There is a serious and recent bug in NetworkManager DHCP, which causes problems during IP-address renewal. DHClient keeps declining the IP-address and then the server goes down after the renewal period.
It's listed here: https://bugzilla.redhat.com/show_bug.cgi?id=2109285
loss internet connectivity after Open SSL update
Re: loss internet connectivity after Open SSL update
That bug is not against el7 so it's not that.
Edit: re-reading it, that bug is not applicable to anything except Stream. It says it applies to 8.7 and 9.1 both of which are unreleased RHEL X.next versions. I checked my Rocky 8 system and its NM packages are not at the version that bz says are affected and my RHEL 9.0 system is likewise not at a sufficiently recent version to be affected.
There are reasons why no-one sensible runs Stream...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: loss internet connectivity after Open SSL update
So what else could possibly go wrong with my setup? Somehow my CentOS 7 is already working fine but can only work internally; the IP address is reserved in the DHCP settings of ESXi, and the only thing left is the internet connectivity.
Re: loss internet connectivity after Open SSL update
1. Post the output of traceroute -n 8.8.8.8
2. Post the output of route
3. If available, post the output of iptables -L -v -n
4. Post the output of cat /var/lib/NetworkManager/dhclient-*
Re: loss internet connectivity after Open SSL update
BlueMouse wrote: ↑2022/08/02 11:23:02
1. Post the output of traceroute -n 8.8.8.8
-- please see attached
2. Post the output of route
-- command not found
3. If available, post the output of iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3171K 6678M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
7827 510K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2859 271K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
2859 271K INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
2859 271K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1298 190K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 2393K packets, 474M bytes)
pkts bytes target prot opt in out source destination
39593 5600K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2393K 474M OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
2859 271K IN_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
2859 271K IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2859 271K IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
2859 271K IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
1173 60996 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
388 20176 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7878 ctstate NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:162 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
4. Post the output of cat /var/lib/NetworkManager/dhclient-*
lease {
interface "ens33";
fixed-address 192.168.102.205;
option subnet-mask 255.255.255.0;
option routers 192.168.102.1;
option dhcp-lease-time 691200;
option dhcp-message-type 5;
option domain-name-servers 192.168.102.12;
option dhcp-server-identifier 192.168.102.12;
option dhcp-renewal-time 345600;
option dhcp-rebinding-time 604800;
option domain-name "intra.local";
renew 1 2022/08/01 03:32:24;
rebind 4 2022/08/04 04:38:03;
expire 5 2022/08/05 04:38:03;
}
lease {
interface "ens33";
fixed-address 192.168.102.201;
option subnet-mask 255.255.255.0;
option dhcp-lease-time 691200;
option routers 192.168.102.1;
option dhcp-message-type 5;
option dhcp-server-identifier 192.168.102.12;
option domain-name-servers 192.168.102.12;
option dhcp-renewal-time 345600;
option dhcp-rebinding-time 604800;
option domain-name "intra.local";
renew 0 2022/07/31 12:58:42;
rebind 4 2022/08/04 06:40:49;
expire 5 2022/08/05 06:40:49;
}
lease {
interface "ens33";
fixed-address 192.168.102.201;
option subnet-mask 255.255.255.0;
option routers 192.168.102.1;
option dhcp-lease-time 691200;
option dhcp-message-type 5;
option domain-name-servers 192.168.102.12;
option dhcp-server-identifier 192.168.102.12;
option dhcp-renewal-time 345600;
option dhcp-rebinding-time 604800;
option domain-name "intra.local";
renew 1 2022/08/01 00:58:41;
rebind 4 2022/08/04 06:56:03;
expire 5 2022/08/05 06:56:03;
}
lease {
interface "ens33";
fixed-address 192.168.102.201;
option subnet-mask 255.255.255.0;
option routers 192.168.102.1;
option dhcp-lease-time 691200;
option dhcp-message-type 5;
option domain-name-servers 192.168.102.12;
option dhcp-server-identifier 192.168.102.12;
option dhcp-renewal-time 345600;
option dhcp-rebinding-time 604800;
option domain-name "intra.local";
renew 4 2022/08/04 21:30:43;
rebind 1 2022/08/08 00:58:41;
expire 2 2022/08/09 00:58:41;
}
lease {
interface "ens33";
fixed-address 192.168.102.205;
option subnet-mask 255.255.255.0;
option dhcp-lease-time 691200;
option routers 192.168.102.1;
option dhcp-message-type 5;
option dhcp-server-identifier 192.168.102.12;
option domain-name-servers 192.168.102.12;
option dhcp-renewal-time 345600;
option dhcp-rebinding-time 604800;
option domain-name "intra.local";
renew 5 2022/07/29 05:06:02;
rebind 2 2022/08/02 02:17:40;
expire 3 2022/08/03 02:17:40;
}
lease {
interface "ens33";
fixed-address 192.168.102.205;
option subnet-mask 255.255.255.0;
option routers 192.168.102.1;
option dhcp-lease-time 691200;
option dhcp-message-type 5;
option domain-name-servers 192.168.102.12;
option dhcp-server-identifier 192.168.102.12;
option dhcp-renewal-time 345600;
option dhcp-rebinding-time 604800;
option domain-name "intra.local";
renew 5 2022/07/29 09:27:05;
rebind 2 2022/08/02 07:34:39;
expire 3 2022/08/03 07:34:39;
}
# Created by NetworkManager
send host-name "SMCTES753"; # added by NetworkManager
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
option ms-classless-static-routes code 249 = array of unsigned integer 8;
option wpad code 252 = string;
also request rfc3442-classless-static-routes;
also request ms-classless-static-routes;
also request static-routes;
also request wpad;
also request ntp-servers;
also request root-path;
Attachment: traceroute.jpg (31.75 KiB)
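Added example (not part of the original posts): a small Python parser for the dhclient lease format shown above, reporting which addresses the leases file has recorded and which lease is still valid at a given time. The sample text is abridged from the posted output, and the function names are this example's own.

```python
import re
from datetime import datetime

# Abridged from three of the lease blocks posted above.
SAMPLE = """
lease {
  fixed-address 192.168.102.205;
  option routers 192.168.102.1;
  expire 5 2022/08/05 04:38:03;
}
lease {
  fixed-address 192.168.102.201;
  option routers 192.168.102.1;
  expire 2 2022/08/09 00:58:41;
}
lease {
  fixed-address 192.168.102.205;
  option routers 192.168.102.1;
  expire 3 2022/08/03 07:34:39;
}
"""

# Only text inside "lease { ... }" is read; dhclient config lines are ignored.
LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
STMT_RE = re.compile(r"^\s*(?:option\s+)?([\w-]+)\s+(.+?);\s*$", re.M)
TIME_KEYS = ("renew", "rebind", "expire")

def _timestamp(value):
    # "<weekday> YYYY/MM/DD HH:MM:SS"; "never" marks an infinite lease.
    if value == "never":
        return datetime.max
    return datetime.strptime(value.split(None, 1)[1], "%Y/%m/%d %H:%M:%S")

def parse_leases(text):
    """Return one dict per lease block, keyed by statement/option name."""
    return [{k: _timestamp(v) if k in TIME_KEYS else v.strip('"')
             for k, v in STMT_RE.findall(body)}
            for body in LEASE_RE.findall(text)]

def summarize(text, now):
    """Addresses seen, the unexpired lease that expires last, expired count."""
    leases = parse_leases(text)
    live = [l for l in leases if l["expire"] > now]
    return {
        "addresses": sorted({l["fixed-address"] for l in leases}),
        "current": max(live, key=lambda l: l["expire"]) if live else None,
        "expired": len(leases) - len(live),
    }
```

Calling `summarize(SAMPLE, datetime(2022, 8, 4, 12, 0, 0))` lists both 192.168.102.201 and 192.168.102.205 under `addresses`, which is worth comparing against the single address reserved on the DHCP server.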
Re: loss internet connectivity after Open SSL update
The commands route, ifconfig, and netstat are old. Alternatives with more functionality are ip and ss.
In order to show (main) routing table, one can do
ip ro
"Internally" as in "the machine itself"?
How about connections to and from other machines on the same subnet?
Can they connect to this machine and can this machine connect to them?
Further subdivision of the local subnet: are connections with other machines on the same ESXi host same or better than machines not on the same host?
The problem might not be in this machine, but on the configuration of the ESXi, routers, and firewalls (due to switch of ESXi host).
(As said, I don't know ESXi, but on some hypervisors that has been the roadblock, not the VM.)
Re: loss internet connectivity after Open SSL update
Thanks for the reply @jlehtone. Actually, this server is the OS for our Nagios XI. What I meant by "internal" is that it can ping other servers on the same subnet, and even on a different subnet, and can also monitor each of its services. I have configured Telegram alerts by adding some scripts, so that once there are services that are down or have some issues we will get the alerts via Telegram, and that requires internet connectivity. It was working well before; all the rules are set in the FW, routers, and even on the ESXi itself. I have tried to replicate the config settings from my test environment as well.
As for the ip ro, here is the result (please see attached).
Attachment: ip ro.jpg (20.44 KiB)