FTP Load-Balancing in DSR mode

Hello experts,
I need some clarity on FTP LB in DSR mode. I have DSR working fine for normal HTTP traffic, but I am facing issues with FTP on the same setup. Please find the configs below.
Topology
Client (10.20.10.101, VLAN 149) ---> CAT6k (10.20.10.110 on VLAN 149, 10.10.15.2 on VLAN 150) ---> ACE ---> Server
access-list access line 8 extended permit icmp any any
access-list access line 16 extended permit tcp any any
access-list acl line 8 extended permit ip any any
rserver host real2
  ip address 10.10.15.101
  inservice
serverfarm host ftp
  transparent
  rserver real2
    inservice
class-map match-all ftp-vip
  2 match virtual-address 192.168.5.5 tcp eq ftp
class-map match-any ftp_1
  2 match access-list access
policy-map type management first-match mgmt
  class class-default
    permit
policy-map type loadbalance first-match ftp
  class class-default
    serverfarm ftp
policy-map multi-match LBPOL
  class vip
    loadbalance vip inservice
    loadbalance policy lbpol
    loadbalance vip icmp-reply active
  class ftp-vip
    loadbalance vip inservice
    loadbalance policy ftp
    inspect ftp
  class ftp_1
    nat dynamic 5 vlan 150
interface vlan 61
  ip address 61.202.200.200 255.0.0.0
  access-group input acl
  service-policy input mgmt
  no shutdown
interface vlan 150
  description server-side
  ip address 10.10.15.1 255.255.255.0
  no normalization
  access-group input acl
  nat-pool 5 10.10.15.209 10.10.15.209 netmask 255.255.255.255 pat
  service-policy input LBPOL
  service-policy input mgmt
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.15.2
Client
======
[root@TLS_SRV ~]# ifconfig eth1.149
eth1.149  Link encap:Ethernet  HWaddr 00:1C:23:E2:50:C4
          inet addr:10.20.10.101  Bcast:10.20.10.255  Mask:255.255.255.0
          inet6 addr: fe80::21c:23ff:fee2:50c4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:203 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10444 (10.1 KiB)  TX bytes:8408 (8.2 KiB)
route
 192.168.5.0     10.20.10.110    255.255.255.0   UG    0      0        0 eth1.149
CAT6k
=======
interface Vlan149
 ip address 10.20.10.110 255.255.255.0
end
interface Vlan150
 ip address 10.10.15.2 255.255.255.0
end
ip route 192.168.5.5 255.255.255.255 10.10.15.1    
Server
=======
eth1.150  Link encap:Ethernet  HWaddr 00:1C:23:E2:50:C4
          inet addr:10.10.15.101  Bcast:10.10.15.255  Mask:255.255.255.0
          inet6 addr: fe80::21c:23ff:fee2:50c4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9194 errors:0 dropped:0 overruns:0 frame:0
          TX packets:408 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:503104 (491.3 KiB)  TX bytes:71884 (70.1 KiB)
eth1.150:1 Link encap:Ethernet  HWaddr 00:1C:23:E2:50:C4
          inet addr:192.168.5.5  Bcast:192.168.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
route
10.20.0.0       10.10.15.2      255.255.0.0     UG    0      0        0 eth1.150
When I do FTP from client 10.20.10.101, my connection is refused. But when I connect to my server directly, bypassing the ACE, I get authenticated.
As per DSR, I made the rserver and the ACE L2 adjacent, so when the ACE receives the packet it will not change the destination IP; instead it will keep the VIP as the destination, but the MAC will be rewritten to the rserver MAC address. As I said before, all works fine for HTTP DSR.
I know NAT doesn't work on the ACE when it is configured for DSR, but for FTP I made a NAT config; even if I remove it, it is not working. Is my config for FTP correct?
Could someone please look into this and reply?
Thanks
Charles

If you need to route / provide load balancing between 2 hosts, then you will need to have the Route SAF. You can use the Web Server 7 reverse proxy CLI or GUI to get this. However, you might want to start from a fresh configuration, so that the reverse-map / map that you have experimented with does not overlap with the 'Route' functionality that you seem to need here.
Here is some reference content:
http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
http://blogs.sun.com/meena/entry/configuring_reverse_proxy_in_sun
http://www.sun.com/bigadmin/features/articles/web_server_zones.jsp

Similar Messages

  • FTP Load Balancing on ACE 4710

    Hi,
    I have two ACEs working in routed mode. On the servers there is HTTP content and FTP content.
    - The load balancing is working correctly.
    Now I have a problem: the client wants to perform an FTP request to a server on the Internet from a server belonging to a server farm configured on the ACE.
    In simple words, the server belonging to the farm will now be the client of the FTP server on the Internet. The client can connect to the Internet FTP server and enter username and password, but when he wants to transfer data (commands such as ls, get, put) the connection is closed.
    - When the client makes the FTP connection, it arrives at the Internet FTP server with the VIP address 200.29.72.226.
    - I have a capture taken while performing the "ls" command, when the connection was closed. The ACE showed:
    12:42:11.079794 00:08:74:4e:d4:67 > 00:0b:fc:fe:1b:01, ethertype 802.1Q (0x8100), length 79: vlan 2, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61) 10.3.2.1.1911 > 200.54.172.202.21: P [tcp sum ok] 37:58(21) ack 161 win 16400
    12:42:11.079957 00:0b:fc:fe:1b:01 > 00:e0:b6:04:14:49, ethertype 802.1Q (0x8100), length 79: vlan 2, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61, bad cksum a77 (->57b)!) 200.29.72.226.39292 > 200.54.172.202.21: P [bad tcp cksum 7d15 (->4ce)!] 37:58(21) ack 161 win 16400
    12:42:11.080088 00:e0:b6:04:14:49 > 00:0b:fc:fe:1b:01, ethertype 802.1Q (0x8100), length 79: vlan 46, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61) 200.54.172.202.21 > 200.29.72.226.39292: R [tcp sum ok] 161:182(21) ack 37 win 16400 [RST PORT 10,3,2,1,7,191\015\012]
    12:42:11.079212 00:0b:fc:fe:1b:01 > 00:08:74:4e:d4:68, ethertype 802.1Q (0x8100), length 79: vlan 46, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61, bad cksum 57b (->a77)!) 200.54.172.202.21 > 10.3.2.1.1911: R [bad tcp cksum 4d2 (->7d19)!] 161:182(21) ack 37 win 16400 [RST PORT 10,3,2,1,7,191\015\012]
    I attached a diagram of the situation and the actual configuration.
    I appreciate your help
    Thanks and regards,
    Jaime.

    Thanks Gilles! 
    I applied the commands you told me. I performed laboratory tests and it worked fine.
    Then I applied them on the client's ACE and the results were positive.
    Thank you very much again.
    Jaime.

  • IDSM-2 load balancing on inline mode is it possible ..?

    Hi there. I am currently working on a project and need to find out whether EtherChannel load balancing can be configured between several IDSM-2s running in inline mode. The IPS 5.1 admin guide states that it is possible for IOS-based switches with the IDSM-2 configured in promiscuous mode; however, I have heard that it might also be possible to configure EtherChannel load balancing when the IDSM-2s are in inline mode. Any help or comments will be appreciated; any links to refer to will be even better.
    Thanks !!!

    To configure EtherChannel load balancing on the IDSM-2, you must install Cisco IOS 12.2(18)SXE and have a Supervisor Engine 720. Cisco IOS only supports promiscuous IDSM-2 EtherChanneling using VACL capture (not SPAN or monitor). Refer to the URL:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1044800

  • Firewall Load Balance using bridged mode ACE

    Dear Folks,
    I'd like to load balance 2 ASAs using 3 ACE [inside, outside, DMZ network zones].
    I've seen sample configurations; all of them are running the ACE in routed mode, and the ASAs are running in routed mode.
    Would it be possible to run the ACE in bridged mode, because of the IP subnetting problem? We don't have enough addresses to split.
    By the way, if possible, for all servers installed behind the ACE, what default gateway should the servers point to [in our case we have 2 independent firewalls]? Should I create a VIP for both firewalls, or should I simply set the server's gateway to the BVI interface?
    Please help. Thanks.

    Thank you very much Gilles,
    You 're the man. ;-)
    Another question: in my case I am trying to load balance a 3-interface firewall [inside, outside, DMZ] in order to make the return packet go through the same firewall it passed through earlier.
    What kind of hashing technique do I need to use, and do I need to use the mac-sticky command?
    I tried to find some configuration samples on the Cisco website, but I only found one with only 2 interfaces, with the ACE running source hash and destination hash on each end.
    Thank you very much

  • IPsec on hosts behind load balancing NAT

    Hi,
    I have a problem configuring an IPsec tunnel between two sites, where one site is using NAT for load balancing of TCP traffic. I've been working on this for hours but I found myself in a dead end.
    I have one router using NAT TCP load balancing of telnet traffic (in the real deployment I need FTP load balancing; I am using telnet for testing purposes). This router is connected to another router, where multiple hosts are connected. I need to protect the traffic from those hosts to the server that is load balanced using NAT.
    So far I was not able to configure IPsec to work properly with this setup. I have a working configuration with IPsec encrypting some traffic not destined behind the NAT, but once I add a line specifying the traffic in the access lists on both sides, IPsec stops working (and it won't work from either side of the connection, from behind the NAT or destined behind the NAT). The access list on the router performing NAT is configured to allow any traffic destined to some specific addresses, and the access list on the router with the connected hosts specifies that any connection destined to the global address, where the servers are reachable, should be encrypted.
    On the side where the traffic comes from I always see a debug output like this:
    *Mar  1 05:23:54.294: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 10.0.10.2, remote= 10.0.10.1,
        local_proxy= 10.0.2.1/255.255.255.255/6/0 (type=1),
        remote_proxy= 195.10.0.1/255.255.255.255/6/23 (type=1),
        protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0xA42ED8F1(2754533617), conn_id= 0, keysize= 0, flags= 0x400A
    195.10.0.1 is my global address for the FTP server.
    On the side where the encryption should be terminated I always see an output like this:
    *Mar  1 05:23:54.130: map_db_find_best did not find matching map
    *Mar  1 05:23:54.130: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.10.1
    But I can see that there is a crypto map for address 10.0.10.1:
    RA#sh cryp map
    Crypto Map: "TCP_ENCRYPTION" idb: Serial0/0 local address: 10.0.10.1
    I tried to use some of the NAT traversal techniques for IPsec but without any success.
    If you have any idea what the problem could be, or if you need any additional information or debugging output, I will be glad for any help.
    Thanks, Adrian

    This is a lab scenario and I want to test, for my own learning, how IPsec would work in such a case.
    I have tried it but IPsec doesn't work with the standard configuration. Below is the configuration.
    I have configured 2 loopbacks. On R1: 100.1.1.1
    On R2: 200.1.1.1
    R1:
    crypto isakmp policy 10
     auth pre
     enc des
     hash md5
     group 2
    crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
    crypto ipsec transform-set test esp-des esp-md5-hmac
     mode tunnel
    access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
    crypto map test 10 ipsec-isakmp
     match address 101
     set peer 10.1.1.1
     set transform-set test
    ip route 0.0.0.0 0.0.0.0 10.1.0.2
    R2:
    crypto isakmp policy 10
     auth pre
     enc des
     hash md5
     group 2
    crypto isakmp key 0 cisco address 10.1.3.1 (R2's IP)
    crypto ipsec transform-set test esp-des esp-md5-hmac
     mode tunnel
    access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
    crypto map test 10 ipsec-isakmp
     match address 101
     set peer 10.1.3.1 (it will be 10.1.3.1, the NATted IP, right?)
     set transform-set test
    ip route 0.0.0.0 0.0.0.0 10.1.1.2
    Now when I ping from R1:
    ping 200.1.1.1 source 100.1.1.1
    it is not successful. Why doesn't it work? Any idea?

  • Load balancing and High Availability topology

    Our Forms 6i client-server application currently runs on a Citrix farm of 20 Windows 2000 boxes (IBM blade servers, 2 CPUs and 2 GB memory).
    The application supports 2000 users.
    We are moving to AS 10g R2 / Forms 10g, and the goal is to use the same hardware, 20 Windows boxes (or fewer), for intranet web deployment.
    What will be our best choices for application load balancing and high availability?
    Hardware load balancer, Web Cache, mod_oc4j? Combinations?
    Any suggestions, best practices, your experience?

    Gerd, I understand that you are running 10g web forms through the browser but using Citrix for deployment. This means that in addition to the Application Server and Forms runtime sessions, a separate browser session will be opened for each user. What is the advantage of this configuration?
    Michael, we are aware that Citrix is not supported by Oracle as a deployment platform. That only means that prior to contacting Oracle Support we have to reproduce the problem in a standard environment. It has never been a problem to reproduce a problem :) We were using Citrix as a deployment platform for Forms 6i client/server for 4 years, but now we are forced to upgrade to 10g.
    We are familiar with the various load balancing options available. The question is which option is the most "workable" in our case.

  • Internal load balancer for ADFS, Web Application Proxy join problem

    Hello,
    we deployed 2 x ADFS (2012 R2) behind an internal Azure load balancer.
    In front are two WAP servers, which should be joined to the ADFS farm via the internal load balancer IP.
    Unfortunately the WAPs fail to join, and sometimes after 5 tries it works. The problem is (based on the event logs) that the ADFS servers don't trust the WAP certificate.
    It seems that during the join process the ADFS internal load balancer does not stick to one ADFS server. If we join the WAP directly (without the ILB) to one of the ADFS servers, everything works fine.
    As soon as we try to join via the ADFS internal load balancer IP, the above occurs.
    Did anyone experience the same problems? How does the internal load balancer distribute the requests? It seems not to be sticky at all.
    Thanks for any Feedback,
    Thomas

    Thomas -
    This article talks (in detail) about a recently updated distribution mode - Source IP affinity.
    http://azure.microsoft.com/blog/2014/10/30/azure-load-balancer-new-distribution-mode/
    Hope this helps!
    /Arvind

  • Windows Load Balancing on Multiple VLAN?

    Hi all. Just wondering if any of you are having the same issue as I did. I've got NLB configured on 2 VMs running on Hyper-V. Each VM is equipped with 2 NICs. The NIC for heartbeat purposes is configured with a static MAC and with the option "Enable Spoofing for MAC Address" enabled. The other NIC is for LAN communication purposes. Each NIC resides on a different VLAN (VLANx and VLANy). After I configured NLB in "unicast" mode, I noticed I am not able to ping the NLB virtual IP address from any of the clients. Ping works between the NLB hosts, and it is accessible. Once I put all the NICs into the same VLAN, NLB works fine; I can ping the NLB virtual IP, and a test on IIS works well. My question: does NLB require all the hosts to reside in the same VLAN? If NLB supports multiple VLANs, then how can I configure it to support multiple VLANs (e.g. production LAN NIC on VLANx, and heartbeat NIC on VLANy)? Thank you.

    Hi,
    It seems that we need to use multicast mode.
    Configure Network Load Balancing Cluster Operation Mode
    http://technet.microsoft.com/en-us/library/cc731616.aspx
    Hope this helps.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Load balancing Application Server

    Hi
    I am new to PeopleSoft DBA work.
    It would be great if somebody could point me to the steps required for setting up load balancing for the PeopleSoft application server (not the web server).
    In particular, I wanted to know where to look for information on 'directing certain loads' to a particular server.
    Thanks a lot
    Cyril

    Are you talking about load balancing from the web server to multiple appservers in 4-tier mode? See the configuration.properties configuration here:
    http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/tsvt/book.htm?File=tsvt/htm/tsvt14.htm#H4003
    Or are you talking about load balancing for 3-tier mode? See TUXEDO Connect String* in the profile (Configuration Manager):
    http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/tsvt/book.htm?File=tsvt/htm/tsvt11.htm#H4032
    Nicolas.

  • Host Unreachable intermittently within a Windows Network Load Balancing Cluster

    Hi,
    We have 2 Windows 2008 R2 servers running multiple IIS web sites and load balanced with Windows Network Load Balancing in unicast mode. Although there are two interfaces in each server, only 1 interface in each server participates in load balancing and the other interface is used for a different backup LAN. The problem I am going to describe was not seen within the NLB for almost 1 year.
    I have noticed intermittent "host unreachable" detected from NLB in each host from time to time since 3 weeks ago. After the servers are rebooted, both hosts can be reached and can be detected from NLB Manager. However, they become unreachable in both servers within minutes and then become reachable again after several minutes. This behavior is noticed in the load balancer, and pings do not work between the two hosts when the issue occurs. I did a packet capture to see what was going on with ARP messages when the issue occurs. The ARP entry goes missing in each server when the problem occurs and no ARP replies are returned from either server. But ARP requests are dispatched from both servers when the issue occurs. ARP replies come back after some time, after which the hosts become reachable again.
    I tried to create a permanent static ARP entry (by copying the MAC address from the ARP table when the two hosts are reachable) in each host, but that hasn't solved the issue either. It seems like the individual MAC address generated by each host is a virtual one and it doesn't seem to respond when the problem occurs.
    However, load balancing and the web sites are fully functional without any issues even while the "host unreachable" issue is detected.
    I would appreciate it if someone could help me dig out the real problem.
    Thank you.

    Hi,
    Did you make any change to your network or the NLB firewall settings recently?
    If you are using the NLB cluster in a Hyper-V guest VM, you need to enable MAC address spoofing.
    The related article:
    Cannot access the virtual or dedicated IP address of an NLB node (Guest) running in Unicast Mode on Windows Server 2008 R2 Hyper-V
    http://blogs.technet.com/b/networking/archive/2010/02/12/cannot-access-the-virtual-or-dedicated-ip-address-of-an-nlb-node-guest-running-in-unicast-mode-on-windows-server-2008-r2-hyper-v.aspx
    More information:
    Selecting the Unicast or Multicast Method of Distributing Incoming Requests
    http://technet.microsoft.com/en-us/library/cc782694(v=ws.10).aspx
    Single network adapter
    http://technet.microsoft.com/en-us/library/cc776178(v=ws.10).aspx
    Hope this helps.

  • Hyper-V 2012 R2 & NLB (Network Load Balancing) with Unicast on VMs

    Hi,
    We set up a 2012 R2 Hyper-V cluster. On this cluster we would like to run 2 VMs which are using NLB (Network Load Balancing) in unicast mode.
    We have created an external virtual switch which is connected through a 3x10GB LACP team to a Cisco Nexus switch.
    We tried to set up NLB the way we did with 2008 R2, but we were not able to get this working. Is there any change in 2012 R2 we did not think about?
    Each time we form the cluster, one node becomes unavailable.
    Timo

    Check the virtual network adapter properties: you must enable MAC address spoofing. We had the same issues.
    Note that this will absolutely pollute your host machine's system log with tons of spam and make it pretty much worthless. I'm trying to find a way around this as we speak, actually.

  • URL-Based Load Balancing

    I'm having a difficult time trying to configure load balancing on my CSM based on the URL entered. Here is my scenario:
    Two web servers (WebA & WebB), load balanced on a CSM. WebA & WebB have 90% the same content, so most traffic can be load balanced between them without a problem. The problem (for me anyway) comes in where WebA has certain web sites that WebB doesn't, and vice versa. So I need to load balance to both for 90% of the traffic, and point traffic to a particular server the other 10% of the time based on the URL entered.
    Below is the test config I have so far (that doesn't work correctly). What I am trying for in this example is that any URL that contains /vhosts/ or /programs/ be directed to WebA, any URL that contains /platform/ or /ssl/ be directed to WebB, and all other traffic be load balanced between the two evenly. (For testing purposes, the servers are being load balanced in "bridge mode"; in production they will be in "routed mode". I didn't want to go through the change controls to change the IP addresses for the test servers!)
    module ContentSwitchingModule 2
      vlan 605 client
        ip address 10.63.240.4 255.255.255.0
        gateway 10.63.240.1
      vlan 606 server
        ip address 10.63.240.4 255.255.255.0
      natpool URL-POLICY-TEST 10.63.240.204 10.63.240.204 netmask 255.255.255.254
      map SRV-A url
        match protocol http url /vhosts/*
        match protocol http url /programs/*
      map SRV-B url
        match protocol http url /platform/*
        match protocol http url /ssl/*
      serverfarm URL-POLICY-TEST
        nat server
        nat client URL-POLICY-TEST
        real 10.40.109.100
          inservice
        real 10.40.109.101
          inservice
      serverfarm URL-TESTA
        nat server
        nat client URL-POLICY-TEST
        real 10.40.109.100
          inservice
      serverfarm URL-TESTB
        nat server
        nat client URL-POLICY-TEST
        real 10.40.109.101
          inservice
      policy TESTWEB-A
        url-map SRV-A
        serverfarm URL-TESTA
      policy TESTWEB-B
        url-map SRV-B
        serverfarm URL-TESTB
      vserver URL-POLICY_TEST
        virtual 10.63.240.10 tcp 0
        vlan 605
        serverfarm URL-POLICY-TEST
        sticky 1
        persistent rebalance
        slb-policy TESTWEB-A
        slb-policy TESTWEB-B
        inservice

    Thanks for the reply Gilles. I've been out of the office for a while.
    Well, right now nothing is working, except that all traffic is going to the default server farm assigned to the vserver. Here are the URLs I am testing with:
    **************TEST A************
    http://10.63.240.10/manual/vhosts/fd-limits.xml
    http://10.63.240.10/manual/programs/apachectl.xml
    **************TEST B************
    http://10.63.240.10/manual/platform/ebcdic.xml
    http://10.63.240.10/manual/ssl/ssl_compat.xml
    ***************BOTH****************
    http://10.63.240.10/manual/howto/htaccess.xml
    http://10.63.240.10/manual/howto/cgi.xml
    When I try attaching to the first URL, for example, here is the connection info (I trimmed it down so it will fit here):
    MOSL1S1A#sh mod csm 2 real
    real server farm Conns/hits
    10.40.109.100 URL-POLICY-TEST 1
    10.40.109.101 URL-POLICY-TEST 0
    10.40.109.100 URL-TESTA 0
    10.40.109.101 URL-TESTB 0
    MOSL1S1A#
    MOSL1S1A#sh mod csm 2 conn
    prot vlan source destination
    In TCP 605 10.47.10.10:3738 10.63.240.10:80
    Out TCP 605 10.40.109.101:80 10.63.240.204:8820
    I've tried changing the syntax of the URL statement in the map as follows:
    /manual/*
    */manual/*
    /manual/
    *manual*
    /manual*

  • Load Balancing FTP Server thru CSM using a single Client IP

    Hello,
    We have a need to load balance 3 FTP servers. These servers are reached only from a single client IP, which is a database server. The FTP method currently being used is passive. Our configuration is currently unidirectional, i.e. the FTP client (the one database server) sends to the VIP, and the FTP servers then talk directly back to the FTP client; the return traffic does not go back through the CSM. The problem is that because FTP negotiates another port to talk on, we have to use sticky so that the data connection is sent back to the original FTP server that announced the FTP data port. But since only a single client IP is ever used, we are not load balancing appropriately across the FTP servers.
    The traffic flow goes something like this; the TCP port follows after the colon, as an example:
    1. FTP Client ----> VIP:21
    2. CSM ---------> FTP Server:21
    3. FTP Server --------> FTP Client(FTP server says come talk to me on port 1700)
    4. FTP Client ---------> VIP:1700
    5. CSM ---------> FTP Server:1700
    6. FTP Server:1700 ---------> FTP Client
    repeat steps 4 thru 6
    Here is our hardware and software:
    WS-X6066-SLB-APC running 4.2(2)
    The config is as follows:
    module ContentSwitchingModule 9
      ft group 101 vlan 9
        priority 10
      vlan 216 client
        ip address 10.209.16.31 255.255.252.0
        gateway 10.209.16.1
      vlan 20 server
        ip address 10.209.0.31 255.255.252.0
        alias 10.209.0.11 255.255.252.0
      probe ICMP1 icmp
        interval 3
        failed 3
        receive 3
      serverfarm FHEPRT
        no nat server
        no nat client
        real 10.209.0.72
          inservice
        real 10.209.0.73
          inservice
        real 10.209.0.71
          inservice
        probe ICMP1
      sticky 106 netmask 255.255.255.255 address source timeout 3
      policy FHEPRT_POL1
        sticky-group 106
        serverfarm FHEPRT
      vserver FHEPRT1
        virtual 10.209.16.71 any
        vlan 216
        unidirectional
        serverfarm FHEPRT
        replicate csrp connection
        no persistent rebalance
        slb-policy FHEPRT_POL1
        inservice

    You are missing the "service ftp" config in the VIP definition. Try the following:
    vserver FHEPRT1
    virtual 10.209.16.71 tcp ftp service ftp
    Syed Iftekhar Ahmed
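
The FTP threads on this page (the DSR question at the top, Jaime's capture where the IP header was translated to 200.29.72.226 but the PORT payload still carried 10,3,2,1, and the CSM passive-FTP/sticky question just above) all come down to the same property of FTP: the data connection's endpoint is negotiated inside the control channel. The following Python is an added example, not code from any of the posts or from Cisco. It models what an `inspect ftp` style ALG has to do (decode and rewrite the PORT endpoint for NAT, and remember which real server negotiated which data port so the data connection is not re-balanced) and shows why a DSR deployment, which never sees the server's 227 reply, cannot track passive-mode data connections. The rserver 10.10.15.101 and VIP 192.168.5.5 are taken from the first post and the PORT argument from Jaime's capture; the 227 reply and the NAT port are constructed.

```python
"""Minimal model of an FTP ALG / load-balancer FTP inspector (added example).

Sample control-channel lines are constructed, except the PORT argument, which
is the one visible in the forum capture above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 959 encodes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> Optional[tuple[str, int]]:
    """Extract (ip, port) from a PORT command or a 227 PASV reply; None if absent/invalid."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(x > 255 for x in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def rewrite_port_command(line: str, nat_ip: str, nat_port: int) -> str:
    """What a NAT-aware FTP ALG does to an active-mode PORT command: replace the
    client's private endpoint with the translated one. Without this the remote
    server is told to connect back to an unroutable address (10.3.2.1 in the
    capture) and the transfer fails even though login on port 21 worked."""
    if not line.upper().startswith("PORT "):
        return line
    return f"PORT {encode_hostport(nat_ip, nat_port)}\r\n"


@dataclass
class FtpInspector:
    """State a load balancer keeps per control channel when inspecting FTP.

    expected maps (mode, (ip, port)) of a negotiated data connection to the
    rserver that negotiated it, so the data connection goes to the same real
    server without relying on a source-IP sticky group.
    sees_return_path=False models DSR: server->client packets bypass the LB.
    """
    sees_return_path: bool = True
    expected: dict = field(default_factory=dict)
    pending_pasv: list = field(default_factory=list)

    def client_to_server(self, rserver: str, line: str) -> None:
        cmd = line.strip().split(" ", 1)[0].upper()
        if cmd == "PORT":
            ep = decode_hostport(line)
            if ep:
                # Active mode: the rserver will connect from port 20 to this endpoint.
                self.expected[("active", ep)] = rserver
        elif cmd == "PASV":
            # Passive mode: the endpoint is only known from the server's 227 reply.
            self.pending_pasv.append(rserver)

    def server_to_client(self, line: str) -> None:
        if not self.sees_return_path:
            return  # DSR: this reply never traverses the load balancer.
        if line.startswith("227") and self.pending_pasv:
            rserver = self.pending_pasv.pop(0)
            ep = decode_hostport(line)
            if ep:
                self.expected[("passive", ep)] = rserver

    def owner_of(self, mode: str, ip: str, port: int) -> Optional[str]:
        """Which rserver should receive the data connection for (ip, port)?"""
        return self.expected.get((mode, (ip, port)))


def passive_session(dsr: bool) -> Optional[str]:
    """Replay a constructed passive-mode exchange and report which rserver the
    follow-up data connection to VIP:1025 resolves to (None = state lost)."""
    insp = FtpInspector(sees_return_path=not dsr)
    insp.client_to_server("10.10.15.101", "PASV\r\n")
    # Constructed 227 reply carrying the VIP; port = 4*256 + 1 = 1025.
    insp.server_to_client("227 Entering Passive Mode (192,168,5,5,4,1)\r\n")
    return insp.owner_of("passive", "192.168.5.5", 1025)


if __name__ == "__main__":
    print(decode_hostport("PORT 10,3,2,1,7,191"))
    print(rewrite_port_command("PORT 10,3,2,1,7,191\r\n", "200.29.72.226", 39292))
    print("routed:", passive_session(dsr=False), "dsr:", passive_session(dsr=True))
```

`passive_session(dsr=True)` returns None: the inspector never saw the 227 reply, so when the client opens the data connection to the VIP there is nothing to pin it to the right real server. That is the structural reason `inspect ftp` on a transparent (DSR) serverfarm cannot do for passive FTP what it does in routed or one-armed mode, and why the CSM post falls back to source-address sticky, which degrades to a single server when there is only one client IP.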

  • Load balancing FTP/HTTP on same VIP

    Hi,
    Please could someone confirm whether it is possible to load balance FTP and HTTP on the same VIP? Would something like this work in a one-armed design?
    class-map match-any WCVS
      2 match virtual-address 20.0.0.1 tcp eq www
      4 match virtual-address 20.0.0.1 tcp eq ftp
    policy-map multi-match int3
      class WCVS
        loadbalance vip inservice
        loadbalance policy VS-l7slb
        inspect ftp
        nat dynamic 5 vlan 20
    int vl20
    service-policy input int3

    Hello,
    I assume you want to ultimately use cookie sticky, since it is in your config but not yet used. The '80' next to the rservers within the serverfarm will keep FTP from working, because it forces the ACE to always use a destination port of 80 to the rservers, which is good for HTTP but not so good for FTP. Below is your config with some modifications. I've created a new serverfarm for FTP, created a new probe for that farm, included HTTP cookie sticky, and created a new L7 policy-map. There is one line that I would like you to remove and see if it works. If it does not, then add this line back and see if it works.
    Let me know how it goes...
    logging enable
    logging buffered 6
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    probe http Probe_HTTP
      interval 5
      passdetect interval 60
      expect status 200 200
      open 2
      receive 2
    probe tcp Probe_FTP
      port 21
      interval 5
      passdetect interval 60
      open 2
      receive 2
    rserver host Server1
      ip address 10.10.10.10
      conn-limit max 4000000 min 4000000
      inservice
    rserver host Server2
      ip address 10.10.10.11
      conn-limit max 4000000 min 4000000
      inservice
    serverfarm host FARM-HTTP
      probe Probe_HTTP
      rserver Server1 80
        conn-limit max 4000000 min 4000000
        inservice
      rserver Server2 80
        conn-limit max 4000000 min 4000000
        inservice
    serverfarm host FARM-FTP
      probe Probe_FTP
      rserver Server1
        conn-limit max 4000000 min 4000000
        inservice
      rserver Server2
        conn-limit max 4000000 min 4000000
        inservice
    sticky http-cookie XXX_tempCookie XXX_tempCookie
      cookie insert
      serverfarm FARM-HTTP
    class-map type management match-any Management
      201 match protocol http any
      202 match protocol https any
      203 match protocol icmp any
      204 match protocol kalap-udp any
      205 match protocol ssh any
      206 match protocol telnet any
      207 match protocol xml-https any
    class-map match-any XXX-WCVS-WWW
      2 match virtual-address 10.10.10.100 tcp eq www
    class-map match-any XXX-WCVS-FTP
      2 match virtual-address 10.10.10.100 tcp eq ftp
      3 match virtual-address 10.10.10.100 tcp range 1023 65535   <-- try first without this, then with this
    class-map match-any NAT-VIP
      2 match destination-address 10.10.10.100 255.255.255.255
    policy-map type management first-match Management
      class Management
        permit
    policy-map type loadbalance first-match XXX_VS-l7slb-WWW
      class class-default
        sticky-serverfarm XXX_tempCookie
    policy-map type loadbalance first-match XXX_VS-l7slb-FTP
      class class-default
        serverfarm FARM-FTP
    policy-map multi-match int3
      class XXX-WCVS-WWW
        loadbalance vip inservice
        loadbalance policy XXX_VS-l7slb-WWW
      class XXX-WCVS-FTP   
        loadbalance vip inservice
        loadbalance policy XXX_VS-l7slb-FTP
        inspect ftp   
      class NAT-VIP
        nat dynamic 5 vlan 12
    interface vlan 12
      ip address 10.10.10.1 255.255.255.0
      alias 10.10.10.3 255.255.255.0
      peer ip address 10.10.10.2 255.255.255.0
      access-group input ALL
      nat-pool 5 10.10.10.100 10.10.10.100 netmask 255.255.255.0 pat
      service-policy input Management
      service-policy input int3
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.10.10.254

  • Dynamic LBFO Load Balancing mode causing issues

    Hi,
    We're running a couple of virtual machines with the BIG-IP Virtual Edition in a Windows Server 2012 R2 Hyper-V cluster.
    These virtual machines have had problems where traffic sent through the virtual machines doesn't get through, due to the MAC addresses of the physical team NICs being replaced with the MAC address of the team member actually used to transmit the packet.
    Reference:
    Windows Server 2012 R2 NIC Teaming (LBFO) Deployment and Management
    Blog post - Server 2012 Hyper-V / NIC Team Oddity
    One of the comments in the blog post states what we are seeing:
    The reason for the MAC address switching you're seeing is that Server 2012 in some cases will replace the source MAC address on Ethernet frames with the MAC address of the team member actually used to transmit the packet. The reason for this is that if it always kept the MAC address intact, the switch would throw alarms for "MAC flapping", i.e. seeing a given MAC address bouncing back and forth between switch ports.
    When we changed the load balancing mode from Dynamic to Hyper-V Port, the problem was resolved.
    Is it possible to solve this problem while still using Dynamic as the load balancing mode? Would LACP instead of switch-independent teaming mode solve the problem?

    @Rob Thanks, that's useful information. Did they suggest any other solutions/workarounds (such as LACP)?
    @Alex I understand that I need to configure my switches if I'm going to use LACP, but will LACP cause a different behaviour regarding the replacement of the source MAC address on Ethernet frames? In other words: will LACP be an alternative solution/workaround to using Hyper-V Port in switch-independent mode?
    I can't answer this from experience because I've never had this problem.
    But the basic issue with switch-independent mode is that the physical switch is completely unaware that there is any team at all. It can only operate within the base rules of Ethernet, which say that a MAC address can only appear on one endpoint at a time. So if you have built a switch-independent team that crosses 4 physical adapters and a Hyper-V virtual switch on top of that, what the physical switch "sees" is four distinct endpoints that are hosting multiple MAC addresses. When one of the virtual adapters transmits on a virtual switch, it could, depending on the load-balancing mode, use any of the four physical lines. If it uses the same source MAC address while communicating across all four lines, the switch might panic. It wants to know where the MAC really is, for purposes of knowing where to deliver its inbound packets and, depending on security configuration, to be sure that there's not an unauthorized spoofing attempt in progress. That's why the dynamic mode uses MAC substitution.
    The Hyper-V Port mode gets around this by locking each virtual adapter onto a single physical channel so that its MAC address doesn't move. This has the cost of not allowing traffic on any given virtual adapter to be load-balanced.
    In an LACP connection, the physical switch is fully aware of the team, and furthermore it knows that it's not an endpoint. All the MAC addresses of the virtual adapters are associated with this single aggregated tunnel, not with the individual physical adapters. When it comes down to deciding which of the physical adapters to use to carry any given transmission, that can be negotiated by the switches without the need to lock a MAC to a specific adapter. There isn't, or at least there shouldn't be, any need for the dynamic mode to perform MAC substitution.
    Again, I'm speaking from theory, not direct experience with what you're asking about. I do make regular use of the dynamic mode on LACP trunks, but I don't run any applications that would have this MAC sensitivity issue. For all I know, dynamic still performs this substitution and I just don't understand why. Also, there's a chance your symptoms just happen to point to this substitution as being a problem. But I would say there's a good chance that using Dynamic/LACP will solve your issue.
    Eric Siron
    Altaro Hyper-V Blog
    I am an independent blog contributor, not an Altaro employee. I am solely responsible for the content of my posts.
