Brent, did you set this value (it might be different on CentOS stock, I'm running 2.6.27):

net.netfilter.nf_conntrack_tcp_be_liberal = 1

That might resolve the remainder of your dropped FIN/RST.

Jason Faulkner
Linux Engineer, Rackspace Email & Apps
jason.faulk...@rackspace.com
o: (540) 443-2101 (ex. 505-2101)

> -----Original Message-----
> From: lvs-users-boun...@linuxvirtualserver.org [mailto:lvs-users-boun...@linuxvirtualserver.org] On Behalf Of Brent Jensen
> Sent: Monday, August 09, 2010 12:26 AM
> To: LinuxVirtualServer.org users mailing list.
> Subject: Re: [lvs-users] Firewall on LVS NAT
>
> Update: The NFCT patch greatly reduced the dropped ACK FIN & ACK RST.
> There still are a few so I don't know what is causing this, but it is small
> compared to what I was getting before. Those users who had terrible
> connection problems seem to have no problems at all now. So thanks Jay for
> heading me in the right direction. For some reason this didn't appear to be as
> big of a problem in kernel 2.4.x, although it still might have existed.
>
> I also ran across a script from Golan Zakai
> http://golanzakai.blogspot.com/2010/07/julians-nfct-patch-on-centos.html
> that greatly automates the custom kernel build in Centos 5.
>
> Thanks for all of your help,
>
> Brent
>
> At 12:39 PM 8/6/2010 -0600, you wrote:
>
> >Thanks for the heads up. I'll have to brush up on my kernel hacking
> >skills. Has anyone been able to successfully run LVS-NAT with stateful
> >firewall w/o the patch using a stock kernel (e.g. Centos 5)? Thanks,
> >Brent
> >
> >On Fri, 6 Aug 2010 08:51:25 -0500, Jay Faulkner
> ><jay.faulk...@mailtrust.com> wrote:
> > > -----Original Message-----
> > > From: lvs-users-boun...@linuxvirtualserver.org
> > > [mailto:lvs-users-boun...@linuxvirtualserver.org] On Behalf Of Brent Jensen
> > > Sent: Friday, August 06, 2010 12:29 AM
> > > To: LinuxVirtualServer.org users mailing list.
> > > Subject: Re: [lvs-users] Firewall on LVS NAT
> > >
> > > More info. I now realize that these dropped packets are FIN and RST ACKs
> > > being blocked, probably because my rules to the VIP include: -m
> > > state --state NEW -j ACCEPT. Can these dropped packets affect the
> > > TCP connections, resulting in client connection issues?
> > >
> > > Brent,
> > >
> > > I feel particularly sad for you, I had to troubleshoot this same issue and
> > > had a very, very bad week.
> > >
> > > In my environment, I was able to fix the problem by recompiling my kernel
> > > with Julian's NFCT patchset: http://www.ssi.bg/~ja/nfct/ (something similar
> > > to this will be in 2.6.36, Hooray!). I'm not sure exactly why it happens,
> > > but I suspect that iptables can't get a good take on the "STATE" of
> > > a connection in LVS, because LVS partially bypasses netfilter.
> > >
> > > Give it a shot and let me know how it works.
> > >
> > > --
> > > Jason Faulkner
> > > Linux Engineer
> > > Rackspace Email & Apps
> > >
> > > _______________________________________________
> > > Please read the documentation before posting - it's available at:
> > > http://www.linuxvirtualserver.org/
> > >
> > > LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
> > > Send requests to lvs-users-requ...@linuxvirtualserver.org
> > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
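Brent found the cause by noticing that the dropped packets were FIN/ACK and RST/ACK segments rather than new connections. The script below is an added example, not code from this thread, from Rackspace or from the LVS project: it parses constructed kernel LOG-target lines (the `LVS-DROP:` prefix stands in for a hypothetical `--log-prefix`, and the addresses are documentation ranges), tallies the drops by TCP flag combination, and reports what share of the TCP drops are teardown segments of flows the firewall had already let through. A high share is the symptom discussed above, a state match that no longer sees the connection, rather than hostile traffic. It also includes a reader for the `nf_conntrack_tcp_be_liberal` sysctl Jason suggests; the `/proc/sys` path is assumed and the function returns None where the kernel does not expose it.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed sample of kernel LOG-target output (iptables ... -j LOG); not
# taken from the thread. "LVS-DROP: " stands in for a hypothetical --log-prefix.
SAMPLE_LOG = """\
Aug  9 00:12:01 lvs1 kernel: LVS-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Aug  9 00:12:01 lvs1 kernel: LVS-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug  9 00:12:03 lvs1 kernel: LVS-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1122 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  9 00:12:04 lvs1 kernel: LVS-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
Aug  9 00:12:05 lvs1 kernel: LVS-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.44 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=7 DF PROTO=TCP SPT=51300 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
"""

# KEY=value fields as printed by the LOG target (OUT= may be empty).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Set TCP flags are printed as bare tokens; only these eight names occur.
FLAG_RE = re.compile(r"\b(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN)\b")


def parse_log_line(line):
    """Return the fields and TCP flag set of one LOG line, or None if it is not one."""
    fields = dict(KV_RE.findall(line))
    if "PROTO" not in fields or "SRC" not in fields:
        return None
    flags = FLAG_RE.findall(line) if fields["PROTO"] == "TCP" else []
    fields["FLAGS"] = frozenset(flags)
    return fields


def classify(rec):
    """Name the kind of segment that was dropped (class names are this example's own)."""
    if rec["PROTO"] != "TCP":
        return "non-tcp"
    f = rec["FLAGS"]
    if "RST" in f:
        return "rst-ack" if "ACK" in f else "rst"
    if "FIN" in f:
        return "fin-ack" if "ACK" in f else "fin"
    if "SYN" in f:
        return "syn-ack" if "ACK" in f else "syn"
    if "ACK" in f:
        return "ack"
    return "other"


def summarize(log_text):
    """Count dropped packets per class over a block of LOG output."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return counts


def teardown_share(counts):
    """Fraction of dropped TCP segments that are FIN/ACK or RST/ACK.

    A high value means the firewall is discarding the close of flows it
    already admitted: the state match is not seeing those flows."""
    tcp_total = sum(n for cls, n in counts.items() if cls != "non-tcp")
    if tcp_total == 0:
        return 0.0
    return (counts["fin-ack"] + counts["rst-ack"]) / tcp_total


def be_liberal_enabled(path="/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal"):
    """Read the sysctl suggested in the thread; None if this kernel lacks it (path assumed)."""
    p = Path(path)
    if not p.exists():
        return None
    return p.read_text().strip() == "1"


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for cls, n in sorted(counts.items()):
        print(f"{cls:8s} {n}")
    print(f"teardown share of TCP drops: {teardown_share(counts):.0%}")
    state = be_liberal_enabled()
    print("nf_conntrack_tcp_be_liberal:", "not available" if state is None else state)
```

On a real director, feed it `grep LVS-DROP /var/log/messages` (or whatever prefix the LOG rule uses) instead of the constructed sample; if the teardown share stays high after applying the NFCT patch, the `be_liberal` sysctl is the next thing to check.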