0 0 Share PDF

Unable to ping others when connected to overlay on Windows Server 1709 or 1803

Article ID: KB000867

Issue

When a container is connected to an overlay network, ICMP ping will fail.

Prerequisites

Steps below helps you verify that you are affected by this issue:

  1. Host OS can ping public website
   PS C:\Users\docker> ping 8.8.8.8

   Pinging 8.8.8.8 with 32 bytes of data:
   Reply from 8.8.8.8: bytes=32 time=2ms TTL=115   
   ...
  1. Doing the same from a container not connected to overlay works
   PS C:\Users\docker> docker service create --name overlay_no microsoft/iis:windowsservercore-1803
   PS C:\Users\docker> docker exec $(docker ps -q --filter name=overlay_no) ping 8.8.8.8

   Pinging 8.8.8.8 with 32 bytes of data:
   Reply from 8.8.8.8: bytes=32 time=2ms TTL=114
   ...
  1. Same command fails when connected to overlay network
   PS C:\Users\docker> docker network create -d overlay --attachable testnetwork
   PS C:\Users\docker> docker service create --name overlay_yes --network testnetwork microsoft/iis:windowsservercore-1803
   PS C:\Users\docker> docker exec $(docker ps -q --filter name=overlay_yes) ping 8.8.8.8

   Pinging 8.8.8.8 with 32 bytes of data:
   Request timed out.

Root Cause

The issue is still under investigation as of October 2018.

Workaround

This issue affects ICMP ping only; other protocols should function normally. For the purposes of troubleshooting container connectivity and performing health-checks, consider using layer 7 protocols such as HTTP or HTTPS via Invoke-WebRequest.