I think this may be a bug in LVS. I have an LVS-NAT on a machine that also does IPsec with the clients (not with the real servers).

Client----ClientIPsec========ServerIPsec/LVS-----RealServer

When the real server sends back a packet that is too big for IPsec to encode, I see an "ICMP Fragmentation Needed" sent by VIP to itself (VIP->VIP on the "lo" interface). That does not make it outside so the connection hangs while the real server blindly retransmits its packet.

Took me a while to figure out what is happening since listening on the physical interface did not show the ICMP.

I'm going to read LVS-Tun for some ideas but I don't think it's normal for that ICMP to be sent to itself.

--
Laurentiu
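A check for the symptom described in the post above, as an added example that is not part of the original message: it parses a raw IPv4 packet, such as one captured on "lo", and flags an ICMP "Fragmentation Needed" whose source and destination are the same address. The addresses, the MTU value and all function names are constructed for illustration.

```python
import socket
import struct

# Constructed sample addresses (documentation ranges), not from the original post.
VIP, CLIENT = "192.0.2.10", "198.51.100.7"

def parse_frag_needed(pkt: bytes):
    """Return a dict for an IPv4 ICMP type 3 / code 4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:  # protocol 1 = ICMP
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if (icmp_type, code) != (3, 4):
        return None
    info = {"src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]),
            "next_hop_mtu": mtu}  # RFC 1191 next-hop MTU field
    # An ICMP error that never leaves the host has the same source and destination.
    info["self_addressed"] = info["src"] == info["dst"]
    inner = pkt[ihl + 8:]  # quoted header of the packet that was too big
    if len(inner) >= 20 and inner[0] >> 4 == 4:
        info["orig_src"] = socket.inet_ntoa(inner[12:16])
        info["orig_dst"] = socket.inet_ntoa(inner[16:20])
        info["orig_len"] = struct.unpack("!H", inner[2:4])[0]
    return info

def ipv4_header(src, dst, proto, total_len):
    """Build a 20-byte IPv4 header (DF set, checksum left at 0) for sample data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def sample_frag_needed(icmp_src, icmp_dst, mtu=1438):
    """Constructed ICMP error quoting a 1500-byte TCP packet from VIP to CLIENT."""
    quoted = ipv4_header(VIP, CLIENT, 6, 1500) + b"\x00" * 8
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted
    return ipv4_header(icmp_src, icmp_dst, 1, 20 + len(icmp)) + icmp

if __name__ == "__main__":
    print(parse_frag_needed(sample_frag_needed(VIP, VIP)))
```

The quoted inner header identifies which flow the error refers to, so a self-addressed hit can be matched against the stalled connection.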
