I've attempted to simplify things on this new attempt (fyi, there is no
eth0 on any of the machines):
DIP = 74.52.166.34 bound to eth1
VIP = 74.52.166.35 bound to eth1:35
RS1 = 74.52.166.50 bound to eth1
RS1VIP = 74.52.166.35 bound to lo:35
RS2 = 74.52.166.130 bound to eth1
RS2VIP = 74.52.166.35 bound to lo:35
Ok.
On Director:
[root@lb1 ~]# sysctl -p
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.eth1.arp_ignore = 0
net.ipv4.conf.eth1.arp_announce = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth1.send_redirects = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
You should disable rp_filter.
net.ipv4.conf.default.accept_source_route = 0
On both RS's:
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.eth1.arp_ignore = 1
net.ipv4.conf.eth1.arp_announce = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
Ok.
Care to show the ipvsadm -L -n output?
[root@lb1 ~]# ipvsadm -L -n
IP Virtual Server version 1.2.0 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 74.52.166.35:23 rr
-> 74.52.166.50:23 Route 1 0 0
-> 74.52.166.130:23 Route 1 0 0
Looks perfect.
The preferred way of dealing with this is by instrumenting
arp_{announce,ignore} in the proc-fs.
I've cleared out all the arptables stuff and am trying to use the
arp_{announce,ignore} as suggested but I am unsure which interfaces need
what setting. The mini-HOWTO isn't too clear on this.
The interface carrying the VIP, since this is the one we should not
send/reply arp probes for the VIP. Only the director needs to reply to
arp on the VIP.
Can you tcpdump on the director? Are you sure there's not some
filtering of illicit traffic on switch ports on your ISP's side?
Yes. Running "tcpdump -n -i eth1 port 23" on the director shows lots of
these when I try and telnet from my home machine:
11:37:45.031014 IP 70.241.143.240.3165 > 74.52.166.35.telnet: S
2050237163:2050237163(0) win 65535 <mss 1452,nop,nop,sackOK>
In earlier days I would have said missing arp handling, yours seems to
be ok. So please disable rp_filter and try again. Also check your kernel
messages, e.g. the dropped packets from the reverse path filtering go
there if log_martians is enabled.
Running "tcpdump -n -i any port 23" on the 2 RS's shows nothing when I
try to telnet to the VIP.
Ok, so packets are dropped at the director.
Thanks very much for your assistance.
We're glad to help out, if time permits.
Best regards,
Roberto Nibali, ratz
--
echo
'[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
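A check for the sysctl values discussed in this thread, as an added example that is not part of the original messages. It reads `sysctl -p` style output and flags rp_filter on the director and arp_ignore/arp_announce on a real server. The function name `lvs_dr_check` and the role names are hypothetical; the expected values are the ones shown or recommended above.

```shell
#!/bin/sh
# Added example: audit `sysctl -p` output for an LVS-DR node.
# usage: sysctl -p | lvs_dr_check director|realserver   (hypothetical helper)
lvs_dr_check() {
    awk -v role="$1" '
    /^[ \t]*net\.ipv4\./ {                 # keep only "key = value" lines
        line = $0; gsub(/[ \t]/, "", line)
        n = index(line, "="); if (n == 0) next
        seen[substr(line, 1, n - 1)] = substr(line, n + 1) + 0
    }
    END {
        bad = 0; martians = 0
        for (k in seen) {
            v = seen[k]
            if (k ~ /\.log_martians$/ && v == 1) martians = 1
            if (role == "director" && k ~ /\.rp_filter$/ && v != 0) {
                print "FAIL " k "=" v " (want 0 on the director)"; bad++
            }
            if (role == "realserver" && k ~ /\.arp_ignore$/ && v != 1) {
                print "FAIL " k "=" v " (want 1 on a real server)"; bad++
            }
            if (role == "realserver" && k ~ /\.arp_announce$/ && v != 2) {
                print "FAIL " k "=" v " (want 2 on a real server)"; bad++
            }
        }
        # Without log_martians the rp_filter drops are not logged by the kernel.
        if (role == "director" && bad > 0 && !martians)
            print "NOTE log_martians not enabled in this output; rp_filter drops will not be logged"
        exit (bad > 0)                     # status 1 when anything failed
    }'
}

# Sample input: values copied from the sysctl listings in the thread.
DIRECTOR_CONF='net.ipv4.conf.eth1.arp_ignore = 0
net.ipv4.conf.eth1.arp_announce = 0
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1'
REALSERVER_CONF='net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.eth1.arp_ignore = 1
net.ipv4.conf.eth1.arp_announce = 2'

printf '%s\n' "$DIRECTOR_CONF" | lvs_dr_check director || true
printf '%s\n' "$REALSERVER_CONF" | lvs_dr_check realserver || true
```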