In a situation where a VM is generating a huge number of inbound or outbound connections, it is possible for the ip_conntrack table to become full and for the packets to be dropped. This situation is rarely seen under normal traffic, but the event of a DOS attack can often cause this behavior.
To stop packets from a particular source IP from keeping track of the state of the connections, we can do the following:
iptables -t raw -I PREROUTING -s <source_ip> -j NOTRACK
We would suggest at least to do this for the Control Panels management IP address to ensure that the CP and HVs are able to communicate. You may also wish to put in place additional entries for any SAN IPs on your storage network, and for your backup server IP(s) to ensure traffic flowing over those networks is also not affected.
Those entries, once created, could be placed into /etc/rc.local for static HVs, or CustomConfig for cloudboot HVs. Note that OnApp Integrated Storage traffic has this disabled by default, so there is no need to add additional entries, where this is in use.
Comments
0 comments
Please sign in to leave a comment.