Mailing List Archive

Re: [c-nsp] strange issue
> On Jul 29, 2021, at 11:55 AM, james list <jameslist72@gmail.com> wrote:
>
>
> Internet - Firewall – Lan - Load balancer – Lan – hypervisor- VM
>
>
>
> It happens sometimes that the VM does not respond anymore to Load balancer for
> external ip addresses until on the Load balancer it is set to source NAT
> (SNAT) the internet traffic and then SNAT is removed.
>

Can you share the routing table of the VM in question? Specifically/most importantly - Is the load balancer being used as the VM’s default gateway, or does the VM use the firewall as its default gateway? In the latter case, I would expect the load balancer to SNAT traffic or act as a full layer 7 proxy where a new TCP connection is established from the load balancer to the upstream servers.

With a misconfiguration or misaligned design intention here, I could see the intended behavior depending on ARP or firewall/connection state tracking behavior in the devices.


> Something like an action that solicits the VM to refresh the ARP.
>
>
>
> While health check from Loadbalancer to VM in the same LAN subnet never
> stops working.
>
>
>
> Has anybody ever encountered the same problem on VM environments ?

In the absence of evidence otherwise, I suspect your issue is not VM-specific. Do you have examples of physical hosts in the same LAN that do not exhibit this problem? If so, has the routing table (default gateway and possibly other persistent static routes) been compared?

>
> Any idea ?
>
>
>
> Thanks in advance
>
> James
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
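
An added example, not part of the thread and not any poster's code: it runs a longest-prefix match over a VM's routing table to show why replies to same-subnet health checks always return to the load balancer, while replies to un-NATed internet clients depend on the default gateway. It assumes a Linux VM and `ip route show` output; all addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: `ip route show` from a hypothetical VM at 10.0.20.50.
# The load balancer's inside address is assumed to be 10.0.20.2 and the
# default gateway (10.0.20.1) is some other device on the same LAN.
SAMPLE_ROUTES = """\
default via 10.0.20.1 dev eth0
10.0.20.0/24 dev eth0 proto kernel scope link src 10.0.20.50
"""

def parse_routes(text):
    """Parse `ip route show` lines into (network, gateway-or-None) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            network = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # skip route types this sketch does not model
        gateway = None
        if "via" in fields:
            gateway = ipaddress.ip_address(fields[fields.index("via") + 1])
        routes.append((network, gateway))
    return routes

def return_next_hop(routes, dest):
    """Next hop the VM uses for a reply to dest (dest itself if on-link)."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in routes if dest in net]
    if not matches:
        return None
    _, gateway = max(matches, key=lambda m: m[0].prefixlen)
    return gateway if gateway is not None else dest

def check_return_path(routes, source, lb_inside_ip):
    """Classify the reply path for traffic forwarded from source without SNAT."""
    hop = return_next_hop(routes, source)
    if hop is None:
        return "no-route"
    if hop == ipaddress.ip_address(lb_inside_ip):
        return "symmetric"    # reply goes back through the load balancer
    return "bypasses-lb"      # reply leaves via another gateway

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for src in ("10.0.20.2", "203.0.113.10"):  # health check, internet client
        print(src, check_return_path(table, src, "10.0.20.2"))
```

With SNAT enabled on the load balancer, every forwarded packet carries the load balancer's own address as source, so the on-link case applies to all traffic regardless of the VM's default gateway.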
Re: [c-nsp] strange issue
Hi
I've to ask for the VM routing table and then I will share.

VM gateway is load balancer.

Cheers
James

On Thu, Jul 29, 2021 at 18:17, Ryan Rawdon <ryan@u13.net> wrote:

>
> > On Jul 29, 2021, at 11:55 AM, james list <jameslist72@gmail.com> wrote:
> >
> >
> > Internet - Firewall – Lan - Load balancer – Lan – hypervisor- VM
> >
> >
> >
> > It happens sometimes that the VM does not respond anymore to Load balancer for
> > external ip addresses until on the Load balancer it is set to source NAT
> > (SNAT) the internet traffic and then SNAT is removed.
> >
>
> Can you share the routing table of the VM in question? Specifically/most
> importantly - Is the load balancer being used as the VM’s default gateway,
> or does the VM use the firewall as its default gateway? In the latter
> case, I would expect the load balancer to SNAT traffic or act as a full
> layer 7 proxy where a new TCP connection is established from the load
> balancer to the upstream servers.
>
> With a misconfiguration or misaligned design intention here, I could see
> the intended behavior depending on ARP or firewall/connection state
> tracking behavior in the devices.
>
>
> > Something like an action that solicits the VM to refresh the ARP.
> >
> >
> >
> > While health check from Loadbalancer to VM in the same LAN subnet never
> > stops working.
> >
> >
> >
> > Has anybody ever encountered the same problem on VM environments ?
>
> In the absence of evidence otherwise, I suspect your issue is not
> VM-specific. Do you have examples of physical hosts in the same LAN that
> do not exhibit this problem? If so, has the routing table (default gateway
> and possibly other persistent static routes) been compared?
>
> >
> > Any idea ?
> >
> >
> >
> > Thanks in advance
> >
> > James
>
>