Dream-Machine-SE wireguard: wgsts1000: possible loop detected, dropping skb of size 65216

MrLimoAK · November 16, 2023, 6:35pm

I’m assuming this is an incompatibility with Ubiquiti’s new Site Magic.

Dream-Machine-SE wireguard: wgsts1000: possible loop detected, dropping skb of size 65216
over and over in the CLI.
Dream Machine SE running:
UniFi OS v3.1.16
Network v7.5.187
Protect 2.8.35

I sent a request back in September when this issue first appeared and did not receive even a single hint/suggestion or solution.

So I’m posing it again.

a1techservices · November 22, 2023, 5:29pm

Thanks for opening this. I get identical issues when Zerotier is running, even before joining a network. Happens instantly when starting Zerotier.

(Date & Time) (Machine name) wireguard: wgsts1000: possible loop detected, dropping skb of size 65216

UDM-SE running:

UnifFi OS v3.1.16
Network v8.0.7
Protect v2.9.42, but not in use.
Wireguard/SiteMagic setup and in use

I’d love to have it installed and actually used IN PLACE OF the built-in wireguard/site magic., so that it can bridge networks with the same network space and VLAN ID (something site magic is loath to do).

Does seem to be an incompatibility with Site Magic.

l0crian · November 28, 2023, 4:11pm

This could be a tunnel recursion issue. If it is, the order of operations causing it would be something like this:

Site Magic comes up
ZeroTier is built over the Site Magic VPN
Site Magic seeing a better path between devices rebuilds it’s VPN over ZeroTier, which is essentially trying to build over itself like a snake eating its tail

If this is what is happening, you can mitigate that by blacklisting the Site Magic path from ZeroTier. You can modify the local.conf file with either of the following 2 options (replacing either the subnet or interface Site Magic is using in your setup):

You’ll have to see if there’s any mechanism to prevent Site Magic from building over the ZeroTier path to prevent that if desired.

{
    "physical": {
        "10.0.0.0/24": {
            "blacklist": true
        }
    },
    "virtual": {},
    "settings": {
        "interfacePrefixBlacklist": [
            "someinterface"
        ]
    }
}

a1techservices · November 28, 2023, 5:30pm

Thank you for this detailed reply!

I forgot to mention that this error pops up in the log prior to ZeroTier joining any network. It literally shows up as soon as ZeroTier is installed.

That’s a great point you make about prohibiting the VPN (SiteMagic/WireGuard) from trying to route over ZeroTier, as eventually it might think that it could do just that. I’ll keep it in mind and try it out if WireGuard tries to do that.

a1techservices · November 28, 2023, 6:28pm

Related discussion Dream-Machine-SE wireguard: wgsts1000: possible loop detected, dropping skb of size 65216 · Issue #2178 · zerotier/ZeroTierOne · GitHub

system · December 28, 2023, 6:29pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.