Re: ICMP requests

To: Hayden Myers <hayden@xxxxxxxxxxx>
Subject: Re: ICMP requests
Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Thu, 9 Aug 2001 00:49:59 +0000 (GMT)
        Hello,

On Wed, 8 Aug 2001, Hayden Myers wrote:

> > - ICMP_PORT_UNREACH: when there is no real services defined or when
> > the real service does not work (the last depends on the used method
> > for delivering TCP/UDP requests locally)
>
> tcpdump showed a large number of destination port unreachable messages.
>
> 15:48:04.693986 eth0 > 64.77.118.84 > 209.178.165.214: icmp: 64.77.118.84
> tcp port www unreachable [tos 0xc0]

        There is one more case where ICMP_PORT_UNREACH can be replied
from LVS: when a packet is received from the client, this packet is from
the virtual service but there is no existing connection. In such a case
the packet does not contain the needed information to start a new
connection, e.g. there are no correct TCP flags (SYN). So, maybe the
connections are already expired or you are hit by invalid
packets (attack)? Actually, this needs debugging but I don't know how
deep you can go into this testing: production environment, etc. Let me
know if you are brave enough to go further :)

> Hayden Myers

Regards

--
Julian Anastasov <ja@xxxxxx>
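
As a first debugging step for the case described in the message above, this added example (not part of the original thread and not LVS code) tallies port-unreachable replies per virtual service and per client from tcpdump text in the format quoted in the thread. The function names are hypothetical and the sample lines are constructed using documentation address ranges.

```python
import re
from collections import Counter, defaultdict

# Line shape taken from the tcpdump output quoted in the thread:
#   HH:MM:SS.usec iface > src > dst: icmp: host tcp port www unreachable [tos 0xc0]
UNREACH_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+(?:\S+\s+[<>]\s+)?"
    r"(?P<src>[\d.]+)\s+>\s+(?P<client>[\d.]+):\s+icmp:\s+"
    r"(?P<vip>[\d.]+)\s+(?P<proto>tcp|udp)\s+port\s+(?P<port>\S+)\s+unreachable")
TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s")

# Constructed sample; the first record is mail-wrapped over two lines as in the thread.
SAMPLE = """\
15:48:04.693986 eth0 > 192.0.2.10 > 198.51.100.7: icmp: 192.0.2.10
tcp port www unreachable [tos 0xc0]
15:48:04.701200 eth0 > 192.0.2.10 > 198.51.100.7: icmp: 192.0.2.10 tcp port www unreachable [tos 0xc0]
15:48:05.120033 eth0 > 192.0.2.10 > 203.0.113.44: icmp: 192.0.2.10 tcp port www unreachable [tos 0xc0]
15:48:05.300000 eth0 < 203.0.113.44.1042 > 192.0.2.10.www: . ack 1 win 8760
""".splitlines()

def unwrap(lines):
    """Join wrapped continuation lines onto the record they belong to."""
    records = []
    for line in (l.strip() for l in lines):
        if line and (TS_RE.match(line) or not records):
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def summarize(lines):
    """Map (vip, proto, port) -> Counter of client IPs that were sent port-unreachable."""
    per_service = defaultdict(Counter)
    for rec in unwrap(lines):
        m = UNREACH_RE.match(rec)
        if m:
            per_service[(m["vip"], m["proto"], m["port"])][m["client"]] += 1
    return per_service

def report(per_service):
    """Rows of (service, total replies, distinct clients, top client, its count)."""
    rows = []
    for svc, clients in per_service.items():
        top_ip, top_n = clients.most_common(1)[0]
        rows.append((svc, sum(clients.values()), len(clients), top_ip, top_n))
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    print(*report(summarize(SAMPLE)), sep="\n")
```

The per-client counts show which sources to follow up on when checking the two possibilities raised in the message: connections that have already expired, or invalid packets.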


