0 Data Out, a few KB Data In from Virtual Network

  • Question

  • Packets from within a Linux machine deployed in my virtual network don't seem to be able to reach a machine in my local network.

    Local Network address space: 10.0.0.0/16
    Virtual Network address space: 10.100.0.0/16
    Gateway Subnet: 10.100.2.0/24
    Internal gateway IP: 10.100.2.5 (or so it appears)
    Linux machine in Virtual Network: 10.100.2.6

    I tried to SSH from my local machine 10.0.0.35 to the one in the virtual network at 10.100.2.6. Running tcpdump seems to show the SYN packet arriving, but responses seem to fail with the gateway issuing an ICMP redirect to use 10.100.2.1 instead. This message keeps repeating itself (presumably due to timeouts and retries from my local machine):

    10:58:30.233868 IP 10.0.0.35.60487 > 10.100.2.6.ssh: Flags [S], seq 2360698852, win 13500, options [mss 1326,sackOK,TS val 44724952 ecr 0,nop,wscale 5], length 0
    10:58:30.233959 IP 10.100.2.6.ssh > 10.0.0.35.60487: Flags [S.], seq 2637777877, ack 2360698853, win 12740, options [mss 1286,sackOK,TS val 618938 ecr 44724952,nop,wscale 5], length 0
    10:58:30.237502 IP 10.100.2.5 > 10.100.2.6: ICMP redirect 10.0.0.35 to net 10.100.2.1, length 68

    My Virtual Network dashboard shows a few KB data in with 0 data out. This appears to be consistent with the behavior seen above. Pinging 10.0.0.35 yields similar results (I wasn't expecting the ping reply to be successful, but I saw no ICMP packets on 10.0.0.35 anyway):

    $ ping 10.0.0.35
    PING 10.0.0.35 (10.0.0.35) 56(84) bytes of data.
    From 10.100.2.5: icmp_seq=1 Redirect Network(New nexthop: 10.100.2.1)
    From 10.100.2.5: icmp_seq=2 Redirect Network(New nexthop: 10.100.2.1)
    From 10.100.2.5: icmp_seq=3 Redirect Network(New nexthop: 10.100.2.1)

    Here is the output of `netstat -nr`. The gateway already appears to be 10.100.2.1, so I can only assume that it is sending packets to 10.100.2.6, which then sends them back to it or something similar:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.100.2.1      0.0.0.0         UG        0 0          0 eth0
    0.0.0.0         10.100.2.1      0.0.0.0         UG        0 0          0 eth0
    10.100.2.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0

    Any ideas what's going on here, or suggestions on how to debug this?

    Saturday, October 6, 2012 11:16 AM

Answers

  • Hi Vinod,

    In light of your explanation, I'm not sure I follow your scenario.

    In your original post you say, "responses seem to fail with the gateway issuing an ICMP redirect to use 10.100.2.1. This message keeps repeating itself."

    This tells me that your Linux VM is ignoring the ICMP redirect but in the message above, you state that, "accepting ICMP redirects is also enabled in /etc/sysctl.conf."

    Is your Linux VM respecting the ICMP redirect? Is it sending packets to 10.100.2.1 as instructed?

    Are you willing to collect and share a network capture from your VM with us? If so, I'll make arrangements to be able to receive it. Let me know.

    Regards,

    -Steve

    Thursday, October 11, 2012 12:42 AM
    Moderator

All replies

  • Hi Vinod,

    Thank you for posting your question here.

    It seems that your Linux VM is refusing the ICMP message to redirect its response. Is ICMP blocked or somehow disabled in your Linux VM?

    This could explain why packets are delivered to your Linux VM but the Linux VM is not able to reply.

    Regards,

    -Steve

    Monday, October 8, 2012 8:21 PM
    Moderator
  • Thanks for the quick response Steve.

    ICMP appears to be enabled. I can ping my Linux VM from another Linux VM in the same virtual network. In addition, accepting ICMP redirects is also enabled in /etc/sysctl.conf. It seems odd since the redirect is requesting the next hop to be the gateway I'm using anyway (according to netstat), and the IP address it is coming from is the internal IP of the gateway machine.

    Have deployments of Linux VMs in virtual networks been successful in the past? Do you have any idea if there is something else I'm overlooking here?

    Thanks!

    Vinod

    Monday, October 8, 2012 10:47 PM
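
Added example, not part of the thread: an entry in /etc/sysctl.conf only shows what is configured, so this script reads the effective redirect setting from /proc/sys and checks whether a redirect's source address is a default gateway in the posted routing table. `CONF_ROOT` and the function names are hypothetical; the routing table is the one from the question.

```shell
#!/bin/sh
# Added example, not from the thread. CONF_ROOT can point at a constructed tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print one setting for "all" or an interface; a missing file counts as 0.
read_conf() {
    cat "$CONF_ROOT/$1/$2" 2>/dev/null || echo 0
}

# Print "accept" or "ignore" for interface $1, using the kernel's documented rule:
#   forwarding on  -> all/ AND <if>/ accept_redirects must both be set
#   forwarding off -> all/ OR  <if>/ accept_redirects is enough
effective_accept_redirects() {
    all=$(read_conf all accept_redirects)
    own=$(read_conf "$1" accept_redirects)
    fwd=$(read_conf "$1" forwarding)
    if [ "$fwd" -ne 0 ]; then
        if [ "$all" -ne 0 ] && [ "$own" -ne 0 ]; then echo accept; else echo ignore; fi
    else
        if [ "$all" -ne 0 ] || [ "$own" -ne 0 ]; then echo accept; else echo ignore; fi
    fi
}

# Read `netstat -nr` output on stdin; succeed only if $1 is a default gateway.
# RFC 1122 (3.2.2.2): a host SHOULD discard a redirect whose source is not its
# current first-hop gateway for the destination. Only default routes are checked.
redirect_source_is_gateway() {
    awk -v src="$1" '$1 == "0.0.0.0" && $4 ~ /G/ && $2 == src { found = 1 }
                     END { exit (found ? 0 : 1) }'
}

# Routing table as posted in the question.
ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.100.2.1      0.0.0.0         UG        0 0          0 eth0
0.0.0.0         10.100.2.1      0.0.0.0         UG        0 0          0 eth0
10.100.2.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0'

if [ -d "$CONF_ROOT/eth0" ]; then
    echo "eth0 redirects: $(effective_accept_redirects eth0)"
fi
for src in 10.100.2.5 10.100.2.1; do
    if printf '%s\n' "$ROUTES" | redirect_source_is_gateway "$src"; then
        echo "$src is a current default gateway"
    else
        echo "$src is not a default gateway in this table"
    fi
done
```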