From: Bernhard Bock <mailinglists@bock.nu>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter@vger.kernel.org
Subject: Re: conntrackd failover works partially
Date: Wed, 23 Jul 2008 17:20:21 +0200
Message-ID: <48874C35.5010308@bock.nu>
In-Reply-To: <48872918.5080406@netfilter.org>
Hi Pablo,
Pablo Neira Ayuso wrote:
>>> Basically, you must find the same
>>> set of flows in the master's internal-cache and the backup's
>>> external-cache if everything goes fine.
>> That's exactly what I can observe. They are consistent when the failover
>> goes fine, and they're not when I have INVALID packets.
>
> Why did you set cache-write through on? You have a basic primary-backup
> failover, right? Set it off, please.
Fine. I was just experimenting.
>> As written in my last mail, I increased the SocketBufferSize to 256M and
>> the SocketBufferSizemaxGrown to 1024M in conntrackd.conf.
>
> That's too much, why did you set such a high buffer? Are you getting
> some log messages that tell you to do so?
No, I just wanted to make absolutely sure that a too small buffer cannot
be the reason, and the machine has plenty of RAM. What is a sensible value?
>> Now I get a lot of the following entries in syslog in addition to the
>> INVALID packets:
>> conntrack-tools[21319]: cache_wt crt-upd: Invalid argument
>> conntrack-tools[21319]: cache_wt update:Invalid argument
>
> Please, enable logging via /var/log/conntrackd.log. The syslog logging
> is not including the information about the entry that has failed. I'll
> fix this to make both logging approaches consistent.
OK, here are some example entries from conntrackd.log:
[Tue Jul 22 10:05:58 2008] (pid=27666) [ERROR] cache_wt crt-upd: Invalid argument
Tue Jul 22 10:05:58 2008 tcp 6 120 SYN_SENT src=10.5.0.101 dst=10.6.6.102 sport=53000 dport=80 [UNREPLIED]
[Tue Jul 22 10:05:58 2008] (pid=27666) [ERROR] cache_wt update:Invalid argument
Tue Jul 22 10:05:58 2008 tcp 6 60 SYN_RECV src=10.5.0.101 dst=10.6.6.102 sport=53000 dport=80
[Tue Jul 22 10:05:58 2008] (pid=27666) [ERROR] cache_wt crt-upd: Invalid argument
Tue Jul 22 10:05:58 2008 tcp 6 120 SYN_SENT src=10.5.0.101 dst=10.6.6.102 sport=53074 dport=80 [UNREPLIED]
[Tue Jul 22 10:05:58 2008] (pid=27666) [ERROR] cache_wt update:Invalid argument
Tue Jul 22 10:05:58 2008 tcp 6 60 SYN_RECV src=10.5.0.101 dst=10.6.6.102 sport=53074 dport=80
[Tue Jul 22 10:05:58 2008] (pid=27666) [ERROR] cache_wt crt-upd: Invalid argument
This is all with cache-write through, so we can just skip it for the
moment if you like.
Without cache-writethrough, I don't have the "cache_wt" message.
Nevertheless, I get lots of INVALID messages and many dying TCP
connections on failover, so there's no improvement in the result of
0.9.7 over 0.9.6. The lost packets in the multicast sequence tracking
are gone, as you suggested.
>> In FT-FW mode, the failover always fails, and it produces log entries like:
>
> Please, too many issues at the same time. Let's try to get it working
> without the cachewritethrough clause and then we'll get back to this, OK?
No problem, I was just testing FT-FW mode as you were proposing in your
last mail. One correctly working mode is enough for me. ;-)
best regards
Bernhard
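
Added example, not part of the original message and not conntrack-tools code: one way to run the consistency check quoted above, comparing the master's internal cache with the backup's external cache. It assumes the two dumps were saved from `conntrackd -i` (master) and `conntrackd -e` (backup) with one flow per line in the format of the log excerpt; the sample dumps and all function names are constructed for illustration.

```python
import re

# Port-based protocols only; ICMP flows carry no sport/dport and are skipped.
PROTO = re.compile(r"\b(tcp|udp|sctp|dccp)\s+\d+\s")
FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
KEYS = ("src", "dst", "sport", "dport")
STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT",
          "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT", "CLOSE"}

def parse_dump(text):
    """Map (proto, src, dst, sport, dport) -> TCP state, or None if absent."""
    flows = {}
    for line in text.splitlines():
        proto = PROTO.search(line)
        orig = {}
        for key, value in FIELD.findall(line):
            orig.setdefault(key, value)  # first hit = original direction
        if not proto or any(k not in orig for k in KEYS):
            continue  # header, blank or non-flow line
        state = next((t for t in line.split() if t in STATES), None)
        flows[(proto.group(1),) + tuple(orig[k] for k in KEYS)] = state
    return flows

def compare(internal_text, external_text):
    """Return (missing on backup, only on backup, state mismatches)."""
    internal, external = parse_dump(internal_text), parse_dump(external_text)
    missing = sorted(internal.keys() - external.keys())
    stale = sorted(external.keys() - internal.keys())
    differs = sorted(k for k in internal.keys() & external.keys()
                     if internal[k] != external[k])
    return missing, stale, differs

# Constructed sample dumps (addresses reused from the log excerpt above).
MASTER_INTERNAL = """\
tcp 6 ESTABLISHED src=10.5.0.101 dst=10.6.6.102 sport=53000 dport=80 src=10.6.6.102 dst=10.5.0.101 sport=80 dport=53000 [ASSURED]
tcp 6 SYN_RECV src=10.5.0.101 dst=10.6.6.102 sport=53074 dport=80
tcp 6 ESTABLISHED src=10.5.0.101 dst=10.6.6.102 sport=53120 dport=80 [ASSURED]
"""
BACKUP_EXTERNAL = """\
tcp 6 ESTABLISHED src=10.5.0.101 dst=10.6.6.102 sport=53000 dport=80 [ASSURED]
tcp 6 SYN_SENT src=10.5.0.101 dst=10.6.6.102 sport=53074 dport=80 [UNREPLIED]
tcp 6 TIME_WAIT src=10.5.0.101 dst=10.6.6.102 sport=52990 dport=80
"""

if __name__ == "__main__":
    missing, stale, differs = compare(MASTER_INTERNAL, BACKUP_EXTERNAL)
    print("in master internal cache only:", missing)
    print("in backup external cache only:", stale)
    print("TCP state differs:", differs)
```

Flows reported as present only in the master's internal cache are the ones that would have no state on the backup after a failover.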