[f-nsp] Outbound NAT problem

David Miller dmiller at metheus.org
Tue Jan 31 15:02:21 EST 2012


All;

I have a ServerIron 4G SSL with Version 10.2.01oTI4 on it.  Other than very infrequently dropping the ability to ssh to it, it's been extremely reliable.

Yesterday something really weird happened to it.  I have a group of web servers (apache/php) the SI load balances amongst.  Each has to establish a tcp connection to an external service to process a certain type of request. Each of the web servers could only make this connection intermittently.

Other hosts on the same network had no problem, even if they used the same outbound NAT rule.

The thing that gives me the willies is that a reboot seems to have 'fixed' it - the whole group could make outbound connections anywhere after the reboot, something that makes me wonder if I should even bother looking at the config.

I'm looking for advice from the experienced pros here.  Should I:

1) immediately upgrade to the current firmware
2) ignore it, it's never going to happen again
3) replace the hardware
4) move to new load balancers

.... or something else?  They were expensive and have been very stable, I'd like to not get too drastic.


TIA,

--- David


The config looks like this:

ip nat inside source list 199 pool default_pool overload
ip nat pool default_pool 6.a.b.c.8 a.b.c.8 netmask 255.255.255.255
ip nat pool default_pool port-pool-range 2

[...]

access-list 199 deny ip any 192.168.140.0 0.0.0.255
access-list 199 permit ip host 192.168.12.11 any
access-list 199 permit ip host 192.168.12.12 any
(etc, a bunch more use this outgoing address)

server vip-group 1
ip-nat-pool default_pool
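A toy model, added here and not part of the original post or of any ServerIron code, of how an "overload" (PAT) rule with a small port pool can start refusing new connections from hosts that all talk to one external service while a host using the same rule toward a different destination is unaffected, and why clearing the translation table (a reboot) makes the symptom vanish. The per-destination port-reuse rule, the 8-port pool, the idle timeout and all addresses are assumptions constructed for illustration.

```python
class PatTable:
    """Toy PAT table: one translation per flow; a public port only has to be
    unique per destination endpoint (hypothetical rule, not the SI's logic)."""

    def __init__(self, public_ips, port_low, port_high, idle_timeout):
        self.public_ips = list(public_ips)
        self.ports = range(port_low, port_high + 1)   # stand-in for port-pool-range
        self.idle_timeout = idle_timeout
        # (src_ip, src_port, dst_ip, dst_port) -> [pub_ip, pub_port, last_seen]
        self.table = {}

    def expire(self, now):
        # Age out idle translations; a "stuck" table never frees its ports.
        for flow in [f for f, m in self.table.items() if now - m[2] > self.idle_timeout]:
            del self.table[flow]

    def translate(self, flow, now):
        """Return (pub_ip, pub_port) for flow, or None if no free port toward that destination."""
        self.expire(now)
        if flow in self.table:
            self.table[flow][2] = now
            return tuple(self.table[flow][:2])
        dst = flow[2:]
        busy = {(m[0], m[1]) for f, m in self.table.items() if f[2:] == dst}
        for pub_ip in self.public_ips:
            for port in self.ports:
                if (pub_ip, port) not in busy:
                    self.table[flow] = [pub_ip, port, now]
                    return (pub_ip, port)
        return None   # pool exhausted for this destination: the TCP connect fails


def simulate(idle_timeout, web_conns=12):
    """Two web servers keep opening short connections to ONE service; another
    host connects elsewhere now and then. Returns (web_failures, other_failures)."""
    nat = PatTable(["a.b.c.8"], 1024, 1031, idle_timeout)   # constructed 8-port pool
    web_failures = other_failures = 0
    now = 0
    for i in range(web_conns):
        now += 1
        src = ("192.168.12.11", "192.168.12.12")[i % 2]
        if nat.translate((src, 40000 + i, "203.0.113.10", 443), now) is None:
            web_failures += 1
        if i % 4 == 0 and nat.translate(("192.168.12.50", 50000 + i, "198.51.100.20", 443), now) is None:
            other_failures += 1
    return web_failures, other_failures
```

With a sane idle timeout `simulate(2)` yields no failures; with translations that never age out, `simulate(1000)` shows the web group failing once its per-destination ports are used up while the other host is fine, which is the pattern worth checking in the translation table before deciding between a firmware upgrade and hardware replacement.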