Graeme Fowler wrote:
> On Fri, 2008-11-21 at 10:13 -0500, Eli Ben-Shoshan wrote:
> <snip>
>> So now that I have detailed my setup, here is my problem:
>>
>> When a machine not on these networks tries to access 128.227.74.138:80
>>
>> 1) the director gets the packet on eth1
>> 2) the director replaces the destination mac address of the packet with the
>> mac
>> address of the realserver and injects it back into the network
>> 3) the realserver gets it on its eth1 interface
>>
>> and this is where I have a problem. At this point, the realserver seems to
>> not
>> know how to reply back to the client since I am seeing that the realserver
>> is
>> generating ICMP host unreachable on the lo interface. Here is the tcpdump
>> output. Note that the IP of the machine making the request is 128.227.212.87.
>>
>> misc07 ~ # tcpdump -s 0 -vv -Z nobody -i lo -n
>> tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535
>> bytes
>> 09:55:35.201415 IP (tos 0xc0, ttl 64, id 5683, offset 0, flags [none], proto
>> ICMP (1), length 88) 128.227.74.138 > 128.227.74.138: ICMP host
>> 128.227.212.87
>> unreachable, length 68
>> IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
>> length
>> 60) 128.227.74.138.80 > 128.227.212.87.45432: S, cksum 0x0668 (correct),
>> 1327391410:1327391410(0) ack 3340736982 win 5792 <mss 1460,sackOK,timestamp
>> 39702124 872235241,nop,wscale 7>
>> 09:55:35.201422 IP (tos 0xc0, ttl 64, id 5684, offset 0, flags [none], proto
>> ICMP (1), length 88) 128.227.74.138 > 128.227.74.138: ICMP host
>> 128.227.212.87
>> unreachable, length 68
>> IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
>> length
>> 60) 128.227.74.138.80 > 128.227.212.87.45432: S, cksum 0x037a (correct),
>> 1327391410:1327391410(0) ack 3340736982 win 5792 <mss 1460,sackOK,timestamp
>> 39702874 872235241,nop,wscale 7>
>
> So the realserver is telling itself that it can't get the packets back
> to the client. Looks like a routing problem to me.
>
> Given the mass of detail you gave, I'd suggest you see what the iproute2
> tools think your routing table is for getting packets back to the
> clients from the realserver, because it's clearly tied in a knot.
>
> /sbin/ip route show table local
> /sbin/ip route show table main
>
> If that doesn't help, look at your iptables rules. Something is causing
> that ICMP message to be generated.
>
> Graeme
>
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
So after further investigation with tcpdump, I think I know what the problem is.
When the realserver arps for the gateway's mac address, it does not get a
response. The reason for this is that the realserver's IP address is not on the
same network as the gateway. The realserver's IP address is 192.168.74.81 and
the IP of the gateway is 128.227.74.126. Here is the relevant section of the
tcpdump:
16:00:52.119149 arp who-has 128.227.74.126 tell 192.168.74.81
After talking to my network people, they tell me that this is explicitly not
allowed by their current configs. Has anyone run into this problem before?
--
Eli Ben-Shoshan ebs@xxxxxxx
IT Expert
University of Florida/Computing and Networking Services (UFCNS)
VOX: (352) 392-2061 FAX: (352) 392-9440
|