On 2021-10-13, Peter J. Philipp <p...@delphinusdns.org> wrote:
> On Wed, Oct 13, 2021 at 08:02:35AM +0200, Michael Hekeler wrote:
>> Hello list,
>>
>> I have a question regarding network/routing. Although it is not directly
>> OpenBSD related (I can see the same even on Windows machines), I decided
>> to ask here because I know that there are many experienced admins here
>> and there is a wealth of expertise on such things on this list.
>>
>> On my site there are about 10 clients which connect to an internet
>> database host.
>> From time to time the connection gets lost and sometimes the clients
>> reconnect after a while, but sometimes the database app breaks.
This usually points me in the direction of either incorrect firewall rules,
or MTU problems.

One fairly common one with bad PF config is if some packets are allowed
through with creating firewall state; the TCP sequence number checking
doesn't work correctly if state is created on a packet other than the
initial SYN. (This can be avoided by having the first rule either pass or
preferably block all packets, and then refine things in later rules. If you
have a packet go through which doesn't match any of the rules in the set
there is an implicit "pass flags any no state" which you don't want to
match.)

MTU problems are most likely if you have a VPN or other tunnel run from a
router passing packets on to hosts connected over a normal network: the
tunnel runs at a reduced MTU but the end hosts don't know about it. With
some firewall configs, fragmentation-needed messages don't get through
properly ("path MTU blackhole"), resulting in connections breaking. The
usual fix for this is to clamp MSS on the tunnel router (with PF it's
"scrub max-mss") to a value low enough to fit through the tunnel, which
fixes things up for TCP packets.

>> When doing network diagnostics with mtr(8), which combines the
>> functionality of traceroute(8) and ping(8), it shows the packets hopping
>> through 8 to 9 hosts to reach the destination.
>> When running this tool for a few hours it shows that two hosts in this
>> route produce packet loss (~20%).
>>
>> My question:
>> is there anything I can do about that by myself or is the only option to
>> contact the admin of these hosts and hope that they are willing to fix
>> whatever problem there is?
>
> If you have 9 hops and the packet loss is on hop 4 and 5 but does not carry
> over to the destination you can ignore it. If it carries over to the
> destination, i.e. hops 6, 7, 8 and 9, then you should look further at
> reaching out.
>
> The reason is as follows: some routers pass packets through their ASICs for
> forwarding and it doesn't touch their processor at all, it's like offloading
> the entire packet forwarding process. Yet when you talk to the IP of the
> router directly, which is what ping does, then the processor in the router
> processes the packet and this may cause packet loss because usually they
> don't have a fast CPU here. And ICMP doesn't have much priority in this case
> either.

ICMP responses are often rate-limited too.

That is one common reason, and there is another: the return ICMP
ttl-exceeded messages are routed according to the route table of the
machine generating them (i.e. the intermediate routers). There can be
packet loss (or extra delays or whatever) on that return path that doesn't
affect packets returned from the destination. (There's no such thing as "a
route", there's a decision made at each hop for which way to send a packet,
it can vary from packet to packet, and it's often [usually, even] not
symmetric).

-- 
Please keep replies on the mailing list.
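The rule given above for reading the mtr output (loss at an intermediate hop only matters when it carries through to the destination), as an added example that is not part of the thread: a small Python script that parses constructed `mtr --report` output and applies that rule. The hop addresses and loss figures are made up; the report layout follows the standard mtr report columns.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `mtr --report` output (not from the thread): nine hops,
# with ~20% ICMP loss on hops 4 and 5 that does NOT carry over to the destination.
SAMPLE_REPORT = """\
HOST: client.example.net          Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%   200    0.4   0.5   0.3   1.2   0.1
  2.|-- 198.51.100.1               0.0%   200    4.1   4.3   3.9   6.0   0.3
  3.|-- 198.51.100.9               0.0%   200    8.0   8.2   7.7  10.1   0.4
  4.|-- 203.0.113.17              21.5%   200   12.3  12.6  11.9  15.0   0.6
  5.|-- 203.0.113.33              19.0%   200   13.1  13.4  12.8  16.2   0.7
  6.|-- 203.0.113.65               0.0%   200   18.9  19.2  18.4  22.0   0.8
  7.|-- 203.0.113.81               0.0%   200   22.0  22.4  21.5  25.3   0.9
  8.|-- 203.0.113.97               0.0%   200   25.7  26.0  25.1  29.4   1.0
  9.|-- 203.0.113.130              0.0%   200   27.2  27.5  26.7  31.0   1.1
"""

# "  4.|-- 203.0.113.17   21.5%   200 ..." -> hop number, host (or ???), loss%, sent
HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%\s+(\d+)")

Hop = Tuple[int, str, float]

def parse_mtr(report: str) -> List[Hop]:
    """Return (hop number, host, loss percent) for each hop line of an mtr report."""
    hops = []
    for line in report.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), float(m.group(3))))
    return hops

def classify_loss(hops: List[Hop], threshold: float = 1.0) -> Tuple[str, Optional[int]]:
    """Loss at an intermediate hop matters only if it persists through to the
    destination.  Returns ("ignore", None) when the destination itself is clean,
    otherwise ("investigate", first hop from which loss is continuous to the end)."""
    if not hops:
        raise ValueError("no hop lines found in report")
    if hops[-1][2] < threshold:
        # Destination answers cleanly: intermediate loss is the router's control
        # plane (ICMP rate-limiting, slow CPU) or the asymmetric return path.
        return "ignore", None
    first = len(hops) - 1            # walk back while the previous hop also loses
    while first > 0 and hops[first - 1][2] >= threshold:
        first -= 1
    return "investigate", hops[first][0]

if __name__ == "__main__":
    print(classify_loss(parse_mtr(SAMPLE_REPORT)))   # ('ignore', None)
```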