Re: [lvs-users] Cisco PIX problem with LVS-TUN setup

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Cisco PIX problem with LVS-TUN setup
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Wed, 05 Dec 2007 09:45:14 +0000
On Fri, 2007-11-30 at 12:28 +0000, Steve Drew wrote:
> Load balancing to Realserver1 is working correctly, but when the
> director sends the request to realserver2 I'm seeing the following on the
> PIX:
> 
> %PIX-6-106015: Deny TCP (no connection) from host lb0/80 to
> my.external.i.p/1083 flags SYN ACK  on interface dmz2-network
> 
> I'm presuming because the PIX doesn't know about the connection.
> 
> I have disabled reverse-path verification on the dmz2 network.

Hrm...

Turning off reverse-path verification on dmz2 won't work, since the PIX
sees lb0's address on the network attached to dmz1 and is keeping the
connection table for sessions from clients to lb0 locked to that
interface.

What happens if you add an explicit PERMIT rule for traffic from lb0
which is ingress traffic to the dmz2 interface? I'd write one for you
but it's so long since I drove a PIX I'd get it wrong :)

Graeme
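The mechanism Graeme describes, a connection table that is created by the client's SYN and bound to the interface the server side was reached through, is what turns a direct-return SYN ACK from a second interface into a "Deny TCP (no connection)" event. The Python below is an added illustration, not code from this thread or from Cisco: it parses a constructed copy of the quoted 106015 line into its fields, then replays the scenario against a toy stateful firewall. Host names, ports and the interface layout (lb0 reached through dmz1, realserver2 returning traffic through dmz2) are assumptions taken from the thread; the firewall model is deliberately minimal.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the PIX message quoted in the thread.
SAMPLE_LOG = ("%PIX-6-106015: Deny TCP (no connection) from host lb0/80 to "
              "my.external.i.p/1083 flags SYN ACK  on interface dmz2-network")

# Field layout of message 106015: protocol, src host/port, dst host/port,
# TCP flags, ingress interface. Flags are matched lazily so the run of
# spaces before "on interface" is absorbed by \s+.
PIX_106015 = re.compile(
    r"%PIX-\d-106015: Deny (?P<proto>\w+) \(no connection\) from host "
    r"(?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)


def parse_106015(line):
    """Return the fields of a 106015 deny line as a dict, or None if it is not one."""
    m = PIX_106015.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    fields["flags"] = fields["flags"].split()
    return fields


@dataclass(frozen=True)
class Flow:
    client: str
    cport: int
    server: str
    sport: int


class StatefulFirewall:
    """Minimal model of a PIX-style connection table (an assumption, not PIX code).

    A flow is created by the client's SYN and records the interface the server
    side was reached through. A reply must arrive on that same interface;
    otherwise it belongs to no known connection and is denied.
    """

    def __init__(self):
        self.table = {}      # Flow -> interface the server side lives on
        self.denials = []    # (src, sport, dst, dport, flags, ingress iface)

    def forward(self, src, sport, dst, dport, flags, in_iface, out_iface):
        flags = set(flags)
        if flags == {"SYN"}:
            # Client-initiated SYN: create the entry, pinned to out_iface.
            self.table[Flow(src, sport, dst, dport)] = out_iface
            return "permit"
        # Anything else is looked up as the server side of an existing flow.
        flow = Flow(dst, dport, src, sport)
        if self.table.get(flow) != in_iface:
            self.denials.append((src, sport, dst, dport, sorted(flags), in_iface))
            return "deny (no connection)"
        return "permit"


def simulate_lvs_tun():
    """Replay the thread's scenario; names and interfaces are assumptions."""
    fw = StatefulFirewall()
    client, lb0 = "my.external.i.p", "lb0"
    results = {}
    # 1. Client SYN reaches the director lb0 via the outside interface.
    results["client_syn"] = fw.forward(
        client, 1083, lb0, 80, {"SYN"}, "outside", "dmz1")
    # 2. A reply entering on dmz1, the interface the flow is pinned to, passes.
    results["reply_via_dmz1"] = fw.forward(
        lb0, 80, client, 1083, {"SYN", "ACK"}, "dmz1", "outside")
    # 3. realserver2 answers with lb0's address but enters on dmz2: no flow there.
    results["reply_via_dmz2"] = fw.forward(
        lb0, 80, client, 1083, {"SYN", "ACK"}, "dmz2", "outside")
    results["denials"] = fw.denials
    return results


if __name__ == "__main__":
    print(parse_106015(SAMPLE_LOG))
    for step, verdict in simulate_lvs_tun().items():
        print(step, "->", verdict)
```

The third step is the case from the original report: the same source address and flags that are accepted on dmz1 are denied on dmz2, because the lookup is keyed on interface as well as addresses. That is also why relaxing reverse-path verification alone changes nothing in this model; the flow entry still names dmz1.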
