I have verified a couple of times that, with one customer in
particular, IPVS has sent incoming requests to a RS that had been
deleted from the active set of RSes by keepalived. I verified first
that 'ipvsadm -lnf 11' (this customer's site is fwmark 11) showed only
the still-alive RS, but then I made a request, and it went to the
deleted RS. This was verified using tcpdump on the RS.

At the time, of course, the customer was panicking, so the first
action taken was to fail over to the other LVS machine. When we did
that, everything started working as desired. Unfortunately, that
leaves us with little opportunity to further troubleshoot the problem.

So, my question is this. Are there any known reasons for this type of
behavior to occur? I realized just today that the kernel is compiled
without module support for security reasons, but that netfilter
connection tracking is compiled in. I seem to recall reading long ago
that connection tracking and IPVS don't mix very well. Could this
lead to my problem? What else could cause it? What steps can I take
to gather more information?
--
Casey Zacek
Senior Engineer
NeoSpire, Inc.