Hi Guy,

Assuming the data-link layer has been validated with iperf or something similar for duplex matching, packet loss and bandwidth, intermittent network switch issues dealing with VMware ESX's trunking? Check the RHEL 5 boxes' inbound firewall rules perhaps? Possibly set up Nagios to monitor the network switch(es), VM and Kerberos?

Hope that helps.
Barry VCP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Waugh
Sent: Sunday, August 26, 2007 7:08 PM
To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
Subject: [rhelv5-list] RHEL5 VMware VM: ICMP 'port unreachable' with lots of UDP traffic

Hello,

I have a RHEL5 VMware virtual machine running on a VMware ESX 3.0.2 server. It is currently the only virtual machine running on the VMware server.

The RHEL5 server has the httpd RPM installed, together with a compiled version of PHP 4.4.7. I'm also using a couple of compiled apache modules, mod_auth_cookie and mod_auth_kerb.

I'm using mod_auth_kerb to Kerberos-protect an intranet. When a user accesses a Kerberos-protected page, apache authenticates the user against a Kerberos KDC in the same subnet as the apache server. Apache authenticates the user for each item on the web page, and because there are quite a few images on the web page, there are quite a few (around 30) authentications against the Kerberos KDC for each page access. (Actually, I have found a patch to mod_auth_kerb that caches the authentication information and results in a very small number of actual username/password checks against the Kerberos KDC. However, I'm thinking that with enough users using the patched server, this problem is going to recur...)

The problem I'm having is that the apache server (RHEL5 VM) sends back an 'ICMP port unreachable' message to the KDC roughly every 20 packets or so (variable). There it is, happily sending UDP packets between RHEL5 apache VM (from a high port) and RHEL3 KDC (Kerberos 5 - port 88), when suddenly the apache server sends the 'port unreachable' packet.

FYI, here is a packet dump...
10.200.0.72 is the apache server and 10.200.0.1 is the KDC:

6.419340 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.419548 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.421944 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.424311 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.436367 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.436631 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.439016 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.441649 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.453587 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.453790 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.455863 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.458278 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.484476 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.484683 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.486920 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.489017 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.489299 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.489361 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.489494 10.200.0.72 -> 10.200.0.1 ICMP Destination unreachable (Port unreachable)
6.515883 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.516059 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.518263 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.520637 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.536783 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.536847 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.539213 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.541309 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.551802 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.551860 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.554321 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.556499 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.573668 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.573730 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.573862 10.200.0.72 -> 10.200.0.1 ICMP Destination unreachable (Port unreachable)
6.594280 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.594330 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.596684 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.598720 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP

Would anyone have any idea about what is causing this, or what I
could do to try to find out what is causing it? I guess I could run up an RHEL5 physical (i.e. not a VMware virtual) server and see if the problem persists, or go down a number of other similar paths... I'd rather not have to do that if I can help it 8-)

Thanks,
Guy.

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
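
An added example, not part of the original thread: a Python script that reads tshark summary lines like those in the dump and, for each ICMP port unreachable, reports the last packet received from the ICMP's destination, the gap in microseconds, and the peak number of requests in flight beforehand. The function names and the matching of requests to replies by their -REQ/-REP suffix are assumptions of this example.

```python
import re

# Sample input: ten summary lines taken from the dump quoted in the post.
SAMPLE = """\
6.484476 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.484683 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.486920 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.489017 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.489299 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.489361 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.489494 10.200.0.72 -> 10.200.0.1 ICMP Destination unreachable (Port unreachable)
6.573668 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.573730 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.573862 10.200.0.72 -> 10.200.0.1 ICMP Destination unreachable (Port unreachable)
"""

LINE = re.compile(r"(\d+)\.(\d{6})\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(.+)")

def parse(text):
    """Yield (time_us, src, dst, proto, info) for each summary line."""
    for raw in text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if m:
            sec, usec, src, dst, proto, info = m.groups()
            # Integer microseconds avoid float rounding in the gap.
            yield int(sec) * 1_000_000 + int(usec), src, dst, proto, info

def explain_unreachables(text):
    """Describe what preceded each ICMP port unreachable in the capture."""
    findings, last_seen, outstanding, peak = [], {}, 0, 0
    for t, src, dst, proto, info in parse(text):
        if proto == "ICMP" and "Port unreachable" in info:
            # The error answers a datagram that dst had sent to src.
            prev_t, prev_info = last_seen.get((dst, src), (None, None))
            findings.append({
                "icmp_from": src,
                "previous_inbound": prev_info,
                "gap_us": None if prev_t is None else t - prev_t,
                "peak_outstanding": peak,
            })
            peak = outstanding  # start a fresh window after each ICMP
            continue
        last_seen[(src, dst)] = (t, info)
        if info.endswith("-REQ"):
            outstanding += 1
        elif info.endswith("-REP"):
            outstanding = max(0, outstanding - 1)
        peak = max(peak, outstanding)
    return findings

if __name__ == "__main__":
    for finding in explain_unreachables(SAMPLE):
        print(finding)
```

The summary lines carry no UDP ports. An ICMP error quotes the IP header and first 8 bytes of the datagram that triggered it, so the full capture shows which source and destination port pair was rejected.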
