On Sunday 02 March 2008 15:56:45 Guus Sliepen wrote:
> On Fri, Feb 29, 2008 at 01:41:54PM +0200, Pavel Georgiev wrote:
> > I have a VPN mesh with ~10 nodes. A recently added node experiences
> > the 'Received UDP packet from unknown source' problem. I read in the FAQ
> > this is probably caused by a NAT rule on either side, but I don't have
> > such rules.
> >
> > The thing is that the IP in the 'Received UDP packet from unknown source'
> > message is exactly what I have configured. The problem solves itself with
> > time and this is marked in the logs as:
> >
> > tinc.vpn[25833]: Lost 219 packets from UA_VPN
> >
> > When the tunnel works, both source and destination port of the UDP
> > packets is 655, while when I experience the problem the source port of
> > the node that has the problems is 602/601. I run tcpdump on that node and
> > the packets have exactly that port when they leave the box, so it's not
> > something that gets rewritten on the way to the other node.
>
> Since tinc only sets up the socket for UDP once, tinc itself never
> changes the source port. So either there is NAT somewhere (on the
> network between the nodes or on either the sending or receiving node),
> or you have a buggy kernel, or a buggy network card/cable/router. If you
> run tcpdump on the box sending those strange UDP packets, and it already
> has source port 602/601 there, it's either NAT on that box or a buggy
> kernel...
It was NAT indeed. The box had two IP addresses and both were configured with a gateway in /etc/network/interfaces, so sometimes packets originated with source IP = second IP. This was not obvious as I do masquerading of outgoing traffic, so those packets were reported by tcpdump with source IP = primary IP. It was a tricky one; I caught it by luck (I had the same configuration error in /etc/network/interfaces on another box without NAT and saw it was using both IPs as source). Thanks for the reply, I hope this will help someone else fighting the same problem.

_______________________________________________
tinc mailing list
[email protected]
http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
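The root cause in the reply above was an /etc/network/interfaces file that declared a default gateway in more than one stanza, so the kernel sometimes picked the second address as the source of tinc's UDP packets, and a MASQUERADE rule then hid that from tcpdump. The following is an added example, not code from the thread or from the tinc project: a small checker that parses an interfaces file and flags every stanza that sets a gateway, so the misconfiguration can be spotted without waiting for the "Received UDP packet from unknown source" message. The two interfaces files embedded below are constructed samples (RFC 5737 documentation addresses, made-up interface names), not the poster's real configuration.

```python
# Added example: detect more than one default gateway in /etc/network/interfaces.
# Not part of the tinc thread; the sample files below are constructed.
from collections import OrderedDict

# Constructed sample reproducing the misconfiguration described in the thread:
# two addresses, each stanza carrying its own "gateway" line.
BROKEN_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.0.2.10
    netmask 255.255.255.0
    gateway 192.0.2.1      # first default route

auto eth0:1
iface eth0:1 inet static
    address 198.51.100.10
    netmask 255.255.255.0
    gateway 198.51.100.1   # second default route: source-address selection now varies
"""

# Constructed corrected version: the secondary address keeps no gateway of its own,
# so every outbound packet is sourced from the primary address.
FIXED_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.0.2.10
    netmask 255.255.255.0
    gateway 192.0.2.1

auto eth0:1
iface eth0:1 inet static
    address 198.51.100.10
    netmask 255.255.255.0
"""

# Top-level keywords that end an "iface" stanza; their own indented lines are not options.
STANZA_STARTERS = ("auto", "allow-hotplug", "allow-auto", "mapping",
                   "source", "source-directory")


def parse_interfaces(text):
    """Return an OrderedDict of iface name -> option dict for each 'iface' stanza.

    Comments (after '#') and blank lines are ignored. Options inside a stanza are
    stored as name -> value string; repeated options keep the last value.
    """
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        keyword = parts[0]
        if keyword in STANZA_STARTERS:
            current = None          # leave any open iface stanza
            continue
        if keyword == "iface":
            # iface <name> <address family> <method>
            name = parts[1]
            current = stanzas.setdefault(name, {
                "family": parts[2] if len(parts) > 2 else None,
                "method": parts[3] if len(parts) > 3 else None,
            })
            continue
        if current is not None:
            current[keyword] = " ".join(parts[1:])
    return stanzas


def default_gateways(text):
    """List (iface, gateway) for every stanza that declares a gateway."""
    return [(name, opts["gateway"])
            for name, opts in parse_interfaces(text).items()
            if "gateway" in opts]


def has_conflicting_gateways(text):
    """True when more than one stanza sets a gateway, the condition from the thread."""
    return len(default_gateways(text)) > 1


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_INTERFACES), ("fixed", FIXED_INTERFACES)):
        gws = default_gateways(cfg)
        verdict = "CONFLICT" if has_conflicting_gateways(cfg) else "ok"
        print(f"{label}: {verdict} {gws}")
```

On a live box the same question can be asked of the kernel directly with `ip route get <peer address>`, whose `src` field shows which local address will be used for that destination; run it before adding any MASQUERADE rule, because once NAT is in place tcpdump on the same host will show the rewritten address, exactly as the reply describes.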
