In a CLB UDP health check, the health check result is different from the actual status of the real server port.
In a UDP health check, the CLB instance sends a UDP probe message to the real server. If the ping succeeds and no ICMP error message "port XX unreachable" is returned within the response timeout period, the real server is considered healthy. Otherwise, the real server is considered unhealthy.
There are two possible causes for this error:
port unreachable to the health check nodes, leading to an inaccurate health check result.
port XX unreachable cannot be returned, and the CLB instance considers the health check successful because no ICMP response is received. Therefore, the health check result is inconsistent with the actual server health.
UDP health checks differ from other health checks in this respect: if the health check timeout period is too short, the health check result will flap back and forth between healthy and unhealthy.
sysctl -q net.ipv4.icmp_ratelimit
sysctl -q net.ipv4.icmp_ratemask
1000 (default). We recommend using the default value.
Note that if the rate limit on ICMP
port unreachable messages is lifted, then when the real server is connected to the public network and encounters a UDP port scanning attack, it will keep returning
# Run `sysctl -q net.ipv4.icmp_ratemask` (step 2) to query the current rate mask.
# Keep the first three digits of the returned rate mask unchanged and subtract 8 from the last digit.
# For example, if the returned mask is 6168, replace xxxx with 6160; if it is 1819, replace xxxx with 1811.
sysctl -w net.ipv4.icmp_ratemask=xxxx
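The "subtract 8 from the last digit" rule above only works when bit 3 of the mask (value 8, the ICMP Destination Unreachable type that carries "port unreachable") is actually set. The script below is an added example, not part of the CLB documentation: it generalizes the rule by clearing that bit with a bitwise operation, so it is idempotent and refuses to apply a change that is not needed. The function names and the `--apply` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the CLB documentation). Lifts the ICMP rate limit
# only for ICMP type 3 (Destination Unreachable) by clearing bit 3 (value 8)
# of net.ipv4.icmp_ratemask, leaving every other rate-limited type untouched.

# Print the mask with the Destination Unreachable bit cleared.
# Usage: new_icmp_ratemask <current_mask_decimal>
new_icmp_ratemask() {
    mask="$1"
    case "$mask" in
        ''|*[!0-9]*) echo "invalid mask: $mask" >&2; return 1 ;;
    esac
    # 6168 -> 6160, 1819 -> 1811, and 6160 stays 6160 (already cleared).
    echo $(( mask & ~8 ))
}

# Exit 0 if Destination Unreachable is currently rate limited in <mask>.
# Usage: dest_unreachable_ratelimited <mask_decimal>
dest_unreachable_ratelimited() {
    [ $(( $1 & 8 )) -ne 0 ]
}

# Apply the change on the Linux real server (requires root).
apply_icmp_ratemask() {
    current=$(sysctl -n net.ipv4.icmp_ratemask) || return 1
    new=$(new_icmp_ratemask "$current") || return 1
    if [ "$new" = "$current" ]; then
        echo "Destination Unreachable is already not rate limited (mask $current)"
        return 0
    fi
    echo "changing net.ipv4.icmp_ratemask from $current to $new"
    sysctl -w net.ipv4.icmp_ratemask="$new"
}

# Only modify the kernel setting when explicitly requested, so that sourcing
# or running this file for its functions has no side effects.
if [ "${1:-}" = "--apply" ]; then
    apply_icmp_ratemask
fi
```

Run it with `--apply` as root on the real server to make the change; without the flag it only defines the helper functions.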