wan-geek n00b
Joined: 03 Apr 2003 Posts: 66 Location: knee-deep in the ether
Posted: Thu Mar 10, 2005 11:38 pm Post subject: Lose web/ftp/rsync randomly with a sparc system
I have run into this on 2 different systems now...and am stumped.
The first box I saw this behavior on was an E450...running gentoo. But now it's started happening on my U60 as well....and it makes no sense.
I have 2 different firewalls at my location. 1 - iptables and 1 - pix 515e. I am CCNP....so know what I am doing....and this is -NOT- a firewall problem. This -only- affects my sun systems and no other computers at this site. I have gentoo, openbsd, win2k, & debian all running great. Only the sun hardware systems exhibit this behavior.
Randomly....while trying to emerge packages on a sparc system....they completely lose their ability to get traffic for http/ftp/rsync....out to the web. I can hit these kinds of resources -fine- if I remain in-network. Any time I try to traverse either firewall (by changing the default route of the system), the traffic egresses the firewall, but never returns.
This -ONLY- happens with my sun boxes. I have ~15 x86 systems...and have never seen this behavior.
Reboots do nothing. http/ftp/rsync traffic cannot leave the network still. Changing gateways (and firewall types) has no effect either.
I -CAN- ping and traceroute out though....so I know that traffic from the sun boxes does know how to get out. just none of the protocols that I need to do my updates with. I can get sniffs of the external interfaces of the firewalls....and see the packets destined to the remote end. ICMP returns fine. I can even get DNS to query externally with success. No other protocol comes back however.
Sites I try to hit (unsuccessfully) while this is occurring include www.google.com, distfiles.gentoo.org, www.qualcomm.com, www.gentoo.org....and I can go on and on and on.
Is anyone familiar with the sparc version of linux/gentoo having issues with the protocol stack?
-Chris

wan-geek n00b
Joined: 03 Apr 2003 Posts: 66 Location: knee-deep in the ether
Posted: Thu Mar 10, 2005 11:53 pm
Here are some results...These are all through the iptables firewall.
##########
watchdog ~ # tracepath distfiles.gentoo.org
1?: [LOCALHOST] pmtu 1500
1: kalamari.siliconhotrod.com (192.168.1.1) 2.202ms
2: r-64-105-166-105.sndacagl.covad.net (64.105.166.105) asymm 102 3.586ms
3: r-64-105-166-105.sndacagl.covad.net (64.105.166.105) asymm 102 7.072ms pmtu 1492
4: 192.168.19.113 (192.168.19.113) 34.122ms
5: sndgca1wce2-gige7-0-21.wcg.net (65.77.90.61) 34.159ms
6: anhmca1wcx3-pos3-1.wcg.net (64.200.141.17) 35.746ms
7: sntcca1wcx1-pos13-0-oc192.wcg.net (64.200.240.110) 48.050ms
8: scrmca2wcx1-pos9-0.wcg.net (64.200.240.114) 52.029ms
9: eugnor1wce1-pos3-0.wcg.net (64.200.210.2) 62.171ms
10: eugnor1wce1-univ-of-oregon.wcg.net (64.200.134.198) asymm 11 61.871ms
11: corv-car1-gw.nero.net (207.98.64.6) asymm 12 63.295ms
12: ftp.osuosl.org (140.211.166.134) 67.894ms reached
##########
success!
########## (nslookup via an external name server)
> server 192.35.156.212
Default server: 192.35.156.212
Address: 192.35.156.212#53
> distfiles.gentoo.org
Server: 192.35.156.212
Address: 192.35.156.212#53
Non-authoritative answer:
Name: distfiles.gentoo.org
Address: 140.211.166.134
Name: distfiles.gentoo.org
Address: 156.56.247.195
Name: distfiles.gentoo.org
Address: 216.165.129.135
##########
success!
########## (ping to external site)
watchdog ~ # ping www.google.com
PING www.google.akadns.net (66.102.7.104) 56(84) bytes of data.
64 bytes from 66.102.7.104: icmp_seq=1 ttl=244 time=26.2 ms
64 bytes from 66.102.7.104: icmp_seq=2 ttl=244 time=42.2 ms
64 bytes from 66.102.7.104: icmp_seq=3 ttl=244 time=25.8 ms
64 bytes from 66.102.7.104: icmp_seq=4 ttl=244 time=26.1 ms
64 bytes from 66.102.7.104: icmp_seq=5 ttl=244 time=26.2 ms
##########
success!
But connections on port 80 (www) ...and ftp (20/21) are unsuccessful and all time out. Any x86 box on the same subnet with the same gateway, routes, and resolv.conf works flawlessly.
-C

wan-geek n00b
Joined: 03 Apr 2003 Posts: 66 Location: knee-deep in the ether
Posted: Sat May 28, 2005 2:31 am Post subject: interesting twist
So finally have a chance to test more.
Isolating Layer-1 first, I swap NIC cards, thinking something may be awry with the onboard NIC on the U60. It's now running a 3c59x as eth1. No difference in behavior.
It seems that the Sun hardware/gentoo combo can't handle a PAT connection. (overload NAT)
I set up a static NAT on the PIX, and we're rsyncing great. I remove the static NAT...and the connection goes to shit again.
This is FSCKin' weird...I know. Makes -0- sense to me.
I use the iptables firewall for production traffic, so am not going to mangle the rules and test via a static-nat on iptables, but this is at least -some- progress.
Now to grab packet traces and find out why it works this way.
-Chris

Weeve Retired Dev
Joined: 30 Oct 2002 Posts: 641
Posted: Sat May 28, 2005 5:11 pm
I'm running NAT here locally for my home connection with a 32 bit SPARC.
What kernel are you running on your Sun hosts and how many rules are in your iptables ruleset?