Doehni,

If your Firewalls are not performing NAT then it is not necessary to use RTS
as the source/destination IP address pair will be the same on either side of
the Firewalls.

This would require a redirect filter at both ends redirecting to the real
servers on the other side of the Firewall. Just need to ensure that FWLB is
enabled on the redirect filter (like in the filter from the config excerpt
you have provided below).

This way you are guaranteeing that the connection will traverse the same
Firewall in both directions as you are no longer reliant on the RTS session
entry being present. Suspect that this has aged out when you see the out of
sync behavior.

Hope that helps?

Regards,
Richard
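
Added example (not part of the original message, and not Alteon code): a small simulation of the point above, that a direction-independent hash over the source/destination IP pair picks the same firewall on both sides only while the pair is unchanged by NAT. The XOR hash is an assumed stand-in for the switch's hash metric, and the addresses are constructed documentation ranges.

```python
import ipaddress

FIREWALLS = ["fw1", "fw2"]  # names of real servers 100 and 101 in the posted group 1

def pick_firewall(ip_a, ip_b, firewalls=FIREWALLS):
    """Direction-independent choice: XOR is commutative, so (a, b) == (b, a).
    Assumed stand-in for the switch's hash metric, not the Alteon algorithm."""
    a = int(ipaddress.ip_address(ip_a))
    b = int(ipaddress.ip_address(ip_b))
    return firewalls[(a ^ b) % len(firewalls)]

def asymmetric_flows(flows, nat_ip=None):
    """Return the flows whose reply would cross a different firewall.

    flows:  iterable of (client_ip, server_ip) pairs.
    nat_ip: if set, models firewalls that source-NAT clients to this address,
            so the clean side sees (nat_ip, server) instead of (client, server).
    """
    broken = []
    for client, server in flows:
        inbound = pick_firewall(client, server)        # dirty-side redirect filter
        seen_client = nat_ip if nat_ip else client
        outbound = pick_firewall(server, seen_client)  # clean-side redirect filter
        if inbound != outbound:
            broken.append((client, server, inbound, outbound))
    return broken

# Constructed sample flows (documentation address ranges, not from the thread).
SAMPLE_FLOWS = [(f"198.51.100.{n}", "192.0.2.10") for n in range(1, 9)]

if __name__ == "__main__":
    # Without NAT every flow returns through the firewall it entered by.
    print("no NAT  :", asymmetric_flows(SAMPLE_FLOWS))
    # With NAT the clean side hashes a different pair, so some replies diverge.
    for row in asymmetric_flows(SAMPLE_FLOWS, nat_ip="192.0.2.1"):
        print("with NAT:", row)
```

Flows reported in the NAT case are the ones that would need a return-to-sender session entry to get back through the right firewall.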
-----Original Message-----
From: Joni Jachniuk [mailto:owner-lb-l@vegan.net] On Behalf Of Joni Jachniuk
Sent: 14 January 2006 16:22
To: lb-l@vegan.net
Subject: RE: [load balancing] fwlb with 2208 issues
did you try to enable
/c/slb/adv/fastag
to 2 or another number?
_____
From: owner-lb-l@vegan.net On Behalf Of jon.hartman@verizon.com
Sent: Fri 1/13/2006 9:39 PM
To: lb-l@vegan.net
Subject: RE: [load balancing] fwlb with 2208 issues
Friend, I'm curious. What sort of traffic are you seeing as out-of-state?
Is it administrative in nature, monitoring traffic, or services you're
providing SLB for? Also are you doing SLB on either of the 2208 pairs
or do you have a third pair of alteons behind the FWLB scenario?
-----Original Message-----
From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net] On Behalf Of
fw@doehni.dyndns.org
Sent: Tuesday, January 10, 2006 4:32 PM
To: lb-l@vegan.net
Subject: [load balancing] fwlb with 2208 issues
hi list,
we got issues concerning alteon fwlb with a firewall load-sandwich 2 x 2208
on dirty and 2 x alteon 2208 (running alteon OS 22.0.3) on clean side.
These alteons balance two netscreen 208 firewalls.
Sometimes we have "out-of-state problems" (inbound traffic across one
firewall and the outbound traffic goes back across another
firewall). We have enabled "hash" in the metric in the groups in the
alteons (clean side/dirty side) but sometimes! an ACK packet was balanced to
the wrong firewall and the session across the fw-sandwich timed out.
Do I have to enable rts on the vrrp link (trunk between the alteons)?
Which other problem could cause this? (There is no NAT between dirty and
clean side)

the fw port:

/c/slb/port 1
        client ena
        rts ena

the vrrp links to the second 2208:

/c/slb/port 9
        client ena
        server ena
        rts ena
/c/slb/port 10
        client ena
        server ena
        rts ena

real/slb config:

/c/slb/real 100
        ena
        rip 10.10.10.1
        name "fw1"
/c/slb/real 101
        ena
        rip 10.10.10.2
        name "fw2"
/c/slb/group 1
        metric hash
        add 100
        add 101
        name "FW"
/c/slb/filt 2000
        ena
        action redir
        group 1
        rport 0
        vlan any
/c/slb/filt 2000/adv
        proxy dis
        fwlb ena

thx
doehni
____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
<mailto:majordomo@vegan.net?body=unsubscribe%20lb-l>
Archive: http://vegan.net/lb/archive <http://vegan.net/lb/archive>
LBDigest: http://lbdigest.com <http://lbdigest.com>
MRTG with SLB: http://vegan.net/MRTG <http://vegan.net/MRTG>
Hosted by: http://www.tokkisystems.com <http://www.tokkisystems.com>
Received on Tue Jan 17 14:02:16 2006
This archive was generated by hypermail 2.1.8 : Wed Jan 25 2006 - 05:09:46 EST