[f-nsp] [ServerIronXL] accessing VIP from real server
Nils Domrose
nils at domrose.net
Mon Jan 22 15:07:11 EST 2007
Yes, I think NAT will be the only option if you think about the self
via VIP requesting use case.

Org. Packet
SIP=RealServer1
DIP=VIP

SI gets this, and changes to
SIP=RealServer1
DIP=RealServer1

Your packet will never be sent out the NIC in this case since the
destination is a local address.

Nils

On Jan 22, 2007, at 8:58 PM, Mike Allen wrote:
> Yeah, from what you are describing, the problem is not the config.
> In your case, what is happening is the real servers are responding
> back to each other directly. To better illustrate, here is a quick
> packet walkthru.
>
> Original packet for flow setup
> SourceIP (SIP)=RealServer1
> DestIP (DIP)=VIP
>
> SI gets this, and changes to
> SIP=RealServer1
> DIP=RealServer2
>
> RealServer2 gets this, and responds appropriately, since it's on the
> same vlan/L2 domain:
> SIP=RealServer2
> DIP=RealServer1
>
> If you have a L2 switch path that bypasses the ServerIron, it never
> sees this packet to do the reverse translation. This in turn gets
> dropped by RealServer1, since it is expecting a reply from the VIP
> ip, not RS2. Your options are to use DSR, Source-nat, or attach
> directly to the SI (or somehow ensure the SI is in both incoming
> and return path for traffic.) One other option (though a little
> more complicated) is to use NAT for the real servers.
>
> Mike
>
> On 1/22/07, Ryan DeBerry <rdeberry at gmail.com> wrote:
> What is the vlan configuration like? You only have one VE?
>
>
> On 1/22/07, news.gmane.org < matthew.kirkland at uk.clara.net> wrote:
> Hello
>
> I am having an issue with a load balancer config whereby the real
> servers (smtp servers) cannot access the VIP that they are part of.
>
> The servers are able to ping the VIP but any connections to port 25
> are timed out.
>
> The load balancer is running ip forwarding, with the VIP range and
> real server range on the same VE.
>
> Enabling "server source-nat" resolves this, but makes all the
> connections on the servers appear to come from the load balancer
> alone.
>
> I need the real servers to be able to contact the VIP without
> translation taking place.
>
> Does anyone know a solution to this problem?
>
> Thanks
> Matthew Kirkland
> Claranet Network Engineering
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
>
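
The packet walkthroughs in this thread, modelled as an added example that is not part of the original messages and is not ServerIron code. The addresses and the `simulate` function are assumptions made for illustration; the model follows one request to the VIP and reports whether the requesting real server accepts the reply.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "sip dip")
Result = namedtuple("Result", "accepted server_saw client_got")

# Constructed addresses for the model; none of them come from the thread.
VIP, SI, RS1, RS2 = "192.0.2.100", "192.0.2.1", "192.0.2.11", "192.0.2.12"

def simulate(client, chosen_real, source_nat, si_in_return_path=False):
    """Follow one request to the VIP and its reply (hypothetical model)."""
    request = Pkt(client, VIP)
    # Forward translation on the load balancer: DIP VIP -> chosen real server.
    # With source NAT the SIP is also rewritten to the load balancer's address.
    forwarded = Pkt(SI if source_nat else request.sip, chosen_real)
    # The real server answers whatever source address it saw.
    reply = Pkt(chosen_real, forwarded.sip)
    # The reply crosses the load balancer only if it is addressed to it, or if
    # the load balancer sits in the return path. A reply to the server's own
    # address is delivered locally and never leaves the NIC.
    via_si = reply.dip == SI or (si_in_return_path and reply.dip != reply.sip)
    if via_si:
        reply = Pkt(VIP, client)  # reverse translation restores VIP as source
    # The connection was opened to the VIP, so only VIP-sourced replies match.
    return Result(reply.sip == VIP, forwarded.sip, reply)

def report():
    """Run the cases discussed in the thread and return printable lines."""
    cases = [
        ("RS1 -> VIP -> RS2, no NAT, L2 bypass", (RS1, RS2, False, False)),
        ("RS1 -> VIP -> RS1, no NAT, SI in path", (RS1, RS1, False, True)),
        ("RS1 -> VIP -> RS2, no NAT, SI in path", (RS1, RS2, False, True)),
        ("RS1 -> VIP -> RS2, source NAT", (RS1, RS2, True, False)),
        ("RS1 -> VIP -> RS1, source NAT", (RS1, RS1, True, False)),
    ]
    lines = []
    for name, args in cases:
        r = simulate(*args)
        verdict = "accepted" if r.accepted else "dropped"
        lines.append(f"{name}: server saw SIP={r.server_saw}, "
                     f"client got SIP={r.client_got.sip} -> {verdict}")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```
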