RE: [load balancing] SSL / Alteon / iPlanet

From: Henry Silva (hsilva1IZZATnortelnetworks.com)
Date: Tue Jun 03 2003 - 08:53:40 EDT

    Hi Steve, can you verify that your health-checks are passing
    for your real servers (i/slb/dump)? I didn't see an allow filter
    on your server port to allow for health-checks. Configure an allow filter
    with the DIP of the alteon interface and that should allow the health-checks
    to pass.
    I didn't see real server 2 defined but I am assuming that it is the iSD310.
     
    You don't need to configure the addport 80 to your web server. This is only
    required if you are running with multiple rports. By default it will use the
    rport configured under the VIP unless the rport under the VIP is set to 0.
     
    Henry
    -----Original Message-----
    From: Steven Christall [mailto:SChristallIZZATbuildonline.com]
    Sent: Monday, June 02, 2003 1:21 PM
    To: 'lb-lIZZATvegan.net'
    Subject: RE: [load balancing] SSL / Alteon / iPlanet

    Hi Marcel
     
    I have finally got around to trying this config ... previously I had the AD3
    setup to use RTS for the iSD, in order to allow 80 and 443 to terminate on
    the same realport on a webserver. I am however having a problem that may be
    indirectly related to this and I wanted to try the method you described last
    month.
     
    Here are the relevant bits (I think!) from my config .. essentially the
    traffic does not seem to arrive at my server. It is almost like I don't
    have a global turned on somewhere. I have added notes *** like this. I
    really am stuck and in great pain lol ..... I would appreciate if you or
    another list member can spot my deliberate error (which I can't find) ....
     
    I can't even connect to a simple page directly on port 80 on the virtual
    server (i.e. missing out the iSD)
     
    Subsequent to writing this and dumping the config below I have turned on
    adv/fwlb on both 100 and 110 filters .... still no go :o(
     
    BTW where can I see some simple logging .... I would love to snoop a port!!
     
    Thank you
    Steve
     
    iSD settings
     
    IP addr of SSL server = 10.253.1.83
      Listen port of SSL server = 443 (https)
      Real server IP addr = 0.0.0.0
      Real server port = 81
      Type (generic/http) = generic
      Transparent proxy mode (on/off) = on
      Enable virtual server = enabled
     
    AD3 settings
     
    /c/port 2 *** iSD310
            pvid 2
    /c/port 7 *** real servers .. they all have default gateway pointing back to the ip attached to this port
            pvid 3
    /c/vlan 1 *** clients are connecting to port 1, vlan1
            def 1 3 4 5 8 9
    /c/vlan 2
            ena
            name "VLAN 2"
            def 2
    /c/vlan 3
            ena
            name "VLAN 3"
            def 7
    /c/stp 1/off
    /c/stp 1/clear
    /c/stp 1/add 1 2 3 4
    /c/ip/if 1 *** clients connecting here
            ena
            addr 10.253.1.60
            mask 255.255.255.0
            broad 10.253.1.255
    /c/ip/if 2 *** iSD here on 10.10.10.1 with default route set 10.10.10.60
            ena
            addr 10.10.10.60
            mask 255.255.255.0
            broad 10.10.10.255
            vlan 2
    /c/ip/if 3 *** servers on here with default route set 10.254.1.60
            ena
            addr 10.254.1.60
            mask 255.255.255.0
            broad 10.254.1.255
            vlan 3
    /c/ip/gw 1 *** vrrp gateway to internet
            ena
            addr 10.253.1.1
            arp enabled *** arp health check ... ping not enabled on f/w
    /c/slb
            on
    /c/slb/adv *** what does this do ... allows direct access to servers? how does this affect layer 4 ip addresses?
            direct ena

    *** snip other real servers not involved
     
    /c/slb/real 6 *** this is the one and only server I am trying to load balance to through the ad3 / isd
            ena
            rip 10.254.1.6
            addport 80

    /c/slb/group 2 *** isd
            add 2
    /c/slb/group 3 *** real server
            add 6

    /c/slb/port 1 *** i have client proxy ip's set, but not turned on
            client ena
            pip 10.253.1.81
    /c/slb/port 2
            client ena
            pip 10.253.1.82

    /c/slb/port 7
            server ena
            pip 10.253.1.87

    /c/slb/virt 2 *** this is the virtual server that I connect to
            ena
            vip 10.253.1.83
    /c/slb/virt 2/service http
            group 3
    /c/slb/virt 2/service 81
            group 3
            rport 80

    /c/slb/filt 100
            ena
            action redir
            dip 10.253.1.83
            dmask 255.255.255.255
            proto tcp
            dport https
            group 2
            rport 443
    /c/slb/filt 110
            ena
            action redir
            sip 10.253.1.83
            smask 255.255.255.255
            proto tcp
            sport 81
            group 2
    /c/slb/filt 224
            ena
            action allow

    /c/slb/port 1
            filt ena
            add 100
            add 224
    /c/slb/port 7
            filt ena
            add 110
            add 224

    -----Original Message-----
    From: Derksen, Marcel [mailto:marcel.derksenIZZATcw.com]
    Sent: 16 April 2003 07:27
    To: 'lb-lIZZATvegan.net'
    Subject: RE: [load balancing] SSL / Alteon / iPlanet
    Importance: High

    Steven,
     
    I would advise you to setup the environment as follows:
     
    Port 1 : client processing enabled, filter enabled with redirection to ISD
    group for https.
    Port 2: client processing enabled.
    Port 3: server processing enabled, filter enabled with redirection to ISD
    for port 81.
     
    The ISD is stripping the SSL layer from the HTTPS request and forwarding
    this to port 81 of the VIP. The VIP is listening to port 80 for normal HTTP
    traffic and to port 81 for formerly HTTPS traffic. The VIP is load balancing
    traffic to the real servers on port 80. So for the service port 81 you
    define RPORT to 80. When the traffic is returning the Alteon will revert the
    session into the state before it is load balanced. This means that normal
    http traffic will be translated into port 80 and formerly HTTPS traffic will
    be translated into port 81. After this the filters will do their work. Port
    80 traffic will not hit the filter, but port 81 will (on port 3).
     
    So to be more specific:
     
    Port 1:
    Client ena, filt ena, filt 100
    Filt 100: DIP=VIP, DMASK=255.255.255.255, DPORT=443,action=redir, group=2,
    proto=tcp,ena
     
    Port 2:
    Client ena
     
    Port 3:
    Server ena, filt ena, filt 110
    Filt 110: SIP=VIP, SMASK=255.255.255.255, SPORT=81,action = redir, group=2,
    proto=tcp,ena
     
    Virt 1:
    Virt=xxx.xxx.xxx.xxx
    Ena
    Service 80, group=xx
    Service 81, group=xx, rport=80
     
    You can use different VLANs if you want to, that is no problem. The
    port numbers I used are fictive. Port 1 holds the clients, port 2 holds the
    ISDs and port 3 holds the servers.
     
    Hope this helps.
     
    Greetings,
     
    Marcel Derksen
    NNCDS, NNCSS Alteon

    ____________________
    The Load Balancing Mailing List
    Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
    Archive: http://vegan.net/lb/archive
    LBDigest: http://lbdigest.com
    MRTG with SLB: http://vegan.net/MRTG
    Hosted by: http://www.tokkisystems.com
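The filter and VIP-service flow Marcel describes (HTTPS redirected to the ISD group, decrypted traffic hitting VIP port 81 with rport 80, the reply reverted to VIP:81 and caught by the server-port filter) as an added Python model; it is not vendor code and not from any poster. It assumes the VIP, ISD and real-server addresses from Steve's config, a constructed client address, that the ISD re-originates the decrypted request to VIP:81, and Alteon's default-deny behaviour on a port with filter processing enabled.

```python
VIP, ISD, REAL = "10.253.1.83", "10.10.10.1", "10.254.1.6"  # addresses from the thread
CLIENT = "192.0.2.10"                                       # constructed client address

# filter = (match criteria, action, redirect target, rport); {} matches anything
FILT_100 = ({"dip": VIP, "dport": 443}, "redir", ISD, 443)
FILT_110 = ({"sip": VIP, "sport": 81}, "redir", ISD, None)
FILT_224 = ({}, "allow", None, None)
PORT_FILTERS = {1: [FILT_100, FILT_224], 7: [FILT_110, FILT_224]}  # 1=clients, 7=servers
SERVICES = {80: (REAL, 80), 81: (REAL, 80)}  # virt service port -> (real server, rport)

def apply_filters(port, pkt):
    """Try filters in numeric order. With filtering enabled an unmatched
    packet is dropped (assumed default deny), hence the catch-all allow 224."""
    if port not in PORT_FILTERS:            # filter processing not enabled
        return pkt
    for crit, action, target, rport in PORT_FILTERS[port]:
        if all(pkt[k] == v for k, v in crit.items()):
            if action == "redir":
                return {**pkt, "dip": target, "dport": rport or pkt["dport"]}
            return pkt
    return None

def inbound(port, pkt):
    """Ingress on a client-processing port: filters, then VIP service lookup."""
    pkt = apply_filters(port, pkt)
    if pkt and pkt["dip"] == VIP and pkt["dport"] in SERVICES:
        real, rport = SERVICES[pkt["dport"]]
        return {**pkt, "dip": real, "dport": rport}
    return pkt

def outbound(reply, service_port):
    """Server reply: Alteon reverts the source to the VIP:service port it was
    balanced from, then the server-port (7) filters run on the result."""
    return apply_filters(7, {**reply, "sip": VIP, "sport": service_port})

def trace(dport):
    """(dip, dport) hops for one client request to VIP:dport and its reply."""
    req = {"sip": CLIENT, "sport": 40000, "dip": VIP, "dport": dport}
    hops = []
    p = inbound(1, req)
    hops.append((p["dip"], p["dport"]))
    if p["dip"] == ISD:  # ISD strips SSL, re-originates to VIP:81 via port 2 (no filters)
        p = inbound(2, {**req, "dport": 81})
        hops.append((p["dip"], p["dport"]))
    service_port = 81 if dport == 443 else dport
    reply = {"sip": p["dip"], "sport": p["dport"], "dip": CLIENT, "dport": 40000}
    r = outbound(reply, service_port)
    hops.append((r["dip"], r["dport"]) if r else None)  # reply goes to ISD for 81, client for 80
    return hops
```

`trace(443)` shows the HTTPS path bouncing through the ISD in both directions, while `trace(80)` shows plain HTTP never touching filter 110.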



    This archive was generated by hypermail 2.1.4 : Tue Jun 03 2003 - 09:01:50 EDT