jtlindsey's questions

On a production server, I have automated task that send the same SSH commands and amount of data over the wire once a minute to a remote production server. The only thing that may change is a few values in the object. This process has been working in a program for years without issues. Without any local changes, we started having random instances of ECONNRESET and Connection lost before handshake errors. It started with a few a day and grew to multiple per hour. The destination server admin says their logs aren't providing useful info...just says Received disconnect from <origin_ip> port 21549:11 or pam_unix(sshd:session): session closed for user <username>.

Since the connection is initially successful (socket connected), ssh -vvv or the equivalent inside my ssh tooling hasn't been helpful in gathering additional data when the connection is broken before all data is sent. Sometimes connections are breaking less than 12 seconds after socket is connected.

I ran mtr <destinatioin_ip> to inspect the trace and with 9 hops there was only packet loss at the last hop, the destination. It would usually be between 12% and 20%. Never less than 6%. But given it's using ping/ICMP which is sometimes throttled, I don't think it reliably confirms a problem with the ssh connection. So I ran mtr -T -P 22 <destination_ip> to check SSH/TCP which frequently shows 0% loss in the first 8 hops and as much as 29% packet loss only at hop 9, the destination. But less frequently, it sometimes shows as much as 50% packet loss at each of the first 8 hops and never making it to hop 9. Confusing.

While doing test like the above or just letting the automations retry on their own, eventually the destination server will block all my SSH connections. At that point ssh -vvv <destination_ip> will hang and then say connection timed out:

ssh -vvv <user@destination_ip>
OpenSSH_7.6p1 Ubuntu-4ubuntu0.7, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "<destination_ip>" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to <destination_ip> [<destination_ip>] port 22.
debug1: connect to address <destination_ip> port 22: Connection timed out
ssh: connect to host <destination_ip> port 22: Connection timed out

To resolve the connection timed out, the destination server admin said he restarts the ssh server. At that point i can connect again but the random disconnects continue until eventually being completely blocked again.

pfSense is the firewall for the origin server network along with Ubiquiti switches. The origin firewall shows no blocked SSH connections and never more than 2-3 ssh connections to the destination server at the same time.

Is the above sufficient to suggest the problem is at least not my server and is likely the destination server (hop 9)? Is there anything else I should be looking at locally to isolate if the cause is local?

I have full control over the local production server. The problem is, without sufficient evidence to confirm the issue is not local, i'm having a hard time escalating the remote team to do additional research on their end.

I'm running ESXi 6.5 embedded host client. When i ssh into the system I can run esxcli vm process list and get the expected output:

testserver1
   World ID: 67909
   Process ID: 0
   VMX Cartel ID: 67908
   UUID: someuuid
   Display Name: testserver1
   Config File: /vmfs/volumes/somelocation/testserver1/testserver1.vmx

But if i run esxcli vm process kill –t=soft –w=67909 I get the error Error: Unknown command or namespace vm process kill –t=soft –w=67909

To confirm i'm running the correct command, i ran esxcli vm process kill -help and get

Error: Invalid option -h

Usage: esxcli vm process kill [cmd options]

Description: 
  kill                  Used to forcibly kill Virtual Machines that are stuck and not responding to normal stop operations.

Cmd options:
  -t|--type=<str>       The type of kill operation to attempt. There are three types of VM kills that can be attempted:   [soft, hard, force]. Users should always
                        attempt 'soft' kills first, which will give the VMX process a chance to shutdown cleanly (like kill or kill -SIGTERM). If that does not work
                        move to 'hard' kills which will shutdown the process immediately (like kill -9 or kill -SIGKILL). 'force' should be used as a last resort
                        attempt to kill the VM. If all three fail then a reboot is required. (required)
  -w|--world-id=<long>  The World ID of the Virtual Machine to kill. This can be obtained from the 'vm process list' command (required)

Can you see anything i'm doing wrong that might be preventing this command from working? I realize there's vim-cmd alternative in docs but i'm trying to figure out why the first option from the docs is responding like it's not even a valid command.

How do i get rsyslog to mirror traffic unmodified (including origin IP) to another port?

I have many devices sending data into port 514 but i need two different applications on the server to receive that data.

I tried adding the following to the bottom of /etc/rsyslog.conf

*.* @@127.0.0.1:1514

# also tried
*.* @127.0.0.1:1514

The application listening on 1514 get's all the data but the source address is always 127.0.0.1. If i send logs directly to port 1514 the application listening at 1514 see's the correct source address but now rsyslog doesn't see the data since it's listening on port 514.

How do i get rsyslog to mirror traffic unmodified (including origin IP) to another port?

For whatever reason the following iptables rules as an alternative to the above are not redirecting traffic on Ubuntu server 18.04LTS to resolve the problem so i was hoping there was a way to tweak my /etc/rsyslog.conf to make sure 1514 saw the original source instead of 127.0.0.1.

Example alternative iptables rule that isn't mirroring traffic (or at least graylog can't see it).

iptables -t mangle -A PREROUTING -p tcp --dport 514 -j TEE --gateway 127.0.0.2
iptables -t nat -A PREROUTING -d 127.0.0.2 -p tcp --dport 514 -j DNAT --to 127.0.0.1:1514

iptables -t mangle -A PREROUTING -p udp --dport 514 -j TEE --gateway 127.0.0.2
iptables -t nat -A PREROUTING -d 127.0.0.2 -p udp --dport 514 -j DNAT --to 127.0.0.1:1514

Note that my ufw rules are 22 ALLOW Anywhere and 514 ALLOW Anywhere

I have a LAN based site that was setup to resolve via a internal domain like dev.example.com via host overrides in DNS resolver (overrides LAN request to dev.example.com to <internalIP:PORT>). It was fast and worked great. Then we needed to access the site remotely. So i setup NAT/Port Forwarding so that <publicIP:PORT> resolved to the <internalIP:PORT>. The NAT setup is lightning fast. Access via WAN is good as expected but LAN access is so much faster to that site now.

A request to <publicIP:PORT> from the LAN is much faster than request to dev.example.com from LAN were and I don't know why. I don't have specific time stamps but its so much faster we noticed it right off the bat and speed wasn't an issue before.

Is NAT/Port Forwarding process Faster than DNS Host Overrides?

I'm trying to export a 60 GB VM from VMware ESXi to my computer via the ESXi embedded host client. Each time i try, it gets about 20 GB of disk-0.vmdk file downloaded (downloading ~1GB/min) and then it stops with Network Error

• VMware ESXi v6.5.0 (build 4887370)
• ESXi embedded host client version 1.23.0 (build 6360286)
• The "Recent Task" pane says 'Completed successfully' next to Export Vm.
• I have no snapshots attached to this vm
• The destination location has 200GB of free space.
• Host and web client connected over ethernet (not wifi).

I've tried 3 times now and it keeps failing. Any idea what the root problem is? Is there another way to export the vm without shutting down the host?

If I have one device (192.168.12.5) on LAN interface that I want to prevent from accessing the internet and i put a rule (top rule #1) on LAN interface to:

Block 
Protocol Ipv4*  
Source 192.168.12.5 Port *  
Destination ANY Port * Gateway *  

The rule works and the machine cannot access the internet. But why does the following not work on the LAN interface?

Block  
Protocol Ipv4*  
Source 192.168.12.5 Port *  
Destination WAN_net Port * Gateway * 

Everywhere I have seen online shows the same technique for doing this (set destination to any). Why is this? I'm trying to block traffic from exiting the WAN from that IP. I would think that would mean my destination should be WAN net.

I'm using DNS Resolver with a new pfSense v2.3.4 installation with "Register DHCP static mappings in the DNS Resolver" checked

I'm using the same setup in a pfSense installation with dedicated hardware. However, the same configuration doesn't work while running pfSense in VMware ESXi. If I manually add each hostname to hostname overides, it works.

What would prevent pfSense "Register DHCP static mappings in the DNS Resolver" from working?

"Disable DNS Forwarder" is not checked under general settings

Static IP Machine DIG
; <<>> DiG 9.10.3-P4-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52331
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.            IN   NS

;; ANSWER SECTION:
.         211203   IN   NS   j.root-servers.net.
.         211203   IN   NS   a.root-servers.net.
.         211203   IN   NS   f.root-servers.net.
.         211203   IN   NS   c.root-servers.net.
.         211203   IN   NS   d.root-servers.net.
.         211203   IN   NS   b.root-servers.net.
.         211203   IN   NS   e.root-servers.net.
.         211203   IN   NS   l.root-servers.net.
.         211203   IN   NS   i.root-servers.net.
.         211203   IN   NS   m.root-servers.net.
.         211203   IN   NS   g.root-servers.net.
.         211203   IN   NS   k.root-servers.net.
.         211203   IN   NS   h.root-servers.net.

;; Query time: 31 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Fri Jul 07 08:50:55 EDT 2017
;; MSG SIZE  rcvd: 239


DHCP Machine DIG

; <<>> DiG 9.10.3-P4-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14538
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.            IN   NS

;; ANSWER SECTION:
.         200667   IN   NS   m.root-servers.net.
.         200667   IN   NS   l.root-servers.net.
.         200667   IN   NS   h.root-servers.net.
.         200667   IN   NS   c.root-servers.net.
.         200667   IN   NS   b.root-servers.net.
.         200667   IN   NS   i.root-servers.net.
.         200667   IN   NS   e.root-servers.net.
.         200667   IN   NS   a.root-servers.net.
.         200667   IN   NS   k.root-servers.net.
.         200667   IN   NS   d.root-servers.net.
.         200667   IN   NS   f.root-servers.net.
.         200667   IN   NS   j.root-servers.net.
.         200667   IN   NS   g.root-servers.net.

;; Query time: 35 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Fri Jul 07 10:31:38 EDT 2017
;; MSG SIZE  rcvd: 239


nslookup FreeNas
Server:      192.168.0.1
Address:   192.168.0.1#53

** server can't find FreeNas: NXDOMAIN


DHCP example

nslookup tpc1
Server:      192.168.0.1
Address:   192.168.0.1#53

** server can't find tpc1: NXDOMAIN


nslookup tpc1.yodomain
Server:      192.168.0.1
Address:   192.168.0.1#53

Name:   tpc1.yodomain
Address: 192.168.0.146

LAN rules for this network

I have a machine running Ubuntu 16LTS with KVM/QEMU for a hypervisor. It has 1 guest running right now (A Ubuntu Server) that is using less than 1% of it's CPU and about 100MB of the 1000MB RAM allocated to it.

The Host is a 8core AMD with 16GB RAM and at idle with no guest running has a load avg of 0.00. With that one guest vm the host load climbs to a load avg of 2.50 - 2.70 and the fans are spinning at max RPMs and stays like that. This is a new problem noticed within the past day.

What would cause the host to have such a high load when that 1 guest vm is running and using so little resources?

update I'm starting to wonder if it has something to do with other machines connected to the guest vm via samba share. I just restarted the host, the guest, and all physical machines that were connected via samba to the guest vm and all has gone back to normal. Before a restart of the VM host or guest would not resolve anything. After they were both running again the problem would immediately start. However now the VM Host load is back to 0.00 and everything else is working normal. I'm not sure what caused the problem.