3 way ping mystery


21 replies to this topic

#1 cut

cut

    Neowinian

  • Joined: 28-August 12

Posted 10 September 2012 - 10:48

I have 3 PCs, Windows, Linux 1 and Linux 2.

Windows can ping both Linux 1 and Linux 2
Linux 1 can ping both Windows and Linux 2
Linux 2 can ping Windows but cannot ping Linux 1

It would sound like a firewall issue but Linux 1 has the firewall disabled.

Where/what else can I look at?


#2 manroweb

manroweb

    Lover of all things tech

  • Tech Issues Solved: 1
  • Joined: 07-April 02
  • Location: Swindon UK

Posted 10 September 2012 - 11:59

How are your devices physically connected together?
Switches/Routers/Access points etc?

#3 Dan~

Dan~

    Neowinian Senior

  • Joined: 21-May 03

Posted 10 September 2012 - 12:13

Hmm, I've never really used linux but the problem is

Linux 2 cannot ping Linux 1.

Have you disabled the firewall on both? Are you pinging by IP address rather than hostname?

#4 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 10 September 2012 - 15:18

Really need to know how these devices are connected - same switch/router lan ports? Are any of them wireless? Is there a nat between any of them?

Also great question is the name or IP - ping by IP for testing, or you might just have a name resolution issue. Once you know you can ping by IP you can move to name resolution problems.

On the box you're trying to ping from -- try to ping the IP, then look at the arp table. Do you show the correct MAC for the IP you're trying to ping? If not - you need to find out why, never going to be able to ping if you don't know the mac. This can be an issue sometimes via wireless.

On Linux you can view the arp table with arp -n

example
budman@ubuntu:~$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.40             ether   2c:76:8a:ad:f6:56   C                     eth0
192.168.1.253            ether   00:50:56:00:00:02   C                     eth0
budman@ubuntu:~$ ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_req=1 ttl=128 time=1.47 ms
64 bytes from 192.168.1.100: icmp_req=2 ttl=128 time=0.557 ms
64 bytes from 192.168.1.100: icmp_req=3 ttl=128 time=0.607 ms
64 bytes from 192.168.1.100: icmp_req=4 ttl=128 time=0.499 ms
64 bytes from 192.168.1.100: icmp_req=5 ttl=128 time=0.820 ms
64 bytes from 192.168.1.100: icmp_req=6 ttl=128 time=0.690 ms
^C
--- 192.168.1.100 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5004ms
rtt min/avg/max/mdev = 0.499/0.775/1.478/0.330 ms
budman@ubuntu:~$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.40             ether   2c:76:8a:ad:f6:56   C                     eth0
192.168.1.253            ether   00:50:56:00:00:02   C                     eth0
192.168.1.100            ether   18:03:73:b1:0d:d3   C                     eth0

bad no mac example;
budman@ubuntu:~$ ping 192.168.1.32
PING 192.168.1.32 (192.168.1.32) 56(84) bytes of data.
^C
--- 192.168.1.32 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

budman@ubuntu:~$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.32                     (incomplete)                              eth0
192.168.1.253            ether   00:50:56:00:00:02   C                     eth0
192.168.1.100            ether   18:03:73:b1:0d:d3   C                     eth0



#5 Geoffrey B.

Geoffrey B.

    LittleNeutrino

  • Tech Issues Solved: 11
  • Joined: 25-July 05
  • Location: Ohio
  • OS: Windows 7 Ultimate
  • Phone: Nokia Lumia 928 WP8.10.14203.306

Posted 10 September 2012 - 15:20

Are they all on the same subnet? That can cause it sometimes.

#6 Sparky101

Sparky101

    Neowinian

  • Joined: 24-November 06

Posted 12 September 2012 - 14:04

Yeah, I would check the subnet masks, make sure they're all the same. If Linux2 thinks Linux1 is in a different subnet than itself then it will send the pings to its default gateway rather than direct to Linux1.
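
Added example, not part of the thread: a Python sketch combining the ARP check from post #4 with the subnet-mask point above. It works out which IP the sender must resolve (the target if it is on-link, otherwise the default gateway) and reports the state of that entry in arp -n output. The sample table, the local addresses passed in, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the `arp -n` layout shown in the thread.
ARP_SAMPLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.32                     (incomplete)                              eth0
192.168.1.253            ether   00:50:56:00:00:02   C                     eth0
192.168.1.100            ether   18:03:73:b1:0d:d3   C                     eth0
"""

def parse_arp(text):
    """Map IP -> MAC, or None when the entry is shown as (incomplete)."""
    table = {}
    for line in text.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) < 3:
            continue
        if fields[1] == "(incomplete)":
            table[fields[0]] = None              # ARP request sent, no reply seen
        else:
            table[fields[0]] = fields[2].lower()
    return table

def next_hop(local_cidr, gateway, target):
    """IP the sender has to ARP for, given its own address and mask."""
    net = ipaddress.ip_interface(local_cidr).network
    return target if ipaddress.ip_address(target) in net else gateway

def diagnose(local_cidr, gateway, target, arp_text, expected_mac=None):
    """Return (next-hop IP, status) for a ping from this host to target."""
    hop = next_hop(local_cidr, gateway, target)
    table = parse_arp(arp_text)
    if hop not in table:
        return hop, "no-entry"
    mac = table[hop]
    if mac is None:
        return hop, "incomplete"
    if expected_mac and mac != expected_mac.lower():
        return hop, "mac-mismatch"
    return hop, "ok"

if __name__ == "__main__":
    # Assumed local configs: a correct /24 and a mistyped /25 on the sender.
    print(diagnose("192.168.1.10/24", "192.168.1.253", "192.168.1.32", ARP_SAMPLE))
    print(diagnose("192.168.1.200/25", "192.168.1.253", "192.168.1.100", ARP_SAMPLE))
```

With the mistyped /25 the next hop becomes the gateway rather than the target, which is the case Sparky101 describes.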

#7 OP cut

cut

    Neowinian

  • Joined: 28-August 12

Posted 17 September 2012 - 08:04

How are your devices physically connected together?
Switches/Routers/Access points etc?

Currently, they are all connected to the same switch.

Hmm, I've never really used linux but the problem is

Linux 2 cannot ping Linux 1.

Have you disabled the firewall on both? Are you pinging by IP address rather than hostname?

Yup, firewall is disabled on both. I'm pinging by IPs....

Really need to know how these devices are connected - same switch/router lan ports? Are any of them wireless? Is there a nat between any of them?

Also great question is the name or IP - ping by IP for testing, or you might just have a name resolution issue. Once you know you can ping by IP you can move to name resolution problems.

On the box you're trying to ping from -- try to ping the IP, then look at the arp table. Do you show the correct MAC for the IP you're trying to ping? If not - you need to find out why, never going to be able to ping if you don't know the mac. This can be an issue sometimes via wireless.

On Linux you can view the arp table with arp -n

example

budman@ubuntu:~$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.40             ether   2c:76:8a:ad:f6:56   C                     eth0
192.168.1.253            ether   00:50:56:00:00:02   C                     eth0
budman@ubuntu:~$ ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_req=1 ttl=128 time=1.47 ms
64 bytes from 192.168.1.100: icmp_req=2 ttl=128 time=0.557 ms
64 bytes from 192.168.1.100: icmp_req=3 ttl=128 time=0.607 ms
64 bytes from 192.168.1.100: icmp_req=4 ttl=128 time=0.499 ms
64 bytes from 192.168.1.100: icmp_req=5 ttl=128 time=0.820 ms
64 bytes from 192.168.1.100: icmp_req=6 ttl=128 time=0.690 ms
^C
--- 192.168.1.100 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5004ms
rtt min/avg/max/mdev = 0.499/0.775/1.478/0.330 ms
budman@ubuntu:~$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.40             ether   2c:76:8a:ad:f6:56   C                     eth0
192.168.1.253            ether   00:50:56:00:00:02   C                     eth0
192.168.1.100            ether   18:03:73:b1:0d:d3   C                     eth0

bad no mac example;
budman@ubuntu:~$ ping 192.168.1.32
PING 192.168.1.32 (192.168.1.32) 56(84) bytes of data.
^C
--- 192.168.1.32 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

budman@ubuntu:~$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.32                     (incomplete)                              eth0
192.168.1.253            ether   00:50:56:00:00:02   C                     eth0
192.168.1.100            ether   18:03:73:b1:0d:d3   C                     eth0

These devices are all connected to the same switch. On this there is also a router and some other Windows PCs, which can ping each other.

I (and I think anyone else should) ping by IP.

Yes I can confirm that the mac in the arp table is correct.


Are they all on the same subnet? That can cause it sometimes.

Yeah, I would check the subnet masks, make sure they're all the same. If Linux2 thinks Linux1 is in a different subnet than itself then it will send the pings to its default gateway rather than direct to Linux1.

Yup, also confirming they are all on the same subnet....

#8 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 17 September 2012 - 11:13

So that makes no sense then, none. Unless you have mask wrong with some really lucky/unlucky ip choices to where they fall in the mask. Points to firewall on the host to be honest.

I would sniff on the one you can not ping - does he see the pings? If so then clearly he is not answering for a reason, or does he answer just really slow and you're getting timeouts?

Or something really weird on the switch, try changing ports around. Is it a smart switch, or just a dumb switch - could you be blocking stuff on it?

#9 GreenMartian

GreenMartian

    Neowinian Senior

  • Joined: 28-August 04
  • Location: adelaide, au

Posted 17 September 2012 - 11:31

Maybe show us the dump of ifconfig, arp, and route on both linux boxes?

#10 OP cut

cut

    Neowinian

  • Joined: 28-August 12

Posted 17 September 2012 - 11:52

So that makes no sense then, none. Unless you have mask wrong with some really lucky/unlucky ip choices to where they fall in the mask. Points to firewall on the host to be honest.

I would sniff on the one you can not ping - does he see the pings? If so then clearly he is not answering for a reason, or does he answer just really slow and you're getting timeouts?

Or something really weird on the switch, try changing ports around. Is it a smart switch, or just a dumb switch - could you be blocking stuff on it?

proof.png

I've included a screenshot that shows on Linux 2 that the mask is default and correct. I've also rerun the command to shut down the firewall.

I'll sniff in about 2 hours and get with the results as I can't right now.

Maybe show us the dump of ifconfig, arp, and route on both linux boxes?

By dumps, I imagine the same thing as in the screenshot, correct?

#11 OP cut

cut

    Neowinian

  • Joined: 28-August 12

Posted 17 September 2012 - 12:04

I used tcpdump on the box I could not reach........Surprising results.

It seems that it DOES receive the ping and it actually replies but I do not see it on the command line. This was run on Linux 2 (box that does NOT reply)

13:58:22.992748 IP 192.168.100.115.ssh > linux2box..28107: Flags [P.], ack 2511154091, win 6068, length 196
13:58:22.993473 IP linux2box..28107 > 192.168.100.115.ssh: Flags [.], ack 196, win 4112, length 0
13:58:22.995735 IP 192.168.100.115.45340 > 192.168.100.100.domain: 2+ PTR? 115.100.168.192.in-addr.arpa. (46)
13:58:22.998776 IP 192.168.100.100.domain > 192.168.100.115.45340: 2 NXDomain* 0/1/0 (153)
13:58:23.003244 IP 192.168.100.100.domain > 192.168.100.115.46194: 3* 1/0/0 (95)
13:58:23.005639 IP 192.168.100.115.36789 > 192.168.100.100.domain: 4+ PTR? 100.100.168.192.in-addr.arpa. (46)
13:58:23.008618 IP 192.168.100.100.domain > 192.168.100.115.36789: 4 NXDomain* 0/1/0 (153)
13:58:23.902042 IP 192.168.100.199 > 192.168.100.115: ICMP echo request, id 5773, seq 1, length 64
13:58:23.902459 IP 192.168.100.115 > 192.168.100.199: ICMP echo reply, id 5773, seq 1, length 64
13:58:23.904009 IP 192.168.100.115.fido > 192.168.100.100.domain: 5+ PTR? 199.100.168.192.in-addr.arpa. (46)
13:58:23.907282 IP 192.168.100.100.domain > 192.168.100.115.fido: 5 NXDomain* 0/1/0 (153)
13:58:23.997979 IP 192.168.100.115.38366 > 192.168.100.100.domain: 6+[|domain]
13:58:24.001001 IP 192.168.100.100.domain > 192.168.100.115.38366: 6 NXDomain[|domain]
13:58:24.003131 IP 192.168.100.115.52267 > 192.168.100.100.domain: 7+[|domain]
13:58:24.006145 IP 192.168.100.100.domain > 192.168.100.115.52267: 7 NXDomain[|domain]
13:58:24.901941 IP 192.168.100.199 > 192.168.100.115: ICMP echo request, id 5773, seq 2, length 64
13:58:24.902274 IP 192.168.100.115 > 192.168.100.199: ICMP echo reply, id 5773, seq 2, length 64
13:58:24.950779 IP edited..59290 > 239.255.255.250.1900: UDP, length 133
13:58:24.955935 IP 192.168.100.100.domain > 192.168.100.115.47203: 8* 1/0/0 (95)
13:58:24.957545 IP 192.168.100.115.32870 > 192.168.100.100.domain: 9+ PTR? 250.255.255.239.in-addr.arpa. (46)
13:58:24.960529 IP 192.168.100.100.domain > 192.168.100.115.32870: 9 NXDomain 0/1/0 (103)
13:58:25.901936 IP 192.168.100.199 > 192.168.100.115: ICMP echo request, id 5773, seq 3, length 64
13:58:25.902267 IP 192.168.100.115 > 192.168.100.199: ICMP echo reply, id 5773, seq 3, length 64
13:58:26.901958 IP 192.168.100.199 > 192.168.100.115: ICMP echo request, id 5773, seq 4, length 64
13:58:26.902287 IP 192.168.100.115 > 192.168.100.199: ICMP echo reply, id 5773, seq 4, length 64
13:58:27.712914 ARP, Request who-has 192.168.100.115 ((oui Unknown)) tell linux2box., length 46
13:58:27.713037 ARP, Reply 192.168.100.115 is-at macadd (oui Unknown), length 28
13:58:27.970501 IP edited..59290 > 239.255.255.250.1900: UDP, length 133
13:58:28.152491 IP 192.168.100.115.52475 > 192.168.100.199.1194: UDP, length 69
13:58:28.523900 IP linux2box..28107 > 192.168.100.115.ssh: Flags [P.], ack 196, win 4112, length 52


#12 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 17 September 2012 - 12:14

So it is sending a reply to your ping -- do a sniff on the box that's sending, it's not seeing replies?

#13 OP cut

cut

    Neowinian

  • Joined: 28-August 12

Posted 17 September 2012 - 14:23

So it is sending a reply to your ping -- do a sniff on the box that's sending, it's not seeing replies?

OK, we are getting somewhere: The machine is not seeing the replies from Linux 1.

root@mylocalmachine:~# tcpdump -i eth2 > results
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
13 packets captured
78 packets received by filter
35 packets dropped by kernel
root@mylocalmachine:~# cat results
16:20:16.308831 IP mylocalmachine.local.ssh > localsite.net.27235: Flags [P.], seq 2762984911:2762985107, ack 2735301118, win 2387, length 196
16:20:16.308882 IP mylocalmachine.local.ssh > localsite.net.27235: Flags [P.], seq 196:248, ack 1, win 2387, length 52
16:20:16.309384 IP localsite.net.27235 > mylocalmachine.local.ssh: Flags [.], ack 196, win 4380, length 0
16:20:16.309672 IP mylocalmachine.local.27450 > 192.168.100.100.domain: 41740+ PTR? 199.100.168.192.in-addr.arpa. (46)
16:20:16.309791 IP localsite.net.27235 > mylocalmachine.local.ssh: Flags [P.], seq 1:85, ack 248, win 4367, length 84
16:20:16.309883 IP localsite.net.27235 > mylocalmachine.local.ssh: Flags [P.], seq 85:137, ack 248, win 4367, length 52
16:20:16.312555 IP 192.168.100.100.domain > mylocalmachine.local.27450: 41740 NXDomain* 0/1/0 (153)
16:20:16.313252 IP mylocalmachine.local.7622 > 192.168.100.100.domain: 56557+ PTR? 100.100.168.192.in-addr.arpa. (46)
16:20:16.316045 IP 192.168.100.100.domain > mylocalmachine.local.7622: 56557 NXDomain* 0/1/0 (153)
16:20:16.360744 IP mylocalmachine.local.ssh > localsite.net.27235: Flags [.], ack 137, win 2387, length 0
16:20:16.377800 IP mylocalmachine.local.ssh > localsite.net.27235: Flags [P.], seq 248:284, ack 137, win 2387, length 36
16:20:16.416444 IP6 fe80::217:3fff:fe99:e4ab.mdns > ff02::fb.mdns: 0 PTR (QM)? 100.100.168.192.in-addr.arpa. (46)
16:20:16.416502 IP mylocalmachine.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 100.100.168.192.in-addr.arpa. (46)

Also some are getting dropped by the kernel (which could be those)

#14 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 17 September 2012 - 15:22

Set your capture to only be icmp, that should rule out the drops being what you're looking for in your capture.

So this makes it even more interesting -- what would keep the replies from getting back, since it looks like your capture on the box you were pinging that it was putting replies back on the wire.

What kind of switch is this? Is it possible it's doing any filtering? I don't see any icmp in that capture at all?

I would be doing captures on both boxes at the same time, only for icmp and then create your traffic. What are you seeing?

So for example here is from my ubuntu box pinging another box. At the same time you should be doing the capture on the box you're pinging.

pingtest.jpg

I would also verify you're listening on the correct interface - eth2 seems odd to me in your post.
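
Added example, not part of the thread: a Python sketch of the two-sided ICMP comparison suggested in this post. It assumes both captures were taken as text with numeric addresses (for instance tcpdump -n -i <iface> icmp), matches echo requests to replies by id and seq, and says where each ping went missing. The target-side lines are copied from post #11; the sender-side lines and the function names are constructed.

```python
import re

ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

# Target-side capture: lines as posted in the thread (post #11).
TARGET_CAP = """\
13:58:23.902042 IP 192.168.100.199 > 192.168.100.115: ICMP echo request, id 5773, seq 1, length 64
13:58:23.902459 IP 192.168.100.115 > 192.168.100.199: ICMP echo reply, id 5773, seq 1, length 64
13:58:24.901941 IP 192.168.100.199 > 192.168.100.115: ICMP echo request, id 5773, seq 2, length 64
13:58:24.902274 IP 192.168.100.115 > 192.168.100.199: ICMP echo reply, id 5773, seq 2, length 64
"""
# Sender-side capture: constructed to mirror the symptom (requests, no replies).
SENDER_CAP = """\
13:58:23.901800 IP 192.168.100.199 > 192.168.100.115: ICMP echo request, id 5773, seq 1, length 64
13:58:24.901700 IP 192.168.100.199 > 192.168.100.115: ICMP echo request, id 5773, seq 2, length 64
"""

def icmp_events(capture_text):
    """Set of (kind, src, dst, id, seq) for every echo line in a capture."""
    events = set()
    for line in capture_text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            events.add((m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])))
    return events

def locate_loss(sender_cap, target_cap, sender_ip, target_ip):
    """Map seq -> verdict for each echo request the sender put on the wire."""
    s, t = icmp_events(sender_cap), icmp_events(target_cap)
    verdicts = {}
    for kind, src, dst, ident, seq in sorted(s):
        if kind != "request" or src != sender_ip or dst != target_ip:
            continue
        req = ("request", sender_ip, target_ip, ident, seq)
        rep = ("reply", target_ip, sender_ip, ident, seq)
        if req not in t:
            verdicts[seq] = "request lost before target"
        elif rep not in t:
            verdicts[seq] = "target did not answer"
        elif rep not in s:
            verdicts[seq] = "reply lost on return path"
        else:
            verdicts[seq] = "ok"
    return verdicts

if __name__ == "__main__":
    print(locate_loss(SENDER_CAP, TARGET_CAP, "192.168.100.199", "192.168.100.115"))
```

A "reply lost on return path" verdict only holds if the sender-side capture did not drop packets, so check the "dropped by kernel" counter tcpdump prints on exit.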

#15 OP cut

cut

    Neowinian

  • Joined: 28-August 12

Posted 18 September 2012 - 08:03

Set your capture to only be icmp, that should rule out the drops being what you're looking for in your capture.

Couldn't remember the way to filter, sorry.

What kind of switch is this? Is it possible it's doing any filtering? I don't see any icmp in that capture at all?

Dumb simple switch. Nothing about it special.


I would also verify you're listening on the correct interface - eth2 seems odd to me in your post.

The PC has 2 network cards. The first one (eth1) is ****ed up so I'm on eth2. I've also confirmed it with an ifconfig.

I'll try this in a second....