[f-nsp] [ServerIronXL] accessing VIP from real server

Nils Domrose nils at domrose.net
Mon Jan 22 15:07:11 EST 2007


Yes, I think NAT will be the only option if you think about the self
via VIP requesting use case.

Org. Packet
SIP=RealServer1
DIP=VIP

SI gets this, and changes to
SIP=RealServer1
DIP=RealServer1

Your packet will never be sent out the NIC in this case since the
destination is a local address.



Nils
On Jan 22, 2007, at 8:58 PM, Mike Allen wrote:

> Yeah, from what you are describing, the problem is not the config.   
> In your case, what is happening is the real servers are responding  
> back to each other directly.  To better illustrate, here is a quick  
> packet walkthru.
>
> Original packet for flow setup
> SourceIP (SIP)=RealServer1
> DestIP (DIP)=VIP
>
> SI gets this, and changes to
> SIP=RealServer1
> DIP=RealServer2
>
> RealServer2 gets this, and responds appropriately, since it's on the
> same vlan/L2 domain:
> SIP=RealServer2
> DIP=RealServer1
>
> If you have a L2 switch path that bypasses the ServerIron, it never  
> sees this packet to do the reverse translation.  This in turn gets  
> dropped by RealServer1, since it is expecting a reply from the VIP  
> ip, not RS2.  Your options are to use DSR, Source-nat, or attach  
> directly to the SI (or somehow ensure the SI is in both incoming  
> and return path for traffic.)   One other option (though a little  
> more complicated) is to use NAT for the real servers.
>
> Mike
>
>
>
>
> On 1/22/07, Ryan DeBerry <rdeberry at gmail.com> wrote:
> What is the vlan configuration like?  You only have one VE?
>
>
> On 1/22/07, news.gmane.org < matthew.kirkland at uk.clara.net> wrote:
> Hello
>
> I am having an issue with a load balancer config whereby the real
> servers (smtp servers) cannot access the VIP that they are part of.
>
> The servers are able to ping the VIP but any connections to port 25
> are timed out.
>
> The load balancer is running ip forwarding, with the VIP range and
> real server range on the same VE.
>
> Enabling "server source-nat" resolves this, but makes all the
> connections on the servers appear to come from the load balancer
> alone.
>
> I need the real servers to be able to contact the VIP without
> translation taking place.
>
> Does anyone know a solution to this problem?
>
> Thanks
> Matthew Kirkland
> Claranet Network Engineering
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
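
The packet walkthroughs in this thread, traced as an added example that is not part of any of the messages: a small Python model of the three cases (real server to VIP landing on another real server, on itself, and either case with source NAT). The addresses, the `flow` function and the simplified reply matching are assumptions made for illustration, with all hosts on one L2 segment and the ServerIron not inline.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "sip dip")

# Constructed sample addresses (documentation range), not taken from the thread.
VIP, SI_IP = "192.0.2.10", "192.0.2.1"
RS1, RS2 = "192.0.2.21", "192.0.2.22"


def flow(client, backend, source_nat=False):
    """Trace one connection from a real server to the VIP.

    Returns (trace, accepted): the packets seen at each hop and whether the
    client's TCP stack would match the reply to its socket toward the VIP.
    """
    trace = [("client->SI", Packet(client, VIP))]
    # SI rewrites the destination to the chosen real server; with source NAT
    # it also rewrites the source to its own address.
    fwd = Packet(SI_IP if source_nat else client, backend)
    trace.append(("SI->backend", fwd))
    # The backend answers whatever source address it saw.
    reply = Packet(backend, fwd.sip)
    if reply.dip == SI_IP:
        # Reply returns through the SI, which reverses both translations.
        trace.append(("backend->SI", reply))
        reply = Packet(VIP, client)
        trace.append(("SI->client", reply))
    elif reply.dip == backend:
        # Self case: destination is a local address, nothing leaves the NIC.
        trace.append(("local delivery", reply))
    else:
        # Same L2 domain: the reply is switched directly, bypassing the SI.
        trace.append(("backend->client direct", reply))
    # The client opened its connection to the VIP, so only a reply sourced
    # from the VIP matches; anything else is dropped.
    accepted = reply.sip == VIP and reply.dip == client
    return trace, accepted


if __name__ == "__main__":
    cases = [(RS1, RS2, False), (RS1, RS1, False), (RS1, RS2, True), (RS1, RS1, True)]
    for client, backend, snat in cases:
        trace, ok = flow(client, backend, snat)
        print(f"backend={backend} source_nat={snat} accepted={ok}")
        for hop, pkt in trace:
            print(f"  {hop:24} SIP={pkt.sip} DIP={pkt.dip}")
```

In the source NAT cases the backend sees `SIP` equal to the ServerIron's address, which is the loss of the original client address that the first post objects to.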
