Is there any reason for an ICMP unreachable on a farm port when all other 
traffic is being forwarded properly?  This doesn't make sense.  Should I reboot 
the ZLB?



RB

________________________________
From: Randy Baca [ra...@rbaca.com]
Sent: Thursday, October 20, 2016 11:17 AM
To: zenloadbalancer-support@lists.sourceforge.net
Subject: Re: [Zenloadbalancer-support] UDP Port 514 Unreachable


Here is sanitized output.  It all looks normal.



root@zenlb01:~# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       udp  --  anywhere             (ZLB VIP)        statistic mode random probability 1.00000000000 multiport dports syslog /*  FARM_SyslogUDP_4_  */ MARK set 0x206
MARK       udp  --  anywhere             (ZLB VIP)        statistic mode random probability 0.72727272706 multiport dports syslog /*  FARM_SyslogUDP_3_  */ MARK set 0x205
MARK       udp  --  anywhere             (ZLB VIP)        statistic mode random probability 0.45454545459 multiport dports syslog /*  FARM_SyslogUDP_2_  */ MARK set 0x204
MARK       udp  --  anywhere             (ZLB VIP)        statistic mode random probability 0.18181818165 multiport dports syslog /*  FARM_SyslogUDP_1_  */ MARK set 0x203
MARK       udp  --  anywhere             (ZLB VIP)        statistic mode random probability 0.03636363614 multiport dports syslog /*  FARM_SyslogUDP_0_  */ MARK set 0x200
MARK       tcp  --  anywhere             (ZLB VIP)        statistic mode random probability 1.00000000000 multiport dports shell /*  FARM_SyslogTCP_3_  */ MARK set 0x208
MARK       tcp  --  anywhere             (ZLB VIP)        statistic mode random probability 0.75000000000 multiport dports shell /*  FARM_SyslogTCP_2_  */ MARK set 0x207
MARK       tcp  --  anywhere             (ZLB VIP)        statistic mode random probability 0.50000000000 multiport dports shell /*  FARM_SyslogTCP_1_  */ MARK set 0x202
MARK       tcp  --  anywhere             (ZLB VIP)        statistic mode random probability 0.25000000000 multiport dports shell /*  FARM_SyslogTCP_0_  */ MARK set 0x201

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
root@zenlb01:~#
root@zenlb01:~#
root@zenlb01:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             mark match 0x201 /*  FARM_SyslogTCP_0_  */ to:(Server0):514
DNAT       tcp  --  anywhere             anywhere             mark match 0x202 /*  FARM_SyslogTCP_1_  */ to:(Server1):514
DNAT       tcp  --  anywhere             anywhere             mark match 0x207 /*  FARM_SyslogTCP_2_  */ to:(Server2):514
DNAT       tcp  --  anywhere             anywhere             mark match 0x208 /*  FARM_SyslogTCP_3_  */ to:(Server3):514
DNAT       udp  --  anywhere             anywhere             mark match 0x200 /*  FARM_SyslogUDP_0_  */ to:(Server0):514
DNAT       udp  --  anywhere             anywhere             mark match 0x203 /*  FARM_SyslogUDP_1_  */ to:(Server1):514
DNAT       udp  --  anywhere             anywhere             mark match 0x204 /*  FARM_SyslogUDP_2_  */ to:(Server2):514
DNAT       udp  --  anywhere             anywhere             mark match 0x205 /*  FARM_SyslogUDP_3_  */ to:(Server3):514
DNAT       udp  --  anywhere             anywhere             mark match 0x206 /*  FARM_SyslogUDP_4_  */ to:(Server4):514

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination



RB

________________________________
From: Laura Garcia [nev...@gmail.com]
Sent: Thursday, October 20, 2016 10:52 AM
To: zenloadbalancer-support@lists.sourceforge.net
Subject: Re: [Zenloadbalancer-support] UDP Port 514 Unreachable

Hi Randy, maybe the L4 rules are not generated properly for this particular 
firewall client.

Could you check whether the rules for this firewall are the same as those for 
the others, using the following commands?

iptables -L -t mangle
iptables -L -t nat

Regards.


Laura Garcia
Zen Load Balancer Team
www.zenloadbalancer.com

On Thu, Oct 20, 2016 at 7:29 PM, Randy Baca <ra...@rbaca.com> wrote:

Hi,

I am running ZLB to load balance syslog messages coming from my firewalls to a 
farm of log parsers.  One firewall is sending syslogs, but instead of 
load-balancing the packets like the other firewalls (all Cisco ASA), the ZLB 
responds to the one firewall with this message:



10:21:25.683555 IP (firewall).514 > (ZLB VIP).514: SYSLOG local4.info, length: 147

10:19:44.045419 IP (ZLB VIP) > (firewall): ICMP 10.251.253.50 udp port 514 unreachable, length 183



Does anyone know why this is happening?  All the other firewalls are being 
load-balanced properly.



RB

_______________________________________________
Zenloadbalancer-support mailing list
Zenloadbalancer-support@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support
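
The comparison requested in the thread can be done mechanically. The following is an added example, not part of the original thread and not Zen Load Balancer code: it pairs every MARK rule in the mangle table with the DNAT rule in the nat table that matches the same mark, and reports any mark that has no DNAT (such a packet keeps the VIP as its destination). The listings are constructed samples modelled on the sanitized output above, with one DNAT rule deliberately left out, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the thread's sanitized `iptables -L` listings,
# wrapped the way the mail client wrapped them. The DNAT for mark 0x203 is
# deliberately missing.
MANGLE = """Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       udp  --  anywhere             (ZLB VIP)        statistic mode random
probability 1.00000000000 multiport dports syslog /*  FARM_SyslogUDP_1_  */
MARK set 0x203
MARK       udp  --  anywhere             (ZLB VIP)        statistic mode random
probability 0.50000000000 multiport dports syslog /*  FARM_SyslogUDP_0_  */
MARK set 0x200
MARK       tcp  --  anywhere             (ZLB VIP)        statistic mode random
probability 1.00000000000 multiport dports shell /*  FARM_SyslogTCP_0_  */ MARK
set 0x201
"""
NAT = """Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             mark match 0x201
/*  FARM_SyslogTCP_0_  */ to:(Server0):514
DNAT       udp  --  anywhere             anywhere             mark match 0x200
/*  FARM_SyslogUDP_0_  */ to:(Server0):514
"""

# re.S lets one rule span the wrapped lines; \s+ absorbs the line breaks.
MARK_RE = re.compile(
    r"MARK\s+(tcp|udp)\s.*?/\*\s*(\S+)\s*\*/\s*MARK\s+set\s+(0x[0-9a-fA-F]+)", re.S)
DNAT_RE = re.compile(
    r"DNAT\s+(tcp|udp)\s.*?mark\s+match\s+(0x[0-9a-fA-F]+)\s*/\*\s*(\S+)\s*\*/\s*to:(\S+)",
    re.S)

def parse_marks(text):
    """Map (protocol, mark) -> farm comment for every MARK rule."""
    return {(p, int(m, 16)): farm for p, farm, m in MARK_RE.findall(text)}

def parse_dnat(text):
    """Map (protocol, mark) -> (farm comment, backend) for every DNAT rule."""
    return {(p, int(m, 16)): (farm, dest) for p, m, farm, dest in DNAT_RE.findall(text)}

def cross_check(mangle_text, nat_text):
    """List marks set without a DNAT, and DNAT rules no MARK rule feeds."""
    marks, dnats = parse_marks(mangle_text), parse_dnat(nat_text)
    findings = [("mark-without-dnat", p, hex(m), marks[(p, m)])
                for p, m in sorted(marks.keys() - dnats.keys())]
    findings += [("dnat-without-mark", p, hex(m), dnats[(p, m)][0])
                 for p, m in sorted(dnats.keys() - marks.keys())]
    return findings

if __name__ == "__main__":
    for finding in cross_check(MANGLE, NAT):
        print(*finding)
```

An empty result means the two tables are consistent with each other, which is what "it all looks normal" amounts to for the listings in this thread.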