Linux Netfilter discussions
From: Michael Schwartzkopff <misch@multinet.de>
To: netfilter@vger.kernel.org
Subject: Problem with conntrackd: TCP RST sent on NAT connections
Date: Fri, 20 Feb 2009 13:34:34 +0100
Message-ID: <200902201334.34830.misch@multinet.de>

Hi,

I have a strange problem here. I set up a testbed like the one on the 
website, except that I have NAT in my scenario.

When I test an SSH connection, everything goes fine.

When I download a file via HTTP, the first failover works, but the failback 
breaks the connection and the download stops. Tracing the connection shows that 
during the failback the HTTP server sends a packet to the virtual NAT address 
of my firewall, and the firewall sends a TCP RST back and thus stops the 
connection.

Of course, I first tried to sync the connection table and only after that set up my 
virtual addresses, but it seems that this does not help.

A similar problem was described by Abhijit Menon-Sen on Oct 30th, 2007 on 
the nf-failover mailing list, but I did not find any solution there.

My system:
Debian lenny
Kernel 2.6.26-1-686
conntrackd version 0.9.6-4

Mode: FTFW, heartbeat as HA solution.

My firewall allows everything. The only rule is the NAT rule that translates 
all packets coming from the internal side to the virtual external address.

Any idea what could be wrong? How could I trace the problem further? Thanks 
for any help.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: misch@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
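The symptom above (server packet to the virtual NAT address answered with a RST) is what you see when the node that currently owns the virtual address has no conntrack entry for that flow: without an entry the SNAT is not reversed, the segment is delivered to the firewall's own TCP stack, which has no socket for it and replies with a RST. A quick way to trace this further is to dump the conntrack table on both nodes (`conntrack -L`) right after the failback and check whether the reply tuple the server is hitting is present. The script below is an added example, not code from the original post or from conntrack-tools; it parses the `conntrack -L` line format and compares two dumps. All addresses, ports and table contents are constructed for illustration (VIP 203.0.113.5, internal client 192.168.1.10, external server 198.51.100.22).

```python
"""Check whether a NAT flow survives in a conntrack table dump.

Added illustration (not from the original post or from conntrack-tools).
It reads `conntrack -L`-style lines, looks up the entry a packet from the
outside would have to match (its reply tuple), and lists flows that exist
on the primary but were not replicated to the backup.  All addresses and
table contents below are constructed examples.
"""
import re

# Constructed `conntrack -L` output on the node that owns the virtual
# address 203.0.113.5 while it is primary: one HTTP and one SSH flow,
# both SNATed from 192.168.1.10 to the VIP.
PRIMARY_TABLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.22 sport=40212 dport=80 src=198.51.100.22 dst=203.0.113.5 sport=80 dport=40212 [ASSURED] mark=0 use=1
tcp      6 431987 ESTABLISHED src=192.168.1.10 dst=198.51.100.22 sport=40213 dport=22 src=198.51.100.22 dst=203.0.113.5 sport=22 dport=40213 [ASSURED] mark=0 use=1
"""

# Constructed dump on the other node after a failback: the SSH flow was
# replicated, the HTTP flow is missing.
BACKUP_TABLE = """\
tcp      6 431987 ESTABLISHED src=192.168.1.10 dst=198.51.100.22 sport=40213 dport=22 src=198.51.100.22 dst=203.0.113.5 sport=22 dport=40213 [ASSURED] mark=0 use=1
"""

# One direction of a conntrack entry: src=... dst=... sport=... dport=...
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_table(text):
    """Parse conntrack -L lines into entries with original and reply tuples.

    The first src=/dst= group on a line is the original direction, the
    second is the reply direction (post-NAT).  Lines without exactly two
    complete 4-tuples (e.g. ICMP) are skipped.
    """
    entries = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue
        orig, reply = tuples
        entries.append({
            "proto": line.split()[0],
            "orig": (orig[0], orig[1], int(orig[2]), int(orig[3])),
            "reply": (reply[0], reply[1], int(reply[2]), int(reply[3])),
        })
    return entries


def lookup_reply(entries, src, dst, sport, dport):
    """Return the entry an inbound packet (src, dst, sport, dport) matches.

    A packet coming back from the server matches an entry's reply tuple.
    None means there is no state for it: the SNAT is not reversed, the
    segment lands on the firewall's own stack and gets a TCP RST.
    """
    key = (src, dst, sport, dport)
    for entry in entries:
        if entry["reply"] == key:
            return entry
    return None


def missing_flows(primary_entries, backup_entries):
    """Entries known to the primary whose reply tuple is absent on the backup."""
    known = {e["reply"] for e in backup_entries}
    return [e for e in primary_entries if e["reply"] not in known]


if __name__ == "__main__":
    primary = parse_table(PRIMARY_TABLE)
    backup = parse_table(BACKUP_TABLE)
    # The HTTP server's next data segment as seen by the node now holding the VIP.
    packet = ("198.51.100.22", "203.0.113.5", 80, 40212)
    print("HTTP flow known on backup:", lookup_reply(backup, *packet) is not None)
    for entry in missing_flows(primary, backup):
        print("not replicated:", entry["orig"], "->", entry["reply"])
```

On a real pair of nodes you would feed the two `conntrack -L` dumps into `parse_table` instead of the constructed strings; a flow that shows up in `missing_flows` right after the failback points at the replication, not at the NAT rule.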


Thread overview: 3+ messages
2009-02-20 12:34 Michael Schwartzkopff [this message]
2009-02-20 16:49 ` Problem with conntrackd: TCP RST sent on NAT connections Pablo Neira Ayuso
2009-02-23 20:34 Pablo Neira Ayuso
