tinc Digest, Vol 109, Issue 7

tomp at tomp.co.uk tomp at tomp.co.uk
Thu Nov 28 15:48:48 CET 2013 

Thanks for replying so quickly Guus.

I will try increasing the re-keying time to 86400, and am now running 
the servers in debug 5 mode logging to a file, so will get all output.

Its interesting what you say about UDP being given lower priority, the 
two end points of this VPN are actually within the same data center, but 
are being routed within the DC's core routers (because its going between 
2 different public IP ranges).

When I did a download speed test over HTTP over the VPN, I started to 
see replay window errors (default setting of 128).

Does that perhaps suggest that the DC's routers are re-ordering UDP 
traffic?

Thanks
Tom


On 2013-11-28 14:28, tinc-request at tinc-vpn.org wrote:
> Send tinc mailing list submissions to
> 	tinc at tinc-vpn.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> or, via email, send a message with subject or body 'help' to
> 	tinc-request at tinc-vpn.org
> 
> You can reach the person managing the list at
> 	tinc-owner at tinc-vpn.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of tinc digest..."
> 
> Today's Topics:
> 
>    1. Re: Intermittent TCP connect issues when using tinc 1.0.23
>       and IPv6 (Guus Sliepen)
>    2. Re: Intermittent TCP connect issues when using tinc 1.0.23
>       and IPv6 (Guus Sliepen)
>    3. Re: Intermittent TCP connect issues when using tinc 1.0.23
>       and IPv6 (tomp at tomp.co.uk)
> 
> On Thu, Nov 28, 2013 at 11:49:50AM +0000, tomp at Tomp.co.uk wrote:
> 
> [...]
>> However we have an cron process that runs every 1 minute and makes
>> several HTTP requests over the VPN every 10s.
>> 
>> About 10-12 times a day we are getting these errors after the
>> specified 5 second connect timeout set in the app.
>> 
>> Request failed: connect() timed out!
>> 
>> If we disable the VPN and just route the requests over the internet
>> (as I said they are publically routable addresses) then we do not
>> see these errors, suggesting this is not an application problem.
> 
> Tinc itself changes its symmetric encryption keys every hour. This 
> could cause
> a few packets to be dropped. If that happens with the HTTP connection 
> you make
> every 10 seconds, and the HTTP connection's TCP stream doesn't resend 
> the
> missed packets within your 5 second timeout, then this might explain 
> the
> dropped connections. You can try setting KeyExpire to a larger value 
> (86400 for
> example) and see if that reduces the frequency of those timeouts.
> 
> Another issue might be the fact that tinc encapsulates the TCP packets 
> from the
> HTTP request inside UDP packets, and some router along the way might 
> be
> configured to give lower priority to UDP packets, causing them to drop 
> more
> often, and hence causing the HTTP request to time out.
> 
> You can try to run tinc with with a high debugging level and let it 
> log to a
> file, so you can check afterwards if tinc itself reported anything 
> strange
> happening:
> 
> tincd -n <netname> -d5 --logfile=/var/log/tinc.log
> 
> Beware that at -d5, it could grow quite large.
> 
> On Thu, Nov 28, 2013 at 12:12:57PM +0000, tomp at tomp.co.uk wrote:
> 
>> [thomas.parrott at rsuk-mhb-fw01 ~]$ grep '11:59:' /var/log/messages
> 
> It seems your syslog is configured to only store certain log messages 
> in
> /var/log/messages. Could you check /var/log/syslog and /var/log/debug 
> as well?
> It might be better to let tinc log to its own log file in this case.
> 
> List-Post: <mailto:tinc at tinc-vpn.org>
> Content-Transfer-Encoding: 7bit
> From: tomp at tomp.co.uk
> Precedence: list
> MIME-Version: 1.0
> To: <tinc at tinc-vpn.org>
> References: <969babf1ebb9049f76e1a2fe09e53f0e at Tomp.co.uk>
>  <af2e4101e521ec8ac3f5aee0d7897356 at tomp.co.uk>
> In-Reply-To: <af2e4101e521ec8ac3f5aee0d7897356 at tomp.co.uk>
> Date: Thu, 28 Nov 2013 14:28:23 +0000
> Reply-To: tinc at tinc-vpn.org
> Message-ID: <06a8625b5f2d31bee1eacd76c358e918 at tomp.co.uk>
> Content-Type: text/plain; charset=UTF-8;
>  format=flowed
> Subject: Re: Intermittent TCP connect issues when using tinc 1.0.23 
> and IPv6
> Message: 3
> 
> I can confirm this issue is also occurring when using tinc 1.1pre9 
> with
> elliptic encryption.
> 
> On 2013-11-28 12:12, tomp at tomp.co.uk wrote:
>> Here's some more info, as a timeout just occurred using rsync from
>> rsukmhb to rps sites:
>> 
>> Nov 28 11:59:01 rsuk-mhb-pubweb101 php: ict-pubweb [SyncSites]
>> (21294) Info: Plugin started
>> Nov 28 11:59:01 rsuk-mhb-pubweb101 php: ict-pubweb [SyncSites]
>> (21294) Info: Last sync build time: 2013-11-27 09:50:40
>> Nov 28 11:59:16 rsuk-mhb-pubweb101 php: ict-pubweb [SyncSites]
>> (21294) Error: Rsync failed: rsync error: timeout waiting for daemon
>> connection (code 35) at socket.c(279) [receiver=3.0.6]
>> Nov 28 11:59:16 rsuk-mhb-pubweb101 php: ict-pubweb [SyncSites]
>> (21294) Info: Plugin stopped
>> 
>> Rsync is configured with a connection timeout of 15s, so the
>> connection was started at 11:59:01 and timed out at 11:59:16.
>> 
>> At the same time our import cron process ran from rps to the same
>> server that was running the rsync client:
>> 
>> Nov 28 11:59:01 rsuk-mhb-pubweb101 httpd: pubweb.infinity.local
>> rsuk-mhb-pubweb101.ictnw.net 2001:1b40:5600:1::76 - ict-pubweb
>> [28/Nov/2013:11:59:01 +0000] "GET
>> /v1/cmsEvents?limit=1000&sort%5B0%5D=rowId-asc&filter%5B0%5D=siteId-in-value-2&filter%5B1%5D=rowId-gt-value-933&filter%5B2%5D=eventType-eq-value-lead
>> HTTP/1.0" 200 - "-" "Icc HTTP Client"
>> 
>> I am running tinc with debug mode 5 on both firewalls so here is a
>> sample of the logs from both at that time:
>> 
>> rsukmhb site (where rsync client is):
>> -----------------------------------------
>> 
>> [thomas.parrott at rsuk-mhb-fw01 ~]$ grep '11:59:' /var/log/messages
>> 
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 224 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 88
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 87
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 108 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 82
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:01 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 136 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 82
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 79
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 89
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 89
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 80
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 79
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:02 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:03 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 139 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:04 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:04 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:08 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:08 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:10 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 118 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:11 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 118 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:11 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:11 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:11 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:11 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 224 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:11 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:11 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:12 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 118 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:13 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 118 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:14 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 118 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:16 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:16 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:21 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:21 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:21 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:21 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 224 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:21 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:21 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:29 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:29 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:29 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:29 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 224 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:29 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:29 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:34 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 129 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:39 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:39 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:39 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:39 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 224 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:39 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:39 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:42 rsuk-mhb-fw01 tinc.dcvpn[24911]: Got MTU probe length
>> 1443 from rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:42 rsuk-mhb-fw01 tinc.dcvpn[24911]: Got MTU probe length
>> 1443 from rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:42 rsuk-mhb-fw01 tinc.dcvpn[24911]: Got MTU probe length
>> 1443 from rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:43 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending MTU probe
>> length 1451 to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:43 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending MTU probe
>> length 1443 to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:43 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending MTU probe
>> length 1443 to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:43 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending MTU probe
>> length 1443 to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:43 rsuk-mhb-fw01 tinc.dcvpn[24911]: Got MTU probe length
>> 1443 from rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:43 rsuk-mhb-fw01 tinc.dcvpn[24911]: Got MTU probe length
>> 1443 from rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:43 rsuk-mhb-fw01 tinc.dcvpn[24911]: Got MTU probe length
>> 1443 from rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:43 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 118 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:44 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 118 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:45 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 118 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:46 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 118 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:47 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 118 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:49 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:49 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:49 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:49 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 224 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:49 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:49 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:55 rsuk-mhb-fw01 tinc.dcvpn[24911]: Clamping MSS of
>> packet from rsukmhb to rps to 1369
>> Nov 28 11:59:55 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 86
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:55 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 112 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:55 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:55 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of
>> 106 bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:55 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 89
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:55 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> Nov 28 11:59:55 rsuk-mhb-fw01 tinc.dcvpn[24911]: Sending packet of 74
>> bytes to rps (2001:1b40:5000:9::2 port 655)
>> 
>> rps site (where rsync server is):
>> -----------------------------------------
>> 
>> [thomas.parrott at rps-fw03 ~]$ grep '11:59:' /var/log/messages
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Clamping MSS of packet
>> from rps to rsukmhb to 1369
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 86
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 433
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Clamping MSS of packet
>> from rps to rsukmhb to 1369
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 86
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 88
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 115
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 86
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:01 rps-fw03 tinc.dcvpn[17321]: Sending packet of 75
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 78
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 78
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1443
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1443
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1443
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1443
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1443
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1417
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1443
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1443
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1443
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1443
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1443
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1443
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 1035
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 89
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 89
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 79
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 98
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:02 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:03 rps-fw03 tinc.dcvpn[17321]: Sending packet of 107
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:10 rps-fw03 tinc.dcvpn[17321]: Sending packet of 118
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:11 rps-fw03 tinc.dcvpn[17321]: Sending packet of 118
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:11 rps-fw03 tinc.dcvpn[17321]: Clamping MSS of packet
>> from rps to rsukmhb to 1369
>> Nov 28 11:59:11 rps-fw03 tinc.dcvpn[17321]: Sending packet of 86
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:11 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:11 rps-fw03 tinc.dcvpn[17321]: Sending packet of 433
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:11 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:11 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:12 rps-fw03 tinc.dcvpn[17321]: Sending packet of 118
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:13 rps-fw03 tinc.dcvpn[17321]: Sending packet of 118
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:14 rps-fw03 tinc.dcvpn[17321]: Sending packet of 118
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:21 rps-fw03 tinc.dcvpn[17321]: Clamping MSS of packet
>> from rps to rsukmhb to 1369
>> Nov 28 11:59:21 rps-fw03 tinc.dcvpn[17321]: Sending packet of 86
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:21 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:21 rps-fw03 tinc.dcvpn[17321]: Sending packet of 433
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:21 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:21 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:29 rps-fw03 tinc.dcvpn[17321]: Clamping MSS of packet
>> from rps to rsukmhb to 1369
>> Nov 28 11:59:29 rps-fw03 tinc.dcvpn[17321]: Sending packet of 86
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:29 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:29 rps-fw03 tinc.dcvpn[17321]: Sending packet of 433
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:29 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:29 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:34 rps-fw03 tinc.dcvpn[17321]: Sending packet of 122
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:39 rps-fw03 tinc.dcvpn[17321]: Clamping MSS of packet
>> from rps to rsukmhb to 1369
>> Nov 28 11:59:39 rps-fw03 tinc.dcvpn[17321]: Sending packet of 86
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:39 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:39 rps-fw03 tinc.dcvpn[17321]: Sending packet of 433
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:39 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:39 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:42 rps-fw03 tinc.dcvpn[17321]: Sending MTU probe length
>> 1451 to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:42 rps-fw03 tinc.dcvpn[17321]: Sending MTU probe length
>> 1443 to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:42 rps-fw03 tinc.dcvpn[17321]: Sending MTU probe length
>> 1443 to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:42 rps-fw03 tinc.dcvpn[17321]: Sending MTU probe length
>> 1443 to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:42 rps-fw03 tinc.dcvpn[17321]: Got MTU probe length 1443
>> from rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:42 rps-fw03 tinc.dcvpn[17321]: Got MTU probe length 1443
>> from rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:42 rps-fw03 tinc.dcvpn[17321]: Got MTU probe length 1443
>> from rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:43 rps-fw03 tinc.dcvpn[17321]: Got MTU probe length 1443
>> from rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:43 rps-fw03 tinc.dcvpn[17321]: Got MTU probe length 1443
>> from rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:43 rps-fw03 tinc.dcvpn[17321]: Got MTU probe length 1443
>> from rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:43 rps-fw03 tinc.dcvpn[17321]: Sending packet of 118
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:44 rps-fw03 tinc.dcvpn[17321]: Sending packet of 118
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:45 rps-fw03 tinc.dcvpn[17321]: Sending packet of 118
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:46 rps-fw03 tinc.dcvpn[17321]: Sending packet of 118
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:47 rps-fw03 tinc.dcvpn[17321]: Sending packet of 118
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:49 rps-fw03 tinc.dcvpn[17321]: Clamping MSS of packet
>> from rps to rsukmhb to 1369
>> Nov 28 11:59:49 rps-fw03 tinc.dcvpn[17321]: Sending packet of 86
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:49 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:49 rps-fw03 tinc.dcvpn[17321]: Sending packet of 433
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:49 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:49 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:55 rps-fw03 tinc.dcvpn[17321]: Clamping MSS of packet
>> from rps to rsukmhb to 1369
>> Nov 28 11:59:55 rps-fw03 tinc.dcvpn[17321]: Sending packet of 86
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:55 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:55 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:55 rps-fw03 tinc.dcvpn[17321]: Sending packet of 105
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:55 rps-fw03 tinc.dcvpn[17321]: Sending packet of 80
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:55 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> Nov 28 11:59:55 rps-fw03 tinc.dcvpn[17321]: Sending packet of 74
>> bytes to rsukmhb (2001:1b40:5000:19::2 port 655)
>> 
>> Neither firewalls are heaving loaded.
>> 
>> Thanks
>> Tom
>> 
>> 
>> On 2013-11-28 11:49, tomp at Tomp.co.uk wrote:
>>> Hi,
>>> I am using tinc 1.0.23 in router mode and am having trouble with
>>> intermittent TCP connect timeouts that do not occur when routing the
>>> TCP over the internet directly.
>>> I am using a pure IPv6 setup (i.e direct IPv6 connections, and
>>> tunneled IPv6 subnets).
>>> My configs are as follows:
>>> Site 1:
>>> -----------------------
>>> tinc.conf:
>>> Name = rsukmhb
>>> AddressFamily = ipv6
>>> BindToAddress = 2001:1b40:5000:19::2
>>> ConnectTo = rps
>>> IffOneQueue = yes
>>> tinc-up:
>>> #!/bin/sh
>>> logger -t tinc Bringing up interface $INTERFACE
>>> ip -6 link set "$INTERFACE" up
>>> ip -6 link set "$INTERFACE" txqueuelen 10
>>> ip -6 addr add fdd1:c52a:3c24:3384::2/64 dev "$INTERFACE"
>>> subnet-up:
>>> #!/bin/sh
>>> [ -z "$NAME" ] && exit 0
>>> [ "$NAME" = "$NODE" ] && exit 0
>>> logger -t tinc Adding route to $SUBNET for $NODE on $NAME
>>> ip -6 route replace $SUBNET dev $INTERFACE
>>> Site 2:
>>> -----------------------
>>> tinc.conf:
>>> Name = rps
>>> AddressFamily = ipv6
>>> BindToAddress = 2001:1b40:5000:9::2
>>> ConnectTo = rsukmhb
>>> IffOneQueue = yes
>>> tinc-up:
>>> #!/bin/sh
>>> logger -t tinc Bringing up interface $INTERFACE
>>> ip -6 link set "$INTERFACE" up
>>> ip -6 link set "$INTERFACE" txqueuelen 10
>>> ip -6 addr add fdd1:c52a:3c24:3384::1/64 dev "$INTERFACE
>>> subnet-up:
>>> #!/bin/sh
>>> [ -z "$NAME" ] && exit 0
>>> [ "$NAME" = "$NODE" ] && exit 0
>>> logger -t tinc Adding route to $SUBNET for $NODE on $NAME
>>> ip -6 route replace $SUBNET dev $INTERFACE
>>> The VPN tun interfaces use private IPv6 IP addresses in the
>>> fdd1:c52a:3c24:3384::/64 range.
>>> I am then using the host entries at each site to advertise an IPv6
>>> /64 subnet used internally (although still publically routable
>>> address
>>> subnet) so that it is routed over the VPN tunnel to the other side.
>>> 
>>> This is working pretty well and I am getting around 80MBits/sec
>>> throughput.
>>> However we have an cron process that runs every 1 minute and makes
>>> several HTTP requests over the VPN every 10s.
>>> About 10-12 times a day we are getting these errors after the
>>> specified 5 second connect timeout set in the app.
>>> Request failed: connect() timed out!
>>> 
>>> If we disable the VPN and just route the requests over the internet
>>> (as I said they are publically routable addresses) then we do not 
>>> see
>>> these errors, suggesting this is not an application problem.
>>> We are also running Cacti and Nagios over the VPN for monitoring the
>>> remote site.
>>> The traffic level is low, averaging about 20 kbps, but quiet bursty,
>>> as every few minutes nagios/cacti runs, and the rest of the time the
>>> tunnel is quiet except for this cron app that makes a very small 
>>> HTTP
>>> request every 10s.
>>> 
>>> Do you know what I could be looking at to fix this?
>>> I have found these posts that suggest a similar connect() timeout
>>> issue:
>>> Page 12 of this doc:
>>> http://tinc-vpn.org/presentations/fosdem-2011/ec2_vpn_fosdem2011.pdf
>>> http://thr3ads.net/tinc-devel/2010/10/1964008-Tweaks-for-high-bandwidth-tinc
>>> I have tried disabled replay protection, setting IffOneQueue,
>>> lowering and increasing the txqueuelen, setting priority of the tinc
>>> process.
>>> None of these settings have improved things though.
>>> Any thoughts would be much appreciated.
>>> Thanks
>>> Tom
> 
> 
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc

More information about the tinc mailing list