Bernhard Bock wrote:
> Pablo Neira Ayuso wrote:
>> During the fail-over, keepalived recovers the virtual IPs and conntrackd
>> commits the states into the kernel. The commit takes a very short time, but
>> you can still lose some packets if the state is not yet present in the
>> kernel - thus, these packets are logged as invalid and dropped, as we
>> don't find any matching state (with a sane stateful rule-set, of
>> course). *However*, the TCP sessions should recover as the peer or the
>> server retransmits the packet shortly afterwards, so I don't understand
>> why you lose nearly all the sessions.
>
> Agreed. My problem is, it doesn't recover. It keeps dropping packets as
> long as the test runs (the test stops at some point in time with socket
> timeouts).

Hm, I remember that the problem reported with the RHEL kernel was similar.
That user assured me that the state entries were successfully committed -
i.e. he could verify that `conntrack -L` displays them - but the packets
were not matching the injected states, thus leading to invalid logs and
drops. He ended up changing to Ubuntu. However, if it is a Fedora/RHEL
problem, it would be nice to know what's wrong with it.

>> Is the firewall sending RST packets to the peer/server to close
>> connections? If so, I remember a similar report with a RHEL kernel:
>
> Will check tomorrow.

OK, I'll wait for your news.

--
"Honest people are social misfits" -- Les Luthiers
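To tell the two cases apart that the thread distinguishes (drops because the state is not yet committed versus drops for flows whose state *is* already in the table, the RHEL symptom), here is an added example that is not part of the thread: it cross-references INVALID-drop kernel log lines against a `conntrack -L` dump. The `INVALID DROP: ` log prefix, the addresses and all sample lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed `conntrack -L` dump from the new master after the commit
# (conntrack-tools output layout; addresses are made up).
CONNTRACK_DUMP = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=45678 dport=80 src=10.0.0.5 dst=192.168.1.10 sport=80 dport=45678 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=192.168.1.11 dst=10.0.0.5 sport=50000 dport=443 src=10.0.0.5 dst=192.168.1.11 sport=443 dport=50000 [ASSURED] mark=0 use=1
"""

# Constructed kernel log lines, as produced by a rule such as
#   iptables -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID DROP: "
# (the prefix is an assumption; the field layout is the LOG target's).
KERNEL_LOG = """\
Jan 10 12:00:01 fw kernel: INVALID DROP: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=10.0.0.5 LEN=52 PROTO=TCP SPT=45678 DPT=80 ACK URGP=0
Jan 10 12:00:01 fw kernel: INVALID DROP: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=10.0.0.5 LEN=52 PROTO=TCP SPT=45678 DPT=80 ACK URGP=0
Jan 10 12:00:02 fw kernel: INVALID DROP: IN=eth0 OUT=eth1 SRC=192.168.1.12 DST=10.0.0.5 LEN=52 PROTO=TCP SPT=51000 DPT=22 ACK URGP=0
Jan 10 12:00:02 fw kernel: INVALID DROP: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.168.1.11 LEN=40 PROTO=TCP SPT=443 DPT=50000 ACK URGP=0
"""

# The state column (ESTABLISHED, ...) is optional so UDP entries also match.
CT_RE = re.compile(r"^(\w+)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\w+) SPT=(\d+) DPT=(\d+)")


def parse_conntrack(dump):
    """Return (proto, src, sport, dst, dport) keys for both directions of every entry."""
    keys = set()
    for line in dump.splitlines():
        m = CT_RE.match(line)
        if not m:
            continue
        proto, src, dst, sport, dport = m.groups()
        keys.add((proto, src, int(sport), dst, int(dport)))
        keys.add((proto, dst, int(dport), src, int(sport)))  # reply direction
    return keys


def classify_drops(kernel_log, ct_keys):
    """Count INVALID drops per flow, split by whether a state for it is present.

    'present' drops mean the committed state is not being matched (the RHEL case);
    'absent' drops are the expected transient loss until the commit lands."""
    present, absent = Counter(), Counter()
    for line in kernel_log.splitlines():
        m = LOG_RE.search(line) if "INVALID DROP:" in line else None
        if not m:
            continue
        src, dst, proto, spt, dpt = m.groups()
        key = (proto.lower(), src, int(spt), dst, int(dpt))
        (present if key in ct_keys else absent)[key] += 1
    return present, absent


if __name__ == "__main__":
    pres, absn = classify_drops(KERNEL_LOG, parse_conntrack(CONNTRACK_DUMP))
    print("dropped despite a matching state:", dict(pres))
    print("dropped with no state in the table:", dict(absn))
```

Run it against a real `conntrack -L > dump.txt` and a `journalctl -k` excerpt taken during the failover window; a large "present" set points at state entries that exist but are not matched, a large "absent" set at the commit simply not having finished yet.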