[SOLVED] host does not use routing table

m4rtin · 11-08-2012, 03:23 AM

eth0 interface of T60 machine has IP address 10.10.10.2/24. I would like to ping 10.10.11.2 and T60 machine should use 10.10.10.1 gateway for this according to routing table:

Code:

T60:~ # ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:15:58:2A:84:3E  
          inet addr:10.10.10.2  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::215:58ff:fe2a:843e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1409 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3192 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:840427 (820.7 Kb)  TX bytes:633204 (618.3 Kb)
          Interrupt:16 Memory:ee000000-ee020000 

T60:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.10.11.0      10.10.10.1      255.255.255.0   UG    0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 wlan0
T60:~ # ping -qc10 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.

--- 10.10.10.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 8996ms
rtt min/avg/max/mdev = 0.571/0.619/0.684/0.039 ms
T60:~ # ping -c2 10.10.11.2
PING 10.10.11.2 (10.10.11.2) 56(84) bytes of data.
From 10.10.10.2 icmp_seq=1 Destination Host Unreachable
From 10.10.10.2 icmp_seq=2 Destination Host Unreachable

--- 10.10.11.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1008ms
pipe 2
T60:~ #

However, T60 assumes that 10.10.11.2 is in the same broadcast domain:

Code:

10:58:40.590788 ARP, Request who-has 10.10.11.2 tell 10.10.10.2, length 28
10:58:41.590776 ARP, Request who-has 10.10.11.2 tell 10.10.10.2, length 28
10:58:42.590787 ARP, Request who-has 10.10.11.2 tell 10.10.10.2, length 28

Any ideas what might cause this? Looks like T60 ignores the routing table. In addition, sometimes if I ping 10.10.11.2 I receive following strange "Redirect Host" message from my router:

Code:

T60:~ # ping 10.10.11.2
PING 10.10.11.2 (10.10.11.2) 56(84) bytes of data.
64 bytes from 10.10.11.2: icmp_seq=1 ttl=63 time=0.259 ms
From 10.10.10.1: icmp_seq=1 Redirect Host(New nexthop: 10.10.11.2)
From 10.10.10.2 icmp_seq=2 Destination Host Unreachable
From 10.10.10.2 icmp_seq=3 Destination Host Unreachable

..and at the same time see following in tcpdump output:

Code:

11:47:05.109178 IP 10.10.10.2 > 10.10.11.2: ICMP echo request, id 7409, seq 1, length 64
11:47:05.109445 IP 10.10.11.2 > 10.10.10.2: ICMP echo reply, id 7409, seq 1, length 64
11:47:05.109472 IP 10.10.10.1 > 10.10.10.2: ICMP redirect 10.10.11.2 to host 10.10.11.2, length 36
11:47:05.110711 ARP, Request who-has 10.10.11.2 tell 10.10.10.2, length 28
11:47:06.110732 ARP, Request who-has 10.10.11.2 tell 10.10.10.2, length 28
11:47:07.110731 ARP, Request who-has 10.10.11.2 tell 10.10.10.2, length 28

However, my routing table still looks fine:

Code:

T60:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.10.11.0      10.10.10.1      255.255.255.0   UG    0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 wlan0
T60:~ #

acid_kewpie · 11-08-2012, 04:24 AM

to me it looks like it's the router being weird, not the host. it's apparently the router that's giving back the ICMP redirect telling the client that the remote box is actually local. I've never dealt with ICMP redirects, but presumably they will be kept by the client for a while and then timeout (as it's not a connection orientated protocol things need to be cached with brute force rules rather than a subtler implicit approach), which is when you'd get the redirect again.

It might be a little more useful to also look at the mac addresses of the boxes in the tcpdump, add an -e to the command and verify that the L2 conversation is only between the client and the router.

m4rtin · 11-08-2012, 05:18 AM

Quote:

Originally Posted by acid_kewpie

to me it looks like it's the router being weird, not the host. it's apparently the router that's giving back the ICMP redirect telling the client that the remote box is actually local. I've never dealt with ICMP redirects, but presumably they will be kept by the client for a while and then timeout (as it's not a connection orientated protocol things need to be cached with brute force rules rather than a subtler implicit approach), which is when you'd get the redirect again.

It might be a little more useful to also look at the mac addresses of the boxes in the tcpdump, add an -e to the command and verify that the L2 conversation is only between the client and the router.

Yes, to me it looks the same. Looks like the information received by ICMP Redirect Message -s are not put to the kernel Forwarding Information Base(route -n), but it's put to the kernel routing cache(route -nC) and as you said, it seems to time out after 600s.
The "ICMP redirect" message is sent by the router interface according to "tcpdump -nei eth0" in T60 machine and conversation is only between T60 and my gateway.

Any other ideas?

acid_kewpie · 11-08-2012, 08:06 AM

Well I'd be looking into the router config. anything gonky about it?

mmheera · 11-08-2012, 11:13 AM

Since you have only one interface,and it's connected to one router, you don't need specific routing entry for any particular network I guess. In any case you should be able to ping your router first, if it is your default gateway. The other networks come second. If your router(the default gateway) is set up correctly, it would know which traffic where to send. It seems the traffic can go out only and can't return. Configure a default gateway and see.

Thanks!

m4rtin · 11-08-2012, 05:18 PM

Quote:

Originally Posted by acid_kewpie

Well I'd be looking into the router config. anything gonky about it?

Finally I just disabled ICMP redirects in the router. I'm afraid it was a router software bug.

acid_kewpie · 11-09-2012, 02:17 AM

curious, what kind of kit is it?

m4rtin · 11-09-2012, 12:34 PM

Quote:

Originally Posted by acid_kewpie

curious, what kind of kit is it?

It is a Juniper M10i with JUNOS 10.4R9.2. I did not find exact JUNOS problem report(PR), but there has been few related to ICMP redirect messages. For example:

Code:

No ICMP host redirect messages are generated when there are multiple VLANs configured on an interface (multiple logical interfaces on a single physical interface).[PR/559317]

acid_kewpie · 11-09-2012, 02:15 PM

Hmm, yeah I wondered if there could be some nasty vlan misconfiguration. I don't see JunOS doing this without due cause.

If you have two IPs on different subnets but the same interface, then the connection is going to enter and leave on the same interface, and a firewall isn't going to like that at all, so here is telling the client to not go via it in the first place. one subnet = one vlan.