FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > CentOS > CentOS

 
 
LinkBack Thread Tools
 
Old 05-07-2010, 08:14 AM
Tony Molloy
 
Default Not firewall, but what?

On Friday 07 May 2010 05:38:45 Jussi Hirvi wrote:
> Ok, thanks for ideas - many new things to test. So far no luck.
>
> Too bad i don't have first-hand access to any of the client machines who
> *do* have this problem.
>
> Next, I will go and switch the ethernet cable to a different slot on the
> router - kind of desperate, I know.
>
> Some more details:
> - this web server is a xen virtual guest system, with CentOS 5.4
> - the problem surfaced yesterday morning (6th of May), after I had
> migrated all these web sites from an old Fedora box to this new CentOS
> system
>
> Does the problem affect other xen systems on the same box? I haven't
> tested this yet (I cannot reproduce the error).
>
> You could test yourself if you can see
> http://62.236.221.71 (the problem system)
> http://62.236.221.78 (another guest on the same xen host)
>
> If someone *cannot* see the 1st one, then it would be interesting to
> know if (s)he can see the 2nd one or not.
>
> - Jussi
>

OK I can see the second one but not the first.

I can also ping the second one but not the first.

Tony

> On 6.5.2010 22.00, Benjamin Franz wrote:
> > On 05/06/2010 11:42 AM, Ryan Manikowski wrote:
> >> Notice the op posted they get timeouts even when going directly to a
> >> numerical address (if the apache server is configured to respond to
> >> *:80 it should at least display something)
> >>
> >> Try using telnet from a client machine that can not connect.
> >>
> >> e.g. telnet host.name.here 80
> >>
> >> or
> >>
> >> telnet xx.xxx.xxx.xxx 80
> >>
> >> Try a few times and see if you're getting a timeout or if it connects
> >> every time. Run tcpdump on the apache server while sending the
> >> connection requests and see if the connection attempts show up at all.
> >> If they do not, then it's a network problem.
> >
> > Try running 'ab' (the apache bench tool - see 'man ab' for how to use
> > it) against your server and see if you can provoke the timeouts. If you
> > can, then you are probably not configured to handle many quick
> > connections and should check (1) httpd.conf to make sure you don't have
> > an excessively low setting for 'MaxClients' or (2) a too low setting for
> > max open filehandles. Look in /etc/security/limits.conf - you should
> > have a line reading something similar to:
> >
> >
> > * - nofile 64000
> >
> >
> > somewhere in it to raise the max number of open files. Busy web servers
> > need lots of filehandles.
> >
> > --
> > Benjamin Franz
> >
> > --
> > Benjamin Franz
> >
> >
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS@centos.org
> > http://lists.centos.org/mailman/listinfo/centos
>

--

Chief Technical Officer. Tel: +353 061-202778
Dept. of Comp. Sci.
University of Limerick.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 05-07-2010, 08:25 AM
Philippe Naudin
 
Default Not firewall, but what?

Le Fri, 7 May 2010 09:01:17 +0100,
"Simon Billis" <simon@houxou.com> a écrit :

> Can you confirm the routing on the two boxes - is there anything different?
> I would also check the routing on the upstream routers - it is possible that
> one of your ingress/egress routers has a static entry that is causing
> issues. I would check all the routers that are inside the 62.236.0.0/15
> subnet (BGP thinks that these addresses are part of that subnet).


$ traceroute -T 62.236.221.71
traceroute to 62.236.221.71 (62.236.221.71), 30 hops max, 40 byte packets
1 cc-campus.supagro.inra.fr (147.99.0.20) 0.231 ms 0.186 ms 0.185 ms
2 cc-dmz1.supagro.inra.fr (147.99.75.1) 0.406 ms 0.392 ms 0.373 ms
3 (195.220.89.181) 22.530 ms 22.517 ms 22.843 ms
4 193.51.241.145 (193.51.241.145) 6.910 ms 6.806 ms 7.637 ms
5 * * *
6 te1-2-marseille-rtr-021.noc.renater.fr (193.51.189.21) 9.527 ms 9.756 ms 9.976 ms
7 te0-0-0-0-lyon1-rtr-001.noc.renater.fr (193.51.189.17) 10.801 ms 10.786 ms 10.767 ms
8 xe-8-0-0.edge5.Paris1.Level3.net (212.73.207.173) 18.686 ms 17.010 ms 16.981 ms
9 ae-33-51.ebr1.Paris1.Level3.net (4.69.139.193) 16.548 ms 20.324 ms 20.076 ms
10 ae-47-47.ebr1.London1.Level3.net (4.69.143.109) 22.232 ms ae-48-48.ebr1.London1.Level3.net (4.69.143.113) 22.659 ms 22.723 ms
11 ae-1-51.edge3.London1.Level3.net (4.69.139.73) 22.949 ms 22.260 ms 22.547 ms
12 tdcdenmark-level3-xe.london1.Level3.net (4.68.63.90) 22.949 ms 22.611 ms 22.695 ms
13 atm1-0-5.psl-gw3.hel.fi.ip.tdc.net (62.236.1.26) 55.654 ms 55.624 ms 55.806 ms
14 proequal-cpe1.hel.fi.sn.net (62.236.27.110) 70.389 ms 71.992 ms 69.084 ms
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

$ traceroute -T 62.236.221.78
traceroute to 62.236.221.78 (62.236.221.78), 30 hops max, 40 byte packets
1 cc-campus.supagro.inra.fr (147.99.0.20) 0.256 ms 0.185 ms 0.182 ms
2 cc-dmz1.supagro.inra.fr (147.99.75.1) 0.283 ms 0.267 ms 0.256 ms
3 (195.220.89.181) 1150.194 ms 1150.189 ms 1150.165 ms
4 193.51.241.145 (193.51.241.145) 1.050 ms 0.947 ms 0.910 ms
5 * * *
6 te1-2-marseille-rtr-021.noc.renater.fr (193.51.189.21) 8.441 ms 8.389 ms 8.646 ms
7 te0-0-0-0-lyon1-rtr-001.noc.renater.fr (193.51.189.17) 10.117 ms 10.090 ms 10.065 ms
8 xe-8-0-0.edge5.Paris1.Level3.net (212.73.207.173) 15.203 ms 17.176 ms 17.279 ms
9 ae-33-51.ebr1.Paris1.Level3.net (4.69.139.193) 17.261 ms 15.151 ms 15.124 ms
10 ae-47-47.ebr1.London1.Level3.net (4.69.143.109) 22.346 ms ae-48-48.ebr1.London1.Level3.net (4.69.143.113) 22.200 ms 22.164 ms
11 ae-1-51.edge3.London1.Level3.net (4.69.139.73) 22.625 ms 22.504 ms 22.582 ms
12 tdcdenmark-level3-xe.london1.Level3.net (4.68.63.90) 22.247 ms 22.714 ms 22.815 ms
13 atm1-0-5.psl-gw3.hel.fi.ip.tdc.net (62.236.1.26) 55.513 ms 55.065 ms 55.150 ms
14 proequal-cpe1.hel.fi.sn.net (62.236.27.110) 60.118 ms 60.908 ms 60.062 ms
15 ns2.greenspot.fi (62.236.221.78) 62.618 ms 63.832 ms 64.659 ms

--
Philippe
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 05-07-2010, 09:25 AM
Jussi Hirvi
 
Default Not firewall, but what?

Thanks everyone for feedback.

This could be something weird with the xen network-interface bridging.
This problematic server-system is the only xen guest that shares *both*
network cards on the machine.

I asked my upstream ISP to check things from their side.

I hope I will soon get a ssh account on some client where the error is
reproducible. Then I could start testing.

- Jussi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi@greenspot.fi * http://www.greenspot.fi
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 05-07-2010, 10:17 AM
Didi Hoffmann
 
Default Not firewall, but what?

On Fri, 2010-05-07 at 09:14 +0100, Tony Molloy wrote:
> > You could test yourself if you can see
> > http://62.236.221.71 (the problem system)
> > http://62.236.221.78 (another guest on the same xen host)
> >
> > If someone *cannot* see the 1st one, then it would be interesting to
> > know if (s)he can see the 2nd one or not.
> >
> > - Jussi
> >
>
> OK I can see the second one but not the first.
>
> I can also ping the second one but not the first.

+ 1

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 05-07-2010, 01:40 PM
Benjamin Franz
 
Default Not firewall, but what?

On 05/06/2010 09:38 PM, Jussi Hirvi wrote:
> Does the problem affect other xen systems on the same box? I haven't
> tested this yet (I cannot reproduce the error).
>
> You could test yourself if you can see
> http://62.236.221.71 (the problem system)
> http://62.236.221.78 (another guest on the same xen host)
>
> If someone *cannot* see the 1st one, then it would be interesting to
> know if (s)he can see the 2nd one or not.
>
Interesting. I can ping and reach the second address, but not the first
one. A thought: Double-check your routes are good, your interfaces are
actually all up, and that no other machine has accidentally got the IP
address up as well. Post the results for 'route -n', 'ifconfig', and
'arping -D 62.236.221.71' on the machine.

--
Benjamin Franz
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 05-07-2010, 01:44 PM
Jussi Hirvi
 
Default Not firewall, but what?

Ok, I have now ssh account with which I can reproduce the errors. The
error is now narrowed down to inside the box: tcpdump shows that data is
coming in, but nothing is leaving.

The box is a xen system with 2 if-cards which are shared with xen
guests. The error is connected to eth0 (not eth1) and affects both the
host and one guest system. However, guest4, which uses eth0 only, works
quite ok!

Here is a list of the host and guest, their if cards, and errors:

xen host: eth0 (produces the error with some clients)
...and eth1 (default gateway; works ok)
guest2: eth1 (ok)
guest3: eth1 (ok)
guest4: eth0 (ok)
guest5: eth0 (errors), eth1 (ok)

Below is some more data. I would still need ideas about what to test.

Again I made sure that the firewall (iptables) does not cause the error.
Not tcpwrapper either: /etc/hosts.allow and /etc/hosts.deny are both empty.

- Jussi


Physical if cards:

Intel Corporation 82567LM-3 Gigabit Network Connection
(eth0; on motherboard)

Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+
(eth1; very old card)

ifconfig output:

eth0 Link encap:Ethernet HWaddr 00:1C:C07:A6:5B
inet addr:62.236.221.67 Bcast:62.236.221.79
Mask:255.255.255.240
inet6 addr: fe80::21c:c0ff:fed7:a65b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1470 errors:0 dropped:0 overruns:0 frame:0
TX packets:37 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:121445 (118.5 KiB) TX bytes:7584 (7.4 KiB)

eth1 Link encap:Ethernet HWaddr 00:02:44:97:95:50
inet addr:62.220.237.104 Bcast:62.220.237.127
Mask:255.255.255.224
inet6 addr: fe80::202:44ff:fe97:9550/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22601 errors:0 dropped:0 overruns:0 frame:0
TX packets:3371 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1644700 (1.5 MiB) TX bytes:598979 (584.9 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:168 errors:0 dropped:0 overruns:0 frame:0
TX packets:168 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11574 (11.3 KiB) TX bytes:11574 (11.3 KiB)

peth0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:49343 errors:0 dropped:0 overruns:0 frame:0
TX packets:35975 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:5661018 (5.3 MiB) TX bytes:5200943 (4.9 MiB)
Memory:d0600000-d0620000

peth1 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:115801 errors:0 dropped:0 overruns:0 frame:0
TX packets:125786 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23407678 (22.3 MiB) TX bytes:83301169 (79.4 MiB)
Interrupt:19 Base address:0xa100

vif0.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:37 errors:0 dropped:0 overruns:0 frame:0
TX packets:1470 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7584 (7.4 KiB) TX bytes:121445 (118.5 KiB)

vif0.1 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:3391 errors:0 dropped:0 overruns:0 frame:0
TX packets:22614 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:603387 (589.2 KiB) TX bytes:1645558 (1.5 MiB)

vif2.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:5877 errors:0 dropped:0 overruns:0 frame:0
TX packets:23727 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:379075 (370.1 KiB) TX bytes:2115170 (2.0 MiB)

vif3.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:28011 errors:0 dropped:0 overruns:0 frame:0
TX packets:50422 errors:0 dropped:22 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:16503337 (15.7 MiB) TX bytes:12688396 (12.1 MiB)

vif4.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:32753 errors:0 dropped:0 overruns:0 frame:0
TX packets:34011 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:4416529 (4.2 MiB) TX bytes:4253292 (4.0 MiB)

vif5.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:3302 errors:0 dropped:0 overruns:0 frame:0
TX packets:16735 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:280451 (273.8 KiB) TX bytes:1521618 (1.4 MiB)

vif5.1 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:59898 errors:0 dropped:0 overruns:0 frame:0
TX packets:71340 errors:0 dropped:74 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:62709103 (59.8 MiB) TX bytes:10451893 (9.9 MiB)

virbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.122.1 Bcast:192.168.122.255
Mask:255.255.255.0
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:6484 (6.3 KiB)

xenbr0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:1135 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:82476 (80.5 KiB) TX bytes:0 (0.0 b)

xenbr1 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:17410 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:819653 (800.4 KiB) TX bytes:0 (0.0 b)



--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi@greenspot.fi * http://www.greenspot.fi
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 05-07-2010, 02:26 PM
Jussi Hirvi
 
Default Not firewall, but what?

On 7.5.2010 16.40, Benjamin Franz wrote:
> Post the results for 'route -n', 'ifconfig', and
> 'arping -D 62.236.221.71' on the machine.
>

The values in the previous message and below are from the xen host
(62.236.221.67/62.220.237.104), which displays just the same errors as
the xen guest (62.236.221.71).

ifconfig is on the list already.

[root@farm1 log]# ip route show
62.236.221.64/28 dev eth0 proto kernel scope link src 62.236.221.67
62.220.237.96/27 dev eth1 proto kernel scope link src 62.220.237.104
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth1 scope link
default via 62.220.237.126 dev eth1


[root@farm1 log]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
62.236.221.64 0.0.0.0 255.255.255.240 U 0 0 0 eth0
62.220.237.96 0.0.0.0 255.255.255.224 U 0 0 0 eth1
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0
virbr0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 62.220.237.126 0.0.0.0 UG 0 0 0 eth1

A meaningful response to arping I cannot deliver - I don't have a
machine which displays this error *and* has arping installed.

- Jussi





--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi@greenspot.fi * http://www.greenspot.fi
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 05-07-2010, 02:47 PM
Eduardo Grosclaude
 
Default Not firewall, but what?

On Fri, May 7, 2010 at 7:17 AM, Didi Hoffmann <ribalba@gmail.com> wrote:
> On Fri, 2010-05-07 at 09:14 +0100, Tony Molloy wrote:
>> > You could test yourself if you can see
>> > * * http://62.236.221.71 (the problem system)
>> > * * http://62.236.221.78 (another guest on the same xen host)
>> >
>> > If someone *cannot* see the 1st one, then it would be interesting to
>> > know if (s)he can see the 2nd one or not.
>> >
>> > - Jussi
>> >
>>
>> OK I can see the second one but not the first.
>>
>> I can also ping the second one but not the first.
>
> + 1

Same from this side of the world

--
Eduardo Grosclaude
Universidad Nacional del Comahue
Neuquen, Argentina
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 05-07-2010, 02:52 PM
Eduardo Grosclaude
 
Default Not firewall, but what?

On Fri, May 7, 2010 at 11:47 AM, Eduardo Grosclaude
<eduardo.grosclaude@gmail.com> wrote:

>>> > You could test yourself if you can see
>>> > * * http://62.236.221.71 (the problem system)
>>> > * * http://62.236.221.78 (another guest on the same xen host)

Sure your network masks are OK?


--
Eduardo Grosclaude
Universidad Nacional del Comahue
Neuquen, Argentina
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 05-08-2010, 01:31 AM
Kahlil Hodgson
 
Default Not firewall, but what?

On 05/08/2010 12:26 AM, Jussi Hirvi wrote:
> On 7.5.2010 16.40, Benjamin Franz wrote:
>> Post the results for 'route -n', 'ifconfig', and
>> 'arping -D 62.236.221.71' on the machine.
>>
>
> The values in the previous message and below are from the xen host
> (62.236.221.67/62.220.237.104), which displays just the same errors as
> the xen guest (62.236.221.71).

Hmmm have you got more than one bridge on your network? If so you need
to make sure you have STP turned ON on all your bridges.
If you have any services that require network at start up (nfs), you'll
need set you network start up delay to more than 10 seconds
as well, so STP has some time to settle.

I encountered similar problems when I plugged a _second_ virtualisation
host into my network.

Kal
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 

Thread Tools




All times are GMT. The time now is 11:21 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org