Having an AWS EC2 instance in a VPC, trying to add a secondary ENI to it. The interface has been successfully added with a security group I'm currently using for my primary instance ENI. Then a new Elastic IP has been added to the above-mentioned newly created secondary interface. A private IP address is added and the new Elastic IP is mapped to it. So it looks like 50.50.50.50 -> 10.0.120.1.

The eth1 secondary interface is up:
eth1 Link encap:Ethernet HWaddr 02:7e:51:91:9d:ed
inet addr:10.0.120.1 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::7e:51ff:fe91:9ded/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:274 errors:0 dropped:0 overruns:0 frame:0
TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12390 (12.3 KB) TX bytes:2362 (2.3 KB)
So far so good.
I have a local apache2 instance listening on all interfaces on both ports 80 and 443. This can be verified by looking at the netstat -apn output. Apache is there, really listening on all interfaces:
tcp6 0 0 :::80 :::* LISTEN 13603/apache2
If I try to do telnet 10.0.120.1 80, where 10.0.120.1 is the local IP of the newly added interface, it responds just fine.
If I try, however, the same from an external network (my local machine, for example): telnet 50.50.50.50 80, with tcpdump -i eth1 launched on the instance, it times out and here is what I see in the tcpdump output:
21:46:31.907721 IP my.external.ip.61809 > 10.0.120.1.http: Flags [S], seq 3126348761, win 8192, options [mss 1360,nop,wscale 2,nop,nop,sackOK], length 0
21:46:34.910779 IP my.external.ip.61809 > 10.0.120.1.http: Flags [S], seq 3126348761, win 8192, options [mss 1360,nop,wscale 2,nop,nop,sackOK], length 0
21:46:40.902797 IP my.external.ip.61809 > 10.0.120.1.http: Flags [S], seq 3126348761, win 8192, options [mss 1360,nop,nop,sackOK], length 0
21:47:02.982563 IP my.external.ip.61817 > 10.0.120.1.http: Flags [S], seq 3180271658, win 8192, options [mss 1360,nop,wscale 2,nop,nop,sackOK], length 0
21:47:05.984170 IP my.external.ip.61817 > 10.0.120.1.http: Flags [S], seq 3180271658, win 8192, options [mss 1360,nop,wscale 2,nop,nop,sackOK], length 0
21:47:11.981669 IP my.external.ip.61817 > 10.0.120.1.http: Flags [S], seq 3180271658, win 8192, options [mss 1360,nop,nop,sackOK], length 0
21:47:14.042766 ARP, Request who-has 10.0.120.1 tell 10.0.0.1, length 42
21:47:15.040646 ARP, Request who-has 10.0.120.1 tell 10.0.0.1, length 42
21:47:16.040884 ARP, Request who-has 10.0.120.1 tell 10.0.0.1, length 42
So the kernel actually receives the incoming packets, which probably means that everything is fine with the security group, at least for incoming connections. But Apache doesn't receive anything and logs nothing to its access log. At the same time, it responds and works fine with all other vhosts, whose IPs are mapped to the old primary ENI.
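As an added example, not part of the question above: a small POSIX shell helper that prints the policy-routing commands a Linux host needs so that traffic arriving on a secondary ENI is answered back out through that ENI instead of leaving via eth0's default route, an asymmetric path that reverse-path filtering drops and one common cause of exactly this picture (SYNs visible in tcpdump on eth1, no SYN-ACK, nothing in Apache's log). It assumes the AWS convention that the subnet router is the first host of the subnet; the /20 prefix and table id 100 are constructed values, since the post shows 10.0.120.1 on eth1 but not the real subnet mask.

```shell
#!/bin/sh
# Added example: policy routing for a secondary ENI on a Linux EC2 host.
# Replies to connections that arrived on eth1 must leave via eth1's own
# subnet router; otherwise they take eth0's default route and rp_filter
# drops the flow before Apache ever sees it.
# Assumption (AWS convention): the VPC subnet router is network address + 1.

ip_to_int() {
    # ip_to_int 10.0.120.1 -> 167802881
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_mask() {
    # prefix_mask 20 -> 4294963200 (0xFFFFF000 as a decimal integer)
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

subnet_network() {
    # subnet_network 10.0.120.1/20 -> 10.0.112.0
    int_to_ip $(( $(ip_to_int "${1%/*}") & $(prefix_mask "${1#*/}") ))
}

subnet_gateway() {
    # subnet_gateway 10.0.120.1/20 -> 10.0.112.1
    int_to_ip $(( $(ip_to_int "$(subnet_network "$1")") + 1 ))
}

eni_policy_routes() {
    # eni_policy_routes IFACE ADDR/PREFIX TABLE
    # Prints the commands; review them, then pipe into "sh" as root to apply.
    iface=$1; addr=${2%/*}; prefix=${2#*/}; table=$3
    net=$(subnet_network "$2"); gw=$(subnet_gateway "$2")
    # 1. Connected route for the subnet, scoped to the secondary table.
    printf 'ip route add %s/%s dev %s src %s table %s\n' "$net" "$prefix" "$iface" "$addr" "$table"
    # 2. Default route through the ENI's own subnet router.
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    # 3. Anything sourced from the ENI's address consults that table first.
    printf 'ip rule add from %s/32 lookup %s\n' "$addr" "$table"
}

# Constructed values: the post shows 10.0.120.1 on eth1 but not the real prefix.
eni_policy_routes eth1 10.0.120.1/20 100
```

Run as shown it only prints the three commands, so they can be checked against the subnet CIDR in the VPC console before anything is applied; rules added with ip are not persistent, so the same commands belong in the distribution's network configuration once confirmed.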
0 Answers