Hello everyone!
Some of our customers are experiencing a problem that seems to be occurring on
an l4txnat farm w/DNAT. Some customers are unable to access our website when
forwarded through our primary l4txnat farm but if the customer is redirected
instead to a TCP farm, on the same load balancer, the customer is able to
access the site properly.
Here are some specifics:
Load Balancer (zenloadbalancer v3.02)
192.168.11.10
l4txnat farm w/DNAT: 192.168.11.19 ports 80,443, real servers (site6, site7)
TCP farm: 192.168.11.13 port 80, real servers (site6, site7)
TCP farm: 192.168.11.13 port 443, real servers (site6, site7)
Real servers are on the same 192.168.11.0/25 network and use the load balancer
for their gateway: 192.168.11.10
Firewall policies:
Primary Site: Public IP: 66.186.161.235 NAT - 192.168.11.19 ports 80,443
Alt-Site: Public IP: 66.186.161.233 NAT - 192.168.11.13 ports 80,443
The customer cannot access our website through the Primary Site.
The customer can access our website through the Alt-Site.
Customer can ping both public addresses.
I can trace the customer's requests to the Primary Site through the firewall
and forwarded to 192.168.11.19 but there is no mention of the customer's IP in
our webserver's logs, suggesting that the requests never arrive. I can't seem
to find any logging, or how to enable any logging, on the load balancer that
shows the activity of requests (source, forwarded to, response, etc) so I can't
verify anything about the requests once forwarded to the l4txnat farm by the
firewall.
I can trace the customer's requests to the Alt-Site through the firewall and
forwarded to 192.168.11.13, they appear properly in the webserver's logs and
the customer has access to our site.
To verify that it is at the l4txnat farm that the problem is occurring, I
changed the Alt-Site firewall rule to forward requests to the l4txnat farm
(192.168.11.19), rather than the tcp farms, and the customer was no longer able
to access our website through the Alt-Site. Undoing the change, pointing the
Alt-Site firewall rule back to the tcp farms (192.168.11.13), restores the
customer's access to our site.
DNAT is required.
We have had numerous customer complaints of this type. Not sure how many others
may be experiencing it.
Approx 15,000 customers access the Primary Site, through the l4txnat farm each
day.
Thank you for any suggestions!
- Jay
_____________________________________________
Jay A. Rossignol, MCSE, CNE
Sr. Systems/Network Engineer
Uncle Henrys
[email protected]
_______________________________________________
Zenloadbalancer-support mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support