03-21-2013 05:41 PM
So I am configuring a VIP for a particular request and the application that this VIP will be load-balancing uses a single port initially (let's say 80), but then instigates the client to open another TCP session using a different port (let's say 60000) that is above the well-known ports... and this is picked at random... So, when this happens, per the VIP\Real Server not being configured for this new port, our ADX (running 12.400) rejects the new TCP session... Is there a way to configure a VIP\Real Server to allow all ports? Obviously, this is less preferred from a security standpoint, alas, I need a VIP that will allow sessions to terminate to\through it with dynamic destination ports...
03-21-2013 06:02 PM
a) use port default. This is all ports. I wrote a document on this in detail.
b) random port within predicted range, i.e. 30000-30050
ServerIronADX(config-pr-pr1)# port 8051 to 8100
one port range configuration supports up to 50 consecutive ports.
Optionally, you may want to configure ports as track-group, sticky, concurrent with a) or b) above.
03-22-2013 05:18 PM
Thanks for the great and prompt reply! That does answer my question. I do have a related question for you or anyone that may know the answer to this... So if I open up all ports on a VIP and load balance between say 2 real servers, yet the real servers are dynamically opening up ephemeral ports between whatever and whatever, yet these real servers are opening up different ephemeral ports, when a client tries to use this VIP, without me enabling L4 health checks, the ADX will have no idea which server is listening on which random port and will thus send balanced traffic to the wrong real server... Would this not require me to enable L4 health checks on tens of thousands of ports thus allowing the LB to know which server actually has which port up and thus directing requests to the proper server? I saw your reference to the track-group (and associated port-group) commands, but those only allow me to associate a small number of ports with the "primary" port, where, with this particular VIP I am configuring, the servers may open up non-well-known ports between the range of 49,000 and 65,000... Is there an elegant way to address this?
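The behaviour argued over in the last two posts (why a dynamic follow-on port must be tied to the real server chosen for the primary port, and how the 50-port limit per port range divides up a 49000-65000 window) can be made concrete with a small simulation. This is an added example written for this thread, not ADX code or configuration; the real servers, client address and port numbers are constructed sample data, and the round-robin and client-keyed tracking logic is a simplified model of the track-group/sticky idea, not a reproduction of the ADX implementation.

```python
"""
Toy model of a VIP with a load-balanced primary port (80) plus a window of
dynamic ports that should follow the primary port's real-server choice.
Constructed example: servers, client addresses and ports are sample data.
"""
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, Iterator, List, Optional, Set, Tuple

PRIMARY_PORT = 80
DYNAMIC_PORTS = range(49000, 65001)   # ephemeral window quoted in the thread


@dataclass
class RealServer:
    name: str
    listening: Set[int]               # ports the server currently has open


@dataclass
class Vip:
    servers: List[RealServer]
    track: bool = True                # True: dynamic ports follow the primary choice
    _rr: Iterator[RealServer] = field(init=False, repr=False)
    _sticky: Dict[str, RealServer] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self._rr = cycle(self.servers)

    def dispatch(self, client: str, dport: int) -> Optional[RealServer]:
        """Pick the real server for one client connection, or None if the
        destination port is not configured on the VIP (connection rejected)."""
        if dport != PRIMARY_PORT and dport not in DYNAMIC_PORTS:
            return None
        if dport == PRIMARY_PORT:
            srv = next(self._rr)      # normal load balancing on the primary port
            self._sticky[client] = srv
            return srv
        if self.track and client in self._sticky:
            return self._sticky[client]   # tracked port: reuse the primary choice
        return next(self._rr)         # untracked: balanced independently


def follow_on_session(vip: Vip, client: str, dyn_port: int) -> bool:
    """Model one application flow: the client connects on the primary port,
    the chosen server opens an ephemeral port for it, and the client then
    connects on that port. Returns True only if the second connection lands
    on a server that actually has the port open."""
    primary = vip.dispatch(client, PRIMARY_PORT)
    assert primary is not None
    primary.listening.add(dyn_port)   # only this server listens on dyn_port
    follow = vip.dispatch(client, dyn_port)
    return follow is not None and dyn_port in follow.listening


def port_range_chunks(lo: int, hi: int, width: int = 50) -> List[Tuple[int, int]]:
    """Split an inclusive port window into ranges of at most `width`
    consecutive ports, the per-range limit stated earlier in the thread."""
    chunks = []
    start = lo
    while start <= hi:
        end = min(start + width - 1, hi)
        chunks.append((start, end))
        start = end + 1
    return chunks


if __name__ == "__main__":
    tracked = Vip([RealServer("rs-A", set()), RealServer("rs-B", set())], track=True)
    untracked = Vip([RealServer("rs-A", set()), RealServer("rs-B", set())], track=False)
    print("tracked  :", follow_on_session(tracked, "10.0.0.1", 50123))
    print("untracked:", follow_on_session(untracked, "10.0.0.1", 50123))
    print("ranges needed for 49000-65000:", len(port_range_chunks(49000, 65000)))
```

With two real servers and no tracking, the round robin hands the follow-on connection to the other server, which never opened that port; with tracking the second connection reuses the primary choice, which is why no per-port health check is needed to find the right server. The chunk helper shows the other cost in the thread: covering the whole 49000-65000 window with 50-port ranges takes 321 separate ranges.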