
Re: LVS-TUN: How to test if ISP allows it?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: LVS-TUN: How to test if ISP allows it?
From: Mack.Joseph@xxxxxxxxxxxxxxx
Date: Mon, 20 Jun 2005 11:30:25 -0400
Joseph Mack PhD, High Performance Computing & Scientific Visualisation
LMIT, Supporting the EPA Research Triangle Park, NC 919-541-0007 Federal
Infrastructure Contact-Ravi Nair 919-541-5467 - nair.ravi@xxxxxxx,
Federal Visualization  Contact - Joe Retzer, Ph.D. 919-541-4190 -
retzer.joseph@xxxxxxx

lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote on 06/17/2005 02:07:05 PM:

> Hello,
>
> I'm trying to set up a simple LVS, one director and one realserver using
> LVS-TUN (these machines are on 2 different datacenters).

have you set up LVS-Tun with machines all local, just
to test that you can do it at all, before you try connecting
to a realserver out on the internet?

> On the real, I had tunl0 up and also hidden. Debug:
>
> client# telnet VIP 80
>
> director# tcpdump -ln -i eth0 host RIP
> tcpdump: listening on eth0

OK

> realserver# tcpdump port 80
> tcpdump: listening on eth0
> (and there is nothing coming in)

hmm,

> realserver# tcpdump -i tunl0 port 80
> tcpdump: listening on tunl0
> (and there is also nothing)

don't know whether the packet actually goes through
tunl0, with tunl0 not being a physical device,
so don't know whether you should expect to see
anything here or not.

> director# ipvsadm -L -n
> IP Virtual Server version 1.0.8 (size=65536)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> TCP  VIP:80 wlc
>   -> RIP:80             Tunnel  1      0          1

this is usually a routing problem (most people don't have
the route from the RIP to the CIP set up properly) and as
you've found you can't get IPIP packets to the realserver.
Do you have routing from the DIP to the RIP? Can you ping the RIP?

> I also wonder if it's the ISP that drops the ip-encapsulated
> packet?

The ISP doesn't know that it's an IPIP packet, unless it opens
it up and looks (which a router isn't going to do).
All the ISP sees is a regular IP packet from DIP to RIP.

The usual problem with the ISP is that the realserver is sending
a packet back to the CIP with src_addr=VIP. Since the VIP is usually
not on the tunnelled realserver's network, the ISP may
block it on the outbound direction, thinking it to be a spoofed
packet.

Joe
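
The two packets discussed in this message, as an added example that is not part of the original post: the tunnelled request (outer header DIP to RIP carrying IP protocol number 4, inner header CIP to VIP) and the realserver's reply with src_addr=VIP, checked against a source-address filter of the kind an ISP applies on egress. All addresses are constructed from documentation ranges, and the function names and the prefix list are assumptions made for the illustration.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IP-in-IP, the encapsulation LVS-TUN uses
IPPROTO_TCP = 6

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]

def describe(pkt):
    """Outer header as routers see it, plus the inner header if it is IPIP."""
    src, dst, proto, payload = parse_ipv4(pkt)
    info = {"outer": (src, dst, proto), "inner": None}
    if proto == IPPROTO_IPIP:
        info["inner"] = parse_ipv4(payload)[:3]
    return info

def egress_allows(src, customer_prefixes):
    """Source-address validation: pass only sources inside the given prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in customer_prefixes)

# Constructed sample addresses (documentation ranges, not from the thread).
CIP, VIP = "198.51.100.7", "192.0.2.10"
DIP, RIP = "192.0.2.1", "203.0.113.20"
REALSERVER_ISP_PREFIXES = ["203.0.113.0/24"]  # assumed network of the realserver

tcp_stub = bytes(20)  # placeholder TCP header; its contents do not matter here
inner = ipv4_header(CIP, VIP, IPPROTO_TCP, len(tcp_stub)) + tcp_stub
tunnelled = ipv4_header(DIP, RIP, IPPROTO_IPIP, len(inner)) + inner
reply = ipv4_header(VIP, CIP, IPPROTO_TCP, len(tcp_stub)) + tcp_stub

if __name__ == "__main__":
    print("director -> realserver:", describe(tunnelled))
    reply_src = parse_ipv4(reply)[0]
    print("reply src", reply_src, "passes egress filter:",
          egress_allows(reply_src, REALSERVER_ISP_PREFIXES))
```

On the realserver's physical interface, the capture filter `ip proto 4` matches the outer header of the tunnelled packets; `port 80` does not, because the outer header's protocol is not TCP.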

