+vpn are sles11sp1 and dom0 is also sles, but tried also with open.
Tried the lists at xen, but the only replies were questions what i used to make the drawing ;-)
Any suggestion where to look next?
did you try "ethtool -K eth0 tx off" [1]
Hope that helps.
Thanks, Todd
[1] http://xen.markmail.org/search/?q=xen+ethtool+-K+eth0+tx+checksum+off#query:...
--
Todd Deshane
http://www.linkedin.com/in/deshantm
http://www.xen.org/products/cloudxen.html
http://runningxen.com/
--
To unsubscribe, e-mail: opensuse-virtual+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-virtual+help@opensuse.org
On Mon, 2011-08-29 at 21:54 -0400, Todd Deshane wrote:
did you try "ethtool -K eth0 tx off" [1]
Hope that helps.
Thanks, Todd
[1] http://xen.markmail.org/search/?q=xen+ethtool+-K+eth0+tx+checksum+off#query:...
No, not yet. Will try it first thing tomorrow morning.
Although it's beyond my comprehension why: "change the checksumming parameters of the specified ethernet device." should have any influence, if so i would expect more relevant info in syslog on either dom-0 or dom-U
Saw some references, that shouldn't make anybody happy: http://www.shorewall.net/XenMyWay-Routed.html
And some people go even much further:
ethtool -K eth0 tx off
ethtool -K eth0 sg off
ethtool -K eth0 tso off
ethtool -K eth0 gso off
ethtool -K eth0 gro off
ethtool -k eth0
#ethtool -K eth0 rx off
#ethtool -K eth0 ufo off
#ethtool -K eth0 lro off
http://pbraun.nethence.com/doc/sysutils_xen/guest_redhat.html
In May 2008 Jeroen Torrekens wrote:
It is a bug in Xen. In a few places in the network stack, there are some checksums made. Somewhere along the way an extra checksum is taken where it shouldn't. So the checksum doesn't match the packet anymore.
But i sincerely hope that those problems are solved by now?
Strange thing is that only one combination of dom-0/dom-U fails.
But i'll try it, and report back
Hans
On Mon, 2011-08-29 at 21:54 -0400, Todd Deshane wrote:
did you try "ethtool -K eth0 tx off" [1]
Hope that helps.
Thanks, Todd
As promised, i tried it, but no luck...
(from what i read, i had to do it on the physical network device on the DOM-0. But not the bridge-device or on the DOM-u devices)
On KC0010 (the DOM-0):
kc0010:~ # ethtool -K dummy0 tx off
Cannot set device tx csum settings: Operation not supported
Asking current settings:
kc0010:~ # ethtool --show-offload dummy0
Offload parameters for dummy0:
Cannot get device rx csum settings: Operation not supported
Cannot get device tx csum settings: Operation not supported
Cannot get device scatter-gather settings: Operation not supported
Cannot get device tcp segmentation offload settings: Operation not supported
Cannot get device udp large send offload settings: Operation not supported
Cannot get device generic segmentation offload settings: Operation not supported
Cannot get device flags: Operation not supported
Cannot get device GRO settings: Operation not supported
no offload info available
Exactly the same happens with dummy1 and dummy2.
Hans
On Thu, Sep 1, 2011 at 4:53 PM, Hans Witvliet <suse@a-domani.nl> wrote:
On Mon, 2011-08-29 at 21:54 -0400, Todd Deshane wrote:
did you try "ethtool -K eth0 tx off" [1]
Hope that helps.
Thanks, Todd
As promised, i tried it, but no luck...
(from what i read, i had to do it on the physical network device on the DOM-0. But not the bridge-device or on the DOM-u devices)
On KC0010 (the DOM-0):
kc0010:~ # ethtool -K dummy0 tx off
Cannot set device tx csum settings: Operation not supported
Asking current settings:
kc0010:~ # ethtool --show-offload dummy0
Offload parameters for dummy0:
Cannot get device rx csum settings: Operation not supported
Cannot get device tx csum settings: Operation not supported
Cannot get device scatter-gather settings: Operation not supported
Cannot get device tcp segmentation offload settings: Operation not supported
Cannot get device udp large send offload settings: Operation not supported
Cannot get device generic segmentation offload settings: Operation not supported
Cannot get device flags: Operation not supported
Cannot get device GRO settings: Operation not supported
no offload info available
Exactly the same happens with dummy1 and dummy2.
I wonder if it is an issue with the dummy module and your particular setup. Have you considered trying Open vSwitch for the internal bridges?
--
Todd Deshane
http://www.linkedin.com/in/deshantm
http://www.xen.org/products/cloudxen.html
http://runningxen.com/
On Fri, 2011-09-02 at 03:44 -0400, Todd Deshane wrote:
I wonder if it is an issue with the dummy module and your particular setup. Have you considered trying Open vSwitch for the internal bridges?
No, but might have a look at it.
Just before i dashed off, i had another peek at it...
On (!) both machines i did following:
a) ping to the machine at the other side of the bridge simultaneously
b) do a tcpdump at the DOM-0 on the related bridge.
I only saw an arp request, but no answer. So i manually populated the arp-table at _both_ ends. Next i saw the ICMP-request of _both_ sides on the bridge, but NO answer.
Now the intriguing part: I did a tcpdump on both virtual machines on the related ethernet device, in this case eth1 on both sides.
--> on both virtual machines i saw the incoming ICMP-request <--
But, never a reply. Routing is correct, and all firewalls are down. On no other network device i could detect a mis-routed ICMP-reply
Getting stranger and stranger.... Especially as on same devices other bridges are working properly!
hw
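The checksum theory quoted earlier in the thread can be checked directly against an echo request captured on eth1. The following is an added example, not code from the thread: it verifies the IPv4 header and ICMP checksums of one raw packet. The function names and the sample packet are constructed for illustration, and getting the raw bytes out of a capture is assumed to happen elsewhere.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(src, dst, ident, seq, payload):
    """Construct an IPv4 ICMP echo request with correct checksums (sample data)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp

def verify_ipv4_icmp(packet: bytes) -> dict:
    """Check the IP header and ICMP checksums of one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        raise ValueError("truncated or malformed packet")
    if packet[9] != 1:
        raise ValueError("not ICMP")
    icmp = packet[ihl:total_len]
    return {
        # Summing a region that includes a correct checksum field yields 0.
        "ip_header_ok": inet_checksum(packet[:ihl]) == 0,
        "icmp_ok": inet_checksum(icmp) == 0,
        "icmp_type": icmp[0],
    }

# Constructed sample: echo request in the direction int-fw -> vpn box.
GOOD = build_echo_request("172.16.100.2", "172.16.100.1", 0x1234, 1, b"xen-bridge-test!")
# Same packet with one ICMP checksum byte flipped (constructed bad case).
BAD = GOOD[:22] + bytes([GOOD[22] ^ 0xFF]) + GOOD[23:]

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad", BAD)):
        print(name, verify_ipv4_icmp(pkt))
```

If a request as captured on eth1 passes both checks, a stale checksum is not what keeps the receiver from answering.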