Joseph Mack PhD, High Performance Computing & Scientific Visualisation
LMIT, Supporting the EPA Research Triangle Park, NC 919-541-0007 Federal
Infrastructure Contact-Ravi Nair 919-541-5467 - nair.ravi@xxxxxxx,
Federal Visualization Contact - Joe Retzer, Ph.D. 919-541-4190 -
retzer.joseph@xxxxxxx
lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote on 06/17/2005 02:07:05
PM:
> Hello,
>
> I'm trying to setup a simple LVS, one director and one
> realserver using
> LVS-TUN (these machines are on 2 different datacenters).
have you set up LVS-Tun with machines all local, just
to test that you can do it at all, before you try connecting
to a realserver out on the internet?
> On the real, I had tunl0 up and also hidden. Debug:
>
> client# telnet VIP 80
>
> director# tcpdump -ln -i eth0 host RIP
> tcpdump: listening on eth0
OK
> realserver# tcpdump port 80
> tcpdump: listening on eth0
> (and there is nothing coming in)
hmm,
> realserver# tcpdump -i tunl0 port 80
> tcpdump: listening on tunl0
> (and there is also nothing)
don't know whether the packet actually goes through
tunl0, with tunl0 not being a physical device,
so don't know whether you should expect to see
anything here or not.
> director# ipvsadm -L -n
> IP Virtual Server version 1.0.8 (size=65536)
> Prot LocalAddress:Port Scheduler Flags
> -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> TCP VIP:80 wlc
> -> RIP:80 Tunnel 1 0 1
this is usually a routing problem (most people don't have
the route from the RIP to the CIP setup properly) and as
you've found you can't get IPIP packets to the realserver.
Do you have routing from the DIP to the RIP? can you ping the RIP?
> I also wonder if it's the ISP that drops the ip-encapsulated
> packet?
The ISP doesn't know that it's an IPIP packet, unless it opens
it up and looks (which a router isn't going to do).
All the ISP sees is a regular IP packet from DIP to RIP.
The usual problem with the ISP is that the realserver is sending
a packet back to the CIP with src_addr=VIP. Since the VIP is usually
not on the tunnelled realserver's network, the ISP may
block it on the outbound direction, thinking it to be a spoofed
packet.
Joe
|