rgk_76855
Feb 12, 2012 Nimbostratus
Load Balancing and NAT
Hi
Just wanted to get your opinion on an issue I am facing right now and was wondering if you could confirm my hypothesis. Also, whether F5 recommends any solution to this peculiar problem!!! Just a brief background: we have an application which is hosted behind a load balancer. The virtual IP on the load balancer receives the request from the client, and the LB then redirects the request to the appropriate real server based on the algorithm selected (could be fastest response, weighted round robin, etc.). Session persistence is enabled to ensure the same client is redirected to the same real server.
This persistence is based on the source IP of the client. We have some sites that are accessing this application from behind firewalls installed at those locations. I don't have access to those firewalls and thus am unable to change their behavior. Now the problem is that all the clients behind these firewalls are being NAT'd using a single IP address. As a result, when the requests of these users reach the load balancer, they appear to be coming from a single IP and thus are redirected to the same real server, causing an imbalance in the sessions on the real servers.
Someone proposed that we should try to find a load balancer that would be able to carry out persistence based on source IP + source port. From a layman's perspective it would appear to be the correct solution, but when the NAT session table is looked at it becomes pretty evident this cannot be done. Why? The first time the client would initiate a session to the virtual IP on the load balancer, based on source IP + source port the server would be redirected to, let's suppose, real server A. But when the second connection in the same session is initiated, it will bring the same source IP but a different TCP port at the client end into play, thus redirecting the client's session to a different real server - meaning no persistence, because the user session is being redirected to a different real server!!! Thus defeating the purpose for which we were looking at this solution in the first place. This solution is OK if we are considering stateless access to the real servers, i.e. in case we do not need persistence. But where persistence is required, I doubt any load balancer vendor implements this!!! The best solution for all those clients behind the firewall, in my opinion, is to either use SSL or cookies to ensure session persistence and more even load distribution.
E.g.:
Users' original IP range is: 10.1.76.0/24
Juniper FW (SSG) LAN IP is: 10.1.76.1/24
Juniper FW (SSG) WAN IP is: 10.200.240.1/30 (this interface is in NAT mode, therefore all requests are being NAT'd - the request that is reaching the SLB is from 10.200.240.1/32)
So when 50 users from my site start a session on the LB, the requests would appear to come from 10.200.240.1, thus the SLB would load-balance them ALL to the same real server. Looking forward to your response :) ...
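
A small simulation of the three persistence keys discussed in the post above, added as an illustration and not part of the original post: 50 users behind the NAT address 10.200.240.1, four connections each. The server pool, the hash used to pick a server and the round-robin cookie assignment are assumptions made for the example, not any vendor's implementation.

```python
import hashlib
from collections import Counter

SERVERS = ["A", "B", "C", "D"]   # constructed pool of real servers (assumption)
NAT_IP = "10.200.240.1"          # firewall WAN address from the post

def hash_pick(key):
    """Map a persistence key to a real server (stand-in for the LB's table)."""
    h = hashlib.sha256(key.encode()).digest()
    return SERVERS[int.from_bytes(h[:4], "big") % len(SERVERS)]

def simulate(mode, users=50, conns_per_user=4):
    """Return (connections per server, users whose session changed server)."""
    load = Counter()
    seen = {}       # user -> set of servers that handled this user's connections
    cookie = {}     # user -> server named in the cookie the LB inserted
    port = 1024     # the NAT device hands out a new source port per connection
    for _ in range(conns_per_user):
        for user in range(users):
            port += 1
            if mode == "src_ip":
                # Every user shares the NAT address, so the key never varies.
                server = hash_pick(NAT_IP)
            elif mode == "src_ip_port":
                # The key changes with each new connection of the same user.
                server = hash_pick(f"{NAT_IP}:{port}")
            elif mode == "cookie":
                # First request has no cookie: balance round-robin, then stick.
                server = cookie.setdefault(
                    user, SERVERS[len(cookie) % len(SERVERS)])
            else:
                raise ValueError(mode)
            load[server] += 1
            seen.setdefault(user, set()).add(server)
    moved = sum(1 for s in seen.values() if len(s) > 1)
    return dict(load), moved

if __name__ == "__main__":
    for mode in ("src_ip", "src_ip_port", "cookie"):
        load, moved = simulate(mode)
        print(f"{mode:12} load={load} users_moved={moved}")
```

Source-IP persistence puts all 200 connections on one server, source IP + port spreads the load but moves users between servers mid-session, and the cookie key gives both an even spread and stable sessions.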