
Re: Long sessions through LVS DR director terminated by icmp-host-prohibit

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Long sessions through LVS DR director terminated by icmp-host-prohibited (ICMP type 3 code 10)
From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Tue, 13 Mar 2007 16:00:11 -0700 (PDT)

On Tue, 13 Mar 2007, Klaas Jan Wierenga wrote:

> Hi all,

thanks for the nice complete report.

short answer - I don't know, but I'm not as close to the code as others on the ml.

> I have a problem where sometimes some long standing mp3 streaming sessions over HTTP are terminated because the LVS-DR director sends an "ICMP type 3 code 10 - host unreachable" packet to the client (which is the source of the mp3 stream). When this happens the client stops sending packets for 15 minutes (the TCP idle session timeout of LVS?)

well possibly. the idle timeout is only for idle connections. Not having any other ideas, you could double it and see what happens.

> 2. Where is this ICMP packet generated in linux/net/ipv4/ipvs/* source files? Answer: nowhere!, at least not with type 3 code 10
>
> 3. Could it be that this ICMP packet is generated by some sort of denial-of-service defense code that I'm unaware of?

nope. nothing hidden in LVS.

> Answer: net/ipv4/netfilter/ipt_REJECT.c: send_unreach(*pskb, ICMP_HOST_ANO);
>
> So it appears that netfilter (iptables?) is sending it. Why?

do you have any iptables rules? (if so delete them for the moment).

> This could be due to the firewall rule:

OK you do.

> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
> But why is this sent on an existing, established and active connection? Or is there some TCP timeout because the director only sees incoming packets on the connection? Maybe this rings a bell with someone.

unlikely. In LVS-DR the director makes reasonable guesses as to the state of the realserver's connection, based on timeouts etc. Hopefully its behaviour looks the same as a normal 2-ended connection, at least on the outside.


Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
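
A capture-side check for the packet discussed in this thread, as an added example that is not part of the original post: it decodes an ICMP type 3 code 10 message (ICMP_HOST_ANO, which the quoted REJECT rule emits) and pulls out the IP/TCP header it quotes, so the rejected flow can be identified. The input is the ICMP message without the outer IP header; the addresses, ports and function names are constructed for illustration.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3   # ICMP type 3
ICMP_HOST_ANO = 10      # code 10, sent by ipt_REJECT for icmp-host-prohibited

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rejected_flow(icmp: bytes):
    """Return the flow quoted inside a type 3 code 10 message, else None."""
    if len(icmp) < 8 + 20 + 8 or checksum(icmp) != 0:
        return None                       # truncated or corrupted message
    if (icmp[0], icmp[1]) != (ICMP_DEST_UNREACH, ICMP_HOST_ANO):
        return None
    inner = icmp[8:]                      # quoted IP header + first 8 payload bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    flow = {
        "proto": inner[9],
        "src": socket.inet_ntoa(inner[12:16]),
        "dst": socket.inet_ntoa(inner[16:20]),
    }
    if flow["proto"] in (6, 17):          # TCP or UDP: ports come first
        flow["sport"], flow["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    if flow["proto"] == 6:                # TCP: sequence number of the rejected segment
        flow["seq"] = struct.unpack("!I", inner[ihl + 4:ihl + 8])[0]
    return flow

def build_sample(code: int = ICMP_HOST_ANO) -> bytes:
    """Constructed message: client 198.51.100.7:40000 -> VIP 192.0.2.10:8000."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0, 64, 6, 0,
                     socket.inet_aton("198.51.100.7"), socket.inet_aton("192.0.2.10"))
    tcp8 = struct.pack("!HHI", 40000, 8000, 123456789)
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip + tcp8
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

if __name__ == "__main__":
    print(rejected_flow(build_sample()))
```

The quoted source and destination are those of the packet that hit the REJECT rule, so they show which client connection to the virtual service was rejected and at which TCP sequence number.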
