Joseph,
> > /proc/sys/net/ipv4/vs# ipvsadm --list -n
> > IP Virtual Server version 1.2.0 (size=32768)
> > Prot LocalAddress:Port Scheduler Flags
> >   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> > TCP  212.xx.xx.xx:8080 rr persistent 360
> >   -> 10.0.0.21:8080               Tunnel  50     2521       18336
> >   -> 10.0.0.20:8080               Tunnel  50     2549       17606
> >
> > It's working fine, but I got some messages from our servicedesk saying
> > there are problems with long-term connections, especially HTTPS connects.
> > Problem is, I cannot reproduce the problem for now; at home I can't
> > reproduce, at work I can't reproduce either...
>
> LVS assumes all realservers (here your squids) have identical content
> and it doesn't matter which realserver you get the content from.
> This assumption fails for https, when people use persistence normally
> (I don't think you should be squid'ing https, just let it through)
> and for squids, which in an LVS will develop different content.
> There is a scheduler designed for squids (see the HOWTO), but some
> people find that it doesn't work well and use the original scheduler.
> I don't know what the problem is.
Problem is we cannot reproduce the problem, but there are customers who
have this.
Just 10 minutes ago I got a report of a school using BorderManager that
gives:
"504 Gateway Timeout - Lost connection to neighbor proxyserver"
"502 Bad Gateway - Mal-formed reply from origin server"
When they point their BorderManager to realserver-1 there are no
problems.
It is not with all sites; especially with Hotmail and searching at
www.vikingdirect.nl, and other sites not specified.
I stopped all firewalls on the load balancer and realservers, but that does
not solve the problem, so we can assume there are no packets dropped by
iptables.
> > Other clients had problems with logging in to sites; some people now
> > set their proxy directly to one of the realservers and the problems are
> > over...
>
> They shouldn't know about a proxy. They should be sending to whatever:80
> and you should rewrite it to 3128 on the way out and then back to 80 on the
> way back in.
As I say, they have all set their proxy to the load balancer; it's a
remote system and it can't be transparent due to authentication.
> > (They had troubles logging in to Hotmail and Dutch MediaMarkt (to
> > upload photos for the print service, see www.mediamarkt.nl -> foto print
> > service).) There are other people complaining about Windows Update not
> > wanting to start (searching for updates ................. and then
> > terminating with error code xxx and: try again later). At the same time,
> > on the same realserver, I do not have problems.
>
> Hmm, these are all stateful uses of http, something that wasn't part of
> the original design of http. I think you're going to have to use persistence
> or fwmarks with persistence.
As you can see above, we are already using persistent connections.
> No, there are still questions:
> - Can this be the MTU (both on WAN and LAN: 1500 bytes, at LB and
>   realservers)? What is the MTU's impact on LVS-TUN (maybe ip-encap?)?
>
> MTU and LVS-Tun are written up in the HOWTO. I don't think it's a solved
> problem.
Is it better to switch to DR mode?
> > - Why is the InActConn so high?
> >   When I restart the load balancer, everything is zeroed. Then within
> >   no time InActConn is filled, and then settles at around 18000.
>
> You've reached equilibrium. If TIME_WAIT=90secs, you're getting 18000/90
> hits/sec.
You're right.
> > - How can I see if the connection table is full? `dmesg` gives no output.
> Hmm, don't know. Probably you can get it with ipvsadm.
Isn't it possible that the hash table overwrites entries?
Thanks, Janno.
Janno de Wit
DNA Services B.V.
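As an added illustration that is not part of this thread, the Python below parses an `ipvsadm --list -n` table like the one quoted above and applies Joseph's TIME_WAIT equilibrium estimate to each realserver; the sample text is constructed from the figures in the mail, and the 90 s TIME_WAIT is the value Joseph assumed.

```python
import re

# Constructed sample, shaped like the `ipvsadm --list -n` output quoted in the
# mail (VIP masked as in the original; counts copied from it).
SAMPLE = """\
IP Virtual Server version 1.2.0 (size=32768)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  212.xx.xx.xx:8080 rr persistent 360
  -> 10.0.0.21:8080               Tunnel  50     2521       18336
  -> 10.0.0.20:8080               Tunnel  50     2549       17606
"""

def parse_ipvsadm(text):
    """Parse `ipvsadm --list -n` into the connection hash-table size and a
    list of virtual services, each with scheduler, persistence timeout
    (None when not persistent) and its realserver rows."""
    table = {"size": None, "services": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "IP":                       # version/size banner
            m = re.search(r"size=(\d+)", line)
            table["size"] = int(m.group(1)) if m else None
        elif parts[0] == "Prot" or (len(parts) > 1 and parts[1] == "RemoteAddress:Port"):
            continue                               # column header lines
        elif parts[0] == "->":                     # realserver row
            addr, fwd, weight, active, inact = parts[1:6]
            table["services"][-1]["real"].append({
                "addr": addr, "forward": fwd, "weight": int(weight),
                "active": int(active), "inact": int(inact)})
        else:                                      # virtual service row
            proto, vip, sched, *flags = parts
            persist = None
            if "persistent" in flags:
                persist = int(flags[flags.index("persistent") + 1])
            table["services"].append({"proto": proto, "vip": vip, "sched": sched,
                                      "persistent": persist, "real": []})
    return table

def hit_rates(service, time_wait=90):
    """Equilibrium estimate from the mail: at steady state InActConn is the
    number of connections sitting in TIME_WAIT, so InActConn / TIME_WAIT
    approximates new connections per second on each realserver."""
    return {r["addr"]: r["inact"] / time_wait for r in service["real"]}

def table_load(table):
    """Total tracked connections and their ratio to hash buckets (load factor)."""
    total = sum(r["active"] + r["inact"]
                for s in table["services"] for r in s["real"])
    return total, total / table["size"]
```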