On Fri, 1 Aug 2008, Marco Lorig wrote:

With the tunnel in place, can you initiate an outbound SSH connection from the realserver to the client machine? Are you absolutely sure that this will follow the same route as the data from the realserver under normal conditions?

I have a sneaking feeling that the realserver is sending packets of 1460 bytes (ethernet MTU less L2 framing) but the "secondary" director, i.e. the tunnel endpoint at the realserver's end, is dropping them because they don't fit inside the tunnel.

I do a scp both times only from the client to the server:

client:# scp file [EMAIL PROTECTED]:/tmp/

This works. The client sends the first packets with an MTU which doesn't fit into the tunnel and receives ICMP UNREACHABLE Need to fragment.

client:# scp [EMAIL PROTECTED]:/tmp/file .

This doesn't work. The realserver tries to send packets which don't fit into the tunnel but DOES NOT receive any ICMP packet.

so ip_vs() is not handling icmp correctly at least for LVS-NAT. Thanks for tracking this down. icmp handling has been built into LVS since the really early days. I doubt if gre was in anyone's mind at the time. I think it was mostly for host unreachable.

Horms, Julian,

Is there a fix for this?

I tried setting sysctl nat_icmp_send to 1 but that doesn't change the behaviour at all.

ip_vs() does its own nat'ing, so using commands from iptables will not help.

Joe

There was only one attempt which worked (the realserver got an ICMP UNREACHABLE NEED TO FRAG) but unfortunately I can't reproduce it.

So the realserver is never going to realise that its packets are too big.

I think that's the gist of the matter.

Any ideas?

Thanks in advance.
Have a nice weekend.

cheers

Marco

_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users


--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
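
The message the realserver never receives in this thread is ICMP type 3 code 4 ("fragmentation needed", RFC 1191). The following is an added example, not part of the original thread: a small parser that tells that message apart from other unreachables (such as the host unreachable Joe mentions) and extracts the advertised next-hop MTU from a captured ICMP payload. The addresses, ports and the 1476-byte MTU (1500 minus an assumed 24 bytes of GRE overhead) are constructed sample values.

```python
import socket
import struct

def parse_frag_needed(icmp: bytes):
    """Return details of an ICMP 'fragmentation needed' message, else None."""
    if len(icmp) < 8 + 20:                      # ICMP header + minimal inner IP header
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):             # only dest-unreachable / frag-needed
        return None
    inner = icmp[8:]                            # header of the packet that was dropped
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None
    orig_len, = struct.unpack("!H", inner[2:4])
    flags_frag, = struct.unpack("!H", inner[6:8])
    return {
        "next_hop_mtu": mtu,                    # what the sender must shrink to
        "orig_len": orig_len,                   # size of the packet that did not fit
        "df_set": bool(flags_frag & 0x4000),    # DF bit: PMTU discovery in use
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
    }

def build_sample(code: int, mtu: int) -> bytes:
    """Constructed ICMP type 3 message (checksum left 0; the parser does not verify it)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                        socket.inet_aton("192.0.2.10"),      # sample realserver
                        socket.inet_aton("198.51.100.20"))   # sample client
    inner += struct.pack("!HHI", 22, 40000, 1)  # first 8 bytes of the TCP header
    return struct.pack("!BBHHH", 3, code, 0, 0, mtu) + inner

if __name__ == "__main__":
    for label, pkt in (("frag needed", build_sample(4, 1476)),
                       ("host unreachable", build_sample(1, 0))):
        info = parse_frag_needed(pkt)
        if info is None:
            print(f"{label}: not a fragmentation-needed message")
        else:
            print(f"{label}: {info['orig_src']} -> {info['orig_dst']} sent "
                  f"{info['orig_len']} bytes, path allows {info['next_hop_mtu']}")
```
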