Fix Tair Internal Endpoint Unreachable Errors Caused by CIDR Conflicts - Tair (Redis® OSS-Compatible)

This error occurs when the CIDR block of your Elastic Compute Service (ECS) instance or Docker container overlaps with the CIDR block assigned to your Tair instance. Because the client's routing table resolves the destination IP locally instead of forwarding it to Tair, packets never reach the instance.

Symptom

Pinging the internal endpoint of a Tair instance from an ECS instance or Docker container fails with the following output:

PING r-bp1****l7ein86xv6m.redis.rds.aliyuncs.com(172.17.0.31) 56(84) bytes of data.
From xxxx (172.17.0.1) icmp_seq=1 Destination Host Unreachable
From xxxx (172.17.0.1) icmp_seq=2 Destination Host Unreachable
From xxxx (172.17.0.1) icmp_seq=3 Destination Host Unreachable

Diagnose the conflict

Confirm the CIDR conflict before applying a fix.

Ping the internal endpoint to get the Tair instance's internal IP address. In the example above, the internal IP address is 172.17.0.31.

Check the client's routing table. On a Linux-based Docker container, run:

route -n

The output is similar to:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.2.253    0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
172.17.0.0      0.0.0.0         255.255.255.0   U     0      0        0 br-350b446c181a

In this example, the br-350b446c181a network interface card (NIC) owns the 172.17.0.0/24 CIDR block. Because 172.17.0.31 falls within that range, Docker routes packets to the local bridge instead of forwarding them to Tair.

Solutions

Resolve the conflict by changing the network configuration on the client side or on the Tair instance side.

Solution 1: Change the default CIDR block of the Docker bridge

Reconfigure Docker's default bridge to use a non-overlapping CIDR block. This example applies to a Linux Docker host using the default docker0 bridge.

Important

Stopping Docker or changing its CIDR block interrupts running containers. Perform this operation during off-peak hours and verify that the new CIDR block does not conflict with existing containers or applications.

Stop the Docker service.
```
sudo systemctl stop docker
```
Open the Docker daemon configuration file. The file is typically located at /etc/docker/daemon.json (the filename may vary).
```
sudo vim /etc/docker/daemon.json
```
Back up the original file before making changes.
Add the bip parameter with a CIDR block that does not overlap with 172.17.0.31. For example:
```
{
    "bip": "192.168.0.1/24"
}
```
bip sets the IP address and subnet of the docker0 bridge. All containers on the default bridge receive addresses from this subnet.
Save and close the file.
Start the Docker service to apply the change.
```
sudo systemctl start docker
```

Solution 2: Change the vSwitch of the Tair instance

Change the vSwitch of your Tair instance to one whose CIDR block does not overlap with the client's CIDR block.

Note

Because different VPCs cannot communicate over internal networks, you can only switch to a vSwitch within the same VPC. Changing the vSwitch causes a transient connection interruption of about 30 seconds. Perform this operation during off-peak hours and make sure your application has an automatic reconnection mechanism.

What's next

Connect to Tair and Redis instances