I have two firewalled VMs connected to the same vLAN, but after some time I see a RST/ACK response to the initial connection attempt, while subsequent attempts succeed, as if some kind of cache on the peer needed to be warmed up. I wonder what causes this; could it be the arp cache?
Initial connection attempt:
15:04:56.786105 IP <redacted>.185.60362 > <redacted>.154.ldap: Flags [S], seq 3402134510, win 26880, options [mss 8960,sackOK,TS val 429607411 ecr 0,nop,wscale 7], length 0
15:04:56.786377 IP <redacted>.154.ldap > <redacted>.185.60362: Flags [R.], seq 0, ack 3402134511, win 0, length 0
Successful attempt afterwards:
15:05:11.363088 IP <redacted>.154.ldap > <redacted>.185.60378: Flags [S.], seq 3102507846, ack 3252771331, win 26844, options [mss 8960,sackOK,TS val 538726974 ecr 429621988,nop,wscale 7], length 0
15:05:11.363120 IP <redacted>.185.60378 > <redacted>.154.ldap: Flags [.], ack 1, win 210, options [nop,nop,TS val 429621988 ecr 538726974], length 0
On the target VM I see relatively frequent arp requests as long as there is communication, and none otherwise, as if the server wanted to make sure the client peer still exists (on the same HN, although the mac-addr should change during live migration and the switch might need to learn that quickly):
18:56:08.164227 ARP, Request who-has <redacted>.184 tell <redacted>.154, length 28
18:56:08.164687 ARP, Reply <redacted>.184 is-at 62:38:31:33:39:39, length 46
It looks as expected, and I have not assigned duplicate IP addresses, so why does the peer keep sending relatively many arp requests?
[root@dcs2 ~]# arping -DI eth1 <redacted>.184
ARPING <redacted>.184 from 0.0.0.0 eth1
Unicast reply from <redacted>.184 [62:38:31:33:39:39] 1.122ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
#n1:/> arping -DI eth1 <redacted>.154
ARPING <redacted>.154 from 0.0.0.0 eth1
Unicast reply from <redacted>.154 [6E:FF:D6:F0:78:C6] 1.107ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
If I run arping first, it may be an arp cache warm-up issue, and there is no initial problem:
#n2:/> arping -I eth1 -f dcs4.<redacted>; telnet dcs4.<redacted> 389
ARPING <redacted>.156 from <redacted>.185 eth1
Unicast reply from <redacted>.156 [92:B9:56:CE:03:E6] 1.150ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
Trying <redacted>.156...
Connected to dcs4.<redacted>.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
But how can we avoid the initial problem affecting our application?
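To confirm the "first attempt after idle is refused, the next one is accepted" pattern across a longer capture rather than eyeballing two lines, the following added script (not part of the post) parses tcpdump's default output format, pairs every SYN with the first reply on the same 4-tuple, and reports for each attempt whether it was refused (RST), accepted (SYN/ACK) or unanswered, together with the reply delay and the idle gap since the previous attempt to that server. The capture text below is constructed in the same format as the post's output; the addresses are placeholders, not real hosts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample capture, same layout as `tcpdump -n` output in the post.
# Addresses and ports are placeholders.
SAMPLE_CAPTURE = """\
15:04:56.786105 IP 10.0.0.185.60362 > 10.0.0.154.ldap: Flags [S], seq 3402134510, win 26880, options [mss 8960,sackOK,TS val 429607411 ecr 0,nop,wscale 7], length 0
15:04:56.786377 IP 10.0.0.154.ldap > 10.0.0.185.60362: Flags [R.], seq 0, ack 3402134511, win 0, length 0
15:05:11.362900 IP 10.0.0.185.60378 > 10.0.0.154.ldap: Flags [S], seq 3252771330, win 26880, options [mss 8960,sackOK,TS val 429621988 ecr 0,nop,wscale 7], length 0
15:05:11.363088 IP 10.0.0.154.ldap > 10.0.0.185.60378: Flags [S.], seq 3102507846, ack 3252771331, win 26844, options [mss 8960,sackOK,TS val 538726974 ecr 429621988,nop,wscale 7], length 0
15:05:11.363120 IP 10.0.0.185.60378 > 10.0.0.154.ldap: Flags [.], ack 1, win 210, options [nop,nop,TS val 429621988 ecr 538726974], length 0
"""

# Timestamp, IP header and TCP flags; everything after the flags is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)

Endpoint = Tuple[str, str]  # (host, port-or-service-name)


@dataclass
class Attempt:
    ts: float                 # seconds since midnight of the SYN
    client: Endpoint
    server: Endpoint
    outcome: str              # "refused", "accepted" or "unanswered"
    reply_delay: Optional[float]        # seconds from SYN to first reply
    since_prev_attempt: Optional[float]  # idle gap to previous SYN at this server


def ts_to_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def split_endpoint(token: str) -> Endpoint:
    # tcpdump prints host.port, where port may be a service name such as "ldap".
    host, port = token.rsplit(".", 1)
    return host, port


def classify_handshakes(capture_text: str) -> List[Attempt]:
    """Pair each SYN with the first matching reply and classify the outcome."""
    pending: Dict[Tuple[Endpoint, Endpoint], Attempt] = {}
    last_syn_to_server: Dict[Endpoint, float] = {}
    attempts: List[Attempt] = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP lines, truncated lines, etc.
        ts = ts_to_seconds(m.group("ts"))
        src, dst, flags = split_endpoint(m.group("src")), split_endpoint(m.group("dst")), m.group("flags")
        if flags == "S":  # bare SYN: a new connection attempt from src to dst
            prev = last_syn_to_server.get(dst)
            att = Attempt(ts, src, dst, "unanswered", None,
                          None if prev is None else ts - prev)
            last_syn_to_server[dst] = ts
            pending[(src, dst)] = att
            attempts.append(att)
            continue
        att = pending.get((dst, src))  # replies flow server -> client
        if att is None or att.outcome != "unanswered":
            continue
        if "R" in flags:
            att.outcome = "refused"
        elif "S" in flags and "." in flags:
            att.outcome = "accepted"
        else:
            continue  # not a handshake reply; keep waiting
        att.reply_delay = ts - att.ts
    return attempts


def summarize(attempts: List[Attempt]) -> Dict[str, int]:
    counts = {"refused": 0, "accepted": 0, "unanswered": 0}
    for a in attempts:
        counts[a.outcome] += 1
    return counts


if __name__ == "__main__":
    for a in classify_handshakes(SAMPLE_CAPTURE):
        gap = "first" if a.since_prev_attempt is None else f"{a.since_prev_attempt:.3f}s idle"
        delay = "-" if a.reply_delay is None else f"{a.reply_delay * 1000:.3f} ms"
        print(f"{a.client[0]}:{a.client[1]} -> {a.server[0]}:{a.server[1]} {a.outcome:10s} reply {delay} ({gap})")
    print(summarize(classify_handshakes(SAMPLE_CAPTURE)))
```

Feed it a full `tcpdump -n` text capture (e.g. `tcpdump -nli eth1 tcp port 389` saved to a file) and look at whether "refused" attempts cluster after long idle gaps; a RST that arrives within a fraction of a millisecond, as in the post, comes from the peer's stack or firewall rather than from a timeout, which is why the ARP hypothesis is worth testing with the arping-first experiment the post already shows.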