Server load balancing service does not work normally because of an SLB limitation

Publication Date:  2012-10-30 Views:  413 Downloads:  0
Issue Description
Networking topology (diagram not reproduced on this page)

Phenomenon description:
1. The customer wants two intranet servers to provide service on TCP ports 8001 and 8003, with load balancing between them.
2. Device type: USG2130, V100R005.
3. Failure symptom:
The configuration is as follows:
slb
  rserver 1 rip 192.1.1.200 weight 32 healthchk
  rserver 2 rip 192.1.1.203 weight 32 healthchk
group diy8001
  metric srchash
  addrserver 1
  addrserver 2
group diy8013
  metric srchash
  addrserver 1
  addrserver 2
vserver diy8001 vip 58.63.225.51 group diy8001 tcp vport 8001 rport 8001
vserver diy8013 vip 58.63.225.51 group diy8013 tcp vport 8013 rport 8013

The problem symptoms:
1. Extranet access to http://58.63.225.51:8001 works and reaches the 8001 website.
2. Extranet access to http://58.63.225.51:8013 fails; access reaches the 8013 website, but not the 8001 website.
3. After deleting the configuration item "vserver diy8001 vip 58.63.225.51 group diy8001 tcp vport 8001 rport 8001", extranet access to http://58.63.225.51:8013 fails again; access reaches the 8013 website, but not the 8001 website.
Alarm Information
none
Handling Process
1. Configure only a virtual IP corresponding to a group, without any port mapping (vport/rport), so that all ports are mapped.
2. Use an inter-zone policy to permit only the ports of the service offered to the outside and deny all other ports.
The configuration is as follows:
slb
  rserver 1 rip 192.1.1.200 weight 32 healthchk
  rserver 2 rip 192.1.1.203 weight 32 healthchk
group diy8001
  metric srchash
  addrserver 1
  addrserver 2

vserver diy8001 vip 58.63.225.51 group diy8001 tcp

Define the port group (service set):
ip service-set ccc type object
  service 0 protocol tcp destination-port 8001
  service 1 protocol tcp destination-port 8013

Create the inter-zone rule:
policy interzone trust untrust inbound
[USG2100-policy-interzone-trust-untrust-inbound]
policy 0
  action permit
  policy service service-set ccc
  policy destination 192.168.1.200 0

policy 1
  action permit
  policy service service-set ccc
  policy destination 192.168.1.203 0
policy 2
  action deny
Root Cause
Cause analysis:
The current version does not support one virtual IP corresponding to multiple groups, so only the first of the following commands takes effect:
vserver diy8001 vip 58.63.225.51 group diy8001 tcp vport 8001 rport 8001
vserver diy8013 vip 58.63.225.51 group diy8013 tcp vport 8013 rport 8013
Suggestions
Because no version, including the V100R005 series, supports one virtual IP corresponding to multiple groups, the only option is the full mapping approach, with an inter-zone policy opening only the corresponding ports to strengthen security. This approach therefore requires the customer to have an available public IP.
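As an added check, not part of this case or of any Huawei tooling, the following Python script scans exported USG configuration text for the two conditions discussed above: a VIP bound by more than one vserver, where only the first command takes effect on V100R005, and a full-mapping vserver (no vport) that is not paired with an inter-zone policy that limits the permitted ports through a service-set. The configuration samples are constructed from this case; the parser only recognises the command forms shown on this page.

```python
import re

# Constructed sample reproducing the customer's original vserver lines (not a device export).
ORIGINAL_CFG = """\
vserver diy8001 vip 58.63.225.51 group diy8001 tcp vport 8001 rport 8001
vserver diy8013 vip 58.63.225.51 group diy8013 tcp vport 8013 rport 8013
"""

# Constructed sample of the corrected approach: full mapping plus a port-limiting inter-zone policy.
FIXED_CFG = """\
vserver diy8001 vip 58.63.225.51 group diy8001 tcp
ip service-set ccc type object
 service 0 protocol tcp destination-port 8001
 service 1 protocol tcp destination-port 8013
policy interzone trust untrust inbound
 policy 0
  action permit
  policy service service-set ccc
"""

VSERVER_RE = re.compile(r"^\s*vserver\s+(?P<name>\S+)\s+vip\s+(?P<vip>\S+)\s+group\s+(?P<group>\S+)"
                        r"\s+(?:tcp|udp)(?:\s+vport\s+(?P<vport>\d+)\s+rport\s+(?P<rport>\d+))?\s*$")

def parse_vservers(cfg):
    """One dict per vserver line; vport/rport are None for a full mapping."""
    return [m.groupdict() for line in cfg.splitlines() if (m := VSERVER_RE.match(line))]

def ignored_vservers(cfg):
    """Names of vservers that will not take effect: every vserver after the first bound to the same VIP."""
    seen, ignored = set(), []
    for v in parse_vservers(cfg):
        if v["vip"] in seen:
            ignored.append(v["name"])
        seen.add(v["vip"])
    return ignored

def exposed_full_mappings(cfg):
    """VIPs mapped on all ports (no vport) while no inbound policy references a port-limiting service-set."""
    sets_with_ports, referenced, current = set(), set(), None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("ip service-set "):
            current = s.split()[2]                 # enter a service-set definition
        elif current and s.startswith("service ") and "destination-port" in s:
            sets_with_ports.add(current)           # this set restricts destination ports
        elif s.startswith("policy service service-set "):
            referenced.add(s.split()[3])           # a policy rule uses this set
    restricted = bool(sets_with_ports & referenced)
    return [v["vip"] for v in parse_vservers(cfg) if v["vport"] is None and not restricted]
```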
