
Re: Problems with IPVS

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Problems with IPVS
From: "Mindaugas" <mind@xxxxx>
Date: Tue, 17 Oct 2006 17:43:24 +0300


 I investigated a bit further and that's what I found:
Where did you tcpdump?

 Dumps attached on previous e-mail were done on bond0 interface which is
facing proxy. tcpdumps done on proxy confirm the problem.

 tcpdump.cap - DNAT case
 tcpdump2.cap - LVS case
 tcpdump3.cap - LVS case and Nokia phone

 1. phone sends SYN packet to proxy;

Means (from previous email context):

Phone --> GRE tunnel --> netwap --> fwmark --> LVS --> proxy

 Yes. netwap is interface on the same server running LVS.

How many devices are we talking about including Phone and proxy?

 Phone, SGSN/GGSN, PIX firewall (one end of GRE is there), server, proxy.

 2. proxy responds with SYN,ACK;
 3. phone sends ACK;

Beautiful, if this goes through LVS, it's already a big step towards a correctly working LVS.

 Nokia phones work through LVS without problems.

 4. phone sends HTTP GET request;
 5. proxy ACKs packet 4;
Only ACK? No data?

 Yes.

 6. proxy sends HTTP data packet;
 7. proxy sends another HTTP data packet;
 8. proxy sends FIN packet;

 weird things start here

9. phone once more sends ACK packet acknowledging packet 2 (duplicate of packet 3);
Does the proxy have SACK/FACK support enabled?

 Proxy is CentOS4 Linux server running Squid.

# sysctl net.ipv4.tcp_fack net.ipv4.tcp_sack
net.ipv4.tcp_fack = 1
net.ipv4.tcp_sack = 1

 10. and one more dupe of packet 3;
 11.-14. proxy repeats packet 6. 4 times.
It has to. Is ECN enabled?

 Once again sysctl says that no. Both on LVS server and on proxy.

 The problem is that LVS does not pass packets 11. to 14. to phone. Why?
Because packet 8 was FIN and LVS is not stateful with regard to TCP sessions and retransmits.

 But phone did not acknowledge that FIN yet?

In case of DNAT packets 11.-14. are passed to phone which at the end acknowledges packets 6. and 7. and then acknowledges packet 8. thus closing TCP connection.
Here I don't follow your statements, sorry.

If I set up DNAT instead of LVS then packets 11.-14. are sent to phone. In case of LVS they are not. And after phone receives those packets it sends ACK to packets 6. and 7. and then to 8.

 Mindaugas
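
The comparison discussed in this thread (retransmissions visible on the proxy-facing interface but not passed on towards the phone) can be checked mechanically; the following is an added example, not part of the original message. It assumes both captures were printed with `tcpdump -n -S` (absolute sequence numbers) and show the same sender address; all addresses, sequence numbers and function names are constructed.

```python
import re
from collections import Counter

# One TCP line of `tcpdump -n -S` text output (modern format).
LINE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?.*length (?P<len>\d+)"
)

def segments(dump, sender):
    """Count segments from `sender` that occupy sequence space (data or FIN)."""
    seen = Counter()
    for line in dump.splitlines():
        m = LINE.search(line)
        if not m or m["src"] != sender or m["seq"] is None:
            continue  # other direction, non-TCP line, or pure ACK
        if int(m["len"]) == 0 and "F" not in m["flags"]:
            continue  # SYN/RST without payload are not of interest here
        seen[(m["flags"], int(m["seq"]), int(m["len"]))] += 1
    return seen

def not_forwarded(proxy_side, client_side, sender):
    """Segments seen on the proxy-facing capture more often than on the client-facing one."""
    return segments(proxy_side, sender) - segments(client_side, sender)

# Constructed sample mirroring packets 5-14 of the thread (hypothetical addresses).
PROXY, PHONE = "192.0.2.10.3128", "198.51.100.7.1025"
ACK5 = f"IP {PROXY} > {PHONE}: Flags [.], ack 301, win 5840, length 0"
DATA6 = f"IP {PROXY} > {PHONE}: Flags [P.], seq 1001:2401, ack 301, win 5840, length 1400"
DATA7 = f"IP {PROXY} > {PHONE}: Flags [P.], seq 2401:2801, ack 301, win 5840, length 400"
FIN8 = f"IP {PROXY} > {PHONE}: Flags [F.], seq 2801, ack 301, win 5840, length 0"
DUPACK = f"IP {PHONE} > {PROXY}: Flags [.], ack 1001, win 8192, length 0"

CLIENT_SIDE = "\n".join([ACK5, DATA6, DATA7, FIN8, DUPACK, DUPACK])
PROXY_SIDE = "\n".join([ACK5, DATA6, DATA7, FIN8, DUPACK, DUPACK] + [DATA6] * 4)

if __name__ == "__main__":
    for (flags, seq, length), n in not_forwarded(PROXY_SIDE, CLIENT_SIDE, PROXY).items():
        print(f"[{flags}] seq={seq} len={length}: {n} copies not forwarded")
```
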

