From: David Ahern <dsahern@gmail.com>
To: "Bartschies, Thomas" <Thomas.Bartschies@cvk.de>,
"'netdev@vger.kernel.org'" <netdev@vger.kernel.org>
Subject: Re: big ICMP requests get disrupted on IPSec tunnel activation
Date: Fri, 13 Sep 2019 11:13:27 -0600 [thread overview]
Message-ID: <d0c8ebbb-3ed3-296f-d84a-6f88e641b404@gmail.com> (raw)
In-Reply-To: <EB8510AA7A943D43916A72C9B8F4181F629D9741@cvk038.intra.cvk.de>
On 9/13/19 9:59 AM, Bartschies, Thomas wrote:
> Hello together,
>
> since kenel 4.20 we're observing a strange behaviour when sending big ICMP packets. An example is a packet size of 3000 bytes.
> The packets should be forwarded by a linux gateway (firewall) having multiple interfaces also acting as a vpn gateway.
>
> Test steps:
> 1. Disabled all iptables rules
> 2. Enabled the VPN IPSec Policies.
> 3. Start a ping with packet size (e.g. 3000 bytes) from a client in the DMZ passing the machine targeting another LAN machine
> 4. Ping works
> 5. Enable a VPN policy by sending pings from the gateway to a tunnel target. System tries to create the tunnel
> 6. Ping from 3. immediately stalls. No error messages. Just stops.
> 7. Stop Ping from 3. Start another without packet size parameter. Stalls also.
>
> Result:
> Connections from the client to other services on the LAN machine still work. Tracepath works. Only ICMP requests do not pass
> the gateway anymore. tcpdump sees them on incoming interface, but not on the outgoing LAN interface. IMCP requests to any
> other target IP address in LAN still work. Until one uses a bigger packet size. Then these alternative connections stall also.
>
> Flushing the policy table has no effect. Flushing the conntrack table has no effect. Setting rp_filter to loose (2) has no effect.
> Flush the route cache has no effect.
>
> Only a reboot of the gateway restores normal behavior.
>
> What can be the cause? Is this a networking bug?
>
some of these most likely will fail due to other reasons, but can you
run 'tools/testing/selftests/net/pmtu.sh'[1] on 4.19 and then 4.20 and
compare results. Hopefully it will shed some light on the problem and
can be used to bisect to a commit that caused the regression.
[1]
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/testing/selftests/net/pmtu.sh
next prev parent reply other threads:[~2019-09-13 17:13 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-13 8:59 big ICMP requests get disrupted on IPSec tunnel activation Bartschies, Thomas
2019-09-13 17:13 ` David Ahern [this message]
2019-09-17 7:28 ` AW: " Bartschies, Thomas
2019-10-14 14:02 ` Bartschies, Thomas
2019-10-14 15:31 ` Eric Dumazet
2019-10-15 10:11 ` AW: " Bartschies, Thomas
-- strict thread matches above, loose matches on Subject: below --
2019-10-16 12:57 Bartschies, Thomas
2019-10-16 15:31 ` Eric Dumazet
2019-10-16 15:40 ` Eric Dumazet
2019-10-17 4:44 Bartschies, Thomas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d0c8ebbb-3ed3-296f-d84a-6f88e641b404@gmail.com \
--to=dsahern@gmail.com \
--cc=Thomas.Bartschies@cvk.de \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).