[HELP] Ping to the def. GW works only if tcpdump is on

user · September 6, 2009, 1:53pm

Hi,

I am totally confused. From one of my servers I can ping the default GW only if tcpdump is running on this machine - what the hell is going on??? What does tcpdump change that suddenly the network is available and when I switch off tcpdump nothing is pingable except the local network (but not the gateway)??? Anyone has any idea?

OK, from the beginning.

The IP config of this strange host:

dbsiteui:~ # ifconfig

eth0      Link encap:Ethernet  HWaddr 00:1B:78:99:1F:A0

          inet addr:10.16.61.22  Bcast:10.16.61.255  Mask:255.255.255.0

          inet6 addr: fe80::21b:78ff:fe99:1fa0/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:23299 errors:0 dropped:0 overruns:0 frame:0

          TX packets:17322 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:24057584 (22.9 Mb)  TX bytes:3569924 (3.4 Mb)

          Interrupt:16 Memory:f8000000-f8011100

lo        Link encap:Local Loopback

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:79 errors:0 dropped:0 overruns:0 frame:0

          TX packets:79 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:9533 (9.3 Kb)  TX bytes:9533 (9.3 Kb)

dbsiteui:~ # netstat -rn

Kernel IP routing table

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface

10.16.61.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0

169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0

127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo

0.0.0.0         10.16.61.1      0.0.0.0         UG        0 0          0 eth0

dbsiteui:~ # ip addr sh

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000

    link/ether 00:1b:78:99:1f:a0 brd ff:ff:ff:ff:ff:ff

    inet 10.16.61.22/24 brd 10.16.61.255 scope global eth0

    inet6 fe80::21b:78ff:fe99:1fa0/64 scope link

       valid_lft forever preferred_lft forever

3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000

    link/ether 00:1b:78:99:1f:9e brd ff:ff:ff:ff:ff:ff

4: sit0: <NOARP> mtu 1480 qdisc noqueue

    link/sit 0.0.0.0 brd 0.0.0.0

dbsiteui:~ # ip route sh

10.16.61.0/24 dev eth0  proto kernel  scope link  src 10.16.61.22

169.254.0.0/16 dev eth0  scope link

127.0.0.0/8 dev lo  scope link

default via 10.16.61.1 dev eth0

Now similar host in the same subnet - everything is working fine:


dbsitecu:~ # ifconfig

eth0      Link encap:Ethernet  HWaddr 00:1B:78:99:1F:32

          inet addr:10.16.61.23  Bcast:10.16.61.255  Mask:255.255.255.0

          inet6 addr: fe80::21b:78ff:fe99:1f32/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:951593 errors:0 dropped:0 overruns:0 frame:0

          TX packets:397028 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:202256460 (192.8 Mb)  TX bytes:159600871 (152.2 Mb)

          Interrupt:16 Memory:f8000000-f8011100

eth1      Link encap:Ethernet  HWaddr 00:1B:78:99:1F:30

          inet addr:10.16.200.23  Bcast:10.16.200.255  Mask:255.255.255.0

          inet6 addr: fe80::21b:78ff:fe99:1f30/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:744410 errors:0 dropped:0 overruns:0 frame:0

          TX packets:30 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:55594176 (53.0 Mb)  TX bytes:1994 (1.9 Kb)

          Interrupt:17 Memory:fa000000-fa011100

lo        Link encap:Local Loopback

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:623 errors:0 dropped:0 overruns:0 frame:0

          TX packets:623 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:36547 (35.6 Kb)  TX bytes:36547 (35.6 Kb)


dbsitecu:~ # netstat -rn

Kernel IP routing table

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface

10.16.61.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0

10.16.200.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1

169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0

127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo

0.0.0.0         10.16.61.1      0.0.0.0         UG        0 0          0 eth0


dbsitecu:~ # ip addr sh

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000

    link/ether 00:1b:78:99:1f:32 brd ff:ff:ff:ff:ff:ff

    inet 10.16.61.23/24 brd 10.16.61.255 scope global eth0

    inet6 fe80::21b:78ff:fe99:1f32/64 scope link

       valid_lft forever preferred_lft forever

3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000

    link/ether 00:1b:78:99:1f:30 brd ff:ff:ff:ff:ff:ff

    inet 10.16.200.23/24 brd 10.16.200.255 scope global eth1

    inet6 fe80::21b:78ff:fe99:1f30/64 scope link

       valid_lft forever preferred_lft forever

4: sit0: <NOARP> mtu 1480 qdisc noqueue

    link/sit 0.0.0.0 brd 0.0.0.0

dbsitecu:~ # ip route sh

10.16.61.0/24 dev eth0  proto kernel  scope link  src 10.16.61.23

10.16.200.0/24 dev eth1  proto kernel  scope link  src 10.16.200.23

169.254.0.0/16 dev eth0  scope link

127.0.0.0/8 dev lo  scope link

default via 10.16.61.1 dev eth0

Now when I switch on tcp dump on 10.16.61.22 ping to the def. GW is working fine:

dbsiteui:~ # ping 10.16.61.1

PING 10.16.61.1 (10.16.61.1) 56(84) bytes of data.

64 bytes from 10.16.61.1: icmp_seq=1 ttl=255 time=0.402 ms

64 bytes from 10.16.61.1: icmp_seq=2 ttl=255 time=0.696 ms

64 bytes from 10.16.61.1: icmp_seq=3 ttl=255 time=0.546 ms

64 bytes from 10.16.61.1: icmp_seq=4 ttl=255 time=0.421 ms

64 bytes from 10.16.61.1: icmp_seq=5 ttl=255 time=0.312 ms

--- 10.16.61.1 ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4001ms

rtt min/avg/max/mdev = 0.312/0.475/0.696/0.134 ms

But if I stop tcpdump - ping to the GW fails (but still 10.16.61.23 is pingable):


dbsiteui:~ # ping 10.16.61.1

PING 10.16.61.1 (10.16.61.1) 56(84) bytes of data.

--- 10.16.61.1 ping statistics ---

16 packets transmitted, 0 received, 100% packet loss, time 14999ms.

Why 10.16.61.22 behaves in such a strange way?

PS. The system version on both machines is SUSE LINUX Enterprise Server 9 (x86_64) VERSION = 9, PATCHLEVEL = 3

user · September 6, 2009, 3:39pm

OK, I did some troubleshooting and I can specify my question:

why I cannot ping the default gateway unless the network interface is in the promiscuous mode…?

Thanks in advance for any help!
Joanna

ken_yap · September 6, 2009, 3:46pm

Bizarre, and I have no idea, but seeing as you are running a tcpdump, why not look at the ping replies to see if there is anything odd about them?

Wait, perhaps you have blocked ping replies in your firewall rules?

user · September 6, 2009, 4:06pm

Ping in the local network is working fine. If I ping 10.16.61.22 from 10.16.61.23 (or the other way round) it works.
But if I want to ping the default gateway (10.16.61.1) or anything outside the local subnet - it fails unless I enable the promiscuous mode on the eth0.

And if I ping 10.16.61.1 from 10.16.61.23 or some hosts from other subnets (e.g. 10.16.63.41) - the ping is successfull. Only 10.16.61.22 cannot ping 10.16.61.1 unless in promiscuous mode.

Cheers,
Joanna

ab · September 7, 2009, 8:11am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would get a problem with some other network setting. What do you get
from the following commands:

ip addr
ip route

Also have you customized your firewall? By default everything SUSE-ish
allows pings to work in either direction.

Good luck.

ciri fiona wrote:
> Ping in the local network is working fine. If I ping 10.16.61.22 from
> 10.16.61.23 (or the other way round) it works.
> But if I want to ping the default gateway (10.16.61.1) or anything
> outside the local subnet - it fails unless I enable the promiscuous mode
> on the eth0.
>
> And if I ping 10.16.61.1 from 10.16.61.23 or some hosts from other
> subnets (e.g. 10.16.63.41) - the ping is successfull. Only 10.16.61.22
> cannot ping 10.16.61.1 unless in promiscuous mode.
>
> Cheers,
> Joanna
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJKpKQiAAoJEF+XTK08PnB5UqkP/R365GkEdKf4uzj90VIj/QrJ
ANgFQM1LZSM5U3Q8h6ZJj79/uXwYUnPrpVE02Up7ExDnEY7U9w1QpoYxbckrLbaP
a9fdPsLRAJnreTCjrVXLPaigTwQ4bYYQYBPr4K9k82l2ydP0p24jA/I2KcAK5AVI
coHe3Ab6ZAKn/xH0SSdn1DuCYoY45kUQTBr9WCuJjjpysiL0deYEdc08YglgWpF3
oLFU6oUnJTveHQqxmCuCaMA5v5nxpygWCvoHgzWOBzukzQW06Lvgjqco3hQGaaAr
mspfb9+/QvKHc/biDuF7gWQD4tJNKs9JEe6+dXimZS1NQjm37/nyBVPRzcuhSkBt
1c7Xw1D1STexSblywi81SQwInW1xQXlnRz2owffuxWwD/GFlHzgj9xUb4Dch/DmG
yKT1fREJuWkpW1Fc7LrzbP4RGRWQzo82ddhUXd79yolTgakjiDmpgnfWt63wN1SL
53xouByOOGuGvnQda5W3Q5FqwnVw1lBjEXsIvy9jveDDNAWQCoZluuIKeuspUcrS
0eD0MxfztldDJcD85UNZNW12eZL3saD2BxELiOOSlw7fsHNQZVk9MduRRIp5DcMu
7Cp3v6DLbTqLN/c9GUXtpheVE9BvaQKmYwUf7TNGNpRLy232CiP5Dmj65mqEH1tD
AW0Tdf5M8xKCWvmOD5yf
=xw8j
-----END PGP SIGNATURE-----

user · September 7, 2009, 9:05am

Please find below:


dbsiteui:/etc/sysconfig # ip addr

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000

    link/ether 00:1b:78:99:1f:a0 brd ff:ff:ff:ff:ff:ff

    inet 10.16.61.22/24 brd 10.16.61.255 scope global eth0

    inet6 fe80::21b:78ff:fe99:1fa0/64 scope link

       valid_lft forever preferred_lft forever

3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000

    link/ether 00:1b:78:99:1f:9e brd ff:ff:ff:ff:ff:ff

4: sit0: <NOARP> mtu 1480 qdisc noqueue

    link/sit 0.0.0.0 brd 0.0.0.0

dbsiteui:/etc/sysconfig # ip route

10.16.61.0/24 dev eth0  proto kernel  scope link  src 10.16.61.22

169.254.0.0/16 dev eth0  scope link

127.0.0.0/8 dev lo  scope link

default via 10.16.61.1 dev eth0

user · September 7, 2009, 11:42am

OK, after some troubleshooting it turned out that there is an IP address conflict (?) and the router is sending packets to the wrong MAC address.
On the other hand after I changed the IP to something else, nothing is responding to the pings at 10.16.61.22 so maybe something got stack in the ARP table on the router or I do not know…?
Anyway after I changed the IP everything works fine.

Thanks for all your comments.
Cheers,
Joanna