Port mirroring to two HAProxy servers

My scenario is that through iptables TEE I mirror packets to two HAProxies, and the second proxy is for backup. However, I don't want the second proxy to reply with an ACK but still collect the packets, so I drop the ACK packets from the second proxy. However, because the backup proxy's sequence number isn't the same as the primary proxy's, the connection won't establish on the backup proxy. Is there a way to make the two HAProxies establish the connection synchronously? The second connection is fake; it's only there to collect packets, and if the primary fails over the backup proxy could take over.

No, this cannot be done.

You cannot achieve high availability by mirroring raw IP packets; it doesn't work that way. You have already seen the issues, and I strongly suggest you stop going down this path, as it will lead nowhere.

Use things like keepalived to move virtual IPs between the instances.
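A minimal keepalived configuration for the setup recommended above, added here as an illustration (not from the thread's author): two nodes share a VRRP virtual IP, a check script tracks whether the local haproxy process is alive, and a failed check lowers the node's priority so the VIP moves to the peer. The interface name, router id, and the 192.0.2.10 address are placeholders.

```conf
# keepalived.conf on the preferred node; the peer uses state BACKUP
# and a lower priority (e.g. 100), otherwise identical.

# Health check: killall -0 only tests that a haproxy process exists.
# On failure, weight -20 drops the priority below the peer's value,
# so the peer becomes MASTER and takes the VIP.
vrrp_script chk_haproxy {
    script "/usr/bin/killall -0 haproxy"
    interval 2
    weight -20
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0            # placeholder: interface carrying the VIP
    virtual_router_id 51      # placeholder: must match on both nodes
    priority 101
    advert_int 1

    # The VIP that clients connect to; haproxy binds to this address.
    virtual_ipaddress {
        192.0.2.10/24 dev eth0
    }

    track_script {
        chk_haproxy
    }
}
```

Note that this moves the address, not the TCP state: connections in flight on the failed node are reset and clients must reconnect, which is the limitation discussed in the rest of the thread. For haproxy to bind the VIP while it is held by the peer, set the sysctl net.ipv4.ip_nonlocal_bind=1 on both nodes.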

Yes, I will put keepalived between the two HAProxies.
But if I am downloading a file and a failover occurs at that moment, is there a way to make the backup HAProxy take over seamlessly? Actually, I am researching fault tolerance.

So my idea is to mirror the packets to the backup HAProxy, and when a failover happens I could use the mirrored packets to restore the connection (using the TCP repair support in the Linux kernel). Is that a possible way?

No, this is not possible. If you want to cover this use case, I'd suggest not terminating TCP sessions but working on a lower layer instead. LVS/IPVS may be able to achieve this.

However, you need to think really hard about whether this is actually a hard requirement for you, or if it is just a "nice to have". How often does your instance really die? How often do you have a hardware fault? And how much money do you really lose in this case?

Almost nobody does this.


I will research the LVS/IPVS you mentioned, thank you!
Because I am researching HAProxy fault tolerance for my thesis, I tried to use the TCP repair feature to achieve it, but I ran into a problem at the stage of collecting packets on the two HAProxies.
I will try the LVS/IPVS you mentioned, thanks!