jessie -> stretch: Debian router fails specific connections


Postby reinhard.munz » 2018-08-01 23:35

Hi,

I have a Debian VM running on Citrix XenServer as a router in a remote site. I upgraded this router from jessie to stretch a few days ago and by now several clients have reported that specific websites stopped loading and specific mail accounts stopped synchronizing since that day. All other connections work as before.

I am using shorewall but when I turn on logging all connections are logged as accepted and none are logged as rejected or dropped. Clients often hang at TLS handshakes and most of the not working connections are TLS encrypted. However, I have seen one or two unencrypted websites that don't work. All these connections work flawlessly when I revert to a previous snapshot with jessie.

The symptoms of my problem sound exactly like the ones described for an Ubuntu 18.04 system here: https://ubuntuforums.org/showthread.php?t=2391692
If it's indeed the same problem, then it would have carried over into buster and must have been around for some time. I'm thus hoping that someone knows a simple and quick solution. So if you do, I'm all ears.

Otherwise there's not much I can do at the moment. I'm limited in the abilities to debug. I cannot boot the snapshot of the faulty system without interfering with the working one. And I do not have a second Citrix cluster to move it to.

I am only writing this to see whether by chance anyone has had the same problem and found a solution other than reinstalling the machine (as the one did for the Ubuntu system). I didn't find much else by googling although that might be due to the fact I'm not even sure what the exact problem is and what I should google for. Unfortunately, most additional debugging must wait until I am on site again later this year.

Please let me know if I should provide any additional information.

Thanks,
Reinhard
reinhard.munz
 
Posts: 2
Joined: 2018-08-01 22:47

Re: jessie -> stretch: Debian router fails specific connecti

Postby p.H » 2018-08-03 11:01

Do you use PPPoE too?
Have you considered an "MTU black hole" issue?
p.H
 
Posts: 423
Joined: 2017-09-17 07:12

Re: jessie -> stretch: Debian router fails specific connecti

Postby reinhard.munz » 2018-08-03 12:08

Thanks p.H, exactly the hint I needed.

Turns out CLAMPMSS=No in the default shorewall.conf. I replaced the previous conf and forgot to change that option. My bad. Thanks for the help.
reinhard.munz
 
Posts: 2
Joined: 2018-08-01 22:47

Re: jessie -> stretch: Debian router fails specific connecti

Postby p.H » 2018-08-04 06:27

Glad it helped. Be aware that MSS clamping is just a workaround which does not fix the real issue and works only with TCP connections. Other protocols such as UDP, ICMP, non-TCP based VPNs... are still affected.
p.H
 
Posts: 423
Joined: 2017-09-17 07:12
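
Added example, not part of the original posts: a small check for the setting that caused this problem, which reads the effective CLAMPMSS value from a shorewall.conf so that a replaced configuration file is noticed after an upgrade. The function names, the sample files and the 1492-byte PPPoE MTU are assumptions for illustration; the poster did not say which link type is in use.

```shell
#!/bin/sh
# Added example: audit a shorewall.conf for the CLAMPMSS setting from this thread.

# Print the effective CLAMPMSS value: "disabled", "pmtu" or "fixed:<mss>".
# Unset or empty counts as disabled; the last assignment in the file wins.
clampmss_status() {
    conf=$1
    val=$(sed -n 's/^[[:space:]]*CLAMPMSS=\([^#[:space:]]*\).*/\1/p' "$conf" \
          | tail -n 1 | tr -d "\"'")
    case $(printf '%s' "$val" | tr '[:upper:]' '[:lower:]') in
        yes)        echo pmtu ;;            # clamp TCP MSS to the path MTU
        ''|no)      echo disabled ;;        # no clamping at all
        *[!0-9]*)   echo "invalid:$val" ;;  # neither Yes/No nor a number
        *)          echo "fixed:$val" ;;    # clamp to an explicit MSS
    esac
}

# Largest IPv4 TCP MSS that fits a link MTU
# (20-byte IP header + 20-byte TCP header, no options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Run the check over constructed sample files (not the poster's configuration).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# file replaced during upgrade' 'CLAMPMSS=No' > "$dir/default.conf"
    printf '%s\n' 'CLAMPMSS=No' 'CLAMPMSS=Yes   # restored' > "$dir/fixed.conf"
    for f in "$dir"/*.conf; do
        printf '%s: %s\n' "${f##*/}" "$(clampmss_status "$f")"
    done
    echo "MSS for a 1492-byte MTU (typical PPPoE, assumed): $(mss_for_mtu 1492)"
    rm -rf "$dir"
}

demo
```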

