LVS
lvs-users
Google
 
Web LinuxVirtualServer.org

RE: [lvs-users] LVS-DR generates TONS of icmp unreachables

To: "Joseph Mack" <mack@xxxxxxxxxxx>
Subject: RE: [lvs-users] LVS-DR generates TONS of icmp unreachables
Cc: <wensong@xxxxxxxxxxxx>, "Jerry Glomph Black" <black@xxxxxxxx>, "Julian Anastasov" <uli@xxxxxxxxxxxxxxxxxxxxxx>, <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: "Jivko Velev" <jiko@xxxxxxxxxx>
Date: Thu, 20 Jan 2000 13:21:23 -0800
> > In these cases your VIP will receive
> > ICMP packets /dest unreachable, source quench and friends/ if
> you dont route
>
> is source quench used in Linux? Richard Stevens (TCP protocols, ca 1992)
> says it is deprecated since the TCPIP stack times out at about the same
> time as the source quench packets arrive.

I am not familiar with Linux TCP/IP stack implementation, so i really dont
know is it deprecated or not.

> > When you receive a ICMP packet it contains the full IP header
> of the packet
> > that cause this ICMP to be generated + 64bytes of its data, so you can
> > assume that you have the TCP/UDP header too. So it is possible
> to implements
> > "Persitance rules" for ICMP packages.
>
> In VS-DR the director never sees the replies from the realservers and will
> have no way of knowing which realserver is responsible for these ICMP
> replies. Not seeing the replies is a Good Thing in that it keeps the
> throughput of the LVS high. However it does make monitoring the health of
> the LVS difficult. The problem of PORT_UNREACH is discussed in sect 14.16
> of the HOWTO in this context.

TCP connection is a full duplex connection and as i understood with VS-DR
and VS-TUN Redirector doesnt see only the server-client side of the channel,
but the other side we have TCP confirmation packets flowing from client to
sever and they still go throught the redirector.
Is that true ? If it is not and real server is using his own IP/ but not the
VIP/ when replies you will get into trouble at least with some firewalls.

Jiko

<Prev in Thread] Current Thread [Next in Thread>