Direct Server Access in One-armed, Routed mode

tonybourke
Level 1

I'm having an issue with direct server access in a one-armed, routed mode as shown below.

Drawing1.png

Packets come in from the router, to the server directly.  When the server responds, the packets go to the ACE as its default gateway, and then are forwarded by the ACE to the router as the ACE's default gateway.

Load balancing works fine; however, connecting directly to the server (192.168.1.100) doesn't seem to work. ACLs are "any any" on input and output on the 192.168.1.10 interface of the ACE.

From what I'm reading it may be required to turn off IP normalization, but I wanted to get any other insights into possible causes.

Tony

3 Replies

dario.didio
Level 4

Hi,

What you should do is configure the router to be the default gateway of the server, and use source NAT for load-balancing to force the return traffic from the server to the ACE in case of load-balancing.

What you could do as a workaround is configure source NAT on your router for direct server traffic. It is the same principle as when using source NAT on the ACE: the return traffic is sent to an address that is local to the subnet, so it will send directly to it, not using the default gateway.

HTH,

Dario

Normally, SNAT is what we'd do.  However, there is a requirement to preserve the true client source IP address, and the insert HTTP header option won't work because of the non-HTTP protocol being used.

In this case, you could create a static route on your router for the server IP to the ACE.  You may have MAC address conflicts as the router will try to answer on behalf of the server, but in that case you can statically map the server MAC addresses to your ACE.  Not perfect, but it works.
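
Added example, not part of any post in this thread and not Cisco ACE code: a small Python model of the TCP handshake path for direct server access under each option discussed above. The router address 192.168.1.1 and client 203.0.113.5 are constructed, and the model assumes (as the original poster suspects) that with normalization on, the ACE drops a SYN-ACK for which it never saw the SYN.

```python
# Constructed model of the thread's topology; illustrative only.
SERVER = "192.168.1.100"   # from the original post
ACE = "192.168.1.10"       # ACE interface, from the original post
ROUTER = "192.168.1.1"     # assumed router address on the server subnet
CLIENT = "203.0.113.5"     # constructed off-subnet client

def on_subnet(ip):
    return ip.startswith("192.168.1.")

class StatefulHop:
    """Forwards non-SYN segments only for flows whose SYN it has seen."""
    def __init__(self, strict=True):
        self.strict = strict   # strict=False models normalization turned off
        self.flows = set()

    def forward(self, src, dst, flags):
        key = frozenset((src, dst))
        if flags == "SYN":
            self.flows.add(key)
            return True
        return key in self.flows or not self.strict

def handshake(router_next_hop=SERVER, router_snat=False, server_gw=ACE, strict=True):
    """Return (completed, path) for the client's SYN and the server's SYN-ACK."""
    ace = StatefulHop(strict)
    path = ["router"]
    src = ROUTER if router_snat else CLIENT   # source NAT on the router
    # Forward direction: direct to the server, or via the ACE (static route).
    if router_next_hop == ACE:
        path.append("ace")
        ace.forward(src, SERVER, "SYN")
    path.append("server")
    # Return direction: on-subnet destinations are reached directly,
    # everything else goes to the server's default gateway.
    if not on_subnet(src) and server_gw == ACE:
        path.append("ace")
        if not ace.forward(SERVER, src, "SYN-ACK"):
            return False, path + ["DROP"]
    path.append("router")
    return True, path

if __name__ == "__main__":
    print("as posted:        ", handshake())
    print("normalization off:", handshake(strict=False))
    print("router source NAT:", handshake(router_snat=True))
    print("static route->ACE:", handshake(router_next_hop=ACE))
    print("router as gateway:", handshake(server_gw=ROUTER))
```

Only the static-route case puts both directions through the ACE with the client address intact; the source NAT and router-as-gateway cases bypass the ACE on the return path.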
