I'm currently testing a firewall that is load-balancing on 2 ISPs and NATing to the internal network. I've set up everything and the firewall works great for the most part. However, I'm having one strange problem, with one particular application.

When using IM (specifically AIM/ICQ), the IM clients will connect to the IM server, but immediately disconnect. This will happen multiple times (clicking "reconnect" repeatedly), then after many reconnect attempts, will mysteriously connect just fine. Now, when connecting to the same servers from behind the current production firewall (older single ISP configuration) the IM client does not exhibit this behavior and will connect immediately. Now, the behavior is somewhat intermittent, as some days it will be ICQ that has the connection problem, while other days it will be AIM. Does anyone have an idea what might be happening here, or where I might be able to look for what's going on? All other IM protocols I've used do not exhibit this behavior (Jabber, MSN, Yahoo!), only AOL protocols.

I've used Ethereal to trace the sessions out, and the client connects, but then immediately issues a disconnect command. Or, connects, but gets a message stating that the login credentials are incorrect. It's very odd behavior. Again, I do not experience this behavior behind a non-multi-ISP configuration. Thanks in advance for any help. If anyone needs specific data (config files / packet captures) please let me know. Thanks.
Preston wrote on 14/09/2005 16:20:01:

> I'm currently testing a firewall that is load-balancing on 2 ISPs and
> NATing to the internal network. I've set up everything and the firewall
> works great for the most part. However, I'm having one strange problem,
> with one particular application.
>
> When using IM (specifically AIM/ICQ), the IM clients will connect to the
> IM server, but immediately disconnect. This will happen multiple times
> (clicking "reconnect" repeatedly), then after many reconnect attempts,
> will mysteriously connect just fine. Now, when connecting to the same
> servers from behind the current production firewall (older single ISP
> configuration) the IM client does not exhibit this behavior and will
> connect immediately. Now, the behavior is somewhat intermittent, as
> some days it will be ICQ that has the connection problem, while other
> days it will be AIM. Does anyone have an idea what might be happening
> here, or where I might be able to look for what's going on? All other
> IM protocols I've used do not exhibit this behavior (Jabber, MSN,
> Yahoo!), only AOL protocols.

In some cases, sessions are IP oriented. If you load balance all your traffic, some banks and other applications will fail when your box chooses a route for the first connection (the site registers this IP for the session) and later the route is changed to the other ISP. I don't know if connmark will do the trick for you. Here, as my problem is mainly with a bank, I just fwmark the traffic on port 443 and later use 'ip rule' to direct that traffic to one of the ISPs. I use the tcrules file to mark that traffic...

> I've used Ethereal to trace the sessions out, and the client connects,
> but then immediately issues a disconnect command. Or, connects, but
> gets a message stating that the login credentials are incorrect. It's
> very odd behavior. Again, I do not experience this behavior behind a
> non-multi-ISP configuration. Thanks in advance for any help. If anyone
> needs specific data (config files / packet captures) please let me
> know. Thanks.

Hope it helps,
-- 
Eduardo Ferreira
Preston Kutzner wrote:

> I'm currently testing a firewall that is load-balancing on 2 ISPs and
> NATing to the internal network. I've set up everything and the firewall
> works great for the most part. However, I'm having one strange problem,
> with one particular application.
>
> When using IM (specifically AIM/ICQ), the IM clients will connect to the
> IM server, but immediately disconnect. This will happen multiple times
> (clicking "reconnect" repeatedly), then after many reconnect attempts,
> will mysteriously connect just fine. Now, when connecting to the same
> servers from behind the current production firewall (older single ISP
> configuration) the IM client does not exhibit this behavior and will
> connect immediately. Now, the behavior is somewhat intermittent, as
> some days it will be ICQ that has the connection problem, while other
> days it will be AIM. Does anyone have an idea what might be happening
> here, or where I might be able to look for what's going on? All other
> IM protocols I've used do not exhibit this behavior (Jabber, MSN,
> Yahoo!), only AOL protocols.

Send the traffic to AIM/ICQ to one ISP only:
http://www.shorewall.net/Shorewall_and_Routing.html#id2539574

Some IM protocols are tricky, and some of them are a complete disaster from the security point of view.

-- 
Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'
Eduardo Ferreira wrote:

--snip--
> In some cases, sessions are IP oriented. If you load balance all your
> traffic, some banks and other applications will fail when your box
> chooses a route for the first connection (the site registers this IP for
> the session) and later the route is changed to the other ISP.
> I don't know if connmark will do the trick for you. Here, as my problem
> is mainly with a bank, I just fwmark the traffic on port 443 and later
> use 'ip rule' to direct that traffic to one of the ISPs. I use the
> tcrules file to mark that traffic...
--snip--

I'm currently using wondershaper on this firewall. Will I be able to use connection marking (connmark) in tcrules if I'm using wondershaper?
On Wednesday 14 September 2005 13:14, Preston Kutzner wrote:

> I'm currently using wondershaper on this firewall. Will I be able to
> use connection marking (connmark) in tcrules if I'm using wondershaper?

Wondershaper is completely independent of packet marking.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> On Wednesday 14 September 2005 13:14, Preston Kutzner wrote:
>
>> I'm currently using wondershaper on this firewall. Will I be able to
>> use connection marking (connmark) in tcrules if I'm using wondershaper?
>
> Wondershaper is completely independent of packet marking.
>
> -Tom

Good to know, thanks.
Preston Kutzner wrote:

> Tom Eastep wrote:
>
>> On Wednesday 14 September 2005 13:14, Preston Kutzner wrote:
>>
>>> I'm currently using wondershaper on this firewall. Will I be able to
>>> use connection marking (connmark) in tcrules if I'm using wondershaper?
>>
>> Wondershaper is completely independent of packet marking.
>>
>> -Tom
>
> Good to know, thanks.

Adding the following lines to tcrules fixed the problem. Thanks again for the help.

1:P xxx.xxx.xxx.0/24 0.0.0.0/0 tcp 5190
1:P xxx.xxx.xxx.0/24 0.0.0.0/0 tcp 5190
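As an added illustration (not code from the thread, from Shorewall, or from any of the posters), this Python model shows the failure Eduardo describes and the effect of Preston's tcrules fix: a NAT firewall that hands each new connection to the next ISP in turn, a server that ties the session to the public IP seen at login, and a pin rule that stands in for marking tcp/5190 and routing that mark to one ISP. The ISP addresses, the two-connection login, the user name and the background-traffic pattern are constructed assumptions, not details from the thread.

```python
from itertools import cycle

# Constructed sample: the public address the firewall has on each ISP link
# (documentation ranges, not real addresses).
ISP_ADDRS = {"isp1": "198.51.100.10", "isp2": "203.0.113.10"}


class MultiIspNat:
    """Load-balancing NAT firewall. Each new connection goes out the next ISP
    in turn unless a pin rule matches (proto, dport); a pin rule stands in for
    a tcrules MARK plus an 'ip rule fwmark' that selects that ISP's table."""

    def __init__(self, pin_rules=None):
        self._next_isp = cycle(ISP_ADDRS)
        self.pin_rules = dict(pin_rules or {})

    def egress_addr(self, proto, dport):
        isp = self.pin_rules.get((proto, dport)) or next(self._next_isp)
        return ISP_ADDRS[isp]


class IpBoundService:
    """Server that records the client's public IP at login and rejects the
    session token from any other IP ('sessions are IP oriented')."""

    def __init__(self):
        self._sessions = {}

    def login(self, src_ip, user):
        token = f"token-for-{user}"
        self._sessions[token] = src_ip
        return token

    def use_session(self, src_ip, token):
        return self._sessions.get(token) == src_ip


def im_login(nat, service, background_conns):
    """One login attempt: an auth connection, then unrelated connections from
    other LAN hosts, then the session connection presenting the token."""
    auth_ip = nat.egress_addr("tcp", 5190)
    token = service.login(auth_ip, "preston")
    for _ in range(background_conns):
        nat.egress_addr("tcp", 80)
    session_ip = nat.egress_addr("tcp", 5190)
    return service.use_session(session_ip, token)


def login_attempts(nat, service, background_pattern):
    # Varying background traffic is what makes the unpinned case intermittent.
    return [im_login(nat, service, n) for n in background_pattern]
```

Without the pin, whether an attempt succeeds depends on how much other traffic happened to be opened between the two connections, which is the "reconnect until it works" behaviour from the first post; with tcp/5190 pinned, every attempt leaves through the same ISP and succeeds.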