Hi Emilio,

I’ve found the answer:
My server-side hardware switch is connected to a Juniper firewall that is run 
by our IT department.
When a passive ZLB node becomes active, it sends out a gratuitous ARP packet to 
announce itself to the network. This packet triggers an ARP table update of 
all connected network devices to map the service IP to the new MAC address.
But the Juniper firewall rejects this packet. This is due to its default 
security configuration, which disregards gratuitous ARP packets to prevent 
MAC spoofing attacks.
Now, as all traffic from external networks is channeled through the firewall, 
which still maps the service IP to the old ZLB node, the service is not 
reachable.
Reconfiguring the Juniper firewall to accept gratuitous ARP packets solves 
this issue.
This is somewhat unfortunate because it means that I have to rely on my network 
provider if I would like to introduce the Zen load balancer.
I suppose there is no other solution without relying on the network provider?
Except maybe replacing my switch with a router that accepts gratuitous ARP 
packets and introducing NAT?

Best Regards,
C. Scharfenberg

From: Emilio Campos [mailto:emilio.campos.mar...@gmail.com]
Sent: Monday, 25 April 2016 18:47
To: zenloadbalancer-support@lists.sourceforge.net
Subject: Re: [Zenloadbalancer-support] What is a reasonable 
Mean-Time-To-Take-Over?

Are your clients outside the network where zen lb is? Then maybe the following 
is the reason:

When a cluster service switches (you can check whether the service switches in 
/var/log/messages & /var/log/syslog), the virtual IPs and farms are started on 
the secondary node, and gratuitous ARP packets are sent to the network in order 
to indicate to switches and firewalls that the MAC of the given IP[s] has been 
modified. Some vendors, in addition to gratuitous ARP packets, also require 
receiving a large number of ICMP packets.

Does it also happen with clients inside the zen network?

This behaviour (changing the MAC for IPs) could be marked by switches 
(physical and virtual) as MAC spoofing, so ensure this is disabled for the VLAN 
where zen configures virtual IPs.

For example, in VMware vSwitches "Forged transmission" should be configured as 
Accept:

https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-7DC6486F-5400-44DF-8A62-6273798A2F80.html



2016-04-25 14:57 GMT+02:00 Scharfenberg, Carsten 
<c.scharfenb...@francotyp.com>:
Hello,

I managed to get my load balancer farms up and running.
Now I’m performing some tests:
- A failure of a single farm node is not perceivable by the client – great ☺
- A failure of the primary ZLB cluster node leads to a downtime of 10 
  to 20 minutes until the secondary node takes over ☹

So my question is: is this a normal recovery time or can it be optimized?

Note: when I access my services from within the server network there is no 
perceivable downtime. But from my client network point of view there is this 
downtime.
Obviously the overall network setup is important. So I include – once again – 
an image of this layout in my email.

Thanks a lot in advance,
C. Scharfenberg



_______________________________________________
Zenloadbalancer-support mailing list
Zenloadbalancer-support@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support



--
Load balancer distribution - Open Source Project
http://www.zenloadbalancer.com
Distribution list (subscribe): 
zenloadbalancer-support@lists.sourceforge.net
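
The thread contrasts dropping every gratuitous ARP with accepting all of them. As an added illustration (not code from this thread, from Zen Load Balancer or from any firewall vendor), the sketch below shows a middle ground: accept a gratuitous ARP for a service IP only when it comes from a known cluster node MAC. The VIP, MAC addresses and function names are constructed assumptions.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet II / IPv4 ARP frame; return None for anything else."""
    if len(frame) < 42:
        return None
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(src), "op": op, "sha": _mac(sha),
            "spa": _ip(spa), "tpa": _ip(tpa)}

def classify(frame, vip_owners, arp_table):
    """Label one frame; arp_table is updated only for accepted announcements."""
    arp = parse_arp(frame)
    if arp is None:
        return "not-arp"
    if arp["spa"] != arp["tpa"]:
        return "ordinary-arp"          # normal resolution, not an announcement
    allowed = vip_owners.get(arp["spa"], set())
    if arp["sha"] not in allowed or arp["eth_src"] != arp["sha"]:
        return "rejected-gratuitous"   # MAC is not a known owner of this IP
    moved = arp_table.get(arp["spa"]) != arp["sha"]
    arp_table[arp["spa"]] = arp["sha"]
    return "failover" if moved else "refresh"

def sample_frame(mac, spa, tpa):
    """Constructed test input: an ARP request built in memory, never sent."""
    m = bytes.fromhex(mac.replace(":", ""))
    ipb = lambda s: bytes(int(p) for p in s.split("."))
    return (b"\xff" * 6 + m + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, 1)
            + m + ipb(spa) + b"\x00" * 6 + ipb(tpa))

# Constructed values: documentation-range VIP, locally administered MACs.
VIP = "192.0.2.10"
NODE_A, NODE_B, OTHER = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:66"
OWNERS = {VIP: {NODE_A, NODE_B}}

def demo():
    table = {VIP: NODE_A}              # device still maps the VIP to the old node
    frames = [sample_frame(NODE_B, VIP, VIP), sample_frame(NODE_B, VIP, VIP),
              sample_frame(OTHER, VIP, VIP), sample_frame(NODE_A, "192.0.2.20", VIP)]
    return [classify(f, OWNERS, table) for f in frames], table

if __name__ == "__main__":
    print(demo())
```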