Scheduling lc, rr, persistent.
Denis
denismpa at gmail.com
Thu Feb 1 06:42:59 EST 2007
Hello guys! I'm in trouble with a Squid proxy that uses a LB+HA
streamlined DR server.
I was using the rr scheduler but the users were always having problems
with sluggishness and frequent timeouts when accessing the internet.
I tried to change my scheduler to lc persistent mode but some users
can connect and others can't, and if you wait for some minutes you can
connect, and then not, and yes, and not, intermittently. With the persistent
option disabled, sometimes that occurs too, and sometimes not.
When I type ipvsadm -L -n,
the tables on the two machines are different from one another;
sometimes there are a lot of connections in all columns and sometimes so few connections.
machine one:
Proxy-Node1:~# ipvsadm -L -n
IP Virtual Server version 1.2.0 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.8.77:3128 lc persistent 180
  -> 172.16.8.83:3128             Local   1      19         130
  -> 172.16.8.85:3128             Route   1      11         388
Proxy-Node2:~# ipvsadm -L -n
IP Virtual Server version 1.2.0 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.8.77:3128 lc persistent 180
  -> 172.16.8.83:3128             Route   1      0          94
  -> 172.16.8.85:3128             Local   1      40         56
At another time:
Proxy-Node1:~# ipvsadm -L -n
IP Virtual Server version 1.2.0 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.8.77:3128 lc
  -> 172.16.8.83:3128             Local   1      99         518
  -> 172.16.8.85:3128             Route   1      190        398
Proxy-Node2:~# ipvsadm -L -n
IP Virtual Server version 1.2.0 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.8.77:3128 lc
  -> 172.16.8.83:3128             Route   1      181        660
  -> 172.16.8.85:3128             Local   1      182        741
That looks like a DoS attack, so I enabled the 3 DoS defence options from LVS:
echo 1 > /proc/sys/net/ipv4/vs/secure_tcp && echo 1 > /proc/sys/net/ipv4/vs/drop_packet && echo 1 > /proc/sys/net/ipv4/vs/drop_entry
I tried to reduce the timeouts for tcp, tcp_fin and udp connections too:
ipvsadm --set 300 120 120
but I'm still having that problem...
The browser can't connect to the proxy. Analyzing the tcpdump from a
client that can't connect to the proxy in real time, the output is this:
17:03:31.967415 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.967490 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.967696 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.967841 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.968210 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.967945 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.968342 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.968105 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.968610 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.968508 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.969067 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.980978 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.984454 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.984587 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.984687 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.984733 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.985094 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.985148 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.985858 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.985898 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.986199 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.986233 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.986579 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.986649 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
That is, the client tries to connect but the server doesn't answer.
What I want is to use this system for a HA+LB proxy. My machines are
two PIV 3.0 with 1Gb RAM.
Looking at mrtg, the processor load stays at about 5% all day and the
memory at about 30%.
I have about 1000~1300 clients. Are my servers less than I need?
Regards, thanks.
=) And sorry for my poor English =D
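
An added example, not part of the original post: a triage script for captures like the one above, where one SYN (same source port and same sequence number) appears many times within milliseconds. A sender's own SYN retransmissions are spaced by a timeout on the order of seconds, so copies this close together are not retransmissions. The function name, both thresholds and the last three sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# tcpdump text format seen in the post:
#   HH:MM:SS.frac IP src.port > dst.port: S seq:seq(0) win ...
SYN_RE = re.compile(r"^(\d+):(\d+):(\d+)\.(\d+) IP (\S+) > (\S+): S (\d+):\d+\(\d+\)")

def duplicate_syn_bursts(lines, min_copies=3, max_gap_us=200_000):
    """Find bursts in which one SYN (same src, dst, seq) is captured repeatedly.

    min_copies and max_gap_us are assumed thresholds for this example; the gap
    is kept well below a TCP stack's initial SYN retransmission timeout.
    """
    seen = defaultdict(list)
    for line in lines:
        m = SYN_RE.match(line.strip())
        if not m or " ack " in line:       # skip other packets and SYN-ACKs
            continue
        h, mi, s, frac, src, dst, seq = m.groups()
        us = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000
        us += int(frac.ljust(6, "0")[:6])  # fractional part as microseconds
        seen[(src, dst, int(seq))].append(us)

    bursts = []
    for (src, dst, seq), stamps in seen.items():
        stamps.sort()                      # capture lines can be out of order
        start = 0
        for i in range(1, len(stamps) + 1):
            # close the current burst at end of data or at a large time gap
            if i == len(stamps) or stamps[i] - stamps[i - 1] > max_gap_us:
                if i - start >= min_copies:
                    bursts.append({"src": src, "dst": dst, "seq": seq,
                                   "copies": i - start,
                                   "span_us": stamps[i - 1] - stamps[start]})
                start = i
    return bursts

# First five lines are taken from the capture in the post; the last three are
# constructed: an ordinary SYN, its SYN-ACK, and a retransmission 3 s later.
SAMPLE = """\
17:03:31.967415 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.967490 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.967696 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.967841 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:31.968210 IP 172.16.8.126.4512 > 172.16.8.77.3128: S 687174948:687174948(0) win 65535 <mss 1460,nop,nop,sackOK>
17:03:32.100000 IP 172.16.8.130.4600 > 172.16.8.77.3128: S 111:111(0) win 65535 <mss 1460>
17:03:32.100210 IP 172.16.8.77.3128 > 172.16.8.130.4600: S 222:222(0) ack 112 win 5840 <mss 1460>
17:03:35.100000 IP 172.16.8.130.4600 > 172.16.8.77.3128: S 111:111(0) win 65535 <mss 1460>
"""

if __name__ == "__main__":
    for b in duplicate_syn_bursts(SAMPLE.splitlines()):
        print(f"{b['src']} > {b['dst']} seq={b['seq']}: {b['copies']} copies in {b['span_us']} us")
```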