Nat load balancing
Hi
I have a cisco ASA firewall (9.1). I have 2 x FTP servers that sit in the DMZ
10.99.1.60
10.99.1. 61 I want to NAT them to 193.164.55.20
So when ever an external connection trys to contact my FTP server it will pick either one at Random
Many thanks
I think you'd need to make the two servers a cluster and create a virtual server that includes both pieces of hardware.
From Cisco in regards to asa 9.1: Load balancing works with IPsec clients and SSL VPN client and clientless sessions. All other VPN connection types (L2TP, PPTP, L2TP/IPsec), including LAN-to-LAN, can connect to an ASA on which load balancing is enabled, but they cannot participate in load balancing.
There's a huge writeup here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_params.html
And without the equipment to play with, I cannot offer anymore help. Most of the load balancing I've dealt with is through netscalers and f5's.
Similar Messages
-
IOS NAT Load Balancing w/ Failover Problem
Greetings, i am currently using the configuration below to provide failover between two DSL connections, all is working fine but i had expected outbound connections to be load balanced between the two DSL links on a round robin basis, however looking at the nat translations shows that only one of the links is being used, failover on the other hand works without issue.
track 1 ip sla 1 reachability
interface FastEthernet0/0
ip address 10.50.1.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
interface FastEthernet0/1
ip address 192.168.1.6 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
interface Dialer0
description WAN Interface
mtu 1492
ip address **********
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
dialer pool 1
interface Dialer1
description WAN Interface
mtu 1492
ip address **********
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
dialer pool 2
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 212.74.102.15 track 1
ip route 0.0.0.0 0.0.0.0 213.246.177.200 10
ip nat translation timeout 2
ip nat translation tcp-timeout 2
ip nat translation udp-timeout 2
ip nat translation icmp-timeout 2
ip nat inside source route-map opal interface Dialer1 overload oer
ip nat inside source route-map pipex interface Dialer0 overload oer
ip access-list extended dynamicNat
permit ip 10.50.1.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
deny ip any any
ip sla 1
icmp-echo 212.74.102.15
frequency 5
ip sla schedule 1 life forever start-time now
route-map opal permit 10
match ip address dynamicNat
set ip next-hop 213.246.177.200
route-map pipex permit 10
match ip address dynamicNat
set ip next-hop verify-availability 212.74.102.15 1 track 1
Any assistance would be much appreciated.
RegardsHi
Thank you for this post man ! this have been so useful. I experienced almost the same problem the router was load balancing well, but the failover was not occuring well between both equal default route.
After using those command: ip nat translation timeout for tcp icmp and udp all the system has worked propertly. yeah you need a Big bottle of Jack Daniel :) the funniest thing behind is that help me 5 years After......................!!!! -
WRT310N - NAT Load Balancing?
Hi,
Is it possible to have a NAT load blanacing service on a WRT310N router? I would like to setup a web farm that contains multiple webserver. If the router receives a HTTP request, it will automatically forward to request to any of the server in the web farm. Can I do this with WRT310N?
Thanks!
--DerekI think you'd need to make the two servers a cluster and create a virtual server that includes both pieces of hardware.
From Cisco in regards to asa 9.1: Load balancing works with IPsec clients and SSL VPN client and clientless sessions. All other VPN connection types (L2TP, PPTP, L2TP/IPsec), including LAN-to-LAN, can connect to an ASA on which load balancing is enabled, but they cannot participate in load balancing.
There's a huge writeup here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_params.html
And without the equipment to play with, I cannot offer anymore help. Most of the load balancing I've dealt with is through netscalers and f5's. -
Load balancing weirdness using NAT and same-metric route
Hi.
I'm trying to set up a double-WAN load-balancing scenario:
I decided to attempt the "multiple same-metric routes with NAT" approach so I went for the example used in the IOS NAT Load-Balancing for Two ISP Connections Configuration Guide [1].
I decided to use an upside-down Cisco 871-SEC/K9: use Vlan1 and Vlan2 for the routers and Fa4 for the LAN. I am hoping this is not an issue.
There is this weirdness with some connections, particularly FTP. I pinpointed the problem to the following scenario: if I do a couple of pings to 100.1.1.1 using the FastEthernet4 as the source address, this is what I get in the logs:
=== PING 1 ECHO REQUEST ===
*Mar 3 04:38:43.521: IP: tableid=0, s=192.168.60.4 (FastEthernet4), d=100.1.1.1 (Vlan1), routed via RIB
*Mar 3 04:38:43.521: NAT: s=192.168.60.4->10.129.124.2, d=100.1.1.1 [14152]
*Mar 3 04:38:43.521: IP: s=10.129.124.2 (FastEthernet4), d=100.1.1.1 (Vlan1), g=10.129.124.1, len 60, forward
*Mar 3 04:38:43.521: ICMP type=8, code=0
=== PING 1 ECHO REPLY ===
*Mar 3 04:38:45.589: NAT*: s=100.1.1.1, d=10.129.124.2->192.168.60.4 [19824]
*Mar 3 04:38:45.589: IP: tableid=0, s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), routed via RIB
*Mar 3 04:38:45.589: IP: s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), g=192.168.60.4, len 60, forward
*Mar 3 04:38:45.589: ICMP type=0, code=0
=== (something else) ===
*Mar 3 04:38:52.353: RT: SET_LAST_RDB for 0.0.0.0/0
OLD rdb: via 10.129.124.33, Vlan2
NEW rdb: via 10.129.124.1, Vlan1
=== PING 2 ECHO REQUEST ===
*Mar 3 04:38:52.353: IP: tableid=0, s=192.168.60.4 (FastEthernet4), d=100.1.1.1 (Vlan2), routed via RIB
*Mar 3 04:38:52.353: NAT: s=192.168.60.4->10.129.124.2, d=100.1.1.1 [14159]
*Mar 3 04:38:52.353: IP: s=10.129.124.2 (FastEthernet4), d=100.1.1.1 (Vlan2), g=10.129.124.33, len 60, forward
*Mar 3 04:38:52.353: ICMP type=8, code=0
=== PING 2 ECHO REPLY ===
*Mar 3 04:38:53.029: NAT*: s=100.1.1.1, d=10.129.124.2->192.168.60.4 [19825]
*Mar 3 04:38:53.029: IP: tableid=0, s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), routed via RIB
*Mar 3 04:38:53.033: IP: s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), g=192.168.60.4, len 60, forward
*Mar 3 04:38:53.033: ICMP type=0, code=0
In the section "Ping 2 Echo Request" line 2 shows the NAT translating the packet to the address for the first provider but line 3 shows it routing it through the second one.
In this case, the ICMP packet goes through but it is problematic if the ISP restricts the service by source-address (like RPF) or there is some acceleration mechanism inside the provider cloud, other than just plain routing.
What am I missing? Here is the relevant part of the configuration. I deliberately disabled CEF to be able to debug the messages, but I *think* this may be altering the actual router behavior. This router does not have a "debug ip cef packet" command.
no ip cef
ip dhcp pool lan-side
import all
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
domain-name doublewan.local
dns-server 8.8.8.8 8.8.4.4
lease infinite
ip domain name doublewan
interface FastEthernet0
!doesn't appear on running-config: vlan 1 is the default access vlan
!switchport access vlan 1
interface FastEthernet1
switchport access vlan 2
interface FastEthernet2
shutdown
interface FastEthernet3
shutdown
interface FastEthernet4
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
interface Vlan1
ip address 10.129.124.2 255.255.255.224
ip nat outside
ip virtual-reassembly
no ip route-cache
interface Vlan2
ip address 10.129.124.35 255.255.255.224
ip nat outside
ip virtual-reassembly
no ip route-cache
ip route 0.0.0.0 0.0.0.0 Vlan1 10.129.124.1
ip route 0.0.0.0 0.0.0.0 Vlan2 10.129.124.33
ip nat inside source route-map nat1 interface Vlan1 overload
ip nat inside source route-map nat2 interface Vlan2 overload
ip access-list standard acl4-nexthop-vlan1
permit 10.129.124.1
ip access-list standard acl4-nexthop-vlan2
permit 10.129.124.33
route-map nat2 permit 10
match ip address 102
match ip next-hop acl4-nexthop-vlan2
match interface Vlan2
route-map nat1 permit 10
match ip address 101
match ip next-hop acl4-nexthop-vlan1
match interface Vlan1
control-plane
Of course, there is some configuration pending for redundancy and stuff.
Thanks a lot in advance.
[1] http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/100658-ios-nat-load-balancing-2isp.htmlHello.
This might be a bug in debug command or the IOS (without ip cef) you use; as routing is done before NAT (inside to outside).
To make sure it works fine with ip cef, just enable strict uRPF (or just ACL) on .1 and .33 interfaces and see if you see any packet sent over wrong interface.
PS: please check "sh ip cef 100.1.1.1"; I guess ip cef would tell you "per-destination sharing". -
Cisco 886VA - Multiple PPPoE Line Load Balancing
Dear Cisco Community,
due to the need of increased bandwidth a customer ordered three ADSL6000/576Kbit lines from the same ISP. Dial-in is done with PPPoE and the IP is not static.
- Is it possible to load balance between the three ISP lines with this router as the Cisco 886VA-K9 (Advanced IP Services) doesnt support PFR/OER I want to load balance per session, meaning each TCP session takes the same path, the next TCP session takes second path, next TCP session takes third path, then first path again and so on.
- I did read the tutorials avaiable, but they don't discuss how the lines are used in round-robin fashion, just how to distribute different traffic on different lines. (https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla?page=1) or (http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/100658-ios-nat-load-balancing-2isp.html)
- How would you solve this challenge?
Relevant config so far:
vlan 1
name #LAN#
vlan 2
name #WAN-Uplink1#
vlan 3
name #WAN-Uplink2#
interface FastEthernet0
description #LAN#
switchport access vlan 1
interface FastEthernet2
description #WAN-Uplink1#
switchport access vlan 2
no ip address
pppoe enable
pppoe-client dial-pool-number 20
interface FastEthernet3
description #WAN-Uplink2#
switchport access vlan 3
no ip address
pppoe enable
pppoe-client dial-pool-number 30
interface ATM0
description #WAN-Uplink3#
no ip address
logging event atm pvc state
logging event atm pvc autoppp
logging event subif-link-status
no atm ilmi-keepalive
no ip redirects
no ip unreachables
no ip proxy-arp
dsl enable-training-log delay 0
dsl bitswap both
interface ATM0.1 point-to-point
bandwidth 550
bandwidth receive 6000
pvc pvc 1/32
pppoe enable
pppoe-client dial-pool-number 10
vbr-nrt 500 500 1
service-policy out WAN-Control1-Parent
interface Vlan1
description #LAN#
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Dialer1
description #WAN-Dialer1#
bandwidth 550
bandwidth receive 6000
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 20
dialer idle-timeout 0
ppp authentication chap pap callin
ppp chap hostname XXX
ppp chap password XXX
ppp pap sent-username XXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
service-policy output WAN-Control2-Parent
interface Dialer2
description #WAN-Dialer2#
bandwidth 550
bandwidth receive 6000
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 30
dialer idle-timeout 0
ppp authentication chap pap callin
ppp chap hostname XXX
ppp chap password XXX
ppp pap sent-username XXXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
service-policy output WAN-Control3-Parent
interface Dialer3
description #WAN-Dialer3-ATM#
bandwidth 550
bandwidth receive 6000
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 10
dialer idle-timeout 0
ppp authentication chap pap callin
ppp chap hostname XXX
ppp chap password 7 XXX
ppp pap sent-username xxx
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
ip nat inside source route-map ISP1 interface Dialer1 overload
ip nat inside source route-map ISP2 interface Dialer2 overload
ip nat inside source route-map ISP3 interface Dialer3 overload
route-map ISP1 permit 10
match ip address 100
match interface Dialer1
route-map ISP2 permit 10
match ip address 100
match interface Dialer2
route-map ISP3 permit 10
match ip address 100
match interface Dialer3
access-list 100 remark #NAT-LIST#
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
Thank you for helping.Hey there,
I managed to fulfill my requirement..
If its a cluster on same machine or across machines, this should work
1. Login to machine, cd $DOMAIN_HOME
2. mkdir -p Apex_lsn_config/AdminServer Apex_lsn_config/<MS1> Apex_lsn_config/<MS2> # MS1 and MS2 are the Managed Server names as appropriate
#If you are planning for cluster spawning MS's across machines, make sure you create the dir's on step 2 for each machine respectively. (in my case $DOMAIN_HOME is not shared)
3. Copy apex-config.xml from the /tmp/apex or whatever location you have it currently to Apex_lsn_config/<MS1> Apex_lsn_config/<MS2>
4. cd $DOMAIN_HOME/bin; cp -p SetDomainEnv.sh SetDomainEnv.sh.orig #Backup the file
5. Append -Djava.io.tmpdir in SetDomainEnv.sh as below for JAVA_OPTIONS # Do it on both machine if you are not sharing DOMAIN_HOME and planning cluster across machines
-Djava.io.tmpdir=$DOMAIN_HOME/APEX_CONFIG/${SERVER_NAME}
Hint: Search for "iterativeDev" and append the same line with -Djava.jo.tmpdir
6. Modify "java.io.tmpdir" from the web.xml file of apex.war as below and re-deploy the war
<context-param>
<param-name>config.dir</param-name>
<param-value>${java.io.tmpdir}</param-value>
</context-param>
7. Bounce Weblogic Admin and Manged Servers. Make sure to tail the Managed Server log to see apex-config.xml is picked from the new location.
8. Brew a Coffee for yourself :)
- You find the instructions on creating a cluster from weblogic documentation, the steps mentioned above are only to overcome the bdb locking issue whilst creating a cluster.
Did it help?
Edited by: Oratime on Mar 25, 2013 2:44 AM -
ADSL & DSL internet link load balancing cisco router
Plz Help...
I need to distribute my Internet connection through internet link load balancing cisco router.
I have One ADSL & DSL Connection, which all are conntcted two seperate ADSL(RJ-11) & DSL(RJ 45) Router & distributed through 24 port switch (Router to Switch connection are manual mode ). But I need to use both simultaneous or 1st link 1st connecttion & mode.IOS NAT Load-Balancing for Two ISP Connections
-
Load-balancing nat-t connections to VPN concentrators
I'm currently using a CSS to provide redundancy across some nat-t VPN RAS sessions to some VPN concentrators (in different geographical areas) This works fine, but because I have to create content rules for both UDP 500 and UDP 4500 traffic, I'm concenred that if I move to a genuine load-balanced arrangement instead of merely redundancy, the CSS units might decide to direct UDP500 traffic from a remote user to one concentrator, and the subsequent UDP4500 traffic to another. I tried port ranges and a single content rule - no success. Does anyone know how to associate 2 udp content rules to enforce traffic symmetry, or will a default srcip balancing rule see the concentrator balance traffic based on srcip globally across all content rules?
if you do balance srcip, the CSS will use a hash and this hash function should be the same for all the content rules, so giving you the same results.
A single layer3 content rule with advanced-balance sitcky-srcip should work as well.
Regards,
Gilles. -
Hello,
If all the clients are behind an ISP and as a result coming in with a single NAT address is it still possible to attain load balancing across multiple servers using "predictor hash address dest 255.255.255.255"?
Thanks,
MurtazaComing from a single NAT source IP address, you may want to consider some form of alternative load balancing besides source IP(such as cookie, x-forwarded-for header, etc). A source IP address is a source IP address and is not likely to give you the results you need if the NAT IP address doesnt change.
-
IPsec on hosts behind load balancing NAT
Hi,
I have a problem configuring IPsec tunnel between two sites, with one is using NAT for load balancing of TCP Traffic. I've been working on this for hours but i foung myself in a dead end.
I have one router using NAT TCP load balancing of telnet traffic(in real deployment i need ftp load balancing, i am using telnet for testing purposes). This router is connected to another router, where multiple hosts are connected. I need to protect the traffic from those hosts to the server that is load balanced using NAT.
So far i was no able to configure IPSec to work properly with this setup. I have working configuration with IPSec encrypting some traffic not destinated behind NAT, but once I add a line in the traffic specifying access lists on both sides the IPSec stops working(and it wont work from any site of the connection, from behind the NAT or destinated behind the NAT). The access list on the router performing NAT is configured to allow any traffic destinated to some specific addresses and the access list on the router with connected hosts specifies that any connection destinated to the global address, where the server are reachable, should be encrypted.
On the side where the traffic comes from i allways see a debug output like this:
ar 1 05:23:54.294: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.10.2, remote= 10.0.10.1,
local_proxy= 10.0.2.1/255.255.255.255/6/0 (type=1),
remote_proxy= 195.10.0.1/255.255.255.255/6/23 (type=1),
protocol= ESP, transform= esp-des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xA42ED8F1(2754533617), conn_id= 0, keysize= 0, flags= 0x400A
195.10.0.1 is my global address for the FTP server
on the side where the encryption should be terminated i allways see an output like this:
*Mar 1 05:23:54.130: map_db_find_best did not find matching map
*Mar 1 05:23:54.130: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.10.1
But i can see that there is a crypto map for address 10.0.10.1
RA#sh cryp map
Crypto Map: "TCP_ENCRYPTION" idb: Serial0/0 local address: 10.0.10.1
I tried to use some of the NAT traversal techniques for IPSec but without any success.
If you have any idea what could be the problem or if you need any additional information or debugging output i will be glad for any help.
Thanks, AdrianThis is a lab scenario and i want to test for my learning how IPSec would work in such a case.
I have tried it but IPSec doesnt work with standard configuration. Below is the configuration
I have configured 2 loopback. on R1: 100.1.1.1
on R2: 200.1.1.1
R1:
crypto isakmp policy 10
auth pre
enc des
hash md5
group 2
crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
crypto ipsec transform-set test esp-des esp-md5-hmac
mode tunnel
access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
crypto map test 10 ipsec-isakmp
mat address 101
set peer 10.1.1.1
set transform-set test
ip route 0.0.0.0 0.0.0.0 10.1.0.2
R2:
crypto isakmp policy 10
auth pre
enc des
hash md5
group 2
crypto isakmp key 0 cisco address 10.1.3.1 (R2's IP)
crypto ipsec transform-set test esp-des esp-md5-hmac
mode tunnel
access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
crypto map test 10 ipsec-isakmp
mat address 101
set peer 10.1.3.1 (it will be 10.1.3.1-natted ip right ?)
set transform-set test
ip route 0.0.0.0 0.0.0.0 10.1.1.2
Now when i ping from R1:
ping 200.1.1.1 source 100.1.1.1
its not successful. Why doesnt it work any idea ? -
SRP541W WAN Load Balancing and NAT
Hello All,
New to the forums. Thanks for taking the time to read my post. I recently switched my office over from a RV042 to SRP541W. We have 2 DSL lines and have used the Load Balance feature on the RV42 to make the best of the connecton speeds. When setting up the SRP541W when i select load balancing it tells me NAT should be disabled. Why is that? I see a place to input static routes but Im not entirly sure what needs to be done here to set this up correctly. Any input would be appriciated. Also right off the bat we had some issues with access to Google Docs and Mail. I think its becuase those sites dont like seeing access from multiple IPs (fromt the Dual WAN) so I set up a entry in Policy Routing directing all traffic from port 443 to go through one WAN, is this the right way to do this?
Thanks!
Mike-Dear Mike,
Thank you and welcome to the Small Business Support Community.
It is possible to configure load balancing with NAT, however in this case, remote internet servers will potentially see sessions from remote hosts behind the SRP541W coming from different source IP addresses (the WAN IP addresses), causing the sessions to be reset unexpectedly.
The Policy Routing setting you setup is exactly what I would do in your case.
I hope these answer your question and please do not hesitate to reach me back if there is anything else I may assist you with.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so other will know when an answer has been found. -
CSS 11050 Load Balancing with Single VLAN (no NAT)
We have several CSS 11050's in use on our network, cheifly for load-balancing web servers. In a test network I've set up, I've configured our test servers' IP addresses and our load-balanced IP address to be on the same subnet. This way our developers can easily check both single servers as well as the LB configuration. This got me thinking...
All the config documentation I've seen on the CSS seems to assume that you are putting the VIP for the content rule on a different VLAN than the IPs for the services. Is there any particular need for this? I'm in the process of setting up another network that will have its services NATed behind a PIX. There are some services (WWW) that I want load balanced and some services (passive FTP with one server) where there's really no need. Would I do any harm by putting the content rules' VIPs on the same subnet as the servers themselves? I can still plug the servers into the other ports on the CSS so that I'm not really doing a "one-arm" configuration.
-Mark RomerYou shouldn't have any problem doing this. In addition to load balancing web servers we've also balanced terminal servers that are configured to be accessed by remote users through VPN connections. Because we have over 90 remote locations, I didn't want the services and the VIP addresses to be on different VLAN's because I'd have to reconfigure the routers in all the remote locations. I was in the same position you're in, all the documentation indicated different VLAN's but I thought it would be a worth a try. Everything works perfectly...
Cody Rowland -
Lync 2013 Enterprise load balancing on the front end and edge pool
Hi,
I am setting up a Lync 2013 Enterprise deployment consisting of a Front End pool (x2 FE servers) and an Edge pool (x2 Edge servers). I'm seeing some conflicting advice regarding load balancing using hardware or DNS for the front end and the edge.
On the front end I have 2 internal DNS records 'lyncfepool1.contoso.local' each of which map to one of the IPs of the FE servers. I've used my details to populate the Detailed Design Planner excel spreadsheet and am told that I require a HLB to load
balance my front end pool. I'm aware of the need to load balance HTTPS traffic internally (which will be done by TMG) however other traffic to the front end (SIP, etc) can be balanced by DNS only, and not require a HLB?
Can someone clarify the front end requirement?
Also - looking now at the edge pool - this site again have two edge servers in a pool. We are using a total of six private IP addresses, two per edge service (2 x av.contoso.com, 2 x sip.contoso.com and 2 x webcon.contoso.com). These will be
NAT'ed by the external firewall and directed to the respective external (DMZ) IP addresses on the Edge servers on port 443. I know this isn't true roundrobin due to the intelligence of the Lync client when connecting (in that the Lync client will connect
to one of the public IPs and if it can't connect, it will know to connect to the other service IP), however I want to clarify this set up, particularly the need to direct the external public IP traffic at the DMZ Edge IP specified in the topology builder.
I've attached a basic diagram of the external/DMZ/Edge side which hopefully helps with this question
Persevere, Persevere, Per..That is because you will always need HLB for a front-end server since it hosts the Lync webservices which use HTTP/HTTPS traffic.
The description on the calculation tool also describes this correctly:
Supports Standard and Enterprise pools (up to 12 nodes), with pure device-based load balancing or a combination of DNS load balancing and device-based load balancing (for
Lync web services)
You can use either Hardware or DNS loadbalancing for SIP traffic only, but you will always need a HLB for the webservices. Both are applicable for the Front-End so you have either
full HLB for both SIP and HTTP(S) traffic
DNS LB for SIP traffic and HLB for HTTP(S) traffic
Hope this is more clear :-)
Lync Server MVP | MCITP Lync Server 2010 | If you think my post is the answer to your question, please mark it as answer so future visitors can easily find it. -
ACE load balancing servers on different subnets...
Hello,
I have the following issue.... need to load balance traffic between two servers already working in two different subnets (vlans), at this point is highly desirable to avoid changing IP addresses. Is it possible to accomplish this goal using ACE? routed or bridged mode? is it strictly necessary to have all servers belonging to a serverfarm in the same subnet?
Thanks in advanced for your support.Hi,
You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.
The following extract from a configuration shows the basic principle:
rserver host master
ip address 10.199.95.2
inservice
rserver host slave
ip address 10.199.38.68
inservice
serverfarm host FARM-web2-Master
description Serverfarm Master
probe PROBE-web2
rserver master
inservice
serverfarm host FARM-web2-Slave
description Serverfarm Slave
probe PROBE-web2
rserver slave
inservice
class-map match-any L4VIPCLASS
2 match virtual-address 10.199.80.12 tcp eq www
3 match virtual-address 10.199.80.12 tcp eq https
policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
class REMOTE-ACCESS
permit
policy-map type loadbalance first-match LB-POLICY
class class-default
serverfarm FARM-web2-Master backup FARM-web2-Slave
policy-map multi-match L4POLICY
class L4VIPCLASS
loadbalance vip inservice
loadbalance policy LB-POLICY
loadbalance vip icmp-reply active
loadbalance vip advertise
nat dynamic 1 vlan 384
service-policy input L4POLICY
interface vlan 383
description ACE-web2-Clientside
ip address 10.199.80.13 255.255.255.248
alias 10.199.80.12 255.255.255.248
peer ip address 10.199.80.14 255.255.255.248
access-group input ACL-IN
access-group output PERMIT-ALL
no shutdown
interface vlan 384
description ACE-web2-Serverside
ip address 10.199.80.18 255.255.255.240
alias 10.199.80.17 255.255.255.240
peer ip address 10.199.80.19 255.255.255.240
access-group input PERMIT-ALL
access-group output PERMIT-ALL
nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
HTH
Cathy -
How do I load balance TFTP between two servers and a client on the same subnet?
Hi,
I have trawled through several documents and tried umpteen different configs, all to no avail. I have a PXE boot client trying to access a boot file via TFTP from a couple of TFTP servers on the same VLAN/subnet. For HA purposes I want to load balance the two TFTP servers.
Config is currently;
=====
probe icmp ICMP_PROBE
description icmp probe for default gateway tracking
interval 5
passdetect interval 15
rserver host server1
description Server1
ip address 10.0.0.1
inservice
rserver host server2
description Server 2
ip address 10.0.0.2
inservice
serverfarm host serverfarm_01
description servers used
probe ICMP_PROBE
rserver server1
inservice
rserver server2
inservice
class-map match-all L4_VIP_TFTP
10 match virtual-address 10.0.0.10 udp eq 69
policy-map type loadbalance first-match L7_TFTP
class class-default
serverfarm serverfarm_01
policy-map multi-match L4_LB_VIP_POLICY
class L4_VIP_TFTP
loadbalance vip inservice
loadbalance policy L7_TFTP
loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
interface vlan 200
ip address 10.0.0.250 255.255.255.0
nat-pool 1 10.0.0.241 10.0.0.243 netmask 255.255.255.255 pat
service-policy input L4_LB_VIP_POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.254
=====
I have read the doco by Ivan Kovacevic amongst many others but as my clients and servers are on the same subnet, the config doesnt work.
Can anybody point me in the right direction please. The devices are ACE 4710 running A3(2.3).
ThanksTry using the following configuration:
Note: Please make sure to configure also a udp probe to probe udp port 69, in case the application is down.
You need to configure a management policy on the interface when using a UDP probe.
That is because, when port 69 on the server will be unreachable, the server will send an ICMP unreachable.
ACE will consider a udp probe as "failed" only when it sees ICMP unreachable.
Without a management policy-map, the ICMP unreachable message will be dropped.
Also, add an ICMP probe to the rserver because udp probe will not be enough when the physical interface will be down.
That is because UDP is a connection-less protocol. To consider a UDP probe successfull, ACE need to see NO answer from the server in respose to the probe.
The ACE will not see any answer from the server when the interface is down and thus, will consider the probe as "sucessful".
With ICMP probe attached to the rserver, you also test the reachability of the server and not only the UDP port.
Here is the configuration (of course, you can chage the names of the of the objects to the name you are using if you want) :
access-list ALL line 10 extended permit ip any any
probe udp TFTP
port 69
interval 5
passdetect interval 15
probe icmp ICMP_PROBE
interval 5
passdetect interval 15
rserver host TFTP_1
ip address 10.0.0.1
probe TFTP
probe ICMP_PROBE
inservice
rserver host TFTP_2
ip address 10.0.0.2
probe TFTP
probe ICMP_PROBE
inservice
serverfarm host TFTP-SFARM
rserver TFTP_1
inservice
rserver TFTP_2
inservice
sticky ip-netmask 255.255.255.255 address source TFTP-STICKY
timeout 10
replicate sticky
serverfarm TFTP-SFARM
class-map type management match-any MANAGE
2 match protocol icmp any
class-map match-all NAT
2 match virtual-address 0.0.0.0 0.0.0.0 udp any
class-map match-all TFTP
2 match virtual-address 10.0.0.10 udp eq 69
policy-map type management first-match MANAGE
class MANAGE
permit
policy-map type loadbalance first-match ROUTE
class class-default
forward
policy-map type loadbalance first-match TFTP-POL
class class-default
sticky-serverfarm TFTP-STICKY
policy-map multi-match TFTP-MULTI
class TFTP
loadbalance vip inservice
loadbalance policy TFTP-POL
nat dynamic 1 vlan 212
class NAT
loadbalance vip inservice
loadbalance policy ROUTE
nat dynamic 2 vlan 212
interface vlan 212
ip address 10.0.0.250 255.255.255.0
no normalization
access-group input ALL
nat-pool 1 10.0.0.241 10.0.0.243 netmask 255.255.255.0 pat
nat-pool 2 10.0.0.10 10.0.0.10 netmask 255.255.255.0 pat
service-policy input TFTP-MULTI
service-policy input MANAGE
no shutdown
Let me know how it goes.
Good luck! -
Hi,
I am new in ACE 4700. I have configured ACE 4700 for load balancing the FAX servers. Probe, ServerFarm, Real server, Virtual server, VIP state every thing is up and in service. But I am not able to access the real server using VIP IP address.
Below is the running configuration. Please help me to troubleshot the problem.
HOB-ACE-1/Admin# sh run
Generating configuration....
no ft auto-sync startup-config
boot system image:c4710ace-mz.A3_2_0.bin
hostname HOB-ACE-1
interface gigabitEthernet 1/1
description Man_HOB_1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
description VIP_HOB_1
switchport access vlan 24
no shutdown
interface gigabitEthernet 1/3
description HA_HOB_1
switchport access vlan 180
no shutdown
interface gigabitEthernet 1/4
shutdown
[7m--More-- [m
access-list ALL line 8 extended permit ip any any
probe icmp ICMP_PROBE1
interval 15
faildetect 4
passdetect interval 60
passdetect count 5
receive 5
rserver host MFREFSAS497
description MAAFAXSERVER
ip address 10.16.12.148
conn-limit max 4000000 min 4000000
inservice
rserver host MSHOFCFS489
description HOBFAXSERVER
ip address 10.26.12.130
conn-limit max 4000000 min 4000000
inservice
[7m--More-- [m
[K
serverfarm host SFHOBACE-1
description SFHOBACE-1
predictor hash header Accept
probe ICMP_PROBE1
rserver MFREFSAS497 80
conn-limit max 4000000 min 4000000
inservice
rserver MSHOFCFS489 80
conn-limit max 4000000 min 4000000
inservice
class-map match-all VSHOBACE-1
2 match virtual-address 10.26.24.242 any
class-map type management match-any remote_access
201 match protocol xml-https any
202 match protocol icmp any
203 match protocol telnet any
204 match protocol ssh any
205 match protocol http any
206 match protocol https any
207 match protocol snmp any
[7m--More-- [m
[K
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match VSHOBACE-1-l7slb
class class-default
serverfarm SFHOBACE-1
policy-map multi-match global
class VSHOBACE-1
loadbalance vip inservice
loadbalance policy VSHOBACE-1-l7slb
loadbalance vip icmp-reply
nat dynamic 1 vlan 24
nat dynamic 1 vlan 1000
service-policy input global
interface vlan 24
description "Client VLAN"
ip address 10.26.24.243 255.255.255.0
[7m--More-- [m
access-group input ALL
no shutdown
interface vlan 1000
ip address 10.26.12.132 255.255.255.0
peer ip address 10.26.12.133 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ft interface vlan 180
ip address 192.168.180.2 255.255.255.248
peer ip address 192.168.180.3 255.255.255.248
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 180
ft group 1
peer 1
priority 140
associate-context Admin
[7m--More-- [m
inservice
ip route 0.0.0.0 0.0.0.0 10.26.12.1
snmp-server contact "HOB_ACE"
snmp-server location "HOB"
snmp-server community FAXSERVER group Network-Monitor
snmp-server user administrator Network-Monitor
snmp-server trap-source vlan 1000
username admin password 5 $1$GtO1e504$eGuyxxDcXck7SkxqBfRkI. role Admin domain
default-domain
username www password 5 $1$N5ClX7jy$kDhGgN.uukWQKvQMd3pY.1 role Admin domain de
fault-domain
ssh key rsa 1024 force
Thanks and Regards,
AshfaqueHello Hossain,
Applying the policy globally on the box is commonly not the prefered way to go, you can use instead a single multi-match policy per SVI for easier managent; this will also also help to narrow down problems to a specific policy and VIP while T-Shooting.
Use the
ACE/Admin(config)# no service-policy input global
ACE/Admin(config)# interface vlan 24
ACE/Admin(config-if)# service-policy input global
Also you want to remove the NAT from the multi-match policy, you're running in routed mode so NAT should not be required; if it was required then you don't have any natpool configured or as Ahmad mentioned it was truncated from the configuration.
Something that caught up my attention is that your default route is pointing to the server VLAN that happens to be also your management VLAN, I'll have to lab it up but my first impression is that either the traffic coming to the VIP on vlan 24 should be always NAT'd to an IP of 10.26.24.X/24 before it gets to the ACE or else there will be a routing loop that will not allow the flow to complete correctly.
Do you happen to have a quick logical diagram of this piece of the network?
Thnx
Pablo
Maybe you are looking for
-
Windows 7 Pro x64 now BSOD just as it is starting and Startup Repair has failed
As the title says, a few days ago my Windows 7 Pro x64 started to BSOD just as Windows is starting but the error screen disappears immediately. Startup Repair fails and has Problem Signature 04: 21199350 I have used the Windows 7 Pro installation DVD
-
When iCloud was first launched, I set up access to iCloud accounts in Snow Leopard and iOS4 using the standard IMAP, CalDAV and CarDAV protocols which worked perfectly, as you would expect since those are exactly the protocols on which iCloud is base
-
Hi can anyone help me in creatig a form and assigning it to a resource object. please tell what all should i mention in the map which is to be passed to createForm() method. Thank you
-
Migrar una Licencia MAC a Windows.
Buen día. Cuento con una licencia de un Adobe CS 6 Design Standard en un equipo Mac, lamentablemente este dejó de funcionar hace algunos días. Sin embargo, mi nuevo equipo es un SO Windows y quiero conocer la posibilidad de migrar la licenc
-
More details from a day to day SCCM adminstrator job
Hi to all, All is on the tittle.I'm a junior SCCM 2007 adminstrator and i realize that i still have so many things to learn and i'm really motivated. First of all i would like to know exactly what do i have to do exactly everyday on SCCM (logs analyz