Hmmm, after investigating, it appears that the LVS server is routing
traffic to the wrong IP address for traffic coming from the ftp-data
port of the real-server. With the LBs running 2.4, this traffic is
coming from the correct alias on the LB, but with the LBs running 2.6,
the traffic is coming from the external IP address of the LB itself,
and not the external alias the FTP traffic is directed to. Thus the
FTP client tries to connect to the ftp-data port on the LB, and of
course bombs out with "connection refused". Not sure how I missed
this before, but I'm not sure how to fix it either.
--Don
On Tue, 2005-08-30 at 22:19 -0400, Roger Tsang wrote:
> Okay. What does tcpdump on the client side say? Look at where the
> packet was last seen.
>
> Roger
>
> On 8/30/05, Donald J Giuliano <guido@xxxxxxxxxxxxxxxxxxxxx> wrote:
> It seems as though it would have something to do with that, but why
> then does active FTP work with the load-balancers running 2.4.26?
> The FTP clients behind a NAT (i.e., our users) work fine with the
> load-balancers running 2.4.26, but not with the ones running
> 2.6.12. It's the same NAT on the client side either way.
>
> --Don
>
> On Tue, 2005-08-30 at 17:35 -0400, Roger Tsang wrote:
> > Your NAT firewall is blocking active FTP.
> >
> > Roger
> >
> >
> > On 8/30/05, Donald J Giuliano <guido@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > Actually, to clarify, it is only active FTP that fails on the new
> > load-balancers. Passive FTP works fine. It should also be noted that
> > active FTP has no trouble whatsoever on the current machines running
> > 2.4.26.
> >
> > --Don
> >
> > On Tue, 2005-08-30 at 17:30 +0000, Donald J Giuliano wrote:
> > > Hi,
> > >
> > > I'm currently working to migrate two linux-2.4/keepalived IPVS
> > > load-balancers to new machines running linux-2.6/keepalived.
> > > Everything works perfectly on the old setup, but on the new machines
> > > the load-balanced FTP fails when the client is behind a NAT
> > > firewall. I'm running the Antefacto ipvs-nfct patch on both the 2.4.26
> > > and 2.6.12 configuration so that the LBs can also function as
> > > firewalls. I have made no changes to the iptables configuration,
> > > other than removing some superfluous rules filtering "unclean" packets,
> > > which aren't supported in 2.6 anyway. All the same IPVS kernel modules
> > > are loaded on both machines. The keepalived configurations are
> > > identical. Any idea what would cause this problem?
> > >
> >
> > _______________________________________________
> > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > or go to http://www.in-addr.de/mailman/listinfo/lvs-users
> >
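An added example, not part of the original thread: a check over a client-side `tcpdump -nn` text capture for the symptom described in the top message, where the ftp-data (port 20) connection arrives from an address other than the one the FTP control connection was opened to. The function name, the capture lines and the addresses (documentation ranges standing in for the client, the LB alias and the LB's own external IP) are all constructed for illustration.

```python
import re

# Matches the address/port/flags part of a `tcpdump -nn` TCP line, e.g.
# "12:00:01.0 IP 198.51.100.7.40112 > 203.0.113.10.21: Flags [S], ..."
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"Flags \[([^\]]+)\]"
)

def find_mismatched_data_sources(lines):
    """Return (client, control_addr, data_src) for every active-mode data SYN
    whose source differs from the address the client's control connection
    was opened to."""
    control = {}    # client IP -> address it connected to on port 21
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags != "S":            # initial SYNs only, skip SYN-ACKs and data
            continue
        if dport == "21":           # client opens the control connection
            control[src] = dst
        elif sport == "20" and dst in control and src != control[dst]:
            findings.append((dst, control[dst], src))
    return findings

# Constructed capture: 203.0.113.10 plays the LB alias the FTP service is
# directed to, 203.0.113.2 the LB's own external address.
SAMPLE = [
    "12:00:01.000000 IP 198.51.100.7.40112 > 203.0.113.10.21: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000300 IP 203.0.113.10.21 > 198.51.100.7.40112: Flags [S.], seq 9, ack 2, win 65160, length 0",
    "12:00:03.500000 IP 203.0.113.2.20 > 198.51.100.7.40113: Flags [S], seq 5, win 64240, length 0",
    "12:00:07.000000 IP 198.51.100.8.51000 > 203.0.113.10.21: Flags [S], seq 3, win 64240, length 0",
    "12:00:09.000000 IP 203.0.113.10.20 > 198.51.100.8.51001: Flags [S], seq 7, win 64240, length 0",
]

if __name__ == "__main__":
    for client, expected, actual in find_mismatched_data_sources(SAMPLE):
        print(f"{client}: control to {expected}, ftp-data SYN from {actual}")
```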