Looking for Simple Instructions

Roberto Nibali ratz at drugphish.ch
Fri Nov 10 18:01:36 GMT 2006


> I've attempted to simplify things on this new attempt (fyi, there is no 
> eth0 on any of the machines):
> 
> DIP = 74.52.166.34  bound to eth1
> VIP = 74.52.166.35  bound to eth1:35
> 
> RS1 = 74.52.166.50  bound to eth1
> RS1VIP = 74.52.166.35 bound to lo:35
> 
> RS2 = 74.52.166.130 bound to eth1
> RS2VIP = 74.52.166.35 bound to lo:35

Ok.

> On Director:
>   [root at lb1 ~]# sysctl -p
>   net.ipv4.conf.lo.arp_ignore = 0
>   net.ipv4.conf.lo.arp_announce = 0
>   net.ipv4.conf.eth1.arp_ignore = 0
>   net.ipv4.conf.eth1.arp_announce = 0
>   net.ipv4.conf.all.send_redirects = 1
>   net.ipv4.conf.default.send_redirects = 1
>   net.ipv4.conf.eth1.send_redirects = 1
>   net.ipv4.ip_forward = 0
>   net.ipv4.conf.default.rp_filter = 1

You should disable rp_filter.

>   net.ipv4.conf.default.accept_source_route = 0
> 
> On both RS's:
>   net.ipv4.conf.lo.arp_ignore = 1
>   net.ipv4.conf.lo.arp_announce = 2
>   net.ipv4.conf.eth1.arp_ignore = 1
>   net.ipv4.conf.eth1.arp_announce = 2
>   net.ipv4.ip_forward = 0
>   net.ipv4.conf.default.rp_filter = 1
>   net.ipv4.conf.default.accept_source_route = 0

Ok.

>> Care to show the ipvsadm -L -n output?
> 
> [root at lb1 ~]# ipvsadm -L -n
> IP Virtual Server version 1.2.0 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  74.52.166.35:23 rr
>   -> 74.52.166.50:23              Route   1      0          0
>   -> 74.52.166.130:23             Route   1      0          0

Looks perfect.

>> The preferred way of dealing with this is by instrumenting 
>> arp_{announce,ignore} in the proc-fs.
> 
>     I've cleared out all the arptables stuff and am trying to use the 
> arp_{announce,ignore} as suggested but I am unsure which interfaces need 
> what setting. The mini-HOWTO isn't too clear on this.

The interface carrying the VIP, since this is the one we should not 
send/reply arp probes for the VIP. Only the director needs to reply to 
arp on the VIP.

>> Can you tcpdump on the director? Are you sure there's not some 
>> filtering of illicit traffic on switch ports on your ISP's side?
> 
> Yes. Running "tcpdump -n -i eth1 port 23" on the director shows lots of 
> these when I try and telnet from my home machine:
> 
> 11:37:45.031014 IP 70.241.143.240.3165 > 74.52.166.35.telnet: S 
> 2050237163:2050237163(0) win 65535 <mss 1452,nop,nop,sackOK>

In earlier days I would have said missing arp handling, yours seems to 
be ok. So please disable rp_filter and try again. Also check your kernel 
messages, e.g. the dropped packets from the reverse path filtering go 
there if log_martians is enabled.

> Running "tcpdump -n -i any port 23" on the 2 RS's shows nothing when I 
> try to telnet to the VIP.

Ok, so packets are dropped at the director.

> Thanks very much for your assistance.

We're glad to help out, if time permits.

Best regards,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
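
As an added example that is not part of the original message, the shell function below applies the checks discussed in this reply to sysctl settings read from standard input: rp_filter and log_martians on the director, and arp_ignore/arp_announce on the real server interface carrying the VIP. The function name `lvs_dr_audit` and the FAIL/NOTE output format are assumptions; the sample settings are taken from the listings quoted above.

```sh
#!/bin/sh
# Added example: check sysctl settings of an LVS-DR node against the advice
# in this thread. Usage: lvs_dr_audit director|realserver IFACE < settings
# Prints one finding per line and nothing when every check passes.
lvs_dr_audit() {
    role=$1 iface=$2
    awk -v role="$role" -v iface="$iface" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        line = $0
        gsub(/[ \t]/, "", line)             # "key = value" becomes "key=value"
        eq = index(line, "=")
        if (eq > 0) val[substr(line, 1, eq - 1)] = substr(line, eq + 1)
    }
    END {
        if (role == "director") {
            # The reply asks for rp_filter to be disabled on the director.
            for (k in val) {
                if (k ~ /^net\.ipv4\.conf\.[^.]+\.rp_filter$/ && val[k] != "0")
                    print "FAIL " k "=" val[k] " (reply says to disable rp_filter)"
                if (k ~ /^net\.ipv4\.conf\.[^.]+\.log_martians$/ && val[k] == "1")
                    logged = 1
            }
            # Without log_martians the drops do not reach the kernel messages.
            if (!logged) print "NOTE log_martians not enabled in these settings"
        } else if (role == "realserver") {
            # Values the real servers use in the thread for the VIP interface.
            want["arp_ignore"] = "1"; want["arp_announce"] = "2"
            for (s in want) {
                k = "net.ipv4.conf." iface "." s
                if (!(k in val)) print "FAIL " k " not set (want " want[s] ")"
                else if (val[k] != want[s])
                    print "FAIL " k "=" val[k] " (want " want[s] ")"
            }
        }
    }'
}

# Settings taken from the sysctl listings quoted in the thread.
DIRECTOR_CONF='net.ipv4.conf.eth1.arp_ignore = 0
net.ipv4.conf.eth1.arp_announce = 0
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1'
RS_CONF='net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.eth1.arp_ignore = 1
net.ipv4.conf.eth1.arp_announce = 2'

printf '%s\n' "$DIRECTOR_CONF" | lvs_dr_audit director eth1
printf '%s\n' "$RS_CONF" | lvs_dr_audit realserver lo
```

On a live host, piping `sysctl -a` into the function checks the running values instead of the embedded sample.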
