From jared@puck.nether.net Fri Sep 27 17:54:22 2002
From: Jared Mauch
To: foundry-nsp@puck.nether.net
Date: Fri, 27 Sep 2002 17:54:22 -0400
Subject: [f-nsp] conversion to mailman

This is one of the last lists I have needed to convert to mailman.

You should have received your password e-mailed to you for the list, if not you can have it sent to you by visiting this link:

http://puck.nether.net/mailman/subscribe/foundry-nsp

For a list of lists we host, you can visit

http://puck.nether.net/mailman/listinfo

Questions, direct them to me/postmaster.

Enjoy,

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From asr@latency.net Thu Oct 17 16:35:23 2002
From: Adam Rothschild
To: foundry-nsp@puck.nether.net
Date: Thu, 17 Oct 2002 16:36:01 -0400
Subject: [f-nsp] FastIron 4802 and BGP

I'm looking for some real-world statistics on *roughly* how many BGP prefixes/sessions a FastIron 4802 (Premium) will cope with before falling over, as of late.

Also, am I correct in understanding that it won't recognize any memory beyond the 128mb it ships with?

Thanks in advance,
-a

From patara@registro.br Thu Oct 31 15:56:36 2002
From: Ricardo G Patara
To: foundry-nsp@puck.nether.net
Date: Thu, 31 Oct 2002 17:56:56 -0300
Subject: [f-nsp] vlan traffic account

Hello,

Does anyone know how to account the traffic per port vlan?
Or, either how to account the traffic to a specific virtual internet (ve)?

thanks

--
Ricardo G. Patara || patara@registro.br || +55 11 5509-3525

From burnside@kattare.com Thu Dec 5 05:36:05 2002
From: burnside@kattare.com
To: foundry-nsp@puck.nether.net
Date: Thu, 5 Dec 2002 02:36:21 -0800
Subject: [f-nsp] serveriron & http 1.1 name-based web hosting

Greetings,

I have a serverironXL with SW version 07.0.06T12.

I'm trying to do http/1.1 name-based web hosting. My connectivity provider of course frowns on the wasted IP's ip-based hosting entails.

When I try to add a SLB virtual server with the same IP as an existing SLB virtual server, it fails complaining that the IP address is already taken.

Is there any way to use the serveriron XL to do name-based vhosting? Or do I have to somehow get a huge chunk of IP space?

Cheers,

~Ethan B.
--------------------------
Ethan Burnside - Founder
Kattare Internet Services
http://www.kattare.com
--------------------------

From bill@neopets.com Thu Dec 5 05:46:02 2002
From: "Bill McCaffrey"
Date: Thu, 5 Dec 2002 02:46:15 -0800
Subject: Re: [f-nsp] serveriron & http 1.1 name-based web hosting

Ethan,

You do not need to enter multiple virtual servers. The requested host name is passed through the lb to the web server. Just set up one virtual server and use that ip for all your domains.

I run 6 or 7 websites off the same ip through a serveriron with no problems at all.

Bill

----- Original Message -----
Sent: Thursday, December 05, 2002 2:36 AM
Subject: [f-nsp] serveriron & http 1.1 name-based web hosting

> Greetings,
>
> I have a serverironXL with SW version 07.0.06T12.
>
> I'm trying to do http/1.1 name-based web hosting. My connectivity
> provider of course frowns on the wasted IP's ip-based hosting entails.
>
> When I try to add a SLB virtual server with the same IP as an
> existing SLB virtual server, it fails complaining that the IP address is
> already taken.
>
> Is there any way to use the serveriron XL to do name-based vhosting?
> Or do I have to somehow get a huge chunk of IP space?
>
> Cheers,
>
> ~Ethan B.
>
> --------------------------
> Ethan Burnside - Founder
> Kattare Internet Services
> http://www.kattare.com
> --------------------------
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp

From burnside@kattare.com Thu Dec 5 05:55:48 2002
From: burnside@kattare.com
To: Bill McCaffrey
Cc: foundry-nsp@puck.nether.net
Date: Thu, 5 Dec 2002 02:56:04 -0800
Subject: Re: [f-nsp] serveriron & http 1.1 name-based web hosting

Bill,

Awesome, I'll give it a whirl. Next question follows. ;-)

~Ethan B.

Quoting Bill McCaffrey:

> Ethan,
>
> You do not need to enter multiple virtual servers. The requested host name
> is passed through the lb to the web server. Just set up one virtual server
> and use that ip for all your domains.
>
> I run 6 or 7 websites off the same ip through a serveriron with no problems
> at all.
>
> Bill
>
> ----- Original Message -----
> Sent: Thursday, December 05, 2002 2:36 AM
> Subject: [f-nsp] serveriron & http 1.1 name-based web hosting
>
> > Greetings,
> >
> > I have a serverironXL with SW version 07.0.06T12.
> >
> > I'm trying to do http/1.1 name-based web hosting. My connectivity
> > provider of course frowns on the wasted IP's ip-based hosting entails.
> >
> > When I try to add a SLB virtual server with the same IP as an
> > existing SLB virtual server, it fails complaining that the IP address is
> > already taken.
> >
> > Is there any way to use the serveriron XL to do name-based vhosting?
> > Or do I have to somehow get a huge chunk of IP space?
> >
> > Cheers,
> >
> > ~Ethan B.
> >
> > --------------------------
> > Ethan Burnside - Founder
> > Kattare Internet Services
> > http://www.kattare.com
> > --------------------------

--------------------------
Ethan Burnside - Founder
Kattare Internet Services
http://www.kattare.com
--------------------------

From burnside@kattare.com Thu Dec 5 06:10:21 2002
From: burnside@kattare.com
To: Bill McCaffrey
Cc: foundry-nsp@puck.nether.net
Date: Thu, 5 Dec 2002 03:10:37 -0800
Subject: [f-nsp] serveriron http on ports other than 80

Greetings,

I'm running several instances of Apache per server. Many of them on ports above 1024.
(so that normal users can start/stop them.) Two issues I've run into:

I've tried configuring TCP health checks on the high ports (10000, 10010, etc.) via the TCP/UDP port config and it seems to fail the health checks on the real server every time. (and thus serves nothing.) If I connect directly to the servers on the high ports I get the pages I expect.

The second issue is that I cannot bind from a low point to a high point. I was kind of hoping to be able to bind port 80 on the virtual server to port 10000 (or whatever) on the real server. This is necessary because right now I use apache on port 80 to proxy up to port 10000 (or whatever) on the individual webservers. So... if the health checks just check port 80, the proxy may be up just fine, but the high port server may not be up. Thus the client may see a "proxy failure" page if the port 80 server is alive and the port 10000 server is dead.

Sorry about all the questions. I just got this serveriron recently and despite reading through most of the docs on the website, there is still much I am having trouble figuring out. ;-)

Cheers,

~Ethan B.
--------------------------
Ethan Burnside - Founder
Kattare Internet Services
http://www.kattare.com
--------------------------

From bill@neopets.com Thu Dec 5 06:32:47 2002
From: "Bill McCaffrey"
Date: Thu, 5 Dec 2002 03:33:02 -0800
Subject: [f-nsp] Re: serveriron http on ports other than 80

I don't know about the high port issue, but you can set the health check to expect a certain value or string - that should take care of the proxy issue.

Take a look at this page, it explains more about setting the health check status code.

http://www.foundrynet.com/solutions/appNotes/HealthChecks.html

----- Original Message -----
To: "Bill McCaffrey"
Sent: Thursday, December 05, 2002 3:10 AM
Subject: serveriron http on ports other than 80

> Greetings,
>
> I'm running several instances of Apache per server. Many of them on
> ports above 1024. (so that normal users can start/stop them.) Two
> issues I've run into:
>
> I've tried configuring TCP health checks on the high ports (10000,
> 10010, etc.) via the TCP/UDP port config and it seems to fail the health
> checks on the real server every time. (and thus serves nothing.) If I
> connect directly to the servers on the high ports I get the pages I expect.
>
> The second issue is that I cannot bind from a low point to a high
> point. I was kind of hoping to be able to bind port 80 on the virtual
> server to port 10000 (or whatever) on the real server. This is
> necessary because right now I use apache on port 80 to proxy up to port
> 10000 (or whatever) on the individual webservers. So... if the health
> checks just check port 80, the proxy may be up just fine, but the high
> port server may not be up. Thus the client may see a "proxy failure"
> page if the port 80 server is alive and the port 10000 server is dead.
>
> Sorry about all the questions. I just got this serveriron recently
> and despite reading through most of the docs on the website, there is
> still much I am having trouble figuring out. ;-)
>
> Cheers,
>
> ~Ethan B.
>
> --------------------------
> Ethan Burnside - Founder
> Kattare Internet Services
> http://www.kattare.com
> --------------------------

From TBulger@ea.com Thu Dec 5 06:55:35 2002
From: "Bulger, Tim"
To: "Bill McCaffrey"
Date: Thu, 5 Dec 2002 03:55:47 -0800
Subject: RE: [f-nsp] Re: serveriron http on ports other than 80

I believe you are looking for the 'no http port translate' command.. I suggest searching the ServerIron docs on their site.

-----Original Message-----
From: Bill McCaffrey [mailto:bill@neopets.com]
Sent: Thursday, December 05, 2002 11:33 AM
To: burnside@kattare.com
Cc: foundry-nsp@puck.nether.net
Subject: [f-nsp] Re: serveriron http on ports other than 80

I don't know about the high port issue, but you can set the health check to expect a certain value or string - that should take care of the proxy issue.

Take a look at this page, it explains more about setting the health check status code.

http://www.foundrynet.com/solutions/appNotes/HealthChecks.html

----- Original Message -----
To: "Bill McCaffrey"
Sent: Thursday, December 05, 2002 3:10 AM
Subject: serveriron http on ports other than 80

> Greetings,
>
> I'm running several instances of Apache per server. Many of them on
> ports above 1024. (so that normal users can start/stop them.) Two
> issues I've run into:
>
> I've tried configuring TCP health checks on the high ports (10000,
> 10010, etc.) via the TCP/UDP port config and it seems to fail the health
> checks on the real server every time. (and thus serves nothing.) If I
> connect directly to the servers on the high ports I get the pages I expect.
>
> The second issue is that I cannot bind from a low point to a high
> point. I was kind of hoping to be able to bind port 80 on the virtual
> server to port 10000 (or whatever) on the real server. This is
> necessary because right now I use apache on port 80 to proxy up to port
> 10000 (or whatever) on the individual webservers. So... if the health
> checks just check port 80, the proxy may be up just fine, but the high
> port server may not be up. Thus the client may see a "proxy failure"
> page if the port 80 server is alive and the port 10000 server is dead.
>
> Sorry about all the questions. I just got this serveriron recently
> and despite reading through most of the docs on the website, there is
> still much I am having trouble figuring out. ;-)
>
> Cheers,
>
> ~Ethan B.
>
> --------------------------
> Ethan Burnside - Founder
> Kattare Internet Services
> http://www.kattare.com
> --------------------------

From TBulger@ea.com Thu Dec 5 07:06:07 2002
From: "Bulger, Tim"
To: "Bulger, Tim", "Bill McCaffrey"
Date: Thu, 5 Dec 2002 04:06:19 -0800
Subject: RE: [f-nsp] Re: serveriron http on ports other than 80

Errr... 'no port http translate'.. Sorry for the spam.

-----Original Message-----
From: Bulger, Tim
Sent: Thursday, December 05, 2002 11:56 AM
To: Bill McCaffrey; burnside@kattare.com
Cc: foundry-nsp@puck.nether.net
Subject: RE: [f-nsp] Re: serveriron http on ports other than 80

I believe you are looking for the 'no http port translate' command.. I suggest searching the ServerIron docs on their site.

-----Original Message-----
From: Bill McCaffrey [mailto:bill@neopets.com]
Sent: Thursday, December 05, 2002 11:33 AM
To: burnside@kattare.com
Cc: foundry-nsp@puck.nether.net
Subject: [f-nsp] Re: serveriron http on ports other than 80

I don't know about the high port issue, but you can set the health check to expect a certain value or string - that should take care of the proxy issue.

Take a look at this page, it explains more about setting the health check status code.

http://www.foundrynet.com/solutions/appNotes/HealthChecks.html

----- Original Message -----
To: "Bill McCaffrey"
Sent: Thursday, December 05, 2002 3:10 AM
Subject: serveriron http on ports other than 80

> Greetings,
>
> I'm running several instances of Apache per server. Many of them on
> ports above 1024. (so that normal users can start/stop them.) Two
> issues I've run into:
>
> I've tried configuring TCP health checks on the high ports (10000,
> 10010, etc.) via the TCP/UDP port config and it seems to fail the health
> checks on the real server every time. (and thus serves nothing.) If I
> connect directly to the servers on the high ports I get the pages I expect.
>
> The second issue is that I cannot bind from a low point to a high
> point. I was kind of hoping to be able to bind port 80 on the virtual
> server to port 10000 (or whatever) on the real server. This is
> necessary because right now I use apache on port 80 to proxy up to port
> 10000 (or whatever) on the individual webservers. So... if the health
> checks just check port 80, the proxy may be up just fine, but the high
> port server may not be up. Thus the client may see a "proxy failure"
> page if the port 80 server is alive and the port 10000 server is dead.
>
> Sorry about all the questions. I just got this serveriron recently
> and despite reading through most of the docs on the website, there is
> still much I am having trouble figuring out. ;-)
>
> Cheers,
>
> ~Ethan B.
>
> --------------------------
> Ethan Burnside - Founder
> Kattare Internet Services
> http://www.kattare.com
> --------------------------

From harpo@thebackrow.net Thu Dec 5 10:22:49 2002
From: Will Lowe
To: burnside@kattare.com
Cc: Bill McCaffrey, foundry-nsp@puck.nether.net
Date: Thu, 5 Dec 2002 07:23:05 -0800
Subject: Re: [f-nsp] serveriron http on ports other than 80

> I've tried configuring TCP health checks on the high ports (10000,
> 10010, etc.) via the TCP/UDP port config and it seems to fail the health
> checks on the real server every time. (and thus serves nothing.) If I
> connect directly to the servers on the high ports I get the pages I expect.

You need something like:

    server port 10000
    tcp keepalive protocol http

to force it to do http health-checks on a non-port-80 service.

Foundry's docs are kinda confusing, but the relevant part of the manual is at

http://www.foundrynet.com/services/documentation/siug/ServerIron_health_checks.html#41255

From cliftonr@lava.net Thu Dec 5 13:36:02 2002
From: Clifton Royston
To: burnside@kattare.com
Cc: Bill McCaffrey, foundry-nsp@puck.nether.net
Date: Thu, 5 Dec 2002 08:35:52 -1000
Subject: Re: [f-nsp] serveriron http on ports other than 80

On Thu, Dec 05, 2002 at 03:10:37AM -0800, burnside@kattare.com wrote:
> Greetings,
>
> I'm running several instances of Apache per server. Many of them on
> ports above 1024. (so that normal users can start/stop them.) Two
> issues I've run into:
>
> I've tried configuring TCP health checks on the high ports (10000,
> 10010, etc.) via the TCP/UDP port config and it seems to fail the health
> checks on the real server every time. (and thus serves nothing.) If I
> connect directly to the servers on the high ports I get the pages I expect.
>
> The second issue is that I cannot bind from a low point to a high
> point. I was kind of hoping to be able to bind port 80 on the virtual
> server to port 10000 (or whatever) on the real server. This is
> necessary because right now I use apache on port 80 to proxy up to port
> 10000 (or whatever) on the individual webservers. So... if the health
> checks just check port 80, the proxy may be up just fine, but the high
> port server may not be up. Thus the client may see a "proxy failure"
> page if the port 80 server is alive and the port 10000 server is dead.

Can you post a snippet of your configuration, e.g. for the virtual server and some of the real servers?

> Sorry about all the questions. I just got this serveriron recently
> and despite reading through most of the docs on the website, there is
> still much I am having trouble figuring out. ;-)

Yes, there is a lot of stuff about them that is poorly documented or confusingly documented. I thought for several years that they were unable to have virtual servers based on real servers which are not physically connected through the ServerIron (which actually was broken functionality in early firmware releases.) It wasn't until some people on this list said they were doing just that that I started experimenting and discovered how it had to be configured to make it work, using the source-ip settings. (The commands were documented, but how you have to use them in a particular network topology was not.)

-- Clifton

--
Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net

"As for yourself, ... I am well disposed to hope you may hitherto have escaped many Vices of your Country. But by what I have gathered from your own Relation, and the Answers I have with much Pain wringed and extorted from you, I cannot but conclude the Bulk of your Natives to be the most pernicious Race of little odious Vermin that Nature ever suffered to crawl upon the Surface of the Earth." - Jonathan Swift, _Gulliver's Travels_

From burnside@kattare.com Fri Dec 20 08:34:59 2002
From: burnside@kattare.com
To: Will Lowe
Cc: foundry-nsp@puck.nether.net
Date: Fri, 20 Dec 2002 05:35:15 -0800
Subject: Re: [f-nsp] serveriron http on ports other than 80
list

Will,

I appreciate the assistance. After much reading and fandangling with it I realized that the version of the OS I have is not the version the docs on the site are for, and does not allow the protocol argument when working with the given port. This leaves me in a bit of a bind, as I have all kinds of weird ports that I need to support. (smtp on port 2525, pop3 on port 995, http on port 10000, etc.)

To add to the confusion... I started off using the web based admin, thinking it'd be an easier way to jump in and learn the concepts. Turns out that the SLB port management is broken in the web interface. If you manually add a port it automatically assumes it's an HTTP port and sets it up to do the default "HEAD /" checks. Cripes. It took me quite a while to figure out why the checks were failing. There's no way to fix it from the web interface. Thank goodness the CLI is similar to IOS and fixing it up wasn't too difficult.

How does one go about getting the latest version of the OS? I poked around on their site briefly but could not find any downloads. Are they setup like Cisco where you have to get a service contract and pay for bugfixes, security patches, and functionality that should have been there in the first place? ;-)

Cheers,

~Ethan B.

Quoting Will Lowe :

> > I've tried configuring TCP health checks on the high ports (10000,
> > 10010, etc.) via the TCP/UDP port config and it seems to fail the health
> > checks on the real server every time. (and thus serves nothing.) If I
> > connect directly to the servers on the high ports I get the pages I expect.
>
> You need something like:
>
> server port 10000
>  tcp keepalive protocol http
>
> to force it to do http health-checks on a non-port-80 service.
> Foundry's docs are kinda confusing, but the relevant part of the
> manual is at
>
> http://www.foundrynet.com/services/documentation/siug/ServerIron_health_checks.html#41255
>

--------------------------
Ethan Burnside - Founder
Kattare Internet Services
http://www.kattare.com
--------------------------

From kwall@softhome.net Fri Dec 20 10:14:53 2002
From: "Kim Wall"
To: burnside@kattare.com, "'Will Lowe'"
Subject: RE: [f-nsp] serveriron http on ports other than 80
Date: Fri, 20 Dec 2002 09:15:06 -0600
cc: foundry-nsp@puck.nether.net

Yes, a maintenance contract is required to gain access to the code download pages. You would normally purchase through a local sales team.
If you need assistance in locating a local SE, the following may be useful:

Contact:
Technical Support Center
408-586-1881
1-877-TURBOCALL (1-877-887-2622)
support@foundrynet.com

Also: from the web
http://www.foundrynet.com/services/support/index.html

Warranty customers may access Foundry's Technical Support section for up to 90 days after shipment of your system. To obtain access to Foundry's on-line service and support for the 90-day Software Warranty period, please:

Locate the Part Number on your Foundry product: Example: B15000
Locate the Serial Number label on the back of your Foundry product. Example: F12345
Your User name = Part Number + Serial Number with no spaces Example: B15000F12345
Your Password = Part Number Example: B15000
Click on the Log In button below
Enter in the User name and Password which you determined above.
Click "OK" to log in.

Regards,
Kim

-----Original Message-----
From: foundry-nsp-bounces@puck.nether.net [mailto:foundry-nsp-bounces@puck.nether.net] On Behalf Of burnside@kattare.com
Sent: Friday, December 20, 2002 7:35 AM
To: Will Lowe
Cc: foundry-nsp@puck.nether.net
Subject: Re: [f-nsp] serveriron http on ports other than 80

Will,

I appreciate the assistance. After much reading and fandangling with it I realized that the version of the OS I have is not the version the docs on the site are for, and does not allow the protocol argument when working with the given port. This leaves me in a bit of a bind, as I have all kinds of weird ports that I need to support. (smtp on port 2525, pop3 on port 995, http on port 10000, etc.)

To add to the confusion... I started off using the web based admin, thinking it'd be an easier way to jump in and learn the concepts. Turns out that the SLB port management is broken in the web interface. If you manually add a port it automatically assumes it's an HTTP port and sets it up to do the default "HEAD /" checks. Cripes. It took me quite a while to figure out why the checks were failing.
There's no way to fix it from the web interface. Thank goodness the CLI is similar to IOS and fixing it up wasn't too difficult.

How does one go about getting the latest version of the OS? I poked around on their site briefly but could not find any downloads. Are they setup like Cisco where you have to get a service contract and pay for bugfixes, security patches, and functionality that should have been there in the first place? ;-)

Cheers,

~Ethan B.

Quoting Will Lowe :

> > I've tried configuring TCP health checks on the high ports (10000,
> > 10010, etc.) via the TCP/UDP port config and it seems to fail the health
> > checks on the real server every time. (and thus serves nothing.) If I
> > connect directly to the servers on the high ports I get the pages I expect.
>
> You need something like:
>
> server port 10000
>  tcp keepalive protocol http
>
> to force it to do http health-checks on a non-port-80 service.
> Foundry's docs are kinda confusing, but the relevant part of the
> manual is at
>
> http://www.foundrynet.com/services/documentation/siug/ServerIron_health_checks.html#41255
>

--------------------------
Ethan Burnside - Founder
Kattare Internet Services
http://www.kattare.com
--------------------------

_______________________________________________
foundry-nsp mailing list
foundry-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp

---
Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.427 / Virus Database: 240 - Release Date: 12/6/2002

---
Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com).
From tuc@himinbjorg.ttsg.com Mon Dec 23 16:09:05 2002
From: Tuc
To: foundry-nsp@puck.nether.net
Date: Mon, 23 Dec 2002 16:09:36 -0500 (EST)
Subject: [f-nsp] Automated ACLs

Hi,

Wondering if anyone has run into a decent way of automating the usage of ACLs. I know we can do expect scripts or something, but wondering if there was some better way. On our core Cisco routers we use Zebra as a "BLACKHOLE" server. We'd like something that we can go to our Foundry 4802 with and be able to do on a port by port basis.

Thanks,
Tuc/TTSG Internet Services, Inc.
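Added example (not part of any list message, and not Foundry code): a small Python prober that reproduces the health-check behaviours discussed in the "serveriron http on ports other than 80" thread. It shows that a layer 4 check passes on anything that completes a TCP handshake, that a default "HEAD /" check fails against a non-HTTP service on a high port, and that a name-based virtual host answers 404 until a Host header is sent. The local test services, the name `www.example.test` and all function names are constructed for this illustration.

```python
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VHOST = "www.example.test"  # constructed name-based virtual host


class VhostHandler(BaseHTTPRequestHandler):
    """Constructed real server: answers 200 only for the configured Host."""

    def do_HEAD(self):
        self.send_response(200 if self.headers.get("Host") == VHOST else 404)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class BannerHandler(socketserver.BaseRequestHandler):
    """Constructed non-HTTP service (SMTP-style greeting) on a high port."""

    def handle(self):
        try:
            self.request.settimeout(2)
            self.request.sendall(b"220 mail.example.test ESMTP\r\n")
            self.request.recv(1024)  # drain the probe so the close is clean
        except OSError:
            pass  # prober hung up right after connecting


def tcp_check(host, port, timeout=2.0):
    """Layer 4 check: the port is 'up' if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_check(host, port, request_line="HEAD / HTTP/1.0", host_header=None,
               timeout=2.0):
    """Layer 7 check: send the request, return the status code or None."""
    request = request_line + "\r\n"
    if host_header:
        request += f"Host: {host_header}\r\n"
    request += "\r\n"
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            while b"\r\n" not in data:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    parts = data.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None  # connected, but the peer does not speak HTTP
    return int(parts[1])


def run_demo():
    """Start the constructed services and return each check's result."""
    web = HTTPServer(("127.0.0.1", 0), VhostHandler)
    mail = socketserver.TCPServer(("127.0.0.1", 0), BannerHandler)
    dead = socket.socket()  # bound but never listening: a dead backend
    dead.bind(("127.0.0.1", 0))
    for srv in (web, mail):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    ip = "127.0.0.1"
    web_port, mail_port = web.server_address[1], mail.server_address[1]
    try:
        return {
            "web_tcp": tcp_check(ip, web_port),
            "web_head_no_host": http_check(ip, web_port),
            "web_head_with_host": http_check(ip, web_port, "HEAD / HTTP/1.1", VHOST),
            "mail_tcp": tcp_check(ip, mail_port),
            "mail_head": http_check(ip, mail_port),
            "dead_tcp": tcp_check(ip, dead.getsockname()[1]),
        }
    finally:
        dead.close()
        for srv in (web, mail):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:20} {result}")
```

A checker that treats "TCP connect succeeded" as up reports the web and mail services identically; only the layer 7 result separates a correctly served virtual host (200) from a 404 or a non-HTTP listener.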
From andrew@peak.org Tue Dec 31 13:37:32 2002
From: Andrew Lee
To: foundry-nsp@puck.nether.net
Date: 31 Dec 2002 10:37:55 -0800
Subject: [f-nsp] Memory upgrade for B8MGR

Anyone know where I can get a memory upgrade for a B8MGR? Currently has 128M, would like to go to 256 or 512.
Thanks
Andrew

From alan@ic24.net Wed Jan 8 05:06:02 2003
From: "alan"
To: , "Bill McCaffrey"
Subject: Re: [f-nsp] serveriron http on ports other than 80
Date: Wed, 8 Jan 2003 10:20:31 -0000
cc: foundry-nsp@puck.nether.net

You have a bit of a problem with virtual hosts on the foundrys. They only support health checks in http 1.0; this means there is no real way to pass a host header via a health check. This means you will have to run multiple instances of apache on the server and bind them to different ports. If you use virtual hosts the serveriron will not send a host header, so you get a 404 from the web server indicating the site was not found\configured.

The unusual thing is the serveriron does support virtual host slb. This will allow you to use a single virtual ip address and look for the host header coming in and send it to an apache instance running on a high port number.

One other thing to note.
If you health check at layer 7 or script health check then the foundry sets everything as positive by default once a layer 4 health check has been achieved (404 error will mark a server as up as the layer 4 health check was passed). You need to set

server no-fast-bringup

this will enable layer 7 health checks. Same also applies to scripted health checks; you need an entry of down default.

One last thing (sorry for the rabbit): layer 7 slb can be very unforgiving to the serveriron, check the cpu levels.

I the configurations of a working setup if you're interested

Alan

----- Original Message -----
From:
To: "Bill McCaffrey"
Cc:
Sent: Thursday, December 05, 2002 11:10 AM
Subject: [f-nsp] serveriron http on ports other than 80

> Greetings,
>
> I'm running several instances of Apache per server. Many of them on
> ports above 1024. (so that normal users can start/stop them.) Two
> issues I've run into:
>
> I've tried configuring TCP health checks on the high ports (10000,
> 10010, etc.) via the TCP/UDP port config and it seems to fail the health
> checks on the real server every time. (and thus serves nothing.) If I
> connect directly to the servers on the high ports I get the pages I expect.
>
> The second issue is that I cannot bind from a low point to a high
> point. I was kind of hoping to be able to bind port 80 on the virtual
> server to port 10000 (or whatever) on the real server. This is
> necessary because right now I use apache on port 80 to proxy up to port
> 10000 (or whatever) on the individual webservers. So... if the health
> checks just check port 80, the proxy may be up just fine, but the high
> port server may not be up. Thus the client may see a "proxy failure"
> page if the port 80 server is alive and the port 10000 server is dead.
>
> Sorry about all the questions. I just got this serveriron recently
> and despite reading through most of the docs on the website, there is
> still much I am having trouble figuring out. ;-)
>
> Cheers,
>
> ~Ethan B.
>
> --------------------------
> Ethan Burnside - Founder
> Kattare Internet Services
> http://www.kattare.com
> --------------------------
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp

From TBulger@ea.com Thu Jan 9 12:05:27 2003
Subject: RE: [f-nsp] serveriron http on ports other than 80
Date: Thu, 9 Jan 2003 09:07:36 -0800
From: "Bulger, Tim"
To: "alan" , , "Bill McCaffrey"
cc: foundry-nsp@puck.nether.net

This is not correct..
The format to pass host information is like this:

port http url "HEAD /home/home.jsp HTTP/1.1\r\nHost: www.whatever.com"

-----Original Message-----
From: alan [mailto:alan@ic24.net]
Sent: Wednesday, January 08, 2003 2:21 AM
To: burnside@kattare.com; Bill McCaffrey
Cc: foundry-nsp@puck.nether.net
Subject: Re: [f-nsp] serveriron http on ports other than 80

You have a bit of a problem with virtual hosts on the foundrys. They only support health checks in http 1.0; this means there is no real way to pass a host header via a health check. This means you will have to run multiple instances of apache on the server and bind them to different ports. If you use virtual hosts the serveriron will not send a host header, so you get a 404 from the web server indicating the site was not found\configured.

The unusual thing is the serveriron does support virtual host slb. This will allow you to use a single virtual ip address and look for the host header coming in and send it to an apache instance running on a high port number.

One other thing to note. If you health check at layer 7 or script health check then the foundry sets everything as positive by default once a layer 4 health check has been achieved (404 error will mark a server as up as the layer 4 health check was passed). You need to set

server no-fast-bringup

this will enable layer 7 health checks. Same also applies to scripted health checks; you need an entry of down default.

One last thing (sorry for the rabbit): layer 7 slb can be very unforgiving to the serveriron, check the cpu levels.

I the configurations of a working setup if you're interested

Alan

----- Original Message -----
From:
To: "Bill McCaffrey"
Cc:
Sent: Thursday, December 05, 2002 11:10 AM
Subject: [f-nsp] serveriron http on ports other than 80

> Greetings,
>
> I'm running several instances of Apache per server. Many of them
> on ports above 1024. (so that normal users can start/stop them.)
> Two issues I've run into:
>
> I've tried configuring TCP health checks on the high ports (10000,
> 10010, etc.) via the TCP/UDP port config and it seems to fail the
> health checks on the real server every time. (and thus serves
> nothing.) If I connect directly to the servers on the high ports I
> get the pages I expect.
>
> The second issue is that I cannot bind from a low point to a high
> point. I was kind of hoping to be able to bind port 80 on the virtual
> server to port 10000 (or whatever) on the real server. This is
> necessary because right now I use apache on port 80 to proxy up to
> port 10000 (or whatever) on the individual webservers. So... if the
> health checks just check port 80, the proxy may be up just fine, but
> the high port server may not be up. Thus the client may see a "proxy
> failure" page if the port 80 server is alive and the port 10000 server
> is dead.
>
> Sorry about all the questions. I just got this serveriron
> recently and despite reading through most of the docs on the website,
> there is still much I am having trouble figuring out. ;-)
>
> Cheers,
>
> ~Ethan B.
>
> --------------------------
> Ethan Burnside - Founder
> Kattare Internet Services
> http://www.kattare.com
> --------------------------
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp

From cliftonr@lava.net Wed Jan 22 13:36:29 2003
Date: Wed, 22 Jan 2003 08:36:41 -1000
From: Clifton Royston
To: foundry-nsp@puck.nether.net
Subject: [f-nsp] ServerIron config question - can this be done?

I am trying to configure a particular load-balancing+failover setup for a web customer who will be colo'ed with us, and am wondering if there is a way to do this. I've got 2 original ServerIrons and one ServerIron XL, I'm planning to put this onto the XL.

I would like the configuration to have the following properties:

1) The ServerIron can determine when any of the real servers is down (i.e. failover works correctly)

2) The customer web servers do not have to be physically connected "through" the ServerIron.
3) The original source IP address of the connection is preserved (they need that for their logging and analysis.)

4) Preferably, the customer servers are in their own address block and VLAN (Ethernet broadcast domain.)

Is there any way to get all of these at one time?

I know I can achieve 1, 3, and 4 by physically routing their connection through a ServerIron port dedicated to their VLAN; that's close to our standard configuration so I'm not showing that here. That's my fallback solution, but I'd like to be able to do this without dedicating a port.

I think I could achieve 2, 3, and 4 by defining the servers as "remote" instead of "real" and configuring DSR, but the documentation seems to imply that the ServerIrons can't automatically detect a failed server in that case.

I know I can achieve the combination of properties 1, 2, and 4 by configuring a tagged VLAN on the main Ethernet link to our main switch and configuring their servers with source NAT like this; this rewrites the source IP, but routes everything correctly, distributes load fairly, detects failed servers, and keeps them in their own VLAN:

server source-ip xx.yy.zz.14 255.255.255.240 xx.yy.zz.1
real server their-server-1 xx.yy.zz.2
 source-nat
 port http
 port http url "HEAD /"
real server their-server-2 xx.yy.zz.3
 source-nat
 port http
 port http url "HEAD /"
server virtual virtual-85 ww.vv.uu.tt
 sym-priority 100
 port http
 bind http their-server-1 their-server-2

Is there any way to get all of what I want - failover detection, not dedicating a port to put the servers "behind" the ServerIron, source IP preserved, and keeping them in their own VLAN?

Thanks in advance for any help.

  -- Clifton

--
Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net

"If you ride fast enough, the Specialist can't catch you."
"What's the Specialist?" Samantha says.
"The Specialist wears a hat," says the babysitter. "The hat makes noises."
She doesn't say anything else.
Kelly Link, _The Specialist's Hat_

From vandusb@attens.com Wed Jan 22 14:38:29 2003
Date: Wed, 22 Jan 2003 11:38:35 -0800
To: Clifton Royston , foundry-nsp@puck.nether.net
From: Brent Van Dussen
Subject: Re: [f-nsp] ServerIron config question - can this be done?

You'll need to keep the serveriron and the customers webservers in the same L2 domain. If the webservers and the serveriron are all part of the same customer installation I don't see why it has to be separated out into VLAN's.

DSR will do everything else that you need it to, just remember that you'll have to configure Loopbacks on each of the real servers.

If the real servers are in a different subnet than the serveriron you can use the source-ip or just put both subnets on the upstream L3 device and the serveriron will route health checks up to the router and back down to the real servers.
-Brent

At 10:36 AM 1/22/2003, Clifton Royston wrote:
> I am trying to configure a particular load-balancing+failover setup
>for a web customer who will be colo'ed with us, and am wondering if
>there is a way to do this. I've got 2 original ServerIrons and one
>ServerIron XL, I'm planning to put this onto the XL.
>
> I would like the configuration to have the following properties:
>
>1) The ServerIron can determine when any of the real servers is down
> (i.e. failover works correctly)
>
>2) The customer web servers do not have to be physically connected
> "through" the ServerIron.
>
>3) The original source IP address of the connection is preserved (they
> need that for their logging and analysis.)
>
>4) Preferably, the customer servers are in their own address block and
> VLAN (Ethernet broadcast domain.)
>
> Is there any way to get all of these at one time?
>
> I know I can achieve 1, 3, and 4 by physically routing their
>connection through a ServerIron port dedicated to their VLAN; that's
>close to our standard configuration so I'm not showing that here.
>That's my fallback solution, but I'd like to be able to do this without
>dedicating a port.
>
> I think I could achieve 2, 3, and 4 by defining the servers as
>"remote" instead of "real" and configuring DSR, but the documentation
>seems to imply that the ServerIrons can't automatically detect a failed
>server in that case.
>
> I know I can achieve the combination of properties 1, 2, and 4 by
>configuring a tagged VLAN on the main Ethernet link to our main switch
>and configuring their servers with source NAT like this; this rewrites
>the source IP, but routes everything correctly, distributes load
>fairly, detects failed servers, and keeps them in their own VLAN:
>
>server source-ip xx.yy.zz.14 255.255.255.240 xx.yy.zz.1
>real server their-server-1 xx.yy.zz.2
> source-nat
> port http
> port http url "HEAD /"
>real server their-server-2 xx.yy.zz.3
> source-nat
> port http
> port http url "HEAD /"
>server virtual virtual-85 ww.vv.uu.tt
> sym-priority 100
> port http
> bind http their-server-1 their-server-2
>
> Is there any way to get all of what I want - failover detection, not
>dedicating a port to put the servers "behind" the ServerIron, source IP
>preserved, and keeping them in their own VLAN?
>
> Thanks in advance for any help.
> -- Clifton
>
>--
> Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net
>
> "If you ride fast enough, the Specialist can't catch you."
> "What's the Specialist?" Samantha says.
> "The Specialist wears a hat," says the babysitter. "The hat makes noises."
> She doesn't say anything else.
> Kelly Link, _The Specialist's Hat_
>_______________________________________________
>foundry-nsp mailing list
>foundry-nsp@puck.nether.net
>http://puck.nether.net/mailman/listinfo/foundry-nsp

From cliftonr@lava.net Wed Jan 22 16:14:17 2003
Date: Wed, 22 Jan 2003 11:14:27 -1000
From: Clifton Royston
To: Brent Van Dussen
Subject: Re: [f-nsp] ServerIron config question - can this be done?
cc: foundry-nsp@puck.nether.net

On Wed, Jan 22, 2003 at 11:38:35AM -0800, Brent Van Dussen wrote:
> You'll need to keep the serveriron and the customers webservers in the same
> L2 domain. If the webservers and the serveriron are all part of the same
> customer installation I don't see why it has to be separated out into VLAN's.

Thanks for the quick response!

The ServerIrons are not dedicated to this customer; the customer's virtual server will be "sharing time" on a ServerIron we also use for in-house load-balanced virtual servers. Ultimately other customers might end up in a similar configuration, and we prefer to map our colo customers into separate L2 domains.

Is the point of having them in the same L2 domain that the ServerIron can see ARPs for the servers directly?

> DSR will do everything else that you need it to, just remember that you'll
> have to configure Loopbacks on each of the real servers.
>
> If the real servers are in a different subnet than the serveriron you can
> use the source-ip or just put both subnets on the upstream L3 device and
> the serveriron will route health checks up to the router and back down to
> the real servers.

Sorry, you lost me here.
Are you talking about just adding the "server source-ip [IP-in-their-netblock]" globally, with a usual "server real foo" definition, and "port http dsr" on the virtual server, and that that should do it all? I've never tried this particular permutation, but if it should work, I'll give it a shot!

  -- Clifton

--
Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net

"If you ride fast enough, the Specialist can't catch you."
"What's the Specialist?" Samantha says.
"The Specialist wears a hat," says the babysitter. "The hat makes noises."
She doesn't say anything else.
Kelly Link, _The Specialist's Hat_

From cliftonr@lava.net Wed Jan 22 20:31:05 2003
Date: Wed, 22 Jan 2003 15:31:19 -1000
From: Clifton Royston
To: Kim Wall
cc: foundry-nsp@puck.nether.net
Subject: [f-nsp] Re: can this be done?
On Wed, Jan 22, 2003 at 01:13:53PM -0600, Kim Wall wrote:
> "I think I could achieve 2, 3, and 4 by defining the servers as
> "remote" instead of "real" and configuring DSR, but the documentation
> seems to imply that the ServerIrons can't automatically detect a
> failed server in that case."
>
> Clifton, not sure what version of software you are using, but I know
> that the SI-XL still performs "pings" as a basic health check to
> remote real servers using version 7.3.05. This is done automatically.

This was a good tip, and got me thinking (and reading the docs deeper) about how to enable additional health checks.

For those Googling the mailing list, it turns out to be perfectly easy to configure further application layer checks in conjunction with a "dsr" or "Switchback" configuration.

Setting up explicit health checks on http to work with DSR or Switchback, e.g. in an asymmetrically routed network, is as simple as this:

server port 80
 ! number of seconds and retries between polls
 tcp keepalive 60 2
server real foo xx.yy.zz.ww
 port http
 port http keepalive
 port http url "HEAD /"
server real bar xx.yy.zz.vv
 port http
 port http keepalive
 port http url "HEAD /"
server virtual baz xx.yy.zz.qq
 port http dsr
 bind http foo http bar http

If you tail the http logs on the real servers, you will see the "HEAD" requests from the ServerIron itself show up every 60 seconds, or however often you've configured them, along with whatever connections get made to the virtual server.

This also appears to work in the multiple subnet and multiple VLAN environment I was originally concerned about.
  -- Clifton

--
  Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net

  "If you ride fast enough, the Specialist can't catch you."
  "What's the Specialist?" Samantha says.
  "The Specialist wears a hat," says the babysitter. "The hat makes noises."
  She doesn't say anything else.
                        Kelly Link, _The Specialist's Hat_

From cliftonr@lava.net Thu Jan 23 21:45:12 2003
Date: Thu, 23 Jan 2003 16:45:11 -1000
From: Clifton Royston
To: Brent Van Dussen
cc: foundry-nsp@puck.nether.net
Subject: Re: [f-nsp] ServerIron config question - can this be done?
Message-ID: <20030123164511.B24237@lava.net>
References: <20030122083641.A25888@lava.net> <5.1.0.14.2.20030122113523.01b21bd8@staff.attens.com> <20030122111426.B14791@lava.net>
In-Reply-To: <20030122111426.B14791@lava.net>; from cliftonr@lava.net on Wed, Jan 22, 2003 at 11:14:27AM -1000

On Wed, Jan 22, 2003 at 11:14:27AM -1000, Clifton Royston wrote:
...
> Are you talking about just adding the "server source-ip
> [IP-in-their-netblock]" globally, with a usual "server real foo"
> definition, and "port http dsr" on the virtual server, and that that
> should do it all? I've never tried this particular permutation, but if
> it should work, I'll give it a shot!

  This seems to be working fine; thanks for all the help!

  We are running into some minor problems on their servers, because the
Linux kernel is insisting on proxy-arping for the virtual IP and
causing some ARP conflicts.

  This is a Linux bug or serious misfeature IMHO, but there is a patch
the customer will apply for it as they have built a custom kernel
anyway.

  Apart from this, the solution is working fine even in the VLAN
environment, and has saved us having to dedicate a physical ServerIron
switch port to them.

  -- Clifton

--
  Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net

  "If you ride fast enough, the Specialist can't catch you."
  "What's the Specialist?" Samantha says.
  "The Specialist wears a hat," says the babysitter. "The hat makes noises."
  She doesn't say anything else.
                        Kelly Link, _The Specialist's Hat_

From jba@analogue.net Thu Jan 23 23:06:57 2003
Date: Thu, 23 Jan 2003 22:53:38 -0500 (EST)
From: "jeffrey.arnold"
To: Clifton Royston
Subject: Re: [f-nsp] ServerIron config question - can this be done?
In-Reply-To: <20030123164511.B24237@lava.net>
References: <20030122083641.A25888@lava.net> <5.1.0.14.2.20030122113523.01b21bd8@staff.attens.com> <20030122111426.B14791@lava.net> <20030123164511.B24237@lava.net>
cc: Brent Van Dussen
cc: foundry-nsp@puck.nether.net

On Thu, 23 Jan 2003, Clifton Royston wrote:

:: We are running into some minor problems on their servers, because the
:: Linux kernel is insisting on proxy-arping for the virtual IP and
:: causing some ARP conflicts.
::
:: This is a Linux bug or serious misfeature IMHO, but there is a patch
:: the customer will apply for it as they have built a custom kernel
:: anyway.
::

I agree this is a horrible linux bug, and have yet to see a reasonable
argument why it has become the default behavior for loopback interfaces in
the 2.4 kernel. Anyone?

-jba

__
 [jba@analogue.net] :: analogue.networks.nyc :: http://analogue.net

From bill@neopets.com Tue Mar 4 18:05:22 2003
Date: Tue, 4 Mar 2003 15:07:00 -0800
From: Bill McCaffrey
To: "'foundry-nsp@puck.nether.net'"
Subject: [f-nsp] Strange interaction
Message-ID: <7138CDFAE47E34459A03E3E531D5CE3504564D1C@neoserver.dohring.com>

I have an odd/strange/interesting situation that I am at a complete loss to
explain.

I have two serverirons, one with 50 servers, the other has 100 servers.
Serverirons are running on firmware version 07.3.05aT12 and are configured
with hand-off load balancing. All the servers are running stock RH 6.2. I
recently changed the TCP syn-def parameter down to 2 seconds to battle some
ddos attacks. After the change, I started to have from 2 to 6 dead servers
in the morning, not just health-check dead, but completely kernel-panic type
dead. With nothing showing in the logs on the servers. They tended to go
down early to mid morning, all at different times and not the same servers
each day. This time of day is neither the highest nor lowest traffic period.
The 50 server lb, which handles about 3 times the number of requests as the
other had the problem in a greater degree. I changed the parameter to 4
seconds and the problem went away.

Tarot cards and pigeon entrails have shed no light on this - does anybody
have any ideas on what could be happening here?

TIA,
Bill

From jb@anthologeek.net Tue Mar 4 18:50:11 2003
Date: Wed, 5 Mar 2003 00:48:42 +0100
From: Jean Barbezat
To: "'foundry-nsp@puck.nether.net'"
Subject: Re: [f-nsp] Strange interaction
Message-ID: <20030304234842.GA75545@day.anthologeek.net>
References: <7138CDFAE47E34459A03E3E531D5CE3504564D1C@neoserver.dohring.com>
In-Reply-To: <7138CDFAE47E34459A03E3E531D5CE3504564D1C@neoserver.dohring.com>

Hi,

On Tue, Mar 04, 2003 at 03:07:00PM -0800 or thereabouts, Bill McCaffrey wrote:
> All the servers are running stock RH 6.2. I
> recently changed the TCP syn-def parameter down to 2 seconds to battle some
> ddos attacks. After the change, I started to have from 2 to 6 dead servers
> in the morning, not just health-check dead, but completely kernel-panic type
> dead.

Well you'd better upgrade your servers with a brand new kernel, 6.2
kernels should be running a bogus kernel tcp/ip stack.

cf: http://lists.insecure.org/lists/bugtraq/1996/May/0017.html

>
> Tarot cards and pigeon entrails have shed no light on this - does anybody
> have any ideas on what could be happening here?

I think you should try bugtraq it works better, and it saves pigeons.
Regards,

--
Jean Barbezat
"Every day, computers are making people easier to use."

From kwong@masergy.com Tue Apr 15 11:23:03 2003
Date: Tue, 15 Apr 2003 11:23:01 -0400
From: "Ken Wong"
Subject: [f-nsp] PIM Snooping
Message-ID: <6B25E083A064374CA3D2FAB305CFAF7A0C9E4B@m-va-bsod03.add0.masergy.com>

Is the PIM SM Snooping feature available on the EdgeIron Box?

Thanks,

Ken

From bill@neopets.com Sat Apr 19 20:00:36 2003
Date: Sat, 19 Apr 2003 17:00:59 -0700
From: "Bill McCaffrey"
Subject: [f-nsp] Real world metrics
Message-ID: <00d901c306cf$ed46c160$90aea440@Bill>

If anyone is interested, here are some real-world statistics of what a
serveriron can do. These levels of traffic resulted in 100% cpu
utilization. The total amount of traffic making it through this machine
was about 80-90% of actual demand. They are quite a bit different than
what the brochure claims...

Model: 8-port ServerIronXL, 400Mhz processor, 32MB System DRAM
Expansion: 1 GIGA Fiber uplink interfaces
Board Type: ServerIron Switch Board Type 1, Octal System
Firmware: 07.3.05aT12

Bits/sec
Rx: 140M
Tx: 130M

Packets/sec
Rx: 126k
Tx: 102k

10k http requests/sec
2 Virtual servers
146 Real servers - DSR, not sticky - nothing fancy

From jba@analogue.net Sat Apr 19 20:04:35 2003
Date: Sat, 19 Apr 2003 20:10:58 -0400 (EDT)
From: "jeffrey.arnold"
To: Ken Wong
cc: foundry-nsp@puck.nether.net
Subject: Re: [f-nsp] PIM Snooping
In-Reply-To: <6B25E083A064374CA3D2FAB305CFAF7A0C9E4B@m-va-bsod03.add0.masergy.com>
References: <6B25E083A064374CA3D2FAB305CFAF7A0C9E4B@m-va-bsod03.add0.masergy.com>

On Tue, 15 Apr 2003, Ken Wong wrote:

:: Is the PIM SM Snooping feature available on the EdgeIron Box?
::

Doesn't look like it. The edgeiron boxes are not made by foundry (hardware
and software are bought from some other vendor) and have nothing in common
with the rest of the foundry line besides the paint job. Config syntax and
functionality are completely different than the netiron/bigiron/fastiron
line.

Of course, you should probably check with your local SE, as things may
have changed..
-jba

__
 [jba@analogue.net] :: analogue.networks.nyc :: http://analogue.net

From burnside@kattare.com Thu Jun 12 00:30:16 2003
Date: Wed, 11 Jun 2003 21:29:15 -0700
From: Ethan Burnside
To: foundry-nsp@puck.nether.net
Subject: [f-nsp] Bouncing L4 Health Checks
Message-ID: <1055392155.3ee8019bd2b7b@www.kattare.com>
References: <5.1.0.14.2.20030122113523.01b21bd8@staff.attens.com>
In-Reply-To: <5.1.0.14.2.20030122113523.01b21bd8@staff.attens.com>

Greetings,

  I've been using a ServerIron XL for SLB and GSLB and have been
seeing the health checks bounce up and down for quite some time now,
similar to the following:

0 days 1:7:52 notification L4 server 206.163.128.131 front-01-800mcmahan port 110 is up
0 days 1:7:52 notification L4 server 206.163.128.131 front-01-800mcmahan port 110 is down due to healthcheck
0 days 1:7:46 notification L4 server 206.163.128.131 front-01-800mcmahan port 80 is up
0 days 1:7:46 notification L4 server 206.163.128.131 front-01-800mcmahan port 80 is down due to healthcheck
0 days 1:7:32 notification L4 server 206.163.128.131 front-01-800mcmahan port 110 is up
0 days 1:7:32 notification L4 server 206.163.128.131 front-01-800mcmahan port 110 is down due to healthcheck
0 days 1:7:31 notification L4 server 206.163.128.131 front-01-800mcmahan port 80 is up
0 days 1:7:31 notification L4 server 206.163.128.131 front-01-800mcmahan port 80 is down due to healthcheck

  The server itself hasn't really seen any interruptions in service.
I can connect directly to it over and over without trouble. The logs
actually look similar for all of the hosts on the ServerIron, it's not
limited to a single host. All of the hosts are directly connected to
the ServerIron.

  I see the same behavior under both of the following images:

Compressed Pri Code size = 1724176, Version 07.3.06T12
Compressed Sec Code size = 1873161, Version 07.1.21T12 (SLB07121.bin)

  If I disable the L4 health checks, it seems to decide to not do the
L7 checks. The status remains "active" seemingly no matter what I do,
(shut down apache, etc.) until I shut down the server at which time it
changes to "enabled". (I assume because of the failure of the L3
check.) I'd really like to use the L4 checks anyway. It's just that
this "flapping" is causing all kinds of problems with the GSLB stuff.

  We're using the GSLB for a backup/failover "we're working on it" error
page and to avoid "cannot connect" errors with smtp, pop3, etc. But
with the L4 checks failing, we're seeing people ending up on the backup,
despite the primary being fully accessible, etc. I suspect they get the
backup when the L4 checks on the primary fail simultaneously for both
the SLB machines.

TYIA!

Cheers,

~Ethan B.
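[Added example, not part of Ethan's post or of any Foundry tooling: a Python script that pairs the "down due to healthcheck" and "up" entries in log lines of the form shown in the post and reports ports that recover within a few seconds, which separates health-check flapping from a real outage. The log lines are copied from the post; the function names, the 5-second threshold and the assumption that the log is listed newest-first are mine.]

```python
import re
from collections import defaultdict

# Log lines copied from the post; the device lists the newest entry first.
SAMPLE_LOG = """\
0 days 1:7:52 notification L4 server 206.163.128.131 front-01-800mcmahan port 110 is up
0 days 1:7:52 notification L4 server 206.163.128.131 front-01-800mcmahan port 110 is down due to healthcheck
0 days 1:7:46 notification L4 server 206.163.128.131 front-01-800mcmahan port 80 is up
0 days 1:7:46 notification L4 server 206.163.128.131 front-01-800mcmahan port 80 is down due to healthcheck
0 days 1:7:32 notification L4 server 206.163.128.131 front-01-800mcmahan port 110 is up
0 days 1:7:32 notification L4 server 206.163.128.131 front-01-800mcmahan port 110 is down due to healthcheck
0 days 1:7:31 notification L4 server 206.163.128.131 front-01-800mcmahan port 80 is up
0 days 1:7:31 notification L4 server 206.163.128.131 front-01-800mcmahan port 80 is down due to healthcheck
"""

LINE_RE = re.compile(
    r"^(\d+) days (\d+):(\d+):(\d+) notification L4 server (\S+) (\S+) "
    r"port (\d+) is (up|down)(?: due to (\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    days, hours, minutes, seconds = (int(g) for g in m.group(1, 2, 3, 4))
    return {
        # Timestamps are device uptime, so convert to seconds since boot.
        "uptime": ((days * 24 + hours) * 60 + minutes) * 60 + seconds,
        "ip": m.group(5),
        "name": m.group(6),
        "port": int(m.group(7)),
        "state": m.group(8),
        "reason": m.group(9),
    }


def find_flaps(log_text, max_outage=5):
    """Pair each 'down' with the next 'up' on the same server and port.

    Returns the pairs whose outage lasted at most max_outage seconds
    (an assumed threshold): the port came back too fast for a real failure.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Assumption: newest-first listing. Reversing (not sorting) keeps the
    # down-before-up order of entries that share the same second.
    events.reverse()
    pending = {}  # (ip, port) -> uptime of the still unmatched 'down'
    flaps = []
    for ev in events:
        key = (ev["ip"], ev["port"])
        if ev["state"] == "down":
            pending[key] = ev["uptime"]
        elif key in pending:
            down_at = pending.pop(key)
            outage = ev["uptime"] - down_at
            if outage <= max_outage:
                flaps.append({
                    "name": ev["name"], "ip": ev["ip"], "port": ev["port"],
                    "down_at": down_at, "outage": outage,
                })
    return flaps


def summarize(flaps):
    """Per (name, port): flap count and seconds between consecutive flaps."""
    times = defaultdict(list)
    for f in flaps:
        times[(f["name"], f["port"])].append(f["down_at"])
    return {
        key: {"count": len(t), "intervals": [b - a for a, b in zip(t, t[1:])]}
        for key, t in times.items()
    }


if __name__ == "__main__":
    for key, info in sorted(summarize(find_flaps(SAMPLE_LOG)).items()):
        print(key, info)
```

[On the sample, all four outages last 0 seconds, and the flaps recur 15 seconds apart on port 80 and 20 seconds apart on port 110.]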
--
--------------------------
Ethan Burnside
Kattare Internet Services
http://www.kattare.com
--------------------------

Quoting Brent Van Dussen :

> You'll need to keep the serveriron and the customers webservers in the same
> L2 domain. If the webservers and the serveriron are all part of the same
> customer installation I don't see why it has to be separated out into VLAN's.
>
> DSR will do everything else that you need it to, just remember that you'll
> have to configure Loopbacks on each of the real servers.
>
> If the real servers are in a different subnet than the serveriron you can
> use the source-ip or just put both subnets on the upstream L3 device and
> the serveriron will route health checks up to the router and back down to
> the real servers.
>
> -Brent
>
>
> At 10:36 AM 1/22/2003, Clifton Royston wrote:
> >   I am trying to configure a particular load-balancing+failover setup
> >for a web customer who will be colo'ed with us, and am wondering if
> >there is a way to do this. I've got 2 original ServerIrons and one
> >ServerIron XL, I'm planning to put this onto the XL.
> >
> >   I would like the configuration to have the following properties:
> >
> >1) The ServerIron can determine when any of the real servers is down
> >   (i.e. failover works correctly)
> >
> >2) The customer web servers do not have to be physically connected
> >   "through" the ServerIron.
> >
> >3) The original source IP address of the connection is preserved (they
> >   need that for their logging and analysis.)
> >
> >4) Preferably, the customer servers are in their own address block and
> >   VLAN (Ethernet broadcast domain.)
> >
> >   Is there any way to get all of these at one time?
> >
> >   I know I can achieve 1, 3, and 4 by physically routing their
> >connection through a ServerIron port dedicated to their VLAN; that's
> >close to our standard configuration so I'm not showing that here.
> >That's my fallback solution, but I'd like to be able to do this without
> >dedicating a port.
> >
> >   I think I could achieve 2, 3, and 4 by defining the servers as
> >"remote" instead of "real" and configuring DSR, but the documentation
> >seems to imply that the ServerIrons can't automatically detect a failed
> >server in that case.
> >
> >   I know I can achieve the combination of properties 1, 2, and 4 by
> >configuring a tagged VLAN on the main Ethernet link to our main switch
> >and configuring their servers with source NAT like this; this rewrites
> >the source IP, but routes everything correctly, distributes load
> >fairly, detects failed servers, and keeps them in their own VLAN:
> >
> >server source-ip xx.yy.zz.14 255.255.255.240 xx.yy.zz.1
> >real server their-server-1 xx.yy.zz.2
> > source-nat
> > port http
> > port http url "HEAD /"
> >real server their-server-2 xx.yy.zz.3
> > source-nat
> > port http
> > port http url "HEAD /"
> >server virtual virtual-85 ww.vv.uu.tt
> > sym-priority 100
> > port http
> > bind http their-server-1 their-server-2
> >
> >   Is there any way to get all of what I want - failover detection, not
> >dedicating a port to put the servers "behind" the ServerIron, source IP
> >preserved, and keeping them in their own VLAN?
> >
> >   Thanks in advance for any help.
> >   -- Clifton
> >
> >--
> >   Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net
> >
> >  "If you ride fast enough, the Specialist can't catch you."
> >  "What's the Specialist?" Samantha says.
> >  "The Specialist wears a hat," says the babysitter. "The hat makes noises."
> >  She doesn't say anything else.
> >                        Kelly Link, _The Specialist's Hat_

From burnside@kattare.com Thu Jun 12 01:04:15 2003
Date: Wed, 11 Jun 2003 22:03:12 -0700
From: Ethan Burnside
To: "Bulger, Tim"
cc: foundry-nsp@puck.nether.net
Subject: RE: [f-nsp] Bouncing L4 Health Checks
Message-ID: <1055394192.3ee80990cdd7e@www.kattare.com>
References: <4EE2F983A19E9D4DAD0CDBC8C914ADD802A3BAAC@eahq-mb3.rws.ad.ea.com>
In-Reply-To: <4EE2F983A19E9D4DAD0CDBC8C914ADD802A3BAAC@eahq-mb3.rws.ad.ea.com>

Tim,

  You mean on the servers? Or on the serveriron? I haven't had any
troubles using ssh/pop/http/ftp/etc connecting directly (by IP) to any
of the 4 servers. We're seeing the same behavior on all 4 of them in
the primary datacenter, and on the other two in the backup datacenter,
so I don't think it could be dupe IP's on the servers.

  I should have mentioned that we're seeing the same behavior on both
of the serveriron's, the one at our primary datacenter and the one at
our secondary datacenter.

  The machines themselves have a variety of NIC's, mostly nforce,
intel, and 3com. They're all linux servers, but are running a couple
of different kernel versions. (2.4.18 and 2.4.20 I believe.)

  Before we had the GSLB setup we didn't really care much about it
because the load balancing still worked ok. (even if it was flapping a
little more than it should.) But now with the GSLB setup, it's sending
out fail-over DNS responses and causing clients to see errors that
really shouldn't be happening. Not much fun.

  Appreciate the response though!

Cheers,

~Ethan B.

--
--------------------------
Ethan Burnside - Founder
Kattare Internet Services
http://www.kattare.com
--------------------------

Quoting "Bulger, Tim" :

> You don't have some kind of duplicate IP address problem, do you?
> > > Kelly Link, _The Specialist's Hat_
> > >_______________________________________________
> > >foundry-nsp mailing list
> > >foundry-nsp@puck.nether.net
> > >http://puck.nether.net/mailman/listinfo/foundry-nsp

From george@shorelink.com Thu Jun 12 03:13:34 2003
Received: from someone claiming to be phat.nether.net puck.NOSPAM (phat.nether.net [204.212.45.10]) by puck.nether.net (8.12.9/8.12.6) with ESMTP id h5C7DQll004514 for ; Thu, 12 Jun 2003 03:13:33 -0400
Received: from someone claiming to be leftcoast.thebackrow.net PhAT.NOSPAM (mail@client6.fre.communitycolo.net [216.218.240.155]) by phat.nether.net (8.12.8/8.11.2) with ESMTP id h5C73Abv012586 for ; Thu, 12 Jun 2003 07:03:11 GMT
Received: from george (helo=localhost) Internet Mail Service 5.5.2653.13) ; Thu, 12 Jun 2003 00:04:16 -0700
Date: Thu, 12 Jun 2003 00:04:16 -0700 (PDT)
From: George Bonser
X-X-Sender: george@leftcoast.thebackrow.net
To: Ethan Burnside
Subject: Re: [f-nsp] Bouncing L4 Health Checks
In-Reply-To: <1055392155.3ee8019bd2b7b@www.kattare.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: foundry-nsp@puck.nether.net
X-BeenThere: foundry-nsp@puck.nether.net
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: a list for people that use foundry in a service provider environment
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 12 Jun 2003 07:14:21 -0000

I have seen this problem when the default document doesn't exist and one
or more of the servers in the farm is set to not allow display of the index.
Take a browser and try to hit the ip address default doc like this:

http:///

and if you get a "forbidden", that might be the cause of the problem.

In your gslb setup, you might try:

telnet@hostname#conf ter
telnet@hostname(config)#gslb dns zone
telnet@hostname(config)#host-info http status-code 200 500

and see if that clears your problem.

What that does is tell the healthcheck to consider any response for the
default document that is equal to or greater than 200 and less than or
equal to 500 as OK. I might not RUN with that for long but if that clears
the problem, it might tell you that you have one server that is configured
slightly differently and is clobbering the healthcheck from time to time.

On Wed, 11 Jun 2003, Ethan Burnside wrote:

> Greetings,
>
> I've been using a ServerIron XL for SLB and GSLB and have been
> seeing the health checks bounce up and down for quite some time now,
> similar to the following:
>
> 0 days 1:7:52 notification L4 server 206.163.128.131 front-01-800mcmahan port 110 is up
> 0 days 1:7:52 notification L4 server 206.163.128.131 front-01-800mcmahan port 110 is down due to healthcheck
> 0 days 1:7:46 notification L4 server 206.163.128.131 front-01-800mcmahan port 80 is up
> 0 days 1:7:46 notification L4 server 206.163.128.131 front-01-800mcmahan port 80 is down due to healthcheck
> 0 days 1:7:32 notification L4 server 206.163.128.131 front-01-800mcmahan port 110 is up
> 0 days 1:7:32 notification L4 server 206.163.128.131 front-01-800mcmahan port 110 is down due to healthcheck
> 0 days 1:7:31 notification L4 server 206.163.128.131 front-01-800mcmahan port 80 is up
> 0 days 1:7:31 notification L4 server 206.163.128.131 front-01-800mcmahan port 80 is down due to healthcheck
>
> The server itself hasn't really seen any interruptions in service.
> I can connect directly to it over and over without trouble. The logs
> actually look similar for all of the hosts on the ServerIron, it's not
> limited to a single host. All of the hosts are directly connected to
> the ServerIron.
>
> I see the same behavior under both of the following images:
>
> Compressed Pri Code size = 1724176, Version 07.3.06T12
> Compressed Sec Code size = 1873161, Version 07.1.21T12 (SLB07121.bin)
>
> If I disable the L4 health checks, it seems to decide to not do the
> L7 checks. The status remains "active" seemingly no matter what I do,
> (shut down apache, etc.) until I shut down the server at which time it
> changes to "enabled". (I assume because of the failure of the L3
> check.) I'd really like to use the L4 checks anyway. It's just that
> this "flapping" is causing all kinds of problems with the GSLB stuff.
> We're using the GSLB for a backup/failover "we're working on it" error
> page and to avoid "cannot connect" errors with smtp, pop3, etc. But
> with the L4 checks failing, we're seeing people ending up on the backup,
> despite the primary being fully accessible, etc. I suspect they get the
> backup when the L4 checks on the primary fail simultaneously for both
> the SLB machines.
>
> TYIA!
>
> Cheers,
>
> ~Ethan B.
>
>
> --
> --------------------------
> Ethan Burnside
> Kattare Internet Services
> http://www.kattare.com
> --------------------------
>
>
>
> Quoting Brent Van Dussen :
>
> > You'll need to keep the serveriron and the customer's webservers in the same
> > L2 domain. If the webservers and the serveriron are all part of the same
> > customer installation I don't see why it has to be separated out into VLANs.
> >
> > DSR will do everything else that you need it to, just remember that you'll
> > have to configure Loopbacks on each of the real servers.
> >
> > If the real servers are in a different subnet than the serveriron you can
> > use the source-ip or just put both subnets on the upstream L3 device and
> > the serveriron will route health checks up to the router and back down to
> > the real servers.
> >
> > -Brent
> >
> >
> > At 10:36 AM 1/22/2003, Clifton Royston wrote:
> > > I am trying to configure a particular load-balancing+failover setup
> > >for a web customer who will be colo'ed with us, and am wondering if
> > >there is a way to do this. I've got 2 original ServerIrons and one
> > >ServerIron XL, I'm planning to put this onto the XL.
> > >
> > > I would like the configuration to have the following properties:
> > >
> > >1) The ServerIron can determine when any of the real servers is down
> > > (i.e. failover works correctly)
> > >
> > >2) The customer web servers do not have to be physically connected
> > > "through" the ServerIron.
> > >
> > >3) The original source IP address of the connection is preserved (they
> > > need that for their logging and analysis.)
> > >
> > >4) Preferably, the customer servers are in their own address block and
> > > VLAN (Ethernet broadcast domain.)
> > >
> > > Is there any way to get all of these at one time?
> > >
> > > I know I can achieve 1, 3, and 4 by physically routing their
> > >connection through a ServerIron port dedicated to their VLAN; that's
> > >close to our standard configuration so I'm not showing that here.
> > >That's my fallback solution, but I'd like to be able to do this without
> > >dedicating a port.
> > >
> > > I think I could achieve 2, 3, and 4 by defining the servers as
> > >"remote" instead of "real" and configuring DSR, but the documentation
> > >seems to imply that the ServerIrons can't automatically detect a failed
> > >server in that case.
> > >
> > > I know I can achieve the combination of properties 1, 2, and 4 by
> > >configuring a tagged VLAN on the main Ethernet link to our main switch
> > >and configuring their servers with source NAT like this; this rewrites
> > >the source IP, but routes everything correctly, distributes load
> > >fairly, detects failed servers, and keeps them in their own VLAN:
> > >
> > >server source-ip xx.yy.zz.14 255.255.255.240 xx.yy.zz.1
> > >real server their-server-1 xx.yy.zz.2
> > > source-nat
> > > port http
> > > port http url "HEAD /"
> > >real server their-server-2 xx.yy.zz.3
> > > source-nat
> > > port http
> > > port http url "HEAD /"
> > >server virtual virtual-85 ww.vv.uu.tt
> > > sym-priority 100
> > > port http
> > > bind http their-server-1 their-server-2
> > >
> > > Is there any way to get all of what I want - failover detection, not
> > >dedicating a port to put the servers "behind" the ServerIron, source IP
> > >preserved, and keeping them in their own VLAN?
> > >
> > > Thanks in advance for any help.
> > > -- Clifton
> > >
> > >--
> > > Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net
> > >
> > > "If you ride fast enough, the Specialist can't catch you."
> > > "What's the Specialist?" Samantha says.
> > > "The Specialist wears a hat," says the babysitter. "The hat makes noises."
> > > She doesn't say anything else.
> > > Kelly Link, _The Specialist's Hat_
> > >_______________________________________________
> > >foundry-nsp mailing list
> > >foundry-nsp@puck.nether.net
> > >http://puck.nether.net/mailman/listinfo/foundry-nsp

From vandusb@attens.com Thu Jun 12 13:43:51 2003
Received: from someone claiming to be staff.cerf.net p