Re: conntrackd: failover problems

Hi,

On 27/12/10 15:50, Simone Zaffalon wrote:
> Hi.
> I'm trying to set up an HA firewall with Debian, ucarp and conntrackd
> in a testbed.
> Debian is version 5.0.7 (stock kernel 2.6.26).
> 
> I have two hosts in active/passive configuration. At the moment I
> don't have any particular firewall rule in place, only a couple of
> iptables statements to NAT the clients' IPs and let them connect to the
> internet:
> iptables -t nat -A POSTROUTING -m state --state NEW,ESTABLISHED,RELATED -p TCP -s $internal_lan -d 0/0 -j SNAT --to-source $ext_fw_ip
> iptables -t nat -A POSTROUTING -m state --state NEW,ESTABLISHED,RELATED -p UDP -s $internal_lan -d 0/0 -j SNAT --to-source $ext_fw_ip
> 
> Conntrackd is installed and conntrackd -s reports no error in multicast traffic.
> Anyway, I'm not able to keep the sessions active between failovers.
> I can see connections in the external cache, but it seems that such
> connections are not committed.
> [Mon Dec 27 02:01:19 2010] (pid=2032) [notice] initialization completed
> [Mon Dec 27 02:01:19 2010] (pid=2041) [notice] -- starting in daemon mode --
> [Mon Dec 27 02:08:39 2010] (pid=2481) [notice] committing external cache
> [Mon Dec 27 02:08:39 2010] (pid=2481) [notice] Committed 1 new entries
> [Mon Dec 27 02:08:39 2010] (pid=2483) [notice] committing external cache
> [Mon Dec 27 02:08:39 2010] (pid=2483) [notice] Committed 0 new entries
> [Mon Dec 27 02:08:39 2010] (pid=2483) [notice] 1 entries can't be committed
> [Mon Dec 27 02:08:39 2010] (pid=2041) [notice] flushing caches
> [Mon Dec 27 02:08:39 2010] (pid=2041) [notice] resync with master table
> [Mon Dec 27 02:08:39 2010] (pid=2041) [notice] flushing caches
> [Mon Dec 27 02:08:39 2010] (pid=2041) [notice] resync with master table
> 
> As far as I understood, with this sequence of commands:
> in master
> conntrackd -n
> 
> in backup
> conntrackd -c
> conntrackd -f
> conntrackd -R

Better use the primary-backup.sh script that is included in the
conntrack-tools package. You can find it under doc/sync. That script
should be called by your HA manager during the failover.

> I should have the same sessions in master and backup (listed with
> conntrack -L), or am I totally wrong?

After the failover, you should see the flow-entries in the new primary
with conntrack -L.

> Is there any way to increase log verbosity to understand what's going on?
> I really don't know the internals of conntrackd well: am I missing
> something? Kernel parameters? sysctl settings?

Reading this helps:
http://conntrack-tools.netfilter.org/manual.html
http://conntrack-tools.netfilter.org/testcase.html

It can help you to get some more background on it and to spot what
you're doing wrong.

Please have a look at them and let me know if your problems persist.
Also include your software versions in your reports.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
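An added example, not the primary-backup.sh shipped with conntrack-tools and not code from either poster: a small wrapper that a ucarp vip-up script can call as `failover primary` and a vip-down script as `failover backup`, so the commit sequence mentioned above (`-c`, `-f`, `-R`) runs on the node that takes over and the node that steps down asks for a resync (`-n`). It assumes conntrackd is in PATH with its default configuration, and it adds `-t` (reset in-kernel timers) on the backup side, a conntrackd option not used in the thread. `CONNTRACKD` is a hypothetical override so the script can be exercised against a stub.

```shell
#!/bin/sh
# Added example (not conntrack-tools' own primary-backup.sh): run the
# conntrackd commands for a node that becomes primary or backup.
#
# Assumptions: conntrackd is in PATH and uses its default config file;
# CONNTRACKD may be overridden (e.g. with a shell function) for testing.
CONNTRACKD="${CONNTRACKD:-conntrackd}"

# Run one conntrackd command, log it to stderr so the HA manager's log
# shows what was executed, and propagate conntrackd's exit status.
run_ct() {
    printf 'failover: conntrackd %s\n' "$*" >&2
    "$CONNTRACKD" "$@"
}

# failover primary|backup
#   primary: -c commit the external cache into the kernel table,
#            -f flush the internal and external caches,
#            -R resync the internal cache from the kernel table.
#            Each step only runs if the previous one succeeded, so a
#            failed commit is reported instead of being flushed away.
#   backup:  -t reset the in-kernel timers so the entries left on the
#            old primary expire quickly,
#            -n request a full resync from the new primary.
failover() {
    case "$1" in
        primary)
            run_ct -c && run_ct -f && run_ct -R
            ;;
        backup)
            run_ct -t && run_ct -n
            ;;
        *)
            echo "usage: $0 {primary|backup}" >&2
            return 2
            ;;
    esac
}

# Dispatch only when a role was given on the command line; sourcing the
# file (or running it with no arguments) defines the functions and exits 0.
[ $# -eq 0 ] || failover "$1"
```

Call `failover primary` from the script ucarp runs when the virtual IP comes up, and `failover backup` from the one it runs when the VIP goes down; checking the exit status of the hook in the HA manager's log is the quickest way to see whether the commit step (the one that logs "Committed N new entries") actually succeeded on the new primary.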