Yet another weird cnx issue to a VM

stefws

Got a PVE FWed VM that's only randomly letting me connect to its port 443 from the same allowed source; cannot figure out why it's not stable.

PVE is latest 4.2.15, pve-kernel 4.4.10-1, and the VM is running CentOS 6.8 with no iptables/selinux, virtio net driver, no packet loss seen in the VM.

Code:
# netstat -Ieth1
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth1       9000   0   154396      0      0      0    71130      0      0      0 BMRU

Code:
proxmox-ve: 4.2-54 (running kernel: 4.4.10-1-pve)
pve-manager: 4.2-15 (running version: 4.2-15/6669ad2c)
pve-kernel-4.4.10-1-pve: 4.4.10-54
lvm2: 2.02.116-pve2
corosync-pve: 2.3.5-2
libqb0: 1.0-1
pve-cluster: 4.0-42
qemu-server: 4.0-81
pve-firmware: 1.1-8
libpve-common-perl: 4.0-68
libpve-access-control: 4.0-16
libpve-storage-perl: 4.0-55
pve-libspice-server1: 0.12.5-2
vncterm: 1.2-1
pve-qemu-kvm: 2.5-19
pve-container: 1.0-68
pve-firewall: 2.0-29
pve-ha-manager: 1.0-32
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u2
lxc-pve: 1.1.5-7
lxcfs: 2.0.0-pve2
cgmanager: 0.39-pve1
criu: 1.6.0-1
zfsutils: 0.6.5-pve9~jessie
openvswitch-switch: 2.5.0-1

This is a tcpdump from inside the VM when attempting multiple connects to its port 443 from the same source:

Code:
15:43:44.387214 IP <redacted src ip>.24181 > <VM dest ip>.https: Flags [S], seq 3176850630, win 27320, options [mss 1366,sackOK,TS val 10219482 ecr 0,nop,wscale 7], length 0
15:43:44.387467 IP <redacted src ip>.24182 > <VM dest ip>.https: Flags [S], seq 1008473592, win 27320, options [mss 1366,sackOK,TS val 10219482 ecr 0,nop,wscale 7], length 0
15:43:44.387673 IP <redacted src ip>.24183 > <VM dest ip>.https: Flags [S], seq 2096917096, win 27320, options [mss 1366,sackOK,TS val 10219482 ecr 0,nop,wscale 7], length 0
15:43:44.387861 IP <redacted src ip>.24184 > <VM dest ip>.https: Flags [S], seq 3658194134, win 27320, options [mss 1366,sackOK,TS val 10219482 ecr 0,nop,wscale 7], length 0
15:43:44.388073 IP <redacted src ip>.24185 > <VM dest ip>.https: Flags [S], seq 3871812358, win 27320, options [mss 1366,sackOK,TS val 10219482 ecr 0,nop,wscale 7], length 0
15:43:44.389757 IP <redacted src ip>.24186 > <VM dest ip>.https: Flags [S], seq 3980983295, win 27320, options [mss 1366,sackOK,TS val 10219482 ecr 0,nop,wscale 7], length 0
15:43:45.388803 IP <redacted src ip>.24181 > <VM dest ip>.https: Flags [S], seq 3176850630, win 27320, options [mss 1366,sackOK,TS val 10220484 ecr 0,nop,wscale 7], length 0
15:43:45.388937 IP <redacted src ip>.24182 > <VM dest ip>.https: Flags [S], seq 1008473592, win 27320, options [mss 1366,sackOK,TS val 10220484 ecr 0,nop,wscale 7], length 0
15:43:45.388982 IP <redacted src ip>.24183 > <VM dest ip>.https: Flags [S], seq 2096917096, win 27320, options [mss 1366,sackOK,TS val 10220484 ecr 0,nop,wscale 7], length 0
15:43:45.389101 IP <redacted src ip>.24184 > <VM dest ip>.https: Flags [S], seq 3658194134, win 27320, options [mss 1366,sackOK,TS val 10220484 ecr 0,nop,wscale 7], length 0
15:43:45.389238 IP <redacted src ip>.24185 > <VM dest ip>.https: Flags [S], seq 3871812358, win 27320, options [mss 1366,sackOK,TS val 10220484 ecr 0,nop,wscale 7], length 0
15:43:45.390908 IP <redacted src ip>.24186 > <VM dest ip>.https: Flags [S], seq 3980983295, win 27320, options [mss 1366,sackOK,TS val 10220484 ecr 0,nop,wscale 7], length 0
15:43:47.392502 IP <redacted src ip>.24181 > <VM dest ip>.https: Flags [S], seq 3176850630, win 27320, options [mss 1366,sackOK,TS val 10222488 ecr 0,nop,wscale 7], length 0
15:43:47.392523 IP <redacted src ip>.24182 > <VM dest ip>.https: Flags [S], seq 1008473592, win 27320, options [mss 1366,sackOK,TS val 10222488 ecr 0,nop,wscale 7], length 0
15:43:47.392575 IP <redacted src ip>.24183 > <VM dest ip>.https: Flags [S], seq 2096917096, win 27320, options [mss 1366,sackOK,TS val 10222488 ecr 0,nop,wscale 7], length 0
15:43:47.392611 IP <redacted src ip>.24184 > <VM dest ip>.https: Flags [S], seq 3658194134, win 27320, options [mss 1366,sackOK,TS val 10222488 ecr 0,nop,wscale 7], length 0
15:43:47.392614 IP <redacted src ip>.24185 > <VM dest ip>.https: Flags [S], seq 3871812358, win 27320, options [mss 1366,sackOK,TS val 10222488 ecr 0,nop,wscale 7], length 0
15:43:47.394737 IP <redacted src ip>.24186 > <VM dest ip>.https: Flags [S], seq 3980983295, win 27320, options [mss 1366,sackOK,TS val 10222488 ecr 0,nop,wscale 7], length 0
15:43:48.221137 IP <redacted src ip>.24268 > <VM dest ip>.https: Flags [S], seq 2578854390, win 65535, options [mss 1359,nop,wscale 5,nop,nop,TS val 2101129584 ecr 0,sackOK,eol], length 0
15:43:48.221176 IP <VM dest ip>.https > <redacted src ip>.24268: Flags [S.], seq 2601881039, ack 2578854391, win 26844, options [mss 8960,sackOK,TS val 87743794 ecr 2101129584,nop,wscale 7], length 0
15:43:48.228653 IP <redacted src ip>.24268 > <VM dest ip>.https: Flags [.], ack 1, win 4125, options [nop,nop,TS val 2101129593 ecr 87743794], length 0
15:43:48.229575 IP <redacted src ip>.24268 > <VM dest ip>.https: Flags [P.], seq 1:224, ack 1, win 4125, options [nop,nop,TS val 2101129593 ecr 87743794], length 223
15:43:48.229607 IP <VM dest ip>.https > <redacted src ip>.24268: Flags [.], ack 224, win 219, options [nop,nop,TS val 87743803 ecr 2101129593], length 0
15:43:48.230110 IP <VM dest ip>.https > <redacted src ip>.24268: Flags [P.], seq 1:836, ack 224, win 219, options [nop,nop,TS val 87743803 ecr 2101129593], length 835
15:43:48.238116 IP <redacted src ip>.24268 > <VM dest ip>.https: Flags [.], ack 836, win 4099, options [nop,nop,TS val 2101129600 ecr 87743803], length 0
15:43:48.239302 IP <redacted src ip>.24268 > <VM dest ip>.https: Flags [P.], seq 224:491, ack 836, win 4099, options [nop,nop,TS val 2101129602 ecr 87743803], length 267
15:43:48.239397 IP <redacted src ip>.24268 > <VM dest ip>.https: Flags [P.], seq 491:497, ack 836, win 4099, options [nop,nop,TS val 2101129602 ecr 87743803], length 6
15:43:48.239517 IP <redacted src ip>.24268 > <VM dest ip>.https: Flags [P.], seq 497:542, ack 836, win 4099, options [nop,nop,TS val 2101129602 ecr 87743803], length 45

Any hints appreciated, TIA!
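The capture above shows two very different outcomes for the same source: client ports 24181 to 24186 send a SYN, retransmit it after about 1 s and again after about 3 s, and never get a SYN-ACK, while port 24268 completes the handshake immediately. The script below is an added example (not code from the original post or from Proxmox) that parses tcpdump's default one-line-per-packet output and separates completed handshakes from stalled ones, so the pattern can be checked mechanically on a longer capture. The sample lines, IP addresses, and the function names are constructed for this example.

```python
"""Classify TCP handshakes in a tcpdump text capture as completed or stalled.

Added example, not from the forum post.  It reads the one-line-per-packet
format tcpdump prints by default and groups packets by client (ip, port) ->
server (ip, port).  A flow whose SYN is retransmitted and never answered by a
SYN-ACK is exactly what a silently dropped or unanswered connection attempt
looks like from inside the guest.
"""
import re
from collections import defaultdict

# Constructed sample capture modelled on the thread's tcpdump output.  The
# addresses, timestamps and sequence numbers are made up for this example.
SAMPLE_CAPTURE = """\
15:43:44.387214 IP 10.0.0.5.24181 > 10.0.0.9.https: Flags [S], seq 3176850630, win 27320, options [mss 1366,sackOK,TS val 10219482 ecr 0,nop,wscale 7], length 0
15:43:45.388803 IP 10.0.0.5.24181 > 10.0.0.9.https: Flags [S], seq 3176850630, win 27320, options [mss 1366,sackOK,TS val 10220484 ecr 0,nop,wscale 7], length 0
15:43:47.392502 IP 10.0.0.5.24181 > 10.0.0.9.https: Flags [S], seq 3176850630, win 27320, options [mss 1366,sackOK,TS val 10222488 ecr 0,nop,wscale 7], length 0
15:43:48.221137 IP 10.0.0.5.24268 > 10.0.0.9.https: Flags [S], seq 2578854390, win 65535, options [mss 1359,nop,wscale 5,nop,nop,TS val 2101129584 ecr 0,sackOK,eol], length 0
15:43:48.221176 IP 10.0.0.9.https > 10.0.0.5.24268: Flags [S.], seq 2601881039, ack 2578854391, win 26844, options [mss 8960,sackOK,TS val 87743794 ecr 2101129584,nop,wscale 7], length 0
15:43:48.228653 IP 10.0.0.5.24268 > 10.0.0.9.https: Flags [.], ack 1, win 4125, options [nop,nop,TS val 2101129593 ecr 87743794], length 0
"""

# Matches the prefix tcpdump prints for a TCP packet: timestamp, endpoints
# (host.port, where port may be a service name such as "https") and flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the parsed fields of one tcpdump line, or None if it is not TCP."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_handshakes(capture_text):
    """Map each client->server flow to its SYN count and whether a SYN-ACK came back.

    Only the SYN and SYN-ACK packets are needed for the classification; the
    flow key is always oriented from the client, so a server SYN-ACK is
    recorded under the reversed (client, server) tuple.
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "first": None})
    for line in capture_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["flags"] == "S":  # client SYN (possibly a retransmission)
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            flow = flows[key]
            flow["syn"] += 1
            flow["first"] = flow["first"] or p["ts"]
        elif p["flags"] == "S.":  # server SYN-ACK answers the reversed flow
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            flows[key]["synack"] = True
    return dict(flows)


def stalled_flows(capture_text, min_syn=2):
    """Flows whose SYN was sent at least min_syn times and never answered."""
    return sorted(k for k, v in classify_handshakes(capture_text).items()
                  if v["syn"] >= min_syn and not v["synack"])


def completed_flows(capture_text):
    """Flows for which the server replied with a SYN-ACK."""
    return sorted(k for k, v in classify_handshakes(capture_text).items()
                  if v["synack"])


if __name__ == "__main__":
    for flow in stalled_flows(SAMPLE_CAPTURE):
        print("stalled  ", flow)
    for flow in completed_flows(SAMPLE_CAPTURE):
        print("completed", flow)
```

Run it against `tcpdump -n -i eth1 'tcp port 443'` output saved to a file (replace `SAMPLE_CAPTURE` with the file's contents) to get the list of client ports that never received a SYN-ACK. Because the capture in the post was taken inside the VM, a SYN that appears there has already passed the host firewall's inbound path; the script only tells you which attempts went unanswered, not why, but it separates the two populations cleanly so the unanswered ones can be correlated with host-side firewall logs or a capture on the bridge.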
Got a PVE FWed VM that's only randomly letting me connect to its port 443 from the same allowed source; cannot figure out why it's not stable.


Is it ensured that the https service inside the VM works correctly? In other words: when connecting from the subnet the VM is connected to, i.e. with no forwarding in between - does it work in that case?