05-06-2010, 06:31 PM
Jussi Hirvi

Not firewall, but what?

I have a strange problem, where some clients see the website on my
server and some do not. It is not about the iptables, and seems to be
not about tcp wrapper. Still it is something within the box.

More details:
- the problem is only with some clients, with no geographical connection
between them; other clients see the website just fine
- the problem-clients get timeout with their browser
- they get timeout also when they try a numerical ip address
- but they see another machine in the same subnet just fine (when they
browse by ip number), so the problem has to be inside this webserver
box, right?
- port 80 (not ssl)

Switching off iptables does not help. The files hosts.allow and
hosts.deny are empty, so I guess it's not the tcp wrapper.

I am out of things to test. Any ideas?

- Jussi Hirvi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi@greenspot.fi * http://www.greenspot.fi
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
05-06-2010, 06:35 PM
Gavin Carr

Not firewall, but what?

Is one of your dns servers broken?

On Thu, May 06, 2010 at 09:31:22PM +0300, Jussi Hirvi wrote:
> I have a strange problem, where some clients see the website on my
> server and some do not. It is not about the iptables, and seems to be
> not about tcp wrapper. Still it is something within the box.
>
> More details:
> - the problem is only with some clients, with no geographical connection
> between them; other clients see the website just fine
> - the problem-clients get timeout with their browser
> - they get timeout also when they try a numerical ip address
> - but they see another machine in the same subnet just fine (when they
> browse by ip number), so the problem has to be inside this webserver
> box, right?
> - port 80 (not ssl)
>
> Switching off iptables does not help. The files hosts.allow and
> hosts.deny are empty, so I guess it's not the tcp wrapper.
>
> I am out of things to test. Any ideas?
>
> - Jussi Hirvi
 
05-06-2010, 06:42 PM
Ryan Manikowski

Not firewall, but what?

On 5/6/2010 2:35 PM, Gavin Carr wrote:

> Is one of your dns servers broken?
>
> On Thu, May 06, 2010 at 09:31:22PM +0300, Jussi Hirvi wrote:
>
>> I have a strange problem, where some clients see the website on my
>> server and some do not. It is not about the iptables, and seems to be
>> not about tcp wrapper. Still it is something within the box.
>>
>> More details:
>> - the problem is only with some clients, with no geographical connection
>> between them; other clients see the website just fine
>> - the problem-clients get timeout with their browser
>> - they get timeout also when they try a numerical ip address
>> - but they see another machine in the same subnet just fine (when they
>> browse by ip number), so the problem has to be inside this webserver
>> box, right?
>> - port 80 (not ssl)
>>
>> Switching off iptables does not help. The files hosts.allow and
>> hosts.deny are empty, so I guess it's not the tcp wrapper.

Notice the op posted they get timeouts even when going directly to a
numerical address (if the apache server is configured to respond to
*:80 it should at least display something)

Try using telnet from a client machine that can not connect.

e.g. telnet host.name.here 80

or

telnet xx.xxx.xxx.xxx 80

Try a few times and see if you're getting a timeout or if it connects
every time. Run tcpdump on the apache server while sending the
connection requests and see if the connection attempts show up at all.
If they do not, then it's a network problem.

--
Ryan Manikowski

]] Devision Media Services LLC [[
www.devision.us
ryan@devision.us | 716.771.2282
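The telnet-plus-tcpdump test Ryan describes really separates three cases: the client's SYN never reaches the server (look upstream), the SYN arrives but the box never answers with a SYN-ACK (the problem is local), or the SYN-ACK goes out and is lost on the way back. The following is an added example, not code from the thread or from any poster: a small Python parser over the text that `tcpdump -n` prints, which sorts each client into one of those three buckets. The capture lines are constructed, the client addresses come from the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges, the interface name `eth0` and all function names are assumptions; the server address 62.236.221.71 is the one Jussi posts later in the thread.

```python
import re

# Matches the default text output of `tcpdump -n` for TCP segments, e.g.
#   21:40:12.000000 IP 192.0.2.10.40000 > 62.236.221.71.80: Flags [S], seq 200, ...
# tcpdump joins host and port with a dot, so the regex splits on the last dot.
_TCP_LINE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# One verdict per client, keyed on what the capture taken on the server shows.
NOT_SEEN = "no SYN reached this host: look upstream (routing, filtering, the far end)"
NO_REPLY = "SYN arrived but no SYN-ACK left: the problem is inside this box"
REPLIED = "SYN-ACK was sent: if the client still times out, the return path drops it"

# Constructed sample capture (assumed; not a real capture from the thread).
# 192.0.2.10 retries its SYN three times and never gets an answer;
# 198.51.100.5 completes the handshake and sends a request;
# 203.0.113.7 is expected below but never appears at all.
SAMPLE_CAPTURE = """\
21:40:01.100000 IP 192.0.2.10.51234 > 62.236.221.71.80: Flags [S], seq 100, win 5840, options [mss 1460,wscale 7], length 0
21:40:04.100000 IP 192.0.2.10.51234 > 62.236.221.71.80: Flags [S], seq 100, win 5840, options [mss 1460,wscale 7], length 0
21:40:10.100000 IP 192.0.2.10.51234 > 62.236.221.71.80: Flags [S], seq 100, win 5840, options [mss 1460,wscale 7], length 0
21:40:12.000000 IP 198.51.100.5.40000 > 62.236.221.71.80: Flags [S], seq 200, win 65535, options [mss 1460,wscale 2], length 0
21:40:12.000050 IP 62.236.221.71.80 > 198.51.100.5.40000: Flags [S.], seq 300, ack 201, win 5792, options [mss 1460,wscale 7], length 0
21:40:12.060000 IP 198.51.100.5.40000 > 62.236.221.71.80: Flags [.], ack 1, win 16384, length 0
21:40:12.060100 IP 198.51.100.5.40000 > 62.236.221.71.80: Flags [P.], seq 1:80, ack 1, win 16384, length 79
""".splitlines()


def parse_tcp_lines(lines):
    """Yield (src, sport, dst, dport, flags) for every TCP line tcpdump printed."""
    for line in lines:
        m = _TCP_LINE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def classify_clients(lines, server_ip, expected_clients, port=80):
    """Map each client address to NOT_SEEN, NO_REPLY or REPLIED.

    expected_clients lists the addresses you asked to run the telnet test, so a
    client whose SYNs never show up is reported instead of silently missing.
    """
    syn_seen, synack_sent = set(), set()
    for src, sport, dst, dport, flags in parse_tcp_lines(lines):
        if dst == server_ip and dport == port and flags == "S":
            syn_seen.add(src)        # bare SYN: the client's connect() reached us
        elif src == server_ip and sport == port and flags == "S.":
            synack_sent.add(dst)     # SYN-ACK: the kernel accepted and answered
    verdicts = {}
    for client in sorted(set(expected_clients) | syn_seen):
        if client not in syn_seen:
            verdicts[client] = NOT_SEEN
        elif client not in synack_sent:
            verdicts[client] = NO_REPLY
        else:
            verdicts[client] = REPLIED
    return verdicts


if __name__ == "__main__":
    # Replace SAMPLE_CAPTURE with the lines of: tcpdump -n -i eth0 'tcp port 80'
    for client, verdict in classify_clients(
        SAMPLE_CAPTURE, "62.236.221.71", ["192.0.2.10", "198.51.100.5", "203.0.113.7"]
    ).items():
        print("%-14s %s" % (client, verdict))
```

The NO_REPLY bucket is the one that points back at the box itself: a listener bound to one address rather than *:80, a full SYN backlog, or a local filter. Note that the SYN-ACK is sent by the kernel before Apache ever calls accept(), so a tcp_wrappers denial would show up as a completed handshake followed by a close, not as a missing SYN-ACK.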
 
05-06-2010, 06:43 PM
Paul Heinlein

Not firewall, but what?

On Thu, 6 May 2010, Jussi Hirvi wrote:

> I have a strange problem, where some clients see the website on my
> server and some do not. It is not about the iptables, and seems to be
> not about tcp wrapper. Still it is something within the box.
>
> More details:
> - the problem is only with some clients, with no geographical connection
> between them; other clients see the website just fine

A while back, I remember there was a problem with TCP window scaling
that would impact only some clients in a way that you describe:

http://lwn.net/Articles/92727/

--
Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/
 
05-06-2010, 06:49 PM
Rob Kampen

Not firewall, but what?

Paul Heinlein wrote:

> On Thu, 6 May 2010, Jussi Hirvi wrote:
>
>> I have a strange problem, where some clients see the website on my
>> server and some do not. It is not about the iptables, and seems to be
>> not about tcp wrapper. Still it is something within the box.
>>
>> More details:
>> - the problem is only with some clients, with no geographical connection
>> between them; other clients see the website just fine
>
> A while back, I remember there was a problem with TCP window scaling
> that would impact only some clients in a way that you describe:
>
> http://lwn.net/Articles/92727/

Did this problem begin yesterday?

I recall that the DNS top level domain servers changed something
yesterday in regards to DNSSEC

It has to do with packet sizes for TCP DNS requests and how some
routers cannot handle the larger packets and thus time out.

(not a technical summary - just a layman's version)

HTH
 
05-06-2010, 07:00 PM
Benjamin Franz

Not firewall, but what?

On 05/06/2010 11:42 AM, Ryan Manikowski wrote:

> Notice the op posted they get timeouts even when going directly to a
> numerical address (if the apache server is configured to respond to
> *:80 it should at least display something)
>
> Try using telnet from a client machine that can not connect.
>
> e.g. telnet host.name.here 80
>
> or
>
> telnet xx.xxx.xxx.xxx 80
>
> Try a few times and see if you're getting a timeout or if it connects
> every time. Run tcpdump on the apache server while sending the
> connection requests and see if the connection attempts show up at all.
> If they do not, then it's a network problem.

Try running 'ab' (the apache bench tool - see 'man ab' for how to use
it) against your server and see if you can provoke the timeouts. If you
can, then you are probably not configured to handle many quick
connections and should check (1) httpd.conf to make sure you don't have
an excessively low setting for 'MaxClients' or (2) a too low setting
for max open filehandles. Look in /etc/security/limits.conf - you
should have a line reading something similar to:

* - nofile 64000

somewhere in it to raise the max number of open files. Busy web servers
need lots of filehandles.

--
Benjamin Franz
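Benjamin's two checks belong together: every busy Apache worker holds at least a client socket plus a file or log handle, so MaxClients in httpd.conf and the nofile limit from /etc/security/limits.conf have to be read against each other. The following is an added example, not code from the thread or from the CentOS project: a Python checker that resolves the nofile value the way pam_limits does (a line naming the user beats a `*` line for the same type, and type `-` sets soft and hard at once) and compares it with MaxClients. Both configuration snippets are constructed; the `apache` user, the two-handles-per-client allowance and the function names are assumptions.

```python
import re

# Constructed /etc/security/limits.conf (format: <domain> <type> <item> <value>).
# The wildcard nofile line is the one suggested in the thread; the apache-specific
# hard limit is added here to show how a narrower line changes the outcome.
SAMPLE_LIMITS = """\
# /etc/security/limits.conf
#<domain>      <type>  <item>         <value>
*               soft    core            0
*               -       nofile          64000
apache          hard    nofile          1024
"""

# Constructed prefork section of httpd.conf.
SAMPLE_HTTPD = """\
<IfModule prefork.c>
StartServers         8
MinSpareServers      5
MaxSpareServers     20
ServerLimit       1024
MaxClients        1024
MaxRequestsPerChild 4000
</IfModule>
"""

_MAXCLIENTS = re.compile(r"^\s*MaxClients\s+(\d+)", re.IGNORECASE | re.MULTILINE)


def nofile_limits(limits_text, user):
    """Return (soft, hard) nofile values for `user`; None where nothing applies.

    Resolution follows pam_limits: a line naming the user beats a '*' line for
    the same type, and type '-' sets soft and hard at once. Group (@name) lines
    are ignored here for brevity.
    """
    wildcard = {"soft": None, "hard": None}
    specific = {"soft": None, "hard": None}
    for raw in limits_text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments and blanks
        if len(parts) != 4 or parts[2] != "nofile":
            continue
        domain, ltype, _, value = parts
        if ltype not in ("soft", "hard", "-") or not value.isdigit():
            continue                              # nofile takes a number, not 'unlimited'
        target = specific if domain == user else (wildcard if domain == "*" else None)
        if target is None:
            continue
        for t in (("soft", "hard") if ltype == "-" else (ltype,)):
            target[t] = int(value)
    soft = specific["soft"] if specific["soft"] is not None else wildcard["soft"]
    hard = specific["hard"] if specific["hard"] is not None else wildcard["hard"]
    return soft, hard


def max_clients(httpd_text):
    """Return the MaxClients value from an httpd.conf fragment, or None."""
    m = _MAXCLIENTS.search(httpd_text)
    return int(m.group(1)) if m else None


def check_capacity(limits_text, httpd_text, user="apache", fds_per_client=2):
    """Return findings (strings) where the nofile limit cannot cover MaxClients.

    fds_per_client is a rough allowance: the client socket plus one file or
    backend handle per request. Listeners and log files come on top of that.
    """
    findings = []
    clients = max_clients(httpd_text)
    if clients is None:
        return ["MaxClients not found; check the MPM section of httpd.conf"]
    soft, hard = nofile_limits(limits_text, user)
    if soft is None and hard is None:
        return ["no nofile line applies to %s; the inherited default is usually 1024" % user]
    if soft is not None and hard is not None and soft > hard:
        findings.append(
            "nofile soft %d exceeds hard %d: the kernel refuses a soft limit above "
            "the hard limit, so assume the ceiling is %d" % (soft, hard, hard)
        )
        ceiling = hard
    else:
        ceiling = soft if soft is not None else hard
    needed = clients * fds_per_client
    if ceiling < needed:
        findings.append(
            "nofile %d is below MaxClients %d x %d handles = %d"
            % (ceiling, clients, fds_per_client, needed)
        )
    return findings


if __name__ == "__main__":
    for user in ("apache", "nobody"):
        print(user, check_capacity(SAMPLE_LIMITS, SAMPLE_HTTPD, user=user) or ["ok"])
```

One caveat on the file itself: pam_limits applies limits.conf when a PAM session is opened (login, su, cron), and a daemon started by the init script at boot never passes through that, so httpd inherits init's limit unless the script raises it with `ulimit -n`. Confirm the limit of the running httpd process rather than trusting the file.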
 
05-07-2010, 04:38 AM
Jussi Hirvi

Not firewall, but what?

Ok, thanks for ideas - many new things to test. So far no luck.

Too bad I don't have first-hand access to any of the client machines who
*do* have this problem.

Next, I will go and switch the ethernet cable to a different slot on the
router - kind of desperate, I know.

Some more details:
- this web server is a xen virtual guest system, with CentOS 5.4
- the problem surfaced yesterday morning (6th of May), after I had
migrated all these web sites from an old Fedora box to this new CentOS
system

Does the problem affect other xen systems on the same box? I haven't
tested this yet (I cannot reproduce the error).

You could test yourself if you can see
http://62.236.221.71 (the problem system)
http://62.236.221.78 (another guest on the same xen host)

If someone *cannot* see the 1st one, then it would be interesting to
know if (s)he can see the 2nd one or not.

- Jussi


On 6.5.2010 22.00, Benjamin Franz wrote:
> On 05/06/2010 11:42 AM, Ryan Manikowski wrote:
>>
>> Notice the op posted they get timeouts even when going directly to a
>> numerical address (if the apache server is configured to respond to
>> *:80 it should at least display something)
>>
>> Try using telnet from a client machine that can not connect.
>>
>> e.g. telnet host.name.here 80
>>
>> or
>>
>> telnet xx.xxx.xxx.xxx 80
>>
>> Try a few times and see if you're getting a timeout or if it connects
>> every time. Run tcpdump on the apache server while sending the
>> connection requests and see if the connection attempts show up at all.
>> If they do not, then it's a network problem.
>>
> Try running 'ab' (the apache bench tool - see 'man ab' for how to use
> it) against your server and see if you can provoke the timeouts. If you
> can, then you are probably not configured to handle many quick
> connections and should check (1) httpd.conf to make sure you don't have
> an excessively low setting for 'MaxClients' or (2) a too low setting for
> max open filehandles. Look in /etc/security/limits.conf - you should
> have a line reading something similar to:
>
>
> * - nofile 64000
>
>
> somewhere in it to raise the max number of open files. Busy web servers
> need lots of filehandles.
>
> --
> Benjamin Franz
>
> --
> Benjamin Franz
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos


--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi@greenspot.fi * http://www.greenspot.fi
 
05-07-2010, 07:28 AM
Philippe Naudin

Not firewall, but what?

On Fri, 07 May 2010 07:38:45 +0300,
Jussi Hirvi <listmember@greenspot.fi> wrote:

> ...
> You could test yourself if you can see
> http://62.236.221.71 (the problem system)
> http://62.236.221.78 (another guest on the same xen host)
>
> If someone *cannot* see the 1st one, then it would be interesting to
> know if (s)he can see the 2nd one or not.

It is the case from 147.99.7.1, and not only for port 80:

$ ping -c 10 62.236.221.71
PING 62.236.221.71 (62.236.221.71) 56(84) bytes of data.

--- 62.236.221.71 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8998ms

$ ping -c 1 62.236.221.78
PING 62.236.221.78 (62.236.221.78) 56(84) bytes of data.
64 bytes from 62.236.221.78: icmp_seq=1 ttl=46 time=58.9 ms

--- 62.236.221.78 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 58.975/58.975/58.975/0.000 ms

--
Philippe Naudin
 
05-07-2010, 07:49 AM
kalinix

Not firewall, but what?

On Fri, 2010-05-07 at 07:38 +0300, Jussi Hirvi wrote:

> You could test yourself if you can see
> http://62.236.221.71 (the problem system)
> http://62.236.221.78 (another guest on the same xen host)
>
> If someone *cannot* see the 1st one, then it would be interesting to
> know if (s)he can see the 2nd one or not.
>
> - Jussi

Tested: I cannot reach the first one but can see the second one. The first one does not respond to ping either.

Calin

Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857

=================================================

Inara: "Mal, you don't have to die alone." Mal: "Everybody dies alone." --Episode #8, "Out of Gas"
 
05-07-2010, 08:01 AM
Simon Billis

Not firewall, but what?

Hi,

Philippe Naudin sent a missive on 2010-05-07:

> On Fri, 07 May 2010 07:38:45 +0300,
> Jussi Hirvi wrote:
>
>> ...
>> You could test yourself if you can see
>> http://62.236.221.71 (the problem system)
>> http://62.236.221.78 (another guest on the same xen host)
>>
>> If someone *cannot* see the 1st one, then it would be interesting to
>> know if (s)he can see the 2nd one or not.
>
> It is the case from 147.99.7.1, and not only for port 80 :
>
> $ ping -c 10 62.236.221.71
> PING 62.236.221.71 (62.236.221.71) 56(84) bytes of data.
>
> --- 62.236.221.71 ping statistics ---
> 10 packets transmitted, 0 received, 100% packet loss, time 8998ms
>
> $ ping -c 1 62.236.221.78
> PING 62.236.221.78 (62.236.221.78) 56(84) bytes of data.
> 64 bytes from 62.236.221.78: icmp_seq=1 ttl=46 time=58.9 ms
>
> --- 62.236.221.78 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt
> min/avg/max/mdev = 58.975/58.975/58.975/0.000 ms
>

Can you confirm the routing on the two boxes - is there anything different?
I would also check the routing on the upstream routers - it is possible that
one of your ingress/egress routers has a static entry that is causing
issues. I would check all the routers that are inside the 62.236.0.0/15
subnet (BGP thinks that these addresses are part of that subnet).

Simon.


 