Michael Grimm
2012-Dec-26 15:23 UTC
[nsd-users] nsd: Could not tcp connect to a:a:a:a::1:1: Operation timed out
Hi -- I do run both my primary and secondary nameservers in FreeBSD jails as outlined below: (jail1/a:a:a:a::1:1) <-----> (jail2/b:b:b:b::1:1) (jail1/10.10.10.1) <--NAT--> (host 1.2.3.4) <-----> (host 5.6.7.8) <--NAT--> (jail2/10.10.10.1) jail1 (master): nsd.conf (relevant part) ip-address: 10.10.10.1 ip-address: a:a:a:a::1:1 [...] notify: b:b:b:b::1:1 secret-key provide-xfr: b:b:b:b::1:1 secret-key outgoing-interface: a:a:a:a::1:1 [...] jail2 (slave): nsd.conf (relevant part) ip-address: 10.10.10.1 ip-address: b:b:b:b::1:1 [...] allow-notify: a:a:a:a::1:1 secret-key request-xfr: AXFR a:a:a:a::1:1 secret-key outgoing-interface: b:b:b:b::1:1 [...] Both servers are running well, serving all requests as expected, and the master is delivering all zones with afxr at startup perfectly well. But, I get the following error messages (for IPv6 address, only!) in the *slave*'s syslog: | nsd: Could not tcp connect to a:a:a:a::1:1: Operation timed out tcpdump at the *master* tells me (shortend to the relevant part): | pass in on em0: (flowlabel 0x360ed, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1:1.15298 > a:a:a:a::1:1.53: Flags [S], cksum 0xfedd (incorrect -> 0x7df6), seq 1459122906, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 333780857 ecr 0], length 0 So, what's going wrong here: - Is it my setup regarding nsd? - Is it a screwed IPv6 routing? - Or something else? Any help is highly appreciated. Thanks and with kind regards, Michael
Willem Toorop
2012-Dec-27 09:03 UTC
[nsd-users] nsd: Could not tcp connect to a:a:a:a::1:1: Operation timed out
Hi Michael, Your configuration looks good. Op 26-12-12 16:23, Michael Grimm schreef:> Both servers are running well, serving all requests as expected, and the master is delivering all zones with afxr at startup perfectly well. But, I get the following error messages (for IPv6 address, only!) in the *slave*'s syslog: > | nsd: Could not tcp connect to a:a:a:a::1:1: Operation timed out > > tcpdump at the *master* tells me (shortend to the relevant part): > | pass in on em0: (flowlabel 0x360ed, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1:1.15298 > a:a:a:a::1:1.53: Flags [S], cksum 0xfedd (incorrect -> 0x7df6), seq 1459122906, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 333780857 ecr 0], length 0I suspect the master and the slave are on the same host causing the checksum error (because checksum calculation is offloaded to the NIC). Is this true? Is this the only packet you saw for the handshake? Did you see an Syn/Ack after this packet? I.e. A packet returning from a:a:a:a::1:1 with "Flags [S.]"? Do you see the tcp6 listening socket on the master with "sockstat -l"? Do you use carp devices for the jails. I have seen some weird ipv6 routing behaviour with those myself. Regards, -- Willem
Michael Grimm
2012-Dec-29 15:12 UTC
[nsd-users] [SOLVED] nsd: Could not tcp connect to a:a:a:a::1:1: Operation timed out
On 26.12.2012, at 16:23, Michael Grimm <trashcan at odo.in-berlin.de> wrote:> - Or something else?JFTR: It had nothing to do with my nsd setup, nor with keeping master and slave servers in FreeBSD jails, no the cause had to do with my PF firewall's outgoing rule: Erroneous: | pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all modulate state Working: | pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all I'd used that rule for a very long time, but now the recent Upgrade to 9.1 broke that rule. Thanks again and with kind regards, Michael