Okay. I'm not sure this is the best approach, but adding a simple iptables rule for each of the VIPs, to accept any traffic, seems to fix the issue of it being stuck in ESTABLISHED.
Thanks again for pointing me in the right direction. One of these days I'll have to remember that tcpdump sees packets before iptables, while everything else happens after iptables rules are applied.

For anyone else looking at this thread in the archives, here's the total list of modifications in the /etc/sysconfig/iptables, from the stock RHEL 6.5 setup, that seem to get it working; be sure to substitute in the correct values for DIR1IP, DIR2IP, VIP1, and VIP2:

> #VRRP multicast for keepalived
> -A INPUT -d 224.0.0.18/32 -s DIR1IP/32 -j ACCEPT
> -A INPUT -d 224.0.0.18/32 -s DIR2IP/32 -j ACCEPT
> #IPVS connection syncing for keepalived
> -A INPUT -d 224.0.0.81/32 -s DIR1IP/32 -j ACCEPT
> -A INPUT -d 224.0.0.81/32 -s DIR2IP/32 -j ACCEPT
> #All connections for virtual IPs (VIP1 and VIP2)
> -A INPUT -d VIP1/32 -j ACCEPT
> -A INPUT -d VIP2/32 -j ACCEPT

Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University
http://marylou.byu.edu

On 07/29/2014 08:40 AM, Lloyd Brown wrote:
> Frank,
>
> Okay. So disabling SELinux didn't seem to have any effect. But adding
> iptables rules like these (from /etc/sysconfig/iptables) seemed to get
> the connection information syncing between directors:
>
>> #IPVS connection syncing for keepalived
>> -A INPUT -d 224.0.0.81/32 -s 192.168.25.9/32 -j ACCEPT
>> -A INPUT -d 224.0.0.81/32 -s 192.168.25.10/32 -j ACCEPT
>
> In this state the connections are still getting stuck in the ESTABLISHED
> state, instead of transitioning to FIN_WAIT. But when I flush the
> iptables entirely ("iptables -F" or "service iptables stop"), they seem
> to transition correctly.
>
> In general, I don't like the idea of leaving the iptables completely
> empty, so I guess I'll have to figure out what specific traffic is
> getting blocked that is causing the connections to get stuck in
> ESTABLISHED. If anyone has any pointers on that one, I'd be glad to
> hear it.
>
> Thanks again for the help,
>
> Lloyd Brown
> Systems Administrator
> Fulton Supercomputing Lab
> Brigham Young University
> http://marylou.byu.edu
>
> On 07/29/2014 08:22 AM, Lloyd Brown wrote:
>> Frank,
>>
>> I hadn't thought about SELinux, but I'll check on that. I'm assuming
>> that the firewall isn't a problem, since I captured the packets on the
>> backup director. But I'll test both of those, and report back.
>>
>> All the communication between servers (both keepalived's VRRP and the
>> IPVS connection sync) is going over Ethernet. Since this is a test
>> environment, both directors (and the realserver) are actually VMware
>> virtual machines.
>>
>> Lloyd Brown
>> Systems Administrator
>> Fulton Supercomputing Lab
>> Brigham Young University
>> http://marylou.byu.edu
>>
>> On 07/28/2014 11:26 PM, Frank Kirschner wrote:
>>> Hi Lloyd,
>>>
>>> have you disabled SELinux for the RHEL hosts? By the way: also set the
>>> firewall to accept all (later, if all is working, you should set up a firewall
>>> of course)
>>>
>>> In which way do you communicate keepalived between the two directors? Over
>>> Ethernet or serial cable?
>>>
>>> best regards
>>> Frank
>>>
>>> mfg
>>> Frank Kirschner
>>
>> _______________________________________________
>> Please read the documentation before posting - it's available at:
>> http://www.linuxvirtualserver.org/
>>
>> LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
>> Send requests to lvs-users-requ...@linuxvirtualserver.org
>> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
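As an added example that is not part of the thread (it is neither Lloyd's nor Frank's code, nor anything shipped with keepalived or RHEL): a POSIX sh script that builds the ACCEPT rules Lloyd lists from the DIR1IP/DIR2IP/VIP1/VIP2 values and then checks a ruleset (the text of /etc/sysconfig/iptables or of `iptables-save`) for them. It also catches the failure mode the stock RHEL 6 file invites: a rule appended after the terminal `-A INPUT -j REJECT ...` never matches, so the sync traffic or the VIP traffic stays blocked even though the rule is present. The director and VIP addresses, the two sample rulesets and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Builds keepalived/IPVS ACCEPT rules
# and checks an iptables ruleset for presence *and* ordering of those rules.

# Print rule lines for /etc/sysconfig/iptables.
#   $1: space-separated director IPs   $2: space-separated VIPs
gen_keepalived_rules() {
    echo '#VRRP multicast for keepalived'
    for d in $1; do echo "-A INPUT -d 224.0.0.18/32 -s $d/32 -j ACCEPT"; done
    echo '#IPVS connection syncing for keepalived'
    for d in $1; do echo "-A INPUT -d 224.0.0.81/32 -s $d/32 -j ACCEPT"; done
    echo '#All connections for virtual IPs'
    for v in $2; do echo "-A INPUT -d $v/32 -j ACCEPT"; done
}

# 1-based line number of the first exact match of rule $2 in ruleset $1, or 0.
rule_line() {
    n=$(printf '%s\n' "$1" | grep -nFx -- "$2" | head -n1 | cut -d: -f1)
    echo "${n:-0}"
}

# Verify every required ACCEPT rule is in ruleset $1 and precedes the first
# INPUT REJECT/DROP rule. Prints each problem; returns 0 if clean, 1 otherwise.
#   $2: director IPs   $3: VIPs
check_keepalived_rules() {
    ruleset=$1; rc=0
    reject=$(printf '%s\n' "$ruleset" \
        | grep -nE -- '^-A INPUT .*-j (REJECT|DROP)' | head -n1 | cut -d: -f1)
    reject=${reject:-999999}   # no terminal REJECT/DROP: ordering is irrelevant
    rules=$(gen_keepalived_rules "$2" "$3" | grep -v '^#')
    oldifs=$IFS; IFS='
'
    for rule in $rules; do
        n=$(rule_line "$ruleset" "$rule")
        if [ "$n" -eq 0 ]; then
            echo "MISSING: $rule"; rc=1
        elif [ "$n" -gt "$reject" ]; then
            echo "SHADOWED by REJECT/DROP on line $reject: $rule"; rc=1
        fi
    done
    IFS=$oldifs
    return $rc
}

# Constructed sample: stock-style RHEL 6 filter table with the rules inserted
# before the final REJECT, as the thread describes. Addresses are made up.
GOOD_RULESET=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#VRRP multicast for keepalived
-A INPUT -d 224.0.0.18/32 -s 192.0.2.9/32 -j ACCEPT
-A INPUT -d 224.0.0.18/32 -s 192.0.2.10/32 -j ACCEPT
#IPVS connection syncing for keepalived
-A INPUT -d 224.0.0.81/32 -s 192.0.2.9/32 -j ACCEPT
-A INPUT -d 224.0.0.81/32 -s 192.0.2.10/32 -j ACCEPT
#All connections for virtual IPs
-A INPUT -d 192.0.2.100/32 -j ACCEPT
-A INPUT -d 192.0.2.101/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# Constructed sample of the mistake: one sync rule missing and the VIP rules
# appended after the terminal REJECT, where they can never match.
BAD_RULESET=$(cat <<'EOF'
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -d 224.0.0.18/32 -s 192.0.2.9/32 -j ACCEPT
-A INPUT -d 224.0.0.18/32 -s 192.0.2.10/32 -j ACCEPT
-A INPUT -d 224.0.0.81/32 -s 192.0.2.9/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -d 192.0.2.100/32 -j ACCEPT
-A INPUT -d 192.0.2.101/32 -j ACCEPT
COMMIT
EOF
)

DIRS="192.0.2.9 192.0.2.10"; VIPS="192.0.2.100 192.0.2.101"
echo "--- generated rules ---"; gen_keepalived_rules "$DIRS" "$VIPS"
echo "--- good ruleset ---"; check_keepalived_rules "$GOOD_RULESET" "$DIRS" "$VIPS" && echo ok
echo "--- bad ruleset ---";  check_keepalived_rules "$BAD_RULESET" "$DIRS" "$VIPS" || echo "problems found"
```

On a live director, feed it `"$(iptables-save)"` rather than the file, since that reflects the rules the kernel is actually applying. To confirm that the new rules are being hit, read the packet counters with `iptables -L INPUT -v -n`: as the thread notes, tcpdump captures incoming packets before the INPUT chain filters them, so a capture alone cannot tell you whether iptables is dropping the VRRP, sync or VIP traffic.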