SV: conntrackd - active/active asynchronous multi-path cluster - TCP SYN_SENT UNREPLIED

Short question:

Is it possible to get a TCPDUMP of a TCP attempt on BOTH firewalls which fails, combined with the conntrack -E output from both?


Best regards
André Paulsberg-Csibi
Senior Network Engineer 
IBM Services AS


Sensitivity: Internal

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx <netfilter-owner@xxxxxxxxxxxxxxx> On behalf of n3phr0n
Sent: Thursday, 28 February 2019 18:06
To: netfilter@xxxxxxxxxxxxxxx
Subject: Re: conntrackd - active/active asynchronous multi-path cluster - TCP SYN_SENT UNREPLIED

Please Ignore this post..

Broken encoding, typos - I already resend a clean one.

Sorry for the noise...

On 2/28/19 5:31 PM, n3phr0n wrote:
> Hey ML!
> 
> I am trying to build an active/active asynchronous multi-path cluster 
> with a stateful firewall on top.
> Basically I have 2 routers connected to a different AS via multiple 
> Links. I am using keepalived to have a VIP on LAN side to route all 
> internal traffic through it. As Packet flow is eventually exiting via 
> the one link and returning on the other, I need to synchronize all 
> connection states. Otherwise the Firewall will drop the packets as it's 
> not aware of e.g. the tcp connections.
> 
> My configuration so far:
> 
>> Sync {
>>   Mode FTFW {
>>     DisableExternalCache On
>>     ResendQueueSize 131072
>>     PurgeTimeout 5
>>     ACKWindowSize 300
>>   }
>>  
>>   Multicast {
>>     IPv4_address 225.0.0.50
>>     Group 3780
>>     IPv4_interface 10.4.48.14
>>     Interface bond2
>>     SndSocketBuffer 1249280
>>     RcvSocketBuffer 1249280
>>     Checksum On
>>   }
>>  
>>   Options {
>>     TCPWindowTracking On
>>     ExpectationSync On
>>   }
>>  
>> }
>>  
>> General {
>>   Nice -20
>>   HashSize 32768
>>   HashLimit 131072
>>   LogFile /var/log/conntrackd.log
>>   LockFile /var/lock/conntrack.lock
>>   UNIX {
>>     Path /var/run/conntrackd.ctl
>>     Backlog 20
>>   }
>>   NetlinkBufferSize 2097152
>>   NetlinkBufferSizeMaxGrowth 8388608
>>   Filter From Userspace {
>>     Protocol Accept {
>>       TCP
>>       SCTP
>>       DCCP
>>       UDP
>>       ICMP
>>       IPv6-ICMP
>>     }
>>     Address Ignore {
>>       IPv4_address 127.0.0.0/8
>>       IPv4_address 46.243.94.14
>>       IPv4_address 10.4.48.14
>>       IPv4_address 10.243.163.14
>>       IPv4_address 172.27.3.14
>>       IPv4_address 169.254.0.0/16
>>       IPv4_address 10.4.48.1
>>       IPv6_address ::1/128
>>       IPv6_address 2a02:2b80:101:677::14
>>     }
>>   }
>> }
> Second node is X.X.X.15
> 
> Actually conntrackd is working so far:
> 
>> node1 $ conntrackd -s
>> cache internal:
>> current active connections:            62959
>> connections created:                  489195    failed:            0
>> connections updated:                 1156570    failed:            0
>> connections destroyed:                426236    failed:            0
>>
>> external inject:
>> connections created:                  221071    failed:            0 
>> connections updated:                      21    failed:            0 
>> connections destroyed:                 61344    failed:            0
>>
>> traffic processed:
>>                    0 Bytes                         0 Pckts
>>
>> multicast traffic (active device=bond2):
>>            145907924 Bytes sent             33912008 Bytes recv
>>              1978321 Pckts sent               350383 Pckts recv
>>                    0 Error send                    0 Error recv
>>
>> message tracking:
>>                    0 Malformed msgs                    3 Lost msgs
> 
>> node2 $ conntrackd -s
>> cache internal:
>> current active connections:             1537
>> connections created:                  224062    failed:               0
>> connections updated:                      21    failed:               0
>> connections destroyed:                222525    failed:               0
>>
>> external inject:
>> connections created:              491746    failed:               0 
>> connections updated:             1160477    failed:               0 
>> connections destroyed:              348601    failed:               0
>>
>> traffic processed:
>>                    0 Bytes                         0 Pckts
>>
>> multicast traffic (active device=bond2):
>>             34254992 Bytes sent            147212112 Bytes recv
>>               353358 Pckts sent              1995846 Pckts recv
>>                    0 Error send                    0 Error recv
>>
>> message tracking:
>>                    0 Malformed msgs                    0 Lost msgs
>>
> I was able to see the synchronization of an ICMP connection and the 
> incoming packet flow was actually accepted on the second node as the 
> state was known. It was _not_ working before conntrackd was running.
> 
> But it's not working for TCP connections which are known on node1 as 
> SYN_SENT UNREPLIED. They do not get synced to the other node and hence 
> the firewall on the second node is dropping the SYN_ACK packet.
> 
> What am I missing?
> 
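As an added example (not part of this thread, not conntrackd's own tooling), a small Python script that does the check André asks for: it correlates `conntrack -E -p tcp` output captured on both nodes and lists TCP flows that reached SYN_SENT [UNREPLIED] on one node but never appeared on the other. The event lines are constructed samples with placeholder addresses; `parse_events` and `unsynced_syn_sent` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample of `conntrack -E -p tcp` output on the two nodes (not
# captures from the thread; addresses are placeholders). Node1 originates
# both SYNs; only the second flow was ever injected into node2.
NODE1_EVENTS = """\
    [NEW] tcp      6 120 SYN_SENT src=10.4.48.100 dst=203.0.113.10 sport=40001 dport=443 [UNREPLIED] src=203.0.113.10 dst=10.4.48.100 sport=443 dport=40001
    [NEW] tcp      6 120 SYN_SENT src=10.4.48.100 dst=203.0.113.20 sport=40002 dport=80 [UNREPLIED] src=203.0.113.20 dst=10.4.48.100 sport=80 dport=40002
 [UPDATE] tcp      6 60 SYN_RECV src=10.4.48.100 dst=203.0.113.20 sport=40002 dport=80 src=203.0.113.20 dst=10.4.48.100 sport=80 dport=40002
 [UPDATE] tcp      6 432000 ESTABLISHED src=10.4.48.100 dst=203.0.113.20 sport=40002 dport=80 src=203.0.113.20 dst=10.4.48.100 sport=80 dport=40002 [ASSURED]
"""
NODE2_EVENTS = """\
    [NEW] tcp      6 120 SYN_SENT src=10.4.48.100 dst=203.0.113.20 sport=40002 dport=80 [UNREPLIED] src=203.0.113.20 dst=10.4.48.100 sport=80 dport=40002
 [UPDATE] tcp      6 432000 ESTABLISHED src=10.4.48.100 dst=203.0.113.20 sport=40002 dport=80 src=203.0.113.20 dst=10.4.48.100 sport=80 dport=40002 [ASSURED]
"""

# One TCP event line: type, optional timeout, TCP state, then the original
# direction tuple; everything after it (reply tuple, flags) goes in `rest`.
EVENT_RE = re.compile(
    r"\[(?P<ev>NEW|UPDATE|DESTROY)\]\s+tcp\s+6\s+(?:\d+\s+)?(?P<state>[A-Z_]+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r"(?P<rest>.*)"
)

def parse_events(text):
    """Map each flow (src, dst, sport, dport) to its [(event, state, unreplied)] history."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # non-TCP lines and DESTROY lines without a state are skipped
        key = (m["src"], m["dst"], int(m["sport"]), int(m["dport"]))
        flows[key].append((m["ev"], m["state"], "[UNREPLIED]" in m["rest"]))
    return flows

def unsynced_syn_sent(local_text, peer_text):
    """Flows that reached SYN_SENT [UNREPLIED] on the local node but never showed up on the peer."""
    local_flows = parse_events(local_text)
    peer_flows = parse_events(peer_text)
    return sorted(
        key for key, history in local_flows.items()
        if any(state == "SYN_SENT" and unreplied for _, state, unreplied in history)
        and key not in peer_flows
    )

if __name__ == "__main__":
    # Expected: the flow to 203.0.113.10:443 is reported, the one to :80 is not.
    for flow in unsynced_syn_sent(NODE1_EVENTS, NODE2_EVENTS):
        print("SYN_SENT entry missing on peer:", flow)
```

Run `conntrack -E -p tcp > node1.log` and the same on node2 during a failing test connection, then feed both files to `unsynced_syn_sent`; a reported flow is one whose SYN_SENT entry never reached the peer, which is exactly the case where the peer's firewall will drop the SYN_ACK.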
