RE: [load balancing] Problem when enable DAM in 180e

From: andres abersaturi <segarcas [izzat] yahoo.es>
Date: Mon Apr 03 2006 - 04:39:03 EDT

Hi Peter,

The config is:

/c/slb/port 6
        client ena
        server ena

/c/slb/filt 171
        name "Dmp01->Any"
        ena
        action nat
        sip 192.168.5.220
        smask 255.255.255.255
        dip 172.17.8.137
        dmask 255.255.255.255
        proto tcp
        nat source
/c/slb/filt 171/adv
        proxy dis

/c/slb/filt 173
        name "SAP01->Any"
        ena
        action nat
        sip 192.168.5.219
        smask 255.255.255.255
        dip 172.17.8.135
        dmask 255.255.255.255
        proto tcp
        nat source
/c/slb/filt 173/adv
        proxy dis

/c/slb/filt 175
        name "SAP02->Any"
        ena
        action nat
        sip 192.168.5.212
        smask 255.255.255.255
        dip 172.17.8.136
        dmask 255.255.255.255
        proto tcp
        nat source
/c/slb/filt 175/adv
        proxy dis

/c/slb/filt 177
        name "Wbp01-PRE->Any"
        ena
        action nat
        sip 192.168.5.209
        smask 255.255.255.255
        dip 172.17.8.138
        dmask 255.255.255.255
        proto tcp
        nat source
/c/slb/filt 177/adv
        proxy dis

/c/slb/filt 179
        name "Wbp02-PRE->Any"
        ena
        action nat
        sip 192.168.5.211
        smask 255.255.255.255
        dip 172.17.8.139
        dmask 255.255.255.255
        proto tcp
        nat source
/c/slb/filt 179/adv
        proxy dis

/c/slb/filt 203
        name "BDPrePro01->Any"
        ena
        action nat
        sip 192.168.5.217
        smask 255.255.255.255
        dip 172.17.8.133
        dmask 255.255.255.255
        proto tcp
        nat source
/c/slb/filt 203/adv
        proxy dis

/c/slb/filt 205
        name "BDPrePro02->Any"
        ena
        action nat
        sip 192.168.5.218
        smask 255.255.255.255
        dip 172.17.8.134
        dmask 255.255.255.255
        proto tcp
        nat source
/c/slb/filt 205/adv
        proxy dis

/c/slb/filt 223
        ena
        action allow

/c/slb/port 6
        filt ena
        add 171
        add 173
        add 175
        add 177
        add 179
        add 203
        add 205
        add 223

Then, regarding your email, how does the Alteon process the
health check? In server processing?

Or does the server only look in the session table for sessions
mounted by clients?

I want to understand why the Alteon does NAT on health
checks.

On the other hand, after doing NAT, would it route this packet?
If the dip is the Alteon's own IP address, what does it do
with this packet? Is it sent to the default gateway?

Regards,
Sergio.

--- Peter Degrassi <degrassi@layer227.com> wrote:

> Processing order is PIP, Server, Filter then Client
> when VMA (/cfg/slb/adv/matrix en) is enabled. This
> is the default setting. This is true regardless of
> the DAM setting.
>
> The processing order you describe below only occurs
> when VMA is disabled and DAM is enabled.
>
> The static NAT filter below will NAT the source
> address (192.168.5.209) to 172.17.8.138. You may
> need to add an allow filter BEFORE the NAT filter
> with a DIP = switch IP so the health checks are not
> NATed. It would be best if you posted your entire
> configuration to be sure.
>
> -----Original Message-----
> From: owner-lb-l@vegan.net
> [mailto:owner-lb-l@vegan.net] On Behalf Of andres abersaturi
> Sent: Friday, March 31, 2006 6:06 AM
> To: lb-l@vegan.net
> Subject: RE: [load balancing] Problem when enable DAM in 180e
>
>
> Hi all again,
>
> We have managed to resolve the problem.
>
> With DAM the process is filter-server-client as I
> read in this forum.
>
> Then, when the packet arrives at the alteon from the
> server, the alteon applies the filter and does nat on
> this packet. After this, the alteon does server processing,
> but as it doesn't have this session (other source ip
> after doing nat), the alteon sends the packet to the
> default gateway (I read this in this forum too).
>
> We have disabled nat for these servers and everything started
> to work ok.
>
> Thanks for your help.
>
> --- andres abersaturi <segarcas@yahoo.es> wrote:
>
> >
> > Thanks for your reply.
> >
> > I can give more data on the problem.
> >
> > I am starting to understand the problem. We had already configured VSR in
> > two alteons, but the problem continued.
> >
> > We have done more captures and we have found the following:
> > With DAM enabled the packet sequence in the health check is:
> >
> > Alteon 1 starts health check:
> > LB01(sync)-----WBP01
> > WBP01(sync, ack)------LB01
> >
> > Alteon 1 doesn't send out any reply by the server port and alteon 2 sends
> > this packet by the server port.
> >
> > And LB02
> > LB01(rst)-----WBP01
> >
> > I think that the problem is in the filters. With DAM, filters are first in
> > the process, aren't they?
> >
> > And we have this filter in server port:
> >
> > /c/slb/filt 177
> > name "Wbp01-PRE->Any"
> > ena
> > action nat
> > sip 192.168.5.209 (server web)
> > smask 255.255.255.255
> > dip 172.17.8.138
> > dmask 255.255.255.255
> > proto tcp
> > nat source
> > /c/slb/filt 177/adv
> > proxy dis
> >
> > I have to ask what 172.17.8.138 is and why this is necessary.
> >
> > How can we keep filters and enable DAM? How is it usually configured?
> >
> > Regards and thanks for your help.
> >
> > --- Peter Degrassi <degrassi@layer227.com> wrote:
> >
> > > Health checks are sourced from the Alteon IP interface that is local
> > > to the real servers. So you shouldn't see the "other alteon" mac in the
> > > RST. Are you sure you are looking at the same TCP session?
> > >
> > > BTW, I do see a problem if you are running the Alteons in high
> > > availability with VRRP. Your VIPs do not have Virtual Router MAC
> > > addresses (VRMACs).
> > >
> > > This means you haven't configured virtual routers with the same IPs
> > > as your VIPs, ie Virtual Server Routers. This will result in both
> > > Alteons responding to ARP requests for the VIP (ie duplicate
> > > IP addresses on your network). Only the master Alteon will respond
> > > to ARP requests when VSRs are configured. Also, when using DAM
> > > ensure that you have disabled sharing on all your virtual routers.
> > >
> > > If you haven't already, you should also configure virtual routers
> > > that will be the default gateways for your real servers, Virtual
> > > Interface Routers.
> > > Disable sharing on these as well.
> > >
> > > This VRRP misconfiguration could be causing your health check
> > > failures depending on topology, sharing
> > > and where server processing is taking place.
> > >
> > > Peter
> > >
> > > -----Original Message-----
> > > From: owner-lb-l@vegan.net
> > > [mailto:owner-lb-l@vegan.net] On Behalf Of andres abersaturi
> > > Sent: Thursday, March 30, 2006 6:23 AM
> > > To: lb-l@vegan.net
> > > Subject: RE: [load balancing] Problem when enable DAM in 180e
> > >
> > >
> > >
> > > Hi again,
> > >
> > > We have continued testing and we have found the following:
> > >
> > > When we enable DAM in the alteon, the health check from the
> > > alteon has the following problem:
> > >
> > > ALTEON sends SYN. (mac source physical alteon)
> > > Server answers with SYN/ACK (mac dst physical alteon)
> > > ALTEON answers with RST (mac source is changed at this point. It doesn't
> > > go out with the physical alteon's mac. It goes out with another mac (mac
> > > of the other alteon).
> > >
> > > I think that this has to be a bug, but I would like
> > > someone to give some advice.
> > >
> > > Thanks.
> > > --- andres abersaturi <segarcas@yahoo.es> wrote:
> > >
> > > > Hi all,
> > > >
> > > > We have a problem with the DAM. Version is 10.0.30
> > > >
> > > > We want to activate DAM because we are going to use the same service to
> > > > one real server in different virtuals.
> > > >
> > > > Before activating DAM we have all services up:
> > > >
> > > > 60: 172.17.8.129, 00:60:cf:4a:bb:8e
> > > > virtual ports:
> > > > https: rport https, group 62, SSLCPD-HTTPS-GROUP,
>
=== message truncated ===
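
Added example (not part of the original thread, and not Alteon code): a small Python model of the filter ordering discussed above, showing which filter a health-check reply from 192.168.5.209 to the switch hits, with and without the allow filter Peter suggests. It assumes filters are evaluated in ascending numeric order with the first match winning, and that a static "nat source" filter selects on sip only; the switch IP 192.168.5.1 and filter number 170 are constructed placeholders.

```python
import ipaddress
import re
SWITCH_IP = "192.168.5.1"  # constructed; the page never gives the switch IP
# Filters 177 and 223 as posted (name and /adv lines omitted).
POSTED = """
/c/slb/filt 177
        ena
        action nat
        sip 192.168.5.209
        smask 255.255.255.255
        dip 172.17.8.138
        dmask 255.255.255.255
        proto tcp
        nat source
/c/slb/filt 223
        ena
        action allow
"""
# Hypothetical filter 170: the allow rule Peter suggests, numbered below 177.
ALLOW_170 = f"/c/slb/filt 170\n ena\n action allow\n dip {SWITCH_IP}\n dmask 255.255.255.255\n"

def parse_filters(text):
    """Return {filter number: {keyword: value}} for each /c/slb/filt stanza."""
    filters, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"/c/slb/filt (\d+)", line)
        if m:
            cur = filters.setdefault(int(m.group(1)), {})
        elif line.startswith("/"):
            cur = None  # some other menu, e.g. .../adv or /c/slb/port
        elif line and cur is not None:
            key, _, val = line.partition(" ")
            cur[key] = val
    return filters

def in_net(ip, addr, mask):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def first_match(filters, src, dst):
    """Lowest-numbered enabled filter that matches a TCP packet: (number, action)."""
    for num in sorted(filters):
        f = filters[num]
        # Assumption (from Peter's reply): static NAT selects on sip; dip is the new source.
        static_nat = f.get("action") == "nat" and f.get("nat") == "source"
        src_ok = "sip" not in f or in_net(src, f["sip"], f["smask"])
        dst_ok = static_nat or "dip" not in f or in_net(dst, f["dip"], f["dmask"])
        if "ena" in f and src_ok and dst_ok:
            return num, f["action"]
    return None, None
```

With only the posted filters, the server's reply to the switch lands on NAT filter 177; with filter 170 in front it is allowed untouched, while the same server's traffic to any other destination still reaches 177.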

                
Received on Mon Apr 3 04:39:05 2006
