[nSLUG] Problems with Eastlink Hosting Multiple IPs on One Network Interface

Jim Campbell jim at jcampbell.ca
Mon Nov 14 23:26:03 AST 2005

Jason Kenney wrote:
> Hi,
>> We have three static IPs handled by a Cyberguard SG570 firewall 
>> appliance (embedded Linux 2.4.26). Two of the static IPs are aliases 
>> on the same firewall port. We have had this arrangement for about 14 
>> months. Starting about a month ago we have a high packet loss to the 
>> aliased IPs. I have had several long talks with their tech support, 
>> basically they believe that the problem is that the ARP table (IP to 
>> MAC table) on their end is not getting updated as fast as the packets 
>> originating from our firewall are changing this relationship. They 
>> have no idea why this behaviour has only occurred recently. Running a 
>> tcpdump on the internet interface while pinging an
> Did they indicate more precisely what "recently" is?
Recently is my time estimate. I started getting reports of FTP problems 
about two weeks ago. According to their records, there haven't been any 
changes in that time range. However, Eastlink did an upstream router 
software upgrade on Nov 10 which they were hoping would fix the problem; 
they also swapped the cable modem, and I swapped our firewall appliance 
hardware as well as trying a firmware upgrade on it.
>> aliased IP on the firewall from an external client shows the firewall 
>> responding to each and every ping but only about 30% of the replies 
>> actually make it back to the client. Eastlink say that another 
>> customer with a different firewall make is also reporting the same 
>> problem. We are running the identical firewall hardware handling 
>> five static IPs on a single interface with Aliant with no difficulty.
>> I would be interested in hearing reports from anybody else out there 
>> with a similar network arrangement (Linux 2.4 kernel aliasing static 
>> IPs) with Eastlink. Does it work for you?
> I don't have a static IP, just the regular residential service, but 
> I've noticed another problem for at least two months now.
> It has been much better this week however, and I haven't seen the 
> usual strange behaviour:
> - Failure to open any new connections, except to peers for about 5-10 
> minutes.
> For example, my MSN Messenger would continue to work correctly, but 
> any website I tried to visit would just time out (the DNS would 
> resolve though). I could however get to any of Dalhousie. (But not 
> cnn.com, etc.)
> A temporarily outdated or not updating ARP table somewhere up their 
> line might explain this I guess. I know at least three other people on 
> different subnets who had the same problem, but I haven't heard any 
> complaints in the last couple days, so maybe it's been fixed.
> I had a theory it might have been due to poorly implemented traffic 
> shaping, but this was hard to test, and unclear. It was clear it was 
> something in Eastlink, since everywhere else died, but proxying 
> through Dal worked fine.
> Maybe it's related. *shrug*
> Jason