NetBSD-Users archive


Frequent short-lived losses of network connectivity



        Like Ian Clark...

             http://marc.info/?l=netbsd-users&m=131236812305510&w=1

...I am encountering some strange network behavior.  I'm trying to use
IPFilter (a.k.a. IPF), rather than PF, since I want to maintain compatibility
with an existing ruleset.  For explanation of the problem here, what follows
is what I posted to the IPF mailing list, so far without a response.

|       After an extended period of time running a system under OpenBSD 2.8
|and IPF v3.3.18, I now have a computer running NetBSD 5.1 release with
|IPF v4.1.29.  It was great to just take my existing ruleset and drop it on
|the "new" system, and it "just worked."  I am seeing a couple annoying issues,
|though, which may be related.
|
|       First, SSH connections to systems behind the firewall from outside
|the LAN get dropped every two or three hours.  This is particularly the case
|for SSH connections to the firewall, itself.  The only clue I get that I can
|shortly expect a dropped connection to the firewall is that ipmon (-Dnps)
|will sometimes log an entry for some form of traffic we're tracking wherein
|the IP addresses are not resolved to host names.  If I attempt to reconnect
|to the firewall right away, it seems to take longer than usual to establish
|the connection, and any logged firewall traffic continues to lack host name
|references.  Then in a couple minutes, the SSH connection is dropped again.
|After another SSH connection to the firewall, it seems to operate normally for
|a few hours, until the next such incident.
|
|       What might be related is that we have a set of rules in place to
|statefully maintain connections to our DNS servers, which sit upstream from
|our LAN.  Despite this, the firewall will periodically log blocked UDP
|packets to the DNS servers.  Is there a parameter I should consider adjusting
|to increase the time UDP packets are considered part of an established
|connection?  Perhaps the issue is potentially with all UDP packets "timing
|out" too soon, and we're only seeing a problem with name resolution, since the
|process is so tied up with Internet communications in general.
|
|       FWIW, the system is configured as a firewall with two Intel NICs
|plumbed to a bridge (no NAT or explicit IPv6).  An IP address is bound to the
|"internal" NIC.
|
|       I would welcome any guidance in tracking down these issues, and I'm
|happy to provide more details, if necessary.

        Since posting the above, I came across this message thread:

      http://mail-index.netbsd.org/current-users/2008/10/20/msg005251.html

The next-to-last message in the thread indicated that setting the "age" on
various catch-all rules seemed to address the issue.  Along those lines, I'm
wondering if a more general kernel modification (via ipf -T) is in order.

        My dmesg is below.  The FIREWALL kernel is based on i386 GENERIC from
5.1 release, and besides having GATEWAY and BRIDGE_IPF enabled, has a few
features we don't need disabled:

 NFS
 NTFS
 MSDOSFS
 SMBFS
 NFSSERVER
 NETATALK

        We'd like to use the wm<N> NICs, but they're attached via a PCI riser
card, and for whatever reason, only one of them actually has full
functionality.  The miscreant card won't acknowledge an active network cable
that's plugged into it (neither via the system and/or with link/speed LEDs).
If anyone has any insights with this, that would be great, but the above issue
is more important to resolve at this point.

Regards,
Mike

**

Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
    2006, 2007, 2008, 2009, 2010
    The NetBSD Foundation, Inc.  All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California.  All rights reserved.

NetBSD 5.1 (FIREWALL) #0: Mon Jul 25 20:06:23 EDT 2011
        root@:/usr/src/sys/arch/i386/compile/FIREWALL
total memory = 511 MB
avail memory = 491 MB
timecounter: Timecounters tick every 10.000 msec
timecounter: Timecounter "i8254" frequency 1193182 Hz quality 100
VIA Technologies, Inc. VT82C694T ( )
mainbus0 (root)
cpu0 at mainbus0 apid 0: Intel 686-class, 997MHz, id 0x686
ioapic0 at mainbus0 apid 2: pa 0xfec00000, version 11, 24 pins
acpi0 at mainbus0: Intel ACPICA 20080321
acpi0: X/RSDT: OemId <VIA694,AWRDACPI,30302e32>, AslId <AWRD,00000000>
acpi0: SCI interrupting at int 9
acpi0: fixed-feature power button present
timecounter: Timecounter "ACPI-Fast" frequency 3579545 Hz quality 1000
ACPI-Fast 24-bit timer
acpibut0 at acpi0 (PWRB, PNP0C0C): ACPI Power Button
attimer1 at acpi0 (TMR, PNP0100): io 0x40-0x43 irq 0
pcppi1 at acpi0 (SPKR, PNP0800): io 0x61
midi0 at pcppi1: PC speaker (CPU-intensive output)
sysbeep0 at pcppi1
npx1 at acpi0 (COPR, PNP0C04): io 0xf0-0xff irq 13
npx1: reported by CPUID; using exception 16
pckbc1 at acpi0 (PS2K, PNP0303) (kbd port): io 0x60,0x64 irq 1
apm0 at acpi0: Power Management spec V1.2
attimer1: attached to pcppi1
pckbd0 at pckbc1 (kbd slot)
pckbc1: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
pchb0 at pci0 dev 0 function 0
pchb0: vendor 0x1106 product 0x0691 (rev. 0xc4)
agp0 at pchb0 (v2): aperture at 0xf0000000, size 0x10000000
ppb0 at pci0 dev 1 function 0: vendor 0x1106 product 0x8598 (rev. 0x00)
pci1 at ppb0 bus 1
pci1: i/o space, memory space enabled
vga1 at pci0 dev 6 function 0: vendor 0x1002 product 0x4752 (rev. 0x27)
wsdisplay0 at vga1 kbdmux 1: console (80x25, vt100 emulation), using wskbd0
wsmux1: connecting to wsdisplay0
drm at vga1 not configured
pcib0 at pci0 dev 7 function 0
pcib0: vendor 0x1106 product 0x0686 (rev. 0x40)
viaide0 at pci0 dev 7 function 1
viaide0: VIA Technologies VT82C686A (Apollo KX133) ATA100 controller
viaide0: bus-master DMA support present
viaide0: primary channel configured to compatibility mode
viaide0: primary channel interrupting at ioapic0 pin 14
atabus0 at viaide0 channel 0
viaide0: secondary channel configured to compatibility mode
viaide0: secondary channel ignored (disabled)
vendor 0x1106 product 0x3057 (miscellaneous bridge, revision 0x40) at pci0 dev 7 function 4 not configured
fxp0 at pci0 dev 13 function 0: i82559 Ethernet, rev 8
fxp0: interrupting at ioapic0 pin 17
fxp0: Ethernet address 00:e0:81:20:84:98
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 4
inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp1 at pci0 dev 14 function 0: i82559 Ethernet, rev 8
fxp1: interrupting at ioapic0 pin 18
fxp1: Ethernet address 00:e0:81:20:84:99
inphy1 at fxp1 phy 1: i82555 10/100 media interface, rev. 4
inphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
wm0 at pci0 dev 16 function 0: Intel i82543GC 1000BASE-T Ethernet, rev. 2
wm0: interrupting at ioapic0 pin 18
wm0: 32-bit 33MHz PCI bus
wm0: 64 word (6 address bits) MicroWire EEPROM
wm0: Ethernet address 00:03:47:0d:52:1d
makphy0 at wm0 phy 1: Marvell 88E1000 Gigabit PHY, rev. 2
makphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
wm1 at pci0 dev 17 function 0: Intel i82543GC 1000BASE-T Ethernet, rev. 2
wm1: interrupting at ioapic0 pin 19
wm1: 32-bit 33MHz PCI bus
wm1: 64 word (6 address bits) MicroWire EEPROM
wm1: Ethernet address 00:03:47:de:2f:bc
makphy1 at wm1 phy 1: Marvell 88E1000 Gigabit PHY, rev. 4
makphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
isa0 at pcib0
isapnp0 at isa0 port 0x279: ISA Plug 'n Play device support
isapnp0: no ISA Plug 'n Play devices found
timecounter: Timecounter "clockinterrupt" frequency 100 Hz quality 0
wd0 at atabus0 drive 0: <SanDisk SDCFX4-4096>
wd0: drive supports 4-sector PIO transfers, LBA addressing
wd0: 3919 MB, 7964 cyl, 16 head, 63 sec, 512 bytes/sect x 8027712 sectors
wd0: 32-bit data port
wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 4 (Ultra/66)
wd0(viaide0:0:0): using PIO mode 4, Ultra-DMA mode 4 (Ultra/66) (using DMA)
Kernelized RAIDframe activated
pad0: outputs: 44100Hz, 16-bit, stereo
audio0 at pad0: half duplex, playback, capture
wd0: transfer error, downgrading to Ultra-DMA mode 3
wd0(viaide0:0:0): using PIO mode 4, Ultra-DMA mode 3 (using DMA)
wd0d: error reading fsbn 0 (wd0 bn 0; cn 0 tn 0 sn 0), retrying
wd0: (aborted command, interface CRC error)
wd0: transfer error, downgrading to Ultra-DMA mode 2
wd0(viaide0:0:0): using PIO mode 4, Ultra-DMA mode 2 (Ultra/33) (using DMA)
wd0d: error reading fsbn 0 (wd0 bn 0; cn 0 tn 0 sn 0), retrying
wd0: (aborted command, interface CRC error)
wd0: transfer error, downgrading to Ultra-DMA mode 1
wd0(viaide0:0:0): using PIO mode 4, Ultra-DMA mode 1 (using DMA)
wd0d: error reading fsbn 0 (wd0 bn 0; cn 0 tn 0 sn 0), retrying
wd0: (aborted command, interface CRC error)
wd0: soft error (corrected)
boot device: wd0
root on wd0a dumps on wd0b
root file system type: ffs
warning: no /dev/console
wsdisplay0: screen 1 added (80x25, vt100 emulation)
wsdisplay0: screen 2 added (80x25, vt100 emulation)
wsdisplay0: screen 3 added (80x25, vt100 emulation)
wsdisplay0: screen 4 added (80x25, vt100 emulation)
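Added example (not part of Mike's post and not IPFilter's code): a toy model of how a stateful `keep state` rule for outbound UDP ages its entries, so the "periodically blocked UDP packets to the DNS servers" symptom can be reproduced offline. It assumes the behaviour I understand IPF 4.1 to have: a new UDP state entry starts on the short "unanswered" timeout (`fr_udpacktimeout`, default 24 half-second ticks, i.e. 12 s), moves to the longer idle timeout once a reply is seen (`fr_udptimeout`, default 240 ticks, i.e. 120 s), and is refreshed by every matching packet; a reply arriving after the entry has expired falls through to the catch-all block rule. The tunable names, their defaults and the half-second tick unit are stated from memory and should be checked against `ipf -T list` on the box. Addresses and timings are constructed.

```python
"""Toy model of stateful UDP tracking with idle timeouts (constructed example)."""
from dataclasses import dataclass


def ipf_ticks_to_seconds(ticks: int) -> float:
    """IPF -T timeout tunables are expressed in half-second ticks (assumption)."""
    return ticks / 2.0


@dataclass
class Packet:
    t: float        # arrival time in seconds
    src: str        # "ip:port"
    dst: str        # "ip:port"
    direction: str  # "out" (LAN -> DNS server) or "in" (reply from server)


class UdpStateTable:
    """Mimics a 'pass out proto udp ... keep state' rule plus a catch-all block."""

    def __init__(self, udp_timeout: float, udpack_timeout: float):
        self.udp_timeout = udp_timeout        # idle timeout once a reply was seen
        self.udpack_timeout = udpack_timeout  # timeout while no reply seen yet
        self.entries = {}                     # (client, server) -> state dict

    @staticmethod
    def key(pkt: Packet):
        # Normalise both directions onto the (client, server) flow key.
        return (pkt.src, pkt.dst) if pkt.direction == "out" else (pkt.dst, pkt.src)

    def expire(self, now: float) -> None:
        # Drop entries whose TTL has run out before consulting the table.
        for k in [k for k, e in self.entries.items() if e["expires"] <= now]:
            del self.entries[k]

    def filter(self, pkt: Packet) -> str:
        self.expire(pkt.t)
        k = self.key(pkt)
        entry = self.entries.get(k)
        if entry is None:
            if pkt.direction == "out":
                # Outbound packet creates state on the short "unanswered" timeout.
                self.entries[k] = {"answered": False,
                                   "expires": pkt.t + self.udpack_timeout}
                return "pass"
            return "block"  # unsolicited inbound UDP: catch-all rule logs and blocks
        if pkt.direction == "in":
            entry["answered"] = True  # reverse direction seen: switch to long timeout
        ttl = self.udp_timeout if entry["answered"] else self.udpack_timeout
        entry["expires"] = pkt.t + ttl  # every matching packet refreshes the entry
        return "pass"


def run(udp_timeout: float, udpack_timeout: float, packets):
    """Return the verdict for each packet in arrival order."""
    table = UdpStateTable(udp_timeout, udpack_timeout)
    return [table.filter(p) for p in packets]


# Constructed flow between a LAN resolver and an upstream DNS server (RFC 5737 ranges).
CLIENT = "192.0.2.10:5353"
SERVER = "198.51.100.53:53"

SAMPLE = [
    Packet(0.0,   CLIENT, SERVER, "out"),  # query
    Packet(0.05,  SERVER, CLIENT, "in"),   # reply, entry now on the long timeout
    Packet(100.0, SERVER, CLIENT, "in"),   # further reply inside the idle window
    Packet(230.0, SERVER, CLIENT, "in"),   # reply after 130 s idle: > 120 s
    Packet(300.0, CLIENT, SERVER, "out"),  # fresh query
    Packet(315.0, SERVER, CLIENT, "in"),   # slow reply, 15 s after query: > 12 s
]

if __name__ == "__main__":
    defaults = (ipf_ticks_to_seconds(240), ipf_ticks_to_seconds(24))
    print("default timeouts:", run(*defaults, SAMPLE))
    print("udp_timeout raised to 600 s:", run(600.0, defaults[1], SAMPLE))
```

With the default timeouts the fourth and sixth packets are blocked, which is exactly the pattern of sporadic "blocked UDP to the DNS servers" log entries described above; raising the idle timeout (or setting `age` on the rule, as the referenced thread suggests) lets the same traffic pass. The model says nothing about why the resolver's queries go idle for so long in the first place, so it helps confirm the mechanism rather than the root cause.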