Hi Marius,

Your NIC is probably doing the TCP checksum calculation (called "TCP offloading"). The TCP/IP stack therefore sends all outbound TCP packets with the same dummy checksum (in your case: 0x2a21) to the NIC driver. This saves some CPU cycles.

Check your TCP offloading settings using:

    /sbin/ethtool -k eth0

Disable TCP Offloading using:

    sudo /sbin/ethtool -K eth0 tx off rx off

In other words: You have no problem, it's just tcpdump which thinks there is a TCP checksum problem.

If you want to work around this, use the following tcpdump option:

    -K
    --dont-verify-checksums
        Don't attempt to verify IP, TCP, or UDP checksums. This is useful for interfaces that perform some or all of those checksum calculation in hardware; otherwise, all outgoing TCP checksums will be flagged as bad.

Cheers
Mathias

==============================================================
From: matei marius <mat.mar...@yahoo.com>
Sent: Thursday, 22 March 2018 11:50
To: HAproxy Mailing Lists <haproxy@formilux.org>
Subject: transparent mode -> chksum incorrect

Hello

I'm trying to configure haproxy in transparent mode using the configuration below:
The backend servers have as default gateway the haproxy IP (172.17.232.232)

frontend fe_frontend_pool_proxy_3128
    timeout client 30m
    mode tcp
    bind 172.17.232.232:3128 transparent
    default_backend bk_pool_proxy_3128

backend bk_pool_proxy_3128
    timeout server 30m
    timeout connect 5s
    mode tcp
    balance leastconn
    default-server inter 5s fall 3 rise 2 on-marked-down shutdown-sessions
    source 0.0.0.0 usesrc clientip
    server sibipd-wcg1 172.17.232.229:3128 check port 3128 inter 3s rise 3 fall 3
    server romapd-wcg2 172.17.32.80:3128 check port 3128 backup inter 3s rise 3 fall 3 weight 10 source 0.0.0.0
    option redispatch

I have these iptables rules on the HAProxy server

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 111
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 111 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

This setup is working perfectly from any IP class other than 172.17.232.x.
When I try to access the service from the same IP class with haproxy I see the packets having incorrect checksum.

tcpdump -i eth0 -n host 172.17.232.229 and host 172.17.232.233 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:37:21.741935 IP (tos 0x0, ttl 64, id 63601, offset 0, flags [DF], proto TCP (6), length 60)
    172.17.232.233.34012 > 172.17.232.229.3128: Flags [S], cksum 0x2a21 (incorrect -> 0xf5a2), seq 111508051, win 29200, options [mss 1460,sackOK,TS val 573276706 ecr 0,nop,wscale 7], length 0
12:37:21.743005 IP (tos 0x0, ttl 64, id 53770, offset 0, flags [DF], proto TCP (6), length 60)
    172.17.232.233.34014 > 172.17.232.229.3128: Flags [S], cksum 0x2a21 (incorrect -> 0xdbe0), seq 1250971688, win 29200, options [mss 1460,sackOK,TS val 573276706 ecr 0,nop,wscale 7], length 0

What am I doing wrong?

Thanks
Marius
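
Added example (not part of either message, and not HAProxy or tcpdump code): with TX checksum offload, Linux hands the driver a segment whose checksum field holds only the folded pseudo-header sum, which depends on the two addresses, the protocol and the TCP length, so both SYNs in the capture carry 0x2a21. The Python below rebuilds both SYNs from the fields tcpdump printed and separates an offload artifact from a genuinely corrupt checksum; the function names are illustrative, and it assumes the options sit on the wire in the order printed.

```python
import socket
import struct

def ones_sum(data: bytes, acc: int = 0) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    acc += sum(word for (word,) in struct.iter_unpack("!H", data))
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return acc

def pseudo_sum(src: str, dst: str, tcp_len: int) -> int:
    """Sum over the TCP pseudo-header: addresses, zero, protocol 6, TCP length."""
    hdr = socket.inet_aton(src) + socket.inet_aton(dst)
    return ones_sum(hdr + struct.pack("!BBH", 0, 6, tcp_len))

def syn_segment(sport, dport, seq, win, mss, tsval, wscale) -> bytes:
    """Rebuild the 40-byte SYN from tcpdump's fields, checksum field zeroed.
    Assumption: options sit on the wire in the order tcpdump printed them."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, 0x02, win, 0, 0)
    opts = struct.pack("!BBH", 2, 4, mss)            # mss
    opts += struct.pack("!BB", 4, 2)                 # sackOK
    opts += struct.pack("!BBII", 8, 10, tsval, 0)    # TS val / ecr
    opts += struct.pack("!BBBB", 1, 3, 3, wscale)    # nop, wscale
    return fixed + opts

def classify(src, dst, segment, seen):
    """Return (verdict, checksum a receiver would expect) for a captured value."""
    partial = pseudo_sum(src, dst, len(segment))
    full = ~ones_sum(segment, partial) & 0xFFFF
    if seen == full:
        return "valid", full
    if seen == partial:
        return "offload-partial", full   # captured before the NIC filled it in
    return "corrupt", full

# The two SYNs from the capture in the thread (values copied from the tcpdump lines).
SRC, DST = "172.17.232.233", "172.17.232.229"
SYNS = [
    dict(sport=34012, dport=3128, seq=111508051, win=29200, mss=1460, tsval=573276706, wscale=7),
    dict(sport=34014, dport=3128, seq=1250971688, win=29200, mss=1460, tsval=573276706, wscale=7),
]

def check_capture(seen=0x2A21):
    return [classify(SRC, DST, syn_segment(**f), seen) for f in SYNS]

if __name__ == "__main__":
    for verdict, expected in check_capture():
        print(f"seen 0x2a21 -> {verdict}, receiver expects {expected:#06x}")
```

The expected values it computes match the ones tcpdump prints after "incorrect ->", which confirms the segments were rebuilt correctly and that only the checksum field was left unfinished at capture time.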