How to diagnose a failed UDP discovery situation

Bright Zhao startryst at gmail.com
Wed Jun 21 03:11:47 CEST 2017


I found the server (1.1.1.1) didn’t receive the MTU probe from the client, so I added iptables -A INPUT -p udp --dport 443 -j ACCEPT.

After this, I see one packet matching on the server side, and the MTU negotiation works, but when I tear down tinc and re-establish the tinc connection, the counter for UDP/443 below never increases. Also, my other tinc nodes never had this statement added to iptables, but they all work well for the MTU negotiation (finally works on UDP).

pkts bytes target     prot opt in     out     source               destination         
    1   104 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:https 

Is the above statement necessary or not?

> On 21 Jun 2017, at 8:22 AM, Bright Zhao <startryst at gmail.com> wrote:
> 
> Hi, experts
> 
> For example, the case below:
> 
> You can see a lot of back-and-forth MTU probe packets being exchanged between tinc nodes, but it’s weird that, from the debug log, one line shows "No response to MTU probes from node1", but it indeed received a lot of MTU probe responses, and finally it reaches the conclusion of "Packet for node1 (1.1.1.1 port 443) larger than minimum MTU".
> 
> 2017-06-21 08:12:05 tinc.myvpn[18854]: Got MTU probe length 1341 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:05 tinc.myvpn[18854]: Got MTU probe length 619 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:06 tinc.myvpn[18854]: Got MTU probe length 396 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:06 tinc.myvpn[18854]: Sending MTU probe length 77 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:06 tinc.myvpn[18854]: Sending MTU probe length 1033 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:06 tinc.myvpn[18854]: Sending MTU probe length 798 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:06 tinc.myvpn[18854]: Got MTU probe length 607 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:06 tinc.myvpn[18854]: Got MTU probe length 902 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:07 tinc.myvpn[18854]: Got MTU probe length 143 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:07 tinc.myvpn[18854]: Sending MTU probe length 1156 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:07 tinc.myvpn[18854]: Sending MTU probe length 723 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:07 tinc.myvpn[18854]: Sending MTU probe length 617 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:07 tinc.myvpn[18854]: Got MTU probe length 993 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:07 tinc.myvpn[18854]: Got MTU probe length 546 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:08 tinc.myvpn[18854]: Got MTU probe length 901 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:08 tinc.myvpn[18854]: Sending MTU probe length 1246 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:08 tinc.myvpn[18854]: Sending MTU probe length 786 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:08 tinc.myvpn[18854]: Sending MTU probe length 221 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:08 tinc.myvpn[18854]: Got MTU probe length 910 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:08 tinc.myvpn[18854]: Got MTU probe length 649 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:09 tinc.myvpn[18854]: Got MTU probe length 218 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:09 tinc.myvpn[18854]: Sending MTU probe length 526 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:09 tinc.myvpn[18854]: Sending MTU probe length 353 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:09 tinc.myvpn[18854]: Sending MTU probe length 547 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:09 tinc.myvpn[18854]: Got MTU probe length 602 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:09 tinc.myvpn[18854]: Got MTU probe length 201 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:10 tinc.myvpn[18854]: Got MTU probe length 543 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:10 tinc.myvpn[18854]: Sending MTU probe length 141 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:10 tinc.myvpn[18854]: Sending MTU probe length 445 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:10 tinc.myvpn[18854]: Sending MTU probe length 806 to node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:10 tinc.myvpn[18854]: Got MTU probe length 1418 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:10 tinc.myvpn[18854]: Got MTU probe length 309 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:11 tinc.myvpn[18854]: Got MTU probe length 192 from node1 (1.1.1.1 port 443)
> 
> 2017-06-21 08:12:11 tinc.myvpn[18854]: No response to MTU probes from node1 (1.1.1.1 port 443)
> 
> 2017-06-21 08:12:11 tinc.myvpn[18854]: Got MTU probe length 1247 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:11 tinc.myvpn[18854]: Got MTU probe length 1104 from node1 (1.1.1.1 port 443)
> 2017-06-21 08:12:38 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443) larger than minimum MTU, forwarding via TCP
> 2017-06-21 08:12:53 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443) larger than minimum MTU, forwarding via TCP
> 2017-06-21 08:13:04 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443) larger than minimum MTU, forwarding via TCP
> 2017-06-21 08:13:05 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443) larger than minimum MTU, forwarding via TCP
> 2017-06-21 08:13:08 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443) larger than minimum MTU, forwarding via TCP
> 
> 
> 
> Also you can see from tcpdump that 192.168.31.114 received the MTU probe response on its port 8201
> 
> 08:14:21.497863 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 980
> 08:14:22.529725 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 72
> 08:14:22.529805 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 868
> 08:14:22.530085 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 1353
> 08:14:22.531425 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 76
> 08:14:22.532885 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 876
> 08:14:22.534025 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 1356
> 08:15:31.904410 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 868
> 08:15:31.905610 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 868
> 08:15:31.907070 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 1340
> 08:15:32.209491 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 113
> 08:15:32.209631 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 549
> 08:15:32.209651 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 637
> 08:15:32.210451 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 116
> 08:15:32.211271 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 556
> 08:15:32.212111 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 644
> 08:16:41.634229 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 588
> 08:16:41.634909 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 76
> 08:16:41.635909 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 620
> 08:16:42.173050 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 433
> 08:16:42.173210 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 447
> 08:16:42.173250 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 1209
> 08:16:42.174150 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 436
> 08:16:42.174970 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 452
> 08:16:42.175890 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 1212
> 08:17:51.201088 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 324
> 08:17:51.202368 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 1020
> 08:17:51.203788 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 980
> 08:17:52.251311 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 369
> 08:17:52.251451 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 784
> 08:17:52.251511 IP 1.1.1.1.https > 192.168.31.114.8201: UDP, length 981
> 08:17:52.252351 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 372
> 08:17:52.253511 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 788
> 08:17:52.254471 IP 192.168.31.114.8201 > 1.1.1.1.https: UDP, length 988
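
An added example, not part of the original message and not tinc's own code: a short Python script that tallies the debug-log events quoted above per peer and checks whether any received probe length equals a length this node sent. The matching rule assumes a reply has the same length as the probe it answers; the function and field names are illustrative, and the sample lines are taken from the log in the message.

```python
import re
from collections import defaultdict

# Sample input: a few lines from the debug log quoted in the message above.
SAMPLE = """\
2017-06-21 08:12:10 tinc.myvpn[18854]: Sending MTU probe length 141 to node1 (1.1.1.1 port 443)
2017-06-21 08:12:10 tinc.myvpn[18854]: Sending MTU probe length 806 to node1 (1.1.1.1 port 443)
2017-06-21 08:12:10 tinc.myvpn[18854]: Got MTU probe length 1418 from node1 (1.1.1.1 port 443)
2017-06-21 08:12:11 tinc.myvpn[18854]: Got MTU probe length 192 from node1 (1.1.1.1 port 443)
2017-06-21 08:12:11 tinc.myvpn[18854]: No response to MTU probes from node1 (1.1.1.1 port 443)
2017-06-21 08:12:11 tinc.myvpn[18854]: Got MTU probe length 1247 from node1 (1.1.1.1 port 443)
2017-06-21 08:12:38 tinc.myvpn[18854]: Packet for node1 (1.1.1.1 port 443) larger than minimum MTU, forwarding via TCP
"""

# One pattern for the three event kinds that appear in the quoted log.
EVENT = re.compile(
    r"(?:(?P<dir>Sending|Got) MTU probe length (?P<len>\d+) (?:to|from) (?P<p1>\S+)"
    r"|(?P<noresp>No response to MTU probes from) (?P<p2>\S+)"
    r"|Packet for (?P<p3>\S+) .*forwarding via (?P<tcp>TCP))")

def summarize(lines):
    """Per peer: probe lengths sent and received, failure events, echoed lengths."""
    peers = defaultdict(lambda: {"sent": [], "got": [], "no_response": 0, "tcp_fallback": 0})
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # unrelated log line
        peer = peers[m["p1"] or m["p2"] or m["p3"]]
        if m["dir"] == "Sending":
            peer["sent"].append(int(m["len"]))
        elif m["dir"] == "Got":
            peer["got"].append(int(m["len"]))
        elif m["noresp"]:
            peer["no_response"] += 1
        else:
            peer["tcp_fallback"] += 1
    for p in peers.values():
        # Assumption: a reply has the same length as the probe it answers,
        # so an empty list means no sent length was ever seen coming back.
        p["echoed"] = sorted(set(p["sent"]) & set(p["got"]))
    return dict(peers)

if __name__ == "__main__":
    for name, s in summarize(SAMPLE.splitlines()).items():
        print(name, "sent", len(s["sent"]), "got", len(s["got"]), "echoed", s["echoed"],
              "no_response", s["no_response"], "tcp_fallback", s["tcp_fallback"])
```

Run over the full log, an empty `echoed` list alongside non-empty `got` means packets arrive from the peer but none matches a probe this node sent, which is the pattern to compare against the firewall counters on the remote side.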


