Say, I've got a question-- Do you see this behavior with LVS-DR as well? I've got a few -DR directors running RHEL4 and RHEL5 that are causing all sorts of trouble with Windows 7 hosts, and ACK FIN/ACK RST with SSL handshakes--these problems seem to go away in testing with LVS-NAT, but if you're having trouble with NAT in production, part of me is wondering if we're heading down another dark path...
Cheers
cc

--
Chris Chen <[email protected]>
UNIX Systems Administrator
Office of Information Technologies
Portland State University

Quoting Brent Jensen <[email protected]>:

> I'm using ip_conntrack so it's
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal (or sysctl equiv).
>
> That didn't seem to change the remaining drops.
>
> Thanks,
>
> Brent
>
>
> At 09:01 AM 8/9/2010 -0500, you wrote:
>> Brent, did you set this value (it might be different on CentOS stock, I'm
>> running 2.6.27):
>>
>> net.netfilter.nf_conntrack_tcp_be_liberal = 1
>>
>> That might resolve the remainder of your dropped FIN/RST.
>>
>> Jason Faulkner
>> Linux Engineer, Rackspace Email & Apps
>> [email protected]
>> o: (540) 443-2101 (ex. 505-2101)
>>
>>
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]] On Behalf Of Brent Jensen
>> > Sent: Monday, August 09, 2010 12:26 AM
>> > To: LinuxVirtualServer.org users mailing list.
>> > Subject: Re: [lvs-users] Firewall on LVS NAT
>> >
>> > Update: The NFCT patch greatly reduced the dropped ACK FIN & ACK RST.
>> > There still are a few so I don't know what is causing this, but it is small
>> > compared to what I was getting before. Those users who had terrible
>> > connection problems seem to have no problems at all now. So thanks Jay for
>> > heading me in the right direction. For some reason this didn't appear to be as
>> > big of a problem in kernel 2.4.x, although it still might have existed.
>> >
>> > I also ran across a script from Golan Zakai
>> > http://golanzakai.blogspot.com/2010/07/julians-nfct-patch-on-centos.html
>> > that greatly automates the custom kernel build in CentOS 5.
>> >
>> > Thanks for all of your help,
>> >
>> > Brent
>> >
>> > At 12:39 PM 8/6/2010 -0600, you wrote:
>> >
>> > >Thanks for the heads up. I'll have to brush up on my kernel hacking
>> > >skills. Has anyone been able to successfully run LVS-NAT with stateful
>> > >firewall w/o the patch using a stock kernel (e.g. CentOS 5)? Thanks,
>> > >Brent
>> > >
>> > >On Fri, 6 Aug 2010 08:51:25 -0500, Jay Faulkner
>> > ><[email protected]> wrote:
>> > > > -----Original Message-----
>> > > > From: [email protected]
>> > > > [mailto:[email protected]] On Behalf Of Brent Jensen
>> > > > Sent: Friday, August 06, 2010 12:29 AM
>> > > > To: LinuxVirtualServer.org users mailing list.
>> > > > Subject: Re: [lvs-users] Firewall on LVS NAT
>> > > >
>> > > > More info. I now realize that these dropped packets are FIN and RST
>> > > > ACKs being blocked, probably because my rules to the VIP include: -m
>> > > > state --state NEW -j ACCEPT. Can these dropped packets affect the
>> > > > TCP connections, resulting in client connection issues?
>> > > >
>> > > >
>> > > >
>> > > > Brent,
>> > > >
>> > > > I feel particularly sad for you, I had to troubleshoot this same
>> > > > issue and had a very, very bad week.
>> > > >
>> > > > In my environment, I was able to fix the problem by recompiling my
>> > > > kernel with Julian's NFCT patchset: http://www.ssi.bg/~ja/nfct/ (something
>> > > > similar to this will be in 2.6.36, Hooray!). I'm not sure exactly why it
>> > > > happens, but I suspect that iptables can't get a good take on the "STATE" of
>> > > > a connection in LVS, because LVS partially bypasses netfilter.
>> > > >
>> > > > Give it a shot and let me know how it works.
>> > > >
>> > > > --
>> > > > Jason Faulkner
>> > > > Linux Engineer
>> > > > Rackspace Email & Apps
>> > > >
>> > > > _______________________________________________
>> > > > Please read the documentation before posting - it's available at:
>> > > > http://www.linuxvirtualserver.org/
>> > > >
>> > > > LinuxVirtualServer.org mailing list - [email protected]
>> > > > Send requests to [email protected]
>> > > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
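An added check script for the two knobs this thread goes back and forth over (my example, not code from the thread or from LVS): it reads tcp_be_liberal under both the nf_conntrack and the older ip_conntrack path, with a configurable root so it can be pointed at a fake tree, and inspects a saved rule set for an ESTABLISHED,RELATED accept placed ahead of the NEW-only accept Brent describes. The rule lines and proc files used in testing are constructed, and the ordering check is a sanity check, not the fix the thread arrives at.

```shell
#!/bin/sh
# Added example: audit the conntrack setting and rule ordering discussed in
# the thread. ROOT is "" for the live system; tests pass a temp directory.

# check_be_liberal ROOT
#   Looks for tcp_be_liberal under the nf_conntrack path first, then the
#   older ip_conntrack path (the one Brent's stock kernel exposes).
#   Exit status: 0 = liberal mode on, 1 = knob present but off,
#   2 = neither file exists (conntrack not loaded or an older kernel).
check_be_liberal() {
    root=$1
    for f in \
        "$root/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal" \
        "$root/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal"
    do
        if [ -r "$f" ]; then
            val=$(cat "$f")
            echo "$f = $val"
            [ "$val" = "1" ] && return 0
            return 1
        fi
    done
    echo "no tcp_be_liberal knob found under $root/proc" >&2
    return 2
}

# rules_accept_established_first FILE
#   Reads iptables-save output and checks that an ESTABLISHED/RELATED accept
#   comes before the first '--state NEW' rule, so FIN/RST ACKs on tracked
#   flows are not left to a rule that only admits NEW connections.
#   Exit status: 0 = ordering is fine, 1 = no ESTABLISHED/RELATED rule or it
#   sits after the NEW rule.
rules_accept_established_first() {
    est=$(grep -n -E -- '--state (ESTABLISHED|RELATED)' "$1" | head -n 1 | cut -d: -f1)
    new=$(grep -n -E -- '--state NEW' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$est" ] || { echo "no ESTABLISHED/RELATED accept in $1" >&2; return 1; }
    [ -z "$new" ] && return 0
    [ "$est" -lt "$new" ]
}
```

On a director, run `check_be_liberal ""` and `iptables-save | rules_accept_established_first /dev/stdin` after applying the NFCT patch or the sysctl, to confirm both sides of the thread's advice are actually in place.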
