Re: Why is networking so flaky?



Henrik Goldman <henrik_goldman@xxxxxxxxxxxx> wrote:
> The most annoying thing is that the machine actually works completely
> well until 1 minute after bootup. Within the first minute or so I am
> able to connect to access external ftp's by dns names or browse
> through mozilla. Then shortly after everything is blocked and
> either dns or the routes stop working.

Using the ndd(1m) command, check the value of ip_ire_gw_probe:

    ndd -get /dev/ip ip_ire_gw_probe

If it is "1" then it is possible your default router is being
anti-social and not responding to ICMP Echo Requests (pings) from the
HP-UX system. The HP-UX stack will use those by default as part of
"dead gateway detection."

You can disable that with "ndd -set" and then adding that to the
/etc/rc.config.d/nddconf file to have it applied at the next boot.

> My routes look like the following (my ip is 192.168.0.9 and the gateway is
> at 192.168.0.1):
>
> netstat -nr
> Routing tables
> Destination      Gateway          Flags  Refs  Interface  Pmtu
> 127.0.0.1        127.0.0.1        UH     0     lo0        4136
> 192.168.0.9      192.168.0.9      UH     0     lan0       4136
> 192.168.0.0      192.168.0.9      U      2     lan0       1500
> 127.0.0.0        127.0.0.1        U      0     lo0        0
> default          192.168.0.1      UG     0     lan0       0
>
> Still I get complete packet loss:
>
> ping 192.168.0.1
> PING 192.168.0.1: 64 byte packets
>
> ----192.168.0.1 PING Statistics----
> 8 packets transmitted, 0 packets received, 100% packet loss
>
> Still when I get complete packet loss from inside out I can still access
> from outside-in, which makes it very weird.

When you say "access" do you mean you are able to get FTP connected to
the HP-UX system and you get a prompt, or do you mean pings? How much
of a "proxy" is your NET/router/whatever?

rick jones
--
denial, anger, bargaining, depression, acceptance, rebirth...
where do you want to be today?
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
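
Added example, not part of the original post: one way to make the ip_ire_gw_probe change described above persist, by appending a stanza to an nddconf-style file at the next unused index. The function names are hypothetical, the value 0 for "disabled" is an assumption (the post only says the probe is on when the value is "1"), and the indexed TRANSPORT_NAME/NDD_NAME/NDD_VALUE triple is the layout nddconf uses.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# On the HP-UX host itself, as root, the live change would be:
#   ndd -get /dev/ip ip_ire_gw_probe
#   ndd -set /dev/ip ip_ire_gw_probe 0      # assumption: 0 turns the probe off
# and the persistent one:
#   disable_gw_probe_persist /etc/rc.config.d/nddconf

# next_ndd_index FILE
# Print the first unused stanza index: highest active TRANSPORT_NAME[N] plus
# one, or 0 when the file is missing or has no active stanzas.
next_ndd_index() {
    sed -n 's/^[[:space:]]*TRANSPORT_NAME\[\([0-9][0-9]*\)]=.*/\1/p' "$1" 2>/dev/null |
        sort -n | tail -1 | awk '{ n = $1 + 1 } END { print n + 0 }'
}

# disable_gw_probe_persist FILE
# Append a stanza setting ip_ire_gw_probe to 0. Returns 1 without touching the
# file if an active stanza already names the parameter, so that a value set
# deliberately by an administrator is never silently duplicated or overridden.
disable_gw_probe_persist() {
    conf=$1
    if grep -q '^[[:space:]]*NDD_NAME\[[0-9]*]=ip_ire_gw_probe' "$conf" 2>/dev/null; then
        echo "ip_ire_gw_probe is already configured in $conf" >&2
        return 1
    fi
    i=$(next_ndd_index "$conf")
    printf 'TRANSPORT_NAME[%s]=ip\nNDD_NAME[%s]=ip_ire_gw_probe\nNDD_VALUE[%s]=0\n' \
        "$i" "$i" "$i" >>"$conf"
}
```

With the probe off, the host no longer notices by itself when the default gateway stops forwarding, so anything that relied on dead gateway detection to fail over needs another check.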