[nsd-users] nsd: Could not tcp connect to a:a:a:a::1:1: Operation timed out

Michael Grimm trashcan at odo.in-berlin.de
Thu Dec 27 11:24:33 UTC 2012

Hi Willem --

On 27.12.2012, at 10:03, Willem Toorop <willem at NLnetLabs.nl> wrote:
> On 26-12-12 16:23, Michael Grimm wrote:

>> Both servers are running well, serving all requests as expected, and the master is delivering all zones with axfr at startup perfectly well. But, I get the following error messages (for the IPv6 address only!) in the *slave*'s syslog:
>> | nsd: Could not tcp connect to a:a:a:a::1:1: Operation timed out
>> tcpdump at the *master* tells me (shortened to the relevant part):
>> | pass in on em0: (flowlabel 0x360ed, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1:1.15298 > a:a:a:a::1:1.53: Flags [S], cksum 0xfedd (incorrect -> 0x7df6), seq 1459122906, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 333780857 ecr 0], length 0
> I suspect the master and the slave are on the same host causing the
> checksum error (because checksum calculation is offloaded to the NIC).
> Is this true?

No, both jails are located at distinct servers (within the same datacenter, though).

> Is this the only packet you saw for the handshake? Did you see a
> Syn/Ack after this packet? I.e. a packet returning from a:a:a:a::1:1
> with "Flags [S.]"?

No, but I cannot see those flags for any tcpdump logfile entry over the last 30 minutes, capturing traffic by:

| tcpdump -n -e -ttt -s 256 -v -i pflog0    (pf firewall)
| tcpdump -n -e -ttt -s 256 -v -i em0       (outside interface)

(I do have to admit that I'm not that much of an expert with tcpdump.)

BTW, my firewall rules regarding nameserver traffic are as follows:

| pass in log on em0 inet6 proto tcp from any to a:a:a:a::1:1 port = domain flags S/SA keep state tag ip6domain
| pass in log on em0 inet6 proto udp from any to a:a:a:a::1:1 port = domain keep state tag ip6domain

> Do you see the tcp6 listening socket on the master with "sockstat -l"?

Yes, both servers listen at udp6 and tcp6 addresses.

> Do you use carp devices for the jails? I have seen some weird ipv6
> routing behaviour with those myself.

No, I only use my regular em0 device.

Thanks for confirming my configuration. Therefore, I'm now very much suspecting my host/jail setup and/or routing. I can reach every nsd server using a simple "telnet 53" from distinct servers, but it fails miserably with "telnet a:a:a:a::1:1 53".

Further hints are highly welcome.

Thanks and with kind regards,
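As an added example (not part of this thread), a small Python checker for the diagnosis Willem describes: it parses tcpdump -v lines of the shape quoted above, lists SYNs that never received a "[S.]" reply in the capture, and separates inbound packets marked "incorrect" (which the capturing host's own checksum offload cannot explain, so they point at a same-host sender or real corruption) from outbound ones. The sample lines are constructed for illustration.

```python
import re

# Pieces of a "tcpdump -n -v" line, with the pf log prefix ("pass in on em0:") optional.
TCP_RE = re.compile(
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
PF_RE = re.compile(r"\b(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+):")
CKSUM_RE = re.compile(r"cksum 0x[0-9a-f]+ \((?P<status>incorrect|correct)")

# Constructed sample capture: the SYN from the thread (no reply), plus a second
# client whose handshake completes; the outbound SYN-ACK carries an "incorrect"
# checksum because the NIC has not filled it in yet (offload).
SAMPLE = [
    "pass in on em0: (flowlabel 0x360ed, hlim 63, next-header TCP (6) payload length: 40) "
    "b:b:b:b::1:1.15298 > a:a:a:a::1:1.53: Flags [S], cksum 0xfedd (incorrect -> 0x7df6), seq 1459122906, win 65535, length 0",
    "pass in on em0: (hlim 64, next-header TCP (6) payload length: 40) "
    "c:c:c:c::2:2.40001 > a:a:a:a::1:1.53: Flags [S], cksum 0x1a2b (correct), seq 1, win 65535, length 0",
    "pass out on em0: (hlim 64, next-header TCP (6) payload length: 40) "
    "a:a:a:a::1:1.53 > c:c:c:c::2:2.40001: Flags [S.], cksum 0x3c4d (incorrect -> 0x5e6f), seq 2, ack 2, win 65535, length 0",
]


def parse_line(line):
    """Return a dict (src, sport, dst, dport, flags, dir, cksum) or None for non-TCP lines."""
    m = TCP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    pf = PF_RE.search(line)
    rec["dir"] = pf.group("dir") if pf else None
    ck = CKSUM_RE.search(line)
    rec["cksum"] = ck.group("status") if ck else None
    return rec


def unanswered_syns(lines):
    """(src, sport, dst, dport) of every SYN with no matching SYN-ACK in the capture."""
    syns, synacks = [], set()
    for rec in filter(None, map(parse_line, lines)):
        if rec["flags"] == "S":
            syns.append((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
        elif rec["flags"] == "S.":
            # A SYN-ACK answers the SYN with the reversed 4-tuple.
            synacks.add((rec["dst"], rec["dport"], rec["src"], rec["sport"]))
    return [k for k in syns if k not in synacks]


def suspicious_checksums(lines):
    """Inbound packets flagged 'incorrect'; outbound ones are the usual offload artefact."""
    return [r for r in map(parse_line, lines) if r and r["dir"] == "in" and r["cksum"] == "incorrect"]


if __name__ == "__main__":
    print("SYNs without SYN-ACK:", unanswered_syns(SAMPLE))
    print("inbound bad checksums:", [(r["src"], r["dst"]) for r in suspicious_checksums(SAMPLE)])
```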
