dazzling-smartphone-17242

10/27/2022, 5:27 PM
I installed Rancher Desktop for the first time on my Windows 10 laptop. First I was getting the error "Error: wsl.exe exited with code 4294967295". After some research I performed a wsl --update. That error went away. Now I get the following when starting Rancher Desktop. Any thoughts on how to proceed?
The k3s cache is empty and there is no network connection.
2022-10-27T14:19:55.636Z: Registered distributions: rancher-desktop,rancher-desktop-data
2022-10-27T14:19:55.951Z: Registered distributions: rancher-desktop,rancher-desktop-data
2022-10-27T14:19:56.131Z: Registered distributions: rancher-desktop,rancher-desktop-data
2022-10-27T14:19:56.318Z: Registered distributions: rancher-desktop,rancher-desktop-data
2022-10-27T14:19:56.318Z: data distro already registered

wide-mechanic-33041

10/27/2022, 6:28 PM
did you try to reset RD or uninstall/reinstall? while RD is running can you rdctl shell and see if any basic network operations work outside of the distro?

dazzling-smartphone-17242

10/27/2022, 7:01 PM
I did try a reset and uninstall/reinstall earlier. For rdctl, was there a specific command I should run? I executed some of the commands listed in the command reference and didn't see any errors.

wide-mechanic-33041

10/27/2022, 7:01 PM
it's just a shell so pinging your dns server as an example just shows network is live

dazzling-smartphone-17242

10/27/2022, 7:07 PM
ok so inside of that shell I can't seem to reach anything on the network

wide-mechanic-33041

10/27/2022, 7:07 PM
you have a VPN going?

dazzling-smartphone-17242

10/27/2022, 7:08 PM
yes

dazzling-smartphone-17242

10/27/2022, 7:14 PM
I'll check it out thanks
I tried the instructions listed in that article:
Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1
Get-NetIPInterface -InterfaceAlias "Ethernet 4" | Set-NetIPInterface -InterfaceMetric 5001
Next I started Rancher Desktop. This time I saw it downloading stuff for Kubernetes. No errors in the ui. However, I was not able to access any internal sites from a browser. Also noticed that from rdctl shell I still cannot successfully ping a public or internal hostname. Next, I tried this.
Get-NetIPInterface -InterfaceAlias "Ethernet 4" | Set-NetIPInterface -InterfaceMetric 2
That got me access again to my company's internal servers outside the rdctl shell. Still cannot ping anything within that shell. Also it took a solid 5 minutes for the rd gui to start kubernetes. Not sure if that is related to the network interface priority.

wide-mechanic-33041

10/27/2022, 8:48 PM
yeah each VPN plays with the route table just a little differently. your company may use a route control policy that resets any changes that you make to the route table so those workarounds may not work. i would startup RD and check the results of
route print
for the network allocated to rancher in WSL.

dazzling-smartphone-17242

10/27/2022, 8:58 PM
Checking the route with the rdctl shell
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         host.rancher-de 0.0.0.0         UG    0      0        0 eth0
10.42.0.0       *               255.255.255.0   U     0      0        0 cni0
172.17.0.0      *               255.255.0.0     U     0      0        0 docker0
172.21.112.0    *               255.255.240.0   U     0      0        0 eth0
And from PowerShell
PS C:\windows\system32> route print
===========================================================================
Interface List
 59...00 15 5d 8a 1f 06 ......Hyper-V Virtual Ethernet Adapter #2
 14...02 50 41 00 00 01 ......PANGP Virtual Ethernet Adapter
  8...48 2a e3 92 f7 e9 ......Intel(R) Ethernet Connection (7) I219-LM
  3...5c ff 35 d8 77 f6 ......Lenovo USB Ethernet
 13...c8 b2 9b f7 96 a3 ......Intel(R) Wi-Fi 6 AX200 160MHz
 23...c8 b2 9b f7 96 a4 ......Microsoft Wi-Fi Direct Virtual Adapter
  7...ca b2 9b f7 96 a3 ......Microsoft Wi-Fi Direct Virtual Adapter #2
 17...c8 b2 9b f7 96 a7 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
 46...00 15 5d 9c 3a 91 ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.107     25
          0.0.0.0          0.0.0.0         On-link    10.242.132.202      2
         10.0.0.0    255.255.255.0         On-link        10.0.0.107    281
         10.0.0.0    255.255.255.0         On-link    10.242.132.202      2
       10.0.0.107  255.255.255.255         On-link        10.0.0.107    281
       10.0.0.255  255.255.255.255         On-link        10.0.0.107    281
       10.0.0.255  255.255.255.255         On-link    10.242.132.202      2
   10.242.132.202  255.255.255.255         On-link    10.242.132.202    258
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     170.40.0.100  255.255.255.255         On-link    10.242.132.202      2
   170.40.127.100  255.255.255.255         On-link    10.242.132.202      2
     172.21.112.0    255.255.240.0         On-link      172.21.112.1    257
     172.21.112.0    255.255.240.0         On-link    10.242.132.202      2
     172.21.112.1  255.255.255.255         On-link      172.21.112.1    257
   172.21.127.255  255.255.255.255         On-link      172.21.112.1    257
   172.21.127.255  255.255.255.255         On-link    10.242.132.202      2
     192.168.32.0    255.255.240.0         On-link      192.168.32.1   5256
     192.168.32.0    255.255.240.0         On-link    10.242.132.202      2
     192.168.32.1  255.255.255.255         On-link      192.168.32.1   5256
   192.168.47.255  255.255.255.255         On-link      192.168.32.1   5256
   192.168.47.255  255.255.255.255         On-link    10.242.132.202      2
   192.189.252.43  255.255.255.255         10.0.0.1       10.0.0.107     25
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link        10.0.0.107    281
        224.0.0.0        240.0.0.0         On-link      192.168.32.1   5256
        224.0.0.0        240.0.0.0         On-link    10.242.132.202    258
        224.0.0.0        240.0.0.0         On-link      172.21.112.1    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link        10.0.0.107    281
  255.255.255.255  255.255.255.255         On-link      192.168.32.1   5256
  255.255.255.255  255.255.255.255         On-link    10.242.132.202    258
  255.255.255.255  255.255.255.255         On-link      172.21.112.1    257
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  3    281 ::/0                     fe80::aa70:5dff:fead:e7a8
  1    331 ::1/128                  On-link
  3    281 2601:182:d81:25c0::/64   On-link
  3    281 2601:182:d81:25c0::e949/128
                                    On-link
  3    281 2601:182:d81:25c0:49c:39c9:f960:2435/128
                                    On-link
  3    281 2601:182:d81:25c0:890e:3a60:877c:9e00/128
                                    On-link
  3    281 fe80::/64                On-link
 46   5256 fe80::/64                On-link
 59    257 fe80::/64                On-link
  3    281 fe80::49c:39c9:f960:2435/128
                                    On-link
 59    257 fe80::1d85:21d1:a916:bbd7/128
                                    On-link
 46   5256 fe80::25ae:2feb:733c:b70/128
                                    On-link
  1    331 ff00::/8                 On-link
  3    281 ff00::/8                 On-link
 46   5256 ff00::/8                 On-link
 59    257 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
I'm a bit outside my comfort zone here - hope this tells you something

wide-mechanic-33041

10/27/2022, 9:00 PM
yeah no worries. This is why i added that feedback to that Issue. you are down in the weeds of the system and things working or not are dependent on how the product is implemented and how the organization has configured their policies
what is the ip in use for the RD distro? I believe ifconfig works in alpine
i am betting your distro is on that 192.168.32.0/20

dazzling-smartphone-17242

10/27/2022, 9:03 PM
hey sorry but I am a bit of a newbie with containers. How am I getting what you asked for?

wide-mechanic-33041

10/27/2022, 9:04 PM
but there are a mess of duplicated routes in that table that make me think your metric changes went wonky
rdctl shell
gets you into the WSL Alpine distro then
ifconfig

dazzling-smartphone-17242

10/27/2022, 9:04 PM
oh ok
gotcha
/mnt/c/data # ifconfig
cni0      Link encap:Ethernet  HWaddr C6:E2:95:35:03:DF
          inet addr:10.42.0.1  Bcast:10.42.0.255  Mask:255.255.255.0
          inet6 addr: fe80::c4e2:95ff:fe35:3df/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:28839 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32143 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5734492 (5.4 MiB)  TX bytes:4152066 (3.9 MiB)

docker0   Link encap:Ethernet  HWaddr 02:42:7A:FE:9C:55
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 00:15:5D:27:FE:52
          inet addr:172.21.115.14  Bcast:172.21.127.255  Mask:255.255.240.0
          inet6 addr: fe80::215:5dff:fe27:fe52/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3511 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3942 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:625548 (610.8 KiB)  TX bytes:3816876 (3.6 MiB)

flannel.1 Link encap:Ethernet  HWaddr E2:E8:34:F5:61:1F
          inet addr:10.42.0.0  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: fe80::e0e8:34ff:fef5:611f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:5 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:63610 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63610 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16738980 (15.9 MiB)  TX bytes:16738980 (15.9 MiB)

veth52c77457 Link encap:Ethernet  HWaddr B6:BD:A9:F2:AC:F0
          inet6 addr: fe80::b4bd:a9ff:fef2:acf0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:194 errors:0 dropped:0 overruns:0 frame:0
          TX packets:220 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14644 (14.3 KiB)  TX bytes:21019 (20.5 KiB)

veth5fe9ccff Link encap:Ethernet  HWaddr 56:98:4D:9E:82:86
          inet6 addr: fe80::5498:4dff:fe9e:8286/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:17345 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19919 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4382115 (4.1 MiB)  TX bytes:2761896 (2.6 MiB)

veth6179d0ae Link encap:Ethernet  HWaddr FE:D0:4E:7C:03:14
          inet6 addr: fe80::fcd0:4eff:fe7c:314/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:5643 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5758 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:537654 (525.0 KiB)  TX bytes:525864 (513.5 KiB)

wide-mechanic-33041

10/27/2022, 9:05 PM
wsl shares some key parts of the route table with the Host and the Internet Connection Sharing service provides NAT, but yeah this is the downside
got it… so 172.21.115.14 is in
172.21.112.0    255.255.240.0         On-link      172.21.112.1    257
     172.21.112.0    255.255.240.0         On-link    10.242.132.202      2
     172.21.112.1  255.255.255.255         On-link      172.21.112.1    257
that 2nd copy of the subnetIP is a problem. can you run a route delete in your Host (elevated prompt)
route delete 172.21.112.0 mask 255.255.240.0 10.242.132.202
then do a route print and just copy that little section around that 172.21 space
the question is if the VPN policy puts the bad route back at the lower metric

dazzling-smartphone-17242

10/27/2022, 9:09 PM
wouldn't surprise me
I am doing all of this outside of the shell....just a normal elevated windows command prompt or powershell?

wide-mechanic-33041

10/27/2022, 9:10 PM
doing a preflight WSL2 health check for folks would really help. this isn’t really an RD thing, but more the WSL2 framework
yeah that is in an elevated/UAC’d posh or cmd window

dazzling-smartphone-17242

10/27/2022, 9:11 PM
PS C:\windows\system32> route delete 172.21.112.0 mask 255.255.240.0 10.242.132.202
The route deletion failed: Element not found.
typo ?

wide-mechanic-33041

10/27/2022, 9:12 PM
wouldn’t put it past me. 😉

dazzling-smartphone-17242

10/27/2022, 9:12 PM
172.21.112.0
maybe should be .1

wide-mechanic-33041

10/27/2022, 9:12 PM
can never remember if windows requires the specific interface the route is on
you can always do
route delete 172.21.112.0
and then
route add 172.21.112.0 mask 255.255.240.0 172.21.112.1

dazzling-smartphone-17242

10/27/2022, 9:14 PM
ok

wide-mechanic-33041

10/27/2022, 9:15 PM
sorry route print doesn’t provide all the info so it then needs info from the adapters to then drive another command. not the easiest to do over a chat. 😅

dazzling-smartphone-17242

10/27/2022, 9:15 PM
172.21.112.0    255.255.240.0         On-link      172.21.112.1      2
     172.21.112.1  255.255.255.255         On-link      172.21.112.1    257
   172.21.127.255  255.255.255.255         On-link      172.21.112.1    257
     192.168.32.0    255.255.240.0         On-link      192.168.32.1   5256
     192.168.32.0    255.255.240.0         On-link    10.242.132.202      2
     192.168.32.1  255.255.255.255         On-link      192.168.32.1   5256
   192.168.47.255  255.255.255.255         On-link      192.168.32.1   5256
   192.168.47.255  255.255.255.255         On-link    10.242.132.202      2
   192.189.252.43  255.255.255.255         10.0.0.1       10.0.0.107     25
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link        10.0.0.107    281
        224.0.0.0        240.0.0.0         On-link      192.168.32.1   5256
        224.0.0.0        240.0.0.0         On-link    10.242.132.202    258
        224.0.0.0        240.0.0.0         On-link      172.21.112.1    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link        10.0.0.107    281
  255.255.255.255  255.255.255.255         On-link      192.168.32.1   5256
  255.255.255.255  255.255.255.255         On-link    10.242.132.202    258
  255.255.255.255  255.255.255.255         On-link      172.21.112.1    257

wide-mechanic-33041

10/27/2022, 9:16 PM
k that looks pretty good. can you ping things in your intranet
sorry from
rdctl shell

dazzling-smartphone-17242

10/27/2022, 9:17 PM
well from intranet I can't - lost access to internal servers again

wide-mechanic-33041

10/27/2022, 9:17 PM
hmmm. the rest of your route table had a bunch of duplicate routes
or your VPN is seeing you messing w the route table so it drops and restores the broken one

dazzling-smartphone-17242

10/27/2022, 9:18 PM
and from shell I can ping public servers, not internal

wide-mechanic-33041

10/27/2022, 9:19 PM
k that is interesting as normally VPNs leverage a force tunnel, but they may just send intranet traffic to them and everything else to the internet
i might suggest reboot and start fresh. make sure you can access your intranet machines from the host. browser type stuff

dazzling-smartphone-17242

10/27/2022, 9:20 PM
I obviously need to get internal server access back....
then address WSL issue

wide-mechanic-33041

10/27/2022, 9:20 PM
then start up RD (or any WSL2 distro) and see what happens to the route table

dazzling-smartphone-17242

10/27/2022, 9:20 PM
ok will do
appreciate the assistance thus far

wide-mechanic-33041

10/27/2022, 9:21 PM
and then be very precise with the routes that you change if you can.
lots of folks have WSL2 issues and VPNs. Very few suppliers built with virtual networking in mind so even though those routes in the virtual switch are all local (the on-link) they step all over them

dazzling-smartphone-17242

10/27/2022, 9:22 PM
ok I am rebooting now

wide-mechanic-33041

10/27/2022, 9:24 PM
need to start feeding the fam, but will check back tonight or tomorrow morn. just make sure you have a known good experience in the host with traffic going to the intranet and internet that is supposed to. then make small changes and test for success. avoid big loops that might grab the wrong thing. And snap the
route print
in between so you can see if something goes haywire.

dazzling-smartphone-17242

10/27/2022, 9:29 PM
sounds good Justin. I am finishing up for the day shortly. FYI I have intranet access back after a reboot. That's good news.
Hi @wide-mechanic-33041. I am in the office this morning (no VPN), but can revisit this in the afternoon (ET). I found this link and in particular it mentions wsl-vpnkit. Any experience with this? Maybe worth a try?

wide-mechanic-33041

10/28/2022, 1:12 PM
Can't speak for the Rancher team, but it follows a hostforwarder model like was done for DNS in RD so it is a pattern that some folks are using rather than the netflows via hyper-v vswitch. As you can see adding that project in is a bit interesting. If it works for your case def flag back here and the rancher team could eval what pulling that model in for Windows similar to pulling hostforwarder from lima.

dazzling-smartphone-17242

10/28/2022, 1:13 PM
ok will do. I am also checking some channels within our company to see what others have done to get this going. I will report back so it could possibly help others. So far I am in waiting mode.

wide-mechanic-33041

10/28/2022, 1:21 PM
like for my vpn supplier there is no active blocking to the interface it's due to a broken route for the subnet ip which breaks traffic to the gateway so there is rarely a silver bullet with all these situations. So working upstream to get our suppliers to wise up on modern tooling.

prehistoric-keyboard-66463

10/28/2022, 3:05 PM
Hello, vtunnel (https://github.com/rancher-sandbox/rancher-desktop/tree/main/src/go/vtunnel) is not here to solve such issue?

wide-mechanic-33041

10/28/2022, 5:38 PM
same basic model as vpnkit, but don’t know if it is in place. and if it is well doesn’t seem to fix the issues for some of us. 😉

dazzling-smartphone-17242

10/28/2022, 9:06 PM
Update....I am working with the networking team within my company to hopefully resolve this. I won't be trying vpnkit at the moment as it may not be necessary.

prehistoric-keyboard-66463

11/08/2022, 12:43 PM
I also tried on my side. To sum up:
• I have McAfee/Trellix (including endpoint security: a local firewall)
• I have a VPN client (Cisco Anyconnect)
So I face 2 problems, like a lot of Rancher Desktop users.
1. McAfee is filtering network flows from WSL2. Even if you activate the WSL2 support in the McAfee profile, default rules block incoming traffic. And WSL2 network flows are considered as incoming traffic.
2. VPN client is tunneling all local network traffic, so it broke all WSL2 -> Windows host traffic (since WSL2 is going through the Windows host to access the network)
You can find solutions to solve those 2 problems but secops may be angry about weaknesses you introduce. My thought is that the DD value for enterprises lies in the way they dealt with this issue: by translating all network flows in userspace with vpnkit. This bypasses firewall locking & VPN routing. And it works surprisingly well.
So it would be an amazing improvement if Rancher Desktop could implement a slirp solution! Please check this