Glenn E. Bailey III
2013-Nov-22 17:18 UTC
Dom0 seeing traffic on br0 but it's not routing
Hello,

I've beaten my head against the wall on trying to get bridging working on a new dom0 install. I initially went with CentOS 6 w/Xen 4.2 but figured that the xl toolkit not being fully supported was the issue so I went with SLES 11.3 and I'm having the same issue.

The issue appears to be that bridging isn't fully working as the DomU can't ping anything *other* than the Dom0. When I do a tcpdump on the DomU I can see the correct arp traffic that the Dom0 should be seeing, but I can't ping the gw on that network, again only the Dom0 ip. Also, when I do a tcpdump on the Dom0 I can see the DomU sending arp requests trying to find the gw I'm trying to ping.

Some basic config info:

xen-den:~ # brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0025b50002fb       no              eth0

xen-den:~ # ifconfig # only br0 and eth0
br0       Link encap:Ethernet  HWaddr 00:25:B5:00:02:FB
          inet addr:10.157.209.8  Bcast:10.157.209.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30071 errors:0 dropped:321 overruns:0 frame:0
          TX packets:3250 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1634697 (1.5 Mb)  TX bytes:18920997 (18.0 Mb)

eth0      Link encap:Ethernet  HWaddr 00:25:B5:00:02:FB
          UP BROADCAST RUNNING MULTICAST  MTU:9000  Metric:1
          RX packets:30050 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15647 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2301897 (2.1 Mb)  TX bytes:19801909 (18.8 Mb)

xen-den:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.157.208.1    0.0.0.0         UG    0      0        0 br0
10.157.208.0    *               255.255.254.0   U     0      0        0 br0
loopback        *               255.0.0.0       U     0      0        0 lo

xen-den:~ # grep vif /etc/xen/centos.cfg
vif=["bridge=br0,model=e1000"]

Any ideas?

--
I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhauser gate. All those moments will be lost in time... like tears in rain... Time to die.
On Fri, Nov 22, 2013 at 11:18:01AM -0600, Glenn E. Bailey III wrote:
> Hello,
>
> I've beaten my head against the wall on trying to get bridging working
> on a new dom0 install. I initially went with CentOS 6 w/Xen 4.2 but
> figured that the xl toolkit not being fully supported was the issue so
> I went with SLES 11.3 and I'm having the same issue.
>
> The issue appears to be that bridging isn't fully working as
> the DomU can't ping anything *other* than the Dom0. When I do a
> tcpdump on the DomU I can see the correct arp traffic that the Dom0
> should be seeing, but I can't ping the gw on that network, again only
> the Dom0 ip. Also, when I do a tcpdump on the Dom0 I can see the DomU
> sending arp requests trying to find the gw I'm trying to ping.
>
> Some basic config info:
>
> xen-den:~ # brctl show
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.0025b50002fb       no              eth0
>

Your vif doesn't seem to be on br0? Try brctl addif?

If that works, then you probably need to look at hotplug scripts and figure out why it doesn't work.

Wei.
Glenn E. Bailey III
2013-Nov-22 17:35 UTC
Re: Dom0 seeing traffic on br0 but it's not routing
Sorry,

The DomU wasn't running when I did the brctl:

xen-den:~ # brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0025b50002fb       no              eth0
                                                        vif1.0
                                                        vif1.0-emu

On Fri, Nov 22, 2013 at 11:31 AM, Wei Liu <wei.liu2@citrix.com> wrote:
> On Fri, Nov 22, 2013 at 11:18:01AM -0600, Glenn E. Bailey III wrote:
>> Hello,
>>
>> I've beaten my head against the wall on trying to get bridging working
>> on a new dom0 install. I initially went with CentOS 6 w/Xen 4.2 but
>> figured that the xl toolkit not being fully supported was the issue so
>> I went with SLES 11.3 and I'm having the same issue.
>>
>> The issue appears to be that bridging isn't fully working as
>> the DomU can't ping anything *other* than the Dom0. When I do a
>> tcpdump on the DomU I can see the correct arp traffic that the Dom0
>> should be seeing, but I can't ping the gw on that network, again only
>> the Dom0 ip. Also, when I do a tcpdump on the Dom0 I can see the DomU
>> sending arp requests trying to find the gw I'm trying to ping.
>>
>> Some basic config info:
>>
>> xen-den:~ # brctl show
>> bridge name     bridge id               STP enabled     interfaces
>> br0             8000.0025b50002fb       no              eth0
>>
>
> Your vif doesn't seem to be on br0? Try brctl addif?
>
> If that works, then you probably need to look at hotplug scripts and
> figure out why it doesn't work.
>
> Wei.
Alexandre Kouznetsov
2013-Nov-22 19:04 UTC
Re: Dom0 seeing traffic on br0 but it's not routing
Hello.

On 22/11/13 11:18, Glenn E. Bailey III wrote:
> The issue appears to be that bridging isn't fully working as
> the DomU can't ping anything *other* than the Dom0. When I do a
> tcpdump on the DomU I can see the correct arp traffic that the Dom0
> should be seeing, but I can't ping the gw on that network, again only
> the Dom0 ip. Also, when I do a tcpdump on the Dom0 I can see the DomU
> sending arp requests trying to find the gw I'm trying to ping.

Are you watching Dom0's br0 or eth0?

> Some basic config info:

Seems correct, after your update in reply to Wei Liu. I guess, "1" is the ID of your CentOS guest and vif1.0 and vif1.0-emu are also shown in ifconfig's output.

"vif1.0-emu" is new for me. Are you using HVM or PV DomU? Try dropping "model=e1000" parameter from your vif config, for the sake of simplification.

Do you have any special ipfilter setup on Dom0? DROP policy in FORWARD chain, maybe? Check with "iptables -L -v".

Also, there might be something set wrong on your Ethernet switch, like MAC address blocking. I have faced that on a couple of occasions, they were always a real pain to troubleshoot. The only way I can think of to make sure it's not so, is to clone your DomU's MAC to Dom0's eth0 and try to ping the gateway from Dom0.

Greetings.

--
Alexandre Kouznetsov
Glenn E. Bailey III
2013-Nov-22 20:05 UTC
Re: Dom0 seeing traffic on br0 but it's not routing
Iptables is off, and I've tried dropping the e1000 w/no luck.

You might be on to something w/the switch idea. So are you saying clone Dom0's MAC to DomU's and then see if I can ping the gateway from DomU (You stated Dom0)?

On Fri, Nov 22, 2013 at 1:04 PM, Alexandre Kouznetsov <alk@ondore.com> wrote:
> Hello.
>
> On 22/11/13 11:18, Glenn E. Bailey III wrote:
>
>> The issue appears to be that bridging isn't fully working as
>> the DomU can't ping anything *other* than the Dom0. When I do a
>> tcpdump on the DomU I can see the correct arp traffic that the Dom0
>> should be seeing, but I can't ping the gw on that network, again only
>> the Dom0 ip. Also, when I do a tcpdump on the Dom0 I can see the DomU
>> sending arp requests trying to find the gw I'm trying to ping.
>
> Are you watching Dom0's br0 or eth0?
>
>> Some basic config info:
>
> Seems correct, after your update in reply to Wei Liu.
> I guess, "1" is the ID of your CentOS guest and vif1.0 and vif1.0-emu are
> also shown in ifconfig's output.
>
> "vif1.0-emu" is new for me. Are you using HVM or PV DomU? Try dropping
> "model=e1000" parameter from your vif config, for the sake of simplification.
>
> Do you have any special ipfilter setup on Dom0? DROP policy in FORWARD
> chain, maybe? Check with "iptables -L -v".
>
> Also, there might be something set wrong on your Ethernet switch, like MAC
> address blocking. I have faced that on a couple of occasions, they were always a
> real pain to troubleshoot. The only way I can think of to make sure it's not
> so, is to clone your DomU's MAC to Dom0's eth0 and try to ping the gateway
> from Dom0.
>
> Greetings.
>
> --
> Alexandre Kouznetsov
Alexandre Kouznetsov
2013-Nov-22 21:09 UTC
Re: Dom0 seeing traffic on br0 but it's not routing
On 22/11/13 14:05, Glenn E. Bailey III wrote:
> Iptables is off, and I've tried dropping the e1000 w/no luck.

"off", you mean, "iptables -L -v" displays no rules and the default policy is ACCEPT, right? iptables can't be "off" as is, it's just a tool to control netfilter, which is part of the kernel. It is normally on and permissive by default. By kernel's default, not necessarily by the OS default.

> You might be on to something w/the switch idea. So are you saying
> clone Dom0's MAC to DomU's and then see if I can ping the gateway from
> DomU (You stated Dom0)?

Actually, quite the opposite. I meant to state Dom0.

I'm assuming that the only difference the switch (and rest of your network) can see between traffic from Dom0 and DomU is the MAC address. So, since Dom0 is the one who has a known working configuration, let's see if the change we want to prove or discard as relevant breaks things there. I would take DomU's MAC address, shut down DomU, assign that MAC to Dom0 and see if the rest of your network still wants to play with it. If this breaks the network for Dom0, you will have to talk to your network administrator. If the new MAC works fine, then you'll have to keep troubleshooting.

I guess it's possible to do this from the other end, borrowing dom0's MAC and giving it to DomU, but this will force you to get a new MAC for Dom0 anyway, since they can't share the same physical address. You also can't leave Dom0 without MAC at all. More steps, more complex, more things to keep in mind. Proof of concept tests shall be simple.

My own past experience I have referenced, had to do with VLAN misconfiguration in one case. In other case it was unusually long arp cache (around 4 hours) on a L3 switch (or a more robust router, maybe? it was out of my scope). That one took me days to troubleshoot and blame the network administrator.

BTW, you might consider setting up a fixed MAC address for your DomU.
http://wiki.xen.org/wiki/Xen_Networking#MAC_addresses

Greetings.

--
Alexandre Kouznetsov
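
The two Dom0-side checks raised in this thread, as an added example that is not part of any message in it: whether the guest's vif is a port of br0 (from `brctl show`) and what the FORWARD chain policy is (from `iptables -L -v`). The function names are hypothetical and the sample output is constructed; the parsing assumes the classic `brctl show` and `iptables -L` layouts.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical and the
# sample output below is constructed, modelled on what was posted above.

# bridge_ports BRIDGE: read `brctl show` output on stdin, print BRIDGE's ports.
bridge_ports() {
    awk -v br="$1" '
        NR == 1 { next }                        # column header
        NF >= 3 { cur = $1                      # row that starts a bridge
                  if (cur == br && NF >= 4) print $4
                  next }
        NF == 1 && cur == br { print $1 }       # continuation row: one more port
    '
}

# has_port BRIDGE PORT: succeed if PORT is attached to BRIDGE (exact match).
has_port() {
    bridge_ports "$1" | grep -qxF -- "$2"
}

# forward_policy: read `iptables -L -v` output on stdin, print FORWARD's policy.
forward_policy() {
    awk '$1 == "Chain" && $2 == "FORWARD" { gsub(/[()]/, "", $4); print $4; exit }'
}

BRCTL_DOMU_UP='bridge name     bridge id               STP enabled     interfaces
br0             8000.0025b50002fb       no              eth0
                                                        vif1.0
                                                        vif1.0-emu'
BRCTL_DOMU_DOWN='bridge name     bridge id               STP enabled     interfaces
br0             8000.0025b50002fb       no              eth0'
IPTABLES_DROP='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 12 packets, 1008 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Live use on a Dom0: brctl show | has_port br0 vif1.0
#                     iptables -L -v | forward_policy
for sample in "$BRCTL_DOMU_DOWN" "$BRCTL_DOMU_UP"; do
    if printf '%s\n' "$sample" | has_port br0 vif1.0; then
        echo "vif1.0 is a port of br0"
    else
        echo "vif1.0 is NOT on br0 (guest down, or hotplug script failed)"
    fi
done
echo "FORWARD policy: $(printf '%s\n' "$IPTABLES_DROP" | forward_policy)"
```

The exact-match test in `has_port` keeps `vif1.0` from matching `vif1.0-emu`, which matters for HVM guests where both ports appear.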