[lvs-users] NFCT and PMTU

Mon Sep 10 15:37:17 BST 2012

I have a number of LVS directors running a mixture of CentOS 5 and CentOS 
6 (running kernels 2.6.18-238.5.1 and 2.6.32-71.29.1). I have applied the 
ipvs-nfct patch to the kernel(s).

When I set /proc/sys/net/ipv4/vs/conntrack to 1 I have PMTU issues. When 
it is set to 0 the issues go away. The issue is when a client on a network 
with a <1500 byte MTU connects. One of my real servers replies to the 
client's request with a 1500 byte packet and a device upstream of the 
client will send an ICMP must fragment. When conntrack=0 the director 
passed the (modified) ICMP packet on to the client. When conntrack=1 the 
director doesn't send an ICMP to the real server. I can toggle conntrack 
and watch the PMTU work and not work.

I would happily leave conntrack off, but it has a huge performance impact. 
With my traffic profile the softirq load doubles when I turn off 
conntrack. My busiest director is doing 2.1Gb of traffic and with 
conntrack off it can probably only handle 2.5Gb.

I am hoping that this issue has been observed and fixed and someone will 
be able to point me to the patch so I can back port it to my kernels (or 
finally get rid of CentOS 5!).
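
Added example, not part of the original post: a small Python parser for the ICMP "fragmentation needed" message (type 3, code 4) discussed above, which pulls out the next-hop MTU and the embedded original header that identifies the affected connection. It can be run over raw IPv4 packets captured on either side of the director to check whether the message is being passed on. The addresses, ports and sample packet are constructed for illustration.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with DF set (checksum left 0 for the sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_frag_needed(packet):
    """Return details of an ICMP type 3 code 4 message, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != socket.IPPROTO_ICMP:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = packet[ihl + 8:]  # header of the packet that was too big
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    info = {
        "reported_by": socket.inet_ntoa(packet[12:16]),
        "next_hop_mtu": mtu,
        "orig_len": struct.unpack("!H", inner[2:4])[0],
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_proto": inner[9],
    }
    # The first 8 bytes of the original TCP/UDP header carry the ports.
    if inner[9] in (socket.IPPROTO_TCP, socket.IPPROTO_UDP) and len(inner) >= inner_ihl + 4:
        info["orig_sport"], info["orig_dport"] = struct.unpack(
            "!HH", inner[inner_ihl:inner_ihl + 4])
    return info

# Constructed sample (documentation address ranges): an upstream router tells the
# virtual IP that a 1500-byte reply to the client exceeded a 1400-byte link MTU.
VIP, CLIENT, ROUTER = "192.0.2.10", "198.51.100.25", "203.0.113.1"
_orig = ipv4_header(VIP, CLIENT, socket.IPPROTO_TCP, 1480) + struct.pack("!HHI", 80, 51515, 0)
SAMPLE = (ipv4_header(ROUTER, VIP, socket.IPPROTO_ICMP, 8 + len(_orig))
          + struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + _orig)

if __name__ == "__main__":
    print(parse_frag_needed(SAMPLE))
```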


