Problem solved.

Short answer: PEBKAC.

Long answer: My asymmetrical route map was sending traffic to the wrong address.

The internal (incoming traffic) network for the cluster is: 192.168.115.32/29

Virtual IP = 192.168.115.33
Real IP (primary server) = 192.168.115.34
Real IP (backup server) = 192.168.115.35

The route map was sending traffic to 192.168.115.34 instead of 192.168.115.33. *ugh*

I am still confused as to why the backup server would be "seeing" the traffic via tcpdump; it is not as if I am using repeaters/hubs.

Mystery solved.

On Mon, 2007-10-29 at 13:53 -0500, Matt Zagrabelny wrote:
> Greetings,
>
> I am working on a project that involves asymmetrical routing. I am using
> two Debian GNU/Linux boxes as an active/passive firewall cluster.
>
>
>              Outgoing Traffic
>
>   +--eth0---+   +--eth0---+
>   |         |   |         |
>   | primary |   | backup  |
>   |         |   |         |
>   +--eth1---+   +--eth1---+
>
>              Incoming Traffic
>
> On the primary node everything works as expected.
>
> I have done the following:
>
> # echo 1 > /proc/sys/net/ipv4/ip_forward
> # echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
>
> I can see the traffic "go through the box" with the following commands:
>
> # tcpdump -i eth1
> # tcpdump -i eth0
>
> and also
>
> # iptables -t mangle -L PREROUTING -v -n
> # iptables -t filter -L FORWARD -v -n
>
> So, with the tcpdump commands I see on stdout the traffic. With the
> iptables commands I see byte counts increasing on the FORWARD chain.
>
> Here lies the problem:
>
> When I shut off the primary node and configure the backup to perform the
> same functionality, traffic does not seem to "go through" the tables.
>
> Running the same commands on the backup:
>
> # tcpdump -i eth1 <---- Output on stdout (good)
> # tcpdump -i eth0 <---- No output (bad)
>
> and also
>
> # iptables -t mangle -L PREROUTING -v -n <- byte counts do not increase
> # iptables -t filter -L FORWARD -v -n <- byte counts do not increase
>
> So then I also did:
>
> iptables -t mangle -A PREROUTING -j LOG --log-level ALERT
>
> Again, I see no evidence of any packets reaching iptables.
>
> So.... I have no idea where the packets are going after I see them in
> tcpdump. They seem like they disappear.
>
> I have done an effective "diff" of /proc/sys/net/ between the two nodes
> and they are identical.
>
-- 
Matt Zagrabelny - mzagrabe@xxxxxxxxx - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot lose.
-Jim Elliot
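A check script for the symptom in this thread (packets visible in tcpdump on the backup but never counted by iptables), added here as an example and not part of the original post or its author's setup: it tests whether this node actually owns the address the upstream route map points at, the two sysctls the post sets, and whether the frames tcpdump shows are addressed to this host's MAC at all, which is what separates "the switch is flooding someone else's traffic past my NIC" from "my firewall is dropping it". The VIP and real IPs are the ones from the post; the interface name, the `--live` flag and the function names are assumptions.

```sh
#!/bin/sh
# Added troubleshooting helper (not from the thread): frames show up in
# `tcpdump -i eth1` on the backup node but never reach PREROUTING/FORWARD.
set -eu

VIP=192.168.115.33   # address the upstream route map should point at
IN_IF=eth1           # interface that receives the asymmetric traffic (assumed)

# Does this node own the address the upstream router forwards to?
# $1 = IP to look for, $2 = text of `ip -4 -o addr show` (passed in so the
# check also works on pasted output, not only on the live box).
addr_owned() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        $3 == "inet" { split($4, a, "/"); if (a[1] == ip) found = 1 }
        END { print (found ? "owned" : "not-owned") }'
}

# The two sysctls that matter for forwarding asymmetric flows.
# $1 = ip_forward value, $2 = rp_filter value of the ingress interface.
sysctl_verdict() {
    if [ "$1" != "1" ]; then echo "ip_forward disabled"
    elif [ "$2" != "0" ]; then echo "rp_filter would drop asymmetric replies"
    else echo "sysctls ok"; fi
}

# tcpdump without -p puts the NIC in promiscuous mode, so it also shows frames
# addressed to other hosts' MACs (e.g. unicast flooded by the switch). The
# kernel discards such frames in ip_rcv(), before any netfilter hook runs.
# $1 = packets seen with -p (non-promiscuous), $2 = packets seen without -p.
capture_verdict() {
    if [ "$1" -eq 0 ] && [ "$2" -gt 0 ]; then
        echo "frames are for another MAC: check the next-hop address upstream"
    elif [ "$1" -gt 0 ]; then
        echo "frames are addressed to this host"
    else
        echo "no traffic arriving on interface"
    fi
}

# Live mode: run all three checks on this node (root needed for tcpdump).
if [ "${1:-}" = "--live" ]; then
    addr_owned "$VIP" "$(ip -4 -o addr show)"
    sysctl_verdict "$(cat /proc/sys/net/ipv4/ip_forward)" \
                   "$(cat /proc/sys/net/ipv4/conf/$IN_IF/rp_filter)"
    filter='ip and not (ether broadcast or ether multicast)'
    np=$(timeout 10 tcpdump -p -i "$IN_IF" -c 5 -n "$filter" 2>/dev/null | wc -l | tr -d ' ')
    pr=$(timeout 10 tcpdump    -i "$IN_IF" -c 5 -n "$filter" 2>/dev/null | wc -l | tr -d ' ')
    capture_verdict "$np" "$pr"
fi
```

Run it as `sh check.sh --live` on the backup while the upstream router is sending traffic; if the `-p` capture is empty but the promiscuous one is not, the fix is upstream (the next-hop address), not in iptables.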