[nsd-users] nsd: Could not tcp connect to a:a:a:a::1:1: Operation timed out
trashcan at odo.in-berlin.de
Thu Dec 27 11:24:33 UTC 2012
Hi Willem --
On 27.12.2012, at 10:03, Willem Toorop <willem at NLnetLabs.nl> wrote:
> Op 26-12-12 16:23, Michael Grimm schreef:
>> Both servers are running well, serving all requests as expected, and the master is delivering all zones with afxr at startup perfectly well. But, I get the following error messages (for IPv6 address, only!) in the *slave*'s syslog:
>> | nsd: Could not tcp connect to a:a:a:a::1:1: Operation timed out
>> tcpdump at the *master* tells me (shortend to the relevant part):
>> | pass in on em0: (flowlabel 0x360ed, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1:1.15298 > a:a:a:a::1:1.53: Flags [S], cksum 0xfedd (incorrect -> 0x7df6), seq 1459122906, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 333780857 ecr 0], length 0
> I suspect the master and the slave are on the same host causing the
> checksum error (because checksum calculation is offloaded to the NIC).
> Is this true?
No, both jails are located at distinct servers (within the same datacenter, though).
> Is this the only packet you saw for the handshake? Did you see an
> Syn/Ack after this packet? I.e. A packet returning from a:a:a:a::1:1
> with "Flags [S.]"?
No, but I cannot see those flags for any tcpdump logfile entry over the last 30 minutes, capturing traffic by:
| tcpdump -n -e -ttt -s 256 -v -i pflog0 (pf firewall)
| tcpdump -n -e -ttt -s 256 -v -i em0 (outside interface)
(I do have to admit that I'm not that much an expert to tcpdump.)
BTW, my firewall rules regarding nameserver traffic are as follows:
| pass in log on em0 inet6 proto tcp from any to a:a:a:a::1:1 port = domain flags S/SA keep state tag ip6domain
| pass in log on em0 inet6 proto udp from any to a:a:a:a::1:1 port = domain keep state tag ip6domain
> Do you see the tcp6 listening socket on the master with "sockstat -l"?
Yes, both servers listen at udp6 and tcp6 addresses.
> Do you use carp devices for the jails. I have seen some weird ipv6
> routing behaviour with those myself.
No, I do only use my regular em0 device.
Thanks that you could confirm my configuration. Therefore, I'm now very much suspecting my host/jail setup and/or routing. I can reach every nsd server using a simple "telnet 188.8.131.52 53" from distinct servers, but failing miserably with "telnet a:a:a:a::1:1 53".
Further hints are highly welcome.
Thanks and with kind regards,
More information about the nsd-users