Error FAQ

Last change on 2023-01-30 • Created on 2020-03-25 • ID: RO-5AE54

Introduction

This article provides answers to common error messages on Robot.

Robot general

When I log in, I receive the error message Please activate cookies in your browser.

To use Robot, you need to configure your browser needs to accept cookies.

When I submit an order, everything seems to be OK, but nothing happens (confirmation emails, entry under domains/CHProv (KK) orders)!

Most likely, you entered an invalid email address on your Robot account. To fix this, go to Robot and click on the user icon in the top-right corner. Then click on Settings-> Email interface. -> Then enter a valid email address at Robot order confirmation address. You need to enter a valid email address here for Robot to function properly.

MAC errors

Reasons you received an abuse email regarding MAC-Errors

You will receive this kind of abuse message if your server is sending us packets with source-MAC that we do not permit.
Therefore, this issue is caused by outgoing traffic only!

The following MACs are allowed:

  • MAC of your physical NIC
  • MAC of iDRAC/KVM (if present on your server)
  • virtual MACs generated on Robot for additional single IPs

Our system policy prohibits using MACs that we do not allow:

  • Manually changing the hardware address (MAC)

The majority of customers affected by this kind of abuse are running some kind of virtualization where the system can generate new MACs on the fly.

Some servers also redistribute traffic that was not meant for them, for example, broadcasts.

We analyze the MAC addresses we learn at your server's switchport, and if there is a discrepancy with our records, you receive a mail like this one.

Possible solutions

Configuration issue of the VM-Host

If you are using virtualization with additional IPs, you need to check your configuration.
There are two types of possible configurations:

  1. Bridged setup

You should use this configuration with additional single IPs which have their own virtual MAC address. The virtual NICs of your VM can be in the same virtual switch/bridge as your physical NIC. You can create virtual MACs for your additional single IP via Robot (Server -> IP). The maximum number of single IPs is 6 per server.

  1. Routed setup

You should use this configuration with additional subnets. It is not possible to generate virtual MACs for your additional subnets, because subnets are routed onto one of your server's IPs. Therefore, you should also route these IPs within your server. Please make sure to place these VMs in a different virtual switch/bridge than your physical NIC.

Outdated ESXI Version

Certain outdated ESXI versions can cause a MAC with the suffix ::C4:70 to appear in your abuse report. If that is the case, please update ESXI immediately as this MAC appears in conjunction with an unpatched remote code execution vulnerability. After the update, you need to reboot the server so the fix can take effect.

Please see these security advisories: https://www.vmware.com/security/advisories/VMSA-2021-0010.html https://www.vmware.com/security/advisories/VMSA-2021-0002.html

On Hetzner Docs: https://docs.hetzner.com/robot/dedicated-server/virtualization/vmware-esxi

Proxmox Host Firewall

Some Proxmox systems may have an entry in PVE-FW, which sends a TCP/RST reply on port 43 if they receive broadcasted traffic not addressed to this host.

This causes our switch to learn the MAC of the broadcasted traffic and generate this mail. The solution is to update Proxmox and reboot the server. If this is not possible for some reason, you can block outgoing port 43 with a local firewall as a rough fix. But we highly suggest keeping your systems always up-to-date.

Here are some links where this issue is being discussed:

https://forum.hetzner.com/index.php?thread/28368-abuse-meldung-bzgl-mac-adressen/&postID=279208#codeLine_3_fea0f3 https://forum.proxmox.com/threads/proxmox-claiming-mac-address.52601/page-3#post-416219 https://forum.proxmox.com/threads/proxmox-generate-2-mac-address-visibile-on-the-switch-not-allowed-by-the-data-center.95946/#post-417099

Other possible problems

  1. vSwitch - You are allowed to use any MAC within the VLAN of your vSwitch. Please make sure that you are using these MACs only with the correct VLAN and not at your untagged "normal" uplink.

  2. VPN adapter - If you are using Layer-2 VPN/tunnel adapter, please make sure it is not in the same virtual switch/bridge as your physical NIC.

General troubleshooting

tcpdump

Please monitor your outgoing traffic with tcpdump or Wireshark. It often helps to leave tcpdump running for quite some time and for each (virtual) interface. Please also use a negative filter to dump only the traffic that is problematic. For example: tcpdump -Q out -ni %interfacename% ether host not %allowedMAC% and ether host not %allowedMAC%

If you are still unsure how to proceed, please open a support ticket via Robot.

Table of Contents