On 06/15/2017 07:10 AM, Philip Le Riche wrote:
> We have Shorewall 4 protecting the school network from a group of Raspberry Pis, which we operate from PCs on the school network using VNC running through Shorewall. For some weeks we've had frequent problems with VNC sessions hanging for around 30 seconds. I've been trying to track it down with increasingly focussed Wireshark captures, and this is what seems to be happening on one fairly typical hang:
>
> Two Pis are being controlled from separate PCs. I have ping running from the firewall to one of the Pis and also from the firewall to the default gateway on the school network.
>
> Hundreds of packets are passing through the firewall from one of the Pis to the PC controlling it, containing VNC screen update data. These are interspersed every second by a ping/reply to one of the Pis and a ping/reply to the default gateway.
>
> Suddenly TCP retransmissions of VNC traffic start appearing. Often at this point you see one or two other packets, such as an ntp or a VNC from the other Pi, but this may only be because they're no longer being hidden amongst a mass of VNC.
>
> More retransmissions from the Pi(s) but nothing on the school network NIC, and in particular, no pings to the default gateway.
>
> After around 10 seconds, the Pi network NIC sends ICMP network unreachable to both Pis.
>
> Sometimes I've seen ICMP host unreachable, I think from the school network NIC back to a Pi. Other times I've seen RST, ACK packets from one of the VNC client PCs - I don't see RST, ACK in the standard TCP state diagram.
>
> After a total of around 30 seconds, everything seems to recover, and pings reappear on the school network, though VNC generally has to open a new TCP connection.
>
> Only fairly recently have we regularly run more than one Pi at the same time. Maybe we're just running out of kernel buffers? Or we need a more powerful machine to run Shorewall? (It's an unremarkable desktop machine maybe 5 years old.) Or maybe I've just got something misconfigured. Ideas please?
Are you monitoring ARP traffic between the Shorewall box and the School network?

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
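To act on Tom's suggestion, the capture on the school-network NIC needs to be read for two things side by side: ARP requests for the default gateway that go unanswered, and the stretch of pings to that gateway that get no reply (plus any ICMP unreachables the firewall emits while it waits). The script below is an added example written for this thread, not code from the list or from the Shorewall project. It assumes the capture was saved as text with `tcpdump -tt -n` (epoch timestamps, no name resolution) and parses tcpdump's own line format for ARP, ICMP echo and ICMP unreachable messages; the addresses in the constructed sample (firewall 192.168.1.50 / 10.0.0.50, gateway 192.168.1.1, Pi 10.0.0.5) are placeholders, not the poster's.

```python
"""Correlate gateway ARP resolution with ping outages in a `tcpdump -tt -n` text capture."""
import re
from collections import OrderedDict

# tcpdump text formats this parser understands (epoch timestamp first, -n so no hostnames):
#   <ts> ARP, Request who-has <ip> tell <ip>, length 28
#   <ts> ARP, Reply <ip> is-at <mac>, length 28
#   <ts> IP <src> > <dst>: ICMP echo request|reply, id N, seq N, length 64
#   <ts> IP <src> > <dst>: ICMP net|host <ip> unreachable, length 36
ARP_REQ = re.compile(r"^(?P<ts>\d+\.\d+) ARP, Request who-has (?P<target>[^,\s]+) tell (?P<sender>[^,\s]+)")
ARP_REP = re.compile(r"^(?P<ts>\d+\.\d+) ARP, Reply (?P<ip>[^,\s]+) is-at (?P<mac>[^,\s]+)")
ECHO = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>[^:]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)")
UNREACH = re.compile(r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>[^:]+): ICMP (?P<what>.*?unreachable)")


def analyse(lines, gateway, arp_timeout=1.0):
    """Return gateway ARP requests left unanswered, ping outage windows, and ICMP unreachables."""
    pending_arp = []          # timestamps of ARP requests for the gateway still awaiting a reply
    unanswered_arp = []
    echo_req = OrderedDict()  # (id, seq) -> request timestamp, kept in capture order
    answered = set()          # (id, seq) pairs for which the gateway replied
    unreachables = []         # (ts, src, dst, text) of ICMP unreachable messages seen

    for line in lines:
        m = ARP_REQ.match(line)
        if m and m.group("target") == gateway:
            pending_arp.append(float(m.group("ts")))
            continue
        m = ARP_REP.match(line)
        if m and m.group("ip") == gateway:
            ts = float(m.group("ts"))
            # A reply settles every pending request; those that waited longer than
            # arp_timeout are still recorded as unanswered, since the stack will have
            # retried and dropped packets in the meantime.
            unanswered_arp += [t for t in pending_arp if ts - t > arp_timeout]
            pending_arp = []
            continue
        m = ECHO.match(line)
        if m:
            key = (m.group("id"), int(m.group("seq")))
            if m.group("kind") == "request" and m.group("dst") == gateway:
                echo_req[key] = float(m.group("ts"))
            elif m.group("kind") == "reply" and m.group("src") == gateway:
                answered.add(key)
            continue
        m = UNREACH.match(line)
        if m:
            unreachables.append((float(m.group("ts")), m.group("src"), m.group("dst"), m.group("what")))

    unanswered_arp += pending_arp  # requests never answered before the capture ended

    # Group consecutive unanswered echo requests into outage windows (first_ts, last_ts).
    outages, current = [], None
    for key, ts in echo_req.items():
        if key in answered:
            if current:
                outages.append(current)
                current = None
        else:
            current = (current[0], ts) if current else (ts, ts)
    if current:
        outages.append(current)

    return {"unanswered_arp": sorted(unanswered_arp), "ping_outages": outages, "unreachables": unreachables}


# Constructed sample capture (not from the thread): two good pings, then the gateway stops
# answering ARP, four pings go unanswered, the firewall tells a Pi the network is unreachable,
# and once an ARP reply arrives the pings recover.
SAMPLE_CAPTURE = """\
1497539401.000000 IP 192.168.1.50 > 192.168.1.1: ICMP echo request, id 4242, seq 1, length 64
1497539401.000900 IP 192.168.1.1 > 192.168.1.50: ICMP echo reply, id 4242, seq 1, length 64
1497539402.000000 IP 192.168.1.50 > 192.168.1.1: ICMP echo request, id 4242, seq 2, length 64
1497539402.000800 IP 192.168.1.1 > 192.168.1.50: ICMP echo reply, id 4242, seq 2, length 64
1497539402.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
1497539403.000000 IP 192.168.1.50 > 192.168.1.1: ICMP echo request, id 4242, seq 3, length 64
1497539403.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
1497539404.000000 IP 192.168.1.50 > 192.168.1.1: ICMP echo request, id 4242, seq 4, length 64
1497539404.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
1497539405.000000 IP 192.168.1.50 > 192.168.1.1: ICMP echo request, id 4242, seq 5, length 64
1497539406.000000 IP 192.168.1.50 > 192.168.1.1: ICMP echo request, id 4242, seq 6, length 64
1497539406.100000 IP 10.0.0.50 > 10.0.0.5: ICMP net 192.168.1.0 unreachable, length 36
1497539407.200000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
1497539407.300000 IP 192.168.1.50 > 192.168.1.1: ICMP echo request, id 4242, seq 7, length 64
1497539407.300700 IP 192.168.1.1 > 192.168.1.50: ICMP echo reply, id 4242, seq 7, length 64
"""

if __name__ == "__main__":
    report = analyse(SAMPLE_CAPTURE.splitlines(), "192.168.1.1")
    print("unanswered ARP requests for gateway:", report["unanswered_arp"])
    print("ping outage windows (start, end):", report["ping_outages"])
    for ts, src, dst, what in report["unreachables"]:
        print(f"{ts:.3f} {src} -> {dst}: ICMP {what}")
```

On a real capture (`tcpdump -tt -n -i <school-nic> 'arp or icmp' > school.txt`, then feed the file's lines to `analyse`), an outage window that starts right after the first unanswered ARP request and ends only once a reply for the gateway arrives points at neighbour resolution on that link rather than at buffer exhaustion on the firewall; an outage with ARP replies flowing normally throughout points elsewhere.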
