issues with using LVS with Tunneling

["Yash L. Khemani" <yash@xxxxxxxxxxx>]

hello,

we have ben using LVS for load balancing many groups of servers with
direct routing successfully.  in the past, while we were transitioning
between data centers, we also used LVS with ip tunneling successfully.
we are trying to use LVS with ip tunneling again.  what is different this
time is that we are using a 2.4 kernel instead of a 2.2 kernel, a newer
release of LVS.

i will try and describe our environment.  let me know if you need other
details.

LVS Server:
        based on redhat 7.1
        kernel 2.4.5-ac18smp
        glibc 2.2.3-12
        ipvs 0.9.2
        ipvsadm 1.18-2
        ip of lvs server: $dip
        ip of virtual server: $vip

Real Server:
        based on redhat 7.1
        kernel 2.4.5-ac16
        glibc 2.2.3-10
        ip: $rip

Client:
        ip: $cip

we tried two different real server.  one sits behind a firewall
(linux-ipchains).  the firewall and the lvs server are on the same vlan.
the other real server sits on a seperate network.  the results were the
same in both cases.

the following commands were executed on the lvs server:
        /sbin/ifconfig eth0:3 $vip netmask 255.255.255.192 broadcast \
          $broadcast up
        /sbin/ipvsadm -A -t $vip:80 -s wrr
        /sbin/ipvsadm -a -t $vip:80 -r $rip -i -w 1

next, the following commands were executed on the real server:
        modprobe ipip; \
        ifconfig tunl0 $vip netmask 255.255.255.255 broadcast $vip up; \
        route add -host $vip dev tunl0; \
        echo "1" > /proc/sys/net/ipv4/conf/all/hidden; \
        echo "1" > /proc/sys/net/ipv4/conf/tunl0/hidden

after that, i was unable to connect to port 80 on $vip.

in the instance where the real server is behind the linux ipchains
firewall, running tcpdump looking for packets to/from $rip, i see the
following during the telnet to port 80 attempt:

10:16:09.843697 eth0 < $cip.42863 > $rip.http: S 3066732490:3066732490(0) win 
5840 <mss 1460,sackOK,timestamp 43469480 0,nop,wscale 0> (DF) (ipip)
10:16:15.843686 eth0 < $cip.42863 > $rip.http: S 3066732490:3066732490(0) win 
5840 <mss 1460,sackOK,timestamp 43470080 0,nop,wscale 0> (DF) (ipip)

i ran tcpdump on the real server, however, and i don't see any activity
during the attempt to telnet to port 80 on $vip.

the ipchains rules on the firewall log whenever a packet is denied.
nothing was indicated in the logs created by ipchains with regard to the
connections that were attempted.  i would have expected to see interaction
between the $cip and $rip, or the $dip and $rip.

any help you can provide would be appreciated.

thanks!
yash