[lvs-users] solved: last FIN-ACK eaten (by iptables)

To:	lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject:	[lvs-users] solved: last FIN-ACK eaten (by iptables)
From:	"Laurentiu C. Badea (L.C.)" <lc@xxxxxxxx>
Date:	Wed, 10 Sep 2008 12:24:03 -0700

I was writing this earlier as a problem report but since I solved it, Ithought others may benefit from my waste of time.


I had a simple LVS-NAT configuration where LVS lives on a gateway:

  CIP - VIP/LVS - RIP

LVS does run iptables but fairly open, INPUT allows all incoming trafficfor the VIP, OUTPUT allows NEW,ESTABLISHED,RELATED states and FORWARD isopen (for what it's worth, I think ipvs does not go through there atall). So that worked fine.

Until I noticed the real server has many connections in FIN_WAIT2 state.They have the same timeout as TIME_WAIT so I was gonna let it go, butthen I looked at the client and all of them were in LAST_ACK state. Theclient kept resending FIN-ACKs, none of which made it to the server atall. On the LVS, ipvsadm -Lc shows connections in TIME_WAIT state so itdid get them.

Well, long story short, the OUTPUT chain blocked *only* that FIN-ACKpacket for some odd reason. I was sure that ipvs is shortcircuitingiptables and bypassing OUTPUT, but I guess I misinterpreted the littlemap in the HOWTO. All the other packets matched the "NEW" rule. Thiswould would have ended up as INVALID probably. I am now adding rules toallow all OUTPUT towards the RIPs, stateless.


This is how it looked from the network side:
Incoming traffic to LVS (CIP->VIP)
  0.016862  CIP -> VIP HTTP HEAD / HTTP/1.1
  0.017193 VIP -> CIP  [ACK] Seq=1 Ack=117 Win=5888 Len=0
  0.021949 VIP -> CIP  [TCP segment of a reassembled PDU]
  0.022173 VIP -> CIP  [FIN, ACK] Seq=195 Ack=117 Win=5888 Len=0
  0.034046  CIP -> VIP [ACK] Seq=117 Ack=195 Win=6912 Len=0
 *0.046042  CIP -> VIP [FIN, ACK] Seq=117 Ack=196 Win=6912 Len=0*
the above packet does not make it, beyond here retransmits only
  0.250217 VIP -> CIP  [FIN, ACK] Seq=195 Ack=117 Win=5888 Len=0
  0.260110  CIP -> VIP [FIN, ACK] Seq=117 Ack=196 Win=6912 Len=0

0.267333 CIP -> VIP [TCP Dup ACK 11#1] [ACK] Seq=118 Ack=196Win=6912 Len=0 SLE=195 SRE=196

  0.705855  CIP -> VIP [FIN, ACK] Seq=117 Ack=196 Win=6912 Len=0

Coming out the other end towards RIP:
  0.016847  CIP -> RIP HTTP HEAD / HTTP/1.1
  0.017119 RIP -> CIP  [ACK] Seq=1 Ack=117 Win=5888 Len=0
  0.021873 RIP -> CIP  [TCP segment of a reassembled PDU]
  0.022115 RIP -> CIP  [FIN, ACK] Seq=195 Ack=117 Win=5888 Len=0
  0.034021  CIP -> RIP [ACK] Seq=117 Ack=195 Win=6912 Len=0
only two retransmits seen:
  0.250147 RIP -> CIP  [FIN, ACK] Seq=195 Ack=117 Win=5888 Len=0

0.267312 CIP -> RIP [TCP Previous segment lost] [ACK] Seq=118Ack=196 Win=6912 Len=0 SLE=195 SRE=196


The kernel is 2.6.20 with ipvsadm 1.24 (Fedora 5).

--
Laurentiu

lc.vcf
Description: Vcard

<Prev in Thread]	Current Thread	[Next in Thread>
[lvs-users] solved: last FIN-ACK eaten (by iptables), Laurentiu C. Badea (L.C.) <= Re: [lvs-users] solved: last FIN-ACK eaten (by iptables), Joseph Mack NA3T Re: [lvs-users] solved: last FIN-ACK eaten (by iptables), Laurentiu C. Badea (L.C.) Re: [lvs-users] solved: last FIN-ACK eaten (by iptables), Brian Ghidinelli Re: [lvs-users] solved: last FIN-ACK eaten (by iptables), Christian Balzer Re: [lvs-users] solved: last FIN-ACK eaten (by iptables), Laurentiu C. Badea (L.C.)

Previous by Date:	Re: [lvs-users] LVS-NAT Problems, Joseph Mack NA3T
Next by Date:	Re: [lvs-users] solved: last FIN-ACK eaten (by iptables), Joseph Mack NA3T
Previous by Thread:	[lvs-users] LVS-NAT Problems, Zack Gilburd
Next by Thread:	Re: [lvs-users] solved: last FIN-ACK eaten (by iptables), Joseph Mack NA3T
Indexes:	[Date] [Thread] [Top] [All Lists]