Hi, experts for example, the below case: You can see a lot of back and forth MTU probe packets been exchanged between tinc nodes, but it’s weird that, from the debug log, one line shows "No response to MTU probes from node1”, but it indeed received a lot of MTU probe response, and finally it get the conclusion of "Packet for node1 (1.1.1.1 port 443) larger than minimum MTU”. 2017-06-21 08:12:05 tinc.myvpn[18854]: Got MTU probe length 1341 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:05 tinc.myvpn[18854]: Got MTU probe length 619 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:06 tinc.myvpn[18854]: Got MTU probe length 396 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:06 tinc.myvpn[18854]: Sending MTU probe length 77 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:06 tinc.myvpn[18854]: Sending MTU probe length 1033 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:06 tinc.myvpn[18854]: Sending MTU probe length 798 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:06 tinc.myvpn[18854]: Got MTU probe length 607 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:06 tinc.myvpn[18854]: Got MTU probe length 902 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:07 tinc.myvpn[18854]: Got MTU probe length 143 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:07 tinc.myvpn[18854]: Sending MTU probe length 1156 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:07 tinc.myvpn[18854]: Sending MTU probe length 723 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:07 tinc.myvpn[18854]: Sending MTU probe length 617 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:07 tinc.myvpn[18854]: Got MTU probe length 993 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:07 tinc.myvpn[18854]: Got MTU probe length 546 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:08 tinc.myvpn[18854]: Got MTU probe length 901 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:08 tinc.myvpn[18854]: Sending MTU probe length 1246 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:08 tinc.myvpn[18854]: Sending MTU probe length 786 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:08 tinc.myvpn[18854]: Sending MTU probe length 221 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:08 tinc.myvpn[18854]: Got MTU probe length 910 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:08 tinc.myvpn[18854]: Got MTU probe length 649 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:09 tinc.myvpn[18854]: Got MTU probe length 218 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:09 tinc.myvpn[18854]: Sending MTU probe length 526 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:09 tinc.myvpn[18854]: Sending MTU probe length 353 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:09 tinc.myvpn[18854]: Sending MTU probe length 547 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:09 tinc.myvpn[18854]: Got MTU probe length 602 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:09 tinc.myvpn[18854]: Got MTU probe length 201 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:10 tinc.myvpn[18854]: Got MTU probe length 543 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:10 tinc.myvpn[18854]: Sending MTU probe length 141 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:10 tinc.myvpn[18854]: Sending MTU probe length 445 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:10 tinc.myvpn[18854]: Sending MTU probe length 806 to node1 (1.1.1.1 port 443) 2017-06-21 08:12:10 tinc.myvpn[18854]: Got MTU probe length 1418 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:10 tinc.myvpn[18854]: Got MTU probe length 309 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:11 tinc.myvpn[18854]: Got MTU probe length 192 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:11 tinc.myvpn[18854]: No response to MTU probes from node1 (1.1.1.1 port 443) 2017-06-21 08:12:11 tinc.myvpn[18854]: Got MTU probe length 1247 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:11 tinc.myvpn[18854]: Got MTU probe length 1104 from node1 (1.1.1.1 port 443) 2017-06-21 08:12:38 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443) larger than minimum MTU, forwarding via TCP 2017-06-21 08:12:53 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443) larger than minimum MTU, forwarding via TCP 2017-06-21 08:13:04 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443) larger than minimum MTU, forwarding via TCP 2017-06-21 08:13:05 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443) larger than minimum MTU, forwarding via TCP 2017-06-21 08:13:08 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443) larger than minimum MTU, forwarding via TCP Also you can see from tcpdump that, 192.168.31.114 received the MTU probe response on it’s port 8201 08:14:21.497863 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 980 08:14:22.529725 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 72 08:14:22.529805 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 868 08:14:22.530085 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 1353 08:14:22.531425 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 76 08:14:22.532885 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 876 08:14:22.534025 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 1356 08:15:31.904410 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 868 08:15:31.905610 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 868 08:15:31.907070 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 1340 08:15:32.209491 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 113 08:15:32.209631 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 549 08:15:32.209651 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 637 08:15:32.210451 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 116 08:15:32.211271 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 556 08:15:32.212111 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 644 08:16:41.634229 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 588 08:16:41.634909 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 76 08:16:41.635909 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 620 08:16:42.173050 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 433 08:16:42.173210 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 447 08:16:42.173250 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 1209 08:16:42.174150 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 436 08:16:42.174970 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 452 08:16:42.175890 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 1212 08:17:51.201088 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 324 08:17:51.202368 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 1020 08:17:51.203788 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 980 08:17:52.251311 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 369 08:17:52.251451 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 784 08:17:52.251511 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 981 08:17:52.252351 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 372 08:17:52.253511 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 788 08:17:52.254471 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 988
I found the server(1.1.1.1) didn’t receive the MTU probe from client, so I add
iptables -A INPUT -p udp —port 443 -j ACCEPT.
After this, I see one packet matching on the server side, and the MTU
negotiation works, but when I tear down the tinc, and re-establish the tinc
connection, the counter of below UDP/443 never increase, and also my other tinc
nodes never add this statement on iptables, but they alll works well for the MTU
negotiation(finally works on UDP)
pkts bytes target prot opt in out source destination
1 104 ACCEPT udp -- any any anywhere anywhere
udp dpt:https
The above statement is necessary, or not?
> On 21 Jun 2017, at 8:22 AM, Bright Zhao <startryst at gmail.com>
wrote:
>
> Hi, experts
>
> for example, the below case:
>
> You can see a lot of back and forth MTU probe packets been exchanged
between tinc nodes, but it’s weird that, from the debug log, one line shows
"No response to MTU probes from node1”, but it indeed received a lot of MTU
probe response, and finally it get the conclusion of "Packet for node1
(1.1.1.1 port 443) larger than minimum MTU”.
>
> 2017-06-21 08:12:05 tinc.myvpn[18854]: Got MTU probe length 1341 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:05 tinc.myvpn[18854]: Got MTU probe length 619 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:06 tinc.myvpn[18854]: Got MTU probe length 396 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:06 tinc.myvpn[18854]: Sending MTU probe length 77 to node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:06 tinc.myvpn[18854]: Sending MTU probe length 1033 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:06 tinc.myvpn[18854]: Sending MTU probe length 798 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:06 tinc.myvpn[18854]: Got MTU probe length 607 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:06 tinc.myvpn[18854]: Got MTU probe length 902 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:07 tinc.myvpn[18854]: Got MTU probe length 143 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:07 tinc.myvpn[18854]: Sending MTU probe length 1156 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:07 tinc.myvpn[18854]: Sending MTU probe length 723 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:07 tinc.myvpn[18854]: Sending MTU probe length 617 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:07 tinc.myvpn[18854]: Got MTU probe length 993 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:07 tinc.myvpn[18854]: Got MTU probe length 546 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:08 tinc.myvpn[18854]: Got MTU probe length 901 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:08 tinc.myvpn[18854]: Sending MTU probe length 1246 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:08 tinc.myvpn[18854]: Sending MTU probe length 786 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:08 tinc.myvpn[18854]: Sending MTU probe length 221 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:08 tinc.myvpn[18854]: Got MTU probe length 910 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:08 tinc.myvpn[18854]: Got MTU probe length 649 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:09 tinc.myvpn[18854]: Got MTU probe length 218 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:09 tinc.myvpn[18854]: Sending MTU probe length 526 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:09 tinc.myvpn[18854]: Sending MTU probe length 353 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:09 tinc.myvpn[18854]: Sending MTU probe length 547 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:09 tinc.myvpn[18854]: Got MTU probe length 602 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:09 tinc.myvpn[18854]: Got MTU probe length 201 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:10 tinc.myvpn[18854]: Got MTU probe length 543 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:10 tinc.myvpn[18854]: Sending MTU probe length 141 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:10 tinc.myvpn[18854]: Sending MTU probe length 445 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:10 tinc.myvpn[18854]: Sending MTU probe length 806 to
node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:10 tinc.myvpn[18854]: Got MTU probe length 1418 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:10 tinc.myvpn[18854]: Got MTU probe length 309 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:11 tinc.myvpn[18854]: Got MTU probe length 192 from node1
(1.1.1.1 port 443)
>
> 2017-06-21 08:12:11 tinc.myvpn[18854]: No response to MTU probes from node1
(1.1.1.1 port 443)
>
> 2017-06-21 08:12:11 tinc.myvpn[18854]: Got MTU probe length 1247 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:11 tinc.myvpn[18854]: Got MTU probe length 1104 from node1
(1.1.1.1 port 443)
> 2017-06-21 08:12:38 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443)
larger than minimum MTU, forwarding via TCP
> 2017-06-21 08:12:53 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443)
larger than minimum MTU, forwarding via TCP
> 2017-06-21 08:13:04 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443)
larger than minimum MTU, forwarding via TCP
> 2017-06-21 08:13:05 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443)
larger than minimum MTU, forwarding via TCP
> 2017-06-21 08:13:08 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443)
larger than minimum MTU, forwarding via TCP
>
>
>
> Also you can see from tcpdump that, 192.168.31.114 received the MTU probe
response on it’s port 8201
>
> 08:14:21.497863 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 980
> 08:14:22.529725 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 72
> 08:14:22.529805 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 868
> 08:14:22.530085 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 1353
> 08:14:22.531425 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 76
> 08:14:22.532885 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 876
> 08:14:22.534025 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 1356
> 08:15:31.904410 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 868
> 08:15:31.905610 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 868
> 08:15:31.907070 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 1340
> 08:15:32.209491 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 113
> 08:15:32.209631 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 549
> 08:15:32.209651 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 637
> 08:15:32.210451 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 116
> 08:15:32.211271 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 556
> 08:15:32.212111 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 644
> 08:16:41.634229 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 588
> 08:16:41.634909 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 76
> 08:16:41.635909 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 620
> 08:16:42.173050 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 433
> 08:16:42.173210 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 447
> 08:16:42.173250 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 1209
> 08:16:42.174150 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 436
> 08:16:42.174970 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 452
> 08:16:42.175890 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 1212
> 08:17:51.201088 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 324
> 08:17:51.202368 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 1020
> 08:17:51.203788 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 980
> 08:17:52.251311 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 369
> 08:17:52.251451 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 784
> 08:17:52.251511 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 981
> 08:17:52.252351 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 372
> 08:17:52.253511 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 788
> 08:17:52.254471 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 988
On Wed, Jun 21, 2017 at 09:11:47AM +0800, Bright Zhao wrote:> I found the server(1.1.1.1) didn’t receive the MTU probe from client, so I add iptables -A INPUT -p udp —port 443 -j ACCEPT. > > After this, I see one packet matching on the server side, and the MTU negotiation works, but when I tear down the tinc, and re-establish the tinc connection, the counter of below UDP/443 never increase, and also my other tinc nodes never add this statement on iptables, but they alll works well for the MTU negotiation(finally works on UDP) > > pkts bytes target prot opt in out source destination > 1 104 ACCEPT udp -- any any anywhere anywhere udp dpt:https > > The above statement is necessary, or not?Yes, if it would otherwise block UDP packets coming in to the server, you need it to ensure tinc can communicate via UDP. -- Met vriendelijke groet / with kind regards, Guus Sliepen <guus at tinc-vpn.org> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20170622/dd95e415/attachment.sig>
Possibly Parallel Threads
- How to diagnostic UDP discovery failed situation
- No connection between nodes on same LAN
- What/why this event happens: Can't write to Linux tun/tap device (tun mode) /dev/net/tun: Input/output error
- config help & pid file not existing issue
- What/why this event happens: Can't write to Linux tun/tap device (tun mode) /dev/net/tun: Input/output error