In a situation where a VM is generating a huge number of inbound or outbound connections, it is possible for the ip_conntrack table to become full and for packets to be dropped. This is rarely seen under normal traffic, but a DoS attack can often cause this behaviour.
To exempt packets from a particular source IP from connection tracking, we can do the following:
iptables -t raw -I PREROUTING -s <source_ip> -j NOTRACK
We suggest doing this, as a minimum, for the Control Panel's management IP address to ensure that the CP and HV are able to communicate. You may also wish to put in place additional entries for any SAN IPs on your storage network, and for your backup server IP(s), to ensure traffic flowing over those networks is not affected either.
Once created, those entries can be placed into /etc/rc.local for static HVs, or CustomConfig for cloudboot HVs. Note that OnApp Integrated Storage traffic already has connection tracking disabled by default, so there is no need to add additional entries where this is in use.
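As an added example (not part of the original article or OnApp's tooling), the script below reports how full the conntrack table is and prints the NOTRACK rule shown above for each trusted address without applying it. The addresses are constructed placeholders, the function names are hypothetical, and the /proc/sys/net/netfilter paths assume a kernel using the nf_conntrack module.

```shell
#!/bin/sh
# Added example (not OnApp code): report conntrack usage and print NOTRACK
# rules for trusted IPs. Rules are only printed, never applied.

# Percentage of the conntrack table in use, given current count and maximum.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || return 1
    echo $(( $1 * 100 / $2 ))
}

# Succeeds only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the page's raw-table rule for each valid address; skip the rest.
notrack_rules() {
    for ip in "$@"; do
        if valid_ipv4 "$ip"; then
            echo "iptables -t raw -I PREROUTING -s $ip -j NOTRACK"
        else
            echo "skipping invalid address: $ip" >&2
        fi
    done
}

# Assumption: kernel exposes nf_conntrack counters under this directory.
dir=/proc/sys/net/netfilter
if [ -r "$dir/nf_conntrack_count" ] && [ -r "$dir/nf_conntrack_max" ]; then
    if pct=$(conntrack_usage_pct "$(cat "$dir/nf_conntrack_count")" \
                                 "$(cat "$dir/nf_conntrack_max")"); then
        echo "conntrack table is ${pct}% full"
    fi
fi

# Constructed sample addresses standing in for the CP management IP, a SAN
# IP, a backup server IP, and one mistyped entry that must be rejected.
notrack_rules 192.0.2.10 10.0.0.5 10.0.1.20 10.0.0.256
```

Untracked packets do not match ESTABLISHED or RELATED state rules, so confirm the filter table accepts this traffic explicitly before applying the printed rules.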