[load balancing] Alteon UDP load balancing issue

From: Henrik Lantz <henrik [izzat] onyx.nu>
Date: Wed Jun 25 2008 - 15:25:32 EDT

Hi folks,

I am a former frequent reader of/contributor to the lb-l list that is now returning after a few years' absence seeking assistance from the general expertise here. For a project I'm working on, I've salvaged a pair of (very) old Alteon 180Es that I am using until I can get my shiny new 3408s delivered (they are on order...); but I've run into an issue with regards to UDP load balancing. I am under a lot of heat right now to get this working before I get the new load balancers, so if anyone has any ideas about this I'd be most grateful.

The platform serves two applications; one HTTP service that is running fine, and a new UDP-based application that is not working for me. Besides this, I have a couple of extra VIPs set up to allow for direct access (SSH/FTP/proprietary protocols, all TCP) to the individual real servers, and they are also working. The real servers that are supposed to serve the UDP requests also make outgoing connections, and this is handled without problems. Both Alteons are ACESwitch 180E, running WebOS (not using the BWM feature that caused that version to get retracted). The Alteons are connected with two separate ports to my Cisco Cat 6509s, one for the "Outside" VLAN with all the VIPs, and one for the "Inside" VLAN with the real servers connected (off the Ciscos, not directly to the Alteons). There is also a cross-connect trunk with both VLANs between the Alteons and they are of course trunked between the Ciscos as well. STP is disabled on the Alteons, allowing the Cats to handle it. I've engineered it so that the ports between RtrB and LB-02 are blocking on both VLANs. RtrA and LB-01 are HSRP/VRRP masters in all instances.

Now, config for the offending portion:

--{snip, snip}--
 direct ena
 matrix dis
 grace ena

/c/slb/real 151
 name "UDPServerA"
/c/slb/real 152
 name "UDPServerB"

/c/slb/group 200
 health icmp
 add 151
 add 152
 name "UDPServers - Load Balanced"

/c/slb/port 1
 client ena
 server ena
/c/slb/port 2
 client ena
 server ena
 proxy ena
 pip xx.yy.36.41
/c/slb/port 9
 client ena
 server ena

/c/slb/virt 150
 vip xx.yy.36.40
 dname "UDPServers - Load Balanced"
/c/slb/virt 150/service 3700
 group 200
 udp enabled

/c/slb/filt 25
 action allow
 proto udp
 sport 3700

/c/slb/filt 100
 action nat
 nat source
 invert ena

/c/slb/port 2
 filt ena
 add 25
 add 100
--{dius 'dius}--

Now, here's what I am seeing:

1) Wireshark capture on Inside VLAN between Alteon and server looks fine: I see the UDP request coming in, with the client IP as source address and the RIP as the destination, then moments later the response with the RIP as the source and the client IP as the destination. All fine.

2) When ENABLING filter 25 and capturing on the Outside VLAN, I see the request with the client IP as source and the VIP as destination, then the response comes back with the RIP as source and the client address as the destination IP. Shouldn't the Alteon maintain state of the UDP session and substitute it with the VIP coming back?

3) When DISABLING filter 25 and capturing on the Outside VLAN, things get really weird. The request flows as before, client IP -> VIP; but the RESPONSE comes back as sourced by zz.qq.36.41 (see the PIP on port 2), where zz = xx + 128 and qq = yy + 40. I assume this is because it's hitting the NAT filter 100, but then two questions pose themselves - 1) as above, shouldn't the Alteon maintain state of UDP sessions, and 2) why the bastardized PIP as a source address?

Can anybody spot anything I'm doing wrong here? It's the first time I'm attempting to load balance a UDP service, so I am hoping it's something glaringly obvious to anyone who has seen it before...

And just for the record - I have tried shutting the load balancer that is normally the master down and running only on the other one; they both exhibit the exact same behaviour and use the exact same source IP for the UDP response when filter 25 is disabled. I have rebooted both load balancers, individually and simultaneously. I have no more addresses available in the xx.yy.36.32/28 pool that I can assign as PIPs to be able to activate VMA.

I'm tearing my hair out over this one.

Comments? Questions? Solutions (please)?

Thanks a lot in advance,
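
The post's three observations all come down to whether the switch keeps per-flow UDP state and uses it to put the VIP back as the source of the reply. The following is an added example, not part of the original post or of Alteon's WebOS: a small model of that session table (with the idle-timeout cleanup UDP needs, since there is no FIN) plus a helper that labels a reply seen on the Outside VLAN the way the post's cases 2 and 3 describe. All addresses are constructed documentation-range stand-ins for the redacted xx.yy.36.x values, and the timeout value is an assumption, not the Alteon default.

```python
from dataclasses import dataclass
from typing import Optional

VIP = "192.0.2.40"        # stand-in for vip xx.yy.36.40 (constructed)
PIP = "192.0.2.41"        # stand-in for the port-2 pip xx.yy.36.41 (constructed)
RIPS = {"10.36.0.151", "10.36.0.152"}   # constructed real-server addresses
UDP_IDLE_TIMEOUT = 30.0   # seconds; assumed value, not the Alteon default

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class UdpSessionTable:
    """The state a VIP must keep: which client flow was sent to which RIP."""
    def __init__(self) -> None:
        self.sessions: dict = {}   # (client_ip, client_port) -> (rip, last_seen)

    def request(self, pkt: Pkt, rip: str, now: float) -> Pkt:
        """Record the client->VIP flow and return the packet as forwarded to the RIP."""
        self.sessions[(pkt.src, pkt.sport)] = (rip, now)
        return Pkt(pkt.src, pkt.sport, rip, pkt.dport)

    def reply(self, pkt: Pkt, now: float) -> Optional[Pkt]:
        """Reverse-translate a RIP->client reply to VIP source; None if no live state."""
        key = (pkt.dst, pkt.dport)
        entry = self.sessions.get(key)
        if entry is None or now - entry[1] > UDP_IDLE_TIMEOUT:
            self.sessions.pop(key, None)   # UDP has no FIN: idle timeout is the only cleanup
            return None
        if entry[0] != pkt.src:            # reply from a server this flow was never sent to
            return None
        self.sessions[key] = (entry[0], now)
        return Pkt(VIP, pkt.sport, pkt.dst, pkt.dport)

def classify_outside_reply(seen: Pkt) -> str:
    """Label a reply captured on the Outside VLAN, matching the post's cases."""
    if seen.src == VIP:
        return "ok"                 # VIP restored as source: what the session table should do
    if seen.src in RIPS:
        return "rip-leak"           # case 2: real server address exposed to the client
    if seen.src == PIP:
        return "pip-source"         # reply went out through the source-NAT filter as-is
    return "unexpected-source"      # case 3: neither VIP, RIP nor the configured PIP
```

Feeding a capture's reply packets through classify_outside_reply() gives a quick count of how many flows lost their reverse translation, which is the symptom to watch for after any filter or VMA change.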


lb-l mailing list
Searchable Archive: http://vegan.net/lb/archive
http://lbdigest.com Load Balancing Digest
http://lbwiki.com Load Balancing Wiki
Received on Wed Jun 25 15:26:01 2008

This archive was generated by hypermail 2.1.8 : Wed Jun 25 2008 - 15:26:03 EDT