Hi,
I have two routers as KVMs (CentOS5) with VLANs on my PVE (v1.7). My LAN is connected to the first router by NIC eth0.11, and I also want to connect PVE as a client to this gateway. So the gateway for PVE is a VM working on this PVE. The gateway on PVE is set via vmbr11. There is a connection. On the VM router there is NAT for PVE, and I have a connection to the Internet on this PVE, except for DNS requests. resolv.conf is OK and PVE is sending requests, but when I capture them on the gateway they look like this:
Code:
172.21.1.10.42503 > dns1.inetia.pl.domain: [bad udp cksum 92af!] 8029+ A? wp.pl. (23)
05:09:50.577472 IP (tos 0x0, ttl 64, id 53374, offset 0, flags [none], proto: UDP (17), length: 51)
Code:
172.21.2.2.elad > dns1.inetia.pl.domain: [udp sum ok] 2+ A? wp.pl. (23)
05:08:07.970854 IP (tos 0x0, ttl 55, id 47714, offset 0, flags [none], proto: UDP (17), length: 206)
The difference is "bad udp cksum". I cannot ping google.com, but I can ping 209.85.148.104 on PVE.
Does anybody know where the problem could be?
Here are my PVE settings:
Code:
vitek:/# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 vmbr0
172.21.0.0      0.0.0.0         255.255.0.0     U     0      0        0 vmbr11
0.0.0.0         172.21.1.1      0.0.0.0         UG    0      0        0 vmbr11
Code:
vitek:/# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::226:b9ff:fe3f:4781/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::226:b9ff:fe3f:4782/64 scope link
       valid_lft forever preferred_lft forever
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.10/24 brd 172.16.1.255 scope global vmbr0
    inet6 fe80::226:b9ff:fe3f:4781/64 scope link
       valid_lft forever preferred_lft forever
5: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::226:b9ff:fe3f:4782/64 scope link
       valid_lft forever preferred_lft forever
6: vmbr11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
    inet 172.21.1.10/16 brd 172.21.255.255 scope global vmbr11
    inet6 fe80::226:b9ff:fe3f:4781/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.11@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::226:b9ff:fe3f:4781/64 scope link
       valid_lft forever preferred_lft forever
8: vmbr22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::226:b9ff:fe3f:4782/64 scope link
       valid_lft forever preferred_lft forever
9: eth1.22@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::226:b9ff:fe3f:4782/64 scope link
       valid_lft forever preferred_lft forever
10: vmbr33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::226:b9ff:fe3f:4781/64 scope link
       valid_lft forever preferred_lft forever
11: eth0.33@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::226:b9ff:fe3f:4781/64 scope link
       valid_lft forever preferred_lft forever
12: vmbr44: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::226:b9ff:fe3f:4782/64 scope link
       valid_lft forever preferred_lft forever
13: eth1.44@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::226:b9ff:fe3f:4782/64 scope link
       valid_lft forever preferred_lft forever
14: vmbr88: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::226:b9ff:fe3f:4781/64 scope link
       valid_lft forever preferred_lft forever
15: eth0.88@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::226:b9ff:fe3f:4781/64 scope link
       valid_lft forever preferred_lft forever
16: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
17: vmtab102i0d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 5e:f0:0c:bd:53:d2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5cf0:cff:febd:53d2/64 scope link
       valid_lft forever preferred_lft forever
18: vmtab102i11d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 52:6a:f0:35:07:34 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::506a:f0ff:fe35:734/64 scope link
       valid_lft forever preferred_lft forever
19: vmtab102i33d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether da:ce:f1:e3:84:e8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::d8ce:f1ff:fee3:84e8/64 scope link
       valid_lft forever preferred_lft forever
20: vmtab101i22d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether fe:3e:85:dc:06:03 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc3e:85ff:fedc:603/64 scope link
       valid_lft forever preferred_lft forever
21: vmtab101i33d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 9e:6f:53:ff:93:b4 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9c6f:53ff:feff:93b4/64 scope link
       valid_lft forever preferred_lft forever
/etc/network/interfaces:
Code:
# network interface settings
auto lo
iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 172.16.1.10
        netmask 255.255.255.0
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

auto vmbr11
iface vmbr11 inet static
        address 172.21.1.10
        netmask 255.255.0.0
        gateway 172.21.1.1
        bridge_ports eth0.11
        bridge_stp off
        bridge_fd 0

auto vmbr22
iface vmbr22 inet manual
        bridge_ports eth1.22
        bridge_stp off
        bridge_fd 0

auto vmbr33
iface vmbr33 inet manual
        bridge_ports eth0.33
        bridge_stp off
        bridge_fd 0

auto vmbr44
iface vmbr44 inet manual
        bridge_ports eth1.44
        bridge_stp off
        bridge_fd 0

auto vmbr88
iface vmbr88 inet manual
        bridge_ports eth0.88
        bridge_stp off
        bridge_fd 0
Edit in 2013:
This problem is still here, even in PVE 2.1. It seems that if the third hop is on a router which is a KVM on the same PVE, something goes wrong with the UDP packet, or more. The effect is this: you can have traffic through two routers on the same PVE from LAN to Internet (2 hops), but when you want to communicate with router2 behind router1 and the packet needs to go back to the LAN through your router1 on this KVM (that's 3 hops), you will lose packets somehow. It's very strange, because ping works, but SSH or WWW doesn't. Tested on different Linux distros as routers.
I will be thankful for suggestions.
Regards,
syd
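For readers comparing the two captures above, this added example (not part of the original post) reproduces the check behind tcpdump's `[udp sum ok]` and `[bad udp cksum]` verdicts: the RFC 768 checksum over the IPv4 pseudo-header plus the UDP segment. The 23-byte `A? wp.pl.` query is constructed to match the capture; the resolver address `192.0.2.53` and the rewritten source `198.51.100.7` are placeholder assumptions.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd length with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over pseudo-header + UDP segment with the checksum field zeroed."""
    # Pseudo-header: source IP, destination IP, zero, protocol 17, UDP length
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 17, len(segment)))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF                     # 0 on the wire means "no checksum"

def classify(src: str, dst: str, segment: bytes) -> str:
    """Return the verdict a capture tool would print for this UDP segment."""
    stored = struct.unpack("!H", segment[6:8])[0]
    if stored == 0:
        return "no cksum"
    return "udp sum ok" if stored == udp_checksum(src, dst, segment) else "bad udp cksum"

def build_dns_query(sport: int, txid: int) -> bytes:
    """Constructed UDP segment carrying a 23-byte DNS query 'A? wp.pl.'."""
    dns = (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
           + b"\x02wp\x02pl\x00" + struct.pack("!HH", 1, 1))
    return struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns

SRC, DST = "172.21.1.10", "192.0.2.53"        # DST is a placeholder resolver
query = build_dns_query(42503, 8029)          # checksum field still zero
good = query[:6] + struct.pack("!H", udp_checksum(SRC, DST, query)) + query[8:]

if __name__ == "__main__":
    print(classify(SRC, DST, good))             # checksum matches the addresses
    # The pseudo-header includes the addresses, so the same bytes seen behind
    # a rewritten source address (as after NAT) no longer verify.
    print(classify("198.51.100.7", DST, good))
    print(classify(SRC, DST, query))            # zero field: sender sent no checksum
```

Because the addresses are part of the checksummed data, a capture point sees `udp sum ok` only if the checksum field was filled in for the addresses the packet carries at that point.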