Load balancing with LocalDirector 416s

ahoangphan
Level 1

Hi all,

I'm trying to configure the LocalDirector for load balancing a website. The problem that I'm having right now is with HTTP requests from the internal network to the virtual server, which resides on the DMZ of my PIX firewall. I know that I can access any servers on the DMZ because I set the DMZ interface up with a lower level of security than the internal interface; traffic coming back in to the internal network from the DMZ is allowed by access lists.

From any machines on the DMZ I can access the virtual server, but not from the internal network. I was just wondering if I'd need any other route command on the LocalDirector to tell it to route the requests from any machines on the internal network to the virtual server.

On Pix I have:

nameif ethernet1 inside security100

nameif ethernet3 dmz security80

Inside network is 10.1.1.0, DMZ is 10.1.4.0. Any machines on 10.1.1.0 can access any machines on 10.1.4.0, but not the virtual server, which has an IP of 10.1.4.51 (I'm trying only web traffic for now).

Help!!!

Thanks,

Anthony.

9 Replies

seilsz
Level 4

Are you translating the 10.1.1.0 address space as it passes through the PIX?

Assuming you are not, the LD will need a route for the 10.1.1.0 network pointing back to the PIX. Depending on your topology and/or routing policy, it may just make more sense to put a default route on the LD pointing back to the PIX.

~Zach

Zach,

Thanks for replying. Yes, I did set a default route on the LocalDirector pointing back to the Pix.

route 0.0.0.0 0.0.0.0 10.1.4.254

I also set a route on the LD for the 10.1.1.0 network.

route 10.1.1.0 255.255.255.0 10.1.4.254

And no, I'm not translating the 10.1.1.0 address space; they will appear as 10.1.1.* to any machines on the DMZ, and the same for the machines on the DMZ back to the internal network.

The question I have is, on my real servers, what is the default gateway? The IP address of the LD or the IP address of the DMZ interface? I read somewhere that the LD doesn't do routing.

Anthony.

The default gateway on your real servers should be the PIX dmz interface.

~Zach

That's what I set as the default on all real servers. The other thing I forgot to mention is that these real servers are Linux and dual-homed. The second NICs were added to connect to a different network which hosts the NFS server and database server. So they have two different default gateways, but they should know where requests are coming from and send replies back to the right places. This is where I'm stuck.

Do you have the client and server side interfaces of the LD in different VLANs?

Can you take a sniffer trace between the LD and one of the real servers to make sure it is responding back through the correct interface?

What happens when you add an explicit route for the inside network on one of the real servers?

~Zach
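To make the dual-homed-server problem concrete, here is an added example (not from the thread or from Cisco) that simulates longest-prefix-match route selection on one of the real servers and checks whether a reply to an inside client leaves on the same interface the request arrived on. The addresses of the real server's second network (10.1.5.0/24, gateway 10.1.5.254) are assumed; the LD routes and the 10.1.1.0/24 and 10.1.4.254 addresses come from the thread.

```python
import ipaddress

# Routes posted for the LocalDirector in the thread: default and inside network via the PIX DMZ interface.
LD_ROUTES = [
    ("0.0.0.0/0", "10.1.4.254", "eth0"),
    ("10.1.1.0/24", "10.1.4.254", "eth0"),
]

# Constructed table for a dual-homed real server with two default gateways.
# Assumption: the backend NIC's default route (10.1.5.254) was added last and is preferred on a tie.
SERVER_ROUTES_TWO_DEFAULTS = [
    ("0.0.0.0/0", "10.1.5.254", "eth1"),  # NFS / database network (assumed addresses)
    ("0.0.0.0/0", "10.1.4.254", "eth0"),  # PIX DMZ interface, reached through the LD
]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway, device) tuples.
    On equal prefix length the first matching entry in table order wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


def reply_is_symmetric(routes, client_ip, ingress_dev):
    """True when the reply to client_ip leaves on the interface the request came in on."""
    match = lookup(routes, client_ip)
    return match is not None and match[1] == ingress_dev


def with_explicit_inside_route(routes):
    """Zach's suggestion: add a specific route for the inside network via the PIX DMZ interface."""
    return [("10.1.1.0/24", "10.1.4.254", "eth0")] + list(routes)


if __name__ == "__main__":
    client = "10.1.1.20"  # constructed inside client address
    print("LD next hop for inside client:", lookup(LD_ROUTES, client))
    print("server reply symmetric with two defaults:", reply_is_symmetric(SERVER_ROUTES_TWO_DEFAULTS, client, "eth0"))
    fixed = with_explicit_inside_route(SERVER_ROUTES_TWO_DEFAULTS)
    print("server reply symmetric with explicit route:", reply_is_symmetric(fixed, client, "eth0"))
```

With two equal defaults the reply for 10.1.1.20 goes out the backend NIC and never returns through the LD, which is exactly the kind of path a sniffer trace between the LD and the real server would expose.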

Zach,

I found out that on all of my real servers I can't ping the gateway, but I can ping the gateway from the LD. The gateway is a PIX interface, and all real servers are connecting to the gateway through the LD...

PIX - LD's interface1 - LD's interface2 - real servers

Is it supposed to work that way? Please help.

Can you take a sniffer trace between the LD and one of the real servers to make sure it is responding back?

~Zach

Zach, this is what I got from the sniffer: once I made a connection to the virtual server, the virtual server then gave me a real server IP, then the client and real server talked to each other, but I'm still getting nothing or "page can not be displayed" even though there's stuff on the page. But any machines on the same subnet as the virtual server can get to it.

Anthony.

Would you mind posting the packet capture?
