Hi Marius,

your NIC is probably doing the TCP checksum calculation (called «TCP 
offloading»). The TCP/IP stack therefore sends all outbound TCP packets with 
the same dummy checksum (in your case: 0x2a21) to the NIC driver. This saves 
some CPU cycles.

Check your TCP offloading settings using:
/sbin/ethtool -k eth0

Disable TCP Offloading using:
sudo /sbin/ethtool -K eth0 tx off rx off

In other words: you have no problem; it's just tcpdump that thinks there is a 
TCP checksum problem. If you want to work around this, use the following 
tcpdump option:

       -K
       --dont-verify-checksums
              Don't attempt to verify IP, TCP, or UDP checksums. This is 
              useful for interfaces that perform some or all of those checksum 
              calculation in hardware; otherwise, all outgoing TCP checksums 
              will be flagged as bad.

Cheers

Mathias

==============================================================

From: matei marius <mat.mar...@yahoo.com> 
Sent: Thursday, 22 March 2018 11:50
To: HAproxy Mailing Lists <haproxy@formilux.org>
Subject: transparent mode -> chksum incorrect


Hello,

I'm trying to configure HAProxy in transparent mode using the configuration 
below.

The backend servers use the HAProxy IP (172.17.232.232) as their default 
gateway.

frontend fe_frontend_pool_proxy_3128
        timeout client 30m
        mode tcp
        bind 172.17.232.232:3128 transparent
        default_backend bk_pool_proxy_3128

backend bk_pool_proxy_3128
        timeout server 30m
        timeout connect 5s
        mode tcp
        balance leastconn
        default-server inter 5s fall 3 rise 2 on-marked-down shutdown-sessions
        source 0.0.0.0 usesrc clientip
        server sibipd-wcg1 172.17.232.229:3128 check port 3128 inter 3s rise 3 fall 3
        server romapd-wcg2 172.17.32.80:3128 check port 3128 backup inter 3s rise 3 fall 3 weight 10 source 0.0.0.0
        option redispatch

I have these iptables rules on the HAProxy server:

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 111
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 111 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

This setup works perfectly from any IP class other than 172.17.232.x.

When I try to access the service from the same IP class as HAProxy, I see the 
packets having an incorrect checksum.

tcpdump -i eth0 -n host 172.17.232.229 and host 172.17.232.233 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes


12:37:21.741935 IP (tos 0x0, ttl 64, id 63601, offset 0, flags [DF], proto TCP (6), length 60)
    172.17.232.233.34012 > 172.17.232.229.3128: Flags [S], cksum 0x2a21 (incorrect -> 0xf5a2), seq 111508051, win 29200, options [mss 1460,sackOK,TS val 573276706 ecr 0,nop,wscale 7], length 0
12:37:21.743005 IP (tos 0x0, ttl 64, id 53770, offset 0, flags [DF], proto TCP (6), length 60)
    172.17.232.233.34014 > 172.17.232.229.3128: Flags [S], cksum 0x2a21 (incorrect -> 0xdbe0), seq 1250971688, win 29200, options [mss 1460,sackOK,TS val 573276706 ecr 0,nop,wscale 7], length 0

What am I doing wrong?

Thanks
Marius
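
The following script is an added example for this thread; it is not code from either message, from tcpdump, or from HAProxy. It recomputes the TCP checksum of the two SYN segments in Marius's capture over the IPv4 pseudo-header, using the fields tcpdump printed (ports, seq, window, the mss/sackOK/TS/nop/wscale option list); the ack and urgent fields are assumed to be zero, as in any SYN, and the capture text embedded below is constructed from the two lines in the post. The recomputed values come out as the "-> 0x...." values tcpdump reported, which confirms the on-wire 0x2a21 is a placeholder rather than corruption. The offload-signature heuristic (one constant on-wire checksum across packets whose correct checksums all differ) is the author's own check, not something tcpdump implements.

```python
"""Recompute the TCP checksums tcpdump flagged as incorrect and test for the
checksum-offload signature.  Added example; not part of the mailing list thread.
Packet fields are taken from the two SYN lines in the quoted tcpdump -vv output."""
import ipaddress
import re
import struct

# Constructed from the two SYN lines in the capture.  The Linux stack wrote the
# placeholder 0x2a21 into the checksum field and left the NIC to fill it in.
CAPTURE = """\
172.17.232.233.34012 > 172.17.232.229.3128: Flags [S], cksum 0x2a21 (incorrect -> 0xf5a2), seq 111508051, win 29200, options [mss 1460,sackOK,TS val 573276706 ecr 0,nop,wscale 7], length 0
172.17.232.233.34014 > 172.17.232.229.3128: Flags [S], cksum 0x2a21 (incorrect -> 0xdbe0), seq 1250971688, win 29200, options [mss 1460,sackOK,TS val 573276706 ecr 0,nop,wscale 7], length 0
"""

CKSUM_RE = re.compile(r"cksum 0x([0-9a-f]{4}) \(incorrect -> 0x([0-9a-f]{4})\)")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment (RFC 793).
    The caller passes the segment with its checksum field zeroed."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))  # zero, proto TCP, TCP length
    return 0xFFFF ^ ones_complement_sum(pseudo + segment)


def build_syn(sport, dport, seq, window, mss, ts_val, ts_ecr, wscale) -> bytes:
    """TCP SYN with the option order tcpdump printed: mss, sackOK, TS, nop, wscale.
    40-byte header (data offset 10); ack, checksum and urgent pointer are zero."""
    options = (struct.pack("!BBH", 2, 4, mss)                 # mss
               + struct.pack("!BB", 4, 2)                     # sackOK
               + struct.pack("!BBII", 8, 10, ts_val, ts_ecr)  # timestamps
               + b"\x01"                                      # nop
               + struct.pack("!BBB", 3, 3, wscale))           # window scale
    assert len(options) == 20
    data_offset = 5 + len(options) // 4  # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         data_offset << 4, 0x02,  # flags: SYN only
                         window, 0, 0)
    return header + options


def expected_checksums() -> list:
    """Recompute the checksum of the two captured SYNs.  Should reproduce the
    '-> 0x....' values tcpdump printed (0xf5a2 and 0xdbe0)."""
    results = []
    for sport, seq in ((34012, 111508051), (34014, 1250971688)):
        seg = build_syn(sport, 3128, seq, 29200, 1460, 573276706, 0, 7)
        results.append(tcp_checksum("172.17.232.233", "172.17.232.229", seg))
    return results


def looks_like_checksum_offload(capture: str) -> bool:
    """Offload signature: every 'incorrect' packet carries the same on-wire
    value while the recomputed (correct) values all differ.  Random corruption
    or a real checksum bug would not repeat one constant across packets."""
    pairs = CKSUM_RE.findall(capture)
    if len(pairs) < 2:
        return False
    on_wire = {wire for wire, _ in pairs}
    correct = {exp for _, exp in pairs}
    return len(on_wire) == 1 and len(correct) == len(pairs)


if __name__ == "__main__":
    for got in expected_checksums():
        print(f"recomputed TCP checksum: 0x{got:04x}")
    print("checksum-offload signature present:", looks_like_checksum_offload(CAPTURE))
```

Run it as-is and the two recomputed values match what tcpdump printed after "incorrect ->", so the capture shows packets that are valid once the NIC fills in the checksum; a capture taken with tcpdump -K, or on the receiving host, would show no complaint at all.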
