Round-robin forward to 2 hosts

jonathanburg
Level 1

Hi everyone,

Currently I have one ASA 5516 with two load balancers/proxies and two FTP servers behind it.

See below.

pci01.png

I'm trying to figure out how to send incoming FTP connections to the two proxy servers, but my current configuration doesn't seem to work. It sends all the connections to 192.168.18.1 (Proxy01) instead of sending them to both the Proxy01 and Proxy02 servers. See below for my current configuration.

pci02.png

object network dmz-proxys-nat
 range 192.168.1.1 192.168.1.2
 description LB FTP

and

object network dmz-proxys-nat
 nat (dmz,outside) static ext_198.128.16.211 dns

Is what I'm trying to accomplish possible at all?

Regards,

Jonathan

Accepted Solution

RyanB
Level 1

I don't believe the ASA would be doing any load balancing to your load balancers; in this case it's merely providing filtering and NATing.

The ASA will route to a VIP configured on your load balancers, say 192.168.1.10.

Under normal operating conditions, 192.168.1.10 VIP will be serviced by Proxy01.

Proxy01 will then load balance the traffic to FTP01 (192.168.1.11) and FTP02 (192.168.1.12) using the round robin least-conn method you configured on the load balancers.

 

In the event that Proxy01 goes down (heartbeat breaks), that VIP will be assumed by Proxy02, who will then handle the load balancing to FTP01/02.

 

large.png



Hi Ryan,

Thank you for your reply!

What you are describing is my second plan for when the ASA can't help me out with the routing part. I saw some NAT and PAT pools with a round-robin option, which made me think this could be possible. Can't these NAT or PAT pools be used to route the traffic to the proxy servers the way I described in the picture?

Regards,

Jonathan

I don't have any first-hand experience with this type of round-robin NATing; I just recognized your physical setup, as I have used it in a managed IT environment many times before.

From my limited understanding of round-robin with regard to NAT (more specifically PAT), the ASA would pick a new IP address from the pool in a circular fashion (abc, abc, abc), rather than exhausting all the ports for one IP before moving on to the next (aaa, bbb, ccc).

Thanks Ryan.

It seems that the Virtual IP option is the only way to go.

There are some Linux applications that can be installed on both proxy servers to create a VIP between the two proxies, so it seems doable.

Is it ipvsadm?
I have experience with that, pretty easy to work with. We would deploy servers with that tool instead of Brocade ADX's for lower budget environments.

No, for the load balancing to the FTP servers we use HAProxy, but we need another application to create a virtual IP between the two HAProxy servers (Proxy01 and Proxy02), and keepalived seems to do this, although I still need to research it further.
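As an added example (not posted by anyone in this thread), here is what the VIP design RyanB describes can look like once it is built: keepalived moves the 192.168.1.10 VIP between Proxy01 and Proxy02 with VRRP, and HAProxy on each proxy balances the FTP control connections to FTP01/FTP02 with least-conn. The ASA's static NAT then points at the single VIP instead of the 192.168.1.1-192.168.1.2 range. The interface name eth0, the virtual_router_id, the priorities, and the FTP server addresses (taken from RyanB's reply) are assumptions; adjust them to the real environment.

```conf
# ---------- /etc/keepalived/keepalived.conf on Proxy01 (MASTER) ----------
# On Proxy02 use "state BACKUP" and a lower priority (e.g. 100); everything
# else stays identical so either node can own the VIP.

# Health check: if the HAProxy process disappears on this node, drop the
# priority below the peer's so the VIP fails over even though the host is up.
vrrp_script chk_haproxy {
    script "/usr/bin/killall -0 haproxy"   # exit 0 while haproxy is running
    interval 2
    weight -60
}

vrrp_instance VI_FTP {
    state MASTER
    interface eth0                # assumed DMZ-facing interface name
    virtual_router_id 51          # assumed; must match on both proxies
    priority 150                  # Proxy02: 100
    advert_int 1
    virtual_ipaddress {
        192.168.1.10/24           # the VIP the ASA NAT/route points at
    }
    track_script {
        chk_haproxy
    }
}

# ---------- /etc/haproxy/haproxy.cfg (identical on both proxies) ----------
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    mode    tcp                   # FTP is not HTTP: plain TCP passthrough
    option  tcplog
    timeout connect 5s
    timeout client  10m           # idle FTP control sessions are long-lived
    timeout server  10m

frontend ftp_control
    # Binding on all addresses lets the same config run on the BACKUP node,
    # where the VIP is not present yet, without net.ipv4.ip_nonlocal_bind.
    bind *:21
    default_backend ftp_servers

backend ftp_servers
    balance leastconn             # the "round robin least-conn" method from the thread
    server ftp01 192.168.1.11:21 check inter 5s fall 3 rise 2
    server ftp02 192.168.1.12:21 check inter 5s fall 3 rise 2
```

Two points worth checking before going live: only port 21 is balanced here, so passive-mode FTP data connections still need the servers' passive port range published and reachable through the same path (and pinned to the server that owns the control session), and the ASA rule that allowed the old 192.168.1.1-192.168.1.2 range should be narrowed to the VIP so that traffic cannot bypass the failover pair by hitting a proxy's real address.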
