On Fri, 2008-11-21 at 10:13 -0500, Eli Ben-Shoshan wrote:
<snip>
> So now that I have detailed my setup, here is my problem:
>
> When a machine not on these networks tries to access 128.227.74.138:80
>
> 1) the director gets the packet on eth1
> 2) the director replaces the destination mac address of the packet with the
> mac
> address of the realserver and injects it back into the network
> 3) the realserver gets it on its eth1 interface
>
> and this is where I have a problem. At this point, the realserver seems to
> not
> know how to reply back to the client since I am seeing that the realserver is
> generating ICMP host unreachable on the lo interface. Here is the tcpdump
> output. Note that the IP of the machine making the request is 128.227.212.87.
>
> misc07 ~ # tcpdump -s 0 -vv -Z nobody -i lo -n
> tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535
> bytes
> 09:55:35.201415 IP (tos 0xc0, ttl 64, id 5683, offset 0, flags [none], proto
> ICMP (1), length 88) 128.227.74.138 > 128.227.74.138: ICMP host
> 128.227.212.87
> unreachable, length 68
> IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
> length
> 60) 128.227.74.138.80 > 128.227.212.87.45432: S, cksum 0x0668 (correct),
> 1327391410:1327391410(0) ack 3340736982 win 5792 <mss 1460,sackOK,timestamp
> 39702124 872235241,nop,wscale 7>
> 09:55:35.201422 IP (tos 0xc0, ttl 64, id 5684, offset 0, flags [none], proto
> ICMP (1), length 88) 128.227.74.138 > 128.227.74.138: ICMP host
> 128.227.212.87
> unreachable, length 68
> IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
> length
> 60) 128.227.74.138.80 > 128.227.212.87.45432: S, cksum 0x037a (correct),
> 1327391410:1327391410(0) ack 3340736982 win 5792 <mss 1460,sackOK,timestamp
> 39702874 872235241,nop,wscale 7>
So the realserver is telling itself that it can't get the packets back
to the client. Looks like a routing problem to me.
Given the mass of detail you gave, I'd suggest you see what the iproute2
tools think your routing table is for getting packets back to the
clients from the realserver, because it's clearly tied in a knot.
/sbin/ip route show table local
/sbin/ip route show table main
If that doesn't help, look at your iptables rules. Something is causing
that ICMP message to be generated.
Graeme
|