Dear all,
We have a problem.
We're setting up LVS and squid in front of our webserver as an
accelerator/load balancer (we're going to add more webservers soon,
however at the moment we've only got one). So:
Director --> Squidaccelerator*2 --> webserver
We're using LVS-DR, and it seems to work quite happily; I changed my
hosts file to the VIP of the Director and was using the site without
any problems.
So, we thought, we'll use iptables/DNAT to direct everything in the
office to the VIP which was destined to the webserver, to give us a
bigger test.
This appeared to work, until someone wanted to upload a file through
http. The thing just hung, and eventually timed out.
Further investigation (after quickly removing the DNAT rule ;-) has
revealed that it is the size of the outgoing packets which is causing
it to fail - some are getting lost, due to being too big, and
something isn't negotiating the MTU properly. Analysis with Ethereal
reveals a large packet missing, and TCP desperately trying to get the
other end to resend it!
The strange thing is that it works fine going directly to the VIP
(just Masquerading outwards), and, perhaps more interestingly, if
there is a DNAT rule direct to Squid, it works also! Which implies
that it's an interaction between LVS and DNAT. (We've got two DSL lines
here, admittedly from roughly the same supplier, but with different
hardware, and symptoms persist whichever one we use.)
Does anyone have any ideas on this, and whether there's anything we
can do about it?
Thanks
Chris Beauchamp
Internet Systems Admin
digitalbrain PLC