|
> > But now I've run out of ideas on what to try next? Any help would
> > be much appreciated?
>
> http://www.ssi.bg/~ja/TUN-HOWTO.txt
>
HI,
I've read Julian's excellent TUN-HOWTO.txt (see:
http://www.ssi.bg/~ja/TUN-HOWTO.txt).
Step 1 as he suggests is to check whether or not the Director is
using a unique address when communicating to the Real Server. The Real
Server's IP (RIP) is 66.98.186.73:
[root@director]# /sbin/ip route get 66.98.186.73
66.98.186.73 via 66.98.226.1 dev eth0 src 66.98.226.52
cache mtu 1500 advmss 1460
I think this looks OK? The source address is the real IP of the
Director not the VIP. The HOWTO suggests the IPIP packets will be dropped
at the Director if the source is the "VIP or another IP address configured
on the Real Server."
This looks fine. Step 2 in the HOWTO suggests to check if the Real
Server is dropping the decapsulated packets, using this command: "ip
route get from CIP to VIP iif tunl0".
My client IP (CIP) is 81.152.187.242, and virtual IP (VIP) is
66.98.227.143. So I do:
[root@realserver]# /sbin/ip route get from 81.152.187.242 to 66.98.227.143 iif
tunl0
Cannot find device "tunl0"
Hmmm ... no 'tunl0'? I assume this refers to one of the interfaces
on the RealServer? eth0?
[root@realserver]# /sbin/ip route get from 81.152.187.242 to 66.98.227.143 iif
eth0
local 66.98.227.143 from 81.152.187.242 dev lo src 66.98.227.143 cache <local>
iif eth0
This looks OK? It seems to say the VIP looks like a local address
on the Real Server and it returns a route to the client via dev lo? The
hidden interface - sounds good. Not sure about the cache <local> bit
though.
So assuming the above test has passed, step 3 in the HOWTO is
to see if the RealServer's gateway passes the packet to the client using
the command, "arp -d GW; traceroute -n -s VIP CIP" on the Real Server. The
Gateway of my Real Server is 66.98.186.1. So I do:
[root@realserver]# /sbin/arp -d 66.98.186.1; traceroute -n -s 66.98.227.143
81.152.187.242
On the Director I do a /usr/bin/tcpdump | tee to truy
[root@director] /usr/sbin/tcpdump | tee look
[root@director] cat look
Below is an excerpt of the tcpdump output:
3712 <nop,nop,timestamp 2036664512 23858358> (DF) [tos 0x10]
18:50:58.928811 ivhou-207-218-245-3.ev1.net > 66.98.227.143: icmp: time
exceeded
in-transit
18:50:58.929089 director.turbo10.com.32768 > ns3.ev1.net.domain: 2509+
PTR? 143
.227.98.66.in-addr.arpa. (44) (DF)
18:50:58.929679 ns3.ev1.net.domain > director.turbo10.com.32768: 2509
NXDomain
0/1/0 (97) (DF)
18:50:58.929943 director.turbo10.com.32768 > ns3.ev1.net.domain: 2510+
PTR? 3.2
45.218.207.in-addr.arpa. (44) (DF)
18:50:58.930798 ns3.ev1.net.domain > director.turbo10.com.32768: 2510*
1/2/2 (1
53) (DF)
18:51:00.581450 director.turbo10.com.48818 > 66.98.186.73.http: S
2825611618:282
5611618(0) win 5840 <mss 1460,sackOK,timestamp 23858555 0,nop,wscale 0>
(DF)
18:51:00.581793 66.98.186.73.http > director.turbo10.com.48818: S
2161123449:216
1123449(0) ack 2825611619 win 5792 <mss 1460,sackOK,timestamp 20967725
23858555,
nop,wscale 0> (DF)
18:51:00.581837 director.turbo10.com.48818 > 66.98.186.73.http: . ack 1
win 5840
<nop,nop,timestamp 23858555 20967725> (DF)
Step 3 of the HOWTO says "after some time we should see
unreachable replies sent from the client". I can't see the client's IP
address in here at all. I don't know how to spot "unreachable replies from
the client".
However, I can see something from my ISP's switch/router/thingy:
18:50:58.928811 ivhou-207-218-245-3.ev1.net > 66.98.227.143: icmp: time
exceeded in-transit
I have no idea if this is good or bad? But the HOWTO goes on to
say "at least we should see on the client the UDP packets generated from
the Real Server."
So I start Ethereal on Windows XP to see if I can see these UDP
packets and re-run the test on the Real Server.
[root@realserver]# arp -d 66.98.186.1; traceroute -n -s 66.98.227.143
81.152.187.242
The first time I started Ethereal I thought I saw 4 UDP packets
but then they stopped. The second time I ran the test Ethereal reports no
UDP packets received by the client at all.
So, Doctor what nasty disease have I got here? Is my ISP blocking
the packets somehow? It seems there is no consistent UDP response from the
client, why is that?
Any ideas on what I should try next?
I should mention I'm using RedHat Enterprise 3.0 installed
straight-out-of-the-box. Is there some default firewall I need to turn off
first?
Any ideas would be much appreciated.
Kind regards,
Nigel
--
Nigel Hamilton
Turbo10 Metasearch Engine
email: nigel@xxxxxxxxxxx
tel: +44 (0) 207 987 5460
fax: +44 (0) 207 987 5468
________________________________________________________________________________
http://turbo10.com Search Deeper. Browse Faster.
|
