Re: [load balancing] Alteon SLB communication between VIPs

From: Jason J. W. Williams <jasonjwwilliams [izzat] gmail.com>
Date: Fri Feb 03 2006 - 12:22:26 EST

Hi Erich,

   The Proxy IP will fix the issue if the web server and app server RIPs are
on the same subnet. Basically, if they're on the same subnet the packet flow
is going to do this:

Source: 1.2.3.4 (Server 1 IP)
Dest: 1.2.4.4 (Alteon VIP)

The Alteon is going to rewrite it like this:

Source: 1.2.3.4 (Server 1 IP)
Dest: 1.2.3.5 (Server 2 IP)

So when Server 2 goes to reply it's going to reply to 1.2.3.4 which won't
work, 'cause the packet will go directly back to Server 1 (who isn't
expecting it from Server 2). Now if the requester was on the Internet-side
of the Alteon this works just fine, because it HAS to go back through the
Alteon to get where it's going (and the Alteon can rewrite it at that point).

With a Proxy IP set it looks like this:

Source: 1.2.3.4 (Server 1 IP)
Dest: 1.2.4.4 (Alteon VIP)

Alteon rewrite:

Source: 1.2.3.2 (Alteon PIP)
Dest: 1.2.3.5 (Server 2 IP)

So when Server 2 replies to this packet it's guaranteed to go back to the
Alteon. The main problems we've had with Proxy IPs are that they make your
access logs/IP-based security pretty useless (i.e. everything comes from the
Alteon PIP), and doing client/server on the same Alteon port as well as
using a Proxy IP seems to cause packet loss/seepage sometimes. Others have
more experience at this than me, and might tell you different.

But from my understanding the web and app servers in your case are hung off
the Alteon on different subnets...which means you don't need PIPs. We've got
the same issue you do (RIPs need to talk to other VIPs on the same Alteon),
and the way it works for us is we have client processing enabled on the port
that talks to the Internet, server processing enabled on the web server
port, and both client AND server processing enabled on our app server
subnet.

It almost sounds like you don't have client and server processing enabled on
your app server subnet. Could you post a config? Hope this is useful.

Best Regards,
Jason

On 2/3/06, Erich Pletsch <erich@uvnet.net> wrote:
>
> Client processing is enabled for the ports that the RIPs are on.
>
> What is a Proxy IP? I haven't used that before. Might that help with
> this problem?
>
> Thanks!
>
>
> Jason J. W. Williams wrote:
>
> > Hi Erich,
> >
> > Have you turned client processing on for the port that the web
> > server RIPs are hanging off of?
> >
> > Also, you can't put your web server and app server RIPs on the same
> > subnet with two different VIPs (if you want the web server RIPs to be
> > able to talk to the app server VIP) unless you use Proxy IPs. Even so
> > that rarely works really well.
> >
> > Best Regards,
> > Jason
> >
> > On 2/2/06, Erich Pletsch <erich@uvnet.net> wrote:
> >
> > If someone has already posted this question, please forgive my
> > inability to find it in the archive.
> >
> > I have an Alteon AD3 (an older load balancer, but it's really been a
> > good piece of equipment).
> >
> > In the past all of the traffic has come in from the Internet to a
> > pair of web servers that are load balanced. That was simple enough to
> > configure. They then talked to a single app server which talked to a
> > single database server as follows:
> >
> >
> > Request -> Alteon -> www1 -> App Server -> DB Server
> >                      www2
> >
> > The Alteon had a VIP to represent the two web servers (VIP =
> > 192.168.2.5, RIP=192.168.3.2, RIP=192.168.3.3). The DB Server and APP
> > server were on the same subnet as the VIP. Everything worked fine.
> >
> > So, now I'm trying to add redundancy into the app server. I
> > purchased a second app server and configured port 2 on the Alteon.
> > Here's the new concept:
> >
> > Request -> Alteon -> www1 -> App Server 1 -> DB Server
> >                      www2    App Server2
> >
> > The Alteon has a VIP to represent the two web servers (VIP =
> > 192.168.2.5, RIP=192.168.3.2, RIP=192.168.3.3) (group 1).
> > The Alteon has a VIP to represent the two app servers (VIP =
> > 192.168.2.6, RIP=192.168.4.2, RIP=192.168.4.3) (group 2).
> >
> > I moved the app servers onto their own subnet to try to keep them
> > from attempting to short circuit the load balancer and talk directly
> > back to the app server. However, I have the same problem described
> > below if they're on the same subnet.
> >
> > Now, from outside the Alteon I can talk through the Alteon via the
> > VIP to either cluster and they respond correctly.
> >
> > The problem is that I can't seem to get them to talk to each other
> > through the Alteon via the VIPs - which is necessary in order to make
> > this work. If I try to ping the VIP of group 2 from either member of
> > group 1, I get timeouts. However, I can ping either of the real
> > IPs and get replies. And, I can have group 1 talk directly to either
> > of the group 2 servers individually via their RIPs.
> >
> > Same if I try the same procedure from group 1 to group 2.
> >
> > It's like the Alteon doesn't have a route back to the servers or
> > something.
> >
> > So, my question is, how do I get the Alteon to enable
> > communication from one group to another group on the same switch
> > via RIPs?
> >
> > Has anyone had this problem before?
> >
> > Thanks in advance,
> >
> > Erich
> >
> > ____________________
> > The Load Balancing Mailing List
> > Unsubscribe: mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
> > Archive: http://vegan.net/lb/archive
> > LBDigest: http://lbdigest.com
> > MRTG with SLB: http://vegan.net/MRTG
> > Hosted by: http://www.tokkisystems.com
> >
> >
>
>

Received on Fri Feb 3 14:39:31 2006

This archive was generated by hypermail 2.1.8 : Thu Feb 09 2006 - 06:39:53 EST
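
Added example (not part of the original thread): a small Python model of the packet flows Jason describes, using the thread's addresses, showing when Server 2's reply bypasses the Alteon and what the real server ends up logging. The /24 masks, the assumption that off-subnet replies route back through the Alteon, and the client 198.51.100.7 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def alteon_forward(pkt, vip, rip, pip=None):
    """Client-to-VIP rewrite: destination becomes the RIP; with a proxy IP
    configured the source becomes the PIP as well."""
    if pkt.dst != vip:
        raise ValueError("packet is not addressed to the VIP")
    return Packet(src=pip or pkt.src, dst=rip)

def trace(client, vip, rip, pip=None, prefix=24):
    """Follow one request and its reply through the model."""
    seen = alteon_forward(Packet(client, vip), vip, rip, pip)
    reply = Packet(src=rip, dst=seen.src)
    server_net = ipaddress.ip_interface(f"{rip}/{prefix}").network
    # A reply to an on-link address is delivered directly; only a reply to
    # the PIP, or one routed off-subnet (assumed: via the Alteon), gets the
    # reverse rewrite.
    on_link = ipaddress.ip_address(reply.dst) in server_net
    via_alteon = reply.dst == pip or not on_link
    if via_alteon:
        reply = Packet(src=vip, dst=client)
    return {
        "server_logs_source": seen.src,
        "reply_via_alteon": via_alteon,
        "client_sees_source": reply.src,
        # The client opened its connection to the VIP, so a reply that
        # arrives from the RIP matches nothing and is dropped.
        "client_accepts": reply.src == vip and reply.dst == client,
    }

def logged_sources(clients, vip, rip, pip=None):
    """Distinct source addresses the real server would record."""
    return {trace(c, vip, rip, pip)["server_logs_source"] for c in clients}

if __name__ == "__main__":
    VIP, RIP, PIP = "1.2.4.4", "1.2.3.5", "1.2.3.2"
    cases = [("same subnet, no PIP", "1.2.3.4", None),
             ("same subnet, PIP", "1.2.3.4", PIP),
             ("Internet-side client, no PIP", "198.51.100.7", None)]
    for label, client, pip in cases:
        print(label, trace(client, VIP, RIP, pip))
    print(logged_sources(["1.2.3.4", "198.51.100.7"], VIP, RIP, PIP))
```

With the PIP set, logged_sources collapses every client to 1.2.3.2, which is the access-log and IP-based-security cost mentioned in the message.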