From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Michael Schwartzkopff <misch@multinet.de>
Cc: netfilter@vger.kernel.org
Subject: Re: Problem with conntrackd: TCP RST sent on NAT connections
Date: Fri, 20 Feb 2009 17:49:23 +0100 [thread overview]
Message-ID: <499EDF13.5000302@netfilter.org> (raw)
In-Reply-To: <200902201334.34830.misch@multinet.de>
Michael Schwartzkopff wrote:
> Hi,
>
> I have a strange problem here. I set up a testbed like in the on on the
> website, except that I have NAT im my scenario.
>
> When I test a SSH connection everything goes fine.
>
> When I download a file via HTTP the first failover works, but the failback
> breaks the connection and the download stops. Tracing the connection show that
> during the failback the HTTP Server sends a package to the virtual NAT address
> of my firewall and the firewall send a TCP RST back and thus stops the
> connection.
>
> Of course I tried first to sync the connection table and after that set up my
> virtual addresses, but it seems that it does not help.
>
> A similar problem was described from Abhijit Menon-Sen on Oct, 30th 2007 on
> the nf-failover mailing list. But I did not find any solution there.
>
> My system:
> debian lenny.
> Kernel 2.6.26-1-686
I remember that this kernel version has some problems if your setup has
any helper, if so, I suggest you to upgrade to latest linux kernel.
> conntrackd version 0.9.6-4
This is rather old conntrack-tools version. Could you try latest
conntrack-tools version from www.netfilter.org?
Using the latest primary-backup.sh script from git.netfilter.org instead
of the old ones that you are using would be also a good idea:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=tree;f=doc/sync;h=d0e3afe1bca3a581d246fa0b07b67bb8175295f6;hb=HEAD
> Mode: FTFW, heartbeat as HA solution.
>
> My firewall does allow everything. The only rule is the NAT rule that translats
> all packets comming from internal to the virtual external address.
Your firewall has to drop invalid packets at least, see the example
rule-set in the website. The firewall sends a TCP RST to the client if
it didn't find the NAT information, this happens when the conntrack
entry does not exist.
> Any idea what could be wrong? How could I trace the problem further?
After the first failover, check the primary's internal cache and
backup's external cache with the commands:
show internal cache (do this in the primary):
# conntrackd -i
show external cache (do this in the backup):
# conntrackd -e
They should show the same entries.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
next prev parent reply other threads:[~2009-02-20 16:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-20 12:34 Problem with conntrackd: TCP RST sent on NAT connections Michael Schwartzkopff
2009-02-20 16:49 ` Pablo Neira Ayuso [this message]
-- strict thread matches above, loose matches on Subject: below --
2009-02-23 20:34 Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=499EDF13.5000302@netfilter.org \
--to=pablo@netfilter.org \
--cc=misch@multinet.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.