Application Delivery (ADX)

Occasional Contributor
Posts: 5
Registered: ‎02-14-2012

ip nat pool - virtual server loopback problem

Hi,

We are running

ServerIron 4G SSL, SYSIF 2 (Mini GBIC)

SW: Version 10.2.01yTI4

Compiled on Nov 03 2011 at 18:46:02 labeled as WJR10201y

JetCore ASIC IGC version 49

SW: (1)10.2.01yTJ3

We have several ip nat pools source NATing our outgoing private network, which works perfectly.

My problem is that I can't establish a connection between an ip nat pool address and a virtual server address.

I can open web pages from outside on both virtual servers, but they can't access each other using the external URLs.

I assume I am missing some sort of loopback config between the ip nat pool and the virtual server address.

Can you help me or point me in the right direction?

Relevant config:

server real store01 10.66.4.12
 no-l3-check
 source-nat
 weight 35 0
 port http
 port http keepalive
 port http url "HEAD /"
 port http server-id 1025
 port http group-id  2 2
 port http status-code  200 299
 port ssl
 port ssl server-id 1025
 port ssl group-id  2 2
 port 8080
 port 8080 server-id 1025
 port 8080 group-id  2 2
!
server real web01 10.66.4.14
 no-l3-check
 source-nat
 weight 35 0
 port http
 port http keepalive
 port http url "HEAD /"
 port http server-id 1027
 port http group-id  3 3
 port http status-code  200 299
!
server virtual store 208.131.141.230
 acl-id 10
 sticky-age 5
 predictor weighted
 port http sticky
 port http csw-policy "store-http"
 port http csw
 port http request-insert client-ip "X-Forwarded-For"
 port ssl sticky
 port ssl ssl-terminate star_cluster
 port ssl csw-policy "store"
 port ssl csw
 port ssl request-insert "X-Forwarded-Proto: https"
 port ssl request-insert client-ip "X-Forwarded-For"
 port ssh
 bind http store01 http store02 http
 bind ssl store01 8080 real-port http store02 8080 real-port http
!
server virtual web 208.131.141.231
 acl-id 10
 sticky-age 5
 predictor weighted
 port http sticky
 bind http web01 http web02 http
!
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
!
vlan 130 name CLUSTER-FRONT by port
 untagged ethe 3
 router-interface ve 130
!
vlan 140 name CLUSTER-BACK by port
 untagged ethe 4
 router-interface ve 140
!
interface ethernet 1
 port-name inet1
!
interface ethernet 2
 port-name inet2
 disable
!
interface ethernet 3
 port-name front
!
interface ethernet 4
 port-name back
!
interface ve 1
 port-name inet
 ip address 208.131.141.195 255.255.255.192
 ip nat outside
!
interface ve 130
 port-name cluster-front
 ip address 10.66.4.11 255.255.255.0
 ip nat inside
!
interface ve 140
 port-name cluster-back
 ip address 10.66.3.11 255.255.255.0
!
ip nat inside source list 11 pool pool_1 overload
ip nat inside source list 12 pool pool_2 overload
ip nat pool pool_1 208.131.141.230 208.131.141.230 prefix-len 32
ip nat pool pool_2 208.131.141.231 208.131.141.231 prefix-len 32
ip route 10.0.0.0 255.0.0.0 ethernet 4
ip route 0.0.0.0 0.0.0.0 208.131.141.193
!
!
access-list 10 permit any
!
access-list 11 permit host 10.66.4.12
access-list 11 permit host 10.66.3.12
access-list 11 permit host 10.66.4.13
access-list 11 permit host 10.66.3.13
!
access-list 12 permit host 10.66.4.14
access-list 12 permit host 10.66.3.14
access-list 12 permit host 10.66.4.15
access-list 12 permit host 10.66.3.15

Brocadian
Posts: 70
Registered: ‎03-14-2009

Re: ip nat pool - virtual server loopback problem

Hi Peter,

do you need access from the reals to the VIPs?

Occasional Contributor
Posts: 5
Registered: ‎02-14-2012

Re: ip nat pool - virtual server loopback problem

Hi Alexander,

Actually, yes. A web application running on one stack of real servers tries to make API calls to the web application running on the other stack of real servers through the public URL. And I wanted to avoid handling this with hosts files.

Brocadian
Posts: 70
Registered: ‎03-14-2009

Re: ip nat pool - virtual server loopback problem

Hi Peter,

I tested this in a lab environment without any issues.

NAT is not used if the reals are accessing the VIPs. It's plain SLB + Source NAT.

Do you have dedicated Source NAT IPs?

Do the reals access the VIP via name (DNS) or IP?

Is routing ok for the reals, or do they have multiple IF with a route not pointing to the VIPs directly?

Alex

Occasional Contributor
Posts: 5
Registered: ‎02-14-2012

Re: ip nat pool - virtual server loopback problem

Hi Alexander,

Reals are accessing VIPs with the public DNS name, which points to the VIP's IP.

When they go out, as you see in my config, every stack of reals has a dedicated IP to go out with, which is actually the same IP as the VIP's IP.

The reals' default route is the Foundry; however, they have a secondary interface and a route for that as well.

Occasional Contributor
Posts: 5
Registered: ‎02-14-2012

Re: ip nat pool - virtual server loopback problem

So was anybody able to reproduce this issue or find a solution?

We still can't connect from source-NATed real servers to VIPs on the same load balancer.
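
An added example, not part of the thread and not Brocade tooling: a small Python audit that lists every `server virtual` address that is also inside an `ip nat pool` range, together with the inside hosts that are source-NATed to it, which is the overlap Peter describes in his config. It parses only the statement forms that appear in the posted configuration; the embedded sample is a trimmed copy of that configuration, and the function names are made up for this illustration.

```python
import ipaddress

# Trimmed copy of the configuration posted in the thread (sample input).
SAMPLE_CONFIG = """\
server real store01 10.66.4.12
server real web01 10.66.4.14
server virtual store 208.131.141.230
server virtual web 208.131.141.231
ip nat inside source list 11 pool pool_1 overload
ip nat inside source list 12 pool pool_2 overload
ip nat pool pool_1 208.131.141.230 208.131.141.230 prefix-len 32
ip nat pool pool_2 208.131.141.231 208.131.141.231 prefix-len 32
access-list 11 permit host 10.66.4.12
access-list 11 permit host 10.66.3.12
access-list 12 permit host 10.66.4.14
"""

def parse(config):
    """Collect VIPs, reals, NAT pools, pool-to-ACL bindings and ACL hosts."""
    vips, reals, pools, pool_acl, acl_hosts = {}, {}, {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["server", "virtual"] and len(t) >= 4:
            vips[t[2]] = ipaddress.ip_address(t[3])
        elif t[:2] == ["server", "real"] and len(t) >= 4:
            reals[ipaddress.ip_address(t[3])] = t[2]
        elif t[:3] == ["ip", "nat", "pool"] and len(t) >= 6:
            pools[t[3]] = (ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5]))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"] and len(t) >= 8 and t[6] == "pool":
            pool_acl[t[7]] = t[5]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "host"] and len(t) >= 5:
            acl_hosts.setdefault(t[1], []).append(ipaddress.ip_address(t[4]))
    return vips, reals, pools, pool_acl, acl_hosts

def vip_pool_overlaps(config):
    """Return one finding per VIP whose address lies inside a NAT pool range."""
    vips, reals, pools, pool_acl, acl_hosts = parse(config)
    findings = []
    for vip, addr in vips.items():
        for pool, (start, end) in pools.items():
            if start <= addr <= end:
                hosts = acl_hosts.get(pool_acl.get(pool), [])
                findings.append({
                    "vip": vip, "address": str(addr), "pool": pool,
                    "natted_hosts": [str(h) for h in hosts],
                    "natted_reals": sorted(reals[h] for h in hosts if h in reals),
                })
    return findings
```

Calling `vip_pool_overlaps(SAMPLE_CONFIG)` returns one entry per overlapping VIP; an empty list means no virtual server address is shared with a NAT pool.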
