From: Yoann Juet <yoann.juet@univ-nantes.fr>
To: netfilter@vger.kernel.org
Subject: Second failover failure with conntrackd - INVALID packets
Date: Wed, 21 Jan 2009 18:52:11 +0100
Message-ID: <497760CB.6090008@univ-nantes.fr>

Hi,

I have a testbed cluster with two firewall nodes and conntrack sync. 
Initially, node1 is the primary and node2 the backup.

1) I open a jabber connection. node1 replicates the conntrack session to 
node2 (conntrackd in synchronization mode FT-FW).
2) First failover: node2 becomes the new primary, node1 the backup. 
node2 recovers the TCP session. Everything seems to work fine at this 
moment.
3) Second failover: just 1 to 2 minutes after the first failover, node1 
becomes the primary, node2 the backup. The jabber TCP session is still 
in the conntrack table but the session is broken. I see many packets 
denied due to the INVALID state.

"nf_ct_tcp: ACK is over the upper bound (ACKed data not seen yet) IN= 
OUT=xxxxxx"

The TCP window tracking rejects packets after the second failover. I 
just have to activate "nf_conntrack_tcp_be_liberal" to make it work 
again, but that's not, for me, a good solution:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal

Why can't conntrackd recover the TCP session in the second failover? 
Is it a known issue, possibly due to a misconfiguration? I'm using 
debian/lenny (kernel 2.6.26-1-amd64) with heartbeat2, conntrack 0.9.6 
and a shell script that executes:

** on the new primary :
                conntrackd -c -C /etc/conntrackd.conf
                conntrackd -f -C /etc/conntrackd.conf
                conntrackd -R -C /etc/conntrackd.conf

** on the new backup :
                conntrackd -n -C /etc/conntrackd.conf

Thanks for your help,
Regards,
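The primary/backup switch described in the message above, written out as a
complete failover script. This is an added example, not the poster's own
script and not part of conntrackd: it assumes conntrackd is on PATH (override
with CONNTRACKD) and the config is at /etc/conntrackd.conf (override with
CONNTRACKD_CONF). The point it adds over the four bare commands is that each
step's exit status is checked, so a failed external-cache commit (-c) stops the
sequence instead of flushing and resyncing a node whose kernel table was never
populated, which would leave the new primary with no sessions and every
in-flight TCP packet landing in INVALID.

```shell
#!/bin/sh
# Added example (not from the original post): conntrackd failover helper.
# Assumptions: conntrackd binary on PATH (or CONNTRACKD set), config at
# /etc/conntrackd.conf (or CONNTRACKD_CONF set). Both names are ours.

CONNTRACKD="${CONNTRACKD:-conntrackd}"
CONNTRACKD_CONF="${CONNTRACKD_CONF:-/etc/conntrackd.conf}"

# Run one conntrackd action against the configured daemon; report and
# return non-zero if it fails so callers can stop the sequence.
ctd() {
    "$CONNTRACKD" "$1" -C "$CONNTRACKD_CONF" || {
        rc=$?
        echo "conntrackd $1 failed (rc=$rc)" >&2
        return "$rc"
    }
}

# New primary: commit the external cache into the kernel table (-c),
# flush the internal cache (-f), then resync the internal cache from
# the kernel (-R). The && chain stops at the first failed step.
failover_primary() {
    ctd -c && ctd -f && ctd -R
}

# New backup: request a full resync from the new primary (-n).
failover_backup() {
    ctd -n
}

# Report the current value of the TCP window-tracking escape hatch the
# post mentions; "n/a" when the sysctl is not present (non-Linux, or
# nf_conntrack not loaded).
tcp_be_liberal() {
    f=/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
    if [ -r "$f" ]; then cat "$f"; else echo n/a; fi
}

# Dispatch only when invoked with an action, so the functions above can
# also be sourced from another script (e.g. a heartbeat resource agent).
if [ $# -gt 0 ]; then
    case "$1" in
        primary) failover_primary ;;
        backup)  failover_backup ;;
        status)  tcp_be_liberal ;;
        *) echo "usage: $0 primary|backup|status" >&2; exit 2 ;;
    esac
fi
```

Usage from a heartbeat transition script: `./ctd-failover.sh primary` on the
node taking over, `./ctd-failover.sh backup` on the node stepping down, and
`./ctd-failover.sh status` to confirm whether nf_conntrack_tcp_be_liberal is
still 0 before concluding that window tracking is rejecting the packets.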

Thread overview: 22+ messages
2009-01-21 17:52 Yoann Juet [this message]
2009-01-21 20:52 ` Second failover failure with conntrackd - INVALID packets Pablo Neira Ayuso
2009-01-22  9:54   ` Yoann Juet
2009-01-22 16:55     ` Pablo Neira Ayuso
2009-01-23 12:39       ` Yoann Juet
2009-01-25 10:51         ` Pablo Neira Ayuso
2009-01-25 17:55           ` Pablo Neira Ayuso
2009-01-26 19:27             ` Yoann Juet
2009-01-26 23:01               ` Pablo Neira Ayuso
2009-01-29 16:10                 ` Yoann Juet
2009-02-03 10:10                   ` Pablo Neira Ayuso
2009-02-04 10:37                     ` Yoann Juet
2009-02-04 10:43                       ` Pablo Neira Ayuso
2009-02-06  9:18                         ` Yoann Juet
2009-02-09 11:29                           ` Pablo Neira Ayuso
2009-02-10 13:13                             ` Yoann Juet
2009-02-11  8:49                               ` Pablo Neira Ayuso
2009-02-13  8:21                                 ` Yoann Juet
2009-02-13 15:20                                   ` Pablo Neira Ayuso
     [not found]                                     ` <499B0696.2020300@netfilter.org>
2009-02-23 15:38                                       ` Yoann Juet
2009-02-23 20:40                                         ` Pablo Neira Ayuso
2009-02-24 12:03                                           ` Yoann Juet
