
SSL Traffic from network node to VM

asked 2013-06-10 11:45:05 -0500

glenbot

updated 2013-06-10 13:41:42 -0500

darragh-oreilly

I'm having an issue with SSL traffic from the network node to a VM. I am not sure where this is getting hung up. I'm trying to download a file from GitHub with wget, but it locks up acknowledging a packet from GitHub. Bitbucket.org uses the same certificate type from DigiCert and it works.

On the VM I'm running:

ubuntu@testnetwork:~$ openssl s_client -showcerts -connect github.com:443
CONNECTED(00000003)

Here is the tcpdump from the VM:

16:36:32.071382 IP 172.16.16.12.56210 > github.com.https: Flags [S], seq 3347835015, win 14600,   options [mss 1460,sackOK,TS val 254765 ecr 0,nop,wscale 6], length 0
16:36:32.155526 IP github.com.https > 172.16.16.12.56210: Flags [S.], seq 3139130773, ack 3347835016, win 5792, options [mss 1460,sackOK,TS val 751610489 ecr 254765,nop,wscale 10], length 0
16:36:32.155590 IP 172.16.16.12.56210 > github.com.https: Flags [.], ack 1, win 229, options [nop,nop,TS val 254786 ecr 751610489], length 0
16:36:32.156474 IP 172.16.16.12.56210 > github.com.https: Flags [P.], seq 1:227, ack 1, win 229, options [nop,nop,TS val 254786 ecr 751610489], length 226
16:36:32.204544 IP github.com.https > 172.16.16.12.56210: Flags [.], ack 227, win 7, options [nop,nop,TS val 751610505 ecr 254786], length 0
16:36:32.206941 IP github.com.https > 172.16.16.12.56210: Flags [P.], seq 2897:3691, ack 227, win 7, options [nop,nop,TS val 751610506 ecr 254786], length 794
16:36:32.207115 IP 172.16.16.12.56210 > github.com.https: Flags [.], ack 1, win 229, options [nop,nop,TS val 254799 ecr 751610505,nop,nop,sack 1 {2897:3691}], length 0
16:36:55.057510 IP 172.16.16.12.56208 > github.com.https: Flags [F.], seq 227, ack 1, win 229, options [nop,nop,TS val 260512 ecr 169352456,nop,nop,sack 1 {2897:3692}], length 0
16:37:32.225034 IP github.com.https > 172.16.16.12.56210: Flags [F.], seq 3691, ack 227, win 7, options [nop,nop,TS val 751625505 ecr 254799], length 0
16:37:32.225134 IP 172.16.16.12.56210 > github.com.https: Flags [.], ack 1, win 229, options [nop,nop,TS val 269803 ecr 751610505,nop,nop,sack 1 {2897:3692}], length 0

The tcpdump on the promiscuous-mode Ethernet port on the network node shows:

11:36:32.042296 IP 172.16.1.104.56210 > 204.232.175.90.https: Flags [S], seq 3347835015, win 14600, options [mss 1460,sackOK,TS val 254765 ecr 0,nop,wscale 6], length 0
11:36:32.089359 IP 204.232.175.90.https > 172.16.1.104.56210: Flags [S.], seq 3139130773, ack 3347835016, win 5792, options [mss 1460,sackOK,TS val 751610489 ecr 254765,nop,wscale 10], length 0
11:36:32.107097 IP 172.16.1.104.56210 > 204.232 ...

1 answer

1

answered 2013-06-10 12:24:06 -0500

darragh-oreilly

This sounds like a path MTU issue - the length of the IP packet is probably 1500 bytes. What are you using between the network and compute node? I see GRE adding 46 bytes and VLAN tagging adds 4 bytes. You can use something like traceroute to measure the path MTU between the nodes. Or you could try this quick test on the instance:

$ sudo ip link set mtu 1400 dev eth0

Comments

You were right. It was an MTU issue. Once I ran your command I was able to wget the file from GitHub. Is there a more permanent way to resolve this?

glenbot ( 2013-06-10 13:05:52 -0500 )

BTW, I am using this config on the Network node: https://github.com/mseknibilel/OpenStack-Grizzly-Install-Guide/blob/OVS_MultiNode/OpenStack_Grizzly_Install_Guide.rst#35-quantum and the network and compute node are connected via a crosslink cable.

glenbot ( 2013-06-10 13:10:28 -0500 )

Try bumping the MTU on the interfaces on each side of the crossover up to 1546. Then the instances should work with their default 1500.

darragh-oreilly ( 2013-06-10 13:17:25 -0500 )

I am using Quantum with OVS, GRE -- the OVS section of ovs_quantum_plugin.ini has tenant_network_type = gre

glenbot ( 2013-06-10 13:26:40 -0500 )
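
Added example (not part of the original thread): a small parser that runs over the first seven lines of the VM-side tcpdump from the question and reports the gap in the server's byte stream, showing that the segments that never arrived would each have been 1500-byte IP packets while the 794-byte segment got through. The function name find_holes and the IPv4-without-IP-options assumption are this example's own.

```python
import re

# VM-side tcpdump lines copied from the question (first seven packets).
CAPTURE = """\
16:36:32.071382 IP 172.16.16.12.56210 > github.com.https: Flags [S], seq 3347835015, win 14600, options [mss 1460,sackOK,TS val 254765 ecr 0,nop,wscale 6], length 0
16:36:32.155526 IP github.com.https > 172.16.16.12.56210: Flags [S.], seq 3139130773, ack 3347835016, win 5792, options [mss 1460,sackOK,TS val 751610489 ecr 254765,nop,wscale 10], length 0
16:36:32.155590 IP 172.16.16.12.56210 > github.com.https: Flags [.], ack 1, win 229, options [nop,nop,TS val 254786 ecr 751610489], length 0
16:36:32.156474 IP 172.16.16.12.56210 > github.com.https: Flags [P.], seq 1:227, ack 1, win 229, options [nop,nop,TS val 254786 ecr 751610489], length 226
16:36:32.204544 IP github.com.https > 172.16.16.12.56210: Flags [.], ack 227, win 7, options [nop,nop,TS val 751610505 ecr 254786], length 0
16:36:32.206941 IP github.com.https > 172.16.16.12.56210: Flags [P.], seq 2897:3691, ack 227, win 7, options [nop,nop,TS val 751610506 ecr 254786], length 794
16:36:32.207115 IP 172.16.16.12.56210 > github.com.https: Flags [.], ack 1, win 229, options [nop,nop,TS val 254799 ecr 751610505,nop,nop,sack 1 {2897:3691}], length 0
"""

PKT = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]*)\], (?:seq (\d+)(?::(\d+))?, )?"
                 r".*?options \[([^\]]*)\], length (\d+)")

def find_holes(capture):
    """Report gaps in each direction's byte stream and the IP packet sizes involved."""
    mss, ts, expected, holes = [], False, {}, []
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, dst, flags, start, end, opts, length = m.groups()
        if "S" in flags:  # SYN / SYN-ACK: learn the MSS and whether timestamps are on
            mss.append(int(re.search(r"mss (\d+)", opts).group(1)))
            ts = ts or "TS val" in opts
            expected[(src, dst)] = 1  # tcpdump prints relative sequence numbers from 1
        elif end is not None:  # data segment printed as "seq start:end"
            start, end = int(start), int(end)
            nxt = expected.get((src, dst), start)
            if start > nxt:  # bytes nxt..start-1 never reached this capture point
                holes.append((src, dst, nxt, start, int(length)))
            expected[(src, dst)] = max(nxt, end)
    if not mss:
        raise ValueError("capture must include the SYN packets")
    overhead = 40 + (12 if ts else 0)  # IPv4 + TCP headers (assumed no IP options) + TS option
    payload = min(mss) + 40 - overhead  # data bytes in one full-size segment
    return [{"flow": f"{s} > {d}", "missing": (a, b),
             "full_segments": (b - a) // payload if (b - a) % payload == 0 else None,
             "dropped_ip_len": payload + overhead, "delivered_ip_len": n + overhead}
            for s, d, a, b, n in holes]

if __name__ == "__main__":
    for hole in find_holes(CAPTURE):
        print(hole)
```

A gap that is an exact multiple of the full segment size, followed by a smaller segment that does arrive, is the pattern to look for when only large packets are being lost on the path.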
