
Re: [Xen-users] HELP: xenbr on vlan if --> tcp checksum error



Lockenvitz, Jan (EXT) wrote:
Hi

I'm testing around with the Xen 3.0 snapshot from last week, and I'm now
having a problem with a xenbr which is based on a vlan if (dot1q).

This is all in dom0.

os: debian testing network: tg3

I can start the bridge based on my normal physical eth0, which is
working without any problems. My vlan without bridge is also working.
I can start the bridge based on a vlan if with the help of the following
command:

# network-bridge start netdev=vlan100 bridge=xenbr0

The bridge is started (as I think) correctly. My interfaces and
bridge look like this:

# ifconfig

 [ ... ]

# brctl show

bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              pvlan100
                                                        vif0.0

A ping to another machine is fine.

But I can't ssh to any other machine. I started tracing on another
machine and ethereal shows an incorrect TCP checksum. And the TCP
checksum in this case seems to depend on the packet size. I also
traced in dom0 on the following IFs: vlan100, pvlan100 and eth0 (where
the vlan is bound to). On vlan100 I can see the same packets as on the
destination machine, but on pvlan100 and eth0 the TCP checksum is
correct.

Is this problem known?

This sounds like an issue we found in our test lab when using two physical Ethernet cards in a machine (and bridges on both). When the 1st domainU is configured as a NAT firewall, a 2nd domainU on the inside network, behind this firewall, can successfully ping through the NAT firewall to another physical machine in the outside network. However, from this 2nd domainU it is not possible to ssh/telnet through this NAT firewall to the machine on the outside network.
When the firewall is only routing, the issue does not occur.



 ----xen-br1          outside network
       |
      eth0
      xxxxx            1st domainU (firewall/router)
      eth1
       |
 ----xen-br2          inside network
       |
      eth0
      xxxxx            2nd domainU


The issue also does not occur when a second physical machine is used which is connected to the inside network. Then, the NAT firewall does its job successfully.

We found this both in the three-week-old testing and in the released stable of this week, in the 32 and the 64 bit versions. Distribution is Debian stable (sarge).

[root@dom0]# brctl show
bridge name     bridge id               STP enabled     interfaces
xen-br0         8000.000e2e333b62       no              eth0
                                                        vif1.0
...
xen-br1         8000.0000212fecc1       no              eth1
xen-br2         8000.0011091e4b64       no              eth2



Can someone help to solve this? I can post some traces if necessary.

Thanx in advance, Jan


Regards,
Luc

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 

