    Applicable To

    • Twingate Component: Connector

    Symptoms

    • Able to connect to the resource on expected ports.
    • Ping/ICMP attempts to the resource fail.
    • Able to ping the Twingate Resource directly via SSH or terminal on the Connector's host.

    Cause

    Some Linux distributions restrict permission to send ICMP packets, for security reasons, based on the group ID. The default is net.ipv4.ping_group_range="1 0", which means no group is allowed to create ICMP Echo sockets. This is a kernel-level attribute that is handled through sysctl.

    Resolution

    Set a range of group IDs (minimum / maximum inclusive) that are allowed to create ICMP Echo sockets.

    For connectors that were deployed via systemd:

    1. Verify current value
      sysctl net.ipv4.ping_group_range
    2. If it is set to the default "1 0", the following command will write the sysctl setting to the configuration file.
      echo 'net.ipv4.ping_group_range = 0 2147483647' | sudo tee -a /etc/sysctl.conf
    3. Apply the updated configuration
      sudo sysctl -p
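
    The script below is an added example, not Twingate code. It checks whether a user's groups fall inside the live ping_group_range (it works for any range, not only the one shown above) and persists the setting without appending a duplicate line on repeated runs. The function names and the script name ping_range.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not Twingate code); function names are hypothetical.

# range_allows_gid "<min> <max>" <gid>...
# Succeeds if any GID lies inside the inclusive range. The default "1 0"
# has min > max, so no GID can ever match it.
range_allows_gid() {
    r=$1; shift
    set -- $r "$@"            # split "min max" (the kernel separates with a tab)
    min=$1; max=$2; shift 2
    for gid in "$@"; do
        if [ "$gid" -ge "$min" ] && [ "$gid" -le "$max" ]; then return 0; fi
    done
    return 1
}

# persist_sysctl <file> <key> <value>
# Writes "key = value", replacing an existing assignment of the key rather
# than appending a duplicate line on every run.
persist_sysctl() {
    file=$1; key=$2; value=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # treat dots literally
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then
        grep -Ev "^[[:space:]]*${key_re}[[:space:]]*=" "$file" > "$tmp" || true
    fi
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# ping_status_for_user [user]
# Compares the live kernel value with the groups of the given user
# (default: current user), e.g. the account the Connector runs as.
ping_status_for_user() {
    user=${1:-$(id -un)}
    live=$(cat /proc/sys/net/ipv4/ping_group_range)
    if range_allows_gid "$live" $(id -G "$user"); then
        echo "$user: ICMP Echo sockets allowed (range: $live)"
    else
        echo "$user: ICMP Echo sockets blocked (range: $live)"; return 1
    fi
}

# Usage: sh ping_range.sh check [user]
if [ "${1:-}" = "check" ]; then ping_status_for_user "${2:-}"; fi
```

    To persist the value from step 2, call persist_sysctl /etc/sysctl.conf net.ipv4.ping_group_range "0 2147483647" as root, then apply it with sudo sysctl -p as in step 3.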

    For connectors that were deployed as a Docker container:

    • You will need to pass the sysctl setting at the container level during deployment:

      --sysctl net.ipv4.ping_group_range="0 2147483647"

    Additional consideration for LXC containers

    For connectors deployed on LXC containers, such as with Proxmox, the container must be created as a Privileged container to allow ping access to resources via the connector. 

    If you have already created an unprivileged LXC container, consider creating a backup, then ensure you select "Privileged" for the privilege level settings when restoring the container.