Re: [lvs-users] LVS DR dropping the FIN packets
Thomas Pedoussaut wrote:

I came across a very strange problem. I'm replying here to have a track in the archive in case someone else has the same issue.

For one of my dozen services (a straight TCP connection), the TCP FIN packets that arrive on the load balancer are never passed to the real server. I activated the iptables logs and could see the FIN packets being dropped. No idea why the FINs are dropped and not the other ones. I obviously have the --state ESTABLISHED,RELATED -j ACCEPT in my iptables rules.

Basically, all packets (SYN and non-SYN) are allowed by the --state NEW iptables rule but not by the ESTABLISHED,RELATED one, because the director never sees the replies from the real server and so never creates a conntrack entry for that connection. When a FIN packet arrives, it is not validated as --state NEW, because its FIN flag is activated, and so that particular packet is dropped. I had a quick look at /proc/net/ip_conntrack before, during and after the connection but nothing specific to that connection seems to be inserted (the module is loaded and other traffic gets tracked).

So the solution is to change the iptables rule from

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $VPORT -j ACCEPT

to

    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport $VPORT -j ACCEPT

Google doesn't really help. Someone had a similar problem last year but it was never publicly solved. And now I hope this post will get crawled and indexed.

-- 
Thomas Pedoussaut
http://www.synerginetworking.com/blog/

___
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to [EMAIL PROTECTED] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
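The classification the post describes, as an added example that is not part of the original message: a simplified Python model of how netfilter's TCP conntrack classifies a packet for which no tracked flow exists (the state assigned to the first packet of a flow), applied to the client-to-VIP packets a DR director sees, under each of the two rule sets from the post. Assumed: the director never retains a conntrack entry for the connection (as the post observes in /proc/net/ip_conntrack), so every client packet is classified as a first packet, and nf_conntrack_tcp_loose is at its default of 1; the packet sequence is constructed.

```python
# Added example, not from the list post: a simplified model of netfilter's
# TCP conntrack decision for a packet that starts a new entry, and of the two
# iptables rules from the post. Assumption: on an LVS-DR director the reply
# half of every connection bypasses the director and no conntrack entry
# persists, so each client packet is judged as if it were the first of a flow.

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"

def conntrack_state(flags, tcp_loose=True):
    """Conntrack state given to a packet that would open a new entry.
    Follows the kernel's flag precedence (RST, then SYN/SYN-ACK, then FIN,
    then ACK) and the 'no state' column of its ORIGINAL-direction table."""
    flags = set(flags)
    if RST in flags:
        return "INVALID"                 # rst with no state  -> invalid
    if SYN in flags and ACK in flags:
        return "INVALID"                 # syn/ack with no state -> invalid
    if SYN in flags:
        return "NEW"                     # syn -> SYN_SENT, packet is NEW
    if FIN in flags:
        return "INVALID"                 # fin with no state -> invalid:
                                         # this is why --state NEW never matches
    if ACK in flags:
        # bare ack -> mid-stream pickup as ESTABLISHED entry, packet is NEW,
        # permitted only while nf_conntrack_tcp_loose is 1
        return "NEW" if tcp_loose else "INVALID"
    return "INVALID"                     # no flags at all -> invalid

def accepted_by_state_rule(flags):
    """-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $VPORT -j ACCEPT
    plus the usual --state ESTABLISHED,RELATED rule, which can never match
    here because the director sees no replies."""
    return conntrack_state(flags) in ("NEW", "ESTABLISHED", "RELATED")

def accepted_by_stateless_rule(flags):
    """-A RH-Firewall-1-INPUT -m tcp -p tcp --dport $VPORT -j ACCEPT"""
    return True

# Constructed client->VIP sequence as the director sees it: handshake SYN,
# the client's final handshake ACK, one data segment, then the client's FIN/ACK.
CLIENT_PACKETS = [(SYN,), (ACK,), (ACK,), (FIN, ACK)]

def verdicts(rule):
    """(flags, accepted) for every packet in CLIENT_PACKETS under one rule."""
    return [("/".join(f), rule(f)) for f in CLIENT_PACKETS]

if __name__ == "__main__":
    print("stateful :", verdicts(accepted_by_state_rule))   # FIN/ACK dropped
    print("stateless:", verdicts(accepted_by_stateless_rule))
```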
Re: [lvs-users] LVS DR dropping the FIN packets
On Fri, 25 Apr 2008, Thomas Pedoussaut wrote:

> So the solution is to change the iptables rule from
>
>     -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $VPORT -j ACCEPT
>
> to
>
>     -A RH-Firewall-1-INPUT -m tcp -p tcp --dport $VPORT -j ACCEPT

Thanks. In retrospect (of course) it's obvious. You can't do stateful inspection of packets with LVS-DR.

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
[lvs-users] LVS-DR: mail clients getting connection refused or no route to host after a while
I have my mailservers set up as realservers in my LVS-DR network. It works well with the exception that after some amount of time (a few hours usually) the remote clients begin getting messages that they are unable to connect to mail.domain or smtp.domain (these resolve to the VIP of LVS-DR). When I try and telnet to the mail ports from these remote mail clients I see one of two things:

    connection refused
    no route to host

These clients are internal and on the same subnet, so I try telnetting directly to the mailservers, and all accesses work just fine coming in direct like that.

So I tried restarting keepalived. This managed to clear the access for port 25 and port 110 but not for port 143. Port 143 still won't connect. Nothing else seems to help until I reboot both director boxes, and then and only then can the client regain access to port 143 for a few hours until the problem starts again.

I looked through the HOWTOs and the only thing I found that seems somewhat related is the discussion in section 28.14, "Long sessions through LVS-DR director terminated by icmp-host-prohibited (ICMP type 3 code 10)". I don't know if I've bumped into this but I cannot figure out anything else that might be the cause.

Gerry
Re: [lvs-users] LVS-DR: mail clients getting connection refused or no route to host after a while
On Fri, 25 Apr 2008, Gerry Reno wrote:

> I have my mailservers set up as realservers in my LVS-DR network. It works well with the exception that after some amount of time (a few hours usually) the remote clients begin getting messages that they are unable to connect to mail.domain or smtp.domain (these resolve to the VIP of LVS-DR). When I try and telnet to the mail ports from these remote mail clients I see one of two things:
>
>     connection refused

nothing listening on that port

>     no route to host

VIP not known to routing system.

> So I tried restarting keepalived. This managed to clear the access for port 25 and port 110 but not for port 143. Port 143 still won't connect. Nothing else seems to help until I reboot both director boxes, and then and only then can the client regain access to port 143 for a few hours until the problem starts again.

On the assumption that it's keepalived, can you run the setup with just one director, set up with ipvsadm and no keepalived, and see how long it takes to jam up the system?

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!