On Thu, Aug 09, 2012 at 11:54:08PM +0530, Rahul Nair wrote:
> Willy,
>
> From your description, it could be an issue with some connection
> tracking somewhere caused by excess of source addr:ports.
>
> Ohh ok..
> Also I just found that, as per the documentation in this link, it says that
> "it can cause problems when IP connection tracking is enabled on the
> machine, because a same connection may be seen twice with different states".
> Does this mean that I need to disable the nf_conntrack module by adding
> "net.netfilter.nf_conntrack_acct = 0" to "/etc/sysctl.conf" ?
You can't disable nf_conntrack using a sysctl. You need to unload the
module itself. It's not nf_conntrack_acct but nf_conntrack.
> By default this module seems to be enabled.
> cat /proc/sys/net/netfilter/nf_conntrack_acct
> 1
>
> Following are the answers to your questions:
>
> What's your haproxy version and kernel version ?
>
> - HA-Proxy version: 1.4.8 2010/06/16
Be careful, this is quite outdated! 2 years of fixes have been merged
since:
$ git log --pretty=oneline v1.4.8..|grep -c BUG
72
=> Your version has 72 bugs that have already been fixed now.
I don't remember any affecting transparent proxying though, but
when you fix the issue you'd be advised to update it.
> - Kernel Version: 2.6.32-24-server
> - OS: Ubuntu 10.04
You should also check that your kernel is up to date, as what you're
observing might as well simply be a kernel bug.
> Are you sure all your servers route back through your haproxy box ?
>
> - Yes the default gateway of all the real servers is HAProxy server.
> - On real servers I have multiple IPs of two different networks
> - One which we use for communication between HAproxy server and Real
> servers.
> - And One which is used by the real servers to communicate with our
> internal application servers
OK.
> Did you test only from one source machine or did you have many clients?
>
> - This issue occurs intermittently from one or two different source IPs
> - At the same time when I check the functionality from another source
> IP, it works fine.
Fine, then it really makes me think about a conntrack issue. Also, you
should ensure that your client never directly talks to the server without
passing via haproxy (which I can imagine you do during your tests when
observing the issue). It only makes the problem worse with conntrack.
Regards,
Willy
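The documentation quoted above says conntrack "may see a same connection twice with different states" when haproxy proxies transparently. The script below is an added example (not from Willy or the haproxy project) that spots that symptom in the kernel's conntrack table: it groups /proc/net/nf_conntrack entries by the original-direction client tuple (the first src/dst/sport/dport on each line) and reports tuples that appear more than once in different TCP states. The sample table embedded in it is constructed for this example; the addresses, ports and states are made up.

```shell
#!/bin/sh
# Constructed sample in the layout of /proc/net/nf_conntrack on a 2.6.32 kernel.
# The first src/dst/sport/dport group is the original direction, the second is
# the reply direction. Addresses and ports are invented for this example.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.168.1.10 sport=51234 dport=80 packets=10 bytes=1000 src=192.168.1.10 dst=10.0.0.5 sport=80 dport=51234 packets=8 bytes=900 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 120 SYN_SENT src=10.0.0.5 dst=192.168.1.10 sport=51234 dport=80 packets=1 bytes=60 [UNREPLIED] src=192.168.1.10 dst=10.0.0.5 sport=80 dport=51234 packets=0 bytes=0 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=192.168.1.10 sport=40000 dport=80 packets=5 bytes=500 src=192.168.1.10 dst=10.0.0.7 sport=80 dport=40000 packets=4 bytes=400 [ASSURED] mark=0 use=2'

# Read conntrack lines on stdin; print one "DUP <tuple> : <states>" line for
# every original-direction TCP tuple that conntrack holds more than once.
find_duplicate_flows() {
    awk '
    $3 == "tcp" {
        state = $6               # TCP state column (ESTABLISHED, SYN_SENT, ...)
        key = ""
        n = 0
        # Collect the first src=, dst=, sport=, dport= fields: the original direction.
        for (i = 7; i <= NF && n < 4; i++) {
            if ($i ~ /^(src|dst|sport|dport)=/) { key = key " " $i; n++ }
        }
        sub(/^ /, "", key)
        count[key]++
        # Record each distinct state seen for this tuple.
        if (index(states[key], " " state) == 0)
            states[key] = states[key] " " state
    }
    END {
        for (k in count)
            if (count[k] > 1)
                printf "DUP %s :%s\n", k, states[k]
    }'
}

# Number of duplicated tuples in the constructed sample.
count_duplicate_flows() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | find_duplicate_flows | wc -l | tr -d ' '
}

# Stand-alone run: report the duplicates found in the sample table.
printf '%s\n' "$SAMPLE_CONNTRACK" | find_duplicate_flows
```

On the haproxy box itself the same function runs over the live table with `find_duplicate_flows < /proc/net/nf_conntrack`. A non-empty result while a client is seeing the intermittent failures points at the double-tracked connection the documentation warns about. Note that `nf_conntrack_acct` only switches per-flow packet and byte accounting on or off, which is why the table still fills up with it set to 0; as Willy says, only unloading nf_conntrack (or not loading it) removes the tracking.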