
Re: [lvs-users] LVS-DR stuck in SYN packets?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] LVS-DR stuck in SYN packets?
From: Malcolm Turnbull <malcolm@xxxxxxxxxxxxxxxx>
Date: Tue, 25 Mar 2014 06:56:05 +0000
Maybe,

But rp_filter just controls where the reply packet goes, default
setting is out of any interface (which I've always thought is a bit
crazy).
I would start with a one arm one VLAN configuration for simplicity and
diagnosis, and it could be the switch has MAC spoofing protection
turned on.


On 24 March 2014 21:18, Tiago <sytker@xxxxxxxxx> wrote:
> I tried both, but it didn't work.
>
> Maybe my switch/gw is rejecting packets from my realservers directly to
> customers because of RPF filter?
>
>
> 2014-03-24 18:03 GMT-03:00 Malcolm Turnbull <malcolm@xxxxxxxxxxxxxxxx>:
>
>> I've never used that method before, I would think you would need to be
>> careful with your rp_filter settings?
>>
>> The ones I know that do work with the DR mode LVS arp problem are:
>>
>> http://pdfs.loadbalancer.org/quickstartguideLBVMv7.pdf
>> Page 30: loopback + arp_ignore sysctl values
>>
>> or forget the loopback and use just
>> Page 29: iptables method
>>
>>
>>
>>
>> On 24 March 2014 20:57, Tiago <sytker@xxxxxxxxx> wrote:
>> > Hi Malcolm,
>> >
>> > Answering:
>> >>Is the apache server responding to BOTH the RIP & the VIP? (RIP for
>> >>health checks, VIP for load balanced traffic)
>> >
>> > root@web1:/var/log/apache2# netstat -ntlpd | grep :80
>> > tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      10159/apache2
>> >
>> >
>> >>And how have you solved the ARP problem for the loopback adapter?
>> >
>> > As we have completely separate vlans, the traffic which comes to VIP
>> > doesn't reach RIP network segment. So, per some instructions I didn't
>> > take any measure on it, I hope that approach is correct.
>> >
>> > Basically I have:
>> > LVS server:
>> >
>> > eth1 (vlan 2054) with public IPs
>> > eth0 (vlan 1296) with private IPs
>> >
>> > So I have VIP on top of eth1.
>> > And I have an 10.56.213.6 on top of eth0.
>> >
>> > Real servers:
>> > eth1 (vlan 2054) with public IPs
>> > eth0 (vlan 1296) with private IPs
>> >
>> > So I have VIP on lo:0
>> > And I have 10.56.213.20 on top of eth0 on realserver 1 and I have
>> > 10.56.213.21 on top of eth0 on realserver 2.
>> >
>> > Thanks
>> >
>> >
>> >
>> >
>> > 2014-03-24 17:40 GMT-03:00 Malcolm Turnbull <malcolm@xxxxxxxxxxxxxxxx>:
>> >
>> >> Tiago,
>> >>
>> >> Is the apache server responding to BOTH the RIP & the VIP? (RIP for
>> >> health checks, VIP for load balanced traffic)
>> >> And how have you solved the ARP problem for the loopback adapter?
>> >>
>> >>
>> >>
>> >> On 24 March 2014 20:00, Tiago <sytker@xxxxxxxxx> wrote:
>> >> > Hello all,
>> >> >
>> >> > I'm trying to set up an LVS-DR here for a couple of webservers. My
>> >> > scenario is:
>> >> >
>> >> > Eth1 and eth0 are in separated vlans.
>> >> >
>> >> > My realservers ips: 10.56.213.31-10.56.213.32 at eth0
>> >> >
>> >> > myrealip** at eth1 (it's a public IP)
>> >> >
>> >> > root@lvs1:~# ipvsadm
>> >> > IP Virtual Server version 1.2.1 (size=4096)
>> >> > Prot LocalAddress:Port Scheduler Flags
>> >> >   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
>> >> > TCP  myrealip**:http wlc
>> >> >   -> 10.56.213.31:http            Route   1      0          0
>> >> >   -> 10.56.213.32:http            Route   1      0          0
>> >> >
>> >> > On realservers:
>> >> > lo:0      Link encap:Local Loopback
>> >> >           inet addr:myrealip**  Mask:255.255.255.255
>> >> >           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>> >> >
>> >> > route -n:
>> >> > myrealip**  0.0.0.0         255.255.255.255 UH    0      0        0 lo
>> >> >
>> >> > When someone tries to access myrealip**:80 I have:
>> >> >   -> 10.56.213.31:http            Route   1      0          1
>> >> >   -> 10.56.213.32:http            Route   1      0          0
>> >> >
>> >> > And on realserver 10.56.213.31:
>> >> >
>> >> > root@web1:/var/log/apache2# tcpdump -ni eth0 host 216.5.78.123 (my source ip)
>> >> > tcpdump: WARNING: eth0: no IPv4 address assigned
>> >> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> >> > listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> >> > 13:40:35.267880 IP 216.5.78.123.37026 > myrealip**.80: Flags [S], seq 2186878409, win 14600, options [mss 1460,sackOK,TS val 164050646 ecr 0,nop,wscale 7], length 0
>> >> > 13:40:36.270371 IP 216.5.78.123.37026 > myrealip**.80: Flags [S], seq 2186878409, win 14600, options [mss 1460,sackOK,TS val 164051646 ecr 0,nop,wscale 7], length 0
>> >> > 13:40:38.276806 IP 216.5.78.123.37026 > myrealip**.80: Flags [S], seq 2186878409, win 14600, options [mss 1460,sackOK,TS val 164053646 ecr 0,nop,wscale 7], length 0
>> >> > 13:40:42.294667 IP 216.5.78.123.37026 > myrealip**.80: Flags [S], seq 2186878409, win 14600, options [mss 1460,sackOK,TS val 164057646 ecr 0,nop,wscale 7], length 0
>> >> > 13:40:50.328756 IP 216.5.78.123.37026 > myrealip**.80: Flags [S], seq 2186878409, win 14600, options [mss 1460,sackOK,TS val 164065646 ecr 0,nop,wscale 7], length 0
>> >> >
>> >> > But I can't see the answer going back to me in any interface I have
>> >> > at these realservers. I don't get any HTTP HIT at apache either.
>> >> >
>> >> > Obviously it seems I'm missing something here, however, I can't see
>> >> > clearly what it is.
>> >> >
>> >> > Can you help on this?
>> >> >
>> >> > Thanks in advance!
>> >> > _______________________________________________
>> >> > Please read the documentation before posting - it's available at:
>> >> > http://www.linuxvirtualserver.org/
>> >> >
>> >> > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
>> >> > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
>> >> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>> >>
>> >>
>> >>
>> >> --
>> >> Regards,
>> >>
>> >> Malcolm Turnbull.
>> >>
>> >> Loadbalancer.org Ltd.
>> >> Phone: +44 (0)870 443 8779
>> >> http://www.loadbalancer.org/
>> >>
>>
>>
>>
>> --
>> Regards,
>>
>> Malcolm Turnbull.
>>
>> Loadbalancer.org Ltd.
>> Phone: +44 (0)870 443 8779
>> http://www.loadbalancer.org/
>>



-- 
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/
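
Added example, not part of the thread: a shell check for the realserver sysctls this discussion turns on (rp_filter on the interface that receives traffic from the director, arp_ignore and arp_announce on the interface in the VIP's VLAN). `SYSCTL_ROOT` and the function names are assumptions of this example, and the thresholds are the values commonly used for LVS-DR, not settings quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. SYSCTL_ROOT is a hypothetical override so
# the check can be pointed at a constructed tree; the default is the live host.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# For rp_filter, arp_ignore and arp_announce the kernel uses the larger of
# conf/all/<key> and conf/<iface>/<key>.
effective() {  # usage: effective <iface> <key>
    a=$(cat "$SYSCTL_ROOT/net/ipv4/conf/all/$2" 2>/dev/null || echo 0)
    i=$(cat "$SYSCTL_ROOT/net/ipv4/conf/$1/$2" 2>/dev/null || echo 0)
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# usage: check_dr_realserver <iface receiving director traffic> [iface in the VIP's VLAN]
# Prints one finding per line; prints nothing when the settings suit LVS-DR.
check_dr_realserver() {
    rx=$1
    vip_if=${2:-$1}
    # Strict reverse-path filtering (1) drops a packet whose source address is
    # not routed back out of the interface it arrived on. A SYN forwarded by the
    # director over a private VLAN carries the client's public source address.
    if [ "$(effective "$rx" rp_filter)" -eq 1 ]; then
        echo "rp_filter: strict on $rx, forwarded client SYNs can be dropped"
    fi
    # arp_ignore >= 1: reply to ARP only for addresses configured on the
    # receiving interface, so the VIP held on lo is not answered for.
    if [ "$(effective "$vip_if" arp_ignore)" -lt 1 ]; then
        echo "arp_ignore: 0 on $vip_if, realserver can answer ARP for the VIP"
    fi
    # arp_announce = 2: pick the best local address as ARP source, never the VIP.
    if [ "$(effective "$vip_if" arp_announce)" -lt 2 ]; then
        echo "arp_announce: below 2 on $vip_if, VIP can appear as ARP source"
    fi
    return 0
}

# Run against the live host only when interfaces are named on the command line.
if [ "$#" -gt 0 ]; then check_dr_realserver "$@"; fi
```

For the two-VLAN layout described in the thread this would be run on a realserver as `sh check.sh eth0 eth1`, where `check.sh` is a placeholder file name.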
