loss internet connectivity after Open SSL update

BlueMouse
Posts: 4
Joined: 2007/09/25 11:07:22

Re: loss internet connectivity after Open SSL update

Post by BlueMouse » 2022/08/01 17:50:50

There is a serious and recent bug in NetworkManager DHCP, which causes problems during IP-address renewal. DHClient keeps declining the IP-address and then the server goes down after the renewal period.
It's listed here: https://bugzilla.redhat.com/show_bug.cgi?id=2109285

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: loss internet connectivity after Open SSL update

Post by TrevorH » 2022/08/01 18:20:04

That bug is not against el7 so it's not that.

Edit: re-reading it, that bug is not applicable to anything except Stream. It says it applies to 8.7 and 9.1 both of which are unreleased RHEL X.next versions. I checked my Rocky 8 system and its NM packages are not at the version that bz says are affected and my RHEL 9.0 system is likewise not at a sufficiently recent version to be affected.

There are reasons why no-one sensible runs Stream...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

de3jay
Posts: 13
Joined: 2022/07/21 03:27:38

Re: loss internet connectivity after Open SSL update

Post by de3jay » 2022/08/02 04:05:43

So what else could possibly go wrong with my setup? Somehow my CentOS 7 is already working fine but can only work internally. The IP address is reserved in the DHCP settings of ESXi; the only thing left is the internet connectivity.

BlueMouse
Posts: 4
Joined: 2007/09/25 11:07:22

Re: loss internet connectivity after Open SSL update

Post by BlueMouse » 2022/08/02 11:23:02

1. Post the output of
traceroute -n 8.8.8.8
2. Post the output of
route
3. If available, post the output of
iptables -L -v -n

4. Post the output of
cat /var/lib/NetworkManager/dhclient-*

de3jay
Posts: 13
Joined: 2022/07/21 03:27:38

Re: loss internet connectivity after Open SSL update

Post by de3jay » 2022/08/03 03:37:13

BlueMouse wrote:
2022/08/02 11:23:02
1. Post the output of
traceroute -n 8.8.8.8
-- please see attached
2. Post the output of
route
-- command not found
3. If available, post the output of
iptables -L -v -n

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3171K 6678M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
7827 510K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2859 271K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
2859 271K INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
2859 271K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1298 190K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 2393K packets, 474M bytes)
pkts bytes target prot opt in out source destination
39593 5600K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2393K 474M OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination

Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination

Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
2859 271K IN_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination

Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination

Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
2859 271K IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2859 271K IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
2859 271K IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
1173 60996 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
388 20176 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7878 ctstate NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:162 ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination

4. Post the output of
cat /var/lib/NetworkManager/dhclient-*
lease {
interface "ens33";
fixed-address 192.168.102.205;
option subnet-mask 255.255.255.0;
option routers 192.168.102.1;
option dhcp-lease-time 691200;
option dhcp-message-type 5;
option domain-name-servers 192.168.102.12;
option dhcp-server-identifier 192.168.102.12;
option dhcp-renewal-time 345600;
option dhcp-rebinding-time 604800;
option domain-name "intra.local";
renew 1 2022/08/01 03:32:24;
rebind 4 2022/08/04 04:38:03;
expire 5 2022/08/05 04:38:03;
}
lease {
interface "ens33";
fixed-address 192.168.102.201;
option subnet-mask 255.255.255.0;
option dhcp-lease-time 691200;
option routers 192.168.102.1;
option dhcp-message-type 5;
option dhcp-server-identifier 192.168.102.12;
option domain-name-servers 192.168.102.12;
option dhcp-renewal-time 345600;
option dhcp-rebinding-time 604800;
option domain-name "intra.local";
renew 0 2022/07/31 12:58:42;
rebind 4 2022/08/04 06:40:49;
expire 5 2022/08/05 06:40:49;
}
lease {
interface "ens33";
fixed-address 192.168.102.201;
option subnet-mask 255.255.255.0;
option routers 192.168.102.1;
option dhcp-lease-time 691200;
option dhcp-message-type 5;
option domain-name-servers 192.168.102.12;
option dhcp-server-identifier 192.168.102.12;
option dhcp-renewal-time 345600;
option dhcp-rebinding-time 604800;
option domain-name "intra.local";
renew 1 2022/08/01 00:58:41;
rebind 4 2022/08/04 06:56:03;
expire 5 2022/08/05 06:56:03;
}
lease {
interface "ens33";
fixed-address 192.168.102.201;
option subnet-mask 255.255.255.0;
option routers 192.168.102.1;
option dhcp-lease-time 691200;
option dhcp-message-type 5;
option domain-name-servers 192.168.102.12;
option dhcp-server-identifier 192.168.102.12;
option dhcp-renewal-time 345600;
option dhcp-rebinding-time 604800;
option domain-name "intra.local";
renew 4 2022/08/04 21:30:43;
rebind 1 2022/08/08 00:58:41;
expire 2 2022/08/09 00:58:41;
}
lease {
interface "ens33";
fixed-address 192.168.102.205;
option subnet-mask 255.255.255.0;
option dhcp-lease-time 691200;
option routers 192.168.102.1;
option dhcp-message-type 5;
option dhcp-server-identifier 192.168.102.12;
option domain-name-servers 192.168.102.12;
option dhcp-renewal-time 345600;
option dhcp-rebinding-time 604800;
option domain-name "intra.local";
renew 5 2022/07/29 05:06:02;
rebind 2 2022/08/02 02:17:40;
expire 3 2022/08/03 02:17:40;
}
lease {
interface "ens33";
fixed-address 192.168.102.205;
option subnet-mask 255.255.255.0;
option routers 192.168.102.1;
option dhcp-lease-time 691200;
option dhcp-message-type 5;
option domain-name-servers 192.168.102.12;
option dhcp-server-identifier 192.168.102.12;
option dhcp-renewal-time 345600;
option dhcp-rebinding-time 604800;
option domain-name "intra.local";
renew 5 2022/07/29 09:27:05;
rebind 2 2022/08/02 07:34:39;
expire 3 2022/08/03 07:34:39;
}
# Created by NetworkManager

send host-name "SMCTES753"; # added by NetworkManager

option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
option ms-classless-static-routes code 249 = array of unsigned integer 8;
option wpad code 252 = string;

also request rfc3442-classless-static-routes;
also request ms-classless-static-routes;
also request static-routes;
also request wpad;
also request ntp-servers;
also request root-path;
Attachments
traceroute.jpg (31.75 KiB) Viewed 863 times
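
As an added example (not part of any post in this thread): a shell function that summarises the lease blocks of a dhclient lease file like the one posted above, listing address, router, DNS server and whether each lease had expired at a given time. The function names, the trimmed sample (three of the posted leases) and the reference time (the post's timestamp, assumed to be UTC like the lease times) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: summarise dhclient lease blocks.
# Usage: lease_summary FILE NOW   (FILE may be "-" for stdin)
# NOW uses the lease file layout "YYYY/MM/DD HH:MM:SS", so a plain string
# comparison orders the timestamps correctly (LC_ALL=C keeps it bytewise).
lease_summary() {
    LC_ALL=C awk -v now="$2" '
        function clean(s) { gsub(/[";,]/, "", s); return s }
        $1 == "lease" && $2 == "{" { inlease = 1; addr = gw = dns = expiry = ""; next }
        !inlease { next }   # skip dhclient .conf lines outside lease blocks
        $1 == "fixed-address" { addr = clean($2) }
        $1 == "option" && $2 == "routers" { gw = clean($3) }
        $1 == "option" && $2 == "domain-name-servers" { dns = clean($3) }  # first server only
        $1 == "expire" { expiry = $3 " " clean($4) }
        $1 == "}" {
            state = (expiry > now) ? "active" : "expired"
            printf "%s gw=%s dns=%s expire=%s %s\n", addr, gw, dns, expiry, state
            inlease = 0
        }
    ' "$1"
}

# Sample input: three leases from the post, trimmed to the fields used here.
sample_leases() {
    cat <<'EOF'
lease {
  fixed-address 192.168.102.205;
  option routers 192.168.102.1;
  option domain-name-servers 192.168.102.12;
  expire 5 2022/08/05 04:38:03;
}
lease {
  fixed-address 192.168.102.201;
  option routers 192.168.102.1;
  option domain-name-servers 192.168.102.12;
  expire 2 2022/08/09 00:58:41;
}
lease {
  fixed-address 192.168.102.205;
  option routers 192.168.102.1;
  option domain-name-servers 192.168.102.12;
  expire 3 2022/08/03 02:17:40;
}
send host-name "SMCTES753"; # added by NetworkManager
EOF
}

sample_leases | lease_summary - "2022/08/03 03:37:13"
```

On a live system the file argument would be one of the `/var/lib/NetworkManager/dhclient-*` lease files and the reference time `date -u '+%Y/%m/%d %H:%M:%S'`.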

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: loss internet connectivity after Open SSL update

Post by jlehtone » 2022/08/03 06:39:52

de3jay wrote:
2022/08/03 03:37:13
BlueMouse wrote:
2022/08/02 11:23:02
2. Post the output of

route
-- command not found
The commands route, ifconfig, and netstat are old. Alternatives with more functionality are ip and ss.
In order to show the (main) routing table, one can do

ip ro
which is the short form of ip route show
de3jay wrote:
2022/08/02 04:05:43
Somehow my CentOS 7 is already working fine but can only work internally
"Internally" as in "the machine itself"?

How about connections to and from other machines on the same subnet?
Can they connect to this machine and can this machine connect to them?

Further subdivision of the local subnet: are connections with other machines on the same ESXi host same or better than machines not on the same host?

The problem might not be in this machine, but in the configuration of the ESXi, routers, and firewalls (due to the switch of ESXi host).
(As said, I don't know ESXi, but on some hypervisors that has been the roadblock, not the VM.)

de3jay
Posts: 13
Joined: 2022/07/21 03:27:38

Re: loss internet connectivity after Open SSL update

Post by de3jay » 2022/08/03 09:37:55

Thanks for the reply @jlehtone. Actually, this server is the OS for our Nagios XI. What I meant by "internal" is that it can ping other servers on the same subnet, and even on a different subnet, and can also monitor each of its services. I have configured Telegram alerts by adding some scripts, so that once there are services that are down or have some issues we will get the alerts via Telegram, and that requires internet connectivity. It was working well before; all the rules are set in the FW, routers, and even on the ESXi itself. I have tried to replicate the config settings from my test environment as well.

As for the ip ro, here is the result (please see attached)
Attachments
ip ro.jpg (20.44 KiB) Viewed 840 times
