Ammar Lakis's questions

I have a docker cluster with an OpenVPN container as an access server and a dns container as a forwarder. All containers are connected to a docker overlay network called vpn, but some run as a docker swarm stack and others are running independently from swarm.

An OpenVPN client can connect and use dns to resolve internal containers names, I had to add an iptables masquerade rule to achieve this, but can't ping containers in stack despite being accessible from OpenVPN container. I've checked iptables rules and routing tables and couldn't figure out why it returns host unreachable while trying to ping a stack service from an OpenVPN client.

Due to need to scale, I'm setting a new l2tp server using l2tpns and trying to balance the load between my two l2tp servers using LVS

LVS configuration

ipvsadm -A -u 192.168.10.10:1701 -s sh
ipvsadm -A -u 192.168.10.10:1701 -r 10.10.10.2 -m
ipvsadm -A -u 192.168.10.10:1701 -r 10.10.10.3 -m

Each of the l2tp servers is working as standalone but cannot work behind the LVS, so the problem is with the LVS when it passes the traffic to l2tp servers, and I', getting the following error in l2tpns log

Out of sequence tunnel 2, (0 is not the expected 1)
Duplicate SCCRQ?
Control message (91 bytes): (unacked 1) l-ns 1 l-nr 1 r-ns 0 r-nr 0

Any ideas why does it fail to establish a successful connection with l2tp ?

I'm searching for a way to log every command executed on a cisco switch/router, I have a catalyst 2960s with lanbase image, and a catalyst 4500e with ipbase image.

I've found a way to log commands executed in config mode with the following configuration

archive
    log config
     logging enable 100
     notify syslog
     hidekeys

but I want to log every command including show version for example. Any ideas ?

I'm trying to redirect the traffic coming from clients to external proxy server.

I've the following architecture

                        +----------------------------+                       
                        |                            |                       
                        |        External Server     |                       
                        |                            |                       
                        +------------+---------------+                       
                                     |eth0 public ip                         
                                     |                                       
                                     |                                       
                                     |                                       
                                     |eth0 pubic ip                          
                        +------------+---------------+                       
                        |                            |                       
                        |      Localnet Gateway      |                       
                        |                            |                       
                        +------------+---------------+                       
                                     |eth0 192.168.1.1                       
                                     |                                       
                                     |                                       
                                     |                                       
                                     |                                       
                                     |                                       
+---------------------+              |                 +--------------------+
|                     |              | eth0 192.168.1.3|                    |
|   Client            +--------------+-----------------+   Clients gateway  |
|                     |eth0 192.168.1.2                |                    |
|                     |                                |                    |
+---------------------+                                +--------------------+

I ran sshuttle on clients' gateway and it tunnels all traffic from Clients gateway server to the external server, but not the traffic coming from clients. When dumping tcp connections on Clients gateway I can see the response and reply to the client but can't connect to the internet. These are iptables after running sshuttle:

*nat
:PREROUTING ACCEPT [145:13378]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:sshuttle-12300 - [0:0]
-A PREROUTING -j sshuttle-12300
-A POSTROUTING -s 192.168.1.2/32 -j SNAT --to-source 192.168.1.3
-A OUTPUT -j sshuttle-12300
-A sshuttle-12300 -d 127.0.0.0/8 -p tcp -j RETURN
-A sshuttle-12300 -p tcp -j REDIRECT --to-ports 12300

and the tcpdump -nni eth0 host 192.168.1.2 and port 80 output:

21:10:22.812066 IP 85.12.58.8.80 > 192.168.1.2.64833: Flags [R.], seq 0, ack 1, win 0, length 0
21:10:23.313912 IP 192.168.1.2.64833 > 85.12.58.8.80: Flags [S], seq 4176760380, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:10:23.313926 IP 85.12.58.8.80 > 192.168.1.2.64833: Flags [R.], seq 0, ack 1, win 0, length 0
21:10:23.316556 IP 192.168.1.2.64834 > 212.73.221.202.80: Flags [S], seq 1828956934, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:10:23.316571 IP 212.73.221.202.80 > 192.168.1.2.64834: Flags [R.], seq 0, ack 1828956935, win 0, length 0
21:10:23.816987 IP 192.168.1.2.64834 > 212.73.221.202.80: Flags [S], seq 1828956934, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:10:23.817020 IP 212.73.221.202.80 > 192.168.1.2.64834: Flags [R.], seq 0, ack 1, win 0, length 0
21:10:24.317986 IP 192.168.1.2.64834 > 212.73.221.202.80: Flags [S], seq 1828956934, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:10:24.318001 IP 212.73.221.202.80 > 192.168.1.2.64834: Flags [R.], seq 0, ack 1, win 0, length 0
21:10:24.323263 IP 192.168.1.2.64836 > 38.124.168.119.80: Flags [S], seq 695092282, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:10:24.323277 IP 38.124.168.119.80 > 192.168.1.2.64836: Flags [R.], seq 0, ack 695092283, win 0, length 0
21:10:24.831593 IP 192.168.1.2.64836 > 38.124.168.119.80: Flags [S], seq 695092282, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:10:24.831623 IP 38.124.168.119.80 > 192.168.1.2.64836: Flags [R.], seq 0, ack 1, win 0, length 0

as you can see the server responses to the client but still unable to connect to the internet.

any help ?

I have 2 linux boxes running centos 6.5 each with 2 interfaces bonded together, linked to a Cisco 2960-S switch with lacp configured ports.

The configuration on the switch

port-channel load-balance src-dst-mac
!
interface Port-channel1
 switchport access vlan 100
 switchport mode access
!
interface Port-channel2
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast
 channel-protocol lacp
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 switchport access vlan 100
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast
 channel-protocol lacp
 channel-group 1 mode active
!
interface GigabitEthernet0/3
 switchport access vlan 100
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast
 channel-protocol lacp
 channel-group 2 mode active
!
interface GigabitEthernet0/4
 switchport access vlan 100
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast
 channel-protocol lacp
 channel-group 2 mode active
!

and on the both linux sides I've loaded the kernel bonding module with the configuration

alias bond0 bonding
options bond0 miimon=100 mode=4 lacp_rate=1

Now the problem is that I transfer many files from one server to another monitoring the traffic graphs showing that the speed doesn't exceed the 1Gb/s speed for the bonding interface bond0.

is there any problem with the configuration ? shouldn't the speed be doubled to 2Gb/s ?

I'm running some HP Proliant DL360 G6 servers with vmware esxi, and I have a Synology Diskstation appliance, all connected to a layer3 switch "Cisco Catalyst 4500" in a specific vlan and every server has its own static ip address with no dhcp pools configured in this network.

The problem is that sometimes when I call the Diskstation ip address a vmware server, specifically the first server, responds although it has its own static ip and doesn't conflict with any other server.

Sometimes the Diskstation responds and it works.

What could the cause be? it first looked to me like an ip conflict or something cause of observed ip range in vmware, but still can't see how to solve this problem.

I have haproxy installed on CentOs6.4 x64 but I need to see the stats from the terminal with command haproxy -s

The man file says

  -s     Show statistics (only if compiled in).  Statistics are only available if compiled in with the  'STATTIME'  option.   It's  only
         used during code optimization phases, and will soon disappear.

removed the current version with yum and compiled the source code with

make TARGET=linux2628 USE_EPOLL=1 USE_OPENSSL=1 STATTIME=1 ARCH=x86_64 && make install

everything works fine and the HAProxy is working but the -s option still not working

any ideas why this happening ?