From: Henry Silva (hsilva1IZZATnortelnetworks.com)
Date: Tue Jun 03 2003 - 08:53:40 EDT
Hi Steve, can you verify that your health-checks are passing
for your real servers (i/slb/dump)? I didn't see an allow filter
on your server port to allow for health-checks. Configure an allow filter
with the DIP of the Alteon interface and that should allow the health-checks to
pass.
I didn't see real server 2 defined but I am assuming that it is the iSD310.
You don't need to configure the addport 80 to your web server. This is only
required if you are running with multiple rports. By default it will use the
rport configured under the VIP unless the rport under the VIP is set to 0.
Henry
-----Original Message-----
From: Steven Christall [mailto:SChristallIZZATbuildonline.com]
Sent: Monday, June 02, 2003 1:21 PM
To: 'lb-lIZZATvegan.net'
Subject: RE: [load balancing] SSL / Alteon / iPlanet
Hi Marcel
I have finally got around to trying this config ... previously I had the AD3
setup to use RTS for the iSD, in order to allow 80 and 443 to terminate on
the same realport on a webserver. I am however having a problem that may be
indirectly related to this and I wanted to try the method you described last
month.
Here are the relevant bits (I think!) from my config .. essentially the
traffic does not seem to arrive at my server. It is almost like I don't
have a global turned on somewhere. I have added notes *** like this. I
really am stuck and in great pain lol ..... I would appreciate it if you or
another list member can spot my deliberate error (which I can't find) ....
I can't even connect to a simple page directly on port 80 on the virtual
server (i.e. missing out the iSD)
Subsequent to writing this and dumping the config below I have turned on
adv/fwlb on both 100 and 110 filters .... still no go :o(
BTW where can I see some simple logging .... I would love to snoop a port!!
Thank you
Steve
iSD settings
IP addr of SSL server = 10.253.1.83
Listen port of SSL server = 443 (https)
Real server IP addr = 0.0.0.0
Real server port = 81
Type (generic/http) = generic
Transparent proxy mode (on/off) = on
Enable virtual server = enabled
AD3 settings
/c/port 2 *** iSD310
pvid 2
/c/port 7 *** real servers .. they all have default
gateway pointing back to the ip attached to this port
pvid 3
/c/vlan 1 *** clients are connecting to port 1, vlan1
def 1 3 4 5 8 9
/c/vlan 2
ena
name "VLAN 2"
def 2
/c/vlan 3
ena
name "VLAN 3"
def 7
/c/stp 1/off
/c/stp 1/clear
/c/stp 1/add 1 2 3 4
/c/ip/if 1 *** clients connecting here
ena
addr 10.253.1.60
mask 255.255.255.0
broad 10.253.1.255
/c/ip/if 2 *** iSD here on 10.10.10.1 with default
route set 10.10.10.60
ena
addr 10.10.10.60
mask 255.255.255.0
broad 10.10.10.255
vlan 2
/c/ip/if 3 *** servers on here with default route set
10.254.1.60
ena
addr 10.254.1.60
mask 255.255.255.0
broad 10.254.1.255
vlan 3
/c/ip/gw 1 *** vrrp gateway to internet
ena
addr 10.253.1.1
arp enabled *** arp health check ... ping not enabled on f/w
/c/slb
on
/c/slb/adv *** what does this do ... allows direct access
to servers? how does this affect layer 4 ip addresses?
direct ena
*** snip other real servers not involved
/c/slb/real 6 *** this is the one and only server I am trying
to load balance to through the ad3 / isd
ena
rip 10.254.1.6
addport 80
/c/slb/group 2 *** isd
add 2
/c/slb/group 3 *** real server
add 6
/c/slb/port 1 *** i have client proxy ip's set, but not turned
on
client ena
pip 10.253.1.81
/c/slb/port 2
client ena
pip 10.253.1.82
/c/slb/port 7
server ena
pip 10.253.1.87
/c/slb/virt 2 *** this is the virtual server that I connect
to
ena
vip 10.253.1.83
/c/slb/virt 2/service http
group 3
/c/slb/virt 2/service 81
group 3
rport 80
/c/slb/filt 100
ena
action redir
dip 10.253.1.83
dmask 255.255.255.255
proto tcp
dport https
group 2
rport 443
/c/slb/filt 110
ena
action redir
sip 10.253.1.83
smask 255.255.255.255
proto tcp
sport 81
group 2
/c/slb/filt 224
ena
action allow
/c/slb/port 1
filt ena
add 100
add 224
/c/slb/port 7
filt ena
add 110
add 224
-----Original Message-----
From: Derksen, Marcel [mailto:marcel.derksenIZZATcw.com]
Sent: 16 April 2003 07:27
To: 'lb-lIZZATvegan.net'
Subject: RE: [load balancing] SSL / Alteon / iPlanet
Importance: High
Steven,
I would advise you to setup the environment as follows:
Port 1 : client processing enabled, filter enabled with redirection to ISD
group for https.
Port 2: client processing enabled.
Port 3: server processing enabled, filter enabled with redirection to ISD
for port 81.
The ISD is stripping the SSL layer from the HTTPS request and forwarding
this to port 81 of the VIP. The VIP is listening on port 80 for normal HTTP
traffic and on port 81 for formerly HTTPS traffic. The VIP is load balancing
traffic to the real servers on port 80. So for the service port 81 you
define RPORT to 80. When the traffic returns, the Alteon will revert the
session to the state before it was load balanced. This means that normal
http traffic will be translated into port 80 and formerly HTTPS traffic will
be translated into port 81. After this the filters will do their work. Port
80 traffic will not hit the filter, but port 81 will (on port 3).
So to be more specific:
Port 1:
Client ena, filt ena, filt 100
Filt 100: DIP=VIP, DMASK=255.255.255.255, DPORT=443,action=redir, group=2,
proto=tcp,ena
Port 2:
Client ena
Port 3:
Server ena, filt ena, filt 110
Filt 110: SIP=VIP, SMASK=255.255.255.255, SPORT=81,action = redir, group=2,
proto=tcp,ena
Virt 1:
Virt=xxx.xxx.xxx.xxx
Ena
Service 80, group=xx
Service 81, group=xx, rport=80
You can use different VLANs if you want to; that is no problem. The
port numbers I used are fictitious. Port 1 holds the clients, port 2 holds the
ISDs and port 3 holds the servers.
Hope this helps.
Greetings,
Marcel Derksen
NNCDS, NNCSS Alteon
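The following is an added example, not code from the thread, from Nortel or from Alteon WebOS. It is a small Python model of the per-port filter pipeline Marcel describes and of the health-check allow filter Henry asks for, built from the filter numbers, VIP and interface addresses in Steve's posted config. It assumes (a) filters on a port are evaluated in ascending filter number and the first match decides, (b) a packet that matches nothing on a port with `filt ena` is dropped (an implicit deny), (c) a server reply has already been reverted by the SLB session so that it is sourced from VIP:81 or VIP:80 as Marcel explains, and (d) a hypothetical filter number 120 for Henry's health-check allow filter. The client address 192.0.2.10 and all port numbers in the packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Addresses taken from Steve's posted config.
VIP = "10.253.1.83"    # /c/slb/virt 2 vip (also the iSD's SSL server address)
IF3 = "10.254.1.60"    # /c/ip/if 3, the Alteon's own address on the server VLAN
ISD = "10.10.10.1"     # iSD address on VLAN 2, from Steve's note on /c/ip/if 2
REAL6 = "10.254.1.6"   # /c/slb/real 6 rip
CLIENT = "192.0.2.10"  # constructed client address (RFC 5737 test net)


@dataclass(frozen=True)
class Packet:
    sip: str
    sport: int
    dip: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Filter:
    """One /c/slb/filt entry. A 0.0.0.0 mask means 'any address' and a port
    of None means 'any port', mirroring the defaults in the posted config."""
    num: int
    action: str                  # "allow", "deny" or "redir"
    proto: str = "any"
    sip: str = "0.0.0.0"
    smask: str = "0.0.0.0"
    dip: str = "0.0.0.0"
    dmask: str = "0.0.0.0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    group: Optional[int] = None  # redirect target group
    rport: Optional[int] = None  # redirect target port (None = unchanged)

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "any" or p.proto == self.proto)
            and _in_net(p.sip, self.sip, self.smask)
            and _in_net(p.dip, self.dip, self.dmask)
            and (self.sport is None or p.sport == self.sport)
            and (self.dport is None or p.dport == self.dport)
        )


def _in_net(addr: str, net: str, mask: str) -> bool:
    return IPv4Address(addr) in IPv4Network(f"{net}/{mask}", strict=False)


Verdict = Tuple[str, Optional[int], Optional[int]]  # (action, group, rport)


def evaluate(port_filters: List[Filter], p: Packet) -> Verdict:
    """Walk a port's filter list in ascending filter number; the first match
    decides. No match on a port with 'filt ena' is modelled as a drop
    (assumed implicit deny)."""
    for f in sorted(port_filters, key=lambda flt: flt.num):
        if f.matches(p):
            return (f.action, f.group, f.rport)
    return ("deny", None, None)


# Filters as posted: 100 and 224 on client port 1, 110 and 224 on server port 7.
FILT_100 = Filter(100, "redir", proto="tcp", dip=VIP, dmask="255.255.255.255",
                  dport=443, group=2, rport=443)
FILT_110 = Filter(110, "redir", proto="tcp", sip=VIP, smask="255.255.255.255",
                  sport=81, group=2)
FILT_224 = Filter(224, "allow")
PORT_1 = [FILT_100, FILT_224]
PORT_7 = [FILT_110, FILT_224]

# Henry's suggestion modelled as a hypothetical filter 120 (number assumed):
# allow traffic whose DIP is the Alteon's server-side interface, i.e. the real
# servers' replies to the Alteon's own health checks.
FILT_120 = Filter(120, "allow", dip=IF3, dmask="255.255.255.255")

# /c/slb/virt 2: service http -> group 3; service 81 -> group 3 with rport 80.
VIRT_2 = {80: (3, 80), 81: (3, 80)}


def slb_target(p: Packet) -> Optional[Tuple[int, int]]:
    """Group and real port virt 2 sends a packet to, or None if the packet is
    not addressed to a configured VIP service."""
    if p.dip != VIP:
        return None
    return VIRT_2.get(p.dport)


def health_check_reply(port_filters: List[Filter]) -> Verdict:
    """Real server 6 answering an Alteon health check: the reply is sourced
    from the server and destined for the if 3 address, seen on port 7."""
    return evaluate(port_filters, Packet(REAL6, 80, IF3, 33000))


def walk_https_session() -> List[Tuple[str, tuple]]:
    """Trace one HTTPS request along the path Marcel describes."""
    return [
        # 1. Client -> VIP:443 on port 1: filter 100 redirects to group 2 (iSD).
        ("client->vip:443 @port1", evaluate(PORT_1, Packet(CLIENT, 40000, VIP, 443))),
        # 2. iSD sends cleartext to VIP:81: service 81 maps to group 3, rport 80.
        ("isd->vip:81 slb", slb_target(Packet(ISD, 50000, VIP, 81))),
        # 3. Reverted reply sourced VIP:81 on port 7: filter 110 sends it to the iSD.
        ("reply vip:81 @port7", evaluate(PORT_7, Packet(VIP, 81, ISD, 50000))),
        # 4. Plain HTTP reply sourced VIP:80 misses filter 110 and passes via 224.
        ("reply vip:80 @port7", evaluate(PORT_7, Packet(VIP, 80, CLIENT, 40001))),
    ]


if __name__ == "__main__":
    for label, result in walk_https_session():
        print(f"{label:24s} -> {result}")
    print("health check, posted port 7 filters ->", health_check_reply(PORT_7))
    print("health check, filter 110 only       ->", health_check_reply([FILT_110]))
    print("health check, 110 + allow-to-if3    ->", health_check_reply([FILT_110, FILT_120]))
```

The last three calls are the point of Henry's note: with only a redirect filter on the server port, the model drops the server's reply to the Alteon's health check, and either the posted allow-all filter 224 or a narrower allow filter whose DIP is the Alteon's interface lets it through. Filter 110 keying on source port 81 is also what keeps plain HTTP replies (source port 80) out of the iSD path.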
____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
Archive: http://vegan.net/lb/archive
LBDigest: http://lbdigest.com
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com
This archive was generated by hypermail 2.1.4 : Tue Jun 03 2003 - 09:01:50 EDT