RE: slightly OT, postfix related

  • Gary Smith
    Message 1 of 2 , Apr 26, 2010
      > I'm working on load balancing some sqlgrey servers using ipvsadm (none of the
      > other bells and whistles, just the director itself). Anyway, at first glimpse
      > things look like they are running well until I find that I have a lot of
      > connections in ESTABLISHED mode running on the sqlgrey real servers. Looking
      > at the director there are corresponding active connections, and finally,
      > looking at postfix, there are only a few active connections. I have worked
      > with the ipvsadm group to ensure arp routing and other items are taken care of
      > as per their recommendations.
      >
      > What I am seeing is that postfix seems to be sending the close request down
      > the pipe to the load balancer and the director isn't responding (properly?),
      > postfix is then marking the connection as FIN_WAIT, and finally, the
      > connection is being dropped by the postfix server. The problem appears to be
      > that the director isn't either passing the request forward or isn't
      > acknowledging it at all.
      >
      > Now, when I swing the postfix directly to the IP of one of the real nodes, no
      > problem. So, I was thinking maybe persistence. So I change director to be
      > sticky for 15 minutes, but no go.
      >
      > Has anyone seen this behavior before on a load balanced policy server?
      >
      > Anyone have any ipvsadm scripts for a policy server they would like to share?
      > I'm using wlc nat'ed connections currently.


      Things work much better. The lost connections were because of iptables. I have this rule early on for the server that has the director. I guess the ACK FIN is technically an invalid state...

      -A INPUT -p tcp -m conntrack --ctstate INVALID -j LOG --log-prefix "FW-I BF: "
      -A INPUT -p tcp -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-port-unreachable

      Apr 26 04:36:02 wall1 kernel: FW-I BF: IN=br0 OUT= PHYSIN=eth1 MAC=00:50:56:b1:63:bc:00:0c:29:92:be:b7:08:00 SRC=10.80.66.24 DST=10.80.55.11 LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=40835 DF PROTO=TCP SPT=52114 DPT=3917 WINDOW=363 RES=0x00 ACK FIN URGP=0

      > Gary
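
An added example, not part of the original post: a small Python parser for kernel LOG entries like the one above that groups hits on the `--ctstate INVALID` rule by flow and TCP flags, so rejected connection closes (FIN/RST) stand out. Only the first sample line comes from the post; the other three are constructed.

```python
from collections import Counter

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
PREFIX = "FW-I BF: "  # --log-prefix used by the rule in the post

# First line is the log entry from the post; the other three are constructed.
SAMPLE = """\
Apr 26 04:36:02 wall1 kernel: FW-I BF: IN=br0 OUT= PHYSIN=eth1 MAC=00:50:56:b1:63:bc:00:0c:29:92:be:b7:08:00 SRC=10.80.66.24 DST=10.80.55.11 LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=40835 DF PROTO=TCP SPT=52114 DPT=3917 WINDOW=363 RES=0x00 ACK FIN URGP=0
Apr 26 04:36:05 wall1 kernel: FW-I BF: IN=br0 OUT= PHYSIN=eth1 SRC=10.80.66.24 DST=10.80.55.11 LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=40911 DF PROTO=TCP SPT=52120 DPT=3917 WINDOW=363 RES=0x00 ACK FIN URGP=0
Apr 26 04:36:09 wall1 kernel: FW-I BF: IN=br0 OUT= PHYSIN=eth1 SRC=10.80.66.24 DST=10.80.55.11 LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=40950 DF PROTO=TCP SPT=52131 DPT=3917 WINDOW=363 RES=0x00 ACK URGP=0
Apr 26 04:36:10 wall1 kernel: device eth1 entered promiscuous mode
"""

def parse_line(line, prefix=PREFIX):
    """Return the fields of one netfilter LOG entry, or None if the prefix is absent."""
    _, found, rest = line.partition(prefix)
    if not found:
        return None
    fields, flags = {}, []
    for tok in rest.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val          # KEY=value pairs (value may be empty, e.g. OUT=)
        elif tok in TCP_FLAGS:
            flags.append(tok)          # bare tokens: TCP flags (DF is an IP flag, skipped)
    fields["FLAGS"] = " ".join(flags)
    return fields

def summarize(text):
    """Count INVALID-rule hits per (src, dst, dport, tcp flags)."""
    hits = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f and f.get("PROTO") == "TCP":
            hits[(f["SRC"], f["DST"], int(f["DPT"]), f["FLAGS"])] += 1
    return hits

def teardown_hits(hits):
    """Hits whose flags include FIN or RST: connection closes caught by the rule."""
    return {k: n for k, n in hits.items() if {"FIN", "RST"} & set(k[3].split())}

if __name__ == "__main__":
    for (src, dst, dport, flags), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {src} -> {dst}:{dport}  [{flags}]")
```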