Application Delivery (ADX)

Posts: 1
Registered: ‎07-12-2010

ServerIron use VIP as dynamic NAT address for real server

Hi,

I have a pair of ServerIronGT with router code (10.2.01bTD2) to perform SLB for two RADIUS servers (UDP ports 1812 and 1813).

The ServerIron was configured in symmetric SLB mode for redundancy.

In the RADIUS proxy situation, we need the RADIUS servers to use the VIP as the source address towards other RADIUS servers that are not in my domain.

I enabled "server reverse-nat" on the ServerIron and it works fine.

But when I add another VIP (let's say VIP2, which is on a different VLAN than VIP1 and is bound to the same ports and the same real servers as VIP1),

I noticed that port default cannot be bound to VIP2 due to its characteristics or limitations.

According to the manual:

"Dynamic NAT for Real Servers Using Virtual Server Address
Release 10.0.00a enhances dynamic NAT functionality by enabling the ServerIron to use virtual server address as
dynamic NAT address for real servers. The previous releases required use of reverse NAT in such situations
leading to security concerns. This enhancement enables use of virtual server IP address for outbound
connections from real servers."

Then I added the dynamic NAT configuration for VIP2, while VIP1 stays with the "reverse-nat" and "bind port default" configuration.

Traffic initiated from the real server is translated to VIP2 correctly, but when the client sends traffic to VIP2, the client never gets any response.

After tracing the packet flow with a sniffer, it shows that the return traffic is stuck in the ServerIron.

Would someone tell me what goes wrong, or give any suggestion?

New Contributor
Posts: 3
Registered: ‎07-13-2010

Re: ServerIron use VIP as dynamic NAT address for real server

Based on the fact that you mentioned you have two VIPs in different VLANs and with different configurations for a common set of servers, my first concern would be asymmetric routing breaking the flow state (i.e. a TCP SYN from the client enters VIP1 and reaches the server, the server responds with a SYN-ACK and the NAT configuration applied to the VIPs forces it to be sent out VIP2, the LB sees an irregular flow and drops the SYN/ACK response from the server to the client attempting to be sent out VIP2).

This might not be the issue, but hopefully it will knock one more item off the process-of-elimination list.

-Matt

Contributor
Posts: 47
Registered: ‎07-14-2010

Re: ServerIron use VIP as dynamic NAT address for real server

Below are the details:

Vip2: bound to Rs3 and Rs4

Rs1 -> Vip2 -> Rs3/Rs4


The background of this issue is that the syn/ack packet from rs3/rs4 will be forwarded locally to rs1 without the adx's translation of the VIP address.
The 3-way handshake will never be established in this case. So, if your rs1 and rs3/rs4 are on different physical interfaces of the adx, you don't have to do any additional configuration.

Now, I am going to explain to you how “source-nat access-list” feature will work.

When this feature is enabled and rs1 (10.210.40.201) connects to vip1 (10.210.40.100), the adx replaces its source IP address with 10.210.40.241.
From the rs3 and rs4 point of view, the connection is coming from 10.210.40.241 instead of 10.210.40.201.

This source NAT will apply only to source IP addresses matching access-list 2. So, any other IP address will not be replaced or affected.
Here is the sample configuration for you.

--------------------------
server source-ip 10.210.40.241 255.255.255.0 0.0.0.0

server real rs3 10.210.40.207
source-nat access-list 2
port http

server real rs4 10.210.40.208
source-nat access-list 2
port http

server virtual vip1 10.210.40.100
port http
bind http rs3 http rs4 http

server real rs1 10.210.40.201

access-list 2 permit host 10.210.40.201
access-list 2 deny any
--------------------------


Optionally, you can configure multiple source-ip and bind one source-ip with one real server.
Here is the sample configuration.
--------------------------

server source-ip 10.210.40.241 255.255.255.0 0.0.0.0
server source-ip 10.210.40.242 255.255.255.0 0.0.0.0

server real rs3 10.210.40.207
source-nat access-list 2
source-ip 192.168.1.241
port http

server real rs4 10.210.40.208
source-nat access-list 2
source-ip 192.168.1.242
port http
--------------------------

reverse-nat and the source-nat acl won't work together. But Dynamic NAT and the source-nat acl will work together.

Thanks.

//Kono
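As an added illustration (not ADX code and not from Kono's post), a small Python model of the flow described above: rs1 on the same /24 as rs3 connects to vip1, and the SYN/ACK only completes the handshake when the ADX rewrote the source to an address it owns (the `server source-ip`), or when rs1 sits behind a different ADX interface. Addresses are the ones from the sample configuration; the functions and the `rs1_on_same_segment` switch are hypothetical.

```python
# Constructed model of the scenario in the post above; the ADX itself is not
# modelled, only which addresses each host sees. Addresses are from the sample
# configuration: rs1 connects to vip1, which is bound to rs3.
VIP1 = "10.210.40.100"
RS1 = "10.210.40.201"
RS3 = "10.210.40.207"
SOURCE_IP = "10.210.40.241"          # server source-ip owned by the ADX
ACL2 = {"10.210.40.201"}             # access-list 2 permit host ...; deny any


def adx_forward(src, dst, source_nat_acl):
    """Client -> VIP packet as rs3 receives it after load balancing.

    With 'source-nat access-list 2' on rs3, the source is rewritten to the
    ADX-owned source-ip only when it matches the ACL; otherwise it is kept.
    Returns (src, dst) as seen by rs3, or None if dst is not the VIP.
    """
    if dst != VIP1:
        return None                  # not a VIP, not load balanced
    if source_nat_acl and src in ACL2:
        return (SOURCE_IP, RS3)
    return (src, RS3)


def rs3_reply(pkt):
    """rs3 answers whatever source address it saw (src and dst swapped)."""
    src, _ = pkt
    return (RS3, src)


def deliver_reply(reply, rs1_on_same_segment):
    """Where the SYN/ACK ends up, as (src, dst) seen by the receiver.

    It passes back through the ADX (and is translated to vip1 -> rs1) if it is
    addressed to the ADX-owned source-ip, or if rs1 is behind another ADX
    interface. A same-VLAN reply addressed to rs1 directly bypasses the ADX.
    """
    _, dst = reply
    if dst == SOURCE_IP or not rs1_on_same_segment:
        return (VIP1, RS1)
    return reply                     # arrives from rs3, not from vip1


def handshake_completes(source_nat_acl, rs1_on_same_segment=True):
    """True only if rs1 gets a SYN/ACK from the peer it connected to (vip1)."""
    fwd = adx_forward(RS1, VIP1, source_nat_acl)
    seen_src, seen_dst = deliver_reply(rs3_reply(fwd), rs1_on_same_segment)
    return seen_dst == RS1 and seen_src == VIP1
```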
