CentOS7 AWS AMI Routing Issue

Post by Tormod » 2015/02/25 17:07:57

We use StrongSwan to VPN into our VPC within AWS. We had been using CentOS6.5 without issue, but since we upgraded to CentOS7, CentOS 7 x86_64 (2014_09_29) EBS HVM-b7ee8a69-ee97-4a49-9e68-afaee216db2e-ami-d2a117ba.2 (ami-e4ff5c93), there seems to be fairly substantial packet loss, as below.

Code:

Cluny-Suite3-SW#ping 10.41.0.186 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.41.0.186, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!
!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!
Success rate is 97 percent (97/100), round-trip min/avg/max = 25/27/34 ms
Cluny-Suite3-SW#

You can see that 3 packets were dropped out of 100. I know that these packets are making it across the VPN and they appear to leave the VPN instance. However, they never make it to the destination. Below I've done another test which shows 30 packets being sent with 1 (the tenth packet) being dropped.

Code:

Cluny-Suite3-SW#ping 10.41.0.186 repeat 30
Type escape sequence to abort.
Sending 30, 100-byte ICMP Echos to 10.41.0.186, timeout is 2 seconds:
!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!
Success rate is 96 percent (29/30), round-trip min/avg/max = 25/26/34 ms
Cluny-Suite3-SW#

The attached output from the VPN instance (i-cc73c92b) shows the packets arriving encapsulated from the public address at the far end of the VPN, being forwarded on to 10.41.0.186 (instance i-ae1f9949), replies coming back from 10.41.0.186 before being encapsulated and sent back over the VPN to the public address at the far end of the VPN.

The only packet missing is the sequence 9 reply. The sequence 9 request does appear to have been forwarded from the VPN instance so this would appear to rule out the packet being lost somewhere in the VPN.

The attached output from the destination instance (10.41.0.186 i-ae1f9949) shows that the sequence 9 request never arrives at the destination. I appreciate that ICMP is not a reliable protocol. I'm just using it to try and illustrate how far the packets are getting and where they are being lost. The problem also appears to affect TCP traffic but this is much harder to illustrate. Like I said earlier, we've been using CentOS6.5 to perform the same function without any problems and my gut is that this is an issue with the CentOS 7 AMI.

I'd be grateful for any assistance you could provide which may help me better understand why these packets are being dropped.
Attachments
i-cc73c92b.txt (6.33 KiB)
i-ae1f9949.txt (5.08 KiB)
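
The two-capture comparison described in the post above can be automated; the following is an added example, not part of the original post or its attachments. It assumes both captures are `tcpdump -n` text output, and the function names, the tunnel-side source address 10.99.0.1, the ICMP id and the timestamps are constructed for illustration.

```python
import re

# Matches `tcpdump -n` text output for ICMP echo traffic.
ICMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

def echo_seqs(capture, kind, src=None, dst=None):
    """Set of (id, seq) for echo packets of `kind` matching the address filters."""
    seen = set()  # a set, so a packet captured on two interfaces counts once
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if not m or m["kind"] != kind:
            continue
        if (src and m["src"] != src) or (dst and m["dst"] != dst):
            continue
        seen.add((int(m["id"]), int(m["seq"])))
    return seen

def localize_loss(vpn_capture, dest_capture, dest_ip):
    """Compare both vantage points and report where each echo went missing."""
    forwarded = echo_seqs(vpn_capture, "request", dst=dest_ip)
    arrived = echo_seqs(dest_capture, "request", dst=dest_ip)
    replied = echo_seqs(dest_capture, "reply", src=dest_ip)
    returned = echo_seqs(vpn_capture, "reply", src=dest_ip)
    return {
        "lost_vpn_to_dest": sorted(forwarded - arrived),
        "unanswered_at_dest": sorted(arrived - replied),
        "lost_dest_to_vpn": sorted(replied - returned),
    }

# Constructed sample captures (hypothetical, not the post's attachments).
VPN_CAPTURE = """\
17:05:01.100 IP 10.99.0.1 > 10.41.0.186: ICMP echo request, id 7, seq 8, length 80
17:05:01.101 IP 10.41.0.186 > 10.99.0.1: ICMP echo reply, id 7, seq 8, length 80
17:05:01.130 IP 10.99.0.1 > 10.41.0.186: ICMP echo request, id 7, seq 9, length 80
17:05:03.130 IP 10.99.0.1 > 10.41.0.186: ICMP echo request, id 7, seq 10, length 80
17:05:03.131 IP 10.41.0.186 > 10.99.0.1: ICMP echo reply, id 7, seq 10, length 80
"""
DEST_CAPTURE = """\
17:05:01.100 IP 10.99.0.1 > 10.41.0.186: ICMP echo request, id 7, seq 8, length 80
17:05:01.100 IP 10.41.0.186 > 10.99.0.1: ICMP echo reply, id 7, seq 8, length 80
17:05:03.130 IP 10.99.0.1 > 10.41.0.186: ICMP echo request, id 7, seq 10, length 80
17:05:03.130 IP 10.41.0.186 > 10.99.0.1: ICMP echo reply, id 7, seq 10, length 80
"""

if __name__ == "__main__":
    print(localize_loss(VPN_CAPTURE, DEST_CAPTURE, "10.41.0.186"))
```

A request that appears in the sending host's capture has been handed to the egress interface; a drop in the driver or below it happens after that capture point and still shows up here as lost between the two hosts.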
