[f-nsp] [ServerIronXL] accessing VIP from real server

Mike Allen mkallen at gmail.com
Mon Jan 22 14:58:44 EST 2007


Yeah, from what you are describing, the problem is not the config.  In your
case, what is happening is the real servers are responding back to each
other directly.  To better illustrate, here is a quick packet walkthrough.

Original packet for flow setup
SourceIP (SIP)=RealServer1
DestIP (DIP)=VIP

SI gets this, and changes to
SIP=RealServer1
DIP=RealServer2

RealServer2 gets this, and responds appropriately, since it's on the same
vlan/L2 domain:
SIP=RealServer2
DIP=RealServer1

If you have an L2 switch path that bypasses the ServerIron, it never sees
this packet to do the reverse translation.  This in turn gets dropped by
RealServer1, since it is expecting a reply from the VIP IP, not RS2.  Your
options are to use DSR, Source-nat, or attach directly to the SI (or somehow
ensure the SI is in both incoming and return path for traffic.)  One other
option (though a little more complicated) is to use NAT for the real
servers.

Mike




On 1/22/07, Ryan DeBerry <rdeberry at gmail.com> wrote:
>
> What is the vlan configuration like?  You only have one VE?
>
> On 1/22/07, news.gmane.org <matthew.kirkland at uk.clara.net> wrote:
> >
> > Hello
> >
> > I am having an issue with a load balancer config whereby the real
> > servers (smtp servers) cannot access the VIP that they are part of.
> >
> > The servers are able to ping the VIP but any connections to port 25 are
> > timed out.
> >
> > The load balancer is running ip forwarding, with the VIP range and real
> > server range on the same VE.
> >
> > Enabling "server source-nat" resolves this, but makes all the
> > connections on the servers appear to come from the load balancer alone.
> >
> > I need the real servers to be able to contact the VIP without
> > translation taking place.
> >
> > Does anyone know a solution to this problem?
> >
> > Thanks
> > Matthew Kirkland
> > Claranet Network Engineering
> >
> > _______________________________________________
> > foundry-nsp mailing list
> > foundry-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/foundry-nsp
> >
>
>
>
>
>
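
The packet walkthrough in the message above, as an added example that is not part of the original thread: a minimal Python model of the flow with and without source NAT, and with the load balancer forced into the return path. The addresses, class and function names are constructed for illustration, ports are omitted, and this models only the address translation, not the ServerIron's implementation.

```python
from dataclasses import dataclass

# Constructed addresses (documentation range), not taken from the thread.
VIP, LB_IP = "192.0.2.100", "192.0.2.1"
RS1, RS2 = "192.0.2.11", "192.0.2.12"

@dataclass(frozen=True)
class Packet:
    sip: str  # source IP
    dip: str  # destination IP

class LoadBalancer:
    """Hypothetical model of the translation for one flow."""
    def __init__(self, source_nat):
        self.source_nat = source_nat
        self.sessions = {}  # (real server, source it saw) -> original client

    def forward(self, pkt, real):
        # Destination NAT: VIP -> chosen real server.
        # With source NAT the source is also rewritten to the LB's own address.
        sip = LB_IP if self.source_nat else pkt.sip
        self.sessions[(real, sip)] = pkt.sip
        return Packet(sip, real)

    def reverse(self, pkt):
        # Reverse translation: the reply leaves with SIP=VIP, DIP=original client.
        return Packet(VIP, self.sessions[(pkt.sip, pkt.dip)])

def simulate(source_nat, l2_bypass=True):
    lb = LoadBalancer(source_nat)
    syn = Packet(RS1, VIP)
    expected_peer = syn.dip            # RS1 only accepts a reply from the VIP
    to_server = lb.forward(syn, RS2)
    reply = Packet(to_server.dip, to_server.sip)  # RS2 answers the source it saw
    # On a shared L2 domain a reply addressed to RS1 is switched straight to RS1.
    # It only crosses the LB if it is addressed to the LB or the LB is in the path.
    if reply.dip == LB_IP or not l2_bypass:
        reply = lb.reverse(reply)
    accepted = reply.sip == expected_peer and reply.dip == RS1
    return {"seen_by_rs2": to_server.sip, "reply_sip": reply.sip, "accepted": accepted}

if __name__ == "__main__":
    for nat, bypass in [(False, True), (True, True), (False, False)]:
        print(f"source_nat={nat} l2_bypass={bypass} ->", simulate(nat, bypass))
```

The `seen_by_rs2` field shows the trade-off raised in the original question: with source NAT the connection is accepted, but the real server logs the load balancer's address as the client.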