Problem accessing some websites
Guillaume CHARDIN
Three weeks ago I had a debian 4 on my network acting as a gateway
with ppp/pppoe. I install from scratch a new debian 5 on this computer
last week.
Since, I experience problem accessing some websites with a timeout for
error, or the browser (firefox or ie) indefinitely load the page and
never display it.
First i re-install from scratch the debian thinking it could be an
installation problem. But problem persist.
Then, I do some search on web and different list and I found i could
be a MTU related problem, so i try different configuration in my ppp
"dsl-provider" file but nothing good happen. I disable iptables on the
box and nothing better too.
Unfortunately, my adsl modem was destroyed last week and I buy a new
one and then the same problem happen.
When I use another router or another computer (winXP) to establish the
pppoe session it works fine for all websites...
Someone have any idea on whats going on ?
Thanks for your help
--
Guillaume
--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Guillaume CHARDIN
> Guillaume CHARDIN escreveu:
> Maybe DNS? :)
> Try a different server and let us know.
>
DNS resolution works fine on all computers (i can get ip address of
all host i ping) i use the dns provided by my ISP. Anyway, i used
change them to openDNS one, but still not working.
Leandro Quibem Magnabosco
> Hi,
>
> Three weeks ago I had a debian 4 on my network acting as a gateway
> with ppp/pppoe. I install from scratch a new debian 5 on this computer
> last week.
> Since, I experience problem accessing some websites with a timeout for
> error, or the browser (firefox or ie) indefinitely load the page and
> never display it.
>
> First i re-install from scratch the debian thinking it could be an
> installation problem. But problem persist.
> Then, I do some search on web and different list and I found i could
> be a MTU related problem, so i try different configuration in my ppp
> "dsl-provider" file but nothing good happen. I disable iptables on the
> box and nothing better too.
>
> Unfortunately, my adsl modem was destroyed last week and I buy a new
> one and then the same problem happen.
> When I use another router or another computer (winXP) to establish the
> pppoe session it works fine for all websites...
>
> Someone have any idea on whats going on ?
>
> Thanks for your help
>
>
Maybe DNS? :)
Try a different server and let us know.
Alex Samad
> Hi,
[snip]
> Then, I do some search on web and different list and I found i could
> be a MTU related problem, so i try different configuration in my ppp
> "dsl-provider" file but nothing good happen. I disable iptables on the
> box and nothing better too.
It still sounds like a mtu problem, what exactly did you do to fix the
mtu problem
>
> Unfortunately, my adsl modem was destroyed last week and I buy a new
> one and then the same problem happen.
> When I use another router or another computer (winXP) to establish the
> pppoe session it works fine for all websites...
so when you browse from the linux computer running pppoe you have
problems ? or only when you have a computer behind it.
>
> Someone have any idea on whats going on ?
>
> Thanks for your help
>
--
In 1869 the waffle iron was invented for people who had wrinkled waffles.
Guillaume CHARDIN
> On Wed, Nov 25, 2009 at 08:03:52PM +0100, Guillaume CHARDIN wrote:
>> Hi,
> [snip]
> problems ? or only when you have a computer behind it.
I don't have any graphical ui on the linux box but a `wget
website.domain` is endless.
To fix mtu problem, i edit the /etc/ppp/peer/dsl-provider and modify the line :
mtu 1492
to
mtu 1450 (i tried many value between 1450-1400)
the disconnect/reconnect.
I tried to set it to another value with the ifconfig command too.
And I found on an internal windows station a max mtu size of 1463
(with ping -l 1463 -f)
For information, the MTU discovery is set on iptable on the debian gateway :
#iptables -t mangle -L
[...]
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp
flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
Thanks for your help
--
Alex Samad
> 2009/11/25 Alex Samad <al...@samad.com.au>:
> > On Wed, Nov 25, 2009 at 08:03:52PM +0100, Guillaume CHARDIN wrote:
> >> Hi,
> > [snip]
> > so when you browse from the linux computer running pppoe you have
> > problems ? or only when you have a computer behind it.
>
> I don't have any graphical ui on the linux box but a `wget
> website.domain` is endless.
>
> To fix mtu problem, i edit the /etc/ppp/peer/dsl-provider and modify the line :
> mtu 1492
> to
> mtu 1450 (i tried many value between 1450-1400)
> the disconnect/reconnect.
> I tried to set it to another value with the ifconfig command too.
>
> And I found on an internal windows station a max mtu size of 1463
> (with ping -l 1463 -f)
>
> For information, the MTU discovery is set on iptable on the debian gateway :
> #iptables -t mangle -L
> [...]
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> TCPMSS tcp -- anywhere anywhere tcp
> flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
Great thats about all the things I would have checked as well.
you can test from linux itself with ping -M do -s <packet size> -c 10
<dest ip>
I would try using the ping above to find the max mtu size to say
your isp dns or proxy.
then try it to the sites you can't always get to
>
> Thanks for your help
--
"But all in all, it's been a fabulous year for Laura and me."
- George W. Bush
12/20/2001
Washington, DC
summing up his first year in office, three months after the 9/11 attacks
Guillaume CHARDIN
>
> you can test from linux itself with ping -M do -s <packet size> -c 10
> <dest ip>
>
> I would try using the ping above to find the max mtu size to say
> your isp dns or proxy.
>
> then try it to the sites you can't always get to
>
>
I do the same test on the gateway and on windows clients below the results :
Linux debian 5
ping -M do -s 1465 -c 10 86.64.145.147
PING 86.64.145.147 (86.64.145.147) 1465(1493) bytes of data.
>From 86.77.213.79 icmp_seq=1 Frag needed and DF set (mtu = 1492)
ping -M do -s 1464 -c 10 86.64.145.147
PING 86.64.145.147 (86.64.145.147) 1464(1492) bytes of data.
1472 bytes from 86.64.145.147: icmp_seq=1 ttl=56 time=56.0 ms
--> So mtu is 1464 (+8 ?)
on windows :
ping -l 1464 -f 86.64.145.147
Envoi d'une requête 'ping' sur 86.64.145.147 avec 1464 octets de données :
Réponse de 86.64.145.147 : octets=1464 temps=54 ms TTL=55
ping -l 1465 -f 86.64.145.147
Envoi d'une requête 'ping' sur 86.64.145.147 avec 1465 octets de données :
Le paquet doit être fragmenté mais paramétré DF.
--> Same MTU 1464
Same thing on the websites i cannot access
Haha, this issue is starting to make me crazy !
Alex Samad
okay for something silly try setting the mtu to 1400 in pppoe.
check to make sure it is being set so in another window
tcpdump -pni ppp0 host <ip address of the site in question>
other window
wget <ip address of the site in question>
you can see the size being set in tcpdump.
if it still stalls after setting to 1400, try something smaller 900 -
just to make sure we are on the right track.
Alex
--
"You never know what your history is going to be like until long after you're gone."
- George W. Bush
05/05/2006
Washington, DC
Guillaume CHARDIN
>
> you can see the size being set in tcpdump.
>
> if it still stalls after setting to 1400, try something smaller 900 -
> just to make sure we are on the right track.
>
> Alex
>
>
a) tcpdump in non promiscous mode and try to contact via wget
www.microsoft.com with a mtu set to 1400 : segment size is regulated
to 1360 so under the value
b) tcpdump in promiscous mode try to contact via wget
www.microsoft.com from win station same max mtu size : segment size is
regulated to 1360 so under the value
c) same as (a) but with a mtu of 1000 : packet size is maximized to 960...
d same as (b) but with mtu of 1000 : packet size is maximized to 960...
a)
# tcpdump -pni ppp0 host www.microsoft.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
22:16:31.535269 IP 86.69.85.63.49104 > 207.46.19.190.80: S
1429337682:1429337682(0) win 5440 <mss 1360,sackOK,timestamp 24647950
0,nop,wscale 1>
22:16:34.535269 IP 86.69.85.63.49104 > 207.46.19.190.80: S
1429337682:1429337682(0) win 5440 <mss 1360,sackOK,timestamp 24648700
0,nop,wscale 1>
b)
tcpdump -ni ppp0 host www.microsoft.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
22:21:24.527269 IP 86.69.85.63.3183 > 207.46.192.254.80: S
824552434:824552434(0) win 65535 <mss 1360,nop,nop,sackOK>
c)
tcpdump -pni ppp0 host www.microsoft.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
22:58:39.003269 IP 86.77.213.79.55709 > 207.46.19.190.80: S
2417518931:2417518931(0) win 3840 <mss 960,sackOK,timestamp 25279817
0,nop,wscale 1>
d)
tcpdump -ni ppp0 host www.microsoft.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
23:01:13.539269 IP 86.77.213.79.3433 > 65.55.21.250.80: S
1538952923:1538952923(0) win 65535 <mss 960,nop,nop,sackOK>
Ok so maybe its not mtu related ?! no ? what do you think about that Alex ?
Guillaume CHARDIN
I've just forgot to tell you the system was running on Xen. Really big
mistake sorry :)
I configure on my dom0 the pppoe connection and it works fine. All
wget on all websites where i have access problem works fines. It
looks like I have some packet lost between dom0 and my firewall
(inside domU).
here is the "brctl show" command if someone saw something strange, tell me.
# brctl show
bridge name bridge id STP enabled interfaces
brdmz 8000.00163e3a45d7 no veth0
vif1.0
vif3.0
vif30.1
vif4.0
brlocal 8000.00163579dcc3 no eth0
vif30.0
brnet 8000.000000000000 no
These bridges are defined by this startup script :
modprobe netloop nloopbacks=2
brctl addbr brlocal
brctl addbr brdmz
brctl addbr brnet
ip link set eth0 down
ip link set veth0 down
ip addr flush dev eth0
ip addr flush dev veth0
ip link set addr 00:16:3e:3a:45:d7 dev veth0
brctl addif brlocal eth0
brctl addif brdmz veth0
ip addr add 192.168.100.1/24 broadcast 192.168.100.255 dev brlocal
ip addr add 10.0.0.1/8 broadcast 10.255.255.255 dev brdmz
ip link set eth0 arp off
ip link set eth0 multicast off
ip link set veth0 arp off
ip link set veth0 multicast off
ip link set brlocal up
ip link set brdmz up
ip link set eth0 up
ip link set veth0 up
* brnet is not actually used
* the pppoe connection is done by this way : firewall (eth1)
--xen_bridged_to--> Dom0 (eth0) --manually-bridged-to--> physical
interface
* others vm can access this physical interface. Shutting down these
vm do not correct problem.
Thanks for your time.
Guillaume CHARDIN
sysctl -w "net.bridge.bridge-nf-call-iptables=0"
So netfilter on dom0 is the source of the problem... But i don't know
why just on some service/websites.