Hi,
I set up 2 directors at IP 192.168.96.11 (active/standby) with 4 real
servers (squid) a week ago.
On the 4 squid boxes, I noticed the following lines in the dmesg output:
(output)
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
So I restarted iptables.
(output)
Removing netfilter NETLINK layer.
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (8192 buckets, 65536 max) - 232 bytes per conntrack
Then ip_conntrack went down below the 65536 max.
(output)
[root@proxy5-in ~]# cat /proc/slabinfo | grep conn
ip_conntrack_expect 0 0 92 42 1 : tunables 120 60 8 : slabdata 0 0 0
ip_conntrack 20723 20723 232 17 1 : tunables 120 60 8 : slabdata 1219 1219 120
But within a day it reached the ip_conntrack max again.
I checked with the command "cat /proc/net/ip_conntrack | grep UNREPLIED".
It was filled up with many lines with ESTABLISHED and UNREPLIED.
(output)
tcp 6 419803 ESTABLISHED src=192.168.96.11 dst=192.168.192.7 sport=8080 dport=56055 packets=1 bytes=601 [UNREPLIED] src=192.168.192.7 dst=192.168.96.11 sport=56055 dport=8080 packets=0 bytes=0 mark=0 use=1
I think that it is because squid (the real server) directly sends the answer back
from the internet to the client, and then the client sends FIN to the director, isn't it?
Does IPVS/DR have any configuration to get rid of these ip_conntrack entries?
Do I need to unload the ip_conntrack module on all squid boxes?
FYI,
Our squid boxes use Fedora Core 5, kernel 2.6.15-1.2054_FC5smp #1 SMP
--
Wiboon Warasittichai
Network Administrator
The Computer Center
Prince of Songkla University
Hatyai, Songkla, Thailand 90112
--
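The check described in the post (grepping /proc/net/ip_conntrack for UNREPLIED) can be made more precise by parsing each entry and separating flows whose reply direction never carried a packet from ordinary short-lived ones. The following script is an added example written for this thread, not code from the poster or from the LVS project. The sample conntrack lines are constructed (the first mirrors the shape of the entry quoted above); TABLE_MAX is the 65536 figure from the dmesg line, and the 432000-second value is the stock 2.6 default for ip_conntrack_tcp_timeout_established, assumed unchanged on the boxes in question.

```python
"""Summarise ip_conntrack entries and flag one-way (UNREPLIED) flows.

Added example for the thread above; the sample table below is constructed.
"""
from collections import Counter

TABLE_MAX = 65536                  # "65536 max" from the dmesg line in the post
TCP_ESTABLISHED_TIMEOUT = 432000   # assumed 2.6 default (5 days) for established TCP

# Constructed /proc/net/ip_conntrack lines; the first mirrors the quoted entry.
SAMPLE = """\
tcp      6 419803 ESTABLISHED src=192.168.96.11 dst=192.168.192.7 sport=8080 dport=56055 packets=1 bytes=601 [UNREPLIED] src=192.168.192.7 dst=192.168.96.11 sport=56055 dport=8080 packets=0 bytes=0 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.96.11 dst=192.168.192.8 sport=8080 dport=40001 packets=3 bytes=1800 [UNREPLIED] src=192.168.192.8 dst=192.168.96.11 sport=40001 dport=8080 packets=0 bytes=0 mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.192.9 dst=192.168.96.11 sport=51000 dport=8080 packets=10 bytes=2400 src=192.168.96.11 dst=192.168.192.9 sport=8080 dport=51000 packets=9 bytes=9000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.96.11 dst=192.168.96.1 sport=34000 dport=53 packets=1 bytes=60 [UNREPLIED] src=192.168.96.1 dst=192.168.96.11 sport=53 dport=34000 packets=0 bytes=0 mark=0 use=1
"""

NUMERIC = ("sport", "dport", "packets", "bytes")
TUPLE_KEYS = ("src", "dst") + NUMERIC


def parse_conntrack_line(line):
    """Parse one 2.6-style ip_conntrack line.

    Layout: proto protonum timeout [tcp-state] orig-tuple [UNREPLIED]
            reply-tuple [ASSURED] mark=.. use=..
    """
    tokens = line.split()
    entry = {"proto": tokens[0], "protonum": int(tokens[1]), "timeout": int(tokens[2]),
             "state": None, "orig": {}, "reply": {}, "flags": [], "extra": {}}
    rest = tokens[3:]
    # TCP lines carry a state word; UDP/ICMP lines go straight to src=
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)
    side = entry["orig"]
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])
            continue
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        # the second src= token begins the reply tuple
        if key == "src" and side is entry["orig"] and "src" in side:
            side = entry["reply"]
        if key in TUPLE_KEYS:
            side[key] = int(value) if key in NUMERIC else value
        else:
            entry["extra"][key] = value
    return entry


def parse_table(text):
    return [parse_conntrack_line(l) for l in text.splitlines() if l.strip()]


def state_breakdown(entries):
    """Count entries by (proto, state, unreplied?) -- what the grep approximates."""
    return Counter((e["proto"], e["state"] or "-", "UNREPLIED" in e["flags"])
                   for e in entries)


def one_way_flows(entries, min_timeout=3600):
    """Entries whose reply direction never saw a packet but still have a long
    timeout.  On a DR director or real server this is the signature of replies
    that bypass the host: the entry idles until the established timeout expires."""
    return [e for e in entries
            if "UNREPLIED" in e["flags"]
            and e["reply"].get("packets", 0) == 0
            and e["timeout"] >= min_timeout]


def fill_rate(table_max=TABLE_MAX, timeout=TCP_ESTABLISHED_TIMEOUT):
    """New one-way TCP flows per second that keep the table full at steady state.
    A sustained rate above this saturates the table ("table full, dropping packet")."""
    return table_max / timeout


if __name__ == "__main__":
    entries = parse_table(SAMPLE)
    for key, n in sorted(state_breakdown(entries).items()):
        print(key, n)
    for e in one_way_flows(entries):
        o = e["orig"]
        print("one-way:", o["src"], o["sport"], "->", o["dst"], o["dport"],
              "timeout", e["timeout"])
    print("sustained one-way flows/s that fill the table: %.3f" % fill_rate())
```

Run against the real file with `parse_table(open("/proc/net/ip_conntrack").read())`. The fill_rate figure is the useful number: with a 65536-entry table and a 432000-second established timeout, only about 0.15 new one-way TCP flows per second are needed to keep the table permanently full, which is why a modest proxy load fills it within a day when the reply direction is never seen.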