FW: [Pound Mailing List] ListenHTTPS and load balancing with heartbeat
"Siggi Oskarsson" <siggi(at)junesystems.com>
2006-10-04 17:00:42 [ FULL ]
Hi,

Could anybody lend a hand here? I'm running on only 1 load balancer with a
couple of sites, which does not create a warm feeling inside ...

Gr. Siggi

-----Original Message-----
From: Siggi Oskarsson [mailto:siggi(at)junesystems.com]
Sent: Tuesday, 26 September 2006 15:50
To: pound(at)apsis.ch
Subject: [Pound Mailing List] ListenHTTPS and load balancing with heartbeat

Hi,

I have a very strange problem in my pound setup, that I can't seem to solve
on my own. We are using 2 pound servers to direct requests to the backend
servers. The 2 servers also have heartbeat (ultramonkey) running on them for
IP failover. We have 4 IP addresses in use by heartbeat and pound.

When I changed the pound config on the active server from

ListenHTTPS *,443 /root/ssl/ssl.pem ALL:!ADH:!EXPORT56:RC4+RSA:+H

To 

ListenHTTPS [IP1],443 /root/ssl/ssl2.pem ALL:!ADH:!EXPORT5
ListenHTTPS [IP2],443 /root/ssl/ssl.pem ALL:!ADH:!EXPORT5
ListenHTTPS [IP3],443 /root/ssl/ssl.pem ALL:!ADH:!EXPORT5
ListenHTTPS [IP4],443 /root/ssl/ssl.pem ALL:!ADH:!EXPORT5

(IP1-4 being the IPs used by heartbeat; IP1 and 2 are production sites, 3
and 4 are for testing and use one of the production certificates) everything
worked fine. I even got the correct ssl certificates on requesting a page on
IP1 (ssl2.pem) or IP2 (ssl.pem). When I did the same change on the other
pound server (and restarted pound) everything stopped working immediately.
When I changed the config back in the second pound server, and restarted,
everything worked again and is still working (with the new config only on 1
pound server).

Any ideas what would be causing this? I did get an IP1:443 address in use
error in the log, but that could only be from the other pound server! Is
pound checking for the (remote) port on the IP given if there is already a
server, instead of only checking the local machine?

Gr. Siggi Oskarsson
Using pound-1.9.4-1.src.rpm waiting for 2.x to become stable.

Re: FW: [Pound Mailing List] ListenHTTPS and load balancing with heartbeat
Robert Segall <roseg(at)apsis.ch>
2006-10-04 18:42:53 [ FULL ]
On Wed, 2006-10-04 at 17:00 +0200, Siggi Oskarsson wrote: [...]

Pound 1.x checks on conflicts on the LOCAL machine only. If both your
addresses are present there (as is usually the case with heartbeat) you
may have a problem.[...]

Re: FW: [Pound Mailing List] ListenHTTPS and load balancing with heartbeat
Rune Saetre <rune.saetre(at)netcom-gsm.no>
2006-10-04 19:16:05 [ FULL ]
Hi

I think pound-1.9.4 tries to connect to the IP address ([IP1] to [IP4] in 
your case) before it starts to listen to it. At least pound-1.10 does 
that.

So when you try to start pound on the second machine it will not start 
because it can connect to the IP-address:port it intends to listen to 
itself, and decides that this IP-address:port is already in use.

We are running pound-1.10 on openbsd and carp using the patches found 
here: http://folesvaert.no/pound/patches/
The one called patch-pound-1.10-noifchk.diff.gz removes this 
connect-to-self-test. This test is generally not needed, as a bind to a 
used address will fail on most modern systems anyway. I think this test is 
even removed in pound-2.x.x.

You are running Linux, right?
Please note that if the default gateway for the pound boxes is a cisco 
router you will have ARP problems when the services fail over. We switched 
to openbsd and carp (which does MAC address failover as well) to get around 
such a problem.

Regards
Rune

---
Rune Sætre <rune.saetre(at)netcom-gsm.no>
NetCom as
Telefon (mob): 934 34 285
..

On Wed, 4 Oct 2006, Siggi Oskarsson wrote:
[...]

RE: FW: [Pound Mailing List] ListenHTTPS and load balancing with heartbeat
"Siggi Oskarsson" <siggi(at)junesystems.com>
2006-10-05 11:28:31 [ FULL ]
Rune,

Thanks a lot for the information. We are not having any problems with ARP
when addresses fail over, but I think my solution lies in removing the
connect-to-self-test like you suggest. Maybe it's time to switch to 2.x ...

Gr. Siggi
[...]
