
In RHEL 6.1, I'm running 3x VMs and 2x virtual switches as per the following simplified description:

BRIDGES

  • sw-backend
  • sw-dmz

VMs

  • firewall -> eth0: sw-backend and eth1: sw-dmz
  • be-vm -> eth0: sw-backend - default gw is the firewall VM
  • dmz-vm -> eth0: sw-dmz - default gw is the firewall VM

The firewall VM has a rule allowing be-vm to SSH to dmz-vm. I can ping from be-vm to dmz-vm and even establish connections, but no data seems to pass through, i.e.:

be-vm# telnet dmz-vm 22
Trying dmz-vm...
Connected to dmz-vm (x.x.x.x)
Escape character is '^]'.

... and that's as far as it gets.

The reason for the title mentioning changes between RHEL5 and RHEL6 is that these exact VMs and this exact network setup work fine in RHEL 5.7.

Thanks!

Gman
  • have you tried running tcpdump to see where exactly the connection fails? – dyasny Aug 15 '11 at 10:07
  • Yes... you can see the handshake getting established OK, and a few more packets, then you just see the source re-transmitting and not getting anything back. – Gman Aug 15 '11 at 10:35
  • sounds like your firewall rule is one way only, meaning be can send to dmz, but not vice versa. – dyasny Aug 16 '11 at 06:33
  • No, that's not it. Otherwise the connection wouldn't even get established. And it worked fine with RHEL5. Turns out it may have been the virtio driver in RHEL5 with a RHEL6 host. Running with e1000 works, as did CentOS 6. – Gman Aug 24 '11 at 05:21
  • you didn't update the virtio drivers? – dyasny Aug 24 '11 at 05:45
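The tcpdump check suggested in the comments above, worked through as an added example that is not part of the original thread: capture on both interfaces of the forwarding VM (the firewall's eth0 on sw-backend and eth1 on sw-dmz in the question), confirm the three-way handshake completed on each, and then see on which side the payload segments stop appearing. The interface names, the documentation-range addresses and the packet lines are constructed; the parser assumes tcpdump's default TCP line layout with absolute sequence numbers (tcpdump -S).

```python
"""Localize a TCP session that completes its handshake and then stalls (added example)."""
import re
from collections import defaultdict

# Subset of the default tcpdump TCP line layout (run with -S so seq numbers are absolute):
#   HH:MM:SS.us IP a.b.c.d.port > e.f.g.h.port: Flags [P.], seq 1:51, ack 100, win 512, length 50
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*, length (?P<length>\d+)$"
)


def parse(capture):
    """Turn tcpdump text into packet dicts; lines that do not match the layout are skipped."""
    pkts = []
    for line in capture.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        pkts.append({
            "src": f"{d['src']}:{d['sport']}",
            "dst": f"{d['dst']}:{d['dport']}",
            "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "ack": int(d["ack"]) if d["ack"] else None,
            "length": int(d["length"]),
        })
    return pkts


def split_flows(pkts):
    """Group packets by the unordered endpoint pair so both directions land in one flow."""
    flows = defaultdict(list)
    for p in pkts:
        flows[tuple(sorted((p["src"], p["dst"])))].append(p)
    return flows


def analyse_flow(pkts):
    """Handshake state plus, per sending endpoint, payload segments / retransmissions / acked."""
    syn = next((p for p in pkts if "S" in p["flags"] and "." not in p["flags"]), None)
    if syn is None:
        return {"handshake": False, "directions": {}, "verdict": "no SYN seen"}
    client, server = syn["src"], syn["dst"]
    synack = any(p["src"] == server and "S" in p["flags"] and "." in p["flags"] for p in pkts)
    ack3 = any(p["src"] == client and "S" not in p["flags"] and p["ack"] is not None for p in pkts)
    handshake = synack and ack3

    directions = {}
    for sender, receiver in ((client, server), (server, client)):
        data = [p for p in pkts if p["src"] == sender and p["length"] > 0]
        if not data:
            continue
        highest_end = max(p["seq"] + p["length"] for p in data)
        acked = any(p["src"] == receiver and p["ack"] is not None and p["ack"] >= highest_end
                    for p in pkts)
        directions[sender] = {
            "segments": len(data),
            "retransmissions": len(data) - len({p["seq"] for p in data}),  # same seq seen again
            "acked": acked,
        }

    stalled = [s for s, d in directions.items() if d["retransmissions"] > 0 and not d["acked"]]
    if not handshake:
        verdict = "handshake incomplete"
    elif stalled:
        verdict = "stalled after handshake: data from %s retransmitted, never acknowledged" % ", ".join(stalled)
    elif not directions:
        verdict = "handshake only, no payload seen"
    else:
        verdict = "data flowing"
    return {"handshake": handshake, "directions": directions, "verdict": verdict}


def localize(captures):
    """captures maps interface name -> tcpdump text taken at the same time on a forwarding host.
    A sender whose payload shows up at one capture point but not another is lost between them."""
    per_flow = defaultdict(dict)
    for iface, text in captures.items():
        for key, pkts in split_flows(parse(text)).items():
            per_flow[key][iface] = analyse_flow(pkts)
    report = {}
    for key, per_iface in per_flow.items():
        senders = {s for r in per_iface.values() for s in r["directions"]}
        notes = []
        for s in sorted(senders):
            seen = sorted(i for i, r in per_iface.items() if s in r["directions"])
            missing = sorted(set(captures) - set(seen))
            if missing:
                notes.append(f"data from {s} seen on {seen} but not on {missing}: lost between those capture points")
        report[key] = {"per_interface": per_iface, "diagnosis": "; ".join(notes) or "no loss between capture points"}
    return report


BE_VM, DMZ_VM = "192.0.2.10", "198.51.100.10"  # constructed, documentation-range addresses

# Constructed capture on the firewall's backend-facing interface: the handshake and nothing else.
CAPTURE_ETH0 = f"""
10:07:01.000100 IP {BE_VM}.40000 > {DMZ_VM}.22: Flags [S], seq 1000, win 65535, length 0
10:07:01.000300 IP {DMZ_VM}.22 > {BE_VM}.40000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:07:01.000400 IP {BE_VM}.40000 > {DMZ_VM}.22: Flags [.], ack 5001, win 65535, length 0
"""

# Constructed capture on the DMZ-facing interface: the same handshake, then the server's first
# payload segment (an SSH server sends its version banner first) retransmitted without an ACK.
CAPTURE_ETH1 = f"""
10:07:01.000200 IP {BE_VM}.40000 > {DMZ_VM}.22: Flags [S], seq 1000, win 65535, length 0
10:07:01.000250 IP {DMZ_VM}.22 > {BE_VM}.40000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:07:01.000500 IP {BE_VM}.40000 > {DMZ_VM}.22: Flags [.], ack 5001, win 65535, length 0
10:07:01.001000 IP {DMZ_VM}.22 > {BE_VM}.40000: Flags [P.], seq 5001:5022, ack 1001, win 65535, length 21
10:07:01.200000 IP {DMZ_VM}.22 > {BE_VM}.40000: Flags [P.], seq 5001:5022, ack 1001, win 65535, length 21
10:07:01.600000 IP {DMZ_VM}.22 > {BE_VM}.40000: Flags [P.], seq 5001:5022, ack 1001, win 65535, length 21
"""

if __name__ == "__main__":
    for key, r in localize({"eth0": CAPTURE_ETH0, "eth1": CAPTURE_ETH1}).items():
        print(key)
        for iface, res in r["per_interface"].items():
            print(f"  {iface}: {res['verdict']}")
        print("  diagnosis:", r["diagnosis"])
```

Running it on the constructed pair reports the handshake as complete on both interfaces, the DMZ side as stalled with two retransmissions of the server's banner, and the banner as never reaching eth0, which is the pattern to compare against real captures taken on the two bridges: if the segments are present on one side of the forwarding VM and absent on the other, the loss is inside that VM's path (its NIC driver, its netfilter rules or its routing), not on the guests at either end.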

2 Answers


The following guest is a VM acting as a firewall between 2 other guests:

  • RHEL5 guest on RHEL5 host using virtio_net = works fine
  • RHEL5 guest on RHEL6 host using virtio_net = doesn't work 100%: packets get dropped after the TCP handshake between guests
  • RHEL5 guest on RHEL6 host using e1000 = works fine
  • RHEL6 guest on RHEL6 host using virtio_net = works fine

Hope this helps someone. Very odd!!

Gman

"telnet dmz-vm"

is not SSH, per "firewall VM has a rule allowing be-vm to SSH to dmz-vm." Any chance the telnet port 23 is somehow mapped to something else (e.g. SSH)?

user48838
  • Oops. Sorry. I meant telnet dmz-vm 22 :) – Gman Aug 15 '11 at 01:22
  • Why are you telnetting to it regardless? That is probably the proper telnet response, only what may be missing is the version banner, which may or may not display depending on the actual version. – user48838 Aug 15 '11 at 04:11
  • SSH or Telnet both fail. Running 'ssh -v' shows that the connection is established and then it just hangs. I've always been able to telnet to port 22 and see the SSH version banner. – Gman Aug 15 '11 at 05:34
  • Have you been able to verify that the SSH server is actually working? If so, how? – user48838 Aug 15 '11 at 06:33
  • Yes. I can ssh from the firewall-vm to both dmz-vm and be-vm. I just can't SSH from be-vm straight to dmz-vm. I've just set up a CentOS 6 VM exactly the same way the RHEL5 VM was set up and it works fine (same firewall rules and everything), so it looks like something in RHEL5, but I'm not sure what. – Gman Aug 15 '11 at 06:41
  • Any other network applications working correctly while running under RHEL5? – user48838 Aug 15 '11 at 07:12
  • You mean on dmz or be VMs, or the firewall VM? – Gman Aug 15 '11 at 07:21
  • All of the above or at least against the non-working situation/combination. – user48838 Aug 15 '11 at 07:59
  • It's not just SSH if that's what you're referring to. Any apps that try to communicate via the firewall VM to the DMZ do not work with the same symptoms. – Gman Aug 15 '11 at 08:25
  • For testing, is it possible to rebuild another VM instance of the firewall? – user48838 Aug 15 '11 at 09:01
  • I've narrowed it down to being a problem with the virtio_net driver in the RHEL5 firewall VM. I just tried changing it to use e1000 and I can connect fine from the be-vm to dmz-vm. If I use CentOS 6, virtio_net works fine. Yet the RHEL5 guest (firewall VM) using virtio on a RHEL5 host is also fine. Go figure!! – Gman Aug 15 '11 at 09:04
  • Yes. I actually built 2 instances of the firewall. One using CentOS 6 and another using RHEL5. The CentOS 6 VM worked just fine using virtio. The RHEL5 VM had the same problem as the original one, which is good in a way, and the only way around it was to use e1000 instead of virtio. Interesting that the same VM on a RHEL5 host using virtio works... – Gman Aug 15 '11 at 09:06
  • It seems like you found your solution, although not ideal, but it happens. – user48838 Aug 15 '11 at 09:42