    Applicable To

    • Twingate Component: Connector

    Overview

    A Twingate user is unable to ping a protected resource but can reach the resource on its typical TCP and/or UDP ports.

    Symptoms

    • Able to connect to the resource on expected ports.
    • Ping attempts to the resource fail.
    • Can ping the resource from the connector.

    Cause

    Some Linux distributions restrict permission to create ICMP Echo sockets, for security reasons, based on group ID. The default is "1 0" (e.g. net.ipv4.ping_group_range="1 0"), which means no group is allowed to create ICMP Echo sockets. This is a kernel-level attribute that is managed through sysctl.

    Resolution

    Set a range of group IDs (minimum / maximum inclusive) that are allowed to create ICMP Echo sockets.

    For connectors that were deployed via systemd:

    1. Verify the current value:

    sysctl net.ipv4.ping_group_range

    2. If it is set to the default "1 0", the following command will write the sysctl setting to the configuration file:

    echo 'net.ipv4.ping_group_range = 0 2147483647' | sudo tee -a /etc/sysctl.conf

    For connectors that were deployed as a Docker container:

    • You will need to pass the sysctl setting at the container level during deployment:

      --sysctl net.ipv4.ping_group_range="0 2147483647"
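
To confirm what the connector actually sees after either change, the following added example (not Twingate's own tooling) parses the "min max" pair and reports whether a given group ID falls inside it. The function names and the choice of which gid to test are assumptions of this example; it only reads the setting and changes nothing.

```shell
#!/bin/sh
# Added example, not Twingate tooling. POSIX sh, read-only.

# range_allows_gid "<min> <max>" <gid>
# Exit 0 if gid is inside the inclusive range, 1 if not, 2 on malformed input.
# The kernel default "1 0" has min > max, so it matches no gid at all.
range_allows_gid() {
    _gid=$2
    set -- $1    # split "min max" (sysctl prints the pair tab-separated)
    [ $# -eq 2 ] || return 2
    for _v in "$1" "$2" "$_gid"; do
        case $_v in
            ''|*[!0-9]*) return 2 ;;
        esac
    done
    [ "$1" -le "$_gid" ] && [ "$_gid" -le "$2" ]
}

# check_host [gid]
# Evaluate the live setting of the current network namespace for gid
# (default: the caller's primary group; which gid the connector process
# runs under is deployment-specific and must be supplied by the operator).
check_host() {
    _want=${1:-$(id -g)}
    _range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null) || {
        echo "ping_group_range is not readable on this system" >&2
        return 2
    }
    if range_allows_gid "$_range" "$_want"; then
        echo "gid $_want may create ICMP Echo sockets (range: $_range)"
    else
        echo "gid $_want may NOT create ICMP Echo sockets (range: $_range)"
        return 1
    fi
}

# Report on this host; pass a gid as the first argument to test another group.
check_host "$@" || true
```

A line appended to /etc/sysctl.conf is applied at boot or when the file is reloaded with `sudo sysctl -p`, so rerun the check after that. For a Docker deployment, run it inside the container, because this setting is tracked per network namespace.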