Todd,
A flow that hits a filter (including any/any allow) will force an entry
in the switch's session table.
Therefore in the first instance I would retry the outbound NAT
connection and then check you have a corresponding entry in the session
table:
/i/slb/sess/du
Hope that helps,
Regards,
Richard
-----Original Message-----
From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net] On Behalf Of
Todd Underwood
Sent: 01 April 2005 22:26
To: lb-l@vegan.net
Subject: Re: [load balancing] alteon 180e outbound NAT
thanks v. much for the help so far.
i just can't seem to get this.
maybe if i understood what *exactly* the filters and proxy did i would
be able to figure it out. it would also help to be able to do
troubleshooting on the alteon. do the filters log anything if they
fire? what happens to packets that get blocked? is there any way to
figure this stuff out? :-)
> To stop the switch using the proxy address when sending requests to
> the web servers you need to disable proxy on the real server
> /c/sl/real <x>/proxy dis
so this works well. thanks.
> As VMA is disabled the PIP address needs to be on the port where the
> servers are connected, in your case port 1.
i'm planning to re-enable VMA. i just did it for now to simplify the
switch config.
> /c/slb/port 1/
> pip 195.160.235.240
> proxy ena
this just doesn't work and i can't figure out why. inbound traffic is
fabulous now. outbound is just not working.
current config is:
/c/ip/if 1
ena
addr 192.168.11.1
/c/ip/if 2
ena
addr 195.160.236.4
/c/ip/gw 1
ena
addr 195.160.236.1
/c/slb
on
/c/slb/real 1
ena
rip 192.168.11.15
name delaware
proxy dis
/c/slb/real 2
ena
rip 192.168.11.16
proxy dis
name ohio
/c/slb/real 3
ena
rip 192.168.11.17
proxy dis
name potomac
/c/slb/group 1
add 1
add 2
/c/slb/port 1
client ena
server ena
proxy ena
pip 195.160.235.241
/c/slb/port 2
client ena
server ena
proxy ena
pip 195.160.235.242
/c/slb/port 3
pip 195.160.235.243
/c/slb/port 4
pip 195.160.235.244
/c/slb/port 5
pip 195.160.235.245
/c/slb/port 6
pip 195.160.235.246
/c/slb/port 7
pip 195.160.235.247
/c/slb/port 8
pip 195.160.235.248
/c/slb/port 9
pip 195.160.235.249
/c/slb/virt 1
ena
vip 195.160.236.21
/c/slb/virt 1/service http
group 1
rport 8080
/c/slb/filt 5
ena
action allow
sip 192.168.11.0
smask 255.255.255.0
dip 192.168.11.0
dmask 255.255.255.0
/c/slb/filt 6
ena
action nat
sip 192.168.11.0
smask 255.255.255.0
dip 195.150.236.0
dmask 255.255.255.0
nat source
/c/slb/filt 7
ena
action allow
/c/slb/port 1
filt ena
add 5-7
/c/slb/port 2
filt ena
add 5-7
proxy ena
any thoughts would be gratefully reviewed.
--
todd underwood
director of operations & security
renesys - interdomain intelligence
todd@renesys.com www.renesys.com
____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
Archive: http://vegan.net/lb/archive
LBDigest: http://lbdigest.com
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com
Received on Mon Apr 4 10:07:42 2005
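A way to check offline which filter a given flow would hit, as an added example that is not part of the original thread. It parses the filter stanzas posted above and assumes that filters are tried in ascending number with the first match winning, and that an omitted address or mask matches anything; the function names are hypothetical.

```python
import ipaddress

# Filter stanzas copied from the configuration posted in the thread.
CONFIG = """\
/c/slb/filt 5
ena
action allow
sip 192.168.11.0
smask 255.255.255.0
dip 192.168.11.0
dmask 255.255.255.0
/c/slb/filt 6
ena
action nat
sip 192.168.11.0
smask 255.255.255.0
dip 195.150.236.0
dmask 255.255.255.0
nat source
/c/slb/filt 7
ena
action allow
"""

def parse_filters(text):
    """Return {filter_number: {keyword: value}} for each /c/slb/filt stanza."""
    filters, current = {}, None
    for words in map(str.split, text.splitlines()):
        if not words:
            continue
        if words[0].startswith("/c/"):
            is_filt = words[0] == "/c/slb/filt" and len(words) == 2
            current = filters.setdefault(int(words[1]), {}) if is_filt else None
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return filters

def network(f, addr_key, mask_key):
    # Assumption: an omitted address/mask means "any" (0.0.0.0/0.0.0.0).
    return ipaddress.ip_network(f"{f.get(addr_key, '0.0.0.0')}/{f.get(mask_key, '0.0.0.0')}")

def first_match(filters, src, dst):
    """Assumption: filters are tried in ascending number; the first match wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num in sorted(filters):
        f = filters[num]
        if "ena" in f and src in network(f, "sip", "smask") and dst in network(f, "dip", "dmask"):
            return num, f.get("action")
    return None
```

Calling `first_match(parse_filters(CONFIG), src, dst)` with a real server address as `src` and the destination of the failing outbound connection as `dst` shows which filter number, and therefore which action, that flow lands on under these assumptions.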
This archive was generated by hypermail 2.1.8 : Mon Apr 04 2005 - 10:29:24 EDT