Application Delivery (ADX)

New Contributor
Posts: 4
Registered: 02-19-2011

Serveriron intercepts traffic destined directly for real servers

I have a real basic setup.

3 recursive DNS servers connected directly to a ServerIron:

server real DNS1 10.1.123.2
 port dns
server real DNS2 10.1.123.3
 port dns
server real DNS3 10.1.123.4
 port dns
server virtual DNS 192.168.74.89
 port dns
 port dns stateless no-hash
 bind dns DNS1 dns DNS2 dns DNS3 dns

# nslookup news.com 10.1.123.2
;; reply from unexpected source: 192.168.74.89#53, expected 10.1.123.2#53

# nslookup news.com 10.1.123.3
;; reply from unexpected source: 192.168.74.89#53, expected 10.1.123.3#53

# nslookup news.com 10.1.123.4
;; reply from unexpected source: 192.168.74.89#53, expected 10.1.123.4#53

# nslookup news.com 192.168.74.89
Server:    192.168.74.89
Address:   192.168.74.89#53

Non-authoritative answer:
Name:      news.com
Address:   64.30.224.26

Does anyone know why, with port DNS stateless enabled, the ServerIron intercepts traffic destined directly for the real servers? It should be passing ALL traffic destined for the real servers to the real servers without mangling it.

Contributor
Posts: 47
Registered: 07-14-2010

Re: Serveriron intercepts traffic destined directly for real servers

This is a good question that we should all be aware of in the case of stateless SLB.

Stateful SLB:

From the ADX's point of view, if the ADX receives a packet from a real server whose source IP is the real server's IP and whose source port is 53 (dns), and if that packet matches the session table, we rewrite the source IP to the VIP instead of the real server's IP. If it does not match the session table, we simply do L2 or L3 forwarding. In the stateful case, we don't create session table entries for traffic destined directly to the real servers, hence we don't trigger the VIP rewrite in this case.

Stateless SLB:

The ADX does not maintain session tables, so it cannot decide whether it should rewrite the source IP to the VIP or do L2/L3 forwarding. Therefore the ADX always rewrites the source IP to the VIP as long as the source IP and source port match the SLB criteria. This is inevitable in the case of stateless SLB.

i.e.

If the ADX receives a packet from a real server with 10.1.123.2 as the source IP and 53 as the source port, the ADX has to rewrite the source IP to the VIP. If the ADX did not rewrite it, stateless SLB would not work even for an nslookup against the VIP (192.168.74.89).

To work around this, configure your DNS server to listen on both 53 and 10053. For the ADX's configuration, if you do the below, then the source IP matches but the source port will not match, hence the ADX will not rewrite the source IP to the VIP. The ADX will simply do L2/L3 forwarding.

----
server real DNS1 10.1.123.2
 port 10053
server real DNS2 10.1.123.3
 port 10053
server real DNS3 10.1.123.4
 port 10053
server virtual DNS 192.168.74.89
 port dns
 port dns stateless no-hash
 bind dns DNS1 10053
 bind dns DNS2 10053
 bind dns DNS3 10053
----

Thanks.

//Kono

New Contributor
Posts: 4
Registered: 02-19-2011

Re: Serveriron intercepts traffic destined directly for real servers

Hi,

I am talking about traffic from a client machine outside of the load balancer directly to the real servers.

Why would the load balancer need to manipulate traffic that is not destined for the VIP or the load balancer's IP address?

thanks,

-Drew

Contributor
Posts: 47
Registered: 07-14-2010

Re: Serveriron intercepts traffic destined directly for real servers

OK, this is a darn good question! Let's go through a more detailed example.

1. Please take a packet trace on each real server. On the DNS client side, please do the following:

a) # nslookup news.com 10.1.123.2
b) # nslookup news.com 10.1.123.3
c) # nslookup news.com 10.1.123.4
d) # nslookup news.com 192.168.74.89

e.g. # tcpdump -nni eth0 port 53 and host <ip of dns client> -s 0 -w real1.pcap

2. Please open each packet trace and focus on the packets going back to the client (the DNS query replies).

3. You will notice that the DNS query replies in each of a), b), c) and d) are exactly the same in the IP (L3) header as well as the DNS reply (L4) header.

4. Now, assuming that you are the ADX, let's think about how you determine which DNS reply packet the ADX "has to" rewrite with the VIP as its source IP address and which not. Well, you will notice this is impossible because there is no session matching in the case of stateless SLB. Please re-read my previous post.

5. In short: for an incoming packet to the VIP (DNS query), the ADX must change the destination IP address to the real server's IP. For the outgoing packet back to the client, the ADX must change the source IP address to the VIP for SLB to work. But when all the DNS reply packets in a), b), c) and d) are exactly the same, how can we decide which reply packet to rewrite to the VIP and which not? The answer is whether there is a session match or not.

5a) In the case of stateful SLB, this is determined by session match. If it matches, we change the source IP to the VIP. If not, we do L2/L3 forwarding.

5b) In the case of stateless SLB, there is no session, hence the ADX always "has to" replace the source IP with the VIP as long as the source IP and source port match.

6. Please be aware that this limitation, from your point of view, applies not only to the ADX but to any load balancer in the world in the case of stateless SLB.


Thanks.


//Kono
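As an added illustration (not part of the thread and not ADX code), a small Python model of the reply-path decision Kono describes in both posts: a stateless SLB has no session table and rewrites any reply whose source is a bound real IP and port, while a stateful SLB rewrites only replies that match a recorded session. The client address, the real-server selection rule, and the port 10053 workaround variant are constructed assumptions.

```python
from dataclasses import dataclass, replace

VIP, VPORT = "192.168.74.89", 53
REALS = ["10.1.123.2", "10.1.123.3", "10.1.123.4"]  # DNS1..DNS3 from the thread
CLIENT = "192.168.74.10"                              # constructed client address

@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatelessSLB:
    # No session table: a reply is rewritten whenever its source is
    # (a bound real IP, the bound real port), whoever sent the query.
    def __init__(self, real_port):
        self.real_port = real_port
    def request(self, p):
        if (p.dst_ip, p.dst_port) != (VIP, VPORT):
            return p                         # not for the VIP: L2/L3 forward
        real = REALS[p.src_port % len(REALS)]  # assumed selection rule
        return replace(p, dst_ip=real, dst_port=self.real_port)
    def reply(self, p):
        if p.src_ip in REALS and p.src_port == self.real_port:
            return replace(p, src_ip=VIP, src_port=VPORT)
        return p

class StatefulSLB(StatelessSLB):
    # Session table: only replies matching a session created by a query
    # to the VIP are rewritten; direct-to-real traffic is forwarded as is.
    def __init__(self, real_port):
        super().__init__(real_port)
        self.sessions = set()
    def request(self, p):
        fwd = super().request(p)
        if fwd is not p:                     # VIP traffic: record the session
            self.sessions.add((fwd.dst_ip, fwd.dst_port, p.src_ip, p.src_port))
        return fwd
    def reply(self, p):
        if (p.src_ip, p.src_port, p.dst_ip, p.dst_port) in self.sessions:
            return replace(p, src_ip=VIP, src_port=VPORT)
        return p

def reply_source(slb, target_ip, target_port=53):
    # Send one query to target_ip and return the source IP the client sees
    # on the reply, i.e. what nslookup reports as "reply from".
    fwd = slb.request(Pkt(CLIENT, 40000, target_ip, target_port))
    server_reply = Pkt(fwd.dst_ip, fwd.dst_port, CLIENT, 40000)
    return slb.reply(server_reply).src_ip
```

With the real port bound as 53, `reply_source(StatelessSLB(53), "10.1.123.2")` reproduces the "reply from unexpected source" VIP; binding 10053 instead leaves the direct reply from port 53 untouched while VIP queries still work.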
