Okay. I'm not sure this is the best approach, but adding a simple
iptables rule for each of the VIPs, to accept any traffic, seems to fix
the issue of it being stuck in ESTABLISHED.
Thanks again for pointing me in the right direction. One of these days
I'll have to remember that tcpdump sees packets before iptables, while
everything else happens after iptables rules are applied.
For anyone else looking at this thread in the archives, here's the total
list of modifications in the /etc/sysconfig/iptables, from the stock
RHEL 6.5 setup, that seem to get it working; be sure to substitute in
the correct values for DIR1IP, DIR2IP, VIP1, and VIP2:
> #VRRP multicast for keepalived
> -A INPUT -d 224.0.0.18/32 -s DIR1IP/32 -j ACCEPT
> -A INPUT -d 224.0.0.18/32 -s DIR2IP/32 -j ACCEPT
> #IPVS connection syncing for keepalived
> -A INPUT -d 224.0.0.81/32 -s DIR1IP/32 -j ACCEPT
> -A INPUT -d 224.0.0.81/32 -s DIR2IP/32 -j ACCEPT
> #All connections for virtual IPs (VIP1 and VIP2)
> -A INPUT -d VIP1/32 -j ACCEPT
> -A INPUT -d VIP2/32 -j ACCEPT
Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University
http://marylou.byu.edu
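To make the placeholder substitution and a post-change check repeatable, here is a small POSIX shell helper. It is an added example, not part of the thread or of keepalived/LVS; `render_rules`, `missing_rules` and the sample dump are all my own, and every address in the sample (192.0.2.x) is a constructed documentation value, not one from the list posts. `render_rules` prints the rule set from the message for a given pair of director IPs and VIPs after a basic IPv4 sanity check, and `missing_rules` reports how many of those rules are absent from an `iptables-save` style dump, matching by option pairs so that the order in which `iptables-save` prints `-s` and `-d` does not matter.

```sh
#!/bin/sh
# Added example (not from the thread): render the keepalived/IPVS iptables
# rules from the message for a given set of directors and VIPs, and check an
# iptables-save style dump for their presence.

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for oct in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set from the message with the four placeholders filled in.
# Usage: render_rules DIR1IP DIR2IP VIP1 VIP2
render_rules() {
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    cat <<EOF
#VRRP multicast for keepalived
-A INPUT -d 224.0.0.18/32 -s $1/32 -j ACCEPT
-A INPUT -d 224.0.0.18/32 -s $2/32 -j ACCEPT
#IPVS connection syncing for keepalived
-A INPUT -d 224.0.0.81/32 -s $1/32 -j ACCEPT
-A INPUT -d 224.0.0.81/32 -s $2/32 -j ACCEPT
#All connections for virtual IPs (VIP1 and VIP2)
-A INPUT -d $3/32 -j ACCEPT
-A INPUT -d $4/32 -j ACCEPT
EOF
}

# Return 0 if a line in dump file $2 carries every "-flag value" pair of
# rule $1, in any order (iptables-save may print -s before -d).
rule_present() {
    dump=$2
    set -- $1
    candidates=$(grep -F -- "$1 $2" "$dump")       # the "-A INPUT" pair
    shift 2
    while [ $# -ge 2 ]; do
        candidates=$(printf '%s\n' "$candidates" | grep -F -- " $1 $2")
        [ -n "$candidates" ] || return 1
        shift 2
    done
    return 0
}

# Print how many of the rendered rules are missing from dump file $5.
# Usage: missing_rules DIR1IP DIR2IP VIP1 VIP2 DUMPFILE
missing_rules() {
    dump=$5
    rules=$(render_rules "$1" "$2" "$3" "$4") || return 1
    missing=0
    old_ifs=$IFS
    IFS='
'
    for rule in $rules; do
        IFS=$old_ifs
        case $rule in '#'*) continue ;; esac
        rule_present "$rule" "$dump" || missing=$((missing + 1))
    done
    IFS=$old_ifs
    echo "$missing"
}

# Write a constructed iptables-save style dump to file $1: stock RHEL 6 rules
# plus the keepalived rules, deliberately lacking the second VIP rule.
write_sample_dump() {
    cat > "$1" <<'EOF'
# Constructed sample in iptables-save format, not a real capture
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.11/32 -d 224.0.0.18/32 -j ACCEPT
-A INPUT -s 192.0.2.12/32 -d 224.0.0.18/32 -j ACCEPT
-A INPUT -s 192.0.2.11/32 -d 224.0.0.81/32 -j ACCEPT
-A INPUT -s 192.0.2.12/32 -d 224.0.0.81/32 -j ACCEPT
-A INPUT -d 192.0.2.100/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

On a live director the dump argument would be the output of `iptables-save` (or /etc/sysconfig/iptables itself), so a non-zero count after `service iptables restart` tells you which of the six rules did not survive the edit. Note that the two VIP rules accept every protocol and port toward the VIPs; once the service set is known, restricting them to the forwarded ports (`-p tcp --dport ...`) keeps the rest of the stock INPUT policy in force for those addresses.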
On 07/29/2014 08:40 AM, Lloyd Brown wrote:
> Frank,
>
> Okay. So disabling SELinux didn't seem to have any effect. But adding
> iptables rules like these (from /etc/sysconfig/iptables), seemed to get
> the connection information syncing between directors:
>
>> #IPVS connection syncing for keepalived
>> -A INPUT -d 224.0.0.81/32 -s 192.168.25.9/32 -j ACCEPT
>> -A INPUT -d 224.0.0.81/32 -s 192.168.25.10/32 -j ACCEPT
>
> In this state the connections are still getting stuck in the ESTABLISHED
> state, instead of transitioning to FIN_WAIT. But when I flush the
> iptables entirely ("iptables -F" or "service iptables stop"), they seem
> to transition correctly.
>
> In general, I don't like the idea of leaving the iptables completely
> empty, so I guess I'll have to figure out what specific traffic is
> getting blocked, that is causing the connections to get stuck in
> ESTABLISHED. If anyone has any pointers on that one, I'd be glad to
> hear it.
>
> Thanks again for the help,
>
> Lloyd Brown
> Systems Administrator
> Fulton Supercomputing Lab
> Brigham Young University
> http://marylou.byu.edu
>
> On 07/29/2014 08:22 AM, Lloyd Brown wrote:
>> Frank,
>>
>> I hadn't thought about SELinux, but I'll check on that. I'm assuming
>> that the firewall isn't a problem, since I captured the packets on the
>> backup director. But I'll test both of those, and report back.
>>
>> All the communication between servers (both keepalived's VRRP, and the
>> IPVS connection sync) is going over Ethernet. Since this is a test
>> environment, both directors (and the realserver) are actually VMWare
>> Virtual Machines.
>>
>>
>>
>> Lloyd Brown
>> Systems Administrator
>> Fulton Supercomputing Lab
>> Brigham Young University
>> http://marylou.byu.edu
>>
>> On 07/28/2014 11:26 PM, Frank Kirschner wrote:
>>> Hi Lloyd,
>>>
>>> have you disabled SELinux for the RHEL hosts? By the way: also set the
>>> firewall to accept all (later, once everything is working, you should set up
>>> a firewall of course)
>>>
>>> In which way do you communicate keepalived between the two directors? Over
>>> Ethernet or serial cable?
>>>
>>> best regards
>>> Frank
>>>
>>> Kind regards
>>> Frank Kirschner
>>
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users