Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

SNAT Scenario: Real server cannot communicate with the Internet without Virtual Service to Real Server mapping

 

Information

 

Summary:

Real server cannot communicate with the Internet without Virtual Service (VIP) to Real Server mapping (RS).

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: Any

Question/Problem Description:
  • Unless there is some VIP:DummyPort-to-RS:DummyPort mapping on the LoadMaster, that real server cannot communicate with the Internet.
  • If there is a RS mapped to a VIP on the LoadMaster however, then that real server can successfully communicate out to the internet.
Steps to Reproduce:
  • Enable SNAT on LoadMaster.
  • Set the default gateway of a real server to be the loadmaster.
  • Add that server to a virtual service on the loadmaster, and run a TCP Dump.
  • Try to reach the internet on that real server and it should be successful.
  • A TCP Dump should show outbound requests to several public internet IPs, sourcing from either the LM interface, or the VIP that real server resides on (Depending on the specific SNAT setting enabled).
  • Remove that real server from the VIP, and try to reach the internet again, and it should fail.
Error Message:  
Defect Number:  
Enhancement Number:  
Cause: Packet routing filtering being enabled, or not having the real server configured on an existing loadmaster virtual service.
Resolution:
  • Either a real server is required to be added to a VIP on the LoadMaster in order for outbound internet access to be possible, OR Packet Routing filtering needs to be DISABLED on the LoadMaster.
  • In order to disable Packet Routing Filtering, Global Balancing (GSLB) must first be disabled. 
  • GSLB can be disabled under Global Balancing > Disable GSLB.

                                          Disable_GSLB.png

  • Packet routing filtering can then be disabled under Packet Routing Filter option within System Configuration > Network Setup > Packet Routing Filter 

 

           Disable_PacketFilter.png

  • With the packet routing filter disabled, any server with the loadmaster configured as its network default gateway should now be able to communicate out to the internet.

 

Workaround: Disable Packet Filtering
Notes: Packet Routing Filter

Was this article helpful?
0 out of 0 found this helpful

Comments