
ADC GSLB behind Azure Load Balancer




I have been working for a few days on an issue for a customer which manifests itself as follows:

2 x ADC devices in HA pair at client datacentre
2 x ADC devices in single Azure location. These are in HA and sat behind an Azure Load Balancer to allow for floating IPs

The issue I have is that we are trying to set up GSLB, however the Azure external GSLB IP has the lower first octet and as such, initiates the MEP communications. I can see the MEP traffic leave the Azure ADC and hit the on-prem ADC on port 3009. The on-prem ADC then sends back an ACK, but this never reaches the Azure ADC. I believe this is because the Azure ADC uses a random port to initiate the connection and goes directly out to the internet for this. When the ACK response comes back, it comes back to the random ephemeral port that the Azure NetScaler initiated the connection on and as such, the Azure Load Balancer drops the packet as there are no rules for it to follow.

Also, we have ADNS and Gateway vServers sat behind the same Azure Load Balancer which all work fine as the incoming connection is coming into the correct ports (53, 80 and 443 etc). 


Has anyone managed to work around this issue? If not, does anyone know of a way to:

1. Force the on-prem ADC to initiate the MEP traffic


2. Force the initiating ADC to use port 3009 (or any specific port) for its own outbound connection to the remote site

Thanks in advance




telnet is working fine from my laptop to port 3009 on the ADC - NSG rules are set appropriately for this.

ALB is in Active-Passive mode with floating IPs for the various services (GSLB, ADNS, Gateway).

We may have found a bit of a workaround. As the NSIPs have public IPs bound to them in Azure, we have made these static and on the RPC node, set the remote site to use the NSIP as the source address. This appears to be working as it comes back to the NSIP address directly rather than go through the ALB to the GSLB site address.


My understanding was that GSLB MEP traffic had to hit the GSLB Site IP, however this setup shows that is either wrong or not working correctly. Hopefully Citrix don't plug this gap anytime soon.


  • 2 weeks later...

Just an update on this one...


I had to force the GSLB MEP traffic to go out of the Azure ADC appliances on the NSIP. This is done by setting a source address against the RPC node in the Network section of the config. What happens then is that the traffic goes out of the NSIP (on a random port) to the other GSLB NetScaler(s) and hits them on tcp/3009. The MEP partners then respond to the Azure NetScaler, but rather than send traffic back to the NSIP on the random port, it is sent to the GSLB address on port tcp/3009.

This is then allowed through the Azure Load Balancer and Azure NSG rules and successfully reports the GSLB sites as up.


Very strange situation, but it's working.
