> > So the packets must be somehow going around the LVS stuff.
> > I think it's a FWM issue too. I'll need to do some more
> > captures to understand what port ranges are being used.
> > From what you say in the howto, basically you hook up on
> > 177, but after that it's not used anymore. The RS and
> > client must negotiate another port to use.
> If X steps in next, there'll be a whole heap of ports at
> 6000 (I think). Look at the writeup for ftp, identd and rsh
> for the problems that LVS gets into when the realserver
> negotiates ports with the client that the director doesn't
> know about.
OK. Here's something weird and unexpected in troubleshooting this issue.
I start an xnest into my cluster through the director. I've the
firewall mark set to bundle 177 and 6000-6009. It falls out of
`ipvsadm -lc` after a few minutes, but the connection stays up fine.
While this connection is happening, I fire up iptstate to see what's
going on. It does not show my xnest source IP anywhere in the source
column, but shows 13 ESTABLISHED tcp connections on my xnest IP in the
destination column on port 6005 (I started the xnest @ :5), coming from
the RS I landed on. (no wonder X sucks so hard over the VPN ;-)
I expected to see either my xnest IP or my VIP in the source column. Can
anyone explain that? It seems like state is only kept for the xnest
sessions back out through the director. Does that seem right, or is
iptstate giving me false data?
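As an added illustration (not part of the thread, and not the LVS project's own code): the pattern described above, where the X client on the realserver opens connections back to the user's X server on 6000+display, so the director's state table shows RS->client flows rather than client->VIP ones. The flow lines, the VIP, realserver addresses and the simplified "src dst proto state" format are all constructed placeholders, loosely modelled on iptstate's columns.

```python
from collections import Counter

# Constructed sample flows in a simplified "src:port dst:port proto state"
# form. 198.51.100.5 plays the VIP, 198.51.100.21/.22 the realservers,
# 192.0.2.10 the user running xnest on display :5 (placeholders only).
SAMPLE = """\
192.0.2.10:40001 198.51.100.5:177 udp ESTABLISHED
198.51.100.21:48210 192.0.2.10:6005 tcp ESTABLISHED
198.51.100.21:48211 192.0.2.10:6005 tcp ESTABLISHED
198.51.100.22:51000 192.0.2.10:6005 tcp ESTABLISHED
203.0.113.7:33000 198.51.100.5:6000 tcp ESTABLISHED
"""

# Ports bundled into the firewall mark in the message: XDMCP 177 plus
# X11 displays :0 to :9 (TCP 6000-6009).
FWM_PORTS = {177} | set(range(6000, 6010))


def x11_port(display):
    """An X server for display :N listens on TCP 6000 + N (:5 -> 6005)."""
    return 6000 + display


def classify(line, vip, realservers, fwm_ports=FWM_PORTS):
    """Label one flow by which direction it was opened in."""
    src, dst, _proto, _state = line.split()
    sip, _sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    dport = int(dport)
    if dip == vip and dport in fwm_ports:
        # Client reached the VIP: this is what the LVS fwm service balances.
        return "client->VIP (LVS fwm service)"
    if sip in realservers and dport in fwm_ports:
        # Realserver opened the connection back to the client's X server:
        # the director only forwards it, the LVS table never sees it.
        return "RS->client reverse X11 (not in LVS table)"
    return "other"


def summarize(text, vip, realservers):
    """Count flows per category so RS-initiated X11 traffic stands out."""
    return Counter(classify(l, vip, realservers)
                   for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for label, n in summarize(SAMPLE, "198.51.100.5",
                              {"198.51.100.21", "198.51.100.22"}).items():
        print(f"{n:3d}  {label}")
```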