I've been experiencing a very, very odd problem for the past several weeks and am throwing it out in case someone can shed some light on it for me. There is a single box on our tinc mesh which can be pinged from all hosts, but cannot ping any. It is not limited to ping; the box cannot communicate over tinc at all. tinc is running in router mode for this mesh. ~30 other nodes function normally, with no differences in configuration other than name, key, and subnet. ~10 of these nodes are running on identical hardware and software (one such node is in my own office). There are no issues outside of tinc. All host files are synchronized and identical. TCPdump on other machines shows no incoming traffic from this box, but TCPdump on this box shows traffic 'exiting' via the tinc tun device. Having tried everything I could conceive of, for some reason I decided to start mucking with packet sizes. Pinging with a data size of 26 bytes (total size 34) works perfectly. Any larger size fails. I've included some relevant information below; keys are trimmed. Please let me know if you'd like something else. I would greatly appreciate any help or even suggestions anyone can offer.
=============================================================================
Central Node (10.0.0.1) configurations:
=============================================================================
---------------------------------------
tinc.conf
---------------------------------------
Name=central
Mode=router
AddressFamily=any
BindToInterface=eth0
MaxTimeout=333
KeyExpire=888
PingInterval=88
PingTimeout=4
#Forwarding=kernel
TunnelServer=yes
---------------------------------------
hosts/central
---------------------------------------
Compression=10
PMTUDiscovery=yes
Subnet=10.0.0.0/28
Subnet=0.0.0.0/0#10
=============================================================================
My Office Node (10.13.1.1) configurations:
=============================================================================
---------------------------------------
tinc.conf
---------------------------------------
Name=$HOST
Mode=router
AddressFamily=any
BindToInterface=pppoe-wan
MaxTimeout=333
KeyExpire=888
PingInterval=44
PingTimeout=4
ProcessPriority=high
LocalDiscovery=yes
ConnectTo=central
---------------------------------------
hosts/myoffice
---------------------------------------
PMTUDiscovery=yes
Compression=10
Subnet=10.13.1.0/24
=============================================================================
Problem Node (10.24.1.1) configurations:
=============================================================================
---------------------------------------
tinc.conf
---------------------------------------
Name=$HOST
Mode=router
AddressFamily=any
BindToInterface=pppoe-wan
MaxTimeout=333
KeyExpire=888
PingInterval=44
PingTimeout=4
ProcessPriority=high
LocalDiscovery=yes
ConnectTo=central
---------------------------------------
hosts/problemnode
---------------------------------------
PMTUDiscovery=yes
Compression=10
Subnet=10.24.1.0/24
=============================================================================
Ping Output:
=============================================================================
[02:45 ~] root at problemnode # ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
^C
--- 10.0.0.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
[02:46 ~] root at problemnode ? ping -s 26 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 26 data bytes
34 bytes from 10.0.0.1: seq=0 ttl=64 time=244.067 ms
34 bytes from 10.0.0.1: seq=1 ttl=64 time=244.342 ms
34 bytes from 10.0.0.1: seq=2 ttl=64 time=251.433 ms
34 bytes from 10.0.0.1: seq=3 ttl=64 time=246.311 ms
^C
--- 10.0.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 244.067/246.538/251.433 ms
[02:46 ~] root at problemnode # ping -s 27 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 27 data bytes
^C
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
[02:46 ~] root at problemnode ?
--
-shikkc
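The size sweep shikkc did by hand, as an added example that is not part of the thread: it probes a list of ICMP payload sizes through the tunnel and reports every result, so a selective drop (a band of sizes rather than a single threshold) shows up as a window. It assumes a ping that accepts -c, -W and -s (busybox/iputils), and the sizes listed are constructed to bracket the 26/27 boundary from the ping output above.

```shell
# Sweep ICMP payload sizes across the tunnel and report which get a reply.
# Note: ping -s N is the ICMP payload only; tinc adds UDP, cipher and
# compression overhead on the wire, so N is not the size an ISP filter sees.

# ping_probe TARGET SIZE: exit 0 if one ping with payload SIZE is answered.
# Assumes a ping that accepts -c (count), -W (wait seconds) and -s (size).
ping_probe() {
    ping -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# sweep_sizes PROBE TARGET SIZE...: prints "SIZE ok" or "SIZE drop" per size.
# PROBE is any command taking (TARGET, SIZE), so it can be swapped in tests.
sweep_sizes() {
    probe=$1; target=$2; shift 2
    for size in "$@"; do
        if "$probe" "$target" "$size"; then
            echo "$size ok"
        else
            echo "$size drop"
        fi
    done
}

# drop_windows: reads sweep output on stdin and prints "FROM-TO" for each
# contiguous run of dropped sizes, or "none" if every size was answered.
drop_windows() {
    awk '
        function flush() { if (start != "") { print start "-" last; n++; start = "" } }
        $2 == "drop" { if (start == "") start = $1; last = $1; next }
        { flush() }
        END { flush(); if (n == 0) print "none" }
    '
}

# Usage: sh sweep.sh 10.0.0.1
# Constructed size list: brackets the 26/27 boundary seen in the thread and
# reaches the larger sizes (around 1400) that are worth checking separately.
if [ "$#" -eq 1 ]; then
    out=$(sweep_sizes ping_probe "$1" 0 26 27 64 128 256 512 1000 1400 1472)
    printf '%s\n' "$out"
    printf 'dropped windows: %s\n' "$(printf '%s\n' "$out" | drop_windows | tr '\n' ' ')"
fi
```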
On Fri, Apr 24, 2015 at 03:08:54AM +0800, shikkc wrote:
> There is a single box on our tinc mesh which can be pinged from all hosts,
> but cannot ping any.
[...]
> TCPdump on other machines shows no incoming traffic from this box, but
> TCPdump on this box shows traffic 'exiting' via the tinc tun device. Having
> tried everything I could conceive of, for some reason I decided to start
> mucking with packet sizes. pinging with a data size of 26 bytes (total size
> 34) works perfectly. Any larger size fails.

Have you tried much larger packet sizes, like 1400? It could be that this node's ISP blocks UDP packets with sizes that are commonly used by VoIP. Tinc only checks if large UDP packets can be sent, and if so it will not detect it when small packets get dropped.

You can also try adding the following to the problematic node's tinc.conf:

TCPOnly = yes

This will force it to communicate via TCP only, hopefully circumventing the problem.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
On 2015-04-24 22:02, Guus Sliepen wrote:
> On Fri, Apr 24, 2015 at 03:08:54AM +0800, shikkc wrote:
>
>> There is a single box on our tinc mesh which can be pinged from all hosts,
>> but cannot ping any.
> [...]
>> TCPdump on other machines shows no incoming traffic from this box, but
>> TCPdump on this box shows traffic 'exiting' via the tinc tun device. Having
>> tried everything I could conceive of, for some reason I decided to start
>> mucking with packet sizes. pinging with a data size of 26 bytes (total size
>> 34) works perfectly. Any larger size fails.
>
> Have you tried much larger packet sizes, like 1400? It could be that
> this node's ISP blocks UDP packets with sizes that are commonly used by
> VoIP. Tinc only checks if large UDP packets can be sent, and if so it
> will not detect it when small packets get dropped.

Yes, I have tried this; all larger packet sizes are dropped, including jumbos.

>
> You can also try adding the following to the problematic node's
> tinc.conf:
>
> TCPOnly = yes
>

Yes, I've tried this already and removed it because it did not help at all. I should have included that doing an 'info' on the node shows that it is reachable directly via TCP, so it seems to be doing this regardless of having the flag or not. Some more testing reveals even odder behavior: when the router is set to use tinc as its 'default gateway', traffic is sent from it to the central node, and the central node and also farther servers reply. However, the problematic node never sees these replies. If you'd like example tinc pcap-format dumps I can provide those, though for obvious reasons I don't want to send them to the entire list.

--
-shikkc