Network error troubleshooting case: ICMP host * * * unreachable - admin prohibited

Source: Internet
Author: User

This method also solves the problem of a Salt master that cannot connect to its Salt minion.


http://www.cnblogs.com/sammyliu/p/4981194.html

1. Environment

A physical server, 9.115.251.86, hosts two virtual machines, each with two network cards:

vm1: eth0 - 9.*.*.232, eth1 - 10.0.0.14
vm2: eth0 - 9.8.*.219, eth1 - 10.0.0.10; runs the DHCP agent, which manages dnsmasq and provides the DHCP service

The two eth1 interfaces are connected to a bridge on the physical machine:

bridge name     bridge id               STP enabled     interfaces
mgtbr0          8000.fa8013216b56       no              tap0
                                                        vnet1
                                                        vnet12
                                                        vnet13
                                                        vnet14
                                                        vnet16
                                                        vnet18
                                                        vnet2
                                                        vnet5

2. Error

A virtual machine, vmchild1, is created on vm1 and sends a BOOTP request at startup to obtain an IP address from the DHCP agent. The dnsmasq instance managed by the DHCP agent receives the BOOTP requests normally and sends back replies, but vm1 never receives them.

tcpdump on vm2:

15:30:14.135874 IP (tos 0x0, ttl, id 46594, offset 0, flags [none], proto UDP (), length 401)
    10.0.0.10.40589 > 10.0.0.14.8472: OTV, flags [I] (0x08), overlay 0, instance 1027
IP (tos 0xc0, ttl, id 57625, offset 0, flags [none], proto UDP (), length 351)
    50-0-0-10.static.sonic.net.bootps > 50-0-0-15.static.sonic.net.bootpc: BOOTP/DHCP, Reply, length 323, xid 0x11f7631f, secs, Flags [none]
      Your-IP 50-0-0-15.static.sonic.net
      Server-IP 50-0-0-10.static.sonic.net
      Client-Ethernet-Address fa:16:3e:ba:43:4c (oui Unknown)
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option, length 1: Offer
        Server-ID Option 54, length 4: 50-0-0-10.static.sonic.net
        Lease-Time Option, length 4: 86400
        RN Option, length 4: 43200
        RB Option, length 4: 75600
        Subnet-Mask Option 1, length 4: 255.255.255.0
        BR Option, length 4: 50-0-0-255.static.sonic.net
        Domain-Name Option, length: "openstacklocal"
        Domain-Name-Server Option 6, length 4: 50-0-0-10.static.sonic.net
        Default-Gateway Option 3, length 4: 50-0-0-1.static.sonic.net
        Classless-Static-Route Option 121, length: (60.0.0.0/24:0.0.0.0),(default:50-0-0-1.static.sonic.net)
15:30:14.136118 IP (tos 0xc0, ttl, id 10816, offset 0, flags [none], proto ICMP (1), length 429)
    10.0.0.100 > 10.0.0.10: ICMP host 10.0.0.14 unreachable - admin prohibited, length 409
IP (tos 0x0, ttl, id 46594, offset 0, flags [none], proto UDP (), length 401)
    10.0.0.10.40589 > 10.0.0.14.8472: OTV, flags [I] (0x08), overlay 0, instance 1027

Another problem also showed up:

root@controller:~/s1# ping 10.0.0.13
PING 10.0.0.13 (10.0.0.13) bytes of data.
bytes from 10.0.0.13: icmp_seq=1 ttl=64 time=0.630 ms
From 10.0.0.13: icmp_seq=2 Redirect Host (New nexthop: 10.0.0.
bytes from 10.0.0.13: icmp_seq=2 ttl=64 time=0.628 ms
From 10.0.0.13: icmp_seq=3 Redirect Host (New nexthop: 10.0.0.13)

3. Troubleshooting

The initial guess was that a firewall was blocking the BOOTP packets, so the firewalls on vm1 and vm2 were both turned off, but that made no difference. Finally, the iptables rules on the physical machine were checked:

[root@rh65 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT          --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:16509
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:16514
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpts:vnc-server:cvsup
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

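The FORWARD chain turned out to be blocking the packets and answering with ICMP errors: its final REJECT rule uses reject-with icmp-host-prohibited, which is the ICMP "host unreachable - admin prohibited" message seen in the tcpdump output.

4. Solution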

Running service iptables stop on the physical machine shuts iptables down, which resolves the problem.
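
An added example, not part of the original article: a small Python helper that ties the ICMP error text printed by tcpdump back to the REJECT rules in an `iptables -L` listing that can generate it. The function names and the shortened sample listing are constructed for illustration; the ICMP line is the one from the capture above.

```python
import re

# tcpdump wording for ICMP type 3 errors, paired with the iptables --reject-with value.
TCPDUMP_TO_REJECT = [  # most specific pattern first
    (re.compile(r"unreachable - admin prohibited filter"), "icmp-admin-prohibited"),
    (re.compile(r"host \S+ unreachable - admin prohibited"), "icmp-host-prohibited"),
    (re.compile(r"(?:udp|tcp) port \S+ unreachable"), "icmp-port-unreachable"),
]

def reject_rules(listing):
    """Yield (chain, position, reject_type) for each REJECT rule in `iptables -L` text."""
    chain, pos = None, 0
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+)", line)
        if header:
            chain, pos = header.group(1), 0
            continue
        fields = line.split()
        if chain is None or not fields or fields[0] == "target":
            continue
        pos += 1  # same numbering as `iptables -L --line-numbers`
        reject = re.search(r"reject-with (\S+)", line)
        if fields[0] == "REJECT" and reject:
            yield chain, pos, reject.group(1)

def candidate_rules(tcpdump_line, listing):
    """Return [(chain, position)] of rules able to emit the ICMP error in tcpdump_line."""
    for pattern, reject_type in TCPDUMP_TO_REJECT:
        if pattern.search(tcpdump_line):
            return [(c, p) for c, p, t in reject_rules(listing) if t == reject_type]
    return []

# Constructed sample: a shortened form of the listing on this page.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""
SAMPLE_ICMP = "10.0.0.100 > 10.0.0.10: ICMP host 10.0.0.14 unreachable - admin prohibited, length 409"

if __name__ == "__main__":
    print(candidate_rules(SAMPLE_ICMP, SAMPLE_LISTING))
```

Both chains end with the same reject type; because the rejected packet was addressed to 10.0.0.14 rather than to the physical machine itself, the FORWARD rule is the one that applies. Once the rule is identified, a narrower fix than stopping iptables altogether is an ACCEPT rule for the bridge's traffic inserted ahead of it, which keeps the rest of the host's filtering in place.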
