LVS
lvs-users
Google
 
Web LinuxVirtualServer.org

Re: Ultramonkey/LVS-TUN connection stalls on client

To: Julian Anastasov <ja@xxxxxx>
Subject: Re: Ultramonkey/LVS-TUN connection stalls on client
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Nigel Hamilton <nigel@xxxxxxxxxxx>
Date: Wed, 25 Feb 2004 05:46:14 -0600 (CST)
> >     But now I've run out of ideas on what to try next? Any help would
> > be much appreciated?
> 
>       http://www.ssi.bg/~ja/TUN-HOWTO.txt
> 


HI,

        I've read Julian's excellent TUN-HOWTO.txt (see: 
http://www.ssi.bg/~ja/TUN-HOWTO.txt).

        Step 1 as he suggests is to check whether or not the Director is
using a unique address when communicating to the Real Server. The Real 
Server's IP (RIP) is 66.98.186.73:

[root@director]# /sbin/ip route get 66.98.186.73
66.98.186.73 via 66.98.226.1 dev eth0  src 66.98.226.52 
    cache  mtu 1500 advmss 1460
        
        I think this looks OK? The source address is the real IP of the
Director not the VIP. The HOWTO suggests the IPIP packets will be dropped
at the Director if the source is the "VIP or another IP address configured 
on the Real Server."

        This looks fine. Step 2 in the HOWTO suggests to check if the Real
Server is dropping the decapsulated packets, using this command:  "ip
route get from CIP to VIP iif tunl0".

        My client IP (CIP) is 81.152.187.242, and virtual IP (VIP) is  
66.98.227.143. So I do:

[root@realserver]# /sbin/ip route get from 81.152.187.242 to 66.98.227.143 iif 
tunl0
Cannot find device "tunl0"

        Hmmm ... no 'tunl0'? I assume this refers to one of the interfaces
on the RealServer? eth0?

[root@realserver]# /sbin/ip route get from 81.152.187.242 to 66.98.227.143 iif 
eth0
local 66.98.227.143 from 81.152.187.242 dev lo  src 66.98.227.143 cache <local> 
 iif eth0
        
        This looks OK? It seems to say the VIP looks like a local address
on the Real Server and it returns a route to the client via dev lo? The
hidden interface - sounds good. Not sure about the cache <local> bit
though.

        So assuming the above test has passed, step 3 in the HOWTO is
to see if the RealServer's gateway passes the packet to the client using
the command, "arp -d GW; traceroute -n -s VIP CIP" on the Real Server. The
Gateway of my Real Server is 66.98.186.1. So I do:

[root@realserver]# /sbin/arp -d 66.98.186.1; traceroute -n -s 66.98.227.143 
81.152.187.242

        On the Director I do a /usr/bin/tcpdump | tee to truy

[root@director] /usr/sbin/tcpdump | tee look
[root@director] cat look        

        Below is an excerpt of the tcpdump output:

3712 <nop,nop,timestamp 2036664512 23858358> (DF) [tos 0x10] 
18:50:58.928811 ivhou-207-218-245-3.ev1.net > 66.98.227.143: icmp: time 
exceeded
 in-transit
18:50:58.929089 director.turbo10.com.32768 > ns3.ev1.net.domain:  2509+ 
PTR? 143
.227.98.66.in-addr.arpa. (44) (DF)
18:50:58.929679 ns3.ev1.net.domain > director.turbo10.com.32768:  2509 
NXDomain 
0/1/0 (97) (DF)
18:50:58.929943 director.turbo10.com.32768 > ns3.ev1.net.domain:  2510+ 
PTR? 3.2
45.218.207.in-addr.arpa. (44) (DF)
18:50:58.930798 ns3.ev1.net.domain > director.turbo10.com.32768:  2510* 
1/2/2 (1
53) (DF)
18:51:00.581450 director.turbo10.com.48818 > 66.98.186.73.http: S 
2825611618:282
5611618(0) win 5840 <mss 1460,sackOK,timestamp 23858555 0,nop,wscale 0> 
(DF)
18:51:00.581793 66.98.186.73.http > director.turbo10.com.48818: S 
2161123449:216
1123449(0) ack 2825611619 win 5792 <mss 1460,sackOK,timestamp 20967725 
23858555,
nop,wscale 0> (DF)
18:51:00.581837 director.turbo10.com.48818 > 66.98.186.73.http: . ack 1 
win 5840
 <nop,nop,timestamp 23858555 20967725> (DF)

        Step 3 of the HOWTO says "after some time we should see
unreachable replies sent from the client". I can't see the client's IP
address in here at all. I don't know how to spot "unreachable replies from
the client".

        However, I can see something from my ISP's switch/router/thingy:

18:50:58.928811 ivhou-207-218-245-3.ev1.net > 66.98.227.143: icmp: time 
exceeded in-transit

        I have no idea if this is good or bad? But the HOWTO goes on to 
say "at least we should see on the client the UDP packets generated from 
the Real Server."

        So I start Ethereal on Windows XP to see if I can see these UDP 
packets and re-run the test on the Real Server.

[root@realserver]# arp -d 66.98.186.1; traceroute -n -s 66.98.227.143 
81.152.187.242

        The first time I started Ethereal I thought I saw 4 UDP packets 
but then they stopped. The second time I ran the test Ethereal reports no 
UDP packets received by the client at all.

        So, Doctor what nasty disease have I got here? Is my ISP blocking
the packets somehow? It seems there is no consistent UDP response from the
client, why is that?

        Any ideas on what I should try next? 

        I should mention I'm using RedHat Enterprise 3.0 installed
straight-out-of-the-box. Is there some default firewall I need to turn off
first?
        
        Any ideas would be much appreciated.

Kind regards,


Nigel



-- 
Nigel Hamilton
Turbo10 Metasearch Engine

email:  nigel@xxxxxxxxxxx
tel:    +44 (0) 207 987 5460
fax:    +44 (0) 207 987 5468
________________________________________________________________________________
http://turbo10.com              Search Deeper. Browse Faster.

<Prev in Thread] Current Thread [Next in Thread>