Also having problems with tcpdump

tatty

Hi,

Like the previous post I also have a question about LFS258, Lab 3.4. - Deploy a Simple Application. I am using AWS and my kubeadm version is 1.20.

As per the lab sessions I have 2 nodes:

$ kubectl get nodes
NAME              STATUS   ROLES                  AGE   VERSION
ip-172-31-17-67   Ready    control-plane,master   9d    v1.20.5
ip-172-31-27-81   Ready    <none>                 9d    v1.20.5

and I have successfully deployed nginx to the worker node and exposed the service on port 80,
as per instructions 14-15.

$ kubectl get nodes
NAME              STATUS   ROLES                  AGE   VERSION
ip-172-31-17-67   Ready    control-plane,master   9d    v1.20.5
ip-172-31-27-81   Ready    <none>                 9d    v1.20.5
$ kubectl get deployments,pods
NAME                    READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nginx   1/1     1            1           4d22h

NAME                         READY   STATUS    RESTARTS   AGE
pod/nginx-7848d4b86f-pkw86   1/1     Running   0          55m
$ kubectl get ep nginx
NAME    ENDPOINTS           AGE
nginx   192.168.14.138:80   55m

Now from the worker node I can get the sample nginx page served up,
so from the machine at 172.31.27.81 I can do:

$ curl 192.168.14.138:80
<!DOCTYPE html>
<html>
<head>
...

But when I try tcpdump I don't see any traffic on the worker node (i even eventually tried issuing it from the control plane node, that is the machine with TCP/IP address of 172.31.17.67)
I tried:-

$ sudo tcpdump -i tunl0
tcpdump: tunl0: That device is not up

and then tcpdump -v without a specific tunnel...

$ sudo tcpdump -v
tcpdump: listening on vxlan.calico, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

but it did not capture any traffic even though I issued several curl 192.168.14.138:80 commands in another session on the same
worker machine.

I also did note that when I issued curl 192.168.14.138:80 on the control plane, I got no HTTP response.

What should I check and what am I doing wrong?

tatty

BTW: I noticed that the person from the previous post, jcremp77 basically said:

Okay...It appears to be a GCP FW rule. Opened up all for internal communication and it works.

but this does not appear to be the source of my problem. Both AWS EC2 instances I am using have the following security:

Inbound rules:

Type         Protocol  Port range  Source
All traffic  All       All         0.0.0.0/0
All traffic  All       All         ::/0 

Outbound rules:

Type         Protocol   Port range Destination
All traffic  All        All        0.0.0.0/0

So, as you can see traffic is not restricted in any way.

jcremp77

Hi tatty- Does PING work between both the tunl0 interfaces (master <--> worker)? Issue the command 'ip a' to get the list of your network interfaces on both master and worker, and take note of the 'tunl0' ip addresses. Try to ping from master to worker or vice versa. These interfaces 'must' be able to communicate or it will not work. Calico builds tunnels between the master and worker on these interfaces. It has been awhile since doing anything in AWS, but I remember that there are 2 different methods for controlling access into and within AWS. Network rules and FW rules (statelss and stateful respectively). Network is for traffic entering and exiting the VPC itself, not within the VPC. Hope this helps.

tatty

OK, after some research I found out that:

"Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT [Network Address Translation] instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance."
Source: https://docs.projectcalico.org/reference/public-cloud/aws

This in turn points to an AWS document that tells you how to actually disable that check through the AWS console interface, see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck. (This document also tells you how to do it via the AWS CLI... but I am not using that.)

I see that the course documentation on how to provision AWS environment is a few years old now... maybe it's time to update it with this information.

jcremp77

Were you able to get it working?

tatty

Yes, I had to do a sudo kubeadm reset on both the control plane and worker node though and reapply everything.

jcremp77

Good, glad you got it working.