Gentoo Forums :: Networking & Security
Bizarre networking / arp / iptables problem
aheld (n00b, Joined: 15 Nov 2002, Posts: 24, Location: ~Boston, MA)
PostPosted: Tue Mar 18, 2003 10:08 pm    Post subject: Bizarre networking / arp / iptables problem

I just put up a new Gentoo based firewall / router for my office network and am having a very strange problem.

It is a typical three interface firewall; the local network is routable to the DMZ and both are masq'd to get to the Internet.

Most of the clients in the local network work fine, but three of them cannot access our webserver in the DMZ via the private address.

The DMZ is in 10.1.64.xx
the Local is in 10.2.32.xx

I can ping from the client to the webserver, but I cannot open a socket.

For one of the clients I cannot get a MAC address via ARP, nor can I ping.
For the other two I can ping and get arp requests filled from the firewall.

But all three can access the internet as well as other machines on the DMZ.
All of the DMZ machines (win2000) have identical routing tables and are connected to the same switch (which I cleared)

Any pointers would be appreciated, I am definitely stuck.

Thank You,
-Aaron Held

ps. Gentoo will be used as the VPN server to connect to hundreds of servers in the field. I'll submit a writeup once the project is live.

Strubenator (n00b, Joined: 17 Mar 2003, Posts: 19, Location: Frederick, MD)
PostPosted: Wed Mar 19, 2003 3:48 am

It sounds like it *may* be a netmask issue. This is a shot in the dark, but it never hurts to check.

Also make sure all the cables are right. I've had many issues with faulty cables causing network havoc...

--Strube

psp (Tux's lil' helper, Joined: 06 Aug 2002, Posts: 120, Location: Cape Town, South Africa)
PostPosted: Wed Mar 19, 2003 1:09 pm

What's the output from a traceroute for these machines?

aheld
PostPosted: Wed Mar 19, 2003 3:19 pm    Post subject: More info

Points to Strubenator for the netmask issue.
Actually, I had the broadcast address wrong, which made the netmask wrong.

The ip on the firewall was 10.1.32.14 and the bcast was 10.2.32.255 yielding a netmask of 255.0.0.0 after /etc/init.d/net.eth1 start

It should have had a bcast of 10.1.32.255

The cables are all good, I swapped cables, moved to different ports in switches and similar. I can ping all over the place, just no higher level networking.

traceroute fails to any of these machines, hey traceroute even fails to these machines from the same network segment.
Traceroute is going to the wrong ip!
nbtstat -a hostname works!
ipconfig /flushdns and now traceroute works.

traceroute from the webserver through Gentoo to the client
Code:

Tracing route to neo [10.1.32.38]
over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  10.1.64.1
  2   <10 ms   <10 ms   <10 ms  neo [10.1.32.38]

Trace complete.


Now I am more confused.
Time for reboots all around!

aheld
PostPosted: Thu Mar 20, 2003 5:13 pm    Post subject: Still stuck

I am still stuck on this problem, any pointers what to try next would be appreciated.

I noticed that the clients that cannot connect are trying to negotiate a
key exchange. But I do not know why some clients are doing this.
This is a trace of both clients running

telnet 10.1.64.2 80

10.1.32.139 can connect
10.1.32.38 cannot
Code:

Here is the bad client on the client side network:
gentooFireWall(266) everything # tethereal  host 10.1.64.2 and host
 10.1.32.38 -i eth1
 Capturing on eth1
   0.000000   10.1.32.38 -> 10.1.64.2    TCP 1683 > www [SYN] Seq=1971151845 Ack=0 Win=16384 Len=0
   0.001184    10.1.64.2 -> 10.1.32.38   ISAKMP Identity Protection (Main Mode)
   0.003623   10.1.32.38 -> 10.1.64.2    ISAKMP Informational
   2.973437   10.1.32.38 -> 10.1.64.2    TCP 1683 > www [SYN] Seq=1971151845 Ack=0 Win=16384 Len=0
   8.992462   10.1.32.38 -> 10.1.64.2    TCP 1683 > www [SYN] Seq=1971151845 Ack=0 Win=16384 Len=0

Here is the bad client on the DMZ side
gentooFireWall(266) root # tcpdump host 10.1.32.38 and host 10.1.64.2 -i eth2
tcpdump: listening on eth2
11:46:10.745700 10.1.32.38.1780 > 10.1.64.2.www: S 2943251698:2943251698(0) win 16384 <mss 1406,nop,nop,sackOK> (DF)
11:46:10.746528 10.1.64.2.500 > 10.1.32.38.500: isakmp: phase 1 I ident: [|sa]
11:46:10.749166 10.1.32.38.500 > 10.1.64.2.500: isakmp: phase 1 R inf:
    (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN orig=(
        (sa: doi=16842760 situation=50331740)))
11:46:13.735800 10.1.32.38.1780 > 10.1.64.2.www: S 2943251698:2943251698(0) win 16384 <mss 1406,nop,nop,sackOK> (DF)
11:46:19.754885 10.1.32.38.1780 > 10.1.64.2.www: S 2943251698:2943251698(0) win 16384 <mss 1406,nop,nop,sackOK> (DF)


Here are the same traces for a good client:
gentooFireWall(266) everything # tethereal  host 10.1.64.2 and host
 10.1.32.139 -i eth1
 Capturing on eth1
   0.000000  10.1.32.139 -> 10.1.64.2    TCP 3819 > www [SYN] Seq=387395454 Ack=0 Win=64240 Len=0
   0.000418    10.1.64.2 -> 10.1.32.139  TCP www > 3819 [SYN, ACK] Seq=649389284 Ack=387395455 Win=17520 Len=0
   0.000645  10.1.32.139 -> 10.1.64.2    TCP 3819 > www [ACK] Seq=387395455 Ack=649389285 Win=64240 Len=0
   1.610779  10.1.32.139 -> 10.1.64.2    HTTP Continuation


gentooFireWall(266) root # tcpdump host 10.1.32.139 and host 10.1.64.2 -i eth2
tcpdump: listening on eth2
11:45:21.473157 10.1.32.139.1128 > 10.1.64.2.www: S 2353590856:2353590856(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
11:45:21.473405 10.1.64.2.www > 10.1.32.139.1128: S 1666755345:1666755345(0) ack 2353590857 win 17520 <mss 1460,nop,nop,sackOK> (DF)
11:45:21.473837 10.1.32.139.1128 > 10.1.64.2.www: . ack 1 win 64240 (DF)
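The two traces in the post above already contain the answer in one glance: the working client gets a SYN/ACK straight back, while for the failing client the server (10.1.64.2) answers the SYN by opening an IKE Main Mode exchange on UDP/500, the client replies with an ISAKMP notification of NO-PROPOSAL-CHOSEN, and the SYN is then simply retransmitted with no reply. As an added example that is not part of the thread, this Python script parses tcpdump 3.x text output of this shape and classifies each client/server pair, flagging "SYNs unanswered plus IKE rejected between the same two hosts" as an IPsec policy mismatch. The sample capture is constructed from the DMZ-side (eth2) lines posted above; the Packet/Verdict types and the status names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the eth2 (DMZ side) tcpdump lines posted in the thread
# for the failing client (10.1.32.38) and the working one (10.1.32.139).
SAMPLE_CAPTURE = """\
11:46:10.745700 10.1.32.38.1780 > 10.1.64.2.www: S 2943251698:2943251698(0) win 16384 <mss 1406,nop,nop,sackOK> (DF)
11:46:10.746528 10.1.64.2.500 > 10.1.32.38.500: isakmp: phase 1 I ident: [|sa]
11:46:10.749166 10.1.32.38.500 > 10.1.64.2.500: isakmp: phase 1 R inf:
    (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN orig=(
        (sa: doi=16842760 situation=50331740)))
11:46:13.735800 10.1.32.38.1780 > 10.1.64.2.www: S 2943251698:2943251698(0) win 16384 <mss 1406,nop,nop,sackOK> (DF)
11:46:19.754885 10.1.32.38.1780 > 10.1.64.2.www: S 2943251698:2943251698(0) win 16384 <mss 1406,nop,nop,sackOK> (DF)
11:45:21.473157 10.1.32.139.1128 > 10.1.64.2.www: S 2353590856:2353590856(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
11:45:21.473405 10.1.64.2.www > 10.1.32.139.1128: S 1666755345:1666755345(0) ack 2353590857 win 17520 <mss 1460,nop,nop,sackOK> (DF)
11:45:21.473837 10.1.32.139.1128 > 10.1.64.2.www: . ack 1 win 64240 (DF)
"""

# tcpdump 3.x layout: "<hh:mm:ss.usec> <src>.<sport> > <dst>.<dport>: <rest>"
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): (?P<rest>.*)$"
)
IKE_ROLE_RE = re.compile(r"phase \d+ ([IR]) ")  # I = initiator, R = responder


@dataclass
class Packet:
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    rest: str  # text after the address pair, continuation lines folded in


def parse_tcpdump(text: str) -> List[Packet]:
    """Parse tcpdump text output. Indented lines continue the previous packet,
    which is how tcpdump prints the ISAKMP notify payload."""
    packets: List[Packet] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if not packets:
                raise ValueError("continuation line before any packet")
            packets[-1].rest += " " + line.strip()
            continue
        m = PKT_RE.match(line)
        if m is None:
            raise ValueError("unrecognised tcpdump line: %r" % line)
        packets.append(Packet(**m.groupdict()))
    return packets


def is_syn(p: Packet) -> bool:  # bare SYN: 'S' flag and no 'ack' field
    return p.rest.startswith("S ") and " ack " not in p.rest


def is_synack(p: Packet) -> bool:
    return p.rest.startswith("S ") and " ack " in p.rest


def is_isakmp(p: Packet) -> bool:  # IKE runs UDP/500 to UDP/500
    return p.sport == "500" and p.dport == "500" and p.rest.startswith("isakmp")


@dataclass
class Verdict:
    syns: int = 0
    synacks: int = 0
    ike_initiator: Optional[str] = None    # host that started Main Mode
    ike_rejected_by: Optional[str] = None  # host that sent NO-PROPOSAL-CHOSEN
    status: str = "no-traffic"


def diagnose(packets: List[Packet]) -> Dict[Tuple[str, str], Verdict]:
    """Per (client, server) pair: did TCP connect, and if not, does an IKE
    exchange between the same two hosts explain the unanswered SYNs?"""
    verdicts: Dict[Tuple[str, str], Verdict] = defaultdict(Verdict)
    for p in packets:
        if is_syn(p):
            verdicts[(p.src, p.dst)].syns += 1
        elif is_synack(p):
            verdicts[(p.dst, p.src)].synacks += 1
    for p in packets:
        if not is_isakmp(p):
            continue
        role = IKE_ROLE_RE.search(p.rest)
        for pair in ((p.src, p.dst), (p.dst, p.src)):
            if pair not in verdicts:
                continue
            v = verdicts[pair]
            if role and role.group(1) == "I" and v.ike_initiator is None:
                v.ike_initiator = p.src
            if "NO-PROPOSAL-CHOSEN" in p.rest:
                v.ike_rejected_by = p.src
    for v in verdicts.values():
        if v.synacks:
            v.status = "handshake-ok"
        elif v.ike_rejected_by:
            v.status = "ipsec-policy-mismatch"  # one side demands IKE, the other has no acceptable proposal
        elif v.ike_initiator:
            v.status = "ike-pending"
        elif v.syns:
            v.status = "no-reply"  # filtered, misrouted, or host down
    return dict(verdicts)


if __name__ == "__main__":
    for (client, server), v in diagnose(parse_tcpdump(SAMPLE_CAPTURE)).items():
        print("%s -> %s: %s (SYN x%d, SYN/ACK x%d, IKE initiator %s, rejected by %s)"
              % (client, server, v.status, v.syns, v.synacks, v.ike_initiator, v.ike_rejected_by))
```

The useful part of the verdict is who initiated IKE and who rejected it: here the server starts the exchange the moment it sees the SYN, and the client has no proposal to offer, so TCP never gets a chance. A SYN with no reply and no IKE traffic at all would instead point at filtering or routing.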

aheld
PostPosted: Thu Mar 20, 2003 5:53 pm    Post subject: SOLVED!!!

Both the clients had a NetScreen IPsec client set up that was defaulting all connections to use IPsec.

The server that they could not connect to had IPsec set up, but no matching settings for these clients; the servers that worked did not have any IPsec at all.

The IPsec rules were:
if there is IPsec on the server you MUST use it
if there is no IPsec at all then it's OK to use

Once I turned off IPsec on the clients everything worked!