dpinger "Duplicate Echo Reply Received"

DanBlackaz

Hello,

Below is an example of my Gateway log:

Sep 1 22:27:30 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 22:26:49 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 22:26:13 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 22:22:21 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 22:18:59 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 22:18:54 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 22:18:21 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 22:14:18 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 22:06:06 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 21:56:25 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 21:55:31 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 21:55:19 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 21:47:24 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 21:45:39 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 21:43:26 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received
Sep 1 21:40:15 dpinger 36209 WAN_5G_DHCP 8.8.8.8: duplicate echo reply received

I have a cable modem connected to WAN and then a 5G Modem connect to WAN_5G. Both are in a Gateway group, Cable modem is Tier 1, 5G backup is Tier 2 and the trigger level is "Member Down".

I don't get these messages for the cable modem connection but I am through the 5G modem. I don't understand why?

Could someone maybe have a look and explain why I might get two echo replies to pfSense?

Thanks :)

johnpoz

@DanBlackaz said in dpinger "Duplicate Echo Reply Received":

why I might get two echo replies to pfSense?

Because you got 2.. Do a sniff on this interface.. And you can see the dpingers going out.. And the response - are you seeing 2 replies twice..

DanBlackaz

@johnpoz Hi and sorry for the delay. I can see a line on the pcap file with a duplicate reply as follows:

10.30.168.171/172 appears to be the IP for the 5G Modem but I can only see one outgoing request so not sure why there would be 2 replies?

Apologies I'm not very good at this stuff - any advice?

johnpoz

@DanBlackaz that is perfect way to show it.. So your not seeing every time, just now and then..

And there is pretty good delay from the first one to the 2nd reply.. Something like 4 ms..

Now just an off the cuff guess, 8.8.8.8 is an anycast address. So in theory what your seeing isn't all that uncommon thing that could happen.. How often do you see these? Do they come in burst? Or is it just constant like your log just random but always happening ever minute or few minutes?

If I had to guess its prob related to what can be used over 5G, MPTCP (multipath tcp) or even PD (packet duplication).. These are common things to help account for packet loss..

If there was way less difference in the time you were getting the response - could be something more local to you packet duplication, especially if it was happening on every single packet. But that your seeing not all the time, points to something upstream going on with mptcp, pd in conjunction with that that 8.8.8.8 is an anycast address to start with.

can you pick another IP to use for monitoring that is not anycast.. What I would do is say a traceroute to 8.8.8.8 and then pick like the 2nd or 3rd hop hop that should be a router just in your isp network.. Do they happen then?

In the big picture, other than log spam I don't see how that would be causing you any issues..

With mptcp an pd, in the process of moving from 1 connection to a different connection for whatever reason, be it a different tower even, etc.. You could see such things happen.. So changing what your monitoring might not get rid of it.. I might just be nature of the beast with these technologies, the log spam sucks for sure.. I don't know if there might be something to do with not logging such duplicates in dpinger?

DanBlackaz

@johnpoz Hi - yes it seems to be a duplicate maybe every 1 - 4 minutes randomly - the time differences are always random between them so it would make sense what you are saying above.

I did a traceroute to 8.8.8.8 and chose a server owned by the ISP which doesn't seem to be an anycast address either and checked it can receive ICMP traffic with no issues and I've set that as the monitor address on that gateway.

dpinger has been up for 10 mins now and no log entries so this seems to have solved it! Thanks once again!

I wasn't have any issues as such, was just concerned with my logs being full of these so thought I'd done something wrong but I guess it does amount to log spam really!

Thanks for your help

johnpoz

@DanBlackaz yeah let it run for a while - if you were seeing them every 1 to 4 minutes and now have 10, yeah could be a indication its gone - but lets give it a day or so..

It could be some oddness with mptcp and or pd, not sure how deep pd has gotten into all the different 5g networks out there. Or even mptcp - but you tie those sorts of technologies along with anycast.. And yeah would expect some duplicate stuff to show up now and then for sure..

In the big picture some duplication isn't going to cause any issues, other than log spam.. But log spam is a real thing that can be problematic for sure. You fill your log with garbage its way harder to spot things that could be indications of real problems, etc

Why I don't log default deny, and only log common udp ports in for may wan blocks, etc.. Reduction of log spam.. I don't need to see some rando UDP port hitting my wan, or a bunch of FA or etc.. But I do want to see syn to my wan IP, and there are a lot of common UDP ports that could be of interest.. So that is what I log, specific UDP traffic I would want to see and any SYN traffic sent to my wan IP that is blocked..