Johan Ronkainen wro
The information I have is that the VS-DR LVS isn't working,
that Win2k drops packets on the loopback interface for the VIP
and the VPN between the director and the Win2k
real-servers appears to deliver the packets as expected.
If this is the situation then
1. check that the Win2k machine is having problems by directly connecting
it to the director (no IPSEC, just ipv4)
2. put the VIP onto another NIC on the Win2k machine (see the HOWTO for this).
This works for linux boxes, but hasn't been tested on Win2k
Joe
> Did you get a reply on this? I've been away and don't see anything.
>>No replies so far. I tried it but Win2000 appears to drop packets destined
>>to the loopback interface's IP (VIP) if they're coming thru the IPSec VPN tunnel. The VPN
>>itself between the Freeswan+LVS box and Win2000 is working. When running tcpdump
>>on linux it shows that LVS is sending packets with VIP as destination thru
>>ipsec0. Since I don't have a similar tool for the win32 environment I don't know if
>>they are actually sent to Win2000 or not.
>
>          +------------------------------------------------WAN------------+
>          |                    +----------------------------WAN----------+|
>          |                    |                    +--------LAN--------+||
>          v                    v                    v                   |||
> +-----------------+  +-----------------+  +-----------------+  +-----------------+
> | W2K, Building 1 |  | W2K, Building 2 |  | W2K, Building 3 |  | LVS, Building 3 |
> | VIP 192.168.3.9 |  | VIP 192.168.3.9 |  | VIP 192.168.3.9 |  | VIP 192.168.3.9 |
> | IP 192.168.1.1  |  | IP 192.168.2.1  |  | IP 192.168.3.3  |  | IP 192.168.3.4  |
> | VPN 192.168.3.1 |  | VPN 192.168.3.2 |  |                 |  | FreeSwan Server |
> +-----------------+  +-----------------+  +-----------------+  +-----------------+
>          |                    |                    |                    ^
>          |                    |                    |                    |
>        Reply                Reply                Reply               Request
>          |                    |                    |                    |
>          |                    |                    |                    |
>          |                    |                    |           +-----------------+
>          |                    |                    +---------->| Windows95/NT/2K |
>          |                    +------------------------------->| Client PC       |
>          +---------------------------------------------------->| IP 192.168.4.1  |
>                                                                +-----------------+
>
>
> Client sends request to 192.168.3.9. LVS load balances connection request
> using DirectRoute to one of Win2000 real servers. Two of Win2000 servers are
> on remote locations and one is on same physical subnet as LVS. Above picture
> is heavily simplified compared to our real environment.
>
> Building fault tolerant LVS machine with VPN might cause some headache, but
> is there any other reasons why it wouldn't work? Setting Win2000<->FreeSwan
> VPN is bit clumsy, but well documented. Also DirectRoute works on Win2000
> MS-Loopback adapter without playing with ROUTE command since you can just
> configure loopback using higher metric than any other interface. Also
> default route must be real IP instead of VPN tunnel.
>
> This approach will cause some extra traffic when client PC is located on
> buildings one or two since packets travel thru WAN to building three first
> instead of going to nearest server. However since WAN is already redundant
> and amount of traffic between client and server is minimal I don't think
> it's that bad. I'm planning to load balance Win2000 servers running in
> Terminal Server mode and would like to add servers on remote buildings to
> same farm as the servers in main building. If installation like this is
> possible I guess it could be used to do load balancing other services in
> different environments as well.
>
> Another task would be adding minimal httpd to Win2000 servers that serves
> text files that lists active and disconnected WTS sessions as well as
> running processes, amount of free memory and CPU. Then LVS box could finger
> Win2000 servers every 3 minutes and calculate new weights for WLC balancing.
>
> BTW. WTS is same as NT4 with TSE. It's like Citrix Win/Metaframe multiuser
> addon for Windows but crippled.
>
> Am I crazy? Should I drop LVS and simply go pure Microsoft WLBS? I've read
> that paper on LVS website explaining WLBS pros and cons. Company is not
> willing to buy additional extraordinary expensive Citrix licenses since MS
> licenses are a lot cheaper due our present agreements with MS.
>
> --
> Johan.Ronkainen@xxxxxx
>
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
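
The director-side half of the weight-recalculation idea in the quoted message, sketched as an added example that is not part of either poster's mail. The key=value status format, its field names, the scoring formula and the use of port 3389 are assumptions made for the example; a server whose status cannot be parsed is set to weight 0 so it receives no new connections.

```python
# Added example: turn polled real-server status text into ipvsadm weight updates.
# Status format, field names and scoring formula are assumptions, not from the thread.
VIP = "192.168.3.9"   # VIP from the diagram in the thread
PORT = 3389           # assumption: Terminal Services (RDP) port
REQUIRED = ("active_sessions", "disconnected_sessions", "free_mem_mb", "cpu_idle_pct")

# Constructed sample of what each real server's status page might return.
SAMPLE_STATUS = {
    "192.168.1.1": "active_sessions=12\ndisconnected_sessions=3\nfree_mem_mb=256\ncpu_idle_pct=40\n",
    "192.168.2.1": "active_sessions=2\ndisconnected_sessions=0\nfree_mem_mb=900\ncpu_idle_pct=95\n",
    "192.168.3.3": "active_sessions=oops\n",   # malformed reply
}

def parse_status(text):
    """Parse key=value lines into non-negative ints; ValueError on bad or missing fields."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in REQUIRED:
            fields[key.strip()] = int(value.strip())   # ValueError if not numeric
    missing = [k for k in REQUIRED if k not in fields]
    if missing or any(v < 0 for v in fields.values()):
        raise ValueError("bad status: %r" % (missing or fields))
    return fields

def weight(fields, max_weight=100):
    """Map load figures to an LVS weight in 1..max_weight (more idle = heavier)."""
    cpu = min(fields["cpu_idle_pct"], 100) / 100.0
    mem = min(fields["free_mem_mb"], 1024) / 1024.0
    # Disconnected sessions still hold memory, so count them at half cost.
    sessions = fields["active_sessions"] + 0.5 * fields["disconnected_sessions"]
    score = (0.5 * cpu + 0.5 * mem) / (1.0 + sessions / 10.0)
    return max(1, round(score * max_weight))

def ipvsadm_commands(statuses):
    """Return ipvsadm argv lists; an unusable status quiesces the server (weight 0)."""
    cmds = []
    for rip, text in sorted(statuses.items()):
        try:
            w = weight(parse_status(text))
        except ValueError:
            w = 0   # no new connections until the server reports sanely again
        cmds.append(["ipvsadm", "-e", "-t", "%s:%d" % (VIP, PORT),
                     "-r", rip, "-g", "-w", str(w)])
    return cmds

if __name__ == "__main__":
    print("\n".join(" ".join(c) for c in ipvsadm_commands(SAMPLE_STATUS)))
```

Building the commands as argument lists rather than shell strings keeps text fetched from a real server from ever being interpreted by a shell on the director.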