
ipvsadm / local addresses



Hello everybody,

Anyone found a solution to this problem? I have exactly the same (with HTTP requests, so relative to port 80), and cannot solve it.

Thanks in advance.

--
Laurent


Repost:

ipvsadm and local addresses

------------------------------------------------------------------------

   * To: nefsall@debian.org
   * Subject: ipvsadm and local addresses
   * From: Russell Coker <russell@coker.com.au>
   * Date: Tue, 4 Feb 2003 22:50:03 +0100
   * Cc: Debian ISP <debian-isp@lists.debian.org>
   * Old-return-path: <russell@coker.com.au>
   * Reply-to: Russell Coker <russell@coker.com.au>
   * User-agent: KMail/1.5

------------------------------------------------------------------------

Let's say I have four machines with IP addresses 10.0.0.1 to 10.0.0.4 (all in the same subnet - I'll refer to them as 1 to 4 from now on).

1 is the client, 2 is the LVS machine, 3 and 4 are the servers providing the service. I set them up as follows:

ipvsadm -A -t 2:389 -s wlc
ipvsadm -a -t 2:389 -r 3 -m
ipvsadm -a -t 2:389 -r 4 -m

Now machine 1 tries to connect, here's the tcpdump output from machine 2:
22:33:43.903540 1.51673 > 2.389: S 3870790008:3870790008(0) win 5840 <mss 1460,sackOK,timestamp 409360083 0,nop,wscale 0> (DF) [tos 0x10]
22:33:43.903576 1.51673 > 3.389: S 3870790008:3870790008(0) win 5840 <mss 1460,sackOK,timestamp 409360083 0,nop,wscale 0> (DF) [tos 0x10]

So we see that the SYN packet has gone from the client to the IPVS machine and been directed to one of the servers. However the server is on the same subnet as the client and sends the response back to the client. The client sees a packet from 3 when it's expecting a packet from 2 and drops it. Therefore no connection!

I tried using iptables to masquerade the packets using SNAT to make the replies come back to the IPVS machine, but it didn't work. It seems that iptables and IPVS don't mix.

I can't use IP tunneling because the servers are running Solaris 2.6 in a very fragile setup (so even if Solaris 2.6 supports such things I am not enthusiastic about installing it).

I can't change the routing because the entire network setup is very fragile and liable to break if I change such things (also there are so many machines that the risk of human error when changing these things is significant, and in the testing phase I will probably be turning the service on and off repeatedly).

Any suggestions?
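Added example (not part of either post above, and not LVS/ipvsadm code): a small Python model of the LVS-NAT (ipvsadm -m) handshake the repost describes. The director DNATs the client's SYN to a real server and keeps a connection entry; the real server's SYN-ACK has to come back through the director to have its source rewritten to the virtual address. The model routes each hop with the ordinary rule "connected subnet first, then default gateway", which is exactly why the setup fails here: with 10.0.0.1 and 10.0.0.3 in one /24, the real server delivers the reply straight to the client even if its default gateway points at the director, and the client sees a SYN-ACK from 3 instead of 2. The addresses 10.0.0.1-10.0.0.4, port 389 and client port 51673 are taken from the post; the host names, the round-robin scheduler standing in for wlc, and the contrasting 10.0.1.0/24 topology are constructed assumptions.

```python
"""Model of an LVS-NAT handshake: SYN is DNATed by the director, the reply
must be un-NATed by the director.  Addresses from the post; host names, the
round-robin scheduler and the 10.0.1.0/24 contrast are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "S ack" = SYN-ACK (old tcpdump spelling)


class Host:
    def __init__(self, name, addrs, networks, gateway=None):
        self.name = name
        self.addrs = tuple(addrs)                                     # addresses this host answers to
        self.networks = [ipaddress.ip_network(n) for n in networks]   # directly connected subnets
        self.gateway = gateway                                        # default route, None = none

    @property
    def addr(self):
        return self.addrs[0]

    def next_hop(self, dst):
        """A connected-subnet route always beats the default route."""
        if any(ipaddress.ip_address(dst) in n for n in self.networks):
            return dst
        return self.gateway


class Director(Host):
    """Stand-in for 'ipvsadm -A -t VIP:port' plus '-a ... -m': NAT with a connection table."""
    def __init__(self, name, addrs, networks, vip, real_servers):
        super().__init__(name, addrs, networks)
        self.vip = vip
        self.real_servers = list(real_servers)
        self.conn = {}      # (client addr, client port) -> real server address
        self._next = 0      # round-robin pointer (simplification of wlc)

    def nat(self, pkt):
        if pkt.dst == self.vip and pkt.flags == "S":          # new connection: DNAT to a real server
            rs = self.real_servers[self._next % len(self.real_servers)]
            self._next += 1
            self.conn[(pkt.src, pkt.sport)] = rs
            return Packet(pkt.src, pkt.sport, rs, pkt.dport, pkt.flags)
        if self.conn.get((pkt.dst, pkt.dport)) == pkt.src:    # reply from that server: un-NAT source
            return Packet(self.vip, pkt.sport, pkt.dst, pkt.dport, pkt.flags)
        return pkt                                             # unrelated traffic: forward unchanged


def simulate(client, director, servers, port=389):
    """One SYN / SYN-ACK exchange, hop by hop.  Returns (outcome, trace of packets sent)."""
    by_addr = {a: h for h in [client, director, *servers] for a in h.addrs}
    trace = []

    def deliver(sender, pkt):
        hop = sender.next_hop(pkt.dst)
        while hop is not None:
            trace.append(f"{sender.name}: {pkt.src}.{pkt.sport} > {pkt.dst}.{pkt.dport}: {pkt.flags}")
            host = by_addr.get(hop)
            if host is None:
                break
            if host is director:
                pkt = director.nat(pkt)       # rewrite on the way in (DNAT) or out (un-NAT)
            if pkt.dst in host.addrs:
                return host, pkt              # delivered to its final destination
            sender, hop = host, host.next_hop(pkt.dst)
        return None, pkt

    syn = Packet(client.addr, 51673, director.vip, port, "S")
    server, syn_at_rs = deliver(client, syn)
    if server not in servers:
        return "SYN never reached a real server", trace
    synack = Packet(server.addr, port, syn_at_rs.src, syn_at_rs.sport, "S ack")
    receiver, reply = deliver(server, synack)
    if receiver is client and reply.src == director.vip:
        return "ESTABLISHED", trace
    return f"DROPPED by client: reply from {reply.src}, expected {director.vip}", trace


def same_subnet_case():
    """The post's topology: all four hosts in 10.0.0.0/24, real servers even point their default gateway at the director."""
    client = Host("client", ["10.0.0.1"], ["10.0.0.0/24"])
    director = Director("director", ["10.0.0.2"], ["10.0.0.0/24"], vip="10.0.0.2",
                        real_servers=["10.0.0.3", "10.0.0.4"])
    servers = [Host("rs3", ["10.0.0.3"], ["10.0.0.0/24"], gateway="10.0.0.2"),
               Host("rs4", ["10.0.0.4"], ["10.0.0.0/24"], gateway="10.0.0.2")]
    return simulate(client, director, servers)


def separate_subnet_case():
    """Constructed contrast: real servers on 10.0.1.0/24 behind the director, so the reply must cross it."""
    client = Host("client", ["10.0.0.1"], ["10.0.0.0/24"], gateway="10.0.0.2")
    director = Director("director", ["10.0.0.2", "10.0.1.2"], ["10.0.0.0/24", "10.0.1.0/24"],
                        vip="10.0.0.2", real_servers=["10.0.1.3", "10.0.1.4"])
    servers = [Host("rs3", ["10.0.1.3"], ["10.0.1.0/24"], gateway="10.0.1.2"),
               Host("rs4", ["10.0.1.4"], ["10.0.1.0/24"], gateway="10.0.1.2")]
    return simulate(client, director, servers)


if __name__ == "__main__":
    for case in (same_subnet_case, separate_subnet_case):
        outcome, trace = case()
        print(case.__name__, "->", outcome)
        for line in trace:
            print("  ", line)
```

The trace for the same-subnet case reproduces the two lines the director's tcpdump shows (1.51673 > 2.389 followed by 1.51673 > 3.389) and then a single 3.389 > 1.51673 line that never passes the director, which is the packet the client discards. The contrast case shows the director rewriting the reply's source back to 10.0.0.2 before it reaches the client; that return-path requirement, not the ipvsadm rules themselves, is what the setup in the post cannot meet.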
