Re: [lvs-users] Firewall on LVS NAT

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Firewall on LVS NAT
From: Chris Chen <chchen@xxxxxxx>
Date: Mon, 09 Aug 2010 10:55:56 -0700

I brought it up on this list a month or two ago, and it sort of  
floundered a bit--

The problem we're seeing is a failure during the initial SSL  
handshake, this is for IMAP over SSL (or, in that case, any  
"anonymous" connection)--
They seem to get into a retransmit loop right after the client sends  
the Change Cipher Spec message.

I didn't see it with any other client OS, and by that, I mean, if I  
saw a timeout, the retransmit worked correctly and the handshake was  
able to continue.

cc

-- 
Chris Chen <chchen@xxxxxxx>
UNIX Systems Administrator
Office of Information Technologies
Portland State University


Quoting Jay Faulkner <jay.faulkner@xxxxxxxxxxxxx>:

>> -----Original Message-----
>> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:lvs-users-
>> bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Chris Chen
>> Sent: Monday, August 09, 2010 12:37 PM
>> To: LinuxVirtualServer.org users mailing list.; Brent Jensen
>> Subject: Re: [lvs-users] Firewall on LVS NAT
>>
>> Do you see this behavior with LVS-DR as well? I've got a few -DR directors
>> running RHEL4 and RHEL5 that are causing all sorts of trouble with Windows 7
>> hosts, and ACK FIN/ACK RST with SSL handshakes--these problems seem to
>> go away in testing with LVS-NAT, but if you're having trouble with NAT in
>> production, part of me is wondering if we're heading down another dark
>> path...
>>
>
> The real key to LVS-NAT is to *not* run NAT rules on /any/ traffic  
> that travels through LVS. That will avoid any bug I've ever  
> encountered. If you must, then just run the NFCT patch.
>
> What are your problems with LVS-DR? Are there bugs filed, etc? I'm  
> sure if there's a systemic problem that the devs will want to  
> resolve it asap.
>
>
> Jason Faulkner
> Linux Engineer, Rackspace Email & Apps
> jason.faulkner@xxxxxxxxxxxxx
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
>




