From: Simon M. <sim...@in...> - 2017-06-20 13:41:33
> Hi,
>
> I used to ping correctly from the shorewall FW to a remote host's IP
> address in a particular zone (CAIB, see below).
>
> Somehow, this ping is failing now, and I don't know if it's a config error
> on my behalf or that the remote host stopped replying.
>
> This is the failing ping performed on $FW:
>
> # ping -I 10.215.246.91 10.215.236.123 -c 1
> PING 10.215.236.123 (10.215.236.123) from 10.215.246.91 : 56(84) bytes of
> data.
>
> --- 10.215.236.123 ping statistics ---
> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
>
> Still on $FW, I can ping the same IP address from a different source IP
> address:
>
> # ping -I 10.215.144.91 10.215.236.123 -c 1
> PING 10.215.236.123 (10.215.236.123) from 10.215.144.91 : 56(84) bytes of
> data.
> 64 bytes from 10.215.236.123: icmp_seq=1 ttl=60 time=2.08 ms
>
> --- 10.215.236.123 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 2.084/2.084/2.084/0.000 ms
>
> I have this in rtrules:
>
> # grep "10.215.232.0/21" rtrules
> 10.215.144.0/23 10.215.232.0/21 IBS 11420
> - 10.215.232.0/21 CAIB 11615
>
> where IBS and CAIB are providers for the same 10.215.232.0/21 network (can
> be used as load-balanced links or failover).
>
> # shorewall show routing | grep 10.215.232.0
> 11420: from 10.215.144.0/23 to 10.215.232.0/21 lookup IBS
> 11615: from all to 10.215.232.0/21 lookup CAIB
>
> Note that pinging 10.215.236.123 from a LAN host with IP address
> 10.215.246.* is successful.
>
> On $FW:
>
> # traceroute -s 10.215.246.91 10.215.236.123
> traceroute to 10.215.236.123 (10.215.236.123), 30 hops max, 60 byte
> packets
>  1 * * *
>  2 * * *
>  3 * * *
>  4 * * *
>  5 * * *
>  6 * * *
>  7 * * *
>  8 * * *
>  9 * * *
> 10 * * *
> 11 * *^C
>
> # traceroute -s 10.215.144.91 10.215.236.123
> traceroute to 10.215.236.123 (10.215.236.123), 30 hops max, 60 byte
> packets
>  1 172.28.17.110 (172.28.17.110) 0.694 ms 1.396 ms 1.408 ms
>  2 10.128.12.0 (10.128.12.0) 2.096 ms 2.558 ms 2.816 ms
>  3 172.20.30.2 (172.20.30.2) 1.770 ms 1.763 ms 1.732 ms
>  4 * * *
>  5 * * *
>  6 * * *
>  7 * * *
>  8 * * *
>  9 *^C
>
> # traceroute -s 172.20.11.62 10.215.236.123
> traceroute to 10.215.236.123 (10.215.236.123), 30 hops max, 60 byte
> packets
>  1 172.20.11.50 (172.20.11.50) 0.518 ms 0.612 ms 0.569 ms
>  2 172.20.4.210 (172.20.4.210) 2.008 ms 2.009 ms 1.966 ms
>  3 10.215.4.242 (10.215.4.242) 6.316 ms 6.314 ms 6.317 ms
>  4 172.20.4.14 (172.20.4.14) 8.094 ms 8.028 ms 8.549 ms^C
>
> I'm attaching a shorewall dump while performing the ping from $FW
> (10.215.246.91) to 10.215.236.123.

Hi Vieri,

Last week you asked the list about a possible arp cache issue. Did you find a solution there or is the issue you report now probably related? Since you didn't let us know what came out last week I'm not sure whether both things are related or not.

Simon
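
Added example, not part of the original thread or of Shorewall: a small Python model of how the two routing rules quoted above select a provider table for each ping source address. It assumes only the two rules shown in the grep output exist and that the first matching rule decides; the function names are hypothetical.

```python
import ipaddress

# The two rules exactly as printed by
# "shorewall show routing | grep 10.215.232.0" in the quoted message.
RULES_TEXT = """\
11420: from 10.215.144.0/23 to 10.215.232.0/21 lookup IBS
11615: from all to 10.215.232.0/21 lookup CAIB
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(value):
    """Turn 'all' or a missing selector into 0.0.0.0/0, else parse the prefix."""
    return ANY if value in (None, "all") else ipaddress.ip_network(value)


def parse_rules(text):
    """Parse 'PRIO: from SRC to DST lookup TABLE' lines, sorted by priority."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prio, rest = line.split(":", 1)
        tokens = rest.split()
        fields = dict(zip(tokens[0::2], tokens[1::2]))  # keyword -> value
        rules.append({
            "priority": int(prio),
            "src": _net(fields.get("from")),
            "dst": _net(fields.get("to")),
            "table": fields["lookup"],
        })
    return sorted(rules, key=lambda r: r["priority"])


def select_table(rules, src, dst):
    """Return (priority, table) of the first rule matching src and dst, or None.

    Assumption: only the listed rules exist. A real kernel also falls through
    to the next rule when the chosen table holds no matching route.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:  # lowest priority number is evaluated first
        if s in rule["src"] and d in rule["dst"]:
            return rule["priority"], rule["table"]
    return None


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for source in ("10.215.246.91", "10.215.144.91"):
        print(source, "->", select_table(rules, source, "10.215.236.123"))
```

Under these two rules the failing source (10.215.246.91) is sent to the CAIB table and the working source (10.215.144.91) to the IBS table, so the two pings do not leave through the same provider.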