
Issues load balancing from an SSL lb_vserver (ip:port) to http or tcp lb_vserver (ip:port)


Chris McCord


Basic load balancing is working from Client -> SSL lb_vserver.

When I try to go from Client -> SSL lb_vserver -> to a 2nd lb_vserver (http/tcp), communication doesn't work.

When I go from Client -> SSL lb_vserver -> to a 2nd lb_vserver (ANY) with layer 2 protocols ENABLED, then communications work as expected.

Ultimately I am converting F5 load balanced servers to the Netscaler (no iRules involved).

I feel like I am missing some Netscaler networking nuance that no one has been able to pinpoint yet.

Can anyone hazard some ideas as to why this is the only way to get this to work?

Thanks


Show your lb vserver and service config for a better idea of what you are comparing.

From CLI:

show ns runningconfig | grep <lb vservername> -i
show ns runningconfig | grep <service name1> -i
show ns runningconfig | grep <servicegroup name> -i

Show both lb vservers, and all services or service groups if in use in the config, to better understand what you are doing and what you are trying to do.

If you have a specific F5 config you can share that for translating.

Now, what do you mean that you are going from one LB vserver to another LB vserver? Where does the traffic end up on the backend?
Example, are you trying to do something like this, and maybe why, in case there is a better way to accomplish this?
client --> VIP1 (172.21.10.100) --> VIP2 (192.168.20.100) --> Server IP 192.168.10.11

I have initial thoughts, but I figured I would wait on clarification before diving in.


Thanks for taking a stab at this Rhonda, it's fairly complicated, hope I haven't missed anything.

A FW uses static routes for frontend and backend traffic for both the F5 and ADC (so 1 SNIP for the frontend subnet, and 1 SNIP for the backend subnet).

Here are 3 traffic flows I need to satisfy, the F5/ADC being in the middle, balancing services on web servers and application servers.

Scenario 1: (client -> vip1 -> Server IP). This is OK, easy peasy.

Scenario 2: (client -> vip1 -> Server IP1 -> vip2 -> Server IP2 -> vip1 -> Server IP1) (only works as service type ANY with layer 2 protocols enabled on the lb_vserver) (not how I would like to do it, would like to use service type HTTP to take advantage of ADC features).

Scenario 3: (client -> vip1 -> server1 -> vip2 -> server2 -> vip3 -> server3 -> vip1 -> server1 -> vip2 -> server2) (doesn't work as vip3 doesn't respond (SYN but no SYN-ACK), traffic is seen between vips 1&2 / servers 1&2).

Configuration information

add serviceGroup lb_vserver1SG SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add lb vserver lb_vserver1 SSL 10.20.41.5 1111 -persistenceType SOURCEIP -timeout 3 -cltTimeout 180 -tcpProfileName nstcp_internal_apps -httpProfileName nshttp_default_strict_validation
bind lb vserver lb_vserver1 lb_vserver1SG
bind lb vserver lb_vserver1 -policyName RP_Enforce_Content-Security-Policy -priority 90 -gotoPriorityExpression Next -type RESPONSE
bind lb vserver lb_vserver1 -policyName RP_Enforce_Expect_CT -priority 100 -gotoPriorityExpression Next -type RESPONSE
bind lb vserver lb_vserver1 -policyName RP_Enforce_Referrer -priority 110 -gotoPriorityExpression Next -type RESPONSE
bind lb vserver lb_vserver1 -policyName RP_Enforce_XContent_Header -priority 120 -gotoPriorityExpression Next -type RESPONSE
bind lb vserver lb_vserver1 -policyName RP_Enforce_XSS_Header -priority 130 -gotoPriorityExpression Next -type RESPONSE
bind lb vserver lb_vserver1 -policyName RP_Enforce_STS -priority 140 -gotoPriorityExpression END -type RESPONSE
bind serviceGroup lb_vserver1SG web_server1 1111
bind serviceGroup lb_vserver1SG web_server2 1111 -state DISABLED
bind serviceGroup lb_vserver1SG -monitorName tcp
set ssl serviceGroup lb_vserver1SG -sslProfile ns_default_ssl_profile_backend
set ssl vserver lb_vserver1 -sslProfile cert.com-ssl
bind ssl serviceGroup lb_vserver1SG -eccCurveName P_256
bind ssl serviceGroup lb_vserver1SG -eccCurveName P_384
bind ssl serviceGroup lb_vserver1SG -eccCurveName P_224
bind ssl serviceGroup lb_vserver1SG -eccCurveName P_521
bind ssl vserver lb_vserver1 -certkeyName certname
bind ssl vserver lb_vserver1 -certkeyName CAname -CA -ocspCheck Optional

---
ltm pool F5_pool1 {
    load-balancing-mode least-connections-node
    members {
        web_server1:1111 {
            address 10.20.6.5
            session monitor-enabled
            state up
        }
        web_server2:1111 {
            address 10.20.6.6
            session monitor-enabled
            state up
        }
    }
    monitor https 
}

ltm virtual F5_vserver1 {
    destination 10.20.40.5:1111
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        source_addr_15m {
            default yes
        }
    }
    pool F5_pool1
    profiles {
        serverssl {
            context serverside
        }
        tcp { }
        certname {
            context clientside
        }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 35
}


add serviceGroup lb_vserver2 ANY -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO
add lb vserver lb_vserver2 ANY 10.20.51.5 2222 -persistenceType SOURCEIP -timeout 3 -cltTimeout 120 -l2Conn ON
bind lb vserver lb_vserver2 lb_vserver2SG
bind serviceGroup lb_vserver2SG app_server1 2222
bind serviceGroup lb_vserver2SG app_server2 2222 -state DISABLED
bind serviceGroup lb_vserver2SG -monitorName http

---
ltm pool F5_pool2 {
    load-balancing-mode least-connections-node
    members {
        app_server1:2222 {
            address 10.20.7.77
            session monitor-enabled
            state up
        }
        app_server2:2222 {
            address 10.20.7.78
            session monitor-enabled
            state up
        }
    }
    monitor http 
}

ltm virtual F5_vserver2 {
    destination 10.20.50.5:2222
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        source_addr {
            default yes
        }
    }
    pool F5_pool2
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 159
}
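Rhonda's suggestion is to pull both lb vservers and their serviceGroups out of the running config and compare them side by side. The script below is an added example, not from either poster or from Citrix, that does that comparison offline: NSCONF is a constructed excerpt of the NetScaler config posted above, and sg_type, vs_info and audit_binds are hypothetical helper names. For every `bind lb vserver <vs> <sg>` line it reports the vserver's service type, the bound serviceGroup, that group's type (or MISSING when no `add serviceGroup` line defines it) and whether `-l2Conn` is ON, so the ANY/L2 dependency from the thread and the bind to lb_vserver2SG with no matching `add serviceGroup` line in the posted config both show up in one listing.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check lb vserver binds against
# their serviceGroups in a saved ns.conf. NSCONF is a constructed excerpt of
# the config posted above; on a real box feed it "show ns runningconfig" output.
NSCONF=$(cat <<'EOF'
add serviceGroup lb_vserver1SG SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES
add lb vserver lb_vserver1 SSL 10.20.41.5 1111 -persistenceType SOURCEIP -timeout 3 -cltTimeout 180
bind lb vserver lb_vserver1 lb_vserver1SG
bind lb vserver lb_vserver1 -policyName RP_Enforce_STS -priority 140 -gotoPriorityExpression END -type RESPONSE
add serviceGroup lb_vserver2 ANY -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO
add lb vserver lb_vserver2 ANY 10.20.51.5 2222 -persistenceType SOURCEIP -timeout 3 -cltTimeout 120 -l2Conn ON
bind lb vserver lb_vserver2 lb_vserver2SG
EOF
)

# Service type of a serviceGroup, or MISSING when no "add serviceGroup" line defines it.
sg_type() {
  t=$(printf '%s\n' "$NSCONF" |
      awk -v n="$1" '$1=="add" && $2=="serviceGroup" && $3==n {print $4; exit}')
  if [ -n "$t" ]; then printf '%s' "$t"; else printf 'MISSING'; fi
}

# Service type of an lb vserver followed by ON/OFF for -l2Conn, e.g. "ANY ON".
vs_info() {
  printf '%s\n' "$NSCONF" |
    awk -v n="$1" '$1=="add" && $2=="lb" && $3=="vserver" && $4==n {
      print $5, ($0 ~ /-l2Conn ON/ ? "ON" : "OFF"); exit }'
}

# One line per "bind lb vserver <vs> <sg>" (policy binds, whose 5th field starts
# with "-", are skipped): vserver, vs type, serviceGroup, sg type, l2Conn.
audit_binds() {
  printf '%s\n' "$NSCONF" |
    awk '$1=="bind" && $2=="lb" && $3=="vserver" && $5 !~ /^-/ {print $4, $5}' |
  while read -r vs sg; do
    set -- $(vs_info "$vs")
    printf '%s %s %s %s %s\n' "$vs" "$1" "$sg" "$(sg_type "$sg")" "$2"
  done
}

audit_binds
```

A serviceGroup of type ANY bound to an lb vserver that also needs -l2Conn ON, or a bind whose serviceGroup resolves to MISSING, is exactly the kind of line to paste back into the thread alongside the working SSL vserver.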
