Solved: Re: Round-robin forward to 2 hosts

jonathanburg · ‎09-15-2017

Hi everyone,

Currently I'm having one ASA 5516 with behind it two loadbalancers/proxys and two FTP servers.

See below.

I'm trying to figure out how to send incoming ftp connections to the two proxy servers, but my current configuration doesnt seem to work. It sends al the connections to 192.168.18.1 (Proxy01) instead of sending it to both Proxy01 and Proxy02 servers. See below for my current configuration.

object network dmz-proxys-nat
 range 192.168.1.1 192.168.1.2
 description LB FTP

and

object network dmz-proxys-nat
 nat (dmz,outside) static ext_198.128.16.211 dns

Is what I'm trying to accomplish possible at all?

Regards,

Jonathan

RyanB · ‎09-15-2017

I dont believe the ASA would be doing any load balancing to your load balancers, in this case it's merely providing filtering and NATing.

The ASA will route to a VIP configured on your load balancers, say 192.168.1.10.

Under normal operating conditions, 192.168.1.10 VIP will be serviced by Proxy01.

Proxy01 will then load balance the traffic to FTP01 (192.168.1.11) and FTP02 (192.168.1.12) using the ~~round robin~~ least-conn method you configured on the load balancers.

In the event that Proxy01 goes down (heartbeat breaks), that VIP will be assumed by Proxy02, who will then handle the load balancing to FTP01/02.

View solution in original post

RyanB · ‎09-15-2017

I dont believe the ASA would be doing any load balancing to your load balancers, in this case it's merely providing filtering and NATing.

The ASA will route to a VIP configured on your load balancers, say 192.168.1.10.

Under normal operating conditions, 192.168.1.10 VIP will be serviced by Proxy01.

Proxy01 will then load balance the traffic to FTP01 (192.168.1.11) and FTP02 (192.168.1.12) using the ~~round robin~~ least-conn method you configured on the load balancers.

In the event that Proxy01 goes down (heartbeat breaks), that VIP will be assumed by Proxy02, who will then handle the load balancing to FTP01/02.

jonathanburg · ‎09-18-2017

Hi Ryan,

Thank you for your reply!

What you are discribing is my second plan for when the ASA can't help me out with the routing part. I saw some NAT and PAT pools with a round-robin option which made me think this could be possible. These NAT or PAT pools can't be used to route the traffic to the Proxy servers like the way I described in the picture?

Regards,

Jonathan

RyanB · ‎09-18-2017

I dont have any first hand experience with this type of round-robin NATing, I just recognized your physical setup as I have used it in a managed IT environment many times before.

From my limited understanding about round-robin with regards to NAT (more specifically PAT), was that the ASA would pick a new IP address from the pool in a circular fashion (abc, abc, abc), rather than exhausting all the ports for IP before moving on to the next (aaa, bbb, ccc).

jonathanburg · ‎09-18-2017

Thanks Ryan.

It seems that the Virtual IP option is the only way to go.

There are some Linux applications that can be installed on both the Proxy servers that create a VIP between the two Proxy's so it seems doable.

RyanB · ‎09-19-2017

Is it ipvsadm?
I have experience with that, pretty easy to work with. We would deploy servers with that tool instead of Brocade ADX's for lower budget environments.

jonathanburg · ‎09-25-2017

No for the loadbalancing to the FTP server we use HAproxy, but we need another application to create a Virtual IP between the two HAproxy servers (Proxy01 and Proxy02) and keepalived seems to do this although I still need to research it further.