Problems with IPVS

Mindaugas mind at bi.lt
Tue Oct 17 15:43:24 BST 2006



>>  I investigated a bit further and that's what I found:
> Where did you tcpdump?

  The dumps attached to the previous e-mail were done on the bond0 interface,
which is facing the proxy. tcpdumps done on the proxy confirm the problem.

  tcpdump.cap - DNAT case
  tcpdump2.cap - LVS case
  tcpdump3.cap - LVS case and Nokia phone

>>  1. phone sends SYN packet to proxy;
>
> Means (from previous email context):
>
> Phone --> GRE tunnel --> netwap --> fwmark --> LVS --> proxy

  Yes. netwap is an interface on the same server running LVS.

> How many devices are we talking about including Phone and proxy?

  Phone, SGSN/GGSN, PIX firewall (one end of GRE is there), server, proxy.

>>  2. proxy responds with SYN,ACK;
>>  3. phone sends ACK;
>
> Beautiful, if this goes through LVS, it's already a big step towards a 
> correctly working LVS.

  Nokia phones work through LVS without problems.

>>  4. phone sends HTTP GET request;
>>  5. proxy ACKs packet 4;
> Only ACK? No data?

  Yes.

>>  6. proxy sends HTTP data packet;
>>  7. proxy sends another HTTP data packet;
>>  8. proxy sends FIN packet;
>>
>>  weird things start here
>>
>>  9. phone once more sends ACK packet acknowledging packet 2 (duplicate of 
>> packet 3);
> Does the proxy have SACK/FACK support enabled?

  Proxy is CentOS4 Linux server running Squid.

# sysctl net.ipv4.tcp_fack net.ipv4.tcp_sack
net.ipv4.tcp_fack = 1
net.ipv4.tcp_sack = 1

>>  10. and one more dupe of packet 3;
>>  11.-14. proxy repeats packet 6. 4 times.
> It has to. Is ECN enabled?

  Once again sysctl says no. Both on the LVS server and on the proxy.

>>  The problem is that LVS does not pass packets 11. to 14. to phone. Why?
> Because packet 8 was FIN and LVS is not stateful with regard to TCP 
> sessions and retransmits.

  But the phone did not acknowledge that FIN yet?

>>  In case of DNAT packets 11.-14. are passed to phone which at the end 
>> acknowledges packets 6. and 7. and then acknowledges packet 8. thus 
>> closing TCP connection.
> Here I don't follow your statements, sorry.

  If I set up DNAT instead of LVS then packets 11.-14. are sent to the phone.
In the case of LVS they are not.
  And after the phone receives those packets it sends ACK to packets 6. and 7.
and then to 8.

  Mindaugas

