[lvs-users] IPsec and LVS-NAT: fragmentation issue

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [lvs-users] IPsec and LVS-NAT: fragmentation issue
From: "Laurentiu C. Badea (L.C.)" <lc@xxxxxxxx>
Date: Fri, 19 Sep 2008 13:35:25 -0700
I think this may be a bug in LVS. I have an LVS-NAT on a machine that 
also does IPsec with the clients (not with the real servers).


When the real server sends back a packet that is too big for IPsec to 
encode, I see an "ICMP Fragmentation Needed" sent by VIP to itself 
(VIP->VIP on the "lo" interface). That does not make it outside so the 
connection hangs while the real server blindly retransmits its packet. 
Took me a while to figure out what is happening since listening on the 
physical interface did not show the ICMP.

I'm going to read LVS-Tun for some ideas but I don't think it's normal 
for that ICMP to be sent to itself.


<Prev in Thread] Current Thread [Next in Thread>