Persistence through a firewall

Horms horms at verge.net.au
Thu Aug 12 01:15:33 BST 2004


On Wed, Aug 11, 2004 at 10:28:15AM -0400, Brett Simpson wrote:
> I have an LVS director that uses wrr with 3600 of persistence for two
> real servers. I noticed that connections going through a firewall from
> my internal network tend to get locked into one of my real servers but
> usually doesn't go to the other real server unless all of the
> connections have expired to the first real server.

Are all the connections coming from the same source IP address?
If so that would explain this behaviour.
> 
> From what I understood with LVS is it's supposed to use the source IP
> for persistence but I wasn't sure if it also used a source port. 

The source IP address is used, but the source port is not.
This is because successive connections from the same host will
almost certainly have a different ephemeral source port.

There is no parameter in LVS to change this behaviour.
Though off the top of my head it would seem like a simple
hack to alter this if you needed to for some reason.

> Would using a different scheduler or a kernel upgrade (with a new lvs
> version) work around this?
> 
> I'm using ipvsadm v1.21 2002/11/12 (compiled with popt and IPVS
> v1.0.9).  Thanks, Brett

Not likely.

-- 
Horms

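The behaviour Horms describes above, simulated as an added example (illustrative Python, not IPVS or ipvsadm code): a persistence template is keyed on the client source IP together with the VIP and port, never on the client's ephemeral source port, so every internal host that leaves a NATting firewall with the same public address is pinned to whichever real server the first of them was scheduled to, until the template times out. The addresses, weights, and the simplifying rule that each new connection re-arms the template timeout are assumptions of this model.

```python
"""Toy model of IPVS persistence templates (added example, not IPVS code).

Shows why traffic arriving through a NATting firewall sticks to one real
server: the template key is (client IP, VIP, port) and ignores the client's
ephemeral source port.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RealServer:
    addr: str
    weight: int


class WeightedRoundRobin:
    """Minimal wrr: a server appears `weight` times per scheduling cycle."""

    def __init__(self, servers: List[RealServer]) -> None:
        self.cycle = [s for s in servers for _ in range(s.weight)]
        self.picks = 0

    def pick(self) -> RealServer:
        server = self.cycle[self.picks % len(self.cycle)]
        self.picks += 1
        return server


class PersistentDirector:
    """Director with a persistence timeout, as set by `ipvsadm -A ... -p 3600`."""

    def __init__(self, servers: List[RealServer], vip: str, vport: int,
                 timeout: int = 3600) -> None:
        self.vip, self.vport, self.timeout = vip, vport, timeout
        self.scheduler = WeightedRoundRobin(servers)
        # template key -> (chosen real server, expiry time)
        self.templates: Dict[Tuple[str, str, int], Tuple[RealServer, float]] = {}

    def route(self, src_ip: str, src_port: int, now: float) -> str:
        """Return the real server address a new connection is sent to."""
        # The key deliberately omits src_port: successive connections from one
        # host use different ephemeral ports, so keying on the port would make
        # persistence useless.
        key = (src_ip, self.vip, self.vport)
        entry = self.templates.get(key)
        if entry is not None and now < entry[1]:
            server = entry[0]                  # still pinned by the template
        else:
            server = self.scheduler.pick()     # fresh scheduling decision
        # Assumption of this model: each new connection re-arms the timeout.
        self.templates[key] = (server, now + self.timeout)
        return server.addr

    def pinned(self) -> Dict[str, str]:
        """Current client IP -> real server pinning held by the templates."""
        return {key[0]: val[0].addr for key, val in self.templates.items()}


def simulate() -> Dict[str, object]:
    """Constructed traffic: three internal hosts behind one NAT firewall
    (all seen as 203.0.113.5) plus one host with its own public address."""
    director = PersistentDirector(
        [RealServer("10.0.0.11", 1), RealServer("10.0.0.12", 2)],
        vip="192.0.2.10", vport=80, timeout=3600)
    nat_ip = "203.0.113.5"
    # Different source ports, same source IP: all land on the same server.
    via_firewall = [director.route(nat_ip, port, t)
                    for port, t in ((41001, 0), (41002, 1), (41003, 2))]
    # A distinct source IP gets the scheduler's next choice.
    direct = director.route("198.51.100.7", 50000, 3)
    # The NAT template lapsed at t=3602, so this one is scheduled afresh.
    after_expiry = director.route(nat_ip, 41004, 5000)
    return {
        "via_firewall": via_firewall,
        "direct": direct,
        "after_expiry": after_expiry,
        "pinned": director.pinned(),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

On a real director the equivalent state is visible as the template entries in `ipvsadm -L -c`; the practical check for Brett's situation is whether all the "locked" connections share one client address, which is the symptom of a firewall that NATs the internal network to a single IP.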