Re: [load balancing] Alteon 184 shows web interface on VIP

From: Oliver <oadam [izzat] madao.de>
Date: Wed Apr 30 2008 - 05:22:04 EDT

I remember a similar issue which got fixed in the past. Check the
release notes of 9.0.45. The WebSwitches did allow access to the
WebUI using a virtual server in case ALL real servers behind the VIP
were down. This is for sure a bug.

Quick question:

Why do you have the following below the real servers:

addport 80
addport 443

This is ONLY necessary in case rport 0 is used below the virtual
service which is not the case in your setup. On top of that I do not
see any client port defined - there are only server ports.

>/c/slb/port 2
> server ena
> hotstan ena
>/c/slb/port 3
> intersw ena
>/c/slb/port 4
> server ena

I would expect to see at least one port with "client ena" which would
be the port client requests are coming in.

The third thing is: there are hot-standby ports but hot-standby is
not enabled. What is the redundancy mechanism you would like to use?
A non-hot-standby setup would require a so called VSR (virtual server
router) on top of the VIP address to ensure there is only ONE master
for the VIP.

R, Oliver

At 14:27 21.04.2008, Jonathan Thorpe wrote:
>Hi All,
>
>I have two Alteon 184s running firmware 10.1.4 running in a HA
>configuration. I understand these devices are approaching EOL, however
>they've provided many years of good service and I need to use them for
>the next few months for a new project.
>
>I have two real servers part of a group and although the load balancers
>(both of them) detect both real servers and virtual servers to be up,
>attempting to access the VIP 111.222.64.21 results in the web interface
>for the LB showing up, asking for a username and password (if I access
>from a PC in the management LAN, otherwise it times out on any other
>external host).
>
>The REAL servers actually virtual machines within a VMWare
>
>I have the following configuration:
>
>1. On each 184, port 2 connects to the client servers something like this:
>
>+-------------+          +-------------+
>|             |          |             |
>|    184-1    +--3-----3-+    184-2    |
>|             |          |             |
>+-------------+          +-------------+
>   |       |                |       |
>   2       4                2       4
>   |       |                |       |
>+-------------+          +-------------+
>|             |          |             |
>|    SW-1     +----------+    SW-2     +-------> To internet (same VLAN as Port 4).
>|             |          |             |
>+-------------+          +-------------+
>   |        |     (Same VLAN as port 2 on 184s)
>+------+ +------+
>|      | |      |
>|REAL-1| |REAL-2|
>|      | |      |
>+------+ +------+
>
>RIP: 111.222.64.22  RIP: 111.222.64.23
>GW:  111.222.64.19  GW:  111.222.64.19
>
>Ports 2 and 4 are in separate VLANs with Port 4's VLANs connecting to a
>firewall which in turn to the Internet and to the clients. Port 2's
>VLANs (2501) connect to the servers.
>
>As I mentioned, the servers are in a HA configuration, however even
>completely isolating the second LB from the network results in a
>failover to the first (I have the second one being the master
>deliberately) and I continue to get the web interface.
>
>Does anyone see anything obvious wrong with my configuration?
>
>---------
>script start "Alteon 184" 4 /**** DO NOT EDIT THIS LINE!
>/* Configuration dump taken 23:16:02 Mon Apr 21, 2008
>/* Version 10.1.4, Base MAC address 00:60:cf:4b:06:60
>/* EQX.2050.1684.U31.SLB.1
>/c/sys
> snmp r
> http ena
> hprompt ena
>/c/sys/mgmt/add 111.222.68.0 255.255.255.0
>/c/sys/user
> admpw "secret"
>/c/snmp
> name "EQX.2050.1684.U31.SLB.1"
>/c/sys/radius
> prisrv 111.222.333.444
> secret "secret"
> port 1812
> on
> telnet enabled
>/c/port 1
> dis
> tag ena
> rmon e
>/c/port 2
> name "DL-2050.1684.U34.DIST-FW.1-P47"
> tag ena
> pvid 1001
> rmon e
>/c/port 3
> name "HA-EQX.2050.1679.U31.SLB.2-P3"
> tag ena
> pvid 2009
> rmon e
> iponly e
>/c/port 4
> name "UL-2050.1684.U34.DIST-FW.1-P45"
> tag ena
> pvid 2010
>/c/port 5
> dis
>/c/port 6
> dis
>/c/port 7
> dis
>/c/port 8
> dis
>/c/port 9
> dis
> tag ena
>/c/vlan 1
> def 1 5 6 7 8 9
>/c/vlan 1001
> ena
> name "SVC-TEST"
> def 2
>/c/vlan 1002
> ena
> name "SVC-TEST-B"
> def 2
>/c/vlan 2007
> ena
> name "INT-FW-SLB.1"
> def 4
>/c/vlan 2008
> ena
> name "INT-FW-SLB.2"
> def 4
>/c/vlan 2009
> ena
> name "INT-SLB.1-SLB.2"
> def 3
>/c/vlan 2010
> name "VLAN 2010"
> def 4
>/c/vlan 2501
> ena
> name "SVC-2217-NMM"
> def 2
>/c/stp 1/off
>/c/stp 1/clear
>/c/stp 1/add 1 1001 1002 2007 2008 2009 2501 2010
>/c/sys/syslog
> host 111.222.68.5
>/c/sys/sshd/on
>/c/ip/ospf/on
>/c/ip/ospf/aindex 0
> ena
> areaid 0.0.0.1
> type transit
> metric 1
> auth password
> spf 10
>/c/ip/ospf/aindex 1
> ena
> areaid 0.0.0.2
> type transit
> metric 2
> auth password
> spf 10
>/c/ip/ospf/if 1
> ena
> aindex 0
> prio 1
> cost 1
> hello 2
> dead 8
> trans 1
> retra 5
> key secret
>/c/ip/ospf/if 2
> ena
> aindex 1
> prio 2
> cost 100
> hello 2
> dead 8
> trans 1
> retra 5
> key secret
>/c/ip/ospf/if 6
> ena
> aindex 1
> prio 2
> cost 100
> hello 2
> dead 8
> trans 1
> retra 5
> key secret
>/c/ip/if 1
> ena
> addr 111.222.68.171
> mask 255.255.255.248
> broad 111.222.68.175
> vlan 2007
>/c/ip/if 2
> ena
> addr 111.222.68.179
> mask 255.255.255.248
> broad 111.222.68.183
> vlan 2008
>/c/ip/if 4
> ena
> addr 111.222.68.205
> mask 255.255.255.248
> broad 111.222.68.207
> vlan 2009
>/c/ip/if 6
> ena
> addr 111.222.64.17
> mask 255.255.255.240
> broad 111.222.64.31
> vlan 2501
>/c/vrrp/on
>/c/vrrp/track
> vrs 2
> ifs 4
> ports 4
> l4pts 4
> reals 2
> hsrp 10
> hsrv 10
>/c/vrrp/vr 3
> ena
> vrid 1
> if 4
> addr 111.222.68.205
> share dis
>/c/vrrp/vr 4
> ena
> vrid 1
> if 6
> addr 111.222.64.19
> share dis
> track
> l4pts e
> reals e
>/c/vrrp/group
> dis
> vrid 1
> if 4
> prio 102
> share dis
> track
> ifs ena
> ports ena
> l4pts ena
> reals dis
> hsrp dis
> hsrv dis
>/c/sys/ntp
> on
> dlight ena
> server 112.223.177.25
> intrval 20
> tzone 10
>/c/slb
> on
>/c/slb/sync
> prios d
> state e
>/c/slb/sync/peer 1
> ena
> addr 111.222.68.206
>/c/slb/real 1
> ena
> rip 111.222.64.22
> name "CSRV2281-SLBRIP1.V2501-2.2217"
> addport 80
> addport 443
>/c/slb/real 2
> ena
> rip 111.222.64.23
> name "CSRV2282-SLBRIP2.V2501-2.2217"
> addport 80
> addport 443
>/c/slb/group 1
> metric roundrobin
> add 1
> add 2
> name "SLBVIP1.V2501-2.2217"
>/c/slb/port 2
> server ena
> hotstan ena
>/c/slb/port 3
> intersw ena
>/c/slb/port 4
> server ena
>/c/slb/virt 1
> ena
> vip 111.222.64.21
>/c/slb/virt 1/service http
> group 1
>/c/slb/virt 1/service https
> group 1
>/c/slb/adv/script 1
> open "80"
> send "GET /probe/ HTTP/1.1\\r\\nHOST:www.slbprobe.slb\\r\\n\\r\\n"
> expect "SERVEROK"
>/
>script end /**** DO NOT EDIT THIS LINE!
>---------
>
>Any help would be very much appreciated - I've been beating my head
>against the wall for the past few days and not sure what to do from here.
>
>Kind Regards,
>Jonathan
>
>
>_______________________________________________
>lb-l mailing list
>lb-l@vegan.net
>http://vegan.net/mailman/listinfo/lb-l
>Searchable Archive: http://vegan.net/lb/archive
>http://lbdigest.com Load Balancing Digest

Received on Wed Apr 30 05:22:11 2008
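
The first two points raised in the reply above (addport on real servers with no "rport 0" service, and no SLB port with "client ena") can be checked mechanically against a dump in the format quoted in this thread. This is an added example, not part of the thread and not vendor tooling; the finding names are made up, the sample is a constructed excerpt, and reading "http ena" under /c/sys as "WebUI enabled" is an assumption.

```python
import re

# Constructed sample: trimmed excerpt of the dump quoted in this thread.
SAMPLE = """\
/c/sys
 http ena
/c/slb/real 1
 rip 111.222.64.22
 addport 80
/c/slb/port 2
 server ena
 hotstan ena
/c/slb/port 4
 server ena
/c/slb/virt 1
 vip 111.222.64.21
/c/slb/virt 1/service http
 group 1
"""

def parse_dump(text):
    """Map each menu path to its commands; drops '>' quoting and /* comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip(">").strip()
        if not line or line.startswith(("/*", "script ")):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def audit(sections):
    """Checks from the reply, plus a WebUI-enabled check (assumption)."""
    findings = []
    ports = [c for p, c in sections.items() if re.fullmatch(r"/c/slb/port \d+", p)]
    if ports and not any("client ena" in c for c in ports):
        findings.append("no-client-port")
    rport0 = any("rport 0" in c for p, c in sections.items()
                 if re.match(r"/c/slb/virt \d+/service ", p))
    for path, cmds in sections.items():
        if re.fullmatch(r"/c/slb/real \d+", path) and not rport0:
            if any(c.startswith("addport ") for c in cmds):
                findings.append(f"unneeded-addport:{path}")
    if "http ena" in sections.get("/c/sys", []):
        findings.append("webui-enabled")
    return findings
```
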
