- Posted on
- • Artificial Intelligence
Artificial Intelligence Network Troubleshooting on Linux
- Author
-
-
- User
- linuxbash
- Posts by this author
- Posts by this author
-
Artificial Intelligence Network Troubleshooting on Linux
When your model download stalls at 97%, a Ray worker never joins the cluster, or an API call times out during inference, the culprit often isn’t your code—it’s the network. AI workloads push more data, more often, across more services than a typical app: model weights from Hugging Face, datasets from object stores, Docker image pulls, distributed training traffic, and telemetry. That’s a lot of moving pieces to diagnose under pressure.
This article shows how to blend classic Linux networking tools with a touch of AI-assisted summarization to troubleshoot AI network issues faster. You’ll get a practical toolkit, a repeatable workflow, and real-world examples—all in Bash.
Why AI networking needs a smarter approach
High data volume: Multi-GB model weights and datasets amplify minor packet loss or DNS delays.
Many dependencies: pip/conda/PyPI, Docker registries, Hugging Face, cloud object storage, internal services.
Distributed systems: Frameworks like PyTorch, Ray, or Dask rely on open ports and consistent name resolution.
Opaque symptoms: “Connection reset” or “context deadline exceeded” errors hide root cause across layers (DNS, TLS, routing, MTU, firewall).
A structured, scriptable workflow reduces guesswork; AI can then summarize, correlate, and suggest likely causes—so you move from “it’s slow” to “IPv6 path issue to ASXXXX causing TLS handshakes to flap” in minutes.
Install the essentials (apt, dnf, zypper)
The commands below install the same core toolset across Debian/Ubuntu, RHEL/Fedora, and openSUSE.
- Debian/Ubuntu (apt):
sudo apt update
sudo apt install -y mtr-tiny traceroute dnsutils iperf3 tcpdump nmap jq nftables curl python3 python3-pip
- RHEL/Fedora (dnf):
sudo dnf install -y mtr traceroute bind-utils iperf3 tcpdump nmap jq nftables curl python3 python3-pip
- openSUSE (zypper):
sudo zypper refresh
sudo zypper install -y mtr traceroute bind-utils iperf3 tcpdump nmap jq nftables curl python3 python3-pip
Optional: local LLM for offline summaries (Ollama):
curl -fsSL https://ollama.com/install.sh | sh
# Example: ollama run llama3 "Summarize the following text..."
A 60-second triage: confirm the basics
Before deep diving, quickly verify DNS, reachability, routing, and protocol family.
- DNS and reachability (IPv4 vs IPv6):
dig +short huggingface.co A
dig +short huggingface.co AAAA
ping -c 5 -4 huggingface.co
ping -c 5 -6 huggingface.co || echo "IPv6 ping failed"
- Measure timing breakdown to a target:
curl -4 -L -o /dev/null -s -w 'dns=%{time_namelookup} connect=%{time_connect} tls=%{time_appconnect} starttransfer=%{time_starttransfer} total=%{time_total}\n' https://huggingface.co
curl -6 -L -o /dev/null -s -w 'dns=%{time_namelookup} connect=%{time_connect} tls=%{time_appconnect} starttransfer=%{time_starttransfer} total=%{time_total}\n' https://huggingface.co || echo "IPv6 curl failed"
- Default route and egress interface:
ip route get 1.1.1.1
If IPv6 consistently fails while IPv4 succeeds, prefer IPv4 temporarily for critical pulls:
curl -4 -O https://huggingface.co/path/to/model
Note: Prefer protocol selection over globally disabling IPv6. For a longer-term policy, adjust address selection in /etc/gai.conf instead of turning IPv6 off.
1) Pin down loss, latency, and bad paths
Identify whether the problem is on your LAN, WAN, or the destination’s edge.
- Continuous path testing:
mtr -rwbc 100 huggingface.co
# -r report mode, -w wide, -b show both hostnames & IP, -c cycles
- Throughput check between hosts (for distributed training nodes): On one host (server):
iperf3 -s
On another (client):
iperf3 -c SERVER_IP -P 4 -t 15
Parallel streams (-P) often expose bottlenecks hidden by single TCP flow.
- Spot-check traceroute (layer 3 path):
traceroute -n huggingface.co
What to look for:
Large variation in latency or sudden loss starting mid-path.
Good ping but bad curl TLS times (handshake/connect) suggests congestion, packet filtering, or MTU issues.
Good LAN iperf3 but poor WAN curl: likely upstream or ISP peering.
2) Verify sockets, ports, and firewalls for AI tooling
Distributed AI frameworks and notebooks rely on specific ports. Common examples:
PyTorch distributed default: 29500/tcp
Ray: 6379/tcp (Redis), 8265/tcp (Dashboard), worker/gossip ports vary
Jupyter: 8888/tcp
List listening ports and bound interfaces:
ss -tulpn
- Scan a target node from a peer (non-intrusive TCP connect scan):
nmap -Pn -p 29500,6379,8265,8888 TARGET_HOST
- Inspect nftables (default firewall on many modern distros):
sudo nft list ruleset
If a service binds to 127.0.0.1 only, remote nodes can’t connect. Adjust the service bind address (0.0.0.0 or specific interface) and verify the firewall allows inbound traffic from your training nodes. Make changes cautiously and always maintain SSH access to avoid locking yourself out.
3) Capture what the packets say (when you need proof)
When symptoms are intermittent, a short, focused capture can settle debates fast.
- Targeted TLS capture for a single host:
sudo tcpdump -i any -w capture.pcap 'host huggingface.co and port 443'
# Reproduce the issue for ~30–60s, then Ctrl-C
- Analyze in Wireshark or with command-line tools:
tcpdump -nnr capture.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' | head
Clues:
Many SYN retransmissions: path/firewall/blackhole or asymmetric routing.
TLS ClientHello repeats: middlebox interference or PMTU issues.
RSTs from remote: rate limiting or WAF response to unusual traffic patterns.
4) Automate diagnostics and summarize with an LLM
Capture consistent evidence with a script, then use a local LLM to summarize and suggest next steps.
- Save this as netdiag.sh and make executable:
cat > netdiag.sh <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
OUT="netdiag-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$OUT"
endpoints=(
"huggingface.co"
"files.pythonhosted.org"
"pypi.org"
"docker.io"
)
{
echo "=== System ==="
uname -a
echo
echo "=== IP / Routes ==="
ip addr
ip route
echo
echo "=== DNS servers ==="
grep -E '^(nameserver|search)' /etc/resolv.conf || true
} > "$OUT/system.txt" 2>&1
for host in "${endpoints[@]}"; do
hfile="${host//./_}"
{
echo "=== $host: DNS ==="
echo "- A:"
dig +short "$host" A
echo "- AAAA:"
dig +short "$host" AAAA
echo
echo "=== $host: Ping v4 ==="
ping -c 5 -4 "$host" || true
echo
echo "=== $host: Ping v6 ==="
ping -c 5 -6 "$host" || true
echo
echo "=== $host: curl timing v4 ==="
curl -4 -L -o /dev/null -s -w 'dns=%{time_namelookup} connect=%{time_connect} tls=%{time_appconnect} starttransfer=%{time_starttransfer} total=%{time_total}\n' "https://$host" || true
echo
echo "=== $host: traceroute (numeric) ==="
traceroute -n "$host" | sed 's/\s\+/ /g'
} > "$OUT/$hfile.txt" 2>&1
done
# Socket and firewall snapshot
{
echo "=== Listening sockets ==="
ss -tulpn || true
echo
echo "=== nftables ruleset ==="
sudo nft list ruleset || true
} > "$OUT/security.txt" 2>&1
# Optional quick MTR to one endpoint for loss/latency patterns
mtr -rwbc 50 huggingface.co > "$OUT/mtr_huggingface.txt" 2>&1 || true
echo "Wrote diagnostics to $OUT/"
EOF
chmod +x netdiag.sh
- Run it:
./netdiag.sh
- Summarize locally with an LLM (optional):
tar -czf diag.tgz netdiag-*/
ollama run llama3 "You are a network SRE. Summarize likely root causes and next actions based on the following diagnostic files. Be concise and reference specific measurements.\n$(base64 -w0 diag.tgz)"
Tip: If the archive is large, paste only key snippets (curl timings, MTR reports, and errors) into the prompt.
Real-world examples (and quick fixes)
1) Slow model downloads only over IPv6
Symptom: ping6 works; curl -6 shows long connect/tls time, while curl -4 is fast.
Cause: suboptimal IPv6 path or PMTU blackhole on the route.
Actions:
Prefer IPv4 for critical transfers:
curl -4 -O URLReport to your network team/ISP with MTR evidence.
For a longer-lived policy, adjust address selection via /etc/gai.conf instead of disabling IPv6 system-wide.
2) Ray dashboard unreachable from a peer node
Symptom: nmap -Pn -p 8265 RAY_HOST shows filtered/closed.
Cause: local firewall drops inbound 8265/tcp, or Ray bound to localhost.
Actions:
Confirm Ray is listening on the right interface:
ss -tulpn | grep 8265Allow the port in your firewall policy (nftables/firewalld) from your cluster subnet.
Re-test from a peer node with
nmapor a browser.
3) pip install intermittently fails with “Temporary failure in name resolution”
Symptom: dig pypi.org fails while other domains resolve; or resolv.conf points to an unreachable DNS.
Cause: wrong DNS servers (VPN, captive portal), or DNS over flaky link.
Actions:
Check
/etc/resolv.confandsystemd-resolve --status(if using systemd-resolved).Temporarily test with a reliable resolver:
dig @1.1.1.1 pypi.org
- Fix upstream DNS config or VPN split-tunnel settings.
Pro tips
Compare IPv4 vs IPv6 results for every failing endpoint; asymmetry is common.
Use
curl -vto see TLS SNI/ALPN details and proxy behavior when corporate proxies are in play.Keep a small allowlist of ports your AI stack needs; audit with
ssduring incidents.Save and timestamp every diagnostic run. Trending mtr/iperf3/curl metrics is the fastest way to prove a regression.
Conclusion and next steps
AI workloads magnify minor network issues into major blockers. With a repeatable Bash-first workflow—DNS and reachability checks, path and throughput validation, socket/firewall sanity, and targeted captures—you can isolate faults quickly. Add a local LLM to summarize noisy outputs into crisp hypotheses and action items.
Your next step:
1) Install the toolchain with your package manager.
2) Save and run the netdiag.sh script the next time something’s “just slow.”
3) Customize endpoints and ports for your stack (Hugging Face mirrors, object store, orchestrator ports).
4) Keep a small library of known-good baselines for faster diffs during incidents.
Got a tricky case or want a deeper dive (e.g., PMTU detection, QUIC/HTTP3, or zero-trust proxies)? Turn those diagnostics into a reproducible gist and iterate—your future self (and your models) will thank you.