I've been trying to join the LARTC mailing list all week, but have yet to get any response from them... hence my post here. I figured someone here might know how to get this going. I have Shorewall running on both firewalls/routers... so it's slightly on-topic. :^)

Here's my network map:

Public subnet----\            /--- Link 1 ---\
                  -| Router 2 |-              -| Router 1 |--| Internet |
Public subnet----/            \--- Link 2 ---/

Sorry if the ASCII doesn't show up correctly. I hope it does.

Anyway, router 1 is running Proxy ARP for several public subnets to dish them across link 1 and 2 so they can reside on the backside of router 2. Router 1 has link 1 and 2 plugged in to separate interfaces, as does router 2. Link 1 and 2 have unique private subnets assigned to them. Link 1 and 2 are both wireless bridge devices. Link 1's bridge devices will physically take the wired Ethernet connection down when they cannot communicate with each other wirelessly, resulting in an ifdown state on router 1 and router 2.

Routing tables in router 1 are:

Public subnet 1 via R2L1 IP metric 10
Public subnet 1 via R2L2 IP metric 100
Public subnet 2 via R2L1 IP metric 10
Public subnet 2 via R2L2 IP metric 100

Routing tables in router 2 are:

Default via R1L1 IP metric 10
Default via R1L2 IP metric 100

Obviously, link 1 is the more desirable route. Packets traverse from the Internet to the public subnets on router 2 exactly as expected when both links are functioning. All traffic runs over link 1.

Now to my problem: I have two links for failover reasons. I've set up, I believe, the easiest, simplest mechanism for route failover, as the bridge devices are plugged directly into discrete physical interfaces on both routers. When I force link 1 down, routes via its subnet are immediately removed from the routing table as expected. Router 1 can still ping devices on the public subnets connected to router 2. The problem is that nothing outside of router 1 can communicate with the public subnets.
I've done an "ip route flush cache" on both routers during a simulated failure, but that didn't allow hosts other than router 1 to communicate with the public subnets. I let the simulated situation sit for a while after reading some of the garbage collection parameters for the kernel on the LARTC site, assuming that the routes were still lingering on one router or another. Nothing I have tried yet has managed to get the failover to work for any device other than router 1 itself.

Does anyone have any idea why Internet hosts can't communicate with the public subnets on router 2 when link 1 is physically down?

Again, I would have posted this on the LARTC mailing list, but I haven't gotten a subscription response yet. I've tried subscribing several times over the course of this week.

Thanks for any and all input.

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
List Receiver wrote:
>
> I have two links for failover reasons. I've set up, I believe, the
> easiest, simplest mechanism for route failover, as the bridge devices
> are plugged directly into discrete physical interfaces on both routers.
> When I force link 1 down, routes via its subnet are immediately removed
> from the routing table as expected. Router 1 can still ping devices on
> the public subnets connected to router 2. The problem is that nothing
> outside of router 1 can communicate with the public subnets.

Have you used a packet sniffer to try to understand what is happening? Seems like the only way to discover the root cause of the problem.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> -----Original Message-----
> From: shorewall-users-bounces@lists.sourceforge.net
> [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
> Sent: Friday, October 20, 2006 8:38 AM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] OT: Routing problem
>
> List Receiver wrote:
> >
> > I have two links for failover reasons. I've set up, I believe, the
> > easiest, simplest mechanism for route failover, as the bridge devices
> > are plugged directly into discrete physical interfaces on both routers.
> > When I force link 1 down, routes via its subnet are immediately
> > removed from the routing table as expected. Router 1 can still ping
> > devices on the public subnets connected to router 2. The problem is
> > that nothing outside of router 1 can communicate with the public subnets.
>
> Have you used a packet sniffer to try to understand what is
> happening? Seems like the only way to discover the root cause
> of the problem.
>
> -Tom

No, not yet. I don't consider myself proficient at tcpdump to make that part of my normal troubleshooting process. I guess I better learn. :^)

How does that saying go? "Necessity is the mother of intervention..." Misquoted on purpose for those with no humor.
List Receiver wrote:
> Tom Eastep wrote:
>>
>> Have you used a packet sniffer to try to understand what is
>> happening? Seems like the only way to discover the root cause
>> of the problem.
>>
>> -Tom
>
> No, not yet. I don't consider myself proficient at tcpdump to make that
> part of my normal troubleshooting process. I guess I better learn. :^)

I agree :-) Running a complex multi-router setup without being able to use the routers' basic troubleshooting tools is a real handicap. Be sure to use the -e option to tcpdump so that you can see the link-layer addresses.

Ethereal is also nice as it gives a graphical display. Its display is similar to Shomiti Surveyor Lite, the sniffer featured in "Internet Core Protocols: The Definitive Guide" by Eric A. Hall. I think that book is a "must have" for network administrators.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> > No, not yet. I don't consider myself proficient at tcpdump to make
> > that part of my normal troubleshooting process. I guess I better
> > learn. :^)
>
> I agree :-) Running a complex multi-router setup without
> being able to use the routers' basic troubleshooting tools is
> a real handicap. Be sure to use the -e option to tcpdump so
> that you can see the link-layer addresses.
>
> Ethereal is also nice as it gives a graphical display. Its
> display is similar to Shomiti Surveyor Lite, the sniffer
> featured in "Internet Core Protocols: The Definitive Guide"
> by Eric A. Hall. I think that book is a "must have" for
> network administrators.
>
> -Tom

Thanks for the recommendation. I'll definitely check the book out. I'm not running X on either router, so Ethereal is probably out of the question unless you can run one in probe mode and another in display mode. I have used it in the past, however. They even have a Windows version now...
List Receiver wrote:
> Thanks for the recommendation. I'll definitely check the book out. I'm
> not running X on either router, so Ethereal is probably out of the
> question unless you can run one in probe mode and another in display
> mode. I have used it in the past, however. They even have a Windows
> version now...

You can capture a trace with tcpdump (using -w) then analyze it on another system with Ethereal.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
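The capture-then-analyse-elsewhere workflow Tom describes, worked through as an added example that is not part of the thread and not Shorewall's own code. The capture side is plain tcpdump, e.g. on router 1's Internet-facing interface: `tcpdump -eni eth0 -w r1-inet.pcap 'arp or icmp'` (the -e from Tom's advice puts link-layer addresses in the trace; -n, -i and -w are standard tcpdump options). The analysis side below is a small stand-alone pcap/ARP reader that answers the first question a trace from this setup should settle: when the upstream gateway asks "who has" an address in a public subnet, does router 1 (which the original post says proxy-ARPs those subnets) still answer for it while link 1 is down? The interface name, the RFC 5737 documentation addresses (203.0.113.0/24 as the upstream side, 198.51.100.0/24 as a public subnet), the 00:00:5e:00:53:xx MACs and the embedded capture are all constructed for the example; it reads only the classic pcap format that `tcpdump -w` writes, not pcapng.

```python
"""Offline check of a `tcpdump -w` trace: which link-layer address, if any,
answers ARP who-has for addresses in the proxy-ARP'd public subnets.
Example code written for this thread, not part of the original posts."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
LINKTYPE_ETHERNET = 1


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_pcap(data: bytes):
    """Yield the raw frame of every record in a classic pcap file.
    Handles both byte orders via the magic number; rejects pcapng."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} is not Ethernet; capture on the wired interface")
    off = 24  # global header is 24 bytes; each record header is 16 bytes
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_arp(frame: bytes):
    """Decode an Ethernet/ARP frame (IPv4 over Ethernet); None if it is not one."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_src": mac_str(frame[6:12]),          # who put the frame on the wire
        "sha": mac_str(frame[22:28]),             # sender hardware address in the ARP body
        "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }


def proxy_arp_check(pcap: bytes, public_subnets):
    """For each who-has seen for an address inside public_subnets, report the
    MAC that claimed the address (proxy ARP from router 1, if it is working)
    and list the targets that nobody answered for."""
    nets = [ipaddress.ip_network(n) for n in public_subnets]
    in_public = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    asked, answered = {}, {}
    for frame in parse_pcap(pcap):
        arp = parse_arp(frame)
        if arp is None:
            continue
        if arp["op"] == ARP_REQUEST and in_public(arp["tpa"]):
            asked.setdefault(arp["tpa"], arp["eth_src"])
        elif arp["op"] == ARP_REPLY and in_public(arp["spa"]):
            answered[arp["spa"]] = arp["sha"]
    return {"answered": answered,
            "unanswered": sorted(ip for ip in asked if ip not in answered)}


# --- constructed sample capture (not a real trace from the posted network) ---
def _arp_frame(op, eth_src, eth_dst, sha, spa, tha, tpa):
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs


UPSTREAM_MAC, ROUTER1_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # assumed
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
SAMPLE_CAPTURE = _pcap([
    _arp_frame(ARP_REQUEST, UPSTREAM_MAC, BCAST, UPSTREAM_MAC, "203.0.113.1", ZERO, "198.51.100.10"),
    _arp_frame(ARP_REPLY, ROUTER1_MAC, UPSTREAM_MAC, ROUTER1_MAC, "198.51.100.10", UPSTREAM_MAC, "203.0.113.1"),
    _arp_frame(ARP_REQUEST, UPSTREAM_MAC, BCAST, UPSTREAM_MAC, "203.0.113.1", ZERO, "198.51.100.20"),
    _arp_frame(ARP_REQUEST, UPSTREAM_MAC, BCAST, UPSTREAM_MAC, "203.0.113.1", ZERO, "203.0.113.7"),  # not public; ignored
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    print(proxy_arp_check(data, sys.argv[2:] or ["198.51.100.0/24"]))
```

Run it as `python3 arpcheck.py r1-inet.pcap 198.51.100.0/24 ...` with the real subnets, once on a trace taken with both links up and once with link 1 forced down. If the second trace shows the public-subnet targets under "unanswered", the break is on router 1's Internet side (it stopped claiming the addresses); if router 1 still answers there, take the same capture with -e on router 1's link 2 interface and on router 2 to see where the forwarded packets stop. The script deliberately reports the MAC from the ARP body rather than the Ethernet source, since the two differing is itself worth noticing on a proxy-ARP segment.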
Tom Eastep wrote:
>> Thanks for the recommendation. I'll definitely check the book out. I'm
>> not running X on either router, so Ethereal is probably out of the
>> question unless you can run one in probe mode and another in display
>> mode. I have used it in the past, however. They even have a Windows
>> version now...
>
> You can capture a trace with tcpdump (using -w) then analyze it on another
> system with Ethereal.

There is also its text-only brother tethereal which I install on just about any system I set up.
On 10/20/06, Tom Eastep <teastep@shorewall.net> wrote:
> You can capture a trace with tcpdump (using -w) then analyze it on another
> system with Ethereal.

Which is in fact the recommended mode of operation, since it has had quite a few exploits in the past, though I suppose running it for a few minutes while debugging is unlikely to cause any harm..

Prasanna.