Received UDP packet from unknown source 1.2.3.4 (port 12345)

Pavel Georgiev pavel at netclime.com
Tue Mar 4 12:28:05 CET 2008


On Sunday 02 March 2008 15:56:45 Guus Sliepen wrote:
> On Fri, Feb 29, 2008 at 01:41:54PM +0200, Pavel Georgiev wrote:
> > I have a VPN mesh with ~10 nodes. A recently added node experiences
> > the 'Received UDP packet from unknown source' problem. I read in the FAQ
> > this is probably caused by a NAT rule on either side, but I don't have
> > such rules.
> >
> > The thing is that the IP in the 'Received UDP packet from unknown source'
> > message is exactly what I have configured. The problem solves itself with
> > time and this is marked in the logs as:
> >
> > tinc.vpn[25833]: Lost 219 packets from UA_VPN
> >
> > When the tunnel works, both source and destination port of the UDP
> > packets are 655, while when I experience the problem the source port of
> > the node that has the problems is 602/601. I run tcpdump on that node and
> > the packets have exactly that port when they leave the box, so it's not
> > something that gets rewritten on the way to the other node.
>
> Since tinc only sets up the socket for UDP once, tinc itself never
> changes the source port. So either there is NAT somewhere (on the
> network between the nodes or on either the sending or receiving node),
> or you have a buggy kernel, or a buggy network card/cable/router. If you
> run tcpdump on the box sending those strange UDP packets, and it already
> has source port 602/601 there, it's either NAT on that box or a buggy
> kernel...

It was NAT indeed. The box had two IP addresses and both were configured to 
have a gateway in /etc/network/interfaces, so sometimes packets were 
originating with source IP = second IP. This was not obvious as I do 
masquerading of outgoing traffic so those packets were reported by tcpdump 
with source IP = primary IP. It was a tricky one, I caught it by luck (had 
the same configuration error in /etc/network/interfaces on another box 
without NAT and saw it was using both IPs as source).

Thanks for the reply, I hope this will help someone else fighting the same 
problem.
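
A check for the misconfiguration described in this message, added here as an example and not part of the original thread: it parses a Debian ifupdown interfaces file and reports address families where more than one `iface` stanza declares a `gateway`. The sample file, its addresses and the function names are constructed for illustration, and backslash line continuations are not handled.

```python
import re

# Constructed sample (not from the thread): a Debian-style
# /etc/network/interfaces where two addresses each declare a gateway.
SAMPLE = """\
auto eth0
iface eth0 inet static
    address 192.0.2.10
    netmask 255.255.255.0
    gateway 192.0.2.1

auto eth0:1
iface eth0:1 inet static
    address 192.0.2.11
    netmask 255.255.255.0
    gateway 192.0.2.1
"""

# Keywords that open a new stanza and therefore close the current iface stanza.
STANZA_START = re.compile(r"^(iface|mapping|auto|allow-\S+|source|source-directory)\b")

def gateway_stanzas(text):
    """Map address family -> [(iface, address, gateway)] for stanzas with a gateway."""
    found, cur = {}, None
    for raw in text.splitlines() + ["auto"]:  # sentinel flushes the last stanza
        line = raw.strip()
        if not line or line.startswith("#"):  # ifupdown has whole-line comments only
            continue
        words = line.split()
        if STANZA_START.match(line):
            if cur and "gateway" in cur:
                found.setdefault(cur["family"], []).append(
                    (cur["iface"], cur.get("address"), cur["gateway"]))
            cur = None
            if words[0] == "iface" and len(words) >= 3:
                cur = {"iface": words[1], "family": words[2]}
        elif cur is not None and words[0] in ("address", "gateway") and len(words) > 1:
            cur[words[0]] = words[1]
    return found

def conflicting_gateways(text):
    """Families with more than one gateway-bearing stanza (competing default routes)."""
    return {fam: st for fam, st in gateway_stanzas(text).items() if len(st) > 1}

if __name__ == "__main__":
    for fam, stanzas in conflicting_gateways(SAMPLE).items():
        print(f"{fam}: {len(stanzas)} stanzas declare a gateway")
        for iface, addr, gw in stanzas:
            print(f"  {iface}: address {addr}, gateway {gw}")
```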

