[SOLVED] Temporary failure in name resolution

mn234

I am having an extremely weird situation. I recently updated to PVE 9.0.6 and my pfSense to 2.8.1 but I have no idea when this issue began or for what reason because everything was/is working as I expect it except from within the PVE hosts.
  • PVE outbound traffic cannot get past the router or access any network other than within the subnet. I cannot even ping the routers. I can ping other resources on the same subnet.
  • I can access PVE GUI just fine. My PC is on the same subnet
  • VMs don't have any problems and can access traffic past the router (internet, etc)
The error I am getting is "Temporary failure in name resolution".

There are NO firewall rules on this subnet blocking anything. This is my full-access LAN network 192.168.45.0/24. I have made no other changes.

Proof (routers are .2 and .3 because I'm running HA):

IP addresses of the PVE hosts:

192.168.45.15
192.168.45.16
192.168.45.17

My own PC, which is on the same subnet (192.168.45.101) can access everything as normal. It's only the PVE hosts. I did not turn on any PVE firewall or anything.

Here's an example of one of the hosts vmhost6:


DNS server:

All the bond (bond0, bond1) connections are up and functional:

Code:
root@vmhost6:~$ cat /proc/net/bonding/bond1
Ethernet Channel Bonding Driver: v6.14.11-1-pve

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: enlan2 (primary_reselect always)
Currently Active Slave: enlan2
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Peer Notification Delay (ms): 0

Slave Interface: enlan2
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 58:47:ca:7a:f1:d7
Slave queue ID: 0

Slave Interface: enlan4
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 58:47:ca:7a:f1:d8
Slave queue ID: 0

Code:
root@vmhost6:~$ cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v6.14.11-1-pve

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: enlan1 (primary_reselect always)
Currently Active Slave: enlan1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Peer Notification Delay (ms): 0

Slave Interface: enlan1
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 58:47:ca:7a:f1:d6
Slave queue ID: 0

Slave Interface: enlan3
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 58:47:ca:7a:f1:d9
Slave queue ID: 0

cat /etc/resolv.conf

Code:
root@vmhost6:/home/root# cat /etc/resolv.conf
search internal.mydomain.com
nameserver 192.168.45.1

dig google.com

Code:
root@vmhost6:/home/mihai# dig google.com
;; communications error to 192.168.45.1#53: timed out
;; communications error to 192.168.45.1#53: timed out
;; communications error to 192.168.45.1#53: timed out

There are NO hits on the firewall for this traffic, so there should be no reason why this traffic is being timed out.

nslookup google.com (from my own pc, on the same subnet)
Code:
C:\Users\myname>nslookup google.com
Server:  UnKnown
Address:  192.168.45.1

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4009:81a::200e
          142.250.190.14

ip r
Code:
root@vmhost6:/home/mihai# ip r
default via 192.168.45.1 dev vmbr0 proto kernel onlink
192.168.45.0/24 dev vmbr0 proto kernel scope link src 192.168.45.15
192.168.46.0/24 dev bond0 proto kernel scope link src 192.168.46.15
 

So I did a little more pinging around and it looks like whenever I ping ANY resources related to the pfSense routers, it fails, including virtual IPs running HAProxy on pfSense.

I can ping ANY other resources within the same subnet.

I cannot ping any resources outside the subnet.
 
I took a packet capture.

PVE host 192.168.45.15 is trying to ping the main router CARP VIP 192.168.45.1, and it is sending back an ICMP echo reply, but the PVE host is not receiving it somehow.

Code:
02:15:38.504204 IP 192.168.45.15 > 192.168.45.1: ICMP echo request, id 32, seq 1, length 64
02:15:38.504276 IP 192.168.45.1 > 192.168.45.15: ICMP echo reply, id 32, seq 1, length 64
02:15:39.551421 IP 192.168.45.15 > 192.168.45.1: ICMP echo request, id 32, seq 2, length 64
02:15:39.551438 IP 192.168.45.1 > 192.168.45.15: ICMP echo reply, id 32, seq 2, length 64
02:15:40.575608 IP 192.168.45.15 > 192.168.45.1: ICMP echo request, id 32, seq 3, length 64
02:15:40.575641 IP 192.168.45.1 > 192.168.45.15: ICMP echo reply, id 32, seq 3, length 64
02:15:41.599397 IP 192.168.45.15 > 192.168.45.1: ICMP echo request, id 32, seq 4, length 64
02:15:41.599413 IP 192.168.45.1 > 192.168.45.15: ICMP echo reply, id 32, seq 4, length 64
02:15:42.623585 IP 192.168.45.15 > 192.168.45.1: ICMP echo request, id 32, seq 5, length 64
02:15:42.623598 IP 192.168.45.1 > 192.168.45.15: ICMP echo reply, id 32, seq 5, length 64
02:15:43.647518 IP 192.168.45.15 > 192.168.45.1: ICMP echo request, id 32, seq 6, length 64
02:15:43.647548 IP 192.168.45.1 > 192.168.45.15: ICMP echo reply, id 32, seq 6, length 64
02:15:44.672401 IP 192.168.45.15 > 192.168.45.1: ICMP echo request, id 32, seq 7, length 64
02:15:44.672421 IP 192.168.45.1 > 192.168.45.15: ICMP echo reply, id 32, seq 7, length 64
02:15:45.695319 IP 192.168.45.15 > 192.168.45.1: ICMP echo request, id 32, seq 8, length 64
02:15:45.695344 IP 192.168.45.1 > 192.168.45.15: ICMP echo reply, id 32, seq 8, length 64
02:15:46.719863 IP 192.168.45.15 > 192.168.45.1: ICMP echo request, id 32, seq 9, length 64
02:15:46.719876 IP 192.168.45.1 > 192.168.45.15: ICMP echo reply, id 32, seq 9, length 64
 
Solved:


I had reserved a DHCP lease in pfSense for these hosts, even though they also have a static IP.

The MAC address reserved was different than the current virtual bridge so it was breaking network traffic.

I removed all static IP reservations from the DHCP server for the PVE hosts just to be safe.

I used to put them on there to be sure I don't re-use the IP, but I've gotten used to checking in with my Netbox for all of my network configurations.
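
A check for the condition described in the solution above, as an added example that is not part of the original thread: it compares DHCP static mappings against the MAC address of the interface that actually holds each IP, taking `ip -j addr show` output as input. The reservation format, the function names and all MAC addresses are constructed for illustration; the interface names and IPs are the ones shown in the thread.

```python
import json

def norm_mac(mac):
    """Normalise AA-BB-.. or AA:BB:.. to lower-case colon form."""
    return mac.strip().lower().replace("-", ":")

def local_ip_to_mac(ip_json):
    """Map each local IPv4 address to (ifname, MAC) from `ip -j addr show`."""
    table = {}
    for link in json.loads(ip_json):
        mac = link.get("address")
        if not mac:  # some interface types carry no link-layer address
            continue
        for info in link.get("addr_info", []):
            if info.get("family") == "inet":
                table[info["local"]] = (link["ifname"], norm_mac(mac))
    return table

def find_stale_reservations(reservations, ip_json):
    """Return reservations whose MAC differs from the interface using that IP."""
    local = local_ip_to_mac(ip_json)
    stale = []
    for ip, reserved in reservations.items():
        if ip in local and local[ip][1] != norm_mac(reserved):
            ifname, actual = local[ip]
            stale.append({"ip": ip, "ifname": ifname,
                          "reserved": norm_mac(reserved), "actual": actual})
    return stale

# Constructed sample: trimmed `ip -j addr show` output (MACs are made up).
SAMPLE_IP_JSON = json.dumps([
    {"ifname": "vmbr0", "address": "02:00:00:aa:00:15",
     "addr_info": [{"family": "inet", "local": "192.168.45.15", "prefixlen": 24}]},
    {"ifname": "bond0", "address": "02:00:00:bb:00:15",
     "addr_info": [{"family": "inet", "local": "192.168.46.15", "prefixlen": 24}]},
])
# Constructed sample: static mappings as IP -> reserved MAC (hypothetical export).
SAMPLE_RESERVATIONS = {
    "192.168.45.15": "02-00-00-CC-00-15",   # reserved for an older MAC
    "192.168.46.15": "02:00:00:BB:00:15",   # matches bond0
}

if __name__ == "__main__":
    for row in find_stale_reservations(SAMPLE_RESERVATIONS, SAMPLE_IP_JSON):
        print("{ip} on {ifname}: reserved {reserved}, actual {actual}".format(**row))
```

On a real host, pass the output of `ip -j addr show` and the static mappings exported from the DHCP server in place of the constructed samples.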
 
Happy you got it solved.

Maybe adjust the thread-title to reflect the actual NW issue, since in fact it was not "name resolution" related. (Even though; "It's always DNS!").
 
That's the error message I got from PVE. I think it's best to leave it like that for anyone searching online.
 
That's the error message I got from PVE
You did not include what command gave that anyway.

But you did show:
root@vmhost6:/home/mihai# dig google.com
;; communications error to 192.168.45.1#53: timed out
Also, you tested pinging an IP address, which failed.

Your issue had nothing directly to do with DNS.

At the least add to the thread title "Also pinging IP addresses fails".
This will surely help others while searching their similar issue.