[f-nsp] Foundry ServerIron - source-nat

Gaurav Sabharwal gaurav at inwire.net
Thu Nov 1 16:24:51 EDT 2007


on 11/01/2007 08:14 PM Raja Subramanian said the following:
> On 11/1/07, Gaurav Sabharwal <gaurav at inwire.net> wrote:
>> We have a ServerIron XL Load Balancer on which we do SLB for mysql and
>> http. We have source-nat enabled. In order to get the client IP address
>> in the log file for statistics, etc. I wanted to disable the source-nat
>> for one particular VIP comprising two real servers.
>>
>> After disabling the source-nat from the real servers, the traffic to the
>> real server stops. Below is the relevant configuration.
> 
> Return traffic from your server needs to flow back through the SI.
> source-nat ensures that this happens.  If you disable source-nat, you
> need to:
> 
> 1. set the SI as your real server's gateway, or
> 2. put the SI physically inline between the real server and its gateway
>     eg. connect the real-server directly to the SI port
The eth1 port on the LB is connected to the uplink switch (layer3) and 
the eth2 port is connected to the inside switch. The real servers 
connect to the inside switch as well. The default router for all the 
servers and the LB is the router that is connected via the eth1 port. No 
VRRP involved.

> 
> Couple of things to test:
> Run tcpdump/ethereal on your real server and check if TCP SYN packets
> reach your real server.  And also check where the return traffic from your
> server is headed, it should not bypass your SI.
When we disable source-nat for the real servers, no traffic hits the 
real server at all. I tried to "debug ip tcp IP.Add.of.Server" on the SI 
but can't seem to get any debug messages on the screen. debug console is 
enabled.

>> #sh ver
>>  SW: Version 07.3.05T12 Copyright (c) 1996-2002 Foundry Networks, Inc.
>>      Compiled on Jul 18 2002 at 17:20:18 labeled as SLB07305
> 
> Your firmware is very old, consider upgrading to 9.x.  Or 10.x if you're
> feeling brave.
I know. Not that brave for the time being. I might open a ticket with 
the data center where the LB is hosted and ask them to do the upgrade.
> 
> - Raja
> 