From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Michael Schwartzkopff <misch@multinet.de>
Cc: netfilter@vger.kernel.org
Subject: Re: Problem with conntrackd: TCP RST sent on NAT connections
Date: Fri, 20 Feb 2009 17:49:23 +0100 [thread overview]
Message-ID: <499EDF13.5000302@netfilter.org> (raw)
In-Reply-To: <200902201334.34830.misch@multinet.de>
Michael Schwartzkopff wrote:
> Hi,
>
> I have a strange problem here. I set up a testbed like in the on on the
> website, except that I have NAT im my scenario.
>
> When I test a SSH connection everything goes fine.
>
> When I download a file via HTTP the first failover works, but the failback
> breaks the connection and the download stops. Tracing the connection show that
> during the failback the HTTP Server sends a package to the virtual NAT address
> of my firewall and the firewall send a TCP RST back and thus stops the
> connection.
>
> Of course I tried first to sync the connection table and after that set up my
> virtual addresses, but it seems that it does not help.
>
> A similar problem was described from Abhijit Menon-Sen on Oct, 30th 2007 on
> the nf-failover mailing list. But I did not find any solution there.
>
> My system:
> debian lenny.
> Kernel 2.6.26-1-686
I remember that this kernel version has some problems if your setup has
any helper, if so, I suggest you to upgrade to latest linux kernel.
> conntrackd version 0.9.6-4
This is rather old conntrack-tools version. Could you try latest
conntrack-tools version from www.netfilter.org?
Using the latest primary-backup.sh script from git.netfilter.org instead
of the old ones that you are using would be also a good idea:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=tree;f=doc/sync;h=d0e3afe1bca3a581d246fa0b07b67bb8175295f6;hb=HEAD
> Mode: FTFW, heartbeat as HA solution.
>
> My firewall does allow everything. The only rule is the NAT rule that translats
> all packets comming from internal to the virtual external address.
Your firewall has to drop invalid packets at least, see the example
rule-set in the website. The firewall sends a TCP RST to the client if
it didn't find the NAT information, this happens when the conntrack
entry does not exist.
> Any idea what could be wrong? How could I trace the problem further?
After the first failover, check the primary's internal cache and
backup's external cache with the commands:
show internal cache (do this in the primary):
# conntrackd -i
show external cache (do this in the backup):
# conntrackd -e
They should show the same entries.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
next prev parent reply other threads:[~2009-02-20 16:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-20 12:34 Problem with conntrackd: TCP RST sent on NAT connections Michael Schwartzkopff
2009-02-20 16:49 ` Pablo Neira Ayuso [this message]
-- strict thread matches above, loose matches on Subject: below --
2009-02-23 20:34 Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=499EDF13.5000302@netfilter.org \
--to=pablo@netfilter.org \
--cc=misch@multinet.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox