
I have created a VM inside a Xen host. By following this guide, I have managed to ping www.google.com, but it only ping-pongs twice before getting Destination Host Unreachable. If I restart the VM, I can again ping twice before failing.

$ ping www.google.com

PING www.google.com (216.58.208.228) 56(84) bytes of data.
64 bytes from par10s22-in-f4.1e100.net (216.58.208.228): icmp_seq=1 ttl=51 time=17.3 ms
64 bytes from par10s22-in-f4.1e100.net (216.58.208.228): icmp_seq=2 ttl=51 time=17.4 ms
From static.12.166.76.144.clients.your-server.de (144.76.166.12): icmp_seq=3 Redirect Host(New nexthop: 144.76.166.1)
64 bytes from 216.58.208.228: icmp_seq=3 ttl=51 time=17.3 ms
From wservervm (144.76.166.25) icmp_seq=4 Destination Host Unreachable
From wservervm (144.76.166.25) icmp_seq=5 Destination Host Unreachable
From wservervm (144.76.166.25) icmp_seq=6 Destination Host Unreachable
From wservervm (144.76.166.25) icmp_seq=7 Destination Host Unreachable
From wservervm (144.76.166.25) icmp_seq=8 Destination Host Unreachable
From wservervm (144.76.166.25) icmp_seq=9 Destination Host Unreachable
From wservervm (144.76.166.25) icmp_seq=10 Destination Host Unreachable
From wservervm (144.76.166.25) icmp_seq=11 Destination Host Unreachable
From wservervm (144.76.166.25) icmp_seq=12 Destination Host Unreachable

The IP of the host (the external one that is used to access the server from outside) is used as the default gateway for the VM. I don't know what other information to give. What could be the reason for this?

The output of arp -n for the guest is:

Address                  HWtype  HWaddress           Flags Mask            Iface
144.76.166.12            ether   d4:3d:7e:ec:ef:f8   C                     eth0
144.76.166.1                     (incomplete)                              eth0

and for the host:

Address                  HWtype  HWaddress           Flags Mask            Iface
144.76.166.27                    (incomplete)                              xenbr0
144.76.166.1             ether   cc:e1:7f:ac:52:96   C                     xenbr0
144.76.166.25            ether   00:16:3e:b0:23:21   C                     xenbr0
144.76.166.28                    (incomplete)                              xenbr0
144.76.166.29                    (incomplete)                              xenbr0

/etc/network/interfaces of the host:

# loopback
auto lo
iface lo inet loopback

# physical network interface
auto  eth0
iface eth0 inet manual

# bridge public
auto xenbr0
iface xenbr0 inet static
  address   144.76.166.12
  netmask   255.255.255.224
  gateway   144.76.166.1
  bridge_ports eth0
  bridge_stp off       # disable Spanning Tree Protocol
  bridge_waitport 0    # no delay unless port available
  bridge_fd 0          # no forwarding delay
# up route add -net 188.40.103.64 netmask 255.255.255.192 gw 188.40.103.65 eth0

# bridge internal
auto xenbr1
iface xenbr1 inet static
  address   10.0.10.1
  broadcast 10.0.10.255
  netmask   255.255.255.0
  pre-up brctl addbr xenbr1

# ipv6
iface eth0 inet6 static
  address 2a01:4f8:200:420b::2
  netmask 64
  gateway fe80::1

brctl show:

bridge name bridge id       STP enabled interfaces
xenbr0      8000.d43d7eeceff8   no      eth0
                            vif6.0
xenbr1      8000.000000000000   no      

I think the main thing to focus on here is that it successfully ping-pongs two times before failing.

  • It seems you have a misconfigured network, probably a wrong gateway IP address. Try setting it to 144.76.166.1. – Diamond Mar 08 '16 at 12:01
  • @bangal There must be more to it than that. If that was the full explanation, the redirect wouldn't break connectivity. – kasperd Mar 08 '16 at 12:10
  • In order to answer this question, I think we are going to need to know the netmask on all three nodes. What is the netmask configured on `144.76.166.25`, `144.76.166.12`, and `144.76.166.1`? – kasperd Mar 08 '16 at 12:13
  • @bangal the main idea is that the host will function like a default gateway for the guests. My server is from Hetzner and I guess their 144.76.166.1 IP is a gateway, but I can only ping it from the host machine (144.76.166.12) and not from the guest. The guests can only communicate between them and with the host, not the default gateway of the subnet. – SteveL Mar 08 '16 at 12:13
  • @kasperd, on *.25 and *.12 the mask is 255.255.255.224; on the *.1 I don't know because I don't have access to the machine. – SteveL Mar 08 '16 at 12:24
  • @SteveL, have you set up the network in the host as mentioned in the docs in `routing mode`? See the part again for the `/etc/xen/xend-config.sxp` config option and check that it is done as required. Also make sure `ip_forward` is enabled. – Diamond Mar 08 '16 at 12:25
  • @SteveL I don't see anything obviously wrong with those netmasks. If the netmask on `144.76.166.1` happens to be `255.255.255.240`, then that might explain the problem. But it is also possible that the netmasks are indeed correct, and the problem is something else. You should include the output of `arp -n` on each host in your question. – kasperd Mar 08 '16 at 12:29
  • @kasperd, I included the arp -n output, it looks normal – SteveL Mar 08 '16 at 12:40
  • @SteveL It appears you included the same output twice rather than including the output from two different hosts. – kasperd Mar 08 '16 at 12:56
  • @kasperd, I only have 1 Xen host and 1 Xen guest; I included their arp. – SteveL Mar 08 '16 at 13:02
  • @SteveL Assuming `xenbr0` is a bridge device, you should include information about that bridge as well. You can include the output of `brctl show` or the equivalent `ip` command. And if you are using `ebtables`, you should also include the output of `ebtables-save`. – kasperd Mar 08 '16 at 13:09
  • @kasperd, I included the /etc/network/interfaces file, which sets up the bridge, and the brctl show output; this comment chain is becoming dangerously long – SteveL Mar 08 '16 at 13:18
  • @SteveL It appears `144.76.166.1` is responding to ARP requests from `144.76.166.12` but not to ARP requests from `144.76.166.25`. You can look at the output of `tcpdump -pni eth0 arp` to confirm. – kasperd Mar 08 '16 at 13:20

2 Answers


You're either routing or bridging when providing access to a domain. It looks like you're attempting to do both at the same time, and chances are that triggers the redirect and indirectly breaks connectivity because of your firewall rules.

Consider the following cases:

  • You do Bridging. Packets are run through the iptables FORWARD chain and delivered directly from your host to the guest, without actual routing. It's important to know that the FORWARD chain applies even for bridging by default. Usually providers will ask you to bind a specific Virtual MAC address for this to work, for security reasons (spoofing et al.).

  • You do Routing. Packets are run through the iptables FORWARD chain and then routed using the kernel routing table to the correct destination. Usually this means you're using addresses of a different subnet or /32 single addresses with routing handled specifically by the provider.

Here, you're doing a bit of both:

  • You have a bridge connecting the DomU to Host's Connection
  • Yet the DomU attempts to route through the Host to reach the provider gateway
  • The provider realizes this, maybe because it doesn't use the indicated Virtual MAC address if you've set one, and sends an ICMP REDIRECT message to notify the guest of what's happening

I'm not sure why this doesn't work exactly, considering ICMP Redirect is disabled on almost all major Linux distributions out of the box, and it should work despite the problems asymmetric routing can bring. This is probably a problem with the provider's gateway being too picky with ARP & MAC changes somehow...

Either way, since your Dom0 and DomU IP addresses are both in the same netmask, you have to do full bridging in your case. Simply correct the gateway address of the DomU to point toward .1, the provider gateway. Don't forget to adjust firewall rules as necessary, as even bridged packets go through the FORWARD chain by default.

Source: I run Xen on a test box that provides access to different domains through NAT'ing, Bridging, and routing depending on domain

  • hi, all the tutorials I found are using the xm toolstack; I can only use xl (xm is not working). The tutorials I saw, since they use xm, change the /etc/xen/xend-config.sxp file to enable routing and disable bridging. The /etc/xen/xl.conf is for xl; should I use the same commands as the xm config to configure the network? – SteveL Mar 09 '16 at 10:04
  • Here the problem is in the DomU, not Xen – Fira Mar 09 '16 at 10:30
  • I was on the edge of jumping out of the window for hours while trying to solve this... in the end we decided to just rent a couple more servers instead of splitting it... your answer was probably correct and the problem was a combination of a picky gateway from the provider and a faulty configuration, since I set up everything according to tutorials that were using xm while I was using xl (I had a bad day...) – SteveL Mar 09 '16 at 19:37

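A small check of the first answer's reasoning against the question's own data, as an added example that is not code from the thread: all three nodes sit in one /27, so a bridged DomU should use the provider gateway .1 rather than the Dom0 .12; the ICMP Redirect in the ping output already names .1; and the guest's `arp -n` never resolves .1 (kasperd's observation). The addresses, netmask, ARP table and ping line are copied from the question; kasperd's /28 hypothesis is checked in the test, and the verdict rules are this example's own.

```python
import ipaddress
import re

# Addresses, netmask, `arp -n` and the ping line are copied from the question.
DOMU_IP, DOM0_IP, PROVIDER_GW = "144.76.166.25", "144.76.166.12", "144.76.166.1"
NETMASK = "255.255.255.224"
DOMU_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
144.76.166.12            ether   d4:3d:7e:ec:ef:f8   C                     eth0
144.76.166.1                     (incomplete)                              eth0
"""
PING_LINE = ("From static.12.166.76.144.clients.your-server.de (144.76.166.12): "
             "icmp_seq=3 Redirect Host(New nexthop: 144.76.166.1)")

def same_subnet(ip_a, ip_b, netmask):
    """True when ip_b lies inside the network defined by ip_a/netmask."""
    net = ipaddress.ip_network(f"{ip_a}/{netmask}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def gateway_mode(domu_ip, dom0_ip, provider_gw, netmask):
    """Pick bridging (DomU gateway = provider gateway) when all three nodes
    share the subnet, else routing (DomU gateway = Dom0). Returns (mode, gw)."""
    if same_subnet(domu_ip, provider_gw, netmask) and same_subnet(domu_ip, dom0_ip, netmask):
        return "bridging", provider_gw
    return "routing", dom0_ip

def arp_resolved(arp_output, ip):
    """True if `arp -n` shows a MAC for ip; False if missing or (incomplete)."""
    for line in arp_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if fields and fields[0] == ip:
            return "(incomplete)" not in line
    return False

def redirect_nexthop(ping_line):
    """Gateway named by an ICMP Redirect in a ping output line, or None."""
    m = re.search(r"Redirect Host\(New nexthop: ([\d.]+)\)", ping_line)
    return m.group(1) if m else None

def diagnose(configured_gw):
    """Findings for a DomU whose default gateway is configured_gw."""
    mode, expected_gw = gateway_mode(DOMU_IP, DOM0_IP, PROVIDER_GW, NETMASK)
    findings = []
    if configured_gw != expected_gw:
        findings.append(f"{mode}: DomU gateway should be {expected_gw}, not {configured_gw}")
    if redirect_nexthop(PING_LINE) == expected_gw:
        findings.append(f"ICMP Redirect already names {expected_gw} as next hop")
    if not arp_resolved(DOMU_ARP, expected_gw):
        findings.append(f"no ARP entry for {expected_gw} on DomU; check: tcpdump -pni eth0 arp")
    return findings
```

Running `diagnose("144.76.166.12")` reproduces the question's situation and reports all three findings; even with the gateway corrected to .1 the incomplete ARP entry remains, which is what the `tcpdump -pni eth0 arp` suggestion in the comments would confirm.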

It looks like your firewall is blocking the connection.

Try turning the firewall off (temporarily) then try pinging again and see if it does it more than twice.

  • networking is not my thing, I guess iptables -L should print all the firewall rules, right? Right now it has accept for everything – SteveL Mar 08 '16 at 11:54