On Fri, Oct 17, 2008 at 10:19 AM, Grant Taylor <gtaylor@xxxxxxxxxxxxxxxxx> wrote:
> On 10/17/08 01:30, Pranav Desai wrote:
>>
>> We are seeing cases where the return traffic is going out using the
>> proxyIP and port 8001, instead of using the origin server's IP and port 80. I
>> have added the traces for both cases below. Most of the traffic goes out
>> correctly using the origin server IP and port, but the traffic using port
>> 8001 is not insignificant, hence we are a bit concerned about it.
>
> *nod*
>
>> There are no connections coming in to port 8001.
>
> Ok...
>
> I have to ask, is there a reason you are not configuring clients to talk
> directly to the proxy? In my experience this works a lot better than
> transparent proxying. I tend to use direct proxying as the primary method
> and then transparent proxying as a backup and to catch devices that don't
> know how to talk to a proxy.
>

Too many clients will have to change their settings. Not feasible in our case.

>> I am not sure what could be causing this behavior or how I should go about
>> debugging this. Could the conntrack table or its usage be screwed up?
>
> Are there any DMESG or syslog entries about the connection table being full?
>

There is no info there, and the tables are not getting full. Here are
the conntrack settings.

net.ipv4.ip_conntrack_max = 1048576
net.ipv4.netfilter.ip_conntrack_buckets = 1048576
net.ipv4.netfilter.ip_conntrack_count = 63908
net.ipv4.netfilter.ip_conntrack_max = 1048576

-- Pranav

>
>
> Grant. . . .
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html