hardy-konto@wolfundreimer.de
2006-Apr-20 06:31 UTC
Re: [Xen-users] Virtual network disconnect?
> There is bridging and routing with Xen 2.x as well. I use it a lot.

Erm, I didn't know, thx for information.

> Just to make sure you did not set up intrusion detection
> (e. g. snort inline) which cuts down on network connections
> if traffic reaches a threshold limit. Something like that.

Snort I had set up some months ago, but it isn running.

> I think it cannot be a problem of your general networking
> concept since it works with smaller downloads.

I think so, too.

> So there is either a problem with your kernel or a feature
> you do not remember setting up. :-)

But how to find that?

> Have you tested the same with a different protocol
> (let's say ftp or sftp or smb ...) so make sure the
> problem is not on the application layer?

The problem is _not_ the application (layer): The virtual connection between dom0 and domU is lost. No ping, no ssh, nothing. The application is still running and working (tested with xm console and e.g. lynx)
That problem occurred with http, ftp and scp.

Hardy

===================================
To: xen-users@lists.xensource.com
Subject: Re: [Xen-users] Virtual network disconnect?

Hi Hardy,

Hardy wrote:

Hi Dirk :)

> a) in which direction does the download go (from domU to net, from net to domU, from dom0 to net, ....)?

From domU to net. A service (here: webserver) offers files to download (like a fileserver). If a user (like me at home) downloads the file the breakdown happens.

> b) did you set up iptables manually or do you use something like shorewall for that?

I set them up manually within a script like that:
$ipt -t nat -A PREROUTING -d $external_ip -p tcp --dport 80 -j DNAT --to 192.168.1.5
(packet-forwarding enabled)

> c) what exactly is script-nat?

I think XEN3's nat is like the network in XEN2. New to XEN3 is bridging and routing, but I don't use them.

There is bridging and routing with Xen 2.x as well. I use it a lot.

Every domU has a vifx.y in dom0's address space and its own IP, but there is automatically routing/natting between them.

> d) did you test if connection is reopened after some time (5 minutes, one hour, etc.)?

No, I didn't. How to do that? Why should the connection reopen itself in a natted net?

Just to make sure you did not set up intrusion detection (e. g. snort inline) which cuts down on network connections if traffic reaches a threshold limit. Something like that.

I think it cannot be a problem of your general networking concept since it works with smaller downloads. So there is either a problem with your kernel or a feature you do not remember setting up. :-)

Have you tested the same with a different protocol (let's say ftp or sftp or smb ...) so make sure the problem is not on the application layer?

Dirk

Thx for answering,
Hardy

At 08:58 19.04.2006, Dirk H. Schulz wrote:

Hi Hardy,

Hardy Wolf wrote:

Hi,

I have a XEN 3.0.1 - Debian Sarge (Rootserver). There is a dom0 with connection to the internet (WAN-IP) and a domU with a local IP (192.168.x.y). The network is forwarded with iptables and script-nat.
All works fine until someone downloads a big file (last test ~100 MB). Suddenly the connection is lost. By checking all circumstances I noticed that XEN is no longer able to send packets to the domU. The connection from virtual to the real network is broken.

How can I fix that?
Does anybody know that problem?

In XEN 2.0.7 I had that problem, too.

I think I have a similar setup with Xen 2.0.7, but not the same problem.

Just to make things clear:
a) in which direction does the download go (from domU to net, from net to domU, from dom0 to net, ....)?
b) did you set up iptables manually or do you use something like shorewall for that?
c) what exactly is script-nat?
d) did you test if connection is reopened after some time (5 minutes, one hour, etc.)?

Dirk

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
hardy-konto@wolfundreimer.de wrote:

>> There is bridging and routing with Xen 2.x as well. I use it a lot.
>
> Erm, I didn't know, thx for information.
>
>> Just to make sure you did not set up intrusion detection
>> (e. g. snort inline) which cuts down on network connections
>> if traffic reaches a threshold limit. Something like that.
>
> Snort I had set up some months ago, but it isn running.
>
>> I think it cannot be a problem of your general networking
>> concept since it works with smaller downloads.
>
> I think so, too.
>
>> So there is either a problem with your kernel or a feature
>> you do not remember setting up. :-)
>
> But how to find that?
>
>> Have you tested the same with a different protocol
>> (let's say ftp or sftp or smb ...) so make sure the
>> problem is not on the application layer?
>
> The problem is _not_ the application (layer): The virtual connection between dom0 and domU is lost. No ping, no ssh, nothing. The application is still running and working (tested with xm console and e.g. lynx)
> That problem occurred with http, ftp and scp.

Okay, then it must be something with your kernels. Do you use ready made kernels, did you compile yourself, and if yes, what did you change compared to the standard config in the sources?

Dirk

> Hardy
>
> ===================================
> To: xen-users@lists.xensource.com
> Subject: Re: [Xen-users] Virtual network disconnect?
>
> Hi Hardy,
>
> Hardy wrote:
>
> Hi Dirk :)
>
>> a) in which direction does the download go (from domU to net, from net to domU, from dom0 to net, ....)?
>
> From domU to net. A service (here: webserver) offers files to download (like a fileserver). If a user (like me at home) downloads the file the breakdown happens.
>
>> b) did you set up iptables manually or do you use something like shorewall for that?
>
> I set them up manually within a script like that:
> $ipt -t nat -A PREROUTING -d $external_ip -p tcp --dport 80 -j DNAT --to 192.168.1.5
> (packet-forwarding enabled)
>
>> c) what exactly is script-nat?
>
> I think XEN3's nat is like the network in XEN2. New to XEN3 is bridging and routing, but I don't use them.
>
> There is bridging and routing with Xen 2.x as well. I use it a lot.
>
> Every domU has a vifx.y in dom0's address space and its own IP, but there is automatically routing/natting between them.
>
>> d) did you test if connection is reopened after some time (5 minutes, one hour, etc.)?
>
> No, I didn't. How to do that? Why should the connection reopen itself in a natted net?
>
> Just to make sure you did not set up intrusion detection (e. g. snort inline) which cuts down on network connections if traffic reaches a threshold limit. Something like that.
>
> I think it cannot be a problem of your general networking concept since it works with smaller downloads. So there is either a problem with your kernel or a feature you do not remember setting up. :-)
>
> Have you tested the same with a different protocol (let's say ftp or sftp or smb ...) so make sure the problem is not on the application layer?
>
> Dirk
>
> Thx for answering,
> Hardy
>
> At 08:58 19.04.2006, Dirk H. Schulz wrote:
>
> Hi Hardy,
>
> Hardy Wolf wrote:
>
> Hi,
>
> I have a XEN 3.0.1 - Debian Sarge (Rootserver). There is a dom0 with connection to the internet (WAN-IP) and a domU with a local IP (192.168.x.y). The network is forwarded with iptables and script-nat.
> All works fine until someone downloads a big file (last test ~100 MB). Suddenly the connection is lost. By checking all circumstances I noticed that XEN is no longer able to send packets to the domU. The connection from virtual to the real network is broken.
>
> How can I fix that?
> Does anybody know that problem?
>
> In XEN 2.0.7 I had that problem, too.
>
> I think I have a similar setup with Xen 2.0.7, but not the same problem.
>
> Just to make things clear:
> a) in which direction does the download go (from domU to net, from net to domU, from dom0 to net, ....)?
> b) did you set up iptables manually or do you use something like shorewall for that?
> c) what exactly is script-nat?
> d) did you test if connection is reopened after some time (5 minutes, one hour, etc.)?
>
> Dirk
Hi Hardy,

Hardy Wolf wrote:

>> Okay, then it must be something with your kernels. Do you use ready made
>> kernels, did you compile yourself, and if yes, what did you change
>> compared to the standard config in the sources?
>
> I compiled the kernel (version 2.6.12.6) myself, but used the standard
> configuration, i.e. I did not change anything. Perhaps the compiler has
> taken the configuration of my original kernel? But there the problem is
> testable (there is no xen, i.e. no domUs :D ). (version 2.6.8)

If you have compiled the xen kernels in their own directory (that is generated when unpacking the sources), the compiler should not have taken any other config. And you would not have a xen kernel if it was the vanilla kernel config.

Okay, nothing you have set up on your own. Then I would carry the problem over to the developers mailing list, maybe open up a bug report. Before that you could test it with Xen 3.0.2 and kernel 2.6.16 (to see if it has been solved in between).

If you want to find out on your own, you have to compare the contents of your routing table, nat table etc. before and after the disruption. If that does not lead to anything, you could use the packet marking feature to follow single packets through the dom0 kernel and find out where they get stuck (if they do).

But all that is nothing I am very familiar with (like in "I do that daily"), so I guess the developers could be of much more help.

Dirk
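
The before/after comparison of routing and NAT tables suggested in the last reply, as an added shell example that is not part of the thread. The function names, the snapshot file layout and the 203.0.113.x addresses are assumptions, and the sample data in demo() is constructed.

```shell
#!/bin/sh
# Added example, not from the thread; names and file layout are hypothetical.

# Save routing table, NAT/filter rules, link state and forwarding flag in $1.
capture_state() {
    mkdir -p "$1" || return 1
    ip route show           > "$1/route"  2>&1 || true
    iptables-save -t nat    > "$1/nat"    2>&1 || true
    iptables-save -t filter > "$1/filter" 2>&1 || true
    ip -o link show         > "$1/links"  2>&1 || true
    cat /proc/sys/net/ipv4/ip_forward > "$1/ip_forward" 2>&1 || true
}

# Drop iptables-save timestamp comments and [packets:bytes] counters:
# they differ between any two captures and would hide real changes.
normalize() {
    sed -e '/^#/d' -e 's/ *\[[0-9]*:[0-9]*\]//' "$1" 2>/dev/null || true
}

# Print the names of the snapshot files that differ between $1 and $2.
changed_tables() {
    changed=""
    for name in route nat filter links ip_forward; do
        a=$(normalize "$1/$name")
        b=$(normalize "$2/$name")
        [ "$a" = "$b" ] || changed="$changed $name"
    done
    echo "${changed# }"
}

# Constructed sample data (not output from the poster's machine): only the
# counters differ in "nat", while the vif route is missing in "route".
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/before" "$d/after"
    for s in before after; do
        echo 1 > "$d/$s/ip_forward"; : > "$d/$s/filter"; : > "$d/$s/links"
    done
    printf '%s\n' ':PREROUTING ACCEPT [10:600]' \
        '-A PREROUTING -d 203.0.113.10/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.5' \
        > "$d/before/nat"
    sed 's/\[10:600\]/[9999:123456]/' "$d/before/nat" > "$d/after/nat"
    printf '%s\n' 'default via 203.0.113.1 dev eth0' \
        '192.168.1.5 dev vif1.0 scope link' > "$d/before/route"
    echo 'default via 203.0.113.1 dev eth0' > "$d/after/route"
    changed_tables "$d/before" "$d/after"
    rm -rf "$d"
}
```

On dom0, run capture_state as root once while the network works and again right after the disruption, then pass both directories to changed_tables.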