DNAT to internal LDAP not reliable

Hello,
I am experiencing a seemingly random failure of port forwarding back to a Windows Server 2016 Read Only Domain Controller for external LDAP connections. External connections to port 389 and 636 will simply stop responding for anywhere from 5 - 45 minutes. Sometimes just port 389 starts responding again, sometimes both 389 and 636. They will respond to queries for a seemingly random amount of time before becoming unreachable again. This appears to affect both TCP and UDP traffic. Sometimes, I am unable to get HTTP or HTTPS responses from the other servers we expose to the outside world when this is happening as well.

To monitor the services, I have a VM external to our network running Icinga 2 and using check_tcp to check the connectivity of 389/tcp and 636/tcp. I am also using curl and ldapsearch on another VM with a different provider to eliminate the possibility of this being a carrier issue.

Things I’ve tried:

  • Increasing the arp table size to 32768
  • Setting up a 1-to-1 NAT with 172.16.0.21
  • Broke down a single DNAT rule with “protocol tcp_udp” into 4 separate DNAT rules, each declaring the port and either tcp or udp
  • Lowered MTU on the OUTSIDE interface down to 1472, then back to 1500
  • Enabled “generic-segmentation” and “scatter-gather” offloading options on both INSIDE and OUTSIDE interfaces
  • Created a firewall rule to allow fragments but I did not see any hits so I deleted the rule
  • Disabled flow control on OUTSIDE and INSIDE interfaces
  • Created pseudo-ethernet interfaces for each external address instead of having them all on eth3

I am coming from a Cisco ASA 5525-X and did not have this issue on that platform. However, I understand that the ASA sets up a direct 1-to-1 NAT/BiNAT which is different to how VyOS handles it.

Our hardware is a Dell R630 with 64 GB of RAM and dual Xeon E5-2670 v3 CPUs; hyperthreading is disabled. We are currently using the two copper ethernet ports for inside and outside.

vyos@vyos:~$ sh ver
Version:          VyOS 1.2.6
Release Train:    crux

Built by:         Sentrium S.L.
Built on:         Fri 11 Sep 2020 11:54 UTC
Build UUID:       bb54bb8d-8c25-4395-bbe4-625798facebd
Build Commit ID:  706d01f247bb83

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  Dell Inc.
Hardware model:   PowerEdge R630
Hardware S/N:     25P3GB2
Hardware UUID:    4c4c4544-0035-5010-8033-b2c04f474232

Copyright:        VyOS maintainers and contributors

DNAT counters after about 15 hours:
The 400 range is the LDAP. The counters on 401 seem very high to me.

vyos@vyos:~$ show nat destination stat
rule   pkts    bytes   interface   
----   ----    -----   ---------   
100    92224   8180    eth3        
200    92242   8173    eth3        
300    225     13216   eth3        
400    1520    91116   eth3        
401    3948K   265M    eth3        
402    0       0       eth3        
403    1734    102K    eth3        
500    885     44504   eth3        
600    7168    391K    eth3        
700    434     20753   eth3        
800    192     8416    eth3        
850    16      728     eth3        
851    16      720     eth3        
852    10      400     eth3        
900    1451    79004   eth3        

Config:

vyos@vyos:~$ show conf
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group ACCESSCONTROL-INTERNAL {
            ...
        }
        address-group FORMS-INTERNAL {
            address 172.16.1.230
        }
        address-group HELPDESK-INTERNAL {
            address 10.80.0.40
        }
        address-group HVAC-INTERNAL {
            address 10.90.0.10
        }
        address-group LDAP-INTERNAL {
            address 172.16.0.21
        }
        address-group MOODLE-INTERNAL {
            address 10.80.0.30
        }
        address-group NS02-INTERNAL {
            address 10.80.2.11
        }
        address-group NS03-INTERNAL {
            address 10.80.2.12
        }
        address-group SECURITYDVR-INTERNAL {
            ...
        }
        address-group VPN-INTERNAL {
            address 10.80.3.20
            description "OpenVPN Proxy VRRP"
        }
        network-group HVAC-VENDOR {
            ...
        }
        network-group SECURITY-VENDOR {
            ...
        }
        network-group SHUNNED-RANGES {
            description "Bad actors"
            network 85.93.20.0/24
            ...
        }
        port-group ACCESSCONTROL-PORTS-TCP {
            port https
        }
        port-group FORMS-PORTS-TCP {
            port http
            port https
        }
        port-group HELPDESK-PORTS-TCP {
            port http
            port https
        }
        port-group HVAC-PORTS-TCPUDP {
            ...
        }
        port-group LDAP-PORTS-TCPUDP {
            port 389
            port 636
        }
        port-group MOODLE-PORTS-TCP {
            port http
            port https
        }
        port-group NS02-PORTS-TCPUDP {
            port domain
        }
        port-group NS03-PORTS-TCPUDP {
            port domain
        }
        port-group SECURITYDVR-PORTS-TCPUDP {
            ...
        }
        port-group VPN-PORTS-TCP {
            ...
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    name OUTSIDE-IN {
        default-action drop
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            state {
                invalid enable
            }
        }
        rule 10 {
            action drop
            description "Drop bad actors"
            source {
                group {
                    network-group SHUNNED-RANGES
                }
            }
        }
        rule 100 {
            action accept
            description "NS02"
            destination {
                group {
                    address-group NS02-INTERNAL
                    port-group NS02-PORTS-TCPUDP
                }
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
        rule 200 {
            action accept
            description "NS03"
            destination {
                group {
                    address-group NS03-INTERNAL
                    port-group NS03-PORTS-TCPUDP
                }
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
        rule 300 {
            action accept
            description "VPN Proxy VRRP"
            destination {
                group {
                    address-group VPN-INTERNAL
                    port-group VPN-PORTS-TCP
                }
            }
            protocol tcp
            state {
                new enable
            }
        }
        rule 400 {
            action accept
            description "LDAP - 76.191.126.251"
            destination {
                group {
                    address-group LDAP-INTERNAL
                    port-group LDAP-PORTS-TCPUDP
                }
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
        rule 500 {
            action accept
            description "Forms"
            destination {
                group {
                    address-group FORMS-INTERNAL
                    port-group FORMS-PORTS-TCP
                }
            }
            protocol tcp
            state {
                new enable
            }
        }
        rule 600 {
            action accept
            description "Moodle"
            destination {
                group {
                    address-group MOODLE-INTERNAL
                    port-group MOODLE-PORTS-TCP
                }
            }
            protocol tcp
            state {
                new enable
            }
        }
        rule 700 {
            action accept
            description "HVAC"
            ...
        }
        rule 800 {
            action accept
            description "Access Control appliance"
            ...
        }
        rule 850 {
            action accept
            description "Security DVRs"
            ...
        }
        rule 900 {
            action accept
            description "HelpDesk"
            destination {
                group {
                    address-group HELPDESK-INTERNAL
                    port-group HELPDESK-PORTS-TCP
                }
            }
            protocol tcp
            state {
                new enable
            }
        }
    }
    name OUTSIDE-LOCAL {
        default-action drop
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            description "Respond to ICMP echo request"
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        duplex auto
        hw-id 24:6e:96:00:f3:c0
        smp-affinity auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        hw-id 24:6e:96:00:f3:c2
        smp-affinity auto
        speed auto
    }
    ethernet eth2 {
        address 10.99.0.1/29
        description INSIDE-COPPER
        disable-flow-control
        duplex auto
        hw-id 24:6e:96:00:f3:e0
        offload-options {
            generic-segmentation on
            scatter-gather on
        }
        smp-affinity auto
        speed auto
    }
    ethernet eth3 {
        address 76.191.126.242/28
        address 76.191.126.243/28
        address 76.191.126.244/28
        address 76.191.126.245/28
        address 76.191.126.246/28
        address 76.191.126.247/28
        address 76.191.126.248/28
        address 76.191.126.249/28
        address 76.191.126.250/28
        address 76.191.126.251/28
        address 76.191.126.252/28
        address 76.191.126.253/28
        address 76.191.126.254/28
        address x.x.142.162/28
        address x.x.142.163/28
        address x.x.142.164/28
        address x.x.142.165/28
        address x.x.142.166/28
        address x.x.142.167/28
        address x.x.142.168/28
        address x.x.142.169/28
        address x.x.142.170/28
        address x.x.142.171/28
        address x.x.142.172/28
        address x.x.142.173/28
        address x.x.142.174/28
        description OUTSIDE-COPPER
        disable-flow-control
        duplex full
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
        hw-id 24:6e:96:00:f3:e1
        mtu 1500
        offload-options {
            generic-segmentation on
            scatter-gather on
        }
        smp-affinity auto
        speed 1000
    }
    loopback lo {
    }
}
nat {
    destination {
        rule 100 {
            description "NS02 - TCP/UDP - domain"
            destination {
                address 76.191.126.243
                port 53
            }
            inbound-interface eth3
            protocol tcp_udp
            translation {
                address 10.80.2.11
            }
        }
        rule 200 {
            description "NS03 - TCP/UDP - domain"
            destination {
                address 76.191.126.244
                port 53
            }
            inbound-interface eth3
            protocol tcp_udp
            translation {
                address 10.80.2.12
            }
        }
        rule 300 {
            description "VPN - TCP - OpenVPN ports"
            ...
        }
        rule 400 {
            description "LDAP - TCP/UDP - ldap/ldaps"
            destination {
                address 76.191.126.251
                port 389
            }
            inbound-interface eth3
            protocol tcp
            translation {
                address 172.16.0.21
            }
        }
        rule 401 {
            destination {
                address 76.191.126.251
                port 389
            }
            inbound-interface eth3
            protocol udp
            translation {
                address 172.16.0.21
            }
        }
        rule 402 {
            destination {
                address 76.191.126.251
                port 636
            }
            inbound-interface eth3
            protocol udp
            translation {
                address 172.16.0.21
            }
        }
        rule 403 {
            destination {
                address 76.191.126.251
                port 636
            }
            inbound-interface eth3
            protocol tcp
            translation {
                address 172.16.0.21
            }
        }
        rule 500 {
            description "Forms - TCP - http/https"
            destination {
                address 76.191.126.252
                port 80,443
            }
            inbound-interface eth3
            protocol tcp
            translation {
                address 172.16.1.230
            }
        }
        rule 600 {
            description "Moodle - TCP - http/https"
            destination {
                address 76.191.126.248
                port 80,443
            }
            inbound-interface eth3
            protocol tcp
            translation {
                address 10.80.0.30
            }
        }
        rule 700 {
            description "CH HVAC - TCP/UDP - http/https/custom"
            ...
        }
        rule 800 {
            description "Access Control - TCP - https"
            ...
        }
        rule 850 {
            description "Security DVR - CH - TCP"
            ...
        }
        rule 851 {
            description "Security DVR - TP - TCP "
            ...
        }
        rule 852 {
            description "Security DVR - MK - TCP"
            ...
        }
        rule 900 {
            description "HelpDesk - TCP - http/https"
            destination {
                address 76.191.126.246
                port 80,443
            }
            inbound-interface eth3
            protocol tcp
            translation {
                address 10.80.0.40
            }
        }
    }
    source {
        rule 5 {
            outbound-interface eth3
            source {
                address 10.80.2.11
            }
            translation {
                address 76.191.126.243
            }
        }
        rule 6 {
            outbound-interface eth3
            source {
                address 10.80.2.12
            }
            translation {
                address 76.191.126.244
            }
        }
        rule 7 {
            outbound-interface eth3
            source {
                address 172.16.0.51
            }
            translation {
                address 76.191.126.253
            }
        }
        rule 8 {
            outbound-interface eth3
            source {
                address 172.17.0.50
            }
            translation {
                address 76.191.126.253
            }
        }
        rule 9 {
            outbound-interface eth3
            source {
                address 172.18.0.50
            }
            translation {
                address 76.191.126.253
            }
        }
        rule 11 {
            outbound-interface eth3
            source {
                address 10.80.3.0/24
            }
            translation {
                address 76.191.126.247
            }
        }
        rule 13 {
            outbound-interface eth3
            source {
                address 172.16.0.28
            }
            translation {
                address 76.191.126.251
            }
        }
        rule 14 {
            outbound-interface eth3
            source {
                address 172.16.0.21
            }
            translation {
                address 76.191.126.251
            }
        }
        rule 15 {
            outbound-interface eth3
            source {
                address 10.80.0.30
            }
            translation {
                address 76.191.126.248
            }
        }
        rule 100 {
            description "Masquerade outgoing"
            outbound-interface eth2
            translation {
                address 76.191.126.242
            }
        }
        rule 200 {
            description "Masquerade incoming"
            outbound-interface eth3
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 76.191.126.241 {
            }
        }
        route 10.0.0.0/10 {
            next-hop 10.99.0.3 {
            }
        }
        route 10.65.0.0/24 {
            next-hop 10.99.0.3 {
            }
        }
        route 10.80.0.0/16 {
            next-hop 10.99.0.3 {
            }
        }
        route 10.90.0.0/24 {
            next-hop 10.99.0.3 {
            }
        }
        route 10.91.0.0/24 {
            next-hop 10.99.0.3 {
            }
        }
        route 10.92.0.0/24 {
            next-hop 10.99.0.3 {
            }
        }
        route 10.97.0.0/29 {
            next-hop 10.99.0.3 {
            }
        }
        route 10.100.0.0/16 {
            next-hop 10.99.0.3 {
            }
        }
        route 10.101.0.0/16 {
            next-hop 10.99.0.3 {
            }
        }
        route 10.102.0.0/16 {
            next-hop 10.99.0.3 {
            }
        }
        route 172.16.0.0/12 {
            next-hop 10.99.0.3 {
            }
        }
        route 172.16.0.0/16 {
            next-hop 10.99.0.3 {
            }
        }
    }
}
service {
    lldp {
        interface eth2 {
        }
    }
    snmp {
        community public {
            authorization ro
            network 172.16.0.0/16
            network 172.17.0.0/16
            network 172.18.0.0/16
        }
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name bellevuechristian.org
    domain-search {
        domain bellevuechristian.org
    }
    host-name vyos
    ip {
        arp {
            table-size 32768
        }
    }
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server 172.16.0.21
    name-server 172.16.0.20
    name-server 172.16.0.28
    ntp {
        server 209.51.161.238 {
        }
        server 216.218.192.202 {
        }
        server 216.218.254.202 {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
        host 172.16.0.109 {
            facility all {
                level err
            }
        }
    }
    time-zone America/Los_Angeles
}

Here is a very basic diagram of my critical path:
[Image: Untitled Diagram]

A little more information:

vyos@vyos:~$ show hardware cpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                24
On-line CPU(s) list:   0-23
Thread(s) per core:    1
Core(s) per socket:    12
Socket(s):             2
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 63
Model name:            Intel(R) Xeon(R) CPU E5-2670 v3 @ 2.30GHz
Stepping:              2
CPU MHz:               1200.261
CPU max MHz:           3100.0000
CPU min MHz:           1200.0000
BogoMIPS:              4601.27
Virtualization:        VT-x
L1d cache:             32K
L1i cache:             32K
L2 cache:              256K
L3 cache:              30720K
vyos@vyos:~$ show hardware pci
00:00.0 Host bridge: Intel Corporation Haswell-E DMI2 (rev 02)
00:01.0 PCI bridge: Intel Corporation Haswell-E PCI Express Root Port 1 (rev 02)
00:02.0 PCI bridge: Intel Corporation Haswell-E PCI Express Root Port 2 (rev 02)
00:03.0 PCI bridge: Intel Corporation Haswell-E PCI Express Root Port 3 (rev 02)
00:03.2 PCI bridge: Intel Corporation Haswell-E PCI Express Root Port 3 (rev 02)
00:04.0 System peripheral: Intel Corporation Haswell-E DMA Channel 0 (rev 02)
00:04.1 System peripheral: Intel Corporation Haswell-E DMA Channel 1 (rev 02)
00:04.2 System peripheral: Intel Corporation Haswell-E DMA Channel 2 (rev 02)
00:04.3 System peripheral: Intel Corporation Haswell-E DMA Channel 3 (rev 02)
00:04.4 System peripheral: Intel Corporation Haswell-E DMA Channel 4 (rev 02)
00:04.5 System peripheral: Intel Corporation Haswell-E DMA Channel 5 (rev 02)
00:04.6 System peripheral: Intel Corporation Haswell-E DMA Channel 6 (rev 02)
00:04.7 System peripheral: Intel Corporation Haswell-E DMA Channel 7 (rev 02)
00:05.0 System peripheral: Intel Corporation Haswell-E Address Map, VTd_Misc, System Management (rev 02)
00:05.1 System peripheral: Intel Corporation Haswell-E Hot Plug (rev 02)
00:05.2 System peripheral: Intel Corporation Haswell-E RAS, Control Status and Global Errors (rev 02)
00:05.4 PIC: Intel Corporation Haswell-E I/O Apic (rev 02)
00:11.0 Unassigned class [ff00]: Intel Corporation Wellsburg SPSR (rev 05)
00:11.4 SATA controller: Intel Corporation Wellsburg sSATA Controller [AHCI mode] (rev 05)
00:16.0 Communication controller: Intel Corporation Wellsburg MEI Controller #1 (rev 05)
00:16.1 Communication controller: Intel Corporation Wellsburg MEI Controller #2 (rev 05)
00:1a.0 USB controller: Intel Corporation Wellsburg USB Enhanced Host Controller #2 (rev 05)
00:1c.0 PCI bridge: Intel Corporation Wellsburg PCI Express Root Port #1 (rev d5)
00:1c.4 PCI bridge: Intel Corporation Wellsburg PCI Express Root Port #5 (rev d5)
00:1c.7 PCI bridge: Intel Corporation Wellsburg PCI Express Root Port #8 (rev d5)
00:1d.0 USB controller: Intel Corporation Wellsburg USB Enhanced Host Controller #1 (rev 05)
00:1f.0 ISA bridge: Intel Corporation Wellsburg LPC Controller (rev 05)
00:1f.2 SATA controller: Intel Corporation Wellsburg 6-Port SATA Controller [AHCI mode] (rev 05)
01:00.0 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 01)
01:00.1 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 01)
02:00.0 RAID bus controller: LSI Logic / Symbios Logic MegaRAID SAS-3 3108 [Invader] (rev 02)
06:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
06:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
07:00.0 PCI bridge: Renesas Technology Corp. Device 001d
08:00.0 PCI bridge: Renesas Technology Corp. Device 001d
09:00.0 PCI bridge: Renesas Technology Corp. Device 001a
0a:00.0 VGA compatible controller: Matrox Electronics Systems Ltd. G200eR2 (rev 01)
7f:08.0 System peripheral: Intel Corporation Haswell-E QPI Link 0 (rev 02)
7f:08.2 Performance counters: Intel Corporation Haswell-E QPI Link 0 (rev 02)
7f:08.3 System peripheral: Intel Corporation Haswell-E QPI Link 0 (rev 02)
7f:09.0 System peripheral: Intel Corporation Haswell-E QPI Link 1 (rev 02)
7f:09.2 Performance counters: Intel Corporation Haswell-E QPI Link 1 (rev 02)
7f:09.3 System peripheral: Intel Corporation Haswell-E QPI Link 1 (rev 02)
7f:0b.0 System peripheral: Intel Corporation Haswell-E R3 QPI Link 0 & 1 Monitoring (rev 02)
7f:0b.1 Performance counters: Intel Corporation Haswell-E R3 QPI Link 0 & 1 Monitoring (rev 02)
7f:0b.2 Performance counters: Intel Corporation Haswell-E R3 QPI Link 0 & 1 Monitoring (rev 02)
7f:0c.0 System peripheral: Intel Corporation Haswell-E Unicast Registers (rev 02)
7f:0c.1 System peripheral: Intel Corporation Haswell-E Unicast Registers (rev 02)
7f:0c.2 System peripheral: Intel Corporation Haswell-E Unicast Registers (rev 02)
7f:0c.3 System peripheral: Intel Corporation Haswell-E Unicast Registers (rev 02)
7f:0c.4 System peripheral: Intel Corporation Haswell-E Unicast Registers (rev 02)
7f:0c.5 System peripheral: Intel Corporation Haswell-E Unicast Registers (rev 02)
7f:0c.6 System peripheral: Intel Corporation Haswell-E Unicast Registers (rev 02)
7f:0c.7 System peripheral: Intel Corporation Haswell-E Unicast Registers (rev 02)
7f:0d.0 System peripheral: Intel Corporation Haswell-E Unicast Registers (rev 02)
7f:0d.1 System peripheral: Intel Corporation Haswell-E Unicast Registers (rev 02)
7f:0d.2 System peripheral: Intel Corporation Haswell-E Unicast Registers (rev 02)
7f:0d.3 System peripheral: Intel Corporation Haswell-E Unicast Registers (rev 02)
7f:0f.0 System peripheral: Intel Corporation Haswell-E Buffered Ring Agent (rev 02)
7f:0f.1 System peripheral: Intel Corporation Haswell-E Buffered Ring Agent (rev 02)
7f:0f.2 System peripheral: Intel Corporation Haswell-E Buffered Ring Agent (rev 02)
7f:0f.3 System peripheral: Intel Corporation Haswell-E Buffered Ring Agent (rev 02)
7f:0f.4 System peripheral: Intel Corporation Haswell-E System Address Decoder & Broadcast Registers (rev 02)
7f:0f.5 System peripheral: Intel Corporation Haswell-E System Address Decoder & Broadcast Registers (rev 02)
7f:0f.6 System peripheral: Intel Corporation Haswell-E System Address Decoder & Broadcast Registers (rev 02)
7f:10.0 System peripheral: Intel Corporation Haswell-E PCIe Ring Interface (rev 02)
7f:10.1 Performance counters: Intel Corporation Haswell-E PCIe Ring Interface (rev 02)
7f:10.5 System peripheral: Intel Corporation Haswell-E Scratchpad & Semaphore Registers (rev 02)
7f:10.6 Performance counters: Intel Corporation Haswell-E Scratchpad & Semaphore Registers (rev 02)
7f:10.7 System peripheral: Intel Corporation Haswell-E Scratchpad & Semaphore Registers (rev 02)
7f:12.0 System peripheral: Intel Corporation Haswell-E Home Agent 0 (rev 02)
7f:12.1 Performance counters: Intel Corporation Haswell-E Home Agent 0 (rev 02)
7f:12.2 System peripheral: Intel Corporation Haswell-E Home Agent 0 Debug (rev 02)
7f:12.4 System peripheral: Intel Corporation Haswell-E Home Agent 1 (rev 02)
7f:12.5 Performance counters: Intel Corporation Haswell-E Home Agent 1 (rev 02)
7f:12.6 System peripheral: Intel Corporation Haswell-E Home Agent 1 Debug (rev 02)
7f:13.0 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 0 Target Address, Thermal & RAS Registers (rev 02)
7f:13.1 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 0 Target Address, Thermal & RAS Registers (rev 02)
7f:13.2 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 0 Channel Target Address Decoder (rev 02)
7f:13.3 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 0 Channel Target Address Decoder (rev 02)
7f:13.6 System peripheral: Intel Corporation Haswell-E DDRIO Channel 0/1 Broadcast (rev 02)
7f:13.7 System peripheral: Intel Corporation Haswell-E DDRIO Global Broadcast (rev 02)
7f:14.0 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 0 Channel 0 Thermal Control (rev 02)
7f:14.1 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 0 Channel 1 Thermal Control (rev 02)
7f:14.2 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 0 Channel 0 ERROR Registers (rev 02)
7f:14.3 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 0 Channel 1 ERROR Registers (rev 02)
7f:14.4 System peripheral: Intel Corporation Haswell-E DDRIO (VMSE) 0 & 1 (rev 02)
7f:14.5 System peripheral: Intel Corporation Haswell-E DDRIO (VMSE) 0 & 1 (rev 02)
7f:14.6 System peripheral: Intel Corporation Haswell-E DDRIO (VMSE) 0 & 1 (rev 02)
7f:14.7 System peripheral: Intel Corporation Haswell-E DDRIO (VMSE) 0 & 1 (rev 02)
7f:16.0 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 1 Target Address, Thermal & RAS Registers (rev 02)
7f:16.1 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 1 Target Address, Thermal & RAS Registers (rev 02)
7f:16.2 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 1 Channel Target Address Decoder (rev 02)
7f:16.3 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 1 Channel Target Address Decoder (rev 02)
7f:16.6 System peripheral: Intel Corporation Haswell-E DDRIO Channel 2/3 Broadcast (rev 02)
7f:16.7 System peripheral: Intel Corporation Haswell-E DDRIO Global Broadcast (rev 02)
7f:17.0 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 1 Channel 0 Thermal Control (rev 02)
7f:17.1 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 1 Channel 1 Thermal Control (rev 02)
7f:17.2 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 1 Channel 0 ERROR Registers (rev 02)
7f:17.3 System peripheral: Intel Corporation Haswell-E Integrated Memory Controller 1 Channel 1 ERROR Registers (rev 02)
7f:17.4 System peripheral: Intel Corporation Haswell-E DDRIO (VMSE) 2 & 3 (rev 02)
7f:17.5 System peripheral: Intel Corporation Haswell-E DDRIO (VMSE) 2 & 3 (rev 02)
7f:17.6 System peripheral: Intel Corporation Haswell-E DDRIO (VMSE) 2 & 3 (rev 02)

And top output when ldap/ldaps are not responding from outside-

vyos@vyos:~$ show interfaces ethernet eth3 stat
NIC statistics:
     rx_packets: 554500416
     tx_packets: 652931662
     rx_bytes: 394958921541
     tx_bytes: 566822780702
     rx_broadcast: 5297
     tx_broadcast: 29
     rx_multicast: 0
     tx_multicast: 8809
     multicast: 0
     collisions: 0
     rx_crc_errors: 0
     rx_no_buffer_count: 0
     rx_missed_errors: 0
     tx_aborted_errors: 0
     tx_carrier_errors: 0
     tx_window_errors: 0
     tx_abort_late_coll: 0
     tx_deferred_ok: 0
     tx_single_coll_ok: 0
     tx_multi_coll_ok: 0
     tx_timeout_count: 0
     rx_long_length_errors: 0
     rx_short_length_errors: 0
     rx_align_errors: 0
     tx_tcp_seg_good: 9591846
     tx_tcp_seg_failed: 0
     rx_flow_control_xon: 0
     rx_flow_control_xoff: 0
     tx_flow_control_xon: 0
     tx_flow_control_xoff: 0
     rx_long_byte_count: 394958921541
     tx_dma_out_of_sync: 0
     lro_aggregated: 0
     lro_flushed: 0
     tx_smbus: 0
     rx_smbus: 0
     dropped_smbus: 0
     os2bmc_rx_by_bmc: 0
     os2bmc_tx_by_bmc: 0
     os2bmc_tx_by_host: 0
     os2bmc_rx_by_host: 0
     tx_hwtstamp_timeouts: 0
     rx_hwtstamp_cleared: 0
     rx_errors: 0
     tx_errors: 0
     tx_dropped: 0
     rx_length_errors: 0
     rx_over_errors: 0
     rx_frame_errors: 0
     rx_fifo_errors: 0
     tx_fifo_errors: 0
     tx_heartbeat_errors: 0
     tx_queue_0_packets: 26012272
     tx_queue_0_bytes: 13963402176
     tx_queue_0_restart: 0
     tx_queue_1_packets: 27974249
     tx_queue_1_bytes: 16091155075
     tx_queue_1_restart: 0
     tx_queue_2_packets: 32373121
     tx_queue_2_bytes: 16359326796
     tx_queue_2_restart: 0
     tx_queue_3_packets: 26854391
     tx_queue_3_bytes: 12599318006
     tx_queue_3_restart: 0
     tx_queue_4_packets: 32606350
     tx_queue_4_bytes: 15112335155
     tx_queue_4_restart: 0
     tx_queue_5_packets: 30114612
     tx_queue_5_bytes: 14280594152
     tx_queue_5_restart: 0
     tx_queue_6_packets: 166269792
     tx_queue_6_bytes: 160157046315
     tx_queue_6_restart: 0
     tx_queue_7_packets: 310726875
     tx_queue_7_bytes: 315515169549
     tx_queue_7_restart: 0
     rx_queue_0_packets: 58071596
     rx_queue_0_bytes: 47560065575
     rx_queue_0_drops: 0
     rx_queue_0_csum_err: 178
     rx_queue_0_alloc_failed: 0
     rx_queue_1_packets: 75825966
     rx_queue_1_bytes: 43924698195
     rx_queue_1_drops: 0
     rx_queue_1_csum_err: 7
     rx_queue_1_alloc_failed: 0
     rx_queue_2_packets: 77590208
     rx_queue_2_bytes: 53158071145
     rx_queue_2_drops: 0
     rx_queue_2_csum_err: 17
     rx_queue_2_alloc_failed: 0
     rx_queue_3_packets: 65143344
     rx_queue_3_bytes: 47064070504
     rx_queue_3_drops: 0
     rx_queue_3_csum_err: 2
     rx_queue_3_alloc_failed: 0
     rx_queue_4_packets: 85082327
     rx_queue_4_bytes: 51668521591
     rx_queue_4_drops: 0
     rx_queue_4_csum_err: 8
     rx_queue_4_alloc_failed: 0
     rx_queue_5_packets: 58899037
     rx_queue_5_bytes: 45565513341
     rx_queue_5_drops: 0
     rx_queue_5_csum_err: 7
     rx_queue_5_alloc_failed: 0
     rx_queue_6_packets: 62749141
     rx_queue_6_bytes: 48045447066
     rx_queue_6_drops: 0
     rx_queue_6_csum_err: 4
     rx_queue_6_alloc_failed: 0
     rx_queue_7_packets: 71138804
     rx_queue_7_bytes: 55754543058
     rx_queue_7_drops: 0
     rx_queue_7_csum_err: 112
     rx_queue_7_alloc_failed: 0
vyos@vyos:~$ show interfaces ethernet eth2 stat
NIC statistics:
     rx_packets: 653013901
     tx_packets: 553180919
     rx_bytes: 566880047592
     tx_bytes: 394943490785
     rx_broadcast: 228
     tx_broadcast: 39
     rx_multicast: 134218
     tx_multicast: 9346
     multicast: 134218
     collisions: 0
     rx_crc_errors: 0
     rx_no_buffer_count: 0
     rx_missed_errors: 0
     tx_aborted_errors: 0
     tx_carrier_errors: 0
     tx_window_errors: 0
     tx_abort_late_coll: 0
     tx_deferred_ok: 0
     tx_single_coll_ok: 0
     tx_multi_coll_ok: 0
     tx_timeout_count: 0
     rx_long_length_errors: 0
     rx_short_length_errors: 0
     rx_align_errors: 0
     tx_tcp_seg_good: 32201340
     tx_tcp_seg_failed: 0
     rx_flow_control_xon: 0
     rx_flow_control_xoff: 0
     tx_flow_control_xon: 0
     tx_flow_control_xoff: 0
     rx_long_byte_count: 566880047592
     tx_dma_out_of_sync: 0
     lro_aggregated: 0
     lro_flushed: 0
     tx_smbus: 0
     rx_smbus: 0
     dropped_smbus: 0
     os2bmc_rx_by_bmc: 0
     os2bmc_tx_by_bmc: 0
     os2bmc_tx_by_host: 0
     os2bmc_rx_by_host: 0
     tx_hwtstamp_timeouts: 0
     rx_hwtstamp_cleared: 0
     rx_errors: 0
     tx_errors: 0
     tx_dropped: 0
     rx_length_errors: 0
     rx_over_errors: 0
     rx_frame_errors: 0
     rx_fifo_errors: 0
     tx_fifo_errors: 0
     tx_heartbeat_errors: 0
     tx_queue_0_packets: 57942339
     tx_queue_0_bytes: 47562576641
     tx_queue_0_restart: 0
     tx_queue_1_packets: 75628480
     tx_queue_1_bytes: 43909044681
     tx_queue_1_restart: 0
     tx_queue_2_packets: 77468828
     tx_queue_2_bytes: 53148947517
     tx_queue_2_restart: 0
     tx_queue_3_packets: 64977874
     tx_queue_3_bytes: 47037310338
     tx_queue_3_restart: 0
     tx_queue_4_packets: 84875873
     tx_queue_4_bytes: 51653212004
     tx_queue_4_restart: 0
     tx_queue_5_packets: 58766682
     tx_queue_5_bytes: 45556264629
     tx_queue_5_restart: 0
     tx_queue_6_packets: 62571697
     tx_queue_6_bytes: 48038758304
     tx_queue_6_restart: 0
     tx_queue_7_packets: 70949146
     tx_queue_7_bytes: 55747779752
     tx_queue_7_restart: 0
     rx_queue_0_packets: 26164973
     rx_queue_0_bytes: 13966627225
     rx_queue_0_drops: 0
     rx_queue_0_csum_err: 0
     rx_queue_0_alloc_failed: 0
     rx_queue_1_packets: 27876155
     rx_queue_1_bytes: 16056292344
     rx_queue_1_drops: 0
     rx_queue_1_csum_err: 0
     rx_queue_1_alloc_failed: 0
     rx_queue_2_packets: 32294055
     rx_queue_2_bytes: 16318749136
     rx_queue_2_drops: 0
     rx_queue_2_csum_err: 0
     rx_queue_2_alloc_failed: 0
     rx_queue_3_packets: 26771430
     rx_queue_3_bytes: 12581094081
     rx_queue_3_drops: 0
     rx_queue_3_csum_err: 0
     rx_queue_3_alloc_failed: 0
     rx_queue_4_packets: 32664502
     rx_queue_4_bytes: 15111391355
     rx_queue_4_drops: 0
     rx_queue_4_csum_err: 0
     rx_queue_4_alloc_failed: 0
     rx_queue_5_packets: 30051284
     rx_queue_5_bytes: 14263675897
     rx_queue_5_drops: 0
     rx_queue_5_csum_err: 0
     rx_queue_5_alloc_failed: 0
     rx_queue_6_packets: 166495596
     rx_queue_6_bytes: 160424617384
     rx_queue_6_drops: 0
     rx_queue_6_csum_err: 0
     rx_queue_6_alloc_failed: 0
     rx_queue_7_packets: 310695906
     rx_queue_7_bytes: 315545544566
     rx_queue_7_drops: 0
     rx_queue_7_csum_err: 0
     rx_queue_7_alloc_failed: 0

Try to open ICMP type 3 code 4 for forwarding, and check whether the packet count on that rule increases.

Thank you for looking at my issue and the suggestion. It’s always nice to have multiple people looking at the same problem just in case something gets missed.
I have made the configuration change to allow ICMP type 3 code 4 and will continue to monitor outside connectivity today.

Unfortunately, we’re still seeing the same issue. It appears that all port forwarding fails to forward when our external Icinga sees the ldap connection go down. I am also unable to reach any of the web servers we also set up forwards for. ICMP still responds when the port forwards are not functioning. Is there a buffer or queue that might be filling up that I could check?

Try to check what you see in dmesg at that time.
sudo dmesg -T

Thank you, Viacheslav, for your time and suggestions.
After some further investigation, it appears my organization has been under a DoS attack since Saturday targeting our LDAP server. There is something to be said about the power of VyOS where I mistook a DoS attack for an MTU or port forwarding issue that I couldn’t solve. After disabling the port 389 forwards and adding some more IP ranges to our bad actor ranges, connections to 636 have been stable for 5 hours and counting.

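A defender's follow-up to the dmesg suggestion and the DoS finding above, as an added example (not code from the thread): it parses `conntrack -L` style flow entries and `dmesg` lines to show which client is piling half-open flows onto the forwarded LDAP port, which internal host the DNAT points them at, and whether the kernel is dropping packets because the conntrack table is full, which would explain every forward failing at once while ICMP still answers. The sample lines are constructed, and the default `conntrack -L` line layout is assumed.

```python
"""Spot a connection flood behind a DNAT from conntrack and dmesg output.

Added example, not code from the thread. Sample lines are constructed to
resemble `sudo conntrack -L` and `sudo dmesg -T` output; public addresses are
documentation ranges, 172.16.0.21 is the internal LDAP host from the thread."""
import re
from collections import Counter

# `conntrack -L` prints the original direction (client -> public IP) first and
# the reply direction second; after DNAT the reply src is the internal server.
_CT_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=\S+\s+sport=\d+\s+dport=(?P<dport>\d+)\s+"
    r"(?P<unreplied>\[UNREPLIED\]\s+)?src=(?P<target>\S+)"
)

def parse_conntrack(lines):
    """One dict per parseable flow; lines that do not match are skipped."""
    flows = []
    for line in lines:
        m = _CT_RE.match(line.strip())
        if m:
            flows.append({"proto": m["proto"], "src": m["src"], "target": m["target"],
                          "dport": int(m["dport"]), "unreplied": m["unreplied"] is not None})
    return flows

def top_sources(flows, dport, limit=5):
    """Clients holding the most flows towards one forwarded port."""
    return Counter(f["src"] for f in flows if f["dport"] == dport).most_common(limit)

def unreplied_flows(flows, dport):
    """Half-open flows to a port: the server never answered, typical of a flood."""
    return sum(1 for f in flows if f["dport"] == dport and f["unreplied"])

def conntrack_table_full_events(dmesg_lines):
    """Kernel 'table full' drops: conntrack exhaustion breaks every forward at once."""
    return sum(1 for l in dmesg_lines if "nf_conntrack: table full, dropping packet" in l)

# Constructed samples: one client piling half-open flows onto 389, one healthy 636 session.
SAMPLE_CONNTRACK = [
    "tcp      6 117 SYN_SENT src=198.51.100.7 dst=203.0.113.10 sport=40001 dport=389 [UNREPLIED] src=172.16.0.21 dst=198.51.100.7 sport=389 dport=40001 mark=0 use=1",
    "tcp      6 117 SYN_SENT src=198.51.100.7 dst=203.0.113.10 sport=40002 dport=389 [UNREPLIED] src=172.16.0.21 dst=198.51.100.7 sport=389 dport=40002 mark=0 use=1",
    "udp      17 29 src=198.51.100.7 dst=203.0.113.10 sport=40003 dport=389 [UNREPLIED] src=172.16.0.21 dst=198.51.100.7 sport=389 dport=40003 mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=192.0.2.9 dst=203.0.113.10 sport=51234 dport=636 src=172.16.0.21 dst=192.0.2.9 sport=636 dport=51234 [ASSURED] mark=0 use=1",
]
SAMPLE_DMESG = [
    "[Sat Jan  4 03:12:01 2020] nf_conntrack: table full, dropping packet",
    "[Sat Jan  4 03:12:01 2020] nf_conntrack: table full, dropping packet",
    "[Sat Jan  4 03:12:05 2020] igb 0000:01:00.1 eth3: NIC Link is Up 1000 Mbps",
]
```

On a live VyOS box the same functions can be fed the output of `sudo conntrack -L` and `sudo dmesg -T`; a single source dominating `top_sources` for port 389 with a high `unreplied_flows` count is the pattern the thread ended up finding.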