Intermittent TCP connect issues when using tinc 1.0.23 and IPv6

[Guus Sliepen]

On Thu, Nov 28, 2013 at 11:49:50AM +0000, tomp at Tomp.co.uk wrote:

[...]
> However we have an cron process that runs every 1 minute and makes
> several HTTP requests over the VPN every 10s.
> 
> About 10-12 times a day we are getting these errors after the
> specified 5 second connect timeout set in the app.
> 
> Request failed: connect() timed out!
> 
> If we disable the VPN and just route the requests over the internet
> (as I said they are publically routable addresses) then we do not
> see these errors, suggesting this is not an application problem.

Tinc itself changes its symmetric encryption keys every hour. This could cause
a few packets to be dropped. If that happens with the HTTP connection you make
every 10 seconds, and the HTTP connection's TCP stream doesn't resend the
missed packets within your 5 second timeout, then this might explain the
dropped connections. You can try setting KeyExpire to a larger value (86400 for
example) and see if that reduces the frequency of those timeouts.

Another issue might be the fact that tinc encapsulates the TCP packets from the
HTTP request inside UDP packets, and some router along the way might be
configured to give lower priority to UDP packets, causing them to drop more
often, and hence causing the HTTP request to time out.

You can try to run tinc with with a high debugging level and let it log to a
file, so you can check afterwards if tinc itself reported anything strange
happening:

tincd -n <netname> -d5 --logfile=/var/log/tinc.log

Beware that at -d5, it could grow quite large.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20131128/a6c8a3a2/attachment.sig>