Re: [leshan-dev] lwm2m servers load balancing DTLS with nginx.

Hi everyone,
trying to get in contact with Santos Das who opened this topic. I am facing a similar issue trying to proxy DTLS over Nginx. This does not work out of the box since Nginx changes its client port for every UDP packet it forwards. They are working on this subject, but it's not included in the current releases. There are ways to counter this issue (e.g. binding the client port or making the client address transparent for the proxy), but none of them are meant to be used in a production environment.
Since Santos mentioned that he established a single DTLS connection over Nginx I would be grateful to get information about his configuration. Or if anyone else can point me in the right direction or has any advice it would be much appreciated.
Regards,
Sebastian
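Julien's requirement further down the thread (every record from one source IP/port must reach the same Leshan server) and the observation above that Nginx uses a new source port for each forwarded UDP packet can be modelled together. The following Python is an added example, not code from Leshan, Californium or nginx; DtlsServer, deliver, by_hash and the constructed client address are hypothetical names that mimic the behaviour described in this thread.

```python
import hashlib
import itertools
from dataclasses import dataclass, field

# Constructed model (not Leshan, Californium or nginx code) of why a UDP load
# balancer breaks DTLS: each server keeps record state per peer, and the peer is
# identified only by (ip, port). The explicit nonce the Californium log compares
# is epoch (2 bytes) || record sequence number (6 bytes).
def explicit_nonce(epoch: int, seq: int) -> str:
    return (epoch.to_bytes(2, "big") + seq.to_bytes(6, "big")).hex(" ")

@dataclass
class DtlsServer:
    name: str
    next_seq: dict = field(default_factory=dict)  # (ip, port) -> expected seq

    def receive(self, peer: tuple, epoch: int, seq: int) -> str:
        if peer not in self.next_seq:
            if seq != 0:             # mid-stream record from an unknown peer
                return "no-session"  # cf. "Parsing message without a session"
            self.next_seq[peer] = 0
        want = self.next_seq[peer]
        if seq != want:              # AEAD nonce is built from epoch || seq
            return (f"nonce-mismatch used={explicit_nonce(epoch, seq)} "
                    f"expected={explicit_nonce(epoch, want)}")
        self.next_seq[peer] = want + 1
        return "ok"

def by_hash(peer, servers):
    """Sticky choice, as 'hash $remote_addr:$remote_port consistent' intends."""
    digest = hashlib.sha256(f"{peer[0]}:{peer[1]}".encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]

def make_round_robin(servers):
    cycle = itertools.cycle(servers)
    return lambda peer, _servers: next(cycle)

def deliver(records, servers, pick, proxy_rewrites_source_port=False):
    """Push the client's records through the balancer; one status per record."""
    statuses = []
    for i, (peer, epoch, seq) in enumerate(records):
        server = pick(peer, servers)
        # A proxy that sends each packet from a fresh UDP socket shows the
        # server a new source port every time, so no record matches a peer.
        seen_as = (peer[0], 40000 + i) if proxy_rewrites_source_port else peer
        statuses.append(server.receive(seen_as, epoch, seq))
    return statuses

# Constructed client: one peer sending four epoch-1 records in order.
CLIENT = ("172.17.0.4", 33924)
RECORDS = [(CLIENT, 1, s) for s in range(4)]
```

Round-robin distribution reproduces both log symptoms (records without a session, then a nonce mismatch), a sticky hash on the original IP/port keeps every record on one server, and a proxy that rewrites the source port per packet defeats even the sticky hash.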
 
 
> I think you should ask this question on a nginx forum.
> --
> Julien Vermillard
>
On Mon, Jan 30, 2017 at 6:59 PM, Santos Das <santos.das@xxxxxxxxx> wrote:
I thought the following configuration of Nginx is doing this -
 
hash $remote_addr:$remote_port consistent;
 
Thanks, Santos
 
On Mon, Jan 30, 2017 at 10:57 PM, Julien Vermillard <jvermillard@xxxxxxxxx> wrote:
You need to send all the requests coming from the same source IP/port to the same server.
The leshan servers share nothing about the DTLS state (outside the PSK/RPK keys)
 
--
Julien Vermillard
 
On Mon, Jan 30, 2017 at 5:59 PM, ÐÐÐÑÑÐ ÐÐÑÐÑÐÑР<zaharkiv567@xxxxxxxxx> wrote:
Hi guys!
 
We are currently trying to configure LB on nginx for LWM2M servers. 
 
We have successfully managed to configure it for COAP connections. Clients are connecting and being distributed among servers. 

However, when we are trying to connect clients via CoAPS it fails. It seems that handshake stages are distributed among servers and it causes this:

Jan 30, 2017 10:23:24 AM org.eclipse.californium.scandium.dtls.Record decryptAEAD
FINE: The explicit nonce used by the sender does not match the values provided in the DTLS record
Used    : 00 01 00 00 00 00 00 00
Expected: 00 01 00 00 00 00 00 01
Jan 30, 2017 10:23:24 AM com.verizon.lwm2m.server.CustomDtlsConnector discardRecord
FINE: Discarding Handshake (22) record from peer [/172.17.0.4:33924]: MAC validation failed
Jan 30, 2017 10:23:25 AM com.verizon.lwm2m.server.CustomDtlsConnector handleTimeout
FINE: Re-transmitting flight for [/172.17.0.4:33924], [2] retransmissions left
Jan 30, 2017 10:23:29 AM com.verizon.lwm2m.server.CustomDtlsConnector handleTimeout
FINE: Re-transmitting flight for [/172.17.0.4:33924], [1] retransmissions left
Jan 30, 2017 10:23:30 AM com.verizon.lwm2m.server.CustomDtlsConnector processHandshakeRecord
FINE: Received Handshake (22) record from peer [/172.17.0.4:33924]
Jan 30, 2017 10:23:30 AM org.eclipse.californium.scandium.dtls.Record decryptHandshakeMessage
FINE: Parsing message without a session
Jan 30, 2017 10:23:30 AM com.verizon.lwm2m.server.CustomDtlsConnector processHandshakeRecord
FINE: Received Handshake (22) record from peer [/172.17.0.4:33924]
Jan 30, 2017 10:23:30 AM org.eclipse.californium.scandium.dtls.Record decryptAEAD
FINE: The explicit nonce used by the sender does not match the values provided in the DTLS record
Used    : 00 01 00 00 00 00 00 00
Expected: 00 01 00 00 00 00 00 03
Jan 30, 2017 10:23:30 AM com.verizon.lwm2m.server.CustomDtlsConnector discardRecord
 
We have tried different nginx load balancing methods, including 
hash $remote_addr:$remote_port consistent;

Also worth mentioning: if there is only 1 server behind the nginx UDP load balancer, then everything works.
Any help on this is much appreciated.  

 
 
_______________________________________________
leshan-dev mailing list
leshan-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/leshan-dev