Welcome to the Linux Foundation Forum!

Also having problems with tcpdump

tatty Posts: 8
edited April 2021 in LFS258 Class Forum


Like the previous post I also have a question about LFS258, Lab 3.4. - Deploy a Simple Application. I am using AWS and my kubeadm version is 1.20.

As per the lab sessions I have 2 nodes:

$ kubectl get nodes
NAME              STATUS   ROLES                  AGE   VERSION
ip-172-31-17-67   Ready    control-plane,master   9d    v1.20.5
ip-172-31-27-81   Ready    <none>                 9d    v1.20.5

and I have successfully deployed nginx to the worker node and exposed the service on port 80,
as per instructions 14-15.

$ kubectl get nodes
NAME              STATUS   ROLES                  AGE   VERSION
ip-172-31-17-67   Ready    control-plane,master   9d    v1.20.5
ip-172-31-27-81   Ready    <none>                 9d    v1.20.5
$ kubectl get deployments,pods
NAME                    READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nginx   1/1     1            1           4d22h

NAME                         READY   STATUS    RESTARTS   AGE
pod/nginx-7848d4b86f-pkw86   1/1     Running   0          55m
$ kubectl get ep nginx
nginx   55m

Now from the worker node I can get the sample nginx page served up,
so from the machine at I can do:

$ curl
<!DOCTYPE html>

But when I try tcpdump I don't see any traffic on the worker node (i even eventually tried issuing it from the control plane node, that is the machine with TCP/IP address of
I tried:-

$ sudo tcpdump -i tunl0
tcpdump: tunl0: That device is not up

and then tcpdump -v without a specific tunnel...

$ sudo tcpdump -v
tcpdump: listening on vxlan.calico, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel

but it did not capture any traffic even though I issued several curl commands in another session on the same
worker machine.

I also did note that when I issued curl on the control plane, I got no HTTP response.

What should I check and what am I doing wrong?


  • tatty
    tatty Posts: 8

    BTW: I noticed that the person from the previous post, jcremp77 basically said:

    Okay...It appears to be a GCP FW rule. Opened up all for internal communication and it works.

    but this does not appear to be the source of my problem. Both AWS EC2 instances I am using have the following security:

    Inbound rules:
    Type         Protocol  Port range  Source
    All traffic  All       All
    All traffic  All       All         ::/0 
    Outbound rules:
    Type         Protocol   Port range Destination
    All traffic  All        All

    So, as you can see traffic is not restricted in any way.

  • jcremp77
    jcremp77 Posts: 37

    Hi tatty- Does PING work between both the tunl0 interfaces (master <--> worker)? Issue the command 'ip a' to get the list of your network interfaces on both master and worker, and take note of the 'tunl0' ip addresses. Try to ping from master to worker or vice versa. These interfaces 'must' be able to communicate or it will not work. Calico builds tunnels between the master and worker on these interfaces. It has been awhile since doing anything in AWS, but I remember that there are 2 different methods for controlling access into and within AWS. Network rules and FW rules (statelss and stateful respectively). Network is for traffic entering and exiting the VPC itself, not within the VPC. Hope this helps.

  • tatty
    tatty Posts: 8

    OK, after some research I found out that:

    "Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT [Network Address Translation] instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance."
    Source: https://docs.projectcalico.org/reference/public-cloud/aws

    This in turn points to an AWS document that tells you how to actually disable that check through the AWS console interface, see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck. (This document also tells you how to do it via the AWS CLI... but I am not using that.)

    I see that the course documentation on how to provision AWS environment is a few years old now... maybe it's time to update it with this information.

  • jcremp77
    jcremp77 Posts: 37

    Were you able to get it working?

  • tatty
    tatty Posts: 8
    edited April 2021

    Yes, I had to do a sudo kubeadm reset on both the control plane and worker node though and reapply everything.

  • jcremp77
    jcremp77 Posts: 37

    Good, glad you got it working.


Upcoming Training