Hello, On 25.06.23 07:49, Matthias Petermann wrote:
4) Run the test with tcpdump from DomU -> this is currently ongoing. I will followup as soon I have the results.
This is the follow-up I promised. I was lucky this morning to catch one occurance of the issue while tcpdump was running in the DomU. Because of the huge volume, I just captured the meta data (default output of tcpdump to stdout) and even here, the resulting log grow quickly to 5 GB. So I cut it down to the relevant time window and uploaded it here:
https://paste.petermann-it.de/?2ea9787bbff024f4#71N5aXYoQTdDq3tXVxBXjfmDAuw9Wdof3Dkyim99xcYGFor better classification, here is the rough timelime of the events I'd like to comment below:
1) 08:52:07.595169 Begin active monitoring Continuous ssh package flow from srv-net.lan (DomU) -> vhost2.lan (Dom0) 2) 08:52:07.595831 Notified a lot of ARP related traffic ssh package flow seems to be slowed down / paused Client (ssh) reported "Connection to srv-net.lan closed by remote host." 3) 08:52:21.xxxxxx Client (backup script) reported that it created a new ssh connection to the remote host and started the next dump.Somewhere between 2) and 3) there should be the answer to the question. Please apologize for the noise in the log file this host is quite busy and I fear that removing lines that I consider unrelated might result in unintentional misdirection of the analysis.
So far, thanks for all your time support and valuable support - it helps a lot to understand the system even better.
Kind regards Matthias
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature