[f-nsp] ServerIron XL not translating SLB response addresses?

Brent Van Dussen vandusb at attens.com
Wed Jan 28 18:32:28 EST 2004


Try putting

'server router-ports 1' (or whatever port connects to the internet where 
client requests will be coming from)

-Brent


At 03:21 PM 1/28/2004, Clifton Royston wrote:
>   I recently picked up a ServerIron XL and put it onto a new network
>I'm setting up, and then plugged in and configured a number of real
>servers behind it and set up some virtual servers on it.
>
>   When I try to connect to the virtual servers, it appears I'm seeing
>quite different behavior in terms of packet rewriting than I see on my
>other ServerIrons, which are essentially identically configured in what
>I thought were the relevant respects.  Even though I have not
>configured DSR, the responses from the real servers are not having
>their source IP address rewritten as I think they should.
>
>   The old ServerIrons and ServerIron XLs are running 7.1.21 or 7.1.08
>(really old!) and the problem ServerIron XL was initially running
>7.3.00, but I also booted it into 7.1.17 (from the secondary) and still
>see the same behavior.
>
>   Here's a config excerpt (names and addresses altered):
>
>ver 07.3.00T12
>no global-stp
>!
>!
>!
>!
>server real real01 10.11.12.49
>  port default disable
>  port smtp
>  port ssl
>  port http
>  port http url "HEAD /"
>!
>server real real02 10.11.12.50
>  port default disable
>  port http
>  port http url "HEAD /"
>  port ssl
>  port smtp
>!
>...
>server virtual virtual01 10.11.12.12
>  sym-priority 100
>  port default disable
>  port smtp
>  bind smtp real02 smtp real01 smtp
>!
>...
>
>!
>!
>enable telnet password .....
>enable super-user-password .....
>enable port-config-password .....
>enable read-only-password .....
>hostname newxl
>ip address 10.11.12.9 255.255.255.192
>ip default-gateway 10.11.12.1
>...
>
>   As you can see, I've made the configuration as vanilla as possible.
>
>   Here's a tcpdump from a client machine, again with names changed to
>protect the innocent:
>
>[client$ telnet virtual01.example.com smtp]
>
>12:10:07.473353 client.example.net.49607 > virtual01.example.com.smtp:
>S 3339122030:3339122030(0) win 8192 <mss 1460,nop,wscale 
>0,nop,nop,timestamp 114
>6543 0> (DF) [tos 0x10]
>12:10:07.473356 real01.example.com.smtp > client.example.net.49607: S 3937
>812647:3937812647(0) ack 3339122031 win 57344 <mss 1460,nop,wscale 
>0,nop,nop,tim
>estamp 69348795 1146543> (DF)
>12:10:07.473357 client.example.net.49607 > real01.example.com.smtp: R 3339
>122031:3339122031(0) win 0
>12:10:09.183449 client.example.net.49607 > virtual01.example.com.smtp:
>S 3339122030:3339122030(0) win 8192 <mss 1460,nop,wscale 
>0,nop,nop,timestamp 114
>6546 0> (DF) [tos 0x10]
>12:10:09.183450 real01.example.com.smtp > client.example.net.49607: S 4170
>5827:41705827(0) ack 3339122031 win 57344 <mss 1460,nop,wscale 
>0,nop,nop,timesta
>mp 69350505 1146546> (DF)
>12:10:09.183451 client.example.net.49607 > real01.example.com.smtp: R 3339
>122031:3339122031(0) win 0
>12:10:13.183649 client.example.net.49607 > virtual01.example.com.smtp:
>S 3339122030:3339122030(0) win 8192 <mss 1460,nop,wscale 
>0,nop,nop,timestamp 114
>6554 0> (DF) [tos 0x10]
>12:10:13.183658 real02.example.com.smtp > client.example.net.49607: S 5
>17189916:517189916(0) ack 3339122031 win 57344 <mss 1460,nop,wscale 
>0,nop,nop,ti
>mestamp 71049339 1146554> (DF)
>12:10:13.183659 client.example.net.49607 > real02.example.com.smtp: R 3
>339122031:3339122031(0) win 0
>12:10:21.184049 client.example.net.49607 > virtual01.example.com.smtp:
>S 3339122030:3339122030(0) win 8192 <mss 1460,nop,wscale 
>0,nop,nop,timestamp 114
>6570 0> (DF) [tos 0x10]
>12:10:21.184051 real02.example.com.smtp > client.example.net.49607: S 2
>177638732:2177638732(0) ack 3339122031 win 57344 <mss 1460,nop,wscale 
>0,nop,nop,
>timestamp 71057341 1146570> (DF)
>12:10:21.184052 client.example.net.49607 > real02.example.com.smtp: R 3
>339122031:3339122031(0) win 0
>  [etc.]
>
>   You can see that the real server responses are not getting rewritten,
>as if I'd specifically enabled DSR, but it's not enabled.  In fact, the
>valid responses from the real server indicate that the initial
>destination IP and MAC addresses are rewritten correctly by the
>ServerIron to reach the real server.  The ethernet interfaces of the
>real01 and real02 servers are physically plugged in directly to the
>ServerIron, so there should be no possibility of their responses taking
>an alternate path which does not pass through it for the standard SLB
>address translation.  The problem occurs when connecting from clients
>both within and outside the ServerIron and servers' subnets, both
>directly connected to it and "upstream" of it as in this example.
>
>   I'm baffled.  I've reread all the docs in the last couple days, and
>those I have seem to say that it should absolutely be rewriting the
>source IP address on these responses, as my past experience showed.  Am
>I missing something obvious here?  My last resort is to enable the
>virtual IP addresses on a loopback, explicitly turn on DSR, and hope
>that works, but I am concerned that I've set up a network with a
>critical piece of equipment which is behaving completely differently
>from what the docs say and how I always thought it should work.
>
>   Guru advice welcomed.
>   -- Clifton
>
>--
>           Clifton Royston  --  cliftonr at tikitechnologies.com
>          Tiki Technologies Lead Programmer/Software Architect
>Did you ever fly a kite in bed?  Did you ever walk with ten cats on your head?
>   Did you ever milk this kind of cow?  Well we can do it.  We know how.
>If you never did, you should.  These things are fun, and fun is good.
>                                                                  -- Dr. Seuss
>_______________________________________________
>foundry-nsp mailing list
>foundry-nsp at puck.nether.net
>http://puck.nether.net/mailman/listinfo/foundry-nsp




More information about the foundry-nsp mailing list