Brent, did you set this value (it might be different on CentOS stock, I'm running 2.6.27):

net.netfilter.nf_conntrack_tcp_be_liberal = 1

That might resolve the remainder of your dropped FIN/RST.

Jason Faulkner
Linux Engineer, Rackspace Email & Apps
[email protected]
o: (540) 443-2101 (ex. 505-2101)

> -----Original Message-----
> From: [email protected] [mailto:lvs-users-
> [email protected]] On Behalf Of Brent Jensen
> Sent: Monday, August 09, 2010 12:26 AM
> To: LinuxVirtualServer.org users mailing list.
> Subject: Re: [lvs-users] Firewall on LVS NAT
>
> Update: The NFCT patch greatly reduced the dropped ACK FIN & ACK RST.
> There still are a few so I don't know what is causing this, but it is small
> compared to what I was getting before. Those users who had terrible
> connection problems seem to have no problems at all now. So thanks Jay for
> heading me in the right direction. For some reason this didn't appear to be as
> big of a problem in kernel 2.4.x, although it still might have existed.
>
> I also ran across a script from Golan Zakai
> http://golanzakai.blogspot.com/2010/07/julians-nfct-patch-on-centos.html
> that greatly automates the custom kernel build in Centos 5.
>
> Thanks for all of your help,
>
> Brent
>
> At 12:39 PM 8/6/2010 -0600, you wrote:
>
> > Thanks for the heads up. I'll have to brush up on my kernel hacking
> > skills. Has anyone been able to successfully run LVS-NAT with stateful
> > firewall w/o the patch using a stock kernel (e.g. Centos 5)? Thanks,
> > Brent
> >
> > On Fri, 6 Aug 2010 08:51:25 -0500, Jay Faulkner
> > <[email protected]> wrote:
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:[email protected]] On Behalf Of Brent Jensen
> > > Sent: Friday, August 06, 2010 12:29 AM
> > > To: LinuxVirtualServer.org users mailing list.
> > > Subject: Re: [lvs-users] Firewall on LVS NAT
> > >
> > > More info. I now realize that these dropped packets are FIN and RST
> > > ACKs being blocked, probably because my rules to the VIP include: -m
> > > state --state NEW -j ACCEPT.
> > > Can these dropped packets affect the TCP connections, resulting in
> > > client connection issues?
> > >
> > >
> > > Brent,
> > >
> > > I feel particularly sad for you, I had to troubleshoot this same
> > > issue and had a very, very bad week.
> > >
> > > In my environment, I was able to fix the problem by recompiling my
> > > kernel with Julian's NFCT patchset: http://www.ssi.bg/~ja/nfct/ (something
> > > similar to this will be in 2.6.36, Hooray!). I'm not sure exactly why it
> > > happens, but I suspect that iptables can't get a good take on the "STATE" of
> > > a connection in LVS, because LVS partially bypasses netfilter.
> > >
> > > Give it a shot and let me know how it works.
> > >
> > > --
> > > Jason Faulkner
> > > Linux Engineer
> > > Rackspace Email & Apps
> > >
> > > _______________________________________________
> > > Please read the documentation before posting - it's available at:
> > > http://www.linuxvirtualserver.org/
> > >
> > > LinuxVirtualServer.org mailing list - [email protected]
> > > Send requests to [email protected]
> > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users