Hi,
   
I have solved the problem of "no route to host" errors. I believe it was related to pf. I disabled the state tracking on the inside interface and also increased the open file descriptors for user pound, which I run pound as, to 1024 because I was hitting the soft limit. Everything looks fine except for one thing. On the backends I run Caucho Resin and do load balancing to 2 backends. It seems that at intervals of about 12 hours one of the backends freezes. If I telnet on port 80 I get a response, but when I try to do a GET nothing happens and it just hangs. Restarting Resin fixes the problem. What is curious is that we have been running the same services for a couple of weeks with only one server, forwarding through pf, and did not get any errors, so one server handled the load pretty well. I am not sure if this is a Resin issue or a pound issue or maybe something like a pound and Resin compatibility issue.

Does anyone use Resin + pound and have some ideas?

Thank you.

 

Adrian Bucur

Senior System Administrator

NOBEL Ltd.

 

___________________

US:            +1 866 776 6235 ext 6464

RO:            +40 21 211 01 85 ext 6464

Fax:           +40 21 211 04 85

E-mail:        adrian.bucur@nobelglobe.com

IM MSN:     bucur_adrian_ciprian@hotmail.com

Web:          www.nobelglobe.com

 

This e-mail and attachments, if any, may contain confidential and/or proprietary information. Please be advised that the unauthorized use or disclosure of the information is strictly prohibited. The information herein is intended only for use by the intended recipient(s) named above. If you have received this transmission in error, please notify the sender immediately and permanently delete the e-mail and any copies, printouts or attachments thereof.

 



Adrian Bucur wrote:
Hi Stefan,

Thanks for the advice. I set the pf state number to 256k. I had around 6-7k every time I checked, but it didn't solve my issue. Is there any way I can see a more detailed error in the logs?

Thank you,









 
Adrian Bucur
 



Stefan Lambrev wrote:

Adrian Bucur wrote:

    Well, I thought of that in the first place, but since the backends are in the same LAN with the server I cannot see how it can be a routing issue. The proxy server has an internal interface with an internal IP address and an external interface on which the requests are made. It is as simple as that. The firewall is pf from OpenBSD and it does the NAT and redirection perfectly. I tried the ping and found nothing suspicious. Maybe this is a more general error and it is something from pound.

Can you install pftop (or just use pfctl) and see how many active states you have in your firewall?

If pound is serving a busy site, and you use keep alive (I think pf 4.1 uses them by default), then most probably you reach the max limit of states.

I suggest increasing "set limit states" (default value is 10,000).

If your firewall is too restrictive, it can happen that you block packets that close connections, and you will reach the max limit of states very, very fast on a loaded site.

Also, if the connection between pound and the backends is done using the internal LAN, you can configure your firewall to "set skip on $INT_IF" and keep firewalling only on the external interface(s).
  
  
    
    
    
    
    
    
    
 
    
    
 
    
    
    
    
Michal Taborsky - Internet Mall wrote:

Adrian Bucur wrote:

    Sep 10 11:02:47 pound: backend xx.xx.xx.xx:80 connect: No route to host

Hello Adrian,

I seriously doubt this has anything to do with pound itself. It looks to me like you have some issues with your network. Are the pound server and backends on the same network, or is there any router between them? Do you use any dynamic routing like OSPF or RIP? It looks like your pound loses the route to the backends for a while. Or maybe some firewall reinitialization?

I suggest you run ping on the pound server to the backend and look for anything suspicious around the time this error occurs.

--
To unsubscribe send an email with subject unsubscribe to pound@apsis.ch.
Please contact roseg@apsis.ch for questions.
    
 
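
The check Stefan Lambrev suggests in the thread (compare the number of active pf states with the configured limit) can be scripted as below. This is an added example, not code from any of the posters; the function names, the 80% threshold and the sample `pfctl` output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `pfctl -s info` output (trimmed), not from the thread.
SAMPLE_INFO='Status: Enabled for 3 days 04:11:52           Debug: Urgent

State Table                          Total             Rate
  current entries                     6812
  searches                       918273645         3345.1/s
  inserts                          4455667           16.2/s
  removals                         4448855           16.2/s'

# Constructed sample of `pfctl -s memory` output showing the 10,000 default.
SAMPLE_MEM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Print the current number of state entries from `pfctl -s info` text.
pf_current_states() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Print the hard limit on states from `pfctl -s memory` text.
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# Print state-table usage as an integer percentage; status 2 if unparsable.
pf_state_usage_pct() {
    cur=$(pf_current_states "$1")
    max=$(pf_state_limit "$2")
    [ -n "$cur" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || return 2
    echo $(( cur * 100 / max ))
}

# Status 0 (with a warning) when usage >= threshold $3, 1 when below, 2 on error.
pf_states_near_limit() {
    pct=$(pf_state_usage_pct "$1" "$2") || return 2
    [ "$pct" -ge "$3" ] || return 1
    echo "WARN: pf state table at ${pct}% of limit; raise 'set limit states' in pf.conf"
}

# On a live host, pass "$(pfctl -s info)" and "$(pfctl -s memory)" instead.
rc=0
pf_states_near_limit "$SAMPLE_INFO" "$SAMPLE_MEM" 80 || rc=$?
if [ "$rc" -eq 1 ]; then echo "pf state table below threshold"; fi
```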