
[Xen-users] XEN PV networking: checksum issues



I have recently upgraded my domU firewall to the latest release of pfSense which now uses FreeBSD 10.1 as the base, thus supporting paravirtualized drivers for the network; the previous version used FreeBSD 8.3 which did not have that support. The pfSense system was and still is an HVM domU with a few PCI devices being passed through and one paravirtualized network I/f connecting to the LAN through the xenbr0 interface in dom0 (made up of two bonded Intel cards connected to a switch).

Since the recent upgrade, TCP communication from the dom0 or any of the other domUs which involves packets passing through the firewall or terminating at the firewall (e.g. ssh, http, rsync) is completely broken. ICMP (ping) and UDP (e.g. DNS resolution) still work from all domUs and the dom0 to both the firewall domU as well as the internet behind the firewall. Also, all other external systems residing in the same LAN segment as the XEN host still work flawlessly (i.e. TCP works, as do ICMP and UDP).

Investigation through tcpdump seems to link the issue to incorrect checksums in the packets arriving from the dom0 or any of the domUs which are then dropped by the pfSense firewall.

A partial tcpdump output for an attempted, failing http communication looks as follows:
=================
tcpdump: listening on xn0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:19:43.554073 IP (tos 0x0, ttl 64, id 58166, offset 0, flags [DF], proto TCP (6), length 60)
    vm-host.local.com.47469 > www.external.com.http: Flags [S], cksum 0x9d63 (incorrect -> 0xce9b), seq 2585868784, win 29200, options [mss 1460,sackOK,TS val 25811654 ecr 0,nop,wscale 7], length 0
01:19:44.546760 IP (tos 0x0, ttl 64, id 58167, offset 0, flags [DF], proto TCP (6), length 60)
    vm-host.local.com.47469 > www.external.com.http: Flags [S], cksum 0x9d63 (incorrect -> 0xce37), seq 2585868784, win 29200, options [mss 1460,sackOK,TS val 25811754 ecr 0,nop,wscale 7], length 0
01:19:46.546863 IP (tos 0x0, ttl 64, id 58168, offset 0, flags [DF], proto TCP (6), length 60)
    vm-host.local.com.47469 > www.external.com.http: Flags [S], cksum 0x9d63 (incorrect -> 0xcd6f), seq 2585868784, win 29200, options [mss 1460,sackOK,TS val 25811954 ecr 0,nop,wscale 7], length 0
...
=================
and that goes on until the http communication times out.

The network setup is the recommended XEN bridging approach linking all domUs (including the firewall) together on the xenbr0 interface which is then linked to the local LAN network. Packets from PCs in the local LAN (which are also arriving through the xenbr0 interface) do have correct checksums and thus are not affected.

I understand that for performance reasons network communication within the same XEN system using netfront/netback does not calculate checksums as they are not required/don't add any benefit because everything is managed through shared memory.

Regardless of the fact that checksums, for the above stated reason, are not required, is there a parameter that ensures that network packets do arrive with correct checksums, ideally on just that one virtual interface that's connected to the firewall?

In case there's no such parameter, what's the best/recommended course of action to resolve this pressing issue?

Many thanks in advance,

Atom2

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
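The post's diagnosis rests on one observation: packets from the dom0/domUs show `cksum ... (incorrect -> ...)` in tcpdump, while packets from PCs on the LAN show correct checksums. The following helper is an added example, not code from the post or from the Xen or pfSense projects; it parses `tcpdump -vv` output of the kind quoted above and groups the checksum verdict per sending host, so that the "offloaded checksum never filled in" case can be separated from hosts whose traffic is fine. The `lan-pc.local.com` lines in the sample are constructed to illustrate the unaffected case; the `vm-host.local.com` lines are the ones from the post. The script handles both tcpdump's normal two-line-per-packet layout and output that has been run together onto one line.

```python
"""Triage helper: group tcpdump -vv TCP checksum verdicts per sending host.

Intended usage on the receiving side (e.g. the firewall's xn0):
    tcpdump -nn -vv -i xn0 tcp | python3 cksum_triage.py
Hosts whose packets *all* carry incorrect TCP checksums are the ones whose
traffic arrives with the checksum left unfilled (checksum offload between
netfront/netback); hosts with correct checksums are unaffected.
Only IPv4 "IP (...)" records are parsed; IP6 records are ignored.
"""
import re
import sys
from collections import defaultdict

# One tcpdump -vv packet record, after continuation lines have been joined:
#   <ts> IP (tos ..., length N) <src> > <dst>: Flags [..], cksum 0x.. (correct|incorrect -> 0x..), ...
PKT_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?\)\s+"
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\], "
    r"cksum (?P<cksum>0x[0-9a-fA-F]+) "
    r"\((?P<verdict>correct|incorrect)(?: -> (?P<expected>0x[0-9a-fA-F]+))?\)"
)

# Constructed sample: three lines from the post plus two constructed lines
# for a LAN PC whose checksums are correct (hostnames/values made up).
SAMPLE = """\
tcpdump: listening on xn0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:19:43.554073 IP (tos 0x0, ttl 64, id 58166, offset 0, flags [DF], proto TCP (6), length 60)
    vm-host.local.com.47469 > www.external.com.http: Flags [S], cksum 0x9d63 (incorrect -> 0xce9b), seq 2585868784, win 29200, options [mss 1460,sackOK,TS val 25811654 ecr 0,nop,wscale 7], length 0
01:19:44.546760 IP (tos 0x0, ttl 64, id 58167, offset 0, flags [DF], proto TCP (6), length 60)
    vm-host.local.com.47469 > www.external.com.http: Flags [S], cksum 0x9d63 (incorrect -> 0xce37), seq 2585868784, win 29200, options [mss 1460,sackOK,TS val 25811754 ecr 0,nop,wscale 7], length 0
01:19:46.546863 IP (tos 0x0, ttl 64, id 58168, offset 0, flags [DF], proto TCP (6), length 60) vm-host.local.com.47469 > www.external.com.http: Flags [S], cksum 0x9d63 (incorrect -> 0xcd6f), seq 2585868784, win 29200, options [mss 1460,sackOK,TS val 25811954 ecr 0,nop,wscale 7], length 0
01:19:47.100000 IP (tos 0x0, ttl 128, id 4242, offset 0, flags [DF], proto TCP (6), length 52)
    lan-pc.local.com.51022 > www.external.com.http: Flags [S], cksum 0x4f21 (correct), seq 1000, win 65535, options [mss 1460,nop,wscale 8,sackOK], length 0
"""


def join_records(lines):
    """Glue tcpdump's indented continuation lines onto their header line."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line)
    return records


def host_of(endpoint):
    """'vm-host.local.com.47469' -> 'vm-host.local.com' (drop the port/service)."""
    host, _, _port = endpoint.rpartition(".")
    return host or endpoint


def parse(lines):
    """Return one dict per parsed TCP packet: src/dst host and checksum verdict."""
    packets = []
    for rec in join_records(lines):
        m = PKT_RE.search(rec)
        if m:
            packets.append({
                "ts": m["ts"], "src": host_of(m["src"]), "dst": host_of(m["dst"]),
                "flags": m["flags"], "ok": m["verdict"] == "correct",
                "cksum": m["cksum"], "expected": m["expected"],
            })
    return packets


def summarize(lines):
    """Per sending host: how many packets had correct vs. incorrect checksums."""
    stats = defaultdict(lambda: {"correct": 0, "incorrect": 0})
    for p in parse(lines):
        stats[p["src"]]["correct" if p["ok"] else "incorrect"] += 1
    return dict(stats)


def bad_senders(lines):
    """Hosts for which every observed TCP packet carried a wrong checksum."""
    return sorted(h for h, s in summarize(lines).items()
                  if s["incorrect"] and not s["correct"])


if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for host, s in sorted(summarize(src).items()):
        print(f"{host:30} correct={s['correct']:4} incorrect={s['incorrect']:4}")
    print("hosts sending only bad checksums:", ", ".join(bad_senders(SAMPLE.splitlines())))
```

Against the sample the only host that ends up in the "bad senders" list is `vm-host.local.com`, matching the post's description that on-host traffic is affected while LAN PCs are not. Because hosts are keyed by the tcpdump endpoint text, run tcpdump with `-nn` if you want raw addresses rather than resolved names.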