OK, problem solved (man, it feels good!). I turned off the firewall on
the realserver and it works, so I don't have to wonder about changing ISP,
and I have a clue about what to do next. Thank you Joe and everyone.
Son Nguyen
> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf
> Of Mack.Joseph@xxxxxxxxxxxxxxx
> Sent: Monday, June 20, 2005 8:30 AM
> To: LinuxVirtualServer.org users mailing list.
> Subject: Re: LVS-TUN: How to test if ISP allows it?
>
> Joseph Mack PhD, High Performance Computing & Scientific
> Visualisation LMIT, Supporting the EPA Research Triangle
> Park, NC 919-541-0007 Federal Infrastructure Contact-Ravi
> Nair 919-541-5467 - nair.ravi@xxxxxxx, Federal Visualization
> Contact - Joe Retzer, Ph.D. 919-541-4190 - retzer.joseph@xxxxxxx
>
> lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote on 06/17/2005 02:07:05
> PM:
>
> > Hello,
> >
> > I'm trying to setup a simple LVS, one director and one realserver
> > using LVS-TUN (these machines are on 2 different datacenters).
>
> have you set up LVS-Tun with machines all local, just to test
> that you can do it at all, before you try connecting to a
> realserver out on the internet?
>
> > On the real, I had tunl0 up and also hidden. Debug:
> >
> > client# telnet VIP 80
> >
> > director# tcpdump -ln -i eth0 host RIP
> > tcpdump: listening on eth0
>
> OK
>
> > realserver# tcpdump port 80
> > tcpdump: listening on eth0
> > (and there is nothing coming in)
>
> hmm,
>
> > realserver# tcpdump -i tunl0 port 80
> > tcpdump: listening on tunl0
> > (and there is also nothing)
>
> don't know whether the packet actually goes through tunl0,
> with tunl0 not being a physical device, so don't know whether
> you should expect to see anything here or not.
>
> > director# ipvsadm -L -n
> > IP Virtual Server version 1.0.8 (size=65536)
> > Prot LocalAddress:Port Scheduler Flags
> >   -> RemoteAddress:Port   Forward Weight ActiveConn InActConn
> > TCP  VIP:80 wlc
> >   -> RIP:80               Tunnel  1      0          1
>
> this is usually a routing problem (most people don't have the
> route from the RIP to the CIP setup properly) and as you've
> found you can't get IPIP packets to the realserver.
> Do you have routing from the DIP to the RIP? can you ping the RIP?
>
> > I also wonder if it's the ISP that drops the ip-encapsulated packet?
>
> The ISP doesn't know that it's an IPIP packet, unless it
> opens it up and looks (which a router isn't going to do).
> All the ISP sees is a regular IP packet from DIP to RIP.
>
> The usual problem with the ISP is that the realserver is
> sending a packet back to the CIP with src_addr=VIP. Since the
> VIP is usually not on the tunnelled realserver's network, the
> ISP may block it on the outbound direction, thinking it to be
> a spoofed packet.
>
> Joe
>
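An added illustration, not part of the original thread: in LVS-TUN the director wraps the client's packet (CIP to VIP) in an outer IP header (DIP to RIP) carrying IP protocol 4, so a capture filter or firewall rule that matches only TCP port 80 in the outer header does not match the tunnelled packet. The addresses are constructed documentation-range values and the helper names are hypothetical.

```python
import ipaddress
import struct

IPIP, TCP = 4, 6  # IP protocol numbers: IP-in-IP encapsulation, TCP

def ipv4(src, dst, proto, payload):
    """Prepend a minimal 20-byte IPv4 header (checksum left 0 for this sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def parse(pkt):
    """Return (src, dst, proto, payload) for one IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]

def unwrap(pkt):
    """List (src, dst, proto) per header, outermost first, following IPIP nesting."""
    headers = []
    while True:
        src, dst, proto, payload = parse(pkt)
        headers.append((src, dst, proto))
        if proto != IPIP:
            return headers
        pkt = payload

def outer_is_tcp_port(pkt, port):
    """What a 'tcp port N' rule sees: it inspects the outer header only."""
    _, _, proto, payload = parse(pkt)
    if proto != TCP or len(payload) < 4:
        return False
    sport, dport = struct.unpack("!HH", payload[:4])
    return port in (sport, dport)

def outer_is_ipip_from(pkt, director):
    """Rule that does match tunnelled traffic: protocol 4 sent by the director."""
    src, _, proto, _ = parse(pkt)
    return proto == IPIP and src == director

# Constructed sample: client SYN to VIP:80, as the director would tunnel it.
CIP, VIP, DIP, RIP = "198.51.100.7", "192.0.2.10", "203.0.113.1", "203.0.113.130"
syn = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)
inner = ipv4(CIP, VIP, TCP, syn)
tunnelled = ipv4(DIP, RIP, IPIP, inner)
```

On the realserver's physical interface the matching tcpdump filter is `ip proto 4`, and a host firewall there has to accept protocol 4 from the DIP for the inner packet to reach tunl0.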