LVS
lvs-users
Google
 
Web LinuxVirtualServer.org

Re: [lvs-users] Real server not responding back

To: Julian Anastasov <ja@xxxxxx>
Subject: Re: [lvs-users] Real server not responding back
Cc: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Nick Wilson <vicnickw@xxxxxxxxx>
Date: Fri, 3 Apr 2020 12:14:01 +1100
Thanks for your notes.

        If you see traffic on tunl0 then the IPIP header is already
> removed and you see CIP->VIP TCP packet. Before that, you should see
> IPIP DIP->RIP packet on the ens3 (input device).
>
>
My bad, I can see IPIP with a wider tcpdump filter. Flow is like:

ens3: DIP -> RIP (proto IPIP)
tunl0: CIP -> VIP
ens3: VIP -> CIP (length 0)

        OK, kernel sends SYN+ACK ? Note that the server application (the
> listener) may run in mode where it wants to see the first data, so
> the server may not wakeup for this first packet. In this case, the
> kernel still sends the SYN+ACK (3-way handshake performed without
> wakeup). Wakeup occurs on 3th packet which can come with data, eg.
> GET request (if HTTP). Such mode is suitable for servers that
> expect first data from client, eg. HTTP. OTOH, for SMTP, the
> first packet is sent by server, so this mode should not be used
> by the listener (TCP_DEFER_ACCEPT).
>
>
It does like a SYN+ACK. Application on the real-server I'm using to test is
a simple 'python3 -m http.server', which responds to curl on RIP:8000 but
not on VIP:8000.

> This goes on for 4-5 times until timeout on the client.
>
>         So, if you see VIP->CIP SYN+ACK sent by real server, it
> means the ISP filters the packet and it does not reach the
> client. Client retries. Problem in ISP.
>
>
ISP filtering is the most likely cause of this problem, although they say
otherwise.


>         Check the procedure under Q.3. traceroute will send UDP
> traffic VIP->CIP which should generate ICMP errors. Such ICMP
> errors are sent by every hop in the path to client. Then you
> know which hop receives the traffic from real server. Still,
> some hops may refuse to send ICMP, so such test can be confusing.
>
>
I couldn't get the 'traceroute -n -s VIP CIP' command (how-to Q.3) to work,
because the traceroute package on real-server's Ubuntu 18.04 doesn't
support the '-s' (source IP) argument.

Cheers,

Nick
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

<Prev in Thread] Current Thread [Next in Thread>