High ping latency between two machines - vpn

I am trying to ping a machine over Tailscale and seeing very high latency numbers (> 3000 ms). The machines are geographically very close. One of them is behind a Comcast router, and the other is behind AT&T Fiber. How should I go about debugging this?

Do a traceroute to the machine. Tailscale will very often fall back to a cloud relay, which can add a lot of latency to the connection even when the machines are physically close.

If your traffic is routing through a DERP as explained in Tailscale's troubleshooting guide, you may need to open one or more ports in order to connect your machines directly.
Use the Tailscale CLI to run the tailscale status command. If you see output in the form of relay "code", then your traffic is being routed via a relay server that has "code" as its location.
If there is no relay "code" line in the tailscale status output, then your traffic is not being routed through DERP.
Also, the tailscale ping command will indicate whether a successful ping was by direct path or via DERP.
Example:
tailscale ping node2
pong from node2 (100.99.98.96) via DERP(sea) in 242ms
pong from node2 (100.99.98.96) via 1.2.3.4:1234 in 127ms
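The two checks above can be scripted, as an added example that is not part of the original answer or of Tailscale's own tooling: one function classifies each line of tailscale ping output as a DERP relay path or a direct path, the other picks out peers that tailscale status reports with a relay "code". Both read their input on stdin, so they work on live CLI output or on a saved copy. The status line used in the comments is constructed to resemble the command's output and is an assumption, not text from the page.

```shell
# pong_paths: read `tailscale ping` output on stdin and print one line per pong:
#   relay <code> <ms>       traffic went through the DERP relay <code>
#   direct <ip:port> <ms>   traffic went over a direct peer-to-peer path
# Usage: tailscale ping node2 | pong_paths
pong_paths() {
  awk '
    /^pong from / {
      via = ""
      ms = $NF; sub(/ms$/, "", ms)                 # "242ms" -> 242
      for (i = 1; i <= NF; i++) if ($i == "via") via = $(i + 1)
      if (via ~ /^DERP\(/) {
        code = via
        sub(/^DERP\(/, "", code); sub(/\)$/, "", code)   # "DERP(sea)" -> sea
        print "relay", code, ms
      } else {
        print "direct", via, ms
      }
    }'
}

# status_relays: read `tailscale status` output on stdin and print "<peer> <code>"
# for every peer whose line carries relay "code"; prints nothing when every peer
# is direct. Constructed line assumed as input format:
#   100.99.98.96  node2  alice@  linux  active; relay "sea", tx 3672 rx 4068
# Usage: tailscale status | status_relays
status_relays() {
  awk '
    match($0, /relay "[^"]*"/) {
      code = substr($0, RSTART + 7, RLENGTH - 8)   # drop the leading relay " and the closing "
      print $2, code
    }'
}

# relayed_count: number of pongs that went via DERP, handy in a shell test such as
#   [ "$(tailscale ping node2 | relayed_count)" -eq 0 ] && echo "direct path"
relayed_count() {
  pong_paths | grep -c '^relay ' || true
}
```

If pong_paths reports "relay" for every pong and status_relays lists the peer, the latency is coming from the DERP hop; the answer's port-opening advice applies. A mix of relay and direct lines, as in the example output above, is normal while Tailscale is still probing for a direct path.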

Related

Ping request to host only successful right after I do tracert to the specific host?

Our company has a VPN connection provided by the ISP in our country. I can traceroute to a remote host on another site connected to the VPN, but I can't ping it. The ping command works to hosts on the remote site only for a short while right after I do the traceroute to the particular host. Why is it that the ping command is only successful right after the tracert command is executed?
At a guess, this sounds like it's potentially Proxy ARP? I would check to see whether or not the traceroute is temporarily populating your ARP table, allowing the ping to work. Just because you can't ping a device right off the bat doesn't mean it's not reachable.

GRE tunnel issues - one-sided communication

I have two machines:
Ubuntu 16.04 server VM (172.18.6.10)
Proxmox VE5 station (192.168.6.30)
They communicate through a third machine that forwards packets between the two. I want to create a GRE tunnel between the two machines; to do that and make it persistent, I have edited /etc/network/interfaces and added a GRE interface and tunnel to be created on boot, as follows:
After they were created, I tried to ping one machine from the other to check connectivity, pinging the GRE interface IP addresses (10.10.10.1 and 10.10.10.2). The issue is that when I ping the Proxmox machine from Ubuntu I get no feedback, but when I run tcpdump on gre1 on Proxmox I see that the packets are received and there is an ICMP reply outgoing:
When I run the ping the other way around and check it with tcpdump on the Ubuntu machine, I get nothing. I understand that the issue is that packets leaving Proxmox for Ubuntu via gre1 get lost or blocked, because Ubuntu can clearly send packets to Proxmox but the reply never comes back. How can I fix this?
Check if you have packet forwarding enabled in the kernel of the third machine that you use for the communication between the other two machines.
Check /etc/sysctl.conf and see if you have this:
net.ipv4.ip_forward = 1
if it's commented (#) uncomment it, save the file and issue a:
sysctl -p
Then try the pings again...
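A small check for the forwarding host, added here as an example and not part of the original answer: ip_forward_state parses a sysctl.conf-style file and reports whether net.ipv4.ip_forward is enabled, disabled, present only as a commented-out line (the case the answer describes), or absent, while kernel_ip_forward reads what the running kernel actually uses. The file path defaults to /etc/sysctl.conf but any file can be passed, which is how the constructed inputs are used here; the distinction between the persisted file and the live value is the point, since sysctl -p is what brings the two into agreement.

```shell
# ip_forward_state [FILE]: how net.ipv4.ip_forward is set in a sysctl.conf-style
# file (default /etc/sysctl.conf). Prints one of: enabled, disabled, commented, absent.
# Like sysctl -p, the last uncommented assignment wins; a commented copy only
# matters when there is no live assignment at all.
ip_forward_state() {
  file="${1:-/etc/sysctl.conf}"
  awk '
    /^[ \t]*net\.ipv4\.ip_forward[ \t]*=/ {
      val = $0
      sub(/^[^=]*=[ \t]*/, "", val)          # keep only the right-hand side
      sub(/[ \t#].*$/, "", val)              # drop trailing comment or blanks
      state = (val == "1") ? "enabled" : "disabled"
    }
    /^[ \t]*#[ \t]*net\.ipv4\.ip_forward[ \t]*=/ && state == "" { seen_comment = 1 }
    END {
      if (state != "")       print state
      else if (seen_comment) print "commented"
      else                   print "absent"
    }
  ' "$file"
}

# kernel_ip_forward: the value the running kernel uses right now (Linux only);
# prints "unknown" where /proc is not available, e.g. on macOS.
kernel_ip_forward() {
  if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    cat /proc/sys/net/ipv4/ip_forward
  else
    echo unknown
  fi
}

# forwarding_report [FILE]: one line combining both views, e.g.
#   sysctl.conf: commented, kernel: 0  -> uncomment the line and run sysctl -p
forwarding_report() {
  echo "sysctl.conf: $(ip_forward_state "$1"), kernel: $(kernel_ip_forward)"
}
```

Run forwarding_report on the middle machine: "enabled" in the file together with a kernel value of 1 is what the GRE path needs; anything else explains one-sided traffic before you start looking at the tunnel endpoints themselves.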

Have to find the port number for a particular IP address

I need to find the port number of a server, I have the host name and the IP address.
Is this possible?
I need this because when I try to connect to this server through PuTTY it's throwing a "Network error: Connection refused" error, which may be because of the wrong port number.
So you are looking for the port number the ssh server on that system listens on. Usually that is port 22 (the well-known ssh port), but you are right, this can be changed in the ssh server configuration. If so, there are two possibilities you have:
ask the administrator of the ssh server for the port number
make a network scan of the server which shows all open ports. Note however that this can be regarded as offensive behavior and may be blocked midway.
But most likely you are facing another problem: some firewall blocking your requests, or the ssh server not listening to requests from outside at all.
And a side note: a server is a service, often listening on a port; you can interact with it typically by "speaking" a specific protocol. A system might refer to a computer running software, typically reachable via network these days. Many servers can be operated on a system. A system can be identified by its IP address. Many people confuse this and speak of a "server" when referring to such a "system", which is simply wrong and creates confusion from a technical point of view.

How to make Sun NFS work over a Cisco ASA VPN connection with minimum ports opened?

I did a test of NFS service over Cisco ASA 5505 firewall.
With the normal interface default ACL, which is "permit ip any any" on the inside interface (level 100) and "deny ip any any" on the outside interface (level 0), and the NFS server connected to the outside interface, everything works great. By looking at the packets going through, I can see the inside PC call the NFS server's port 111 and negotiate a port using portmap, then finish this TCP connection. Then the NFS server (outside PC) uses the negotiated port to connect to the inside PC and transfer data. The Cisco ASA firewall keeps TCP state very well and "remembered" the negotiated port, thus letting the outside PC use this port to talk to the inside PC even though the outside ACL is "deny ip any any". The firewall is fully stateful; everything is great so far.
However, as soon as I connected the NFS server (outside PC) to the Cisco ASA firewall using VPN, everything changed. Looking at the packets, NFS can still go through the firewall and negotiate a port by portmap. But after this TCP session is over, the firewall FORGETS the negotiated port and blocks the outside PC from using the negotiated port to talk back to the inside PC.
With or without VPN is the only change. There is just one ACL, on the inside interface: permit ip any any. The NFS server is set to be accessible from any subnet. There is no NAT and no service-policies set up on this firewall.
Can anyone please explain why the Cisco firewall rules are not "stateful" anymore over VPN? Is it designed to be? What is the best way to get NFS working over VPN without opening a range of dynamic ports on the outside interface?
One of the strong sides of NFSv4.0 is that it is firewall friendly. No portmap required. You need only a single TCP port, 2049, to be opened. All operations which have a state on the server require the client to send a heartbeat, which is typically ~90 seconds. We use it in our firewalled setup and are quite happy with it.
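To make the answer's point concrete, here is an added example (not from the original question or answer) that takes rpcinfo -p output for an NFS server and lists the TCP ports a firewall must admit for an NFSv3 mount versus an NFSv4 mount. NFSv3 needs the portmapper plus the mountd and locking (nlockmgr, status) ports, which portmap hands out dynamically and which change across reboots; that is exactly the set the ASA stops tracking once the peer is behind the VPN. NFSv4 needs only the nfs service itself. The rpcinfo output below is constructed, including its port numbers.

```shell
# Constructed `rpcinfo -p` output for an NFS server exporting both v3 and v4.
# The mountd/nlockmgr/status ports are whatever portmap assigned at boot.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    3   tcp  20048  mountd
    100021    4   tcp  40213  nlockmgr
    100024    1   tcp  37091  status'

# nfs_tcp_ports VERSION: read rpcinfo -p output on stdin and print, sorted and
# space-separated, the TCP ports a firewall must allow for that NFS version.
#   4 -> the nfs service only (normally 2049); no portmapper round trip
#   3 -> portmapper, nfs, and the dynamically assigned mountd/nlockmgr/status ports
# Usage: rpcinfo -p nfs-server | nfs_tcp_ports 4
nfs_tcp_ports() {
  awk -v ver="$1" '
    $3 != "tcp" { next }                      # skip the header and UDP rows
    ver == 4 && $5 == "nfs" && $2 == 4 { seen[$4] = 1 }
    ver == 3 && ($5 == "portmapper" || $5 == "mountd" || $5 == "nlockmgr" ||
                 $5 == "status" || ($5 == "nfs" && $2 == 3)) { seen[$4] = 1 }
    END { for (p in seen) print p }
  ' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# dynamic_port_count VERSION: how many of those ports are outside the well-known
# range, i.e. would have to be opened as a range or re-learned after each reboot.
dynamic_port_count() {
  printf '%s\n' "$RPCINFO_SAMPLE" | nfs_tcp_ports "$1" | tr ' ' '\n' | awk '$1 > 1023' | wc -l | tr -d ' '
}
```

Running nfs_tcp_ports 3 on the sample yields five ports, three of them dynamic, while nfs_tcp_ports 4 yields just 2049, which is why a single static rule for TCP 2049 is enough once the clients mount with NFSv4.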

How to find the tunnel type?

I am trying to find out the type of the tunnel used for a VPN. I am trying to determine if the tunnel is TCP or UDP. How do I do that? When I observe the tunnel traffic I am not able to observe anything! In the sense that packets are sent as such...
You need to observe the traffic on the physical network connection, not the traffic in the tunnel itself:
Set up a network packet capture program, such as Wireshark, to capture the traffic on the "real" network interface, e.g. your cabled Ethernet connection. On Linux it would be something along the lines of eth0.
(Optional) Shutdown as many processes that use the network as possible.
Cause as much traffic through the VPN tunnel as possible - e.g. download a large file.
Watch in your capture program for any change - the tunnel traffic should now stand out due to sheer volume.
Keep in mind that if you are using an IPSec tunnel, the packets will be ESP, which is neither TCP nor UDP.
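The volume comparison in the steps above can be done from the command line as well; the following is an added example, not part of the original answer. It tallies bytes per transport protocol in tcpdump text output, so the tunnel shows up as the protocol carrying the most bytes while the download runs, and it recognises ESP packets separately so an IPsec tunnel is not mistaken for "neither". The capture lines are constructed to approximate the output of tcpdump -n on the physical interface and are not a real capture.

```shell
# Constructed sample approximating `tcpdump -n -i eth0` text output while a
# large download runs through a UDP-based tunnel, with one ESP packet and one
# ordinary TCP segment mixed in.
CAPTURE_SAMPLE='12:00:00.000100 IP 192.0.2.10.51820 > 198.51.100.5.51820: UDP, length 1420
12:00:00.000200 IP 192.0.2.10.44321 > 203.0.113.7.443: Flags [P.], seq 1:101, ack 1, win 501, length 100
12:00:00.000300 IP 192.0.2.10.51820 > 198.51.100.5.51820: UDP, length 1420
12:00:00.000400 IP 192.0.2.10 > 198.51.100.9: ESP(spi=0x0000a1b2,seq=0x1), length 1400
12:00:00.000500 IP 192.0.2.10.51820 > 198.51.100.5.51820: UDP, length 1420'

# proto_bytes: read tcpdump text on stdin, print "<proto> <bytes>" per transport,
# largest first. ESP is counted on its own because it is neither TCP nor UDP.
# Usage: tcpdump -n -i eth0 -c 2000 2>/dev/null | proto_bytes
proto_bytes() {
  awk '
    /: UDP, length [0-9]+/ { proto = "UDP" }
    /: ESP\(spi=/          { proto = "ESP" }
    /: Flags \[/           { proto = "TCP" }
    proto != "" {
      bytes[proto] += $NF + 0          # tcpdump ends each line with "length N"
      proto = ""
    }
    END { for (p in bytes) print p, bytes[p] }
  ' | sort -k2,2nr
}

# tunnel_transport: the protocol carrying the most bytes, i.e. the likely tunnel
tunnel_transport() {
  proto_bytes | head -n 1 | cut -d' ' -f1
}

# tunnel_peer: the remote address on the busiest UDP or ESP flow, useful for
# narrowing a later Wireshark filter. Strips the port suffix from UDP flows.
tunnel_peer() {
  awk '
    /: UDP, length / || /: ESP\(spi=/ {
      dst = $5; sub(/:$/, "", dst)
      if ($0 ~ /: UDP, length /) sub(/\.[0-9]+$/, "", dst)   # drop .port
      bytes[dst] += $NF + 0
    }
    END { for (d in bytes) print bytes[d], d }
  ' | sort -nr | head -n 1 | cut -d' ' -f2
}
```

On the sample, tunnel_transport reports UDP and tunnel_peer reports 198.51.100.5; on a live capture, run the download from the answer's step 3 while the tcpdump runs, and the same two functions name the transport and the VPN endpoint.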