
Routing issue with XEN / XCP



Hi all,

I have an XCP host based on Debian, that contains a number of virtual
machines for my internal network. A basic diagram of my network is here:

https://www.gently.org.uk/gently-network.jpeg

The 'gateway' vm is the only thing connected directly to the cable modem.
eth0 receives its IP address via DHCP. eth1 has a fixed 'internal'
(192.168.x.x) address, as do the 'mailnews' vm, the separate (physical) NAS
server and the other machines on the internal network.

The gateway contains firewall rules to forward incoming traffic from the
internet to appropriate internal machines, allow ssh access, imap etc.

Up until recently, all was working perfectly. Last week I accidentally
rebooted the xcp host machine (typing reboot into the wrong console window!)
and since then I've been experiencing some odd behaviour:

1. From the internet, I can use the port forwarded SSH port connected to the
NAS server to perform file transfers from the NAS.

2. From any virtual machine on the XCP host, I can perform ssh transfers
from any other machine in my network (including other virtual machines on
the same XCP host).

3. If I try to perform the same transfer from the internet to the ssh port
on (say) the 'mailnews' virtual machine, I get next to no traffic at all. It
appears that a few packets will flow initially, but the connection then
stalls.

As far as I can tell all the iptables rules for forwarding are set up
correctly in the 'gateway' virtual machine (as I can successfully make
transfers from the internet to the nas server). However, any ports that are
forwarded to virtual machines on the XCP host show this slow behaviour.

I should point out that it's not just ssh traffic that's affected. If I use
(for example) Thunderbird from my work PC to access the imap server on the
'mailnews' virtual machine, I see the same stalling behaviour.

Today I've installed the perdition imap proxy on the NAS machine, and
changed the forwarding rule on 'gateway' such that incoming imap traffic is
sent to the imap port on 'nas', which then makes a connection to the
'mailnews' imap port. This works perfectly, with no speed issues.

It seems to me that something is confusing the networking side of the XEN /
XCP machine, in that packets that are rewritten by iptables on the 'gateway'
machine are not being correctly handled, causing the slow connections.

Can anyone offer any suggestions as to what I can try to work out what's
going on? As I said, as far as I'm aware no changes were made other than a
reboot of the xcp host. I've even tried going back in kernel versions on
both 'gateway' vm and xcp host, without any success (that's about the only
thing I can think that would have changed as a result of the reboot).

Thanks in advance for any advice you can offer. Pointers to documentation or
more appropriate places to ask are appreciated if necessary.

Cheers

Andy
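For readers following the thread, here is an added example (not Andy's actual configuration) of the kind of gateway rule set the post describes: a VM with eth0 on the cable modem and eth1 on the internal 192.168.x.x network, DNATing an external SSH port to the NAS and IMAP to the 'mailnews' VM. The internal addresses and the external SSH port are assumed placeholders, and the script prints the iptables commands by default so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Interfaces follow the post;
# the addresses and the external SSH port below are assumed placeholders.
EXT_IF=eth0               # external interface, address from DHCP
INT_IF=eth1               # internal interface, fixed 192.168.x.x address
NAS=192.168.1.10          # assumed address of the physical NAS
MAILNEWS=192.168.1.20     # assumed address of the 'mailnews' VM
NAS_SSH_PORT=2222         # assumed external port forwarded to the NAS sshd

# Dry run by default: prints each iptables command. Run with IPT=iptables
# (as root) to apply the rules for real.
IPT=${IPT:-"echo iptables"}

# forward_port EXT_PORT INTERNAL_IP INTERNAL_PORT
# One DNAT rule on the external interface plus a matching FORWARD rule, so
# only the named internal host and port become reachable from outside.
forward_port() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$1" \
         -j DNAT --to-destination "$2:$3"
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$2" --dport "$3" \
         -m conntrack --ctstate NEW -j ACCEPT
}

gateway_rules() {
    # Default-deny forwarding; replies to existing flows and internal hosts
    # going out to the internet are allowed, everything else is explicit.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # The two forwards mentioned in the post: SSH to the NAS, IMAP to mailnews.
    forward_port "$NAS_SSH_PORT" "$NAS" 22
    forward_port 143 "$MAILNEWS" 143
}

# Sanity check used below: how many DNAT targets does the rule set install?
count_dnat_rules() {
    gateway_rules | grep -c -- '-j DNAT'
}

gateway_rules
```

Once applied, `iptables -t nat -L PREROUTING -n -v` shows per-rule packet counters, which lets you confirm whether traffic for a stalled service is actually hitting its DNAT rule on the gateway.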

