[gentoo-user] Can't ping remote system

[gentoo-user] Can't ping remote system

[Grant]

My laptop can't ping my remote system but it can ping others
(google.com, yahoo.com, etc).  I've tried disabling my firewall on
both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
my AT&T business ADSL connection on the remote system be blocking
inbound pings?

- Grant

Re: [gentoo-user] Can't ping remote system

[Michael Hampicke]

[-- Attachment #1: Type: text/plain, Size: 473 bytes --]

Am 01.09.2013 14:28, schrieb Grant:
> My laptop can't ping my remote system but it can ping others
> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
> both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
> my AT&T business ADSL connection on the remote system be blocking
> inbound pings?
> 

Possible, have you tried pinging your remote system from a different
location? You may try http://www.downforeveryoneorjustme.com/


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-user] Can't ping remote system

[Michael Hampicke]

[-- Attachment #1: Type: text/plain, Size: 583 bytes --]

Am 01.09.2013 14:54, schrieb Michael Hampicke:
> Am 01.09.2013 14:28, schrieb Grant:
>> My laptop can't ping my remote system but it can ping others
>> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
>> both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
>> my AT&T business ADSL connection on the remote system be blocking
>> inbound pings?
>>
> 
> Possible, have you tried pinging your remote system from a different
> location? You may try http://www.downforeveryoneorjustme.com/
> 


Sorry, wrong link: http://ping.eu/ping/


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-user] Can't ping remote system

[Grant]

>>> My laptop can't ping my remote system but it can ping others
>>> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
>>> both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
>>> my AT&T business ADSL connection on the remote system be blocking
>>> inbound pings?
>>>
>>
>> Possible, have you tried pinging your remote system from a different
>> location? You may try http://www.downforeveryoneorjustme.com/
>>
>
>
> Sorry, wrong link: http://ping.eu/ping/

I get 100% packet loss when pinging from there.

- Grant

Re: [gentoo-user] Can't ping remote system

[Alan McKinnon]

On 01/09/2013 15:28, Grant wrote:
>>>> My laptop can't ping my remote system but it can ping others
>>>> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
>>>> both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
>>>> my AT&T business ADSL connection on the remote system be blocking
>>>> inbound pings?
>>>>
>>>
>>> Possible, have you tried pinging your remote system from a different
>>> location? You may try http://www.downforeveryoneorjustme.com/
>>>
>>
>>
>> Sorry, wrong link: http://ping.eu/ping/
> 
> I get 100% packet loss when pinging from there.
> 
> - Grant
> 

try an icmp traceroute, if you are lucky you'll get a result that tells
you on which hop the pings cease to work:

traceroute -I

but do read the man page (traceroute is like ps in that there are many
versions around and options don't always match up with what folk say on
mailing lists)

-- 
Alan McKinnon
alan.mckinnon@gmail.com

[gentoo-user] Re: Can't ping remote system

[Nikos Chantziaras]

On 01/09/13 15:28, Grant wrote:
> My laptop can't ping my remote system but it can ping others
> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
> both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
> my AT&T business ADSL connection on the remote system be blocking
> inbound pings?

A possible reason is that the packet filter on your router is blocking 
this.  (Meaning the router that also houses the ADSL modem.)  And it's 
actually the router itself that replies to pings; the packets never make 
it to your machine.  Usually there's a setting in the router's settings 
page where you can allow ICMP replies.

So it's worth digging into the router's settings and see what you can 
find, if this is the setup you have.  But since you mentioned "business 
connection", you might actually not have such a SOHO router + modem combo.

Re: [gentoo-user] Can't ping remote system

[Grant]

>>>>> My laptop can't ping my remote system but it can ping others
>>>>> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
>>>>> both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
>>>>> my AT&T business ADSL connection on the remote system be blocking
>>>>> inbound pings?
>>>>>
>>>> Possible, have you tried pinging your remote system from a different
>>>> location? You may try http://www.downforeveryoneorjustme.com/
>>>
>>> Sorry, wrong link: http://ping.eu/ping/
>>
>> I get 100% packet loss when pinging from there.
>
> try an icmp traceroute, if you are lucky you'll get a result that tells
> you on which hop the pings cease to work:
>
> traceroute -I
>
> but do read the man page (traceroute is like ps in that there are many
> versions around and options don't always match up with what folk say on
> mailing lists)

I did 'traceroute -w 30 -I ip-address' several times and the last IP
displayed is always the same.  I looked it up and it's an AT&T IP
supposedly located about 1500 miles from my machine which is also on
an AT&T connection.  Does this tell me anything?

- Grant

Re: [gentoo-user] Re: Can't ping remote system

[Grant]

>> My laptop can't ping my remote system but it can ping others
>> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
>> both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
>> my AT&T business ADSL connection on the remote system be blocking
>> inbound pings?
>
> A possible reason is that the packet filter on your router is blocking this.
> (Meaning the router that also houses the ADSL modem.)  And it's actually the
> router itself that replies to pings; the packets never make it to your
> machine.  Usually there's a setting in the router's settings page where you
> can allow ICMP replies.
>
> So it's worth digging into the router's settings and see what you can find,
> if this is the setup you have.  But since you mentioned "business
> connection", you might actually not have such a SOHO router + modem combo.

I bet you're right.  This sort of thing occurred to me earlier so I
went to look for that type of setting but I need the access code from
the bottom of the device which I can't get until tomorrow.  I will try
then and report back.

Thanks,
Grant

Re: [gentoo-user] Can't ping remote system

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 1517 bytes --]

On Sunday 01 Sep 2013 16:04:17 Grant wrote:
> >>>>> My laptop can't ping my remote system but it can ping others
> >>>>> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
> >>>>> both ends with '/etc/init.d/shorewall stop && shorewall clear'. 
> >>>>> Could my AT&T business ADSL connection on the remote system be
> >>>>> blocking inbound pings?
> >>>> 
> >>>> Possible, have you tried pinging your remote system from a different
> >>>> location? You may try http://www.downforeveryoneorjustme.com/
> >>> 
> >>> Sorry, wrong link: http://ping.eu/ping/
> >> 
> >> I get 100% packet loss when pinging from there.
> > 
> > try an icmp traceroute, if you are lucky you'll get a result that tells
> > you on which hop the pings cease to work:
> > 
> > traceroute -I
> > 
> > but do read the man page (traceroute is like ps in that there are many
> > versions around and options don't always match up with what folk say on
> > mailing lists)
> 
> I did 'traceroute -w 30 -I ip-address' several times and the last IP
> displayed is always the same.  I looked it up and it's an AT&T IP
> supposedly located about 1500 miles from my machine which is also on
> an AT&T connection.  Does this tell me anything?
> 
> - Grant

Out of interest, does it show the same with you use the -T option?  It could 
well be a congested link.  Try again in off peak times to see if it still 
drops packets.  If it happens off peak it could well be a misconfigured node.
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-user] Can't ping remote system

[Alan McKinnon]

On 01/09/2013 17:04, Grant wrote:
>>>>>> My laptop can't ping my remote system but it can ping others
>>>>>> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
>>>>>> both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
>>>>>> my AT&T business ADSL connection on the remote system be blocking
>>>>>> inbound pings?
>>>>>>
>>>>> Possible, have you tried pinging your remote system from a different
>>>>> location? You may try http://www.downforeveryoneorjustme.com/
>>>>
>>>> Sorry, wrong link: http://ping.eu/ping/
>>>
>>> I get 100% packet loss when pinging from there.
>>
>> try an icmp traceroute, if you are lucky you'll get a result that tells
>> you on which hop the pings cease to work:
>>
>> traceroute -I
>>
>> but do read the man page (traceroute is like ps in that there are many
>> versions around and options don't always match up with what folk say on
>> mailing lists)
> 
> I did 'traceroute -w 30 -I ip-address' several times and the last IP
> displayed is always the same.  I looked it up and it's an AT&T IP
> supposedly located about 1500 miles from my machine which is also on
> an AT&T connection.  Does this tell me anything?


Yes, it tells you that all hops up to that point at least respond to
the kinds of icmp packets traceroute uses. The first hop that fails to
answer isn't answering.

You are looking for possible reasons why icmp might not be working out
properly - that router is your first suspect. Admittedly, it might be
blocking traceroute pings and still allow the responses you seek, but
you have to start somewhere :-)

The problem you are trying to track down is notoriously tricky to nail
down exactly as too many ISPs out there obsessively block useful icmp
traffic. They believe it's security. I believe it's security theatre and
makes fault finding on a live network infernally difficult.

Mick is on the right track - deal with each issue one by one till you
hit paydirt.



-- 
Alan McKinnon
alan.mckinnon@gmail.com

Re: [gentoo-user] Can't ping remote system

[Grant]

>> >>>>> My laptop can't ping my remote system but it can ping others
>> >>>>> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
>> >>>>> both ends with '/etc/init.d/shorewall stop && shorewall clear'.
>> >>>>> Could my AT&T business ADSL connection on the remote system be
>> >>>>> blocking inbound pings?
>> >>>>
>> >>>> Possible, have you tried pinging your remote system from a different
>> >>>> location? You may try http://www.downforeveryoneorjustme.com/
>> >>>
>> >>> Sorry, wrong link: http://ping.eu/ping/
>> >>
>> >> I get 100% packet loss when pinging from there.
>> >
>> > try an icmp traceroute, if you are lucky you'll get a result that tells
>> > you on which hop the pings cease to work:
>> >
>> > traceroute -I
>> >
>> > but do read the man page (traceroute is like ps in that there are many
>> > versions around and options don't always match up with what folk say on
>> > mailing lists)
>>
>> I did 'traceroute -w 30 -I ip-address' several times and the last IP
>> displayed is always the same.  I looked it up and it's an AT&T IP
>> supposedly located about 1500 miles from my machine which is also on
>> an AT&T connection.  Does this tell me anything?
>>
>> - Grant
>
> Out of interest, does it show the same with you use the -T option?  It could
> well be a congested link.  Try again in off peak times to see if it still
> drops packets.  If it happens off peak it could well be a misconfigured node.

The last IP displayed is the same with the -T option.  Off-peak at the
destination?  I've actually been trying all day under those
conditions.  You don't think it's likely to be the ICMP setting on the
server's modem/router?

- Grant

Re: [gentoo-user] Can't ping remote system

[Grant]

>>>>>>> My laptop can't ping my remote system but it can ping others
>>>>>>> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
>>>>>>> both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
>>>>>>> my AT&T business ADSL connection on the remote system be blocking
>>>>>>> inbound pings?
>>
>> I did 'traceroute -w 30 -I ip-address' several times and the last IP
>> displayed is always the same.  I looked it up and it's an AT&T IP
>> supposedly located about 1500 miles from my machine which is also on
>> an AT&T connection.  Does this tell me anything?
>
> Yes, it tells you that all hops up to that point at least respond to
> the kinds of icmp packets traceroute uses. The first hop that fails to
> answer isn't answering.
>
> You are looking for possible reasons why icmp might not be working out
> properly - that router is your first suspect. Admittedly, it might be
> blocking traceroute pings and still allow the responses you seek, but
> you have to start somewhere :-)

So the culprit is the first IP that should appear in the list but
doesn't?  If so, how is that helpful since it's not displayed?

- Grant

Re: [gentoo-user] Can't ping remote system

[Alan McKinnon]

On 01/09/2013 20:07, Grant wrote:
>>>>>>>> My laptop can't ping my remote system but it can ping others
>>>>>>>> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
>>>>>>>> both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
>>>>>>>> my AT&T business ADSL connection on the remote system be blocking
>>>>>>>> inbound pings?
>>>
>>> I did 'traceroute -w 30 -I ip-address' several times and the last IP
>>> displayed is always the same.  I looked it up and it's an AT&T IP
>>> supposedly located about 1500 miles from my machine which is also on
>>> an AT&T connection.  Does this tell me anything?
>>
>> Yes, it tells you that all hops up to that point at least respond to
>> the kinds of icmp packets traceroute uses. The first hop that fails to
>> answer isn't answering.
>>
>> You are looking for possible reasons why icmp might not be working out
>> properly - that router is your first suspect. Admittedly, it might be
>> blocking traceroute pings and still allow the responses you seek, but
>> you have to start somewhere :-)
> 
> So the culprit is the first IP that should appear in the list but
> doesn't?  If so, how is that helpful since it's not displayed?


This is where it gets tricky. You identify the last router in the list
for which you have an address or name, and contact the NOC team for that
organization. Ask them for the next hop in routing for the destination
address you are trying to ping and hope that they will be kind enough to
help you out.


-- 
Alan McKinnon
alan.mckinnon@gmail.com

Re: [gentoo-user] Can't ping remote system

[Grant]

>>>>>>>>> My laptop can't ping my remote system but it can ping others
>>>>>>>>> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
>>>>>>>>> both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
>>>>>>>>> my AT&T business ADSL connection on the remote system be blocking
>>>>>>>>> inbound pings?
>>>>
>>>> I did 'traceroute -w 30 -I ip-address' several times and the last IP
>>>> displayed is always the same.  I looked it up and it's an AT&T IP
>>>> supposedly located about 1500 miles from my machine which is also on
>>>> an AT&T connection.  Does this tell me anything?
>>>
>>> Yes, it tells you that all hops up to that point at least respond to
>>> the kinds of icmp packets traceroute uses. The first hop that fails to
>>> answer isn't answering.
>>>
>>> You are looking for possible reasons why icmp might not be working out
>>> properly - that router is your first suspect. Admittedly, it might be
>>> blocking traceroute pings and still allow the responses you seek, but
>>> you have to start somewhere :-)
>>
>> So the culprit is the first IP that should appear in the list but
>> doesn't?  If so, how is that helpful since it's not displayed?
>
> This is where it gets tricky. You identify the last router in the list
> for which you have an address or name, and contact the NOC team for that
> organization. Ask them for the next hop in routing for the destination
> address you are trying to ping and hope that they will be kind enough to
> help you out.

Oh man that's funny.  Really?  Let's say they do pass along the info.
Then I hunt down contact info for the culprit router based on its IP
and tell them their stuff isn't working and hope they fix it?
Actually, since the last IP displayed is from AT&T and my server's ISP
is AT&T, I suppose it's extremely likely that the culprit is either an
AT&T router somewhere or my own server and I could find out by calling
AT&T.

- Grant

Re: [gentoo-user] Can't ping remote system

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 2192 bytes --]

On Sunday 01 Sep 2013 19:50:53 Grant wrote:

> >> So the culprit is the first IP that should appear in the list but
> >> doesn't?  If so, how is that helpful since it's not displayed?
> > 
> > This is where it gets tricky. You identify the last router in the list
> > for which you have an address or name, and contact the NOC team for that
> > organization. Ask them for the next hop in routing for the destination
> > address you are trying to ping and hope that they will be kind enough to
> > help you out.
> 
> Oh man that's funny.  Really?  Let's say they do pass along the info.
> Then I hunt down contact info for the culprit router based on its IP
> and tell them their stuff isn't working and hope they fix it?
> Actually, since the last IP displayed is from AT&T and my server's ISP
> is AT&T, I suppose it's extremely likely that the culprit is either an
> AT&T router somewhere or my own server and I could find out by calling
> AT&T.

It could well be your router and it is easy to confirm this after you set it 
up to respond to ping (or set it to forward all packets with ICMP protocol to 
your server while you're troubleshooting this).

After you set up your router/server to respond you should be getting a 
different mtr or traceroute output showing any hops in between you and your 
server that are dropping packets.  You may have to contact them if they are 
running a saturated link which is not allowing you to use the service you are 
paying them for.  Here's an example of saturated links:

# mtr -r -c 9 -n bbc.co.uk
Start: Sun Sep  1 20:03:24 2013
HOST: dell_xps                    Loss%   Snt   Last   Avg  Best  Wrst StDev
[snip ...]

  4.|-- 195.66.224.103             0.0%     9   65.8  41.1  26.0  77.3  19.1
  5.|-- ???                       100.0     9    0.0   0.0   0.0   0.0   0.0
  6.|-- ???                       100.0     9    0.0   0.0   0.0   0.0   0.0
  7.|-- 132.185.254.109            0.0%     9   28.1  32.5  27.0  55.7   9.7
  8.|-- 132.185.255.140            0.0%     9   27.0  27.5  26.4  29.0   0.6
  9.|-- 212.58.251.195             0.0%     9   27.5  28.0  27.1  28.9   0.4


-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-user] Can't ping remote system

[Grant]

>> >> So the culprit is the first IP that should appear in the list but
>> >> doesn't?  If so, how is that helpful since it's not displayed?
>> >
>> > This is where it gets tricky. You identify the last router in the list
>> > for which you have an address or name, and contact the NOC team for that
>> > organization. Ask them for the next hop in routing for the destination
>> > address you are trying to ping and hope that they will be kind enough to
>> > help you out.
>>
>> Oh man that's funny.  Really?  Let's say they do pass along the info.
>> Then I hunt down contact info for the culprit router based on its IP
>> and tell them their stuff isn't working and hope they fix it?
>> Actually, since the last IP displayed is from AT&T and my server's ISP
>> is AT&T, I suppose it's extremely likely that the culprit is either an
>> AT&T router somewhere or my own server and I could find out by calling
>> AT&T.
>
> It could well be your router and it is easy to confirm this after you set it
> up to respond to ping (or set it to forward all packets with ICMP protocol to
> your server while you're troubleshooting this).

I called AT&T and they say the Westell 6100 modem/router I have will
not respond to pings.  They said I could put it into bridged mode and
set up PPPoE on the computer connected to it which would cause ICMP
packets to pass through to the computer.  Would you guys recommend
that?  For sure I won't attempt this until I'm in the same room as the
device.

- Grant

[gentoo-user] Re: Can't ping remote system

[Nikos Chantziaras]

On 02/09/13 21:17, Grant wrote:
>>>>> So the culprit is the first IP that should appear in the list but
>>>>> doesn't?  If so, how is that helpful since it's not displayed?
>>>>
>>>> This is where it gets tricky. You identify the last router in the list
>>>> for which you have an address or name, and contact the NOC team for that
>>>> organization. Ask them for the next hop in routing for the destination
>>>> address you are trying to ping and hope that they will be kind enough to
>>>> help you out.
>>>
>>> Oh man that's funny.  Really?  Let's say they do pass along the info.
>>> Then I hunt down contact info for the culprit router based on its IP
>>> and tell them their stuff isn't working and hope they fix it?
>>> Actually, since the last IP displayed is from AT&T and my server's ISP
>>> is AT&T, I suppose it's extremely likely that the culprit is either an
>>> AT&T router somewhere or my own server and I could find out by calling
>>> AT&T.
>>
>> It could well be your router and it is easy to confirm this after you set it
>> up to respond to ping (or set it to forward all packets with ICMP protocol to
>> your server while you're troubleshooting this).
>
> I called AT&T and they say the Westell 6100 modem/router I have will
> not respond to pings.  They said I could put it into bridged mode and
> set up PPPoE on the computer connected to it which would cause ICMP
> packets to pass through to the computer.  Would you guys recommend
> that?  For sure I won't attempt this until I'm in the same room as the
> device.

You'll lose the router functionality doing that.  If you need to connect 
other machines to it, then it will only be able to act as a switch, 
meaning that everything you connect to it will either need to be on the 
same subnet, or you need to configure another machine to act as a router 
if you need to connect different subnets.  And the machine will also 
need to be always on in order to provide internet connectivity to other 
machines, since it will be the one that talks to the ADSL modem.

You'll also be losing NAT, which is quite nice for redirecting traffic 
on specific ports to whatever machine you want.  As with the router 
functionality, you will need to configure a Linux machine to do NAT if 
you want to keep having that feature.

There's also the issue of not being able to set up a firewall on the 
router itself anymore.  You can still do that on the target machine 
itself, of course, but there's the issue of creating a firewall on the 
machine you want to protect, which is not optimal (the analogy here 
being that if you want to protect something, you put it behind a wall 
rather than hardening it; even if it's hardened, it still gets hit.)

Or, you might not care about any of the above, in which case using the 
device as a simple ASDL modem (which is what bridging means) will work 
just fine.

Re: [gentoo-user] Can't ping remote system

[Alan McKinnon]

On 01/09/2013 20:50, Grant wrote:
>>>>>>>>>> My laptop can't ping my remote system but it can ping others
>>>>>>>>>> (google.com, yahoo.com, etc).  I've tried disabling my firewall on
>>>>>>>>>> both ends with '/etc/init.d/shorewall stop && shorewall clear'.  Could
>>>>>>>>>> my AT&T business ADSL connection on the remote system be blocking
>>>>>>>>>> inbound pings?
>>>>>
>>>>> I did 'traceroute -w 30 -I ip-address' several times and the last IP
>>>>> displayed is always the same.  I looked it up and it's an AT&T IP
>>>>> supposedly located about 1500 miles from my machine which is also on
>>>>> an AT&T connection.  Does this tell me anything?
>>>>
>>>> Yes, it tells you that all hops up to that point at least respond to
>>>> the kinds of icmp packets traceroute uses. The first hop that fails to
>>>> answer isn't answering.
>>>>
>>>> You are looking for possible reasons why icmp might not be working out
>>>> properly - that router is your first suspect. Admittedly, it might be
>>>> blocking traceroute pings and still allow the responses you seek, but
>>>> you have to start somewhere :-)
>>>
>>> So the culprit is the first IP that should appear in the list but
>>> doesn't?  If so, how is that helpful since it's not displayed?
>>
>> This is where it gets tricky. You identify the last router in the list
>> for which you have an address or name, and contact the NOC team for that
>> organization. Ask them for the next hop in routing for the destination
>> address you are trying to ping and hope that they will be kind enough to
>> help you out.
> 
> Oh man that's funny.  Really?  Let's say they do pass along the info.
> Then I hunt down contact info for the culprit router based on its IP
> and tell them their stuff isn't working and hope they fix it?
> Actually, since the last IP displayed is from AT&T and my server's ISP
> is AT&T, I suppose it's extremely likely that the culprit is either an
> AT&T router somewhere or my own server and I could find out by calling
> AT&T.


Well, I did try to convey a sense of what it sometimes takes to deal
with such things. Usually your ISP deals with it for you and you'd be
amazed how often they pick up the phone to do exactly what I described.

But I think this is getting OT to your actual problem. AT&T's routers
are probably not the cause, it only came up because of issues with
pinging things, and that is not what you are trying to solve.

-- 
Alan McKinnon
alan.mckinnon@gmail.com

Re: [gentoo-user] Can't ping remote system

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 4054 bytes --]

On Tuesday 03 Sep 2013 07:12:05 Alan McKinnon wrote:
> On 01/09/2013 20:50, Grant wrote:
> >>>>>>>>>> My laptop can't ping my remote system but it can ping others
> >>>>>>>>>> (google.com, yahoo.com, etc).  I've tried disabling my firewall
> >>>>>>>>>> on both ends with '/etc/init.d/shorewall stop && shorewall
> >>>>>>>>>> clear'.  Could my AT&T business ADSL connection on the remote
> >>>>>>>>>> system be blocking inbound pings?
> >>>>> 
> >>>>> I did 'traceroute -w 30 -I ip-address' several times and the last IP
> >>>>> displayed is always the same.  I looked it up and it's an AT&T IP
> >>>>> supposedly located about 1500 miles from my machine which is also on
> >>>>> an AT&T connection.  Does this tell me anything?
> >>>> 
> >>>> Yes, it tells you that all hops up to that point at least respond to
> >>>> the kinds of icmp packets traceroute uses. The first hop that fails to
> >>>> answer isn't answering.
> >>>> 
> >>>> You are looking for possible reasons why icmp might not be working out
> >>>> properly - that router is your first suspect. Admittedly, it might be
> >>>> blocking traceroute pings and still allow the responses you seek, but
> >>>> you have to start somewhere :-)
> >>> 
> >>> So the culprit is the first IP that should appear in the list but
> >>> doesn't?  If so, how is that helpful since it's not displayed?
> >> 
> >> This is where it gets tricky. You identify the last router in the list
> >> for which you have an address or name, and contact the NOC team for that
> >> organization. Ask them for the next hop in routing for the destination
> >> address you are trying to ping and hope that they will be kind enough to
> >> help you out.
> > 
> > Oh man that's funny.  Really?  Let's say they do pass along the info.
> > Then I hunt down contact info for the culprit router based on its IP
> > and tell them their stuff isn't working and hope they fix it?
> > Actually, since the last IP displayed is from AT&T and my server's ISP
> > is AT&T, I suppose it's extremely likely that the culprit is either an
> > AT&T router somewhere or my own server and I could find out by calling
> > AT&T.
> 
> Well, I did try to convey a sense of what it sometimes takes to deal
> with such things. Usually your ISP deals with it for you and you'd be
> amazed how often they pick up the phone to do exactly what I described.
> 
> But I think this is getting OT to your actual problem. AT&T's routers
> are probably not the cause, it only came up because of issues with
> pinging things, and that is not what you are trying to solve.

+1 on Alan's hunch.  I have not used Squid to comment on the specifics and 
also Grant stated that another proxy gave him similar symptoms.  From my 
limited knowledge a proxy could be stalling because of cache configuration 
problems, like running out fs space, or inodes and also running out of memory 
if it has to process simultaneous requests from too many clients at a time.  
If the problem also manifests when the clients are within the same subnet, 
then this is unlikely to be a network issue.

If all other causes are eliminated then a network related problem could be 
associated with TCP Window Scaling - but this would primarily show up on the 
transmission of larger files.  This is why I initially asked if the problem 
shows up on video/audio downloads rather than small web pages.

It's probably OT describing this problem here (Google can do it much better) 
but a quick test would show if this solves the problem:

echo 0 > /proc.sys/net/ipv4/tcp_default_window_scaling

Please check the man page because this key may have changed over time and 
indeed it may not be a problem in later kernels who may have been coded so as 
to compensate for dodgy routers.  This will slow down the connection because a 
smaller window size will be used, but there shouldn't be a problem of 
oversized packets being dropped by a misconfigured router on the way.  Shout 
if you need more detail.
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-user] Re: Can't ping remote system

[Grant]

>> I called AT&T and they say the Westell 6100 modem/router I have will
>> not respond to pings.  They said I could put it into bridged mode and
>> set up PPPoE on the computer connected to it which would cause ICMP
>> packets to pass through to the computer.  Would you guys recommend
>> that?  For sure I won't attempt this until I'm in the same room as the
>> device.
>
> You'll lose the router functionality doing that.  If you need to connect
> other machines to it, then it will only be able to act as a switch, meaning
> that everything you connect to it will either need to be on the same subnet,
> or you need to configure another machine to act as a router if you need to
> connect different subnets.  And the machine will also need to be always on
> in order to provide internet connectivity to other machines, since it will
> be the one that talks to the ADSL modem.
>
> You'll also be losing NAT, which is quite nice for redirecting traffic on
> specific ports to whatever machine you want.  As with the router
> functionality, you will need to configure a Linux machine to do NAT if you
> want to keep having that feature.
>
> There's also the issue of not being able to set up a firewall on the router
> itself anymore.  You can still do that on the target machine itself, of
> course, but there's the issue of creating a firewall on the machine you want
> to protect, which is not optimal (the analogy here being that if you want to
> protect something, you put it behind a wall rather than hardening it; even
> if it's hardened, it still gets hit.)
>
> Or, you might not care about any of the above, in which case using the
> device as a simple ASDL modem (which is what bridging means) will work just
> fine.

That's actually exactly what I want.  The Gentoo system connected to
the single-port Westell modem/router is already set up as a
router/firewall and it is the one doing NAT.  Thank you for the
run-down.  Now I feel like I know exactly what this change will mean.

- Grant

Re: [gentoo-user] Can't ping remote system

[Grant]

>>> This is where it gets tricky. You identify the last router in the list
>>> for which you have an address or name, and contact the NOC team for that
>>> organization. Ask them for the next hop in routing for the destination
>>> address you are trying to ping and hope that they will be kind enough to
>>> help you out.
>>
>> Oh man that's funny.  Really?  Let's say they do pass along the info.
>> Then I hunt down contact info for the culprit router based on its IP
>> and tell them their stuff isn't working and hope they fix it?
>> Actually, since the last IP displayed is from AT&T and my server's ISP
>> is AT&T, I suppose it's extremely likely that the culprit is either an
>> AT&T router somewhere or my own server and I could find out by calling
>> AT&T.
>
> Well, I did try to convey a sense of what it sometimes takes to deal
> with such things. Usually your ISP deals with it for you and you'd be
> amazed how often they pick up the phone to do exactly what I described.

You did, and I suppose it has to come down to that at some point.
Thank you for your help Alan.

- Grant

Re: [gentoo-user] Can't ping remote system

[Alan McKinnon]

On 05/09/2013 15:04, Grant wrote:
>>>> This is where it gets tricky. You identify the last router in the list
>>>> for which you have an address or name, and contact the NOC team for that
>>>> organization. Ask them for the next hop in routing for the destination
>>>> address you are trying to ping and hope that they will be kind enough to
>>>> help you out.
>>>
>>> Oh man that's funny.  Really?  Let's say they do pass along the info.
>>> Then I hunt down contact info for the culprit router based on its IP
>>> and tell them their stuff isn't working and hope they fix it?
>>> Actually, since the last IP displayed is from AT&T and my server's ISP
>>> is AT&T, I suppose it's extremely likely that the culprit is either an
>>> AT&T router somewhere or my own server and I could find out by calling
>>> AT&T.
>>
>> Well, I did try to convey a sense of what it sometimes takes to deal
>> with such things. Usually your ISP deals with it for you and you'd be
>> amazed how often they pick up the phone to do exactly what I described.
> 
> You did, and I suppose it has to come down to that at some point.
> Thank you for your help Alan.


You're welcome, and I hope you get the issue satisfactorily solved (I
don't envy you at all)


-- 
Alan McKinnon
alan.mckinnon@gmail.com

Re: [gentoo-user] Can't ping remote system

[Grant]

> +1 on Alan's hunch.  I have not used Squid to comment on the specifics and
> also Grant stated that another proxy gave him similar symptoms.  From my
> limited knowledge a proxy could be stalling because of cache configuration
> problems, like running out fs space, or inodes and also running out of memory
> if it has to process simultaneous requests from too many clients at a time.
> If the problem also manifests when the clients are within the same subnet,
> then this is unlikely to be a network issue.

Which hunch was that?  I snipped a lot above but I couldn't find it in there.

It's just one user (me) and I've fiddled with the cache (including
disabling it) and at least fs space and memory are good.

> If all other causes are eliminated then a network related problem could be
> associated with TCP Window Scaling - but this would primarily show up on the
> transmission of larger files.  This is why I initially asked if the problem
> shows up on video/audio downloads rather than small web pages.
>
> It's probably OT describing this problem here (Google can do it much better)
> but a quick test would show if this solves the problem:
>
> echo 0 > /proc.sys/net/ipv4/tcp_default_window_scaling
>
> Please check the man page because this key may have changed over time and
> indeed it may not be a problem in later kernels who may have been coded so as
> to compensate for dodgy routers.  This will slow down the connection because a
> smaller window size will be used, but there shouldn't be a problem of
> oversized packets being dropped by a misconfigured router on the way.  Shout
> if you need more detail.

I've tried all of these with no noticeable change:

echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

Not that anyone here should bother to read it, but here's a link to my
thread on the squid list where I tried all kinds of stuff:

http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-3-5-hangs-the-entire-system-td4660893.html

I think at this point I'm hoping that putting the server's
modem/router into bridged mode so it will respond to pings will clear
this up.  I think that's conceivable if the modem/router is also
failing to return Fragmentation Needed since its MTU is 1492.  Testing
the proxy from within the server's LAN as you suggested in my other
thread could also be informative.  Please let me know if there's
anything else I should try.

- Grant

Re: [gentoo-user] Can't ping remote system

[Grant]

>>>>> This is where it gets tricky. You identify the last router in the list
>>>>> for which you have an address or name, and contact the NOC team for that
>>>>> organization. Ask them for the next hop in routing for the destination
>>>>> address you are trying to ping and hope that they will be kind enough to
>>>>> help you out.
>>>>
>>>> Oh man that's funny.  Really?  Let's say they do pass along the info.
>>>> Then I hunt down contact info for the culprit router based on its IP
>>>> and tell them their stuff isn't working and hope they fix it?
>>>> Actually, since the last IP displayed is from AT&T and my server's ISP
>>>> is AT&T, I suppose it's extremely likely that the culprit is either an
>>>> AT&T router somewhere or my own server and I could find out by calling
>>>> AT&T.
>>>
>>> Well, I did try to convey a sense of what it sometimes takes to deal
>>> with such things. Usually your ISP deals with it for you and you'd be
>>> amazed how often they pick up the phone to do exactly what I described.
>>
>> You did, and I suppose it has to come down to that at some point.
>> Thank you for your help Alan.
>
> You're welcome, and I hope you get the issue satisfactorily solved (I
> don't envy you at all)

Well at this point I think the problem is that the server's Westell
6100 modem/router doesn't respond to pings unless it's in bridged mode
(according AT&T).  I'll put it into bridged mode the next time I'm
there.

- Grant

Re: [gentoo-user] Can't ping remote system

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 4548 bytes --]

On Thursday 05 Sep 2013 14:17:14 Grant wrote:
> > +1 on Alan's hunch.  I have not used Squid to comment on the specifics
> > and also Grant stated that another proxy gave him similar symptoms. 
> > From my limited knowledge a proxy could be stalling because of cache
> > configuration problems, like running out fs space, or inodes and also
> > running out of memory if it has to process simultaneous requests from
> > too many clients at a time. If the problem also manifests when the
> > clients are within the same subnet, then this is unlikely to be a
> > network issue.
> 
> Which hunch was that?  I snipped a lot above but I couldn't find it in
> there.

It was Alan's statement that this problem is not related to your AT&T router.



> It's just one user (me) and I've fiddled with the cache (including
> disabling it) and at least fs space and memory are good.

OK, this points away from your proxy configuration then.  I noticed you 
mentioning that the problem is manifested with a different proxy application, 
points to a network problem, unless the cache fs set up is exactly the same.  
As long as you have enough disk space and enough inodes, plus enough RAM, then 
all points to a network problem.


> > If all other causes are eliminated then a network related problem could
> > be associated with TCP Window Scaling - but this would primarily show up
> > on the transmission of larger files.  This is why I initially asked if
> > the problem shows up on video/audio downloads rather than small web
> > pages.

I have to come back to this.  I tried the www.google.com/nexus/ you mentioned 
and noticed that the page eats up 1.3MB to load fully, before it starts 
downloading a flash video.  So seems to be a relatively large amount of data 
that brings up this problem and this could point to tcp window scaling.


> I've tried all of these with no noticeable change:
> 
> echo 0 > /proc/sys/net/ipv4/tcp_ecn
> echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc

This should be *disabled* (double negative).  PMTU discovery is necessary if 
any nodes are using smaller than the default 1500 byte ethernet MTU value.  So 
you better set it as:

echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc


> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

This is typically enabled, but if you notice that a connection stalls and then 
later on it works fine again, it could be related to a firewall/router not 
responding as it should to tcp_window_scaling.  In this case disabling this 
would fix the problem when traversing problematic nodes.

If you saw no difference, this suggests that window scaling is not an issue.


> Not that anyone here should bother to read it, but here's a link to my
> thread on the squid list where I tried all kinds of stuff:
> 
> http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-3-5-hangs-the-en
> tire-system-td4660893.html

I read it and if the squid experts say it is a network problem, then it could 
well be - although the network problems can be more difficult to diagnose and 
resolve.


> I think at this point I'm hoping that putting the server's
> modem/router into bridged mode so it will respond to pings will clear
> this up.  

Well, we don't *know* that the router is the cause of the problem - yet.  
Setting it up in fully bridged mode and exposing your desktop directly to the 
Internet will definitely eliminate the router, because it will only be dealing 
with ATM packet encapsulation.


> I think that's conceivable if the modem/router is also
> failing to return Fragmentation Needed since its MTU is 1492.  Testing
> the proxy from within the server's LAN as you suggested in my other
> thread could also be informative.  Please let me know if there's
> anything else I should try.

I would start with the simplest tests first, which involve isolating suspect 
system components one at a time.  Trying to use the same laptop-desktop 
machines within the LAN, takes the router out the equation - full 1500 byte 
MTU will be used by both laptop and desktop.

If that works as intended then setting the router into fully bridged mode will 
eliminate that node and any problems that it may have with tcp window 
extensions.

Troubleshooting public nodes becomes more difficult, unless you happen to 
travel around and use networks that bypass the suspect nodes.  For all we know 
it could be the particular hotel firewall/router that is causing the problem.  
;-)

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-user] Can't ping remote system

[Grant]

>> > +1 on Alan's hunch.  I have not used Squid to comment on the specifics
>> > and also Grant stated that another proxy gave him similar symptoms.
>> > From my limited knowledge a proxy could be stalling because of cache
>> > configuration problems, like running out fs space, or inodes and also
>> > running out of memory if it has to process simultaneous requests from
>> > too many clients at a time. If the problem also manifests when the
>> > clients are within the same subnet, then this is unlikely to be a
>> > network issue.
>>
>> Which hunch was that?  I snipped a lot above but I couldn't find it in
>> there.
>
> It was Alan's statement that this problem is not related to your AT&T router.
>
> I have to come back to this.  I tried the www.google.com/nexus/ you mentioned
> and noticed that the page eats up 1.3MB to load fully, before it starts
> downloading a flash video.  So seems to be a relatively large amount of data
> that brings up this problem and this could point to tcp window scaling.

It also happens on very lightweight sites, but never on
squid-cache.org for some reason.

>> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
>
> This is typically enabled, but if you notice that a connection stalls and then
> later on it works fine again, it could be related to a firewall/router not
> responding as it should to tcp_window_scaling.  In this case disabling this
> would fix the problem when traversing problematic nodes.
>
> If you saw no difference, this suggests that window scaling is not an issue.

I just tested again and 'echo 0 >
/proc/sys/net/ipv4/tcp_window_scaling' on both the client and server
did not fix the stalls.

> I would start with the simplest tests first, which involve isolating suspect
> system components one at a time.  Trying to use the same laptop-desktop
> machines within the LAN, takes the router out the equation - full 1500 byte
> MTU will be used by both laptop and desktop.

OK I will try this as soon as I'm back in that location.

Thanks a lot,
Grant