Hey ML! I am trying to build an active/active asynchronous multi-path cluster with a stateful firewall on top. Basically I have 2 routers connected to a different AS via multiple links. I am using keepalived to have a VIP on the LAN side to route all internal traffic through it. As the packet flow may exit via one link and return on the other, I need to synchronize all connection states. Otherwise the firewall will drop the packets as it's not aware of e.g. the TCP connections.

My configuration so far:

> Sync {
>     Mode FTFW {
>         DisableExternalCache On
>         ResendQueueSize 131072
>         PurgeTimeout 5
>         ACKWindowSize 300
>     }
>
>     Multicast {
>         IPv4_address 225.0.0.50
>         Group 3780
>         IPv4_interface 10.4.48.14
>         Interface bond2
>         SndSocketBuffer 1249280
>         RcvSocketBuffer 1249280
>         Checksum On
>     }
>
>     Options {
>         TCPWindowTracking On
>         ExpectationSync On
>     }
> }
>
> General {
>     Nice -20
>     HashSize 32768
>     HashLimit 131072
>     LogFile /var/log/conntrackd.log
>     LockFile /var/lock/conntrack.lock
>     UNIX {
>         Path /var/run/conntrackd.ctl
>         Backlog 20
>     }
>     NetlinkBufferSize 2097152
>     NetlinkBufferSizeMaxGrowth 8388608
>     Filter From Userspace {
>         Protocol Accept {
>             TCP
>             SCTP
>             DCCP
>             UDP
>             ICMP
>             IPv6-ICMP
>         }
>         Address Ignore {
>             IPv4_address 127.0.0.0/8
>             IPv4_address 46.243.94.14
>             IPv4_address 10.4.48.14
>             IPv4_address 10.243.163.14
>             IPv4_address 172.27.3.14
>             IPv4_address 169.254.0.0/16
>             IPv4_address 10.4.48.1
>             IPv6_address ::1/128
>             IPv6_address 2a02:2b80:101:677::14
>         }
>     }
> }

Second node is X.X.X.15

Actually conntrackd is working so far:

> node1 $ conntrackd -s
> cache internal:
> current active connections: 62959
> connections created: 489195 failed: 0
> connections updated: 1156570 failed: 0
> connections destroyed: 426236 failed: 0
>
> external inject:
> connections created: 221071 failed: 0
> connections updated: 21 failed: 0
> connections destroyed: 61344 failed: 0
>
> traffic processed:
> 0 Bytes 0 Pckts
>
> multicast traffic (active device=bond2):
> 145907924 Bytes sent 33912008 Bytes recv
> 1978321 Pckts sent 350383 Pckts recv
> 0 Error send 0 Error recv
>
> message tracking:
> 0 Malformed msgs 3 Lost msgs

> node2 $ conntrackd -s
> cache internal:
> current active connections: 1537
> connections created: 224062 failed: 0
> connections updated: 21 failed: 0
> connections destroyed: 222525 failed: 0
>
> external inject:
> connections created: 491746 failed: 0
> connections updated: 1160477 failed: 0
> connections destroyed: 348601 failed: 0
>
> traffic processed:
> 0 Bytes 0 Pckts
>
> multicast traffic (active device=bond2):
> 34254992 Bytes sent 147212112 Bytes recv
> 353358 Pckts sent 1995846 Pckts recv
> 0 Error send 0 Error recv
>
> message tracking:
> 0 Malformed msgs 0 Lost msgs

I was able to see the synchronization of an ICMP connection and the incoming packet flow was actually accepted on the second node as the state was known. It was _not_ working before conntrackd was running. But it's not working for TCP connections which are known on node1 as SYN_SENT UNREPLIED. They do not get synced to the other node and hence the firewall on the second node is dropping the SYN_ACK packet.

What am I missing?