We've got a couple of AFS clients behind a new load balancer, and are seeing some weird behavior. Both clients are running OpenAFS 1.2.10, and the load balancer is an F5 box. The load balancer acts as the default router on a private network for the two clients. Their local configuration is to use a 10 net address, but they have corresponding IP addresses in our normal network space that can be used to contact the hosts directly. The F5 box then works as a NAT to translate the outside IP addresses to the inside IP addresses, but as far as I've been told, doesn't do anything else to the packets. Once it does the translation it forwards the packets to the appropriate machine behind the load balancer, so I don't think it does the simple portmapping that is done by a Linksys NAT box or something similar.
We have a read-only directory in AFS that we'd like them to be able to read information from. To access this directory, we created an IP ACL group with both the internal and external IP addresses of these machines, along with the IP addresses of two other machines that are not behind the F5 box. The volume was then moved from one server to another to get the IP ACL changes to take effect. (Since there's usually a delay in updating the PT database with IP ACLs.)

When the volume was moved to the other AFS server, while the two boxes outside the load balancer could see the volume, the boxes on the inside could not. The volume was then moved back to the original AFS server, and then, one of the two boxes behind the load balancer could see the directory, but the other still couldn't. The two machines not behind the load balancer could still see the directory.

There shouldn't be any sort of firewall differences between the load balanced machines and the two AFS servers; while we do have a firewall, it's on the other side of the network. While reading through some archives of openafs-info, I saw a few posts that indicated that Rx has some problems with NAT, but this seemed to be due to the port mapping done by a desktop NAT box. I've been told that the F5 boxes don't do this sort of port mapping when you contact the outside IP address to talk to one of the inside machines directly.

If anyone has any suggestions, or ways of testing these connections (rxdebug?) I would appreciate it.

Thank you,

Brian Sebby

--
Brian Sebby ([EMAIL PROTECTED]) | Distributed Computing Administration
Phone: +1 630.252.9935 | Computing and Instrumentation Solutions
Fax: +1 630.252.4601 | Argonne National Laboratory

_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
