Re: [lvs-users] Real server not responding back

To: Nick Wilson <vicnickw@xxxxxxxxx>
Subject: Re: [lvs-users] Real server not responding back
Cc: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Thu, 2 Apr 2020 18:06:04 +0300 (EEST)

On Fri, 3 Apr 2020, Nick Wilson wrote:

> I followed the document to setup LVS once again from scratch, but
> unfortunately it didn't resolve the response issue :(
> This time I tried binding the VIP on 'lo' interface instead of 'tunl0' on
> the real-server, and still bring tunl0 up as in your doc, but no luck.
> All the troubleshooting steps in your doc, like 'ip route get...' resolve
> fine.
> I don't see any IPIP packet decoding happening on the real-server when I do
> a tcpdump. Here's how it looks:
> tunl0: CIP -> VIP (packet length 40; checksum correct)

        If you see traffic on tunl0 then the IPIP header is already 
removed and you see CIP->VIP TCP packet. Before that, you should see
IPIP DIP->RIP packet on the ens3 (input device).

> ens3: VIP -> CIP (packet length 0; checksum correct)

        OK, kernel sends SYN+ACK ? Note that the server application (the
listener) may run in mode where it wants to see the first data, so
the server may not wakeup for this first packet. In this case, the
kernel still sends the SYN+ACK (3-way handshake performed without
wakeup). Wakeup occurs on 3th packet which can come with data, eg.
GET request (if HTTP). Such mode is suitable for servers that
expect first data from client, eg. HTTP. OTOH, for SMTP, the
first packet is sent by server, so this mode should not be used
by the listener (TCP_DEFER_ACCEPT).

> This goes on for 4-5 times until timeout on the client.

        So, if you see VIP->CIP SYN+ACK sent by real server, it
means the ISP filters the packet and it does not reach the
client. Client retries. Problem in ISP.

        Check the procedure under Q.3. traceroute will send UDP
traffic VIP->CIP which should generate ICMP errors. Such ICMP
errors are sent by every hop in the path to client. Then you
know which hop receives the traffic from real server. Still,
some hops may refuse to send ICMP, so such test can be confusing.


Julian Anastasov <ja@xxxxxx>

Please read the documentation before posting - it's available at: mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to

<Prev in Thread] Current Thread [Next in Thread>