RE: [load balancing] Re: AW: ASA load balancing

From: Richard Golding (richard.golding@omnetica.com)
Date: Fri Jul 30 2004 - 12:09:24 EDT


    Maybe I am missing something but you should only need the one SSL server
    (per VIP defined on the Application switch) on each ASA to achieve this.

    i.e. 1 server defined on each of the ASAs = 194.48.123.33, which equals the
    VIP on the Application Switch. Depending on hash, HTTPS connections will be
    redirected to either one of the ASA devices and this device would then
    initiate an un-encrypted HTTP connection to the defined VIP
    (194.48.123.33) that exists on the Application Switch and normal LB then
    takes place. Return traffic from the end server will hit the filter and be
    redirected back to the correct ASA for re-encryption.

    Additional VIPs just require an additional server to be added to the ASAs.

    I apologise if I have mis-interpreted your requirement.

    If working via RTS, then maybe this is the method for you. Using hashing
    to ensure the same ASA is used in both directions will have issues the way
    it is currently defined.

    Cheers Richard

    -----Original Message-----
    From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net] On Behalf Of
    r.rauch
    Sent: 30 July 2004 10:31
    To: lb-l@vegan.net
    Subject: [load balancing] Re: AW: ASA load balancing

    Hi Richard,

    At the moment we are using the VIP 194.48.124.174 as a proxy; this will
    become a single sign-on proxy for all our services in the future. Server 2
    works fine if I remove the real server (IP) redirect to the back end and
    use the ASA server IP. But it is necessary to redirect this ASA server and
    others in the future. I have changed the configuration to RTS, and this
    works fine with both ASAs being load balanced; server 2 with back-end
    redirect will only work with transparent proxy mode OFF.

    The configuration that I wish to achieve is ASA SSL server 2 (SSL server
    IP 194.48.124.33) with a redirect real server IP address to the VIP
    (194.48.124.174 proxy on AS) using transparent proxy mode ON. This is
    needed so an auto log-on feature can be determined by using the CIP
    address. If the source address is from the ASA, the auto log-on feature
    cannot be used.

    Any other tips?

    thanks
    robert rauch

    Richard Golding <richard.golding <at> omnetica.com> writes:

     
     Robert,
     
     Have you tried removing the real server IP address 194.48.124.174 that
     is associated with Server 2? This will have the effect of ensuring the DIP
     remains unchanged on return traffic from Server 2. Having this set will
     cause the intended hashing of SIP/DIP to fail, as SIP/DIP will be
     different for return traffic from Server 2, so it is not guaranteed that
     Server 2 responses will be returned to the correct ASA.
     
     May also need to open up filters (ANY/ANY 443 inbound and ANY/ANY 4443
     return)
     
     Hope that helps,
     
     Cheers Richard
     
     -----Original Message-----
     From: owner-lb-l <at> vegan.net [mailto:owner-lb-l <at> vegan.net] On
    Behalf Of r.rauch
     Sent: 29 July 2004 12:13
     To: lb-l <at> vegan.net
     Subject: [load balancing] Re: AW: ASA load balancing
     
     
     Hallo Peter,
     
     At the moment we have the same results using transparent proxy mode with
     server 2; it does not matter whether it's enabled or not, I still cannot
     load balance two ASAs in a group, it only works with one. Before trying
     RTS, I would like to see if I can get it working with filter redirects.
     
     thanks
     robert
     
     
     Schimscha Peter <peter.schimscha <at> kapsch.net> writes:
     
      Transparent proxy mode for server 2 is turned off! Maybe RTS is the
      better way to go, because you can save lots of filters for the return
      traffic.
      rgds, Peter.
     
      -----Original Message-----
      From: owner-lb-l <at> vegan.net [mailto:owner-lb-l <at> vegan.net] On
      Behalf Of r.rauch
      Sent: Thursday, 29 July 2004 10:56
      To: lb-l <at> vegan.net
      Subject: [load balancing] ASA load balancing
      
      Hallo,
     
      I have a bit of a problem with two AS2424-ssl; a quick description of my
      problem.
     
      Using filters I am redirecting HTTPS traffic for several VIPs to an ASA
      group. On the ASA I have 2 servers configured, server 1 and server 2.
      Server 1 is working fine, also with both ASAs in the group; server 2,
      which is a redirect again on the ASA, only works if I am using one of
      the ASAs in the group.
     
      ASA 4.1.2
      SSL Server 1 cur
      
      Server 1 WORKING WITH BOTH ASA IN GROUP
        Server name = asmp.a1.net
        IP addr of SSL server = 194.48.124.174
        Listen port of SSL server = 443 (https)
        Real server IP addr = 0.0.0.0
        Real server port = 4443
        Type (generic/http/socks/portal) = http
        DNS name of server =
        Transparent proxy mode (on/off) = on
        Enable virtual server = enabled
      
      Server 2 ONLY WORKING WITH ONE ASA IN GROUP; TIME OUT WHEN ADDING
      SECONDARY ASA
        Server name = signatur.a1.net
        IP addr of SSL server = 194.48.124.33
        Listen port of SSL server = 443 (https)
        Real server IP addr = 194.48.124.174
        Real server port = 4443
        Type (generic/http/socks/portal) = http
        DNS name of server =
        Transparent proxy mode (on/off) = off
        Enable virtual server = enabled
      
      AS-2424-ssl 21.0.4.5
      On the AS2424-ssl I am just using filters; in the filters I am using
      thash (both) instead of fwlb.
     
      Server Load Balancing Information# /c/sl/filt 99/cur
      Current filter 99:
          enabled, name ssl-redirect_signatur.a1.net
          invert disabled
          sip any, dip 194.48.124.33 255.255.255.255
          proto tcp, sport any, dport https
          vlan any
          action redir, group 1000, rport 443
          log disabled, cache enabled
          proxy enabled, fwlb disabled, linklb disabled
          dbind disabled, pbind disabled,
          option disabled, tos 0 0 0
          length any
          tcp no flags enabled
          ack_or_reset disabled
          l7lkup disabled, ftpa disabled, radius snoop disabled
          radius/wap persistence disabled
          parseall enabled
          idshash dip
          thash both
          BW Contract 256
          pmatch disabled, matchall disabled
          ratelim disabled, maxconn 100
          timewin 1, holddur 2
      
      Filter 99 # ../filt 101/cur
      Current filter 101:
          enabled, name return_ssl
          invert disabled
          sip 194.48.124.174 255.255.255.255, dip any
          vlan any
          action redir, group 1000, rport 0
          log disabled, cache enabled
          proxy enabled, fwlb disabled, linklb disabled
          dbind disabled, pbind disabled,
          option disabled, tos 0 0 0
          length any
          tcp no flags enabled
          ack_or_reset disabled
          l7lkup disabled, ftpa disabled, radius snoop disabled
          radius/wap persistence disabled
          parseall enabled
          idshash dip
          thash both
          BW Contract 256
          pmatch disabled, matchall disabled
          ratelim disabled, maxconn 100
          timewin 1, holddur 2
      
     
      both real servers are up, only one is in the group at the moment,
      metric hash, health sslh.
     
      1000: ssl_lbodsip03a, 00:0c:f8:00:b8:1f, vlan 4090, ssl port, health 4, up
      1001: ssl_lbodsip03b, 00:0e:62:f7:f5:1f, vlan 4090, port 24, health 3, up
      
     
        5: 194.48.124.150, proxy, client, server    SERVER
             filt enabled, filters: 101 2048
      
       24: 194.48.124.151, client, server           INTERFACE FOR ASA'S, VLAN 4090
      
       25: 194.48.124.150, client, server           UPLINK TO INTERNET CLIENT
             filt enabled, filters: 99 100 2048
     
      If anyone can help it would be much appreciated
      
     
      Thanks in advance
      robert
      
     
      ____________________
      The Load Balancing Mailing List
      Unsubscribe: mailto:majordomo <at> vegan.net?body=unsubscribe%20lb-l
      Archive: http://vegan.net/lb/archive
      LBDigest: http://lbdigest.com
      MRTG with SLB: http://vegan.net/MRTG
      Hosted by: http://www.tokkisystems.com
     
     **********************************************************************
     Omnetica are recognised as the experts for enterprise networks. By
     combining business insight with network know-how, we help customers
     select, deploy and manage robust networking solutions that create value,
     enhance return on investment and accelerate the achievement of business
     objectives. For further information visit http://www.omnetica.com

     This e-mail and any files transmitted with it are confidential and
     intended solely for the use of the individual or entity to whom it is
     addressed. If you have received this e-mail in error you should not
     disseminate, distribute or copy it. Please notify the sender immediately
     and delete this e-mail from your system.

     This footnote also confirms that this email message has been swept for
     the presence of computer viruses. However, it is the responsibility of
     the recipient to ensure that this email and any attachments are free
     from the presence of viruses. Omnetica accepts no responsibility for any
     loss or damage arising from the use of this email or its attachments.
     **********************************************************************
     
     

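Richard's diagnosis at the top of the thread rests on one property of the redirect filters: a SIP/DIP hash sends the backend's reply to the same ASA only if the address pair the return filter sees is the same unordered pair the inbound filter saw, and a real server IP configured on the ASA (server 2 here) changes that pair. The Python model below is an added illustration written for this page, not Alteon, Nortel or ASA code. The SHA-256-based symmetric hash, the member order of the ASA group and the 10.0.0.0/24 client addresses are constructed stand-ins; only the SSL server and real server addresses and the ASA names come from the thread.

```python
"""Model of hash-based ASA selection for SSL offload, as discussed in this thread.

An inbound filter redirects HTTPS to an ASA group by hashing on source and
destination IP ("thash both"); the return filter is expected to hash the
backend's reply to the *same* ASA so that ASA can re-encrypt it.  Added
illustration, not Alteon/ASA code: the hash function is a stand-in.
"""
import hashlib
import ipaddress

# ASA group members named in the thread (member order is an assumption).
ASA_GROUP = ("ssl_lbodsip03a", "ssl_lbodsip03b")
# "Real server IP addr = 0.0.0.0": the ASA keeps the original destination IP.
UNSET = "0.0.0.0"


def pick_asa(sip: str, dip: str, group=ASA_GROUP) -> str:
    """Symmetric SIP/DIP hash: the *unordered* address pair chooses the member,
    so a reply (SIP and DIP swapped) lands on the same ASA as the request.
    SHA-256 stands in for the switch's real hash; only the symmetry matters."""
    a, b = sorted(int(ipaddress.ip_address(ip)) for ip in (sip, dip))
    digest = hashlib.sha256(a.to_bytes(4, "big") + b.to_bytes(4, "big")).digest()
    return group[int.from_bytes(digest[:4], "big") % len(group)]


def trace_flow(client: str, ssl_server_ip: str, real_server_ip: str):
    """Return (forward_asa, return_asa) for one client session.

    Forward: client -> ssl_server_ip:443 is redirected by the inbound filter.
    The chosen ASA decrypts and opens plain HTTP either to the original
    destination (real server IP unset, transparent proxy) or to the configured
    real server IP.  The backend's reply is sourced from whichever address the
    ASA connected to, and the return filter hashes that reply's SIP/DIP.
    """
    forward_asa = pick_asa(client, ssl_server_ip)
    backend_ip = ssl_server_ip if real_server_ip == UNSET else real_server_ip
    return_asa = pick_asa(backend_ip, client)
    return forward_asa, return_asa


def count_misrouted(clients, ssl_server_ip, real_server_ip) -> int:
    """Sessions whose reply reaches the *other* ASA.  That ASA holds no SSL
    session state for the flow, so the client sees a time-out, which is the
    symptom reported for server 2 once a second ASA joins the group."""
    misrouted = 0
    for client in clients:
        forward_asa, return_asa = trace_flow(client, ssl_server_ip, real_server_ip)
        if forward_asa != return_asa:
            misrouted += 1
    return misrouted


# Constructed client addresses for the simulation (not from the thread).
CLIENTS = [str(ipaddress.ip_address("10.0.0.0") + i) for i in range(1, 255)]

# (SSL server IP, real server IP) as configured in the thread.
SERVER1 = ("194.48.124.174", UNSET)            # works with both ASAs
SERVER2 = ("194.48.124.33", "194.48.124.174")  # times out with two ASAs
SERVER2_FIXED = ("194.48.124.33", UNSET)       # real server IP removed, as suggested


if __name__ == "__main__":
    cases = (("server 1", SERVER1),
             ("server 2", SERVER2),
             ("server 2, real server IP removed", SERVER2_FIXED))
    for name, (ssl_ip, real_ip) in cases:
        bad = count_misrouted(CLIENTS, ssl_ip, real_ip)
        print(f"{name}: {bad} of {len(CLIENTS)} sessions would return to the wrong ASA")
```

With two group members and a hash that treats the two address pairs independently, the server 2 configuration misroutes roughly half of all sessions, which matches an intermittent time-out rather than a hard failure. Removing the real server IP (or making the ASA's HTTP leg target the same VIP the client hit, as in the later suggestion) restores the pair and the count drops to zero; RTS avoids the dependency on hashing altogether because the switch tracks the session instead of recomputing a hash on the reply.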


    This archive was generated by hypermail 2.1.4 : Fri Jul 30 2004 - 12:20:09 EDT