Etienne Dechamps
2017-Sep-13 19:02 UTC
Packet capture to analysis the tinc connection close
It seems like that kind of problem could be solved by making sure that tinc continues PINGing over TCP metaconnections even when an UDP tunnel is established, to keep the metaconnection alive. In fact I was under the impression that the 1.1 branch already did that or that I had submitted some code to do that at some point in the past, but it looks like I maybe be misremembering things. On 13 September 2017 at 16:13, Guus Sliepen <guus at tinc-vpn.org> wrote:> On Fri, Sep 08, 2017 at 06:35:41AM +0800, Bright Zhao wrote: > > > And, I ran a constant ping from the tinc client’s IP to the tinc > server’s IP, it shows, the pings are all successfully back and forth, no > any packet loss during the connection drop happens, so will this help to > exclude any NAT/firewall cause the connection drop? > > > > And as you saw from the earlier screen shot, when it happens, it drop > all tinc connections, and those connections are for different direction of > tinc servesr, and the packet capture is just show one of the connections. > > > > I do realize the connection drop in the picture happens 10 mins, but the > tinc client is direct connect to SP with public routable IP, without any > firewall/NAT. Just trying to know if there’s any other reason might cause > this? > > > > And BTW, this type of connection drop is not regularly with pattern, > sometimes it happens, sometimes it doesn’t. > > Tinc itself wouldn't cause these kind of reconnections. It clearly sees > a timeout, which means it didn't receive a response to its PING packets in > time. Unfortunately, there are two classes of devices that are not > uncommon that could cause this to happen: consumer ADSL/cable modems > tend to have very short timeouts on connections or NAT mappings, and > some providers just randomly drop long-lived connections for various > reasons (mainly because they think you should only browse webpages, > which only requires short-lived TCP connections, which is also easy to > analyze, and they want to discourage VPNs, VoIP et cetera). > > But just to be sure, just set up a TCP connection between the two nodes > using netcat or socket for example, send something over that connection > every minute, and see how long it lasts. > > You can also try to reduce PingInterval to, say, 30, and see if that > improves anything. > > -- > Met vriendelijke groet / with kind regards, > Guus Sliepen <guus at tinc-vpn.org> > > _______________________________________________ > tinc mailing list > tinc at tinc-vpn.org > https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc > >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20170913/fdc38c29/attachment-0001.html>
On Wed, Sep 13, 2017 at 08:02:11PM +0100, Etienne Dechamps wrote:> It seems like that kind of problem could be solved by making sure that tinc > continues PINGing over TCP metaconnections even when an UDP tunnel is > established, to keep the metaconnection alive. In fact I was under the > impression that the 1.1 branch already did that or that I had submitted > some code to do that at some point in the past, but it looks like I maybe > be misremembering things.Tinc always sends regular PINGs over its metaconnections, regardless of what happens with UDP. This has been the case at least since 1.0 was released. -- Met vriendelijke groet / with kind regards, Guus Sliepen <guus at tinc-vpn.org> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20170913/46162e60/attachment.sig>
I don't know why, but for my case, I reduced the tinc topology from a complex one(which provide layered redundancy) to a very simpled one(one connection), and that connection drop disappeared. Later, let me draw the topology and share the config to you to see if there's any findings of the cause. Guus Sliepen <guus at tinc-vpn.org>于2017年9月14日 周四上午3:20写道:> On Wed, Sep 13, 2017 at 08:02:11PM +0100, Etienne Dechamps wrote: > > > It seems like that kind of problem could be solved by making sure that > tinc > > continues PINGing over TCP metaconnections even when an UDP tunnel is > > established, to keep the metaconnection alive. In fact I was under the > > impression that the 1.1 branch already did that or that I had submitted > > some code to do that at some point in the past, but it looks like I maybe > > be misremembering things. > > Tinc always sends regular PINGs over its metaconnections, regardless of > what happens with UDP. This has been the case at least since 1.0 was > released. > > -- > Met vriendelijke groet / with kind regards, > Guus Sliepen <guus at tinc-vpn.org> > _______________________________________________ > tinc mailing list > tinc at tinc-vpn.org > https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc >-- Sent from iPhone -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20170913/0bff3542/attachment.html>