[f-nsp] SI GT - SLB with Router Image?

Paul Raj Khangure foundry-nsp at digitaljunkie.net
Mon Jul 10 22:04:17 EDT 2006


On Mon, Jul 10, 2006 at 11:33:49AM -0400, Ryan DeBerry wrote:

> What is your real servers' default route?

They default route via 10.200.41.254.

I don't see how that could be the problem though, given a tcpdump on the
real server shows that the syn isn't being received.

prk.

> On 7/10/06, Paul Raj Khangure <foundry-nsp at digitaljunkie.net> wrote:
> >
> >G'day all,
> >
> >I'm trying to get a SI GT with the router image on it to function as an
> >SLB.
> >
> >The router image is due to needing the "advertise-vip-route" command
> >(it advertises the VIP IP via dynamic routing protocol if health checks
> >have the VIP as up) which isn't available on the switching image.
> >
> >I'd prefer the SLB to work in DSR mode, but I currently can't get the
> >SLB function working at all in any mode with the router image!
> >
> >The SLB can see the real server, it's doing health checks (to the
> >dummy address on the SMT Port), and marking the real as active. It then
> >advertises the Virtual via OSPF, as desired. I can telnet to the real
> >server on port 25 from the SLB and it responds with the SMTP prompts.
> >
> >I can ping the Virtual IP fine from externally when it's advertised via
> >OSPF, but if I try and telnet to the virtual IP on the SMTP port, I don't
> >see anything at all in a tcpdump on the real server.
> >
> >The stats on the SLB don't show any connection attempts to that real
> >either:
> >
> >telnet at ica-grafton-slb1#sh serv real mail1
> >Real Servers Info
> >========================
> >State(St) - ACT:active, ENB:enabled, FAL:failed, TST:test, DIS:disabled,
> >            UNK:unknown, UNB:unbind, AWU:await-unbind, AWD:await-delete
> >
> >Name: mail1                  State: Active       Cost: 0  IP:10.200.41.1:
> >1
> >Mac: 0014.5e31.59e6          Weight: 0                  MaxConn: 1000000
> >SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
> >tcp conn rate:udp conn rate = 0:0, max tcp conn rate:max udp conn rate =
> >0:0
> >
> >Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
> >----    --  -- ------- -------    -------   -------   --------   --------   ----
> >default UNB 0  0       0          0         0         0          0          0
> >smtp    ACT 0  0       0          0         0         0          0          0
> >
> >Server  Total  0       0          0         0         0          0          0
> >
> >telnet at ica-grafton-slb1#
> >
> >From a linux box well outside the network, I can ping the VIP:
> >
> >--- 203.x.y.x ping statistics ---
> >3 packets transmitted, 3 packets received, 0% packet loss
> >round-trip min/avg/max = 127.9/147.2/167.7 ms
> >
> >But a telnet reports no route to host:
> >
> >> telnet 203.x.y.x 25
> >Trying 203.x.y.z...
> >telnet: Unable to connect to remote host: No route to host
> >>
> >
> >From the next hop from the SLB (where the route is being advertised via
> >OSPF) I can again ping the device:
> >
> >#ping 203.x.y.z
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 203.x.y.z, timeout is 2 seconds:
> >!!!!!
> >Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
> >#
> >
> >But again, can't telnet on the SMTP port:
> >
> >#telnet 203.x.y.z 25
> >Trying 203.x.y.z, 25 ...
> >% Connection timed out; remote host not responding
> >
> >#
> >
> >Again, no change to the stats for mail1 - it's not showing the
> >connection attempt, and the server itself sees nothing via tcpdump.
> >
> >The route is definitely there and learned by OSPF though:
> >
> >#sh ip route 203.x.y.z
> >Routing entry for 203.x.y.z/32
> >  Known via "ospf 253", distance 110, metric 10, type extern 2, forward
> >metric 10
> >  Last update from 10.200.253.250 on Vlan253, 03:00:48 ago
> >  Routing Descriptor Blocks:
> >  * 10.200.253.250, from 10.200.40.250, 03:00:48 ago, via Vlan253
> >      Route metric is 10, traffic share count is 1
> >
> >#
> >
> >I've tried various combinations of source nat, dest nat, and dsr without
> >any avail.
> >
> >I've tried removing the advertisement via OSPF and statically routing the
> >Virtual IP via 10.200.253.250 or 10.200.254.15 with no luck.
> >
> >I've also tried removing the ve41 interface, and changing vlan 41 to:
> >
> >vlan 41 name Untrusted2 by port
> >tagged ethe 3/1
> >ip-subnet 10.200.41.0 255.255.255.0
> >!
> >
> >With no avail (health checks no longer work if I don't have the ve41 on
> >the 10.200.41.0/24 subnet).
> >
> >I also notice that in the router image, I don't have the "server
> >source-ip" command available which I would normally use with the above
> >ip-subnet configuration.
> >
> >It's as if it's not making it to the SLB layer at all.
> >
> >Any help with this would be greatly appreciated as I'm running out of
> >hair.
> >
> >Version and config included below.
> >
> >Cheers,
> >
> >prk.
> >
> >
> >Version:
> >
> >#sh ver
> >  SW: Version 09.3.00aTD4 Copyright (c) 1996-2003 Foundry Networks, Inc.
> >      Compiled on Apr 25 2005 at 21:02:19 labeled as WXR09300a
> >  HW: ServerIronGT E-1 Router, SYSIF version 21, Serial #: Non-exist
> >==========================================================================
> >SL 1: B0GMR WSM2 Management Module, SYSIF 2, M6, ACTIVE
> >      Serial #:   CHxxxxxxxx
> >    0 MB SHM, 1 Application Processors
> >16384 KB BRAM, SMC version 5, BM version 21
> >  SW: (1)09.3.00aTF2
> >==========================================================================
> >SL 3: J-B2404CF JetCore Slave Module, SYSIF 2 (Mini GBIC)
> >      Serial #:   CXxxxxxxxx
> >4096 KB BRAM, JetCore ASIC IPC+IGC version 49, BIA version 8a
> >32768 KB PRAM and 2M-Bit*1 CAM for IPC  8, version 1848
> >32768 KB PRAM and 2M-Bit*1 CAM for IGC  9, version 0449
> >==========================================================================
> >Active management module:
> >  1.0 GHz Power PC processor 750GX (version 7002/0101) 66 MHz bus
> >  512 KB boot flash memory
> >16384 KB code flash memory
> >  512 KB SRAM
> >  512 MB DRAM
> >The system uptime is 6 hours 29 minutes 29 seconds
> >The system : started=warm start   reloaded=by "reload"
> >
> >
> >Config:
> >
> >!
> >ver 09.3.00aTD4
> >!
> >module 1 bi-0-port-wsm2-management-module
> >module 3 bi-jc-2404-slave-module
> >!
> >global-stp
> >global-protocol-vlan
> >!
> >!
> >!
> >!
> >!
> >!
> >!
> >server ping-interval 5
> >server predictor response-time
> >server syn-limit 2000
> >server sticky-age 15
> >server tcp-age 2
> >server udp-age 2
> >!
> >server port 25
> >tcp keepalive 60 2
> >server icmp-message
> >server reset-message
> >server router-ports ethernet 3/1
> >!
> >!
> >!
> >!
> >server real mail1 10.200.41.1
> >port smtp
> >port smtp clear-all-seesion-on-port-up
> >port smtp keepalive
> >!
> >server virtual mail-backend 203.x.y.z
> >predictor least-conn
> >advertise-vip-route
> >port smtp
> >port smtp dsr
> >port smtp reset-on-port-fail
> >bind smtp mail1 smtp
> >!
> >!
> >vlan 1 name DEFAULT-VLAN by port
> >!
> >vlan 254 name Admin by port
> >tagged ethe 3/1
> >router-interface ve 254
> >!
> >vlan 41 name Untrusted2 by port
> >tagged ethe 3/1
> >router-interface ve 41
> >!
> >vlan 253 name External_SLB by port
> >tagged ethe 3/1
> >router-interface ve 253
> >!
> >hostname blah
> >ip dns domain-name blah.com
> >ip dns server-address 1.2.3.4
> >ip route 0.0.0.0 0.0.0.0 10.200.254.254
> >!
> >logging buffered 200
> >!
> >router ospf
> >area 253
> >redistribution static
> >log adjacency
> >!
> >interface ethernet 3/1
> >port-name uplink
> >!
> >interface ve 41
> >ip address 10.200.41.250 255.255.255.0
> >!
> >interface ve 253
> >ip address 10.200.253.250 255.255.255.0
> >ip ospf area 253
> >!
> >interface ve 254
> >ip address 10.200.254.15 255.255.255.0
> >!
> >!
> >end
> >
> >_______________________________________________
> >foundry-nsp mailing list
> >foundry-nsp at puck.nether.net
> >http://puck.nether.net/mailman/listinfo/foundry-nsp
> >


