PGNd
2014-Sep-24 16:14 UTC
troubleshooting SW v4.6.3.4 interface failures during boot sequence?
I'm (still) trying to troubleshoot SW + interface behavior on boot/startup.

The boot process reports failures on interface checks, which resolve 'automagically' after boot's completed.

Looking at my system's boot log

    journalctl -xb | awk '/vpn/ || /shorewall/ || ((/ifup/ || /ifdown/ || /service/) && (/eth0/ || /tun1/))'

    Sep 24 08:02:07 fw shorewall-init[935]: Initializing "Shorewall-based firewalls": Stopping Shorewall Lite....
    Sep 24 08:02:08 fw shorewall-init[935]: done.
    Sep 24 08:02:08 fw shorewall-init[935]: Stopping Shorewall6 Lite....
    Sep 24 08:02:08 fw shorewall-init[935]: done.

... shorewall-init has done its thing,

    Sep 24 08:02:09 fw systemd[1]: Starting ifup managed network interface eth0...
    -- Subject: Unit network@eth0.service has begun with start-up
    -- Unit network@eth0.service has begun starting up.
    Sep 24 08:02:10 fw ifup[1682]: eth0 device: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)
    Sep 24 08:02:26 fw systemd[1]: Started ifup managed network interface eth0.
    -- Subject: Unit network@eth0.service has finished start-up
    -- Unit network@eth0.service has finished starting up.

... the external interface, eth0, is up,

    Sep 24 08:02:58 fw systemd[1]: Starting ifup managed network interface tun1...
    -- Subject: Unit network@tun1.service has begun with start-up
    -- Unit network@tun1.service has begun starting up.
    Sep 24 08:02:58 fw ifup[3146]: tun1
    Sep 24 08:02:58 fw ifup[3213]: tun1
    Sep 24 08:02:58 fw ifup[3146]: tun1 Set 'tun1' persistent and owned by uid 499 gid 499

... the vpn tunnel interface, tun1, is up,

    -- Subject: Unit openvpn.service has begun with start-up
    -- Unit openvpn.service has begun starting up.
    -- Subject: Unit openvpn.service has finished start-up
    -- Unit openvpn.service has finished starting up.

... the openvpn.service is up, next, shorewall-lite starts

    Sep 24 08:03:13 fw systemd[1]: Starting shorewall-lite...
    -- Subject: Unit shorewall-lite.service has begun with start-up
    -- Unit shorewall-lite.service has begun starting up.
    Sep 24 08:03:13 fw shorewall-lite[3450]: Starting Shorewall Lite....

... but fails to ping the 1st provider's interface, eth0,

    Sep 24 08:03:14 fw shorewall-lite[3450]: BAD ping @ INTFC=eth0
    Sep 24 08:03:14 fw shorewall-lite[3450]: Initializing...
    Sep 24 08:03:15 fw shorewall-lite[3450]: Processing init user exit ...
    Sep 24 08:03:16 fw shorewall-lite[3450]: Processing tcclear user exit ...
    Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Route Filtering...
    Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Martian Logging...
    Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Accept Source Routing...
    Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Proxy ARP...
    Sep 24 08:03:16 fw shorewall-lite[3450]: Adding Providers...
    Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: Interface eth0 is not usable -- Provider prov1 (1) not Started
    Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: Interface tun1 is not usable -- Provider prov2 (2) not Started
    Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: No Default route added (all 'balance' providers are down)
    Sep 24 08:03:17 fw shorewall-lite[3450]: NOTICE: Default route restored
    Sep 24 08:03:17 fw shorewall-lite[3450]: Preparing iptables-restore input...
    Sep 24 08:03:17 fw shorewall-lite[3450]: Running /usr/sbin/iptables-restore...
    Sep 24 08:03:17 fw shorewall-lite[3450]: IPv4 Forwarding Enabled
    Sep 24 08:03:17 fw shorewall-lite[3450]: Processing start user exit ...
    Sep 24 08:03:17 fw shorewall-lite[3450]: Processing started user exit ...
    Sep 24 08:03:17 fw shorewall-lite[3450]: done.
    -- Subject: Unit shorewall-lite.target has begun with start-up
    -- Unit shorewall-lite.target has begun starting up.

... shorewall-lite never announces that it "has finished starting up."

Shorewall6-lite begins startup,

    Sep 24 08:03:17 fw systemd[1]: Starting shorewall6-lite...
    -- Subject: Unit shorewall6-lite.service has begun with start-up
    -- Unit shorewall6-lite.service has begun starting up.
    Sep 24 08:03:17 fw shorewall6-lite[3819]: Starting Shorewall6 Lite....
    Sep 24 08:03:17 fw shorewall6-lite[3819]: Initializing...
    Sep 24 08:03:17 fw shorewall6-lite[3819]: Processing init user exit ...
    Sep 24 08:03:17 fw shorewall6-lite[3819]: Processing tcclear user exit ...
    Sep 24 08:03:18 fw shorewall6-lite[3819]: Setting up Proxy NDP...
    Sep 24 08:03:18 fw shorewall6-lite[3819]: Preparing ip6tables-restore input...
    Sep 24 08:03:18 fw shorewall6-lite[3819]: Running /usr/sbin/ip6tables-restore...
    Sep 24 08:03:18 fw shorewall6-lite[3819]: IPv6 Forwarding Enabled
    Sep 24 08:03:18 fw shorewall6-lite[3819]: Setting up IPv6 Interface Forwarding...
    Sep 24 08:03:18 fw shorewall6-lite[3819]: Processing start user exit ...
    Sep 24 08:03:18 fw shorewall6-lite[3819]: Processing started user exit ...
    Sep 24 08:03:18 fw shorewall6-lite[3819]: done.
    -- Subject: Unit shorewall6-lite.target has begun with start-up
    -- Unit shorewall6-lite.target has begun starting up.
    -- Subject: Unit shorewall6-lite.target has finished start-up
    -- Unit shorewall6-lite.target has finished starting up.

and finishes successfully.

But, immediately AFTER boot's complete, at shell, both ping to the 'net via eth0,

    ping 8.8.8.8 -c1
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=61.6 ms
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 61.663/61.663/61.663/0.000 ms

and ping to the other side of the vpn, via tun1,

    ping 192.168.0.10 -c1
    PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
    64 bytes from 192.168.0.10: icmp_seq=1 ttl=64 time=45.8 ms
    --- 192.168.0.10 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 45.833/45.833/45.833/0.000 ms

work correctly, and SW status shows,

    shorewall-lite status
    Shorewall Lite-4.6.3.4 Status at fw - Wed Sep 24 09:03:25 PDT 2014
    Shorewall Lite is running
    State:Started (Wed Sep 24 08:03:17 PDT 2014) from /usr/local/etc/shorewall/IPv4/ (/var/lib/shorewall-lite/firewall compiled by Shorewall version 4.6.3.4)

    shorewall6-lite status
    Shorewall6 Lite-4.6.3.4 Status at fw - Wed Sep 24 09:03:43 PDT 2014
    Shorewall6 Lite is running
    State:Started (Wed Sep 24 08:03:18 PDT 2014) from /usr/local/etc/shorewall/IPv6/ (/var/lib/shorewall6-lite/firewall compiled by Shorewall version 4.6.3.4)

that both SW4 & SW6 are up & running.

The progress/state DURING boot, and AFTER boot are not consistent. I do not understand why the interfaces are up, SW seems to fail, then ends up working anyway.

What do I check to find/fix the SW startup fail on interfaces DURING boot?