On Tue, 19 Mar 2013 07:04:02 +0100 in
<caodhi7opnvfifb3uwzsr0awdesmg7uz0-f+zu4syr+peh1q...@mail.gmail.com>,
Baptiste Baptiste <[email protected]> wrote:

Hello, 

> conntrack is a bad idea with haproxy ;)

Could you elaborate?

Does HAProxy already fill the connection table of the underlying OS
so conntrackd is just not required?

The connection tracking at the OS firewall level is not recommended
for high traffic in order to ensure that the LB tiers running firewall
and LB with HA will not drop a TCP session that gets to finish on
another LB by the firewall (should never happen in theory; in practice,
that might). I can, yes, disable the conntrack on the firewall on some
VIPs and let HAProxy gracefully handle the should-never-happen
case that happens :p

Thanks.

-- 
Jérôme Benoit aka fraggle
La Météo du Net - http://grenouille.com
OpenPGP Key ID : 9FE9161D
Key fingerprint : 9CA4 0249 AF57 A35B 34B3 AC15 FAA0 CB50 9FE9 161D
