FTP Load-Balancing in DSR mode
Hello Experts,
I need some clarity on FTP LB under DSR mode. I have DSR working fine for normal HTTP traffic, but I am facing issues with FTP on the same setup; please find the configs below.
Topology
Client (10.20.10.101) [VLAN 149] -----> CAT6k (10.20.10.110 & 10.10.15.2) [VLAN 149 & VLAN 150] ---> ACE ---> Server
access-list access line 8 extended permit icmp any any
access-list access line 16 extended permit tcp any any
access-list acl line 8 extended permit ip any any
rserver host real2
ip address 10.10.15.101
inservice
serverfarm host ftp
transparent
rserver real2
inservice
class-map match-all ftp-vip
2 match virtual-address 192.168.5.5 tcp eq ftp
class-map match-any ftp_1
2 match access-list access
policy-map type management first-match mgmt
class class-default
permit
policy-map type loadbalance first-match ftp
class class-default
serverfarm ftp
policy-map multi-match LBPOL
class vip
loadbalance vip inservice
loadbalance policy lbpol
loadbalance vip icmp-reply active
class ftp-vip
loadbalance vip inservice
loadbalance policy ftp
inspect ftp
class ftp_1
nat dynamic 5 vlan 150
interface vlan 61
ip address 61.202.200.200 255.0.0.0
access-group input acl
service-policy input mgmt
no shutdown
interface vlan 150
description server-side
ip address 10.10.15.1 255.255.255.0
no normalization
access-group input acl
nat-pool 5 10.10.15.209 10.10.15.209 netmask 255.255.255.255 pat
service-policy input LBPOL
service-policy input mgmt
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.15.2
Client
======
[root@TLS_SRV ~]# ifconfig eth1.149
eth1.149 Link encap:Ethernet HWaddr 00:1C:23:E2:50:C4
inet addr:10.20.10.101 Bcast:10.20.10.255 Mask:255.255.255.0
inet6 addr: fe80::21c:23ff:fee2:50c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:203 errors:0 dropped:0 overruns:0 frame:0
TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10444 (10.1 KiB) TX bytes:8408 (8.2 KiB)
route
192.168.5.0 10.20.10.110 255.255.255.0 UG 0 0 0 eth1.149
CAT6k
=======
interface Vlan149
ip address 10.20.10.110 255.255.255.0
end
interface Vlan150
ip address 10.10.15.2 255.255.255.0
end
ip route 192.168.5.5 255.255.255.255 10.10.15.1
Server
=======
eth1.150 Link encap:Ethernet HWaddr 00:1C:23:E2:50:C4
inet addr:10.10.15.101 Bcast:10.10.15.255 Mask:255.255.255.0
inet6 addr: fe80::21c:23ff:fee2:50c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9194 errors:0 dropped:0 overruns:0 frame:0
TX packets:408 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:503104 (491.3 KiB) TX bytes:71884 (70.1 KiB)
eth1.150:1 Link encap:Ethernet HWaddr 00:1C:23:E2:50:C4
inet addr:192.168.5.5 Bcast:192.168.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
route
10.20.0.0 10.10.15.2 255.255.0.0 UG 0 0 0 eth1.150
When I FTP from client 10.20.10.101, my connection is refused. But when I connect to my server directly, bypassing the ACE, I get authenticated.
As per DSR, I made the rserver and the ACE L2 adjacent, so when the ACE receives the packet it does not change the destination IP; it keeps the VIP as the destination, but the MAC is rewritten to the rserver MAC address. As I said before, all works fine for HTTP DSR.
I know NAT doesn't work on the ACE when it is configured for DSR, but for FTP I made a NAT config; even if I remove it, it is not working. Is my config for FTP correct?
Could someone please look into this and reply?
Thanks
Charles
If you need to route / provide load balancing between 2 hosts, then you will need to have Route SAF. You can use the Web Server 7 reverse proxy CLI or GUI to get this. However, you might want to start from a fresh configuration so that the reverse-map / map you have experimented with does not overlap with the 'Route' functionality that you seem to need here.
Here is some reference content:
http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
http://blogs.sun.com/meena/entry/configuring_reverse_proxy_in_sun
http://www.sun.com/bigadmin/features/articles/web_server_zones.jsp
Similar Messages
-
FTP Load Balancing on ACE 4710
Hi,
I have two ACEs working in ROUTED-MODE. On the servers there is HTTP content and FTP content.
- The load balancing is working correctly.
Now I have a problem: the client wants to perform an FTP request to a server on the Internet from a server belonging to the server farm configured in the ACE.
In simple words, now the server belonging to the farm will be the client for the FTP server on the Internet. The client can connect to the Internet FTP server and enter his username and password, but when he wants to transfer data (commands such as ls, get, put) the connection is closed.
- When the client makes the FTP connection, it arrives at the Internet FTP server with the VIP address 200.29.72.226.
- I have a capture taken while performing the command "ls", when the connection was closed. The ACE shows:
12:42:11.079794 00:08:74:4e:d4:67 > 00:0b:fc:fe:1b:01, ethertype 802.1Q (0x8100), length 79: vlan 2, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61) 10.3.2.1.1911 > 200.54.172.202.21: P [tcp sum ok] 37:58(21) ack 161 win 16400
12:42:11.079957 00:0b:fc:fe:1b:01 > 00:e0:b6:04:14:49, ethertype 802.1Q (0x8100), length 79: vlan 2, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61, bad cksum a77 (->57b)!) 200.29.72.226.39292 > 200.54.172.202.21: P [bad tcp cksum 7d15 (->4ce)!] 37:58(21) ack 161 win 16400
12:42:11.080088 00:e0:b6:04:14:49 > 00:0b:fc:fe:1b:01, ethertype 802.1Q (0x8100), length 79: vlan 46, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61) 200.54.172.202.21 > 200.29.72.226.39292: R [tcp sum ok] 161:182(21) ack 37 win 16400 [RST PORT 10,3,2,1,7,191\015\012]
12:42:11.079212 00:0b:fc:fe:1b:01 > 00:08:74:4e:d4:68, ethertype 802.1Q (0x8100), length 79: vlan 46, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61, bad cksum 57b (->a77)!) 200.54.172.202.21 > 10.3.2.1.1911: R [bad tcp cksum 4d2 (->7d19)!] 161:182(21) ack 37 win 16400 [RST PORT 10,3,2,1,7,191\015\012]
I attached a diagram of the situation and the actual configuration.
I appreciate your help.
Thanks and regards,
Jaime.
Thanks Gilles!
I applied the commands you told me. I performed laboratory tests and it worked fine.
Then I applied them in the client's ACE and the results were positive.
Thank you very much again.
Jaime. -
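The capture above shows the ACE translating the IP-header source 10.3.2.1 to 200.29.72.226 while the FTP payload still carries PORT 10,3,2,1,7,191, which is why the remote server answers with a RST. The following Python script is an added example, not part of the thread or of the ACE; it parses PORT commands and 227 PASV replies and flags that header/payload mismatch on constructed packets built from the addresses in the capture.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# FTP carries the data-connection endpoint inside the payload as h1,h2,h3,h4,p1,p2.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def decode_hostport(hostport: str) -> tuple[str, int]:
    """Turn '10,3,2,1,7,191' into ('10.3.2.1', 7*256 + 191)."""
    parts = [int(p) for p in hostport.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed FTP host-port string: {hostport!r}")
    ip = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return ip, port


@dataclass
class FtpPacket:
    """One captured FTP control-channel segment (constructed for this example)."""
    src_ip: str
    dst_ip: str
    payload: str  # a single command or reply line, CRLF optional


def announced_endpoint(pkt: FtpPacket) -> tuple[str, int] | None:
    """Return the (ip, port) the payload tells the peer to connect to, or None."""
    line = pkt.payload.rstrip("\r\n")
    m = PORT_RE.match(line) or PASV_RE.match(line)
    return decode_hostport(m.group(1)) if m else None


def check_nat_consistency(pkt: FtpPacket) -> str:
    """'ok' when the announced IP equals the IP-header source, 'none' when the
    line announces nothing, otherwise a 'mismatch: ...' description.  A NAT
    device that translates the header but not the payload (no FTP ALG, i.e.
    no 'inspect ftp' on that traffic) produces exactly that mismatch."""
    ep = announced_endpoint(pkt)
    if ep is None:
        return "none"
    ip, port = ep
    if ip == pkt.src_ip:
        return "ok"
    return f"mismatch: payload announces {ip}:{port}, IP header source is {pkt.src_ip}"


# Constructed packets mirroring the capture: before and after the ACE's NAT.
INSIDE = FtpPacket("10.3.2.1", "200.54.172.202", "PORT 10,3,2,1,7,191\r\n")
AFTER_NAT = FtpPacket("200.29.72.226", "200.54.172.202", "PORT 10,3,2,1,7,191\r\n")
# A PASV reply whose announced address agrees with the header (the healthy case).
PASV_OK = FtpPacket("200.29.72.226", "10.3.2.1",
                    "227 Entering Passive Mode (200,29,72,226,7,191).\r\n")

if __name__ == "__main__":
    for pkt in (INSIDE, AFTER_NAT, PASV_OK):
        print(f"{pkt.src_ip:>15} -> {pkt.dst_ip:<15} {check_nat_consistency(pkt)}")
```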
IDSM-2 load balancing on inline mode is it possible ..?
Hi there. I am currently working on a project and need to find out whether EtherChannel load balancing can be configured between several IDSM-2 modules running in inline mode. The IPS 5.1 admin guide states that it is possible for IOS-based switches having the IDSM-2 configured in promiscuous mode; however, I have heard that it might also be possible to configure EtherChannel load balancing when the IDSM-2 modules are in inline mode. Any help or comments will be appreciated; any links to refer to will be even better.
Thanks!!!
To configure EtherChannel load balancing on IDSM-2, you must install Cisco IOS 12.2(18)SXE and have Supervisor Engine 720. Cisco IOS only supports promiscuous IDSM-2 EtherChanneling using VACL capture (not SPAN or monitor). Refer to the URL
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1044800 -
Firewall Load Balance using bridged mode ACE
Dear Folks,
I'd like to load balance 2 ASAs using 3 ACEs [inside, outside, dmz network zones].
I've seen sample configurations; all of them run the ACE in routed mode, and the ASAs are running in routed mode.
Would it be possible to run the ACE in bridge mode, because of the IP subnetting problem? We don't have enough to split.
By the way, if possible, for all servers installed behind the ACE, what default gateway should the server point to [in our case we have 2 independent firewalls]? Should I create a VIP for both firewalls, or should I just simply set the server's gateway to the BVI interface?
Please help. Thanks
Thank you very much Gilles,
You're the man. ;-)
Another question: in my case I try to load balance 3 firewall interfaces [inside, outside, dmz] in order to make the packet return through the same firewall it passed earlier.
What kind of hashing technique do I need to use, and do I need to use the mac sticky command???
I tried to find some configuration samples on the Cisco website, but I only found one with 2 interfaces, with the ACE running source hash and destination hash at each end.
Thank you very much -
IPsec on hosts behind load balancing NAT
Hi,
I have a problem configuring an IPsec tunnel between two sites, where one is using NAT for load balancing of TCP traffic. I've been working on this for hours but I found myself in a dead end.
I have one router using NAT TCP load balancing of telnet traffic (in the real deployment I need FTP load balancing; I am using telnet for testing purposes). This router is connected to another router, where multiple hosts are connected. I need to protect the traffic from those hosts to the server that is load balanced using NAT.
So far I was not able to configure IPsec to work properly with this setup. I have a working configuration with IPsec encrypting some traffic not destined behind the NAT, but once I add a line to the traffic-specifying access lists on both sides, IPsec stops working (and it won't work from either side of the connection, from behind the NAT or destined behind the NAT). The access list on the router performing NAT is configured to allow any traffic destined to some specific addresses, and the access list on the router with the connected hosts specifies that any connection destined to the global address, where the servers are reachable, should be encrypted.
On the side where the traffic comes from I always see debug output like this:
*Mar 1 05:23:54.294: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.10.2, remote= 10.0.10.1,
local_proxy= 10.0.2.1/255.255.255.255/6/0 (type=1),
remote_proxy= 195.10.0.1/255.255.255.255/6/23 (type=1),
protocol= ESP, transform= esp-des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xA42ED8F1(2754533617), conn_id= 0, keysize= 0, flags= 0x400A
195.10.0.1 is my global address for the FTP server.
On the side where the encryption should be terminated I always see output like this:
*Mar 1 05:23:54.130: map_db_find_best did not find matching map
*Mar 1 05:23:54.130: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.10.1
But I can see that there is a crypto map for address 10.0.10.1:
RA#sh cryp map
Crypto Map: "TCP_ENCRYPTION" idb: Serial0/0 local address: 10.0.10.1
I tried to use some of the NAT traversal techniques for IPsec but without any success.
If you have any idea what the problem could be, or if you need any additional information or debugging output, I will be glad for any help.
Thanks, Adrian
This is a lab scenario and I want to test, for my learning, how IPsec would work in such a case.
I have tried it but IPsec doesn't work with the standard configuration. Below is the configuration.
I have configured 2 loopbacks: on R1: 100.1.1.1
on R2: 200.1.1.1
R1:
crypto isakmp policy 10
auth pre
enc des
hash md5
group 2
crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
crypto ipsec transform-set test esp-des esp-md5-hmac
mode tunnel
access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
crypto map test 10 ipsec-isakmp
match address 101
set peer 10.1.1.1
set transform-set test
ip route 0.0.0.0 0.0.0.0 10.1.0.2
R2:
crypto isakmp policy 10
auth pre
enc des
hash md5
group 2
crypto isakmp key 0 cisco address 10.1.3.1 (R2's IP)
crypto ipsec transform-set test esp-des esp-md5-hmac
mode tunnel
access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
crypto map test 10 ipsec-isakmp
match address 101
set peer 10.1.3.1 (it will be 10.1.3.1-natted ip right ?)
set transform-set test
ip route 0.0.0.0 0.0.0.0 10.1.1.2
Now when I ping from R1:
ping 200.1.1.1 source 100.1.1.1
it's not successful. Why doesn't it work? Any idea? -
Load balancing and High Availability topology
Our Forms 6i client-server application currently runs on a Citrix farm of 20 Windows 2000 boxes (IBM Blade Servers, 2 CPUs and 2 GB memory).
The application supports 2000 users.
We are moving to AS 10g R2, Forms 10g, and the goal is to use the same hardware, 20 Windows boxes (or fewer), for intranet web deployment.
What will be our best choices for application load balancing and high availability?
Hardware load balancer, Web Cache, mod_oc4j? Combinations?
Any suggestions, best practices, your experience?
Gerd, I understand that you are running 10g web forms through the browser, but using Citrix for deployment. This means that in addition to Application Server and Forms runtime sessions, a separate browser session will be opened for each user. What is the advantage of this configuration?
Michael, we are aware that Citrix is not supported by Oracle as a deployment platform. That only means that prior to contacting Oracle Support we have to reproduce the problem in a standard environment. It has never been a problem to reproduce a problem :) We were using Citrix as a deployment platform for Forms 6i client/server for 4 years, but now we are forced to upgrade to 10g.
We are familiar with the various load balancing options available. The question is which option is the most "workable" in our case. -
Internal load balancer for ADFS, Web Application Proxy join problem
Hello,
We deployed 2 x ADFS (2012 R2) behind an internal Azure load balancer.
In front are two WAP servers, which should be joined to the ADFS farm based on the internal load balancer IP.
Unfortunately the WAPs fail to join, and sometimes after 5 tries it works. The problem is (based on the event logs) that the ADFS servers don't trust the WAP certificate.
It seems that during the join process the ADFS internal load balancer does not stick to one ADFS server. If we join the WAP directly (without the ILB) to one of the ADFS servers, everything works fine.
As soon as we try to join via the ADFS internal load balancer IP, the above occurs.
Did anyone experience the same problems? How does the internal load balancer distribute the requests? It seems not to be sticky at all.
Thanks for any feedback,
Thomas
Thomas -
This article talks (in detail) about a recently updated distribution mode - Source IP affinity.
http://azure.microsoft.com/blog/2014/10/30/azure-load-balancer-new-distribution-mode/
Hope this helps!
/Arvind -
Windows Load Balancing on Multiple VLAN?
Hi all. Just wondering if any of you are having this same issue as I did. I've got NLB configured on 2 VMs running on Hyper-V. Each of the VMs is equipped with 2 NICs. The NIC for heartbeat purposes is configured with a static MAC and with the option "Enable Spoofing for MAC Address" enabled. The other NIC is for LAN communication purposes. Each of the NICs resides on a different VLAN (VLANx and VLANy). After I got NLB configured in "unicast" mode, I noticed I was not able to ping the NLB virtual IP address from any of the clients. Ping works between the NLB hosts, and it is accessible. Once I put all the NICs into the same VLAN, NLB works fine; I can ping the NLB virtual IP, and a test on IIS works well. My question: does NLB require all the hosts to reside in the same VLAN? If NLB supports multiple VLANs, then how can I configure it to support multiple VLANs (e.g. production LAN NIC on VLANx, and heartbeat NIC on VLANy)? Thank you.
Hi,
It seems that we need to use Multicast mode.
Configure Network Load Balancing Cluster Operation Mode
http://technet.microsoft.com/en-us/library/cc731616.aspx
Hope this helps.
Load balancing Application Server
Hi
I am new to PeopleSoft DBA work.
It would be great if somebody could point me to the steps required for setting up load balancing for the PeopleSoft application server (not the web server).
In particular I wanted to know where to look for information on 'directing certain loads' to a particular server.
Thanks a lot
Cyril
Are you talking about load balancing from the web server to multiple app servers in 4-tier mode? See the configuration.properties conf here:
http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/tsvt/book.htm?File=tsvt/htm/tsvt14.htm#H4003
Or are you talking about load balancing for 3-tier mode? See TUXEDO Connect String* in the profile (Configuration Manager):
http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/tsvt/book.htm?File=tsvt/htm/tsvt11.htm#H4032
Nicolas. -
Host Unreachable intermittently within a Windows Network Load Balancing Cluster
Hi,
We have 2 Windows 2008 R2 servers running multiple IIS web sites, load balanced across Windows Network Load Balancing in unicast mode. Although there are two interfaces in each server, only 1 interface in each server participates in load balancing and the other interface is used for a different backup LAN. The problem I am going to mention was not seen within the NLB for almost 1 year.
I have noticed intermittent "host unreachable" detected from NLB in each host from time to time since 3 weeks ago. After the servers are rebooted, both hosts can be reached and can be detected from NLB Manager. However, it becomes unreachable on both servers within minutes and then becomes reachable again after several minutes. This behavior is noticed in the load balancer, and pings do not work between the two hosts when the issue occurs. I did a packet capture to see what was going on with ARP messages when the issue occurs. The ARP entry goes missing in each server when the problem occurs and no ARP replies are returned from each server. But ARP requests are dispatched from both servers when the issue occurs. ARP replies come back after some time, after which the hosts become reachable again.
I tried to create a permanent static ARP entry (by copying the MAC address from the ARP table when the two hosts are reachable) in each host, but that hasn't solved the issue either. It seems like the individual MAC address generated by each host is a virtual one and it doesn't seem to respond when the problem occurs.
However, load balancing and the web sites are fully functional without any issues even while the "host unreachable" issue is detected.
I would appreciate it if someone could help me dig out the real problem.
Thank you.
Hi,
Did you do some change of your network or the NLB firewall settings recently?
If you are using the NLB cluster in Hyper-V guest vm you need to enable the spoofing of MAC address.
The related article:
Cannot access the virtual or dedicated IP address of an NLB node (Guest) running in Unicast Mode on Windows Server 2008 R2 Hyper-V
http://blogs.technet.com/b/networking/archive/2010/02/12/cannot-access-the-virtual-or-dedicated-ip-address-of-an-nlb-node-guest-running-in-unicast-mode-on-windows-server-2008-r2-hyper-v.aspx
More information:
Selecting the Unicast or Multicast Method of Distributing Incoming Requests
http://technet.microsoft.com/en-us/library/cc782694(v=ws.10).aspx
Single network adapter
http://technet.microsoft.com/en-us/library/cc776178(v=ws.10).aspx
Hope this helps.
Hyper-V 2012 R2 & NLB (Network Load Balancing) with Unicast on VMs
Hi,
We set up a 2012 R2 Hyper-V cluster. On this cluster we would like to run 2 VMs which are using NLB (Network Load Balancing) in unicast mode.
We have created an external virtual switch which is connected through a 3x10GB LACP team to a Cisco Nexus switch.
We have tried to set NLB up the way we did with 2008 R2, but we were not able to get this working. Is there any change in 2012 R2 we did not think about?
Each time we form the cluster, one node becomes unavailable.
Timo
Check the virtual network adapter properties - you must enable MAC address spoofing. We had the same issues.
Note that this will absolutely pollute your host machine's system log with tons of spam and make it pretty much worthless. I'm trying to find a way around this as we speak, actually. -
I'm having a difficult time trying to configure load balancing on my CSM based on the URL entered. Here is my scenario:
Two web servers (WebA & WebB), load balanced on a CSM. WebA & WebB have 90% the same content, so most traffic can be load balanced between them without a problem. The problem (for me anyway) comes in where WebA has certain web sites that WebB doesn't, and vice versa. So I need to load balance to both for 90% of the traffic, and point traffic to a particular server the other 10% of the time based on the URL entered.
Below is the test config I have so far (which doesn't work correctly). What I am trying for in this example is that any URL that contains /vhosts/ or /programs/ be directed to WebA, any URL that contains /platform/ or /ssl/ be directed to WebB, and all other traffic be load balanced between the two evenly. (For testing purposes, the servers are being load balanced in "bridge-mode"; in production they will be "routed-mode". I didn't want to go through the change controls to change the IP addresses for the test servers!)
module ContentSwitchingModule 2
vlan 605 client
ip address 10.63.240.4 255.255.255.0
gateway 10.63.240.1
vlan 606 server
ip address 10.63.240.4 255.255.255.0
natpool URL-POLICY-TEST 10.63.240.204 10.63.240.204 netmask 255.255.255.254
map SRV-A url
match protocol http url /vhosts/*
match protocol http url /programs/*
map SRV-B url
match protocol http url /platform/*
match protocol http url /ssl/*
serverfarm URL-POLICY-TEST
nat server
nat client URL-POLICY-TEST
real 10.40.109.100
inservice
real 10.40.109.101
inservice
serverfarm URL-TESTA
nat server
nat client URL-POLICY-TEST
real 10.40.109.100
inservice
serverfarm URL-TESTB
nat server
nat client URL-POLICY-TEST
real 10.40.109.101
inservice
policy TESTWEB-A
url-map SRV-A
serverfarm URL-TESTA
policy TESTWEB-B
url-map SRV-B
serverfarm URL-TESTB
vserver URL-POLICY_TEST
virtual 10.63.240.10 tcp 0
vlan 605
serverfarm URL-POLICY-TEST
sticky 1
persistent rebalance
slb-policy TESTWEB-A
slb-policy TESTWEB-B
inservice
Thanks for the reply Gilles. I've been out of the office for a while.
Well, right now nothing is working, except that all traffic is going to the default server farm assigned to the vserver. Here are the URLs I am testing with:
**************TEST A************
http://10.63.240.10/manual/vhosts/fd-limits.xml
http://10.63.240.10/manual/programs/apachectl.xml
**************TEST B************
http://10.63.240.10/manual/platform/ebcdic.xml
http://10.63.240.10/manual/ssl/ssl_compat.xml
***************BOTH****************
http://10.63.240.10/manual/howto/htaccess.xml
http://10.63.240.10/manual/howto/cgi.xml
When I try attaching to the first URL for example, here is the connection info (I trimmed it down so it will fit here):
MOSL1S1A#sh mod csm 2 real
real server farm Conns/hits
10.40.109.100 URL-POLICY-TEST 1
10.40.109.101 URL-POLICY-TEST 0
10.40.109.100 URL-TESTA 0
10.40.109.101 URL-TESTB 0
MOSL1S1A#
MOSL1S1A#sh mod csm 2 conn
prot vlan source destination
In TCP 605 10.47.10.10:3738 10.63.240.10:80
Out TCP 605 10.40.109.101:80 10.63.240.204:8820
I've tried changing the syntax on the URL statement in the map as such:
/manual/*
*/manual/*
/manual/
*manual*
/manual* -
Load Balancing FTP Server thru CSM using a single Client IP
Hello,
We have a need to load balance 3 FTP servers. These servers are reached only from a single client IP which is a database server. The FTP method that is being used is currently passive. Our configuration is currently unidirectional, ie, the FTP client (the one database server) sends to the VIP and the FTP Servers then talk directly back to the FTP client and the traffic does not go back through the CSM. The problem is that because FTP negotiates another port to talk on, we have to use sticky so that the connection is sent back to the original FTP server that sent the FTP data port to talk on. But, since we only have a single client IP that is ever used we are not load balancing appropriately across the FTP servers.
Traffic flow goes something like this, tcp port followed after colon as an example
1. FTP Client ----> VIP:21
2. CSM ---------> FTP Server:21
3. FTP Server --------> FTP Client(FTP server says come talk to me on port 1700)
4. FTP Client ---------> VIP:1700
5. CSM ---------> FTP Server:1700
6. FTP Server:1700 ---------> FTP Client
repeat steps 4 thru 6
Here's our hardware and software:
WS-X6066-SLB-APC running 4.2(2)
Config is as follows
module ContentSwitchingModule 9
ft group 101 vlan 9
priority 10
vlan 216 client
ip address 10.209.16.31 255.255.252.0
gateway 10.209.16.1
vlan 20 server
ip address 10.209.0.31 255.255.252.0
alias 10.209.0.11 255.255.252.0
probe ICMP1 icmp
interval 3
failed 3
receive 3
serverfarm FHEPRT
no nat server
no nat client
real 10.209.0.72
inservice
real 10.209.0.73
inservice
real 10.209.0.71
inservice
probe ICMP1
sticky 106 netmask 255.255.255.255 address source timeout 3
policy FHEPRT_POL1
sticky-group 106
serverfarm FHEPRT
vserver FHEPRT1
virtual 10.209.16.71 any
vlan 216
unidirectional
serverfarm FHEPRT
replicate csrp connection
no persistent rebalance
slb-policy FHEPRT_POL1
inservice
You are missing the "service ftp" config in the VIP definition. Try the following:
vserver FHEPRT1
virtual 10.209.16.71 tcp ftp service ftp
Syed Iftekhar Ahmed -
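The six-step flow above is why source-IP stickiness from a single client collapses the farm onto one real, while plain round-robin breaks the data connection. The following Python model is an added example, not the CSM's own logic; it replays passive-FTP sessions through three toy policies (round-robin, source sticky, and an FTP-aware policy that links each data connection to the control connection that announced it, the behaviour a `service ftp` VIP provides) using the real addresses from the config and a constructed client IP.

```python
from itertools import cycle

REALS = ["10.209.0.72", "10.209.0.73", "10.209.0.71"]  # serverfarm FHEPRT, config order
CLIENT_IP = "10.209.16.50"  # constructed: the single database-server client
FTP_CONTROL_PORT = 21


class RoundRobin:
    """No stickiness: every connection, control or data, is round-robined."""

    def __init__(self, reals):
        self._rr = cycle(reals)

    def pick(self, client_ip, dst_port):
        return next(self._rr)

    def note_pasv(self, real, data_port):
        pass  # knows nothing about FTP, so the 227 reply is ignored


class SourceSticky(RoundRobin):
    """'sticky 106 netmask 255.255.255.255 address source': the first connection
    from a client IP chooses a real; every later connection from that IP follows."""

    def __init__(self, reals):
        super().__init__(reals)
        self._by_client = {}

    def pick(self, client_ip, dst_port):
        if client_ip not in self._by_client:
            self._by_client[client_ip] = next(self._rr)
        return self._by_client[client_ip]


class FtpAware(RoundRobin):
    """FTP-aware VIP: control connections are balanced; a data connection is
    steered to whichever real announced that port in its 227 PASV reply."""

    def __init__(self, reals):
        super().__init__(reals)
        self._announced = {}  # announced data port -> real that announced it

    def pick(self, client_ip, dst_port):
        if dst_port == FTP_CONTROL_PORT:
            return next(self._rr)
        try:
            return self._announced.pop(dst_port)  # one-shot: PASV ports are per transfer
        except KeyError:
            raise LookupError(f"no control session announced data port {dst_port}") from None

    def note_pasv(self, real, data_port):
        self._announced[data_port] = real


def run_sessions(balancer, n_sessions, first_data_port=1700):
    """Replay n passive-FTP sessions (steps 1-6 in the post) from the one client.
    Returns (control connections per real, True if every data connection reached
    the real that issued its PASV reply)."""
    control_count = {r: 0 for r in REALS}
    all_consistent = True
    for i in range(n_sessions):
        real = balancer.pick(CLIENT_IP, FTP_CONTROL_PORT)   # steps 1-2: client -> VIP:21
        control_count[real] += 1
        data_port = first_data_port + i                      # step 3: "come talk to me on port 1700"
        balancer.note_pasv(real, data_port)
        data_real = balancer.pick(CLIENT_IP, data_port)      # steps 4-5: client -> VIP:data_port
        all_consistent = all_consistent and data_real == real  # step 6 only works on the same real
    return control_count, all_consistent


if __name__ == "__main__":
    for policy in (RoundRobin, SourceSticky, FtpAware):
        dist, ok = run_sessions(policy(REALS), 6)
        print(f"{policy.__name__:>13}: control conns {dist}, data conns correct: {ok}")
```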
Load balancing FTP/HTTP on same VIP
Hi,
Could someone please confirm whether it is possible to load balance FTP and HTTP on the same VIP? Would something like this work in a one-armed design?
class-map match-any WCVS
2 match virtual-address 20.0.0.1 tcp eq www
4 match virtual-address 20.0.0.1 tcp eq ftp
policy-map multi-match int3
class WCVS
loadbalance vip inservice
loadbalance policy VS-l7slb
inspect ftp
nat dynamic 5 vlan 20
int vl20
service-policy input int3
Hello,
I assume you want to ultimately use cookie sticky, since it is in your config, but not yet used. The '80' next to the rservers within the serverfarm will keep FTP from working because that will force the ACE to always use a destination port of 80 to the rservers, which is good for HTTP, but not so good for FTP. Below is your config with some modifications. I've created a new serverfarm for FTP, created a new probe for that farm, included HTTP cookie-sticky, and created a new L7 policy-map. There is one line that I would like you to remove and see if it works. If it does not, then add this line and see if it works.
Let me know how it goes...
logging enable
logging buffered 6
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
probe http Probe_HTTP
interval 5
passdetect interval 60
expect status 200 200
open 2
receive 2
probe tcp Probe_FTP
port 21
interval 5
passdetect interval 60
open 2
receive 2
rserver host Server1
ip address 10.10.10.10
conn-limit max 4000000 min 4000000
inservice
rserver host Server2
ip address 10.10.10.11
conn-limit max 4000000 min 4000000
inservice
serverfarm host FARM-HTTP
probe Probe_HTTP
rserver Server1 80
conn-limit max 4000000 min 4000000
inservice
rserver Server2 80
conn-limit max 4000000 min 4000000
inservice
serverfarm host FARM-FTP
probe Probe_FTP
rserver Server1
conn-limit max 4000000 min 4000000
inservice
rserver Server2
conn-limit max 4000000 min 4000000
inservice
sticky http-cookie XXX_tempCookie XXX_tempCookie
cookie insert
serverfarm FARM-HTTP
class-map type management match-any Management
201 match protocol http any
202 match protocol https any
203 match protocol icmp any
204 match protocol kalap-udp any
205 match protocol ssh any
206 match protocol telnet any
207 match protocol xml-https any
class-map match-any XXX-WCVS-WWW
2 match virtual-address 10.10.10.100 tcp eq www
class-map match-any XXX-WCVS-FTP
2 match virtual-address 10.10.10.100 tcp eq ftp
3 match virtual-address 10.10.10.100 tcp range 1023 65535 <-- try first without this, then with this
class-map match-any NAT-VIP
2 match destination-address 10.10.10.100 255.255.255.255
policy-map type management first-match Management
class Management
permit
policy-map type loadbalance first-match XXX_VS-l7slb-WWW
class class-default
sticky-serverfarm XXX_tempCookie
policy-map type loadbalance first-match XXX_VS-l7slb-FTP
class class-default
serverfarm FARM-FTP
policy-map multi-match int3
class XXX-WCVS-WWW
loadbalance vip inservice
loadbalance policy XXX_VS-l7slb-WWW
class XXX-WCVS-FTP
loadbalance vip inservice
loadbalance policy XXX_VS-l7slb-FTP
inspect ftp
class NAT-VIP
nat dynamic 5 vlan 12
interface vlan 12
ip address 10.10.10.1 255.255.255.0
alias 10.10.10.3 255.255.255.0
peer ip address 10.10.10.2 255.255.255.0
access-group input ALL
nat-pool 5 10.10.10.100 10.10.10.100 netmask 255.255.255.0 pat
service-policy input Management
service-policy input int3
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.254 -
Dynamic LBFO Load Balancing mode causing issues
Hi,
We're running a couple of virtual machines with the BIG-IP Virtual Edition in a Windows Server 2012 R2 Hyper-V cluster.
These virtual machines have had problems where traffic sent through the virtual machines doesn't get through, due to the MAC addresses of the physical team NICs being replaced with the MAC address from the team member actually used to transmit the packet.
Reference:
Windows Server 2012 R2 NIC Teaming (LBFO) Deployment and Management
Blog post - Server 2012 Hyper-V / NIC Team Oddity
One of the comments in the blog-post states what we are seeing:
The reason for the MAC Address switching you’re seeing is that Server 2012 in some cases will replace the source MAC address on Ethernet frames with the MAC Address from the team member actually used to transmit the packet. The reason for this is that
if it always kept the MAC Address intact, the switch would throw alarms for “MAC flapping”, i.e. seeing a given MAC Address bouncing back and forth between switch ports.
When we changed the Load Balancing mode from Dynamic to Hyper-V port, the problem was resolved.
Is it possible to solve this problem while still using Dynamic as the load balancing mode? Would LACP instead of Switch Independent teaming mode solve the problem?
@Rob Thanks, that's useful information. Did they suggest any other solutions/workarounds? (such as LACP)
@Alex I understand that I need to configure my switches if I'm going to use LACP, but will LACP cause a different behaviour regarding the replacement of the source MAC address on Ethernet frames? In other words: will LACP be an alternative solution/workaround to using Hyper-V Port in Switch Independent mode?
I can't answer this from experience because I've never had this problem.
But, the basic issue with the switch-independent mode is that the physical switch is completely unaware that there is any team situation at all. It can only operate within the base rules of Ethernet, which say that a MAC address can only appear on one endpoint
at a time. So, if you have built a switch-independent team that crosses 4 physical adapters and a Hyper-V virtual switch on top of that, what the physical switch "sees" is four distinct endpoints that are hosting multiple MAC addresses. When one
of the virtual adapters transmits on a virtual switch, it could, depending on the load-balancing mode, use any of the four physical lines. If it uses the same source MAC address while communicating across all four lines, the switch might panic. It wants to
know where the MAC really is for purposes of knowing where to deliver its inbound packets, and depending on security configuration, to be sure that there's not an unauthorized spoofing attempt in progress. That's why the dynamic mode uses MAC substitution.
The Hyper-V port mode gets around this by locking each virtual adapter on to a single physical channel so that its MAC address doesn't move. This has a cost of not allowing traffic on any given virtual adapter to be load-balanced.
In a LACP connection, the physical switch is fully aware of the team, and furthermore, it knows that it's not an endpoint. All the MAC addresses of the virtual adapters are associated with this single aggregated tunnel, not the individual physical adapters.
When it comes down to deciding which of the physical adapters to use to carry any given transmission, that can be negotiated by the switches without the need to lock a MAC to a specific adapter. There isn't, or at least there shouldn't be, any need for the
dynamic mode to perform MAC substitution.
Again, I'm speaking from theory, not direct experience with what you're asking about. I do make regular use of the dynamic mode on LACP trunks, but I don't run any applications that would have this MAC sensitivity issue. For all I know, dynamic still performs
this substitution and I just don't understand why. Also, there's a chance your symptoms just happen to point to this substitution as being a problem. But, I would say there's a good chance that using Dynamic/LACP will solve your issue.
Eric Siron
Altaro Hyper-V Blog
I am an independent blog contributor, not an Altaro employee. I am solely responsible for the content of my posts.