Gerry Reno wrote:
> I have setup a stanza in keepalived.conf for SSH to use an alternate
> port. But whenever I try to ssh into the VIP on the alternate port I
> get a "No route to host". It looks like it gets to the director but it
> never gets to the real server. I see an immediate inactive connection
> in IPVS. All firewalls on both directors and real servers are down.
> keepalived is 1.1.13. All the other IPVS traffic is behaving correctly,
> 80, 8080, 443.
>
> ????
>
> Gerry
>
>
> =====================================================
> On a non-director machine:
> # ssh -p 33322 -v root@xxxxxxxxxxxxx
> OpenSSH_4.5p1, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to 192.168.1.240 [192.168.1.240] port 33322.
> debug1: connect to address 192.168.1.240 port 33322: No route to host
> ssh: connect to host 192.168.1.240 port 33322: No route to host
>
>
> On director:
> # ipvsadm -ln
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
> -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> TCP 192.168.1.240:443 rr persistent 600
> -> 192.168.1.201:443 Route 1 0 0
> -> 192.168.1.200:443 Route 1 0 0
> TCP 192.168.1.240:33322 rr persistent 600
> -> 192.168.1.26:22 Route 1 0 0
> -> 192.168.1.25:22 Route 1 0 1
>
>
> keepalived.conf:
> ...
> virtual_server 192.168.1.240 33322 {
> delay_loop 5
> lb_algo rr
> lb_kind DR
> persistence_timeout 600
> protocol TCP
>
> real_server 192.168.1.25 22 {
> weight 1
> inhibit_on_failure
> TCP_CHECK {
> connect_port 22
> connect_timeout 3
> nb_get_retry 3
> delay_before_retry 1
> }
> }
> real_server 192.168.1.26 22 {
> weight 1
> inhibit_on_failure
> TCP_CHECK {
> connect_port 22
> connect_timeout 3
> nb_get_retry 3
> delay_before_retry 1
> }
> }
> }
> ...
>
> master director:
> # ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> qlen 1000
> link/ether 00:0c:29:a7:c7:33 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.150/24 brd 192.168.1.255 scope global eth0
> inet 192.168.1.240/24 scope global secondary eth0
> inet6 fe80::20c:29ff:fea7:c733/64 scope link
> valid_lft forever preferred_lft forever
>
> backup director:
> # ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet 192.168.1.240/32 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> qlen 1000
> link/ether 00:0c:29:54:ef:09 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.151/24 brd 192.168.1.255 scope global eth0
> inet6 fe80::20c:29ff:fe54:ef09/64 scope link
> valid_lft forever preferred_lft forever
>
> realservers:
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> qlen 1000
> link/ether 00:18:f8:0b:55:54 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.25/24 brd 192.168.1.255 scope global eth0
> inet6 fe80::218:f8ff:fe0b:5554/64 scope link
> valid_lft forever preferred_lft forever
>
>
I'm also seeing a lot of these in /var/log/secure:
Sep 19 23:22:12 grp-01-20-01 sshd[22408]: Did not receive identification
string from 192.168.1.150
Sep 19 23:39:42 grp-01-20-01 sshd[22868]: Did not receive identification
string from 192.168.1.150
Sep 19 23:39:47 grp-01-20-01 sshd[22871]: Did not receive identification
string from 192.168.1.150
which I'm assuming is from TCP_CHECK
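Two checks that bear on the setup quoted above, as an added example and not code from the original post or from keepalived. First: IPVS only rewrites the destination port in NAT (Masq) mode; with DR ("Route") or TUN ("Tunnel") forwarding the frame reaches the real server with the VIP's destination port intact, so a DR virtual_server on port 33322 can only be served by a daemon listening on 33322 on the real servers. The parser below reads `ipvsadm -ln` output and flags Route/Tunnel entries whose real-server port differs from the virtual port. Second: sshd logs "Did not receive identification string" when a client connects and disconnects without sending a banner, which is what TCP_CHECK does; the second function counts those lines per source and separates known director addresses from anything else. The ipvsadm text is constructed to match the thread's output; the log sample repeats the thread's lines plus one constructed line from 10.0.0.9 so the "other" bucket is exercised. The director addresses 192.168.1.150 and 192.168.1.151 are taken from the `ip addr` output above.

```python
"""Checks for the LVS-DR / keepalived setup discussed in the thread.

Added example, not part of the original post or of keepalived itself.
Sample inputs below are constructed to match the thread's output.
"""
import re

# Constructed to match the `ipvsadm -ln` output quoted in the thread.
IPVSADM_SAMPLE = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.240:443 rr persistent 600
  -> 192.168.1.201:443            Route   1      0          0
  -> 192.168.1.200:443            Route   1      0          0
TCP  192.168.1.240:33322 rr persistent 600
  -> 192.168.1.26:22              Route   1      0          0
  -> 192.168.1.25:22              Route   1      0          1
"""

# The thread's three /var/log/secure lines plus one constructed line
# from an address that is not a director (10.0.0.9 is hypothetical).
SECURE_LOG_SAMPLE = """\
Sep 19 23:22:12 grp-01-20-01 sshd[22408]: Did not receive identification string from 192.168.1.150
Sep 19 23:39:42 grp-01-20-01 sshd[22868]: Did not receive identification string from 192.168.1.150
Sep 19 23:39:47 grp-01-20-01 sshd[22871]: Did not receive identification string from 192.168.1.150
Sep 19 23:40:01 grp-01-20-01 sshd[22880]: Did not receive identification string from 10.0.0.9
"""

_VS_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(.*)$")
_RS_RE = re.compile(
    r"^\s*->\s+(\S+):(\d+)\s+(Route|Masq|Tunnel)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_ipvsadm(text):
    """Return (proto, vip, vport, rip, rport, forward) for every real server."""
    entries = []
    current = None
    for line in text.splitlines():
        m = _VS_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), int(m.group(3)))
            continue
        m = _RS_RE.match(line)
        if m and current is not None:
            proto, vip, vport = current
            entries.append((proto, vip, vport, m.group(1),
                            int(m.group(2)), m.group(3)))
    return entries


def port_mismatches(text):
    """Real servers that can never see the VIP port: in Route (DR) and
    Tunnel mode IPVS does not rewrite the destination port, so the
    real-server port must equal the virtual port."""
    return [e for e in parse_ipvsadm(text)
            if e[5] in ("Route", "Tunnel") and e[2] != e[4]]


_NOID_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (\S+)")


def banner_drops_by_source(log_text, director_ips):
    """Count 'Did not receive identification string' per source address.

    Returns (from_directors, others): connections from director_ips are
    the expected footprint of TCP_CHECK; anything else deserves a look.
    """
    from_directors, others = {}, {}
    for line in log_text.splitlines():
        m = _NOID_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        bucket = from_directors if src in director_ips else others
        bucket[src] = bucket.get(src, 0) + 1
    return from_directors, others


if __name__ == "__main__":
    for proto, vip, vport, rip, rport, fwd in port_mismatches(IPVSADM_SAMPLE):
        print(f"{proto} {vip}:{vport} -> {rip}:{rport} via {fwd}: "
              f"{fwd} mode does not rewrite port {vport}; "
              f"the real server must listen on {vport}")
    checks, others = banner_drops_by_source(
        SECURE_LOG_SAMPLE, {"192.168.1.150", "192.168.1.151"})
    print("banner drops from directors (health checks):", checks)
    print("banner drops from other sources:", others)
```

To run it against a live director, replace `IPVSADM_SAMPLE` with the output of `ipvsadm -ln` and the log sample with `/var/log/secure`; the 443 entries pass because the virtual and real ports match, while both 33322 -> 22 real servers are reported.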