From: Paul Sharpe (paulIZZATsixapart.com)
Date: Mon Jun 09 2003 - 22:33:55 EDT
I was wondering if anyone had any experience with NAT and ServerIrons.
My setup basically looks like the NAT based, route pathed, two-armed
SLB from Tony Bourke's SLB book. Everything works fine, except the
real servers can't ping the VIPs. They can ping the management IP,
they can ping their external NAT IP (both of which are on VLAN 1), but
they can't ping/access the VIPs. I've tried doing this with source-ip
and with setting up IP forwarding (one VE on each VLAN with an IP in
that VLAN's subnet).
The only way the real servers seem to access the net is if I have
inside NAT turned on (with either source-ip set, or using ip
forwarding). When this happens, I lose the ability to ping the VIPs.
If I turn off inside NAT and try to rely on routes & ip forwarding, the
real servers lose access to the net, but can ping the VIPs.
I hope this explanation makes sense to you folks, my brain's about to
explode. :p
Here's some of the relevant config info; btw, my internal network is
10.0.0.0/16:
Here's the route table:

     Destination   NetMask            Gateway            Port   Cost  Type
1    10.0.0.0      255.255.0.0        0.0.0.0            Ve 1   1     D
2    <public ip>   <public ip mask>   0.0.0.0            Ve 2   1     D
3    0.0.0.0       0.0.0.0            <router hsrp ip>   Ve 2   1     S

server virtual web-vip <public ip>
 port ssl sticky
 port http
 bind ssl web1 ssl web2 ssl
 bind http web1 http web2 http
!
server virtual app-vip <public ip>
 port smtp
 port ssl sticky
 port http
 bind smtp app1 smtp app2 smtp
 bind ssl app1 ssl app2 ssl
 bind http app1 http app2 http
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 2
!
vlan 2 by port
 untagged ethe 2 ethe 4 ethe 6 ethe 8
 router-interface ve 1
ip forward
ip address <public ip info>
ip nat inside
ip nat inside source list 1 pool outside
ip nat pool outside <public nat ip info>
ip default-gateway <our router's HSRP IP>
ip policy 1 cache tcp 0 global
ip policy 2 cache udp 0 global
interface ve 1
 ip address 10.0.0.1 255.255.0.0
!
interface ve 2
 ip address <public IP info>

In desperation, I've tried setting up various routes like:

to access VIPs:
 ip route <VIP> <netmask> 10.0.0.1

or to access the net w/o inside NAT:
 ip route <public ip network> 10.0.0.1
 ip route <public HSRP ip> 10.0.0.1

No go on those either.
Thanks in advance to any help you folks can give me. :)
____________________
The Load Balancing Mailing List
This archive was generated by hypermail 2.1.4 : Mon Jun 09 2003 - 22:44:26 EDT