
LVS-DR problems

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: LVS-DR problems
From: Matthew Crocker <matthew@xxxxxxxxxxx>
Date: 15 Jan 2003 13:26:27 -0500
Hello list

I'm having a weird problem.  I have an LVS box set up which forwards a
Class C (using fwmark) to a couple real servers.  It appears the packets
coming from the real server going back to the client are getting dropped
by the LVS box for some reason.


I have ethereal running on both LVS interfaces and the real server.

When I try to telnet to the VIP port 80 I see the SYN packet enter the
LVS on e0.  It exits the LVS on e1 and enters the real server on e0. 
The real server sends a SYN,ACK packet back.  I see the SYN,ACK packet
leave the real server. It enters the LVS on e1 but doesn't exit the LVS
on e0.


The Real Server has the LVS box set up as a default gateway.
The LVS box has my core router set up as its default gateway.
The LVS box is set to NAT outbound connections from the real servers' RIP.
NAT'ing is only set up to NAT packets with source of 192.168.15.x (the
Real IPs on the real servers). The VIP is not in that netblock so it
should be NAT'd

IP Forwarding is turned on in the LVS box.  NAT is working for the real
server when it makes direct connections.

The LVS box is also doing LVS-NAT with some other machines on different
ports.

I don't see the packet leaving the LVS box at all. It isn't even getting
NATted that I can tell.  Any help would be appreciated.  I don't think
it is an LVS problem actually but I don't know what to do.

With LVS-DR  the LVS portion of the LVS box should only come into play
when the packets enter the router on e0 and are marked with fwmark 1. 
Packets going from the real server to the client should pass through the
LVS box as if it was a normal router.

Here is my LVS box config.

[root@lvsd-2 sysconfig]# iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  0.0.0.0/0            159.250.20.0/24    tcp dpt:80 MARK set 0x1
MARK       tcp  --  0.0.0.0/0            159.250.20.0/24    tcp dpt:443 MARK set 0x1

[root@lvsd-2 sysconfig]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.15.0/24      0.0.0.0/0

[root@lvsd-2 sysconfig]# ipvsadm -L -n

FWM  1 wlc
  -> 192.168.15.41:0              Route   1      0          0


When I telnet to 159.250.20.1:80 from 63.170.156.3 I see the following packets

src 63.170.156.3:2108 -> 159.250.20.1:80  SYN       *enter LVS on e0
src 63.170.156.3:2108 -> 159.250.20.1:80  SYN       *EXIT LVS on e1
src 63.170.156.3:2108 -> 159.250.20.1:80  SYN       *enter Real Server on e0
src 159.250.20.1:80 -> 63.170.156.3:2108  SYN,ACK   *exit the Real Server on e0
src 159.250.20.1:80 -> 63.170.156.3:2108  SYN,ACK   *enter the LVS on e1
*** I should see the packet leaving the LVS on e0 but I don't


The sequence numbers on the packets match up. The LVS-DR part is working, the 
response part is not.

Where should I be looking?


-- 
Matthew Crocker <matthew@xxxxxxxxxxx>
Crocker Communications, Inc.
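
As an added illustration (not part of the original post and not the poster's code), the Python below parses the rule lines from the two iptables listings above and reports which listed rule matches a given packet from the trace. The function names are hypothetical, and it compares only the listed protocol, address and port fields; it does not model connection tracking or the kernel's routing decision.

```python
import ipaddress
import re

# Rule lines copied from the iptables listings in the post (wrapped lines joined).
MANGLE_PREROUTING = """\
MARK       tcp  --  0.0.0.0/0            159.250.20.0/24    tcp dpt:80 MARK set 0x1
MARK       tcp  --  0.0.0.0/0            159.250.20.0/24    tcp dpt:443 MARK set 0x1
"""
NAT_POSTROUTING = """\
MASQUERADE  all  --  192.168.15.0/24      0.0.0.0/0
"""

def parse_rules(listing):
    """Parse `iptables -L -n` rule lines into dicts of match fields."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or header-like lines
        target, proto, _opt, src, dst = fields[:5]
        dport = re.search(r"dpt:(\d+)", line)
        rules.append({
            "target": target, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dport": int(dport.group(1)) if dport else None,
        })
    return rules

def first_match(rules, proto, src, dst, dport):
    """Return the target of the first rule matching the packet, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("all", proto):
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return None

def classify(proto, src, dst, dport):
    """Report which listed rule matches in mangle PREROUTING and nat POSTROUTING."""
    return {
        "mangle": first_match(parse_rules(MANGLE_PREROUTING), proto, src, dst, dport),
        "nat": first_match(parse_rules(NAT_POSTROUTING), proto, src, dst, dport),
    }
```

Called with the SYN,ACK from the trace, `classify("tcp", "159.250.20.1", "63.170.156.3", 2108)`, it reports no match in either listing, while the inbound SYN matches the MARK rule.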


