GRE problem

GRE problem

[Marcin Giedz]

Hello all,

I've posted this message on several news groups without any results, maybe 
here someone can help me...

I still have problem with GRE through Linux router and Win2k clients but
additional information have occured. Let's start from the beginning:

My subnet is as follows:
192.168.49.0 ----- linux router ------ 172.19.1.0 ------> Win2k clients

When first client is trying to connect to VPN server out side our office all
packets are sent through "linux router". When he finishes the connection
and second client wants to make a new connection no GRE packets are sent
through router. If I down and up interfaces on "linux router" everything
works OK as earlier - GRE packets are transmitted through router. If I
don't down and up interfaces but wait eg. for next day everything also
works OK. It seems for me that some "timeout" variable is set on my linux
router but I didn't set anything. 

Can you tell me where I can change this "timeout" on my router? For me it
should stay in /proc/xxxx? but what next?

Thanks,
Marcin

Re: GRE problem

[Marcin Giedz]

Dnia czwartek, 13 stycznia 2005 12:33, Craig Steadman napisa³:
> Hi Marcin
>
> Sounds like an issue with the nic drivers.  Check if there are any
> updates ... failing that try some intel nics which are well supported.
I use e1000 from kernel. Guys from my VPN support told about some /proc/xxxx 
changes but they really didn't know where exactly should I change it.

> Also check your /proc/sys/net/ipv4/ip_forward is "1".
It's set.

> Does this problem only effect GRE traffic ?
Yes only GRE

Thx
Marcin

>
> Cheers
>    Craig
>
> On Thu, 2005-01-13 at 10:13 +0100, Marcin Giedz wrote:
> > Hello all,
> >
> > I've posted this message on several news groups without any results,
> > maybe here someone can help me...
> >
> > I still have problem with GRE through Linux router and Win2k clients but
> > additional information have occured. Let's start from the beginning:
> >
> > My subnet is as follows:
> > 192.168.49.0 ----- linux router ------ 172.19.1.0 ------> Win2k clients
> >
> > When first client is trying to connect to VPN server out side our office
> > all packets are sent through "linux router". When he finishes the
> > connection and second client wants to make a new connection no GRE
> > packets are sent through router. If I down and up interfaces on "linux
> > router" everything works OK as earlier - GRE packets are transmitted
> > through router. If I don't down and up interfaces but wait eg. for next
> > day everything also works OK. It seems for me that some "timeout"
> > variable is set on my linux router but I didn't set anything.
> >
> > Can you tell me where I can change this "timeout" on my router? For me it
> > should stay in /proc/xxxx? but what next?
> >
> > Thanks,
> > Marcin

Re: GRE problem

[Les Mikesell]

On Thu, 2005-01-13 at 03:13, Marcin Giedz wrote:

> When first client is trying to connect to VPN server out side our office all
> packets are sent through "linux router". When he finishes the connection
> and second client wants to make a new connection no GRE packets are sent
> through router. If I down and up interfaces on "linux router" everything
> works OK as earlier - GRE packets are transmitted through router. If I
> don't down and up interfaces but wait eg. for next day everything also
> works OK. It seems for me that some "timeout" variable is set on my linux
> router but I didn't set anything. 

Is NAT involved here?  I have a similar problem where a GRE
connection goes out the wrong interface as the gateway starts
up, getting a NAT association in ip_conntrack and the NAT
never goes away after the correct interface and route come
up.  I think you need to get rid of the /proc/net/ip_conntrack
entry but there is no mechanism to do this.

-- 
  Les Mikesell
   les@futuresource.com

Re: GRE problem

[Marcin Giedz]

U¿ytkownik Les Mikesell napisa³:

>On Thu, 2005-01-13 at 03:13, Marcin Giedz wrote:
>
>  
>
>>When first client is trying to connect to VPN server out side our office all
>>packets are sent through "linux router". When he finishes the connection
>>and second client wants to make a new connection no GRE packets are sent
>>through router. If I down and up interfaces on "linux router" everything
>>works OK as earlier - GRE packets are transmitted through router. If I
>>don't down and up interfaces but wait eg. for next day everything also
>>works OK. It seems for me that some "timeout" variable is set on my linux
>>router but I didn't set anything. 
>>    
>>
>
>Is NAT involved here?  
>
Yes it is

>I have a similar problem where a GRE
>connection goes out the wrong interface as the gateway starts
>up, getting a NAT association in ip_conntrack and the NAT
>never goes away after the correct interface and route come
>up.  
>
Seems similar ;)

>I think you need to get rid of the /proc/net/ip_conntrack
>entry but there is no mechanism to do this.
>
>  
>
So how this is removed from ip_conntrack after some period of time?. As
I said before, on a next day all GRE packets are transimited through
router, thence it seems that there is some "TTL" on "these" packets.

BR,
Marcin

Re: GRE problem

[Les Mikesell]

On Thu, 2005-01-13 at 15:10, Marcin Giedz wrote:

> >I think you need to get rid of the /proc/net/ip_conntrack
> >entry but there is no mechanism to do this.
> >
> >
> So how this is removed from ip_conntrack after some period of time?. As 
> I said before, on a next day all GRE packets are transimited through 
> router, thence it seems that there is some "TTL" on "these" packets.

There is some kind of timeout on the conntrack entries and I assume
each protocol (tcp/udp/icmp/gre) has its own value.  In my case it
never does work because the source never stops sending and even though
it is doing the wrong thing applying the NAT it keeps the timeout
from expiring.

-- 
  Les Mikesell
   les@futuresource.com