f



Stupid Stupid 11.00 "Feature".

For days, we've been having networking problems with a server just being put
into production.   It had been tested thoroughly, but it seems that as soon
as we shifted it to the prod subnet, it lost connectivity.  Everything at
the OS level appeared to be configured correctly.

Second day of this, I notice that after the server boots, I get ~minutes in
which the networking DOES work, after which point, my session is killed, and
I am unable to initiate more.

Third day, network guy who is scrutinizing firewall/router logs notices that 
our server is pinging its gateway every 3 minutes and 3 seconds.

After some research, we find the following:

11.00 pings it's gateway every 183 seconds, and it it doesn't get a
response, it drops the route.  Actually, it doesn't even drop it from the
routing table, it stops using it.  This is a "feature" to allow failing over
to a secondary gateway in case of the failure of the primary.  In our case,
our gateway is also a firewall that drops ICMP.  Once discovered, we were
able to turn off this "feature" using ndd.

1)  Cute feature, but why is it enabled by default?

2)  Many gateways have their own protocols to ensure failover.  Why does
this need to be done at the OS level?

3)  If it's going to drop the route, why doesn't it do so VISIBLY, and
remote it from the routing table?


AFAICT, someone needs their peepee slapped, and hard.



-- 
..............................................................................

"The human rights group [Amnesty International] said Israel has arrested
 more than 1,500 Palestinians in the past year, and that many of the
 detainees were tortured"

                              -Laurie Copans, Associated Press, (28/08/2001)

..............................................................................
dswan@m3m3t1ccand1ru.com                        http://www.memeticcandiru.com
0
3r1c_3
7/10/2003 6:22:39 PM
comp.sys.hp.hpux 4408 articles. 1 followers. dewi.bening (7) is leader. Post Follow

4 Replies
357 Views

Similar Articles

[PageSpeed] 47

On Thu, 10 Jul 2003 18:22:39 GMT, 3r1c_3$7r4d4@salmahayeksknockers.edu wrote:

[snipped long explanation]

>  AFAICT, someone needs their peepee slapped, and hard.

This _is_ a weird feature, but as long as rfc1812 says:

   4.3.3.6 Echo Request/Reply

     A router MUST implement an ICMP Echo server function that receives
     Echo Requests sent to the router, and sends corresponding Echo
     Replies.

it seems the only thing to blame HP for is (possibly) lack of
documentation on this feature.

I'm not saying you should reconfigure your firewall to respond to icmp 
echo-reqs, but when it actually routes packets and otherwise acts like a 
router, chances are some systems will expect it to behave like a router.  

(And I must admit, I don't see the big risk by letting your own hosts, or
at least your own servers, ping your firewall.)


- Eirik
-- 
New and exciting signature!

0
Eirik
7/10/2003 8:12:34 PM
Eirik Seim <eirik@mi.uib.no> wrote:

> This _is_ a weird feature, but as long as rfc1812 says:

>   4.3.3.6 Echo Request/Reply

>     A router MUST implement an ICMP Echo server function that receives
>     Echo Requests sent to the router, and sends corresponding Echo
>     Replies.

I definitely agree our networking group shouldn't be doing this.  I suspect
this is the result of rote application of an internal standard.

> it seems the only thing to blame HP for is (possibly) lack of
> documentation on this feature.

Feature is cute, but shouldn't be enabled by default.    Same goes for all
special-purpose features that may impact other functionality.


> I'm not saying you should reconfigure your firewall to respond to icmp 
> echo-reqs, but when it actually routes packets and otherwise acts like a 
> router, chances are some systems will expect it to behave like a router.  

> (And I must admit, I don't see the big risk by letting your own hosts, or
> at least your own servers, ping your firewall.)

Niether do I, particularly when it's all internal.... but it ain't my call.


-- 
..............................................................................

"In June 1967, we again had a choice:  The Egyptian Army concentrations in
 the Sinai approaches do not prove that Nasser was really about to attack 
 us.  We must be honest with ourselves.  We decided to attack him"
 
                                                           -Menachem Begin

..............................................................................
dswan@m3m3t1ccand1ru.com                        http://www.memeticcandiru.com
0
3r1c_3
7/11/2003 6:18:36 AM
Rick Jones <foo@bar.baz.invalid> wrote:

>> 1)  Cute feature, but why is it enabled by default?
> Because enough customers asked for dead gateway detection in the
> timeframe of HP-UX 10.20 that it was added and enabled for 11.0.

That explains why we have it, but not why it's enabled by default.  I've no
problem with it being available for those who may need it, but it's of
little use to those who don't even know about it, and havn't made the extra
configurations necessary.


>> 2) Many gateways have their own protocols to ensure failover.  Why
>> does this need to be done at the OS level?

> It is done in the host's networking stack because not all gateways
> had/have that failover functionality you describe.  The host needs to
> be liberal in what it accepts, and that means accepting gateways
> without their own failover mechanisms.

Fair enough.

>> 3) If it's going to drop the route, why doesn't it do so VISIBLY,
>> and remote it from the routing table?

> If the route were simply removed from the output of netstat -r that
> would probably just confuse people and make them think that something
> was deleting routes. 

At least that would be a far more tangible troubleshooing starting point
than routes that look like they should work, but don't.


>> AFAICT, someone needs their peepee slapped, and hard.

> You might include the firewall for not responding to ICMP echo
> requests from the "inside" side :)

I definitely agree.   I think denying ICMP internally is ridiculous.


-- 
..............................................................................

"In the name of "security" Israel has effectively legalized torture, held 
 people under administrative detention and allowed the security forces to
 carry out extra-judicial and other unlawful killings with impunity"
        
                           -Amnesty International Press Release, 23/12/98

..............................................................................
dswan@m3m3t1ccand1ru.com                        http://www.memeticcandiru.com
0
3r1c_3
7/11/2003 6:26:16 AM
3r1c_3$7r4d4@salmahayeksknockers.edu wrote:
> Rick Jones <foo@bar.baz.invalid> wrote:

>>> 1)  Cute feature, but why is it enabled by default?
>> Because enough customers asked for dead gateway detection in the
>> timeframe of HP-UX 10.20 that it was added and enabled for 11.0.
> That explains why we have it, but not why it's enabled by default.
> I've no problem with it being available for those who may need it,
> but it's of little use to those who don't even know about it, and
> havn't made the extra configurations necessary.

I can only presume that when the decision was made, no-one figured
there would be many devices out there acting as IP routers that did
not adhere to the protocol standards :)

>>> 3) If it's going to drop the route, why doesn't it do so VISIBLY,
>>> and remote it from the routing table?

>> If the route were simply removed from the output of netstat -r that
>> would probably just confuse people and make them think that something
>> was deleting routes. 

> At least that would be a far more tangible troubleshooing starting point
> than routes that look like they should work, but don't.

I suppose I could see both sides.  It would certainly be worth calling
the RC and having an enhancement request submitted so it can flow
though official channels.  

Not that it helps in your specific situation (since the hrose is
already gone as it were) in another forum, I saw mention that some of
the ndd output might show a flag for a dead gateway - probably one of
the things that can be retrieved via ndd /dev/ip - ndd /dev/ip ?
should give a complete list.
ftp://ftp.cup.hp.com/dist/networking/briefs/annotated_ndd.tx might
also help.  I must say that I've never used the ndd thing to see a
gateway marked dead myself.

rick jones
-- 
oxymoron n, commuter in a gas-guzzling luxury SUV with an American flag
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to raj in cup.hp.com  but NOT BOTH...
0
Rick
7/15/2003 11:04:31 PM
Reply: