Author Topic: Routing thru NS fails when vserver is disabled  (Read 3521 times)

Offline jmelika

Routing thru NS fails when vserver is disabled
« on: October 25, 2007, 04:10:40 PM »
So I have a network diagram like this:

Office (Cisco) ----VPN---- (Cisco)
                              |
                              |
                          NetScaler
                              |
                              |
                           Servers

My Cisco connected to the NetScaler is set up on a different VLAN than the servers.  I have a bunch of vServers and vServices (HTTP) of course on the NetScaler.  If I disable a Load Balanced vServer and try to access that server using its private IP using HTTP, it fails.  If I enable the vServer, it's accessible again.

It looks to me that the NetScaler does not distinguish itself handling routing from handling load balancing.  It drops routing traffic to a server that's disabled even from server-to-server when they're on 2 VLANs and the NetScalers are doing the routing.

If anyone from Cisco can read this, please comment!

Thanks
« Last Edit: October 25, 2007, 04:15:54 PM by jmelika »

Offline TheOracle

Re: Routing thru NS fails when vserver is disabled
« Reply #1 on: February 15, 2008, 10:18:32 AM »
The behavior you specify doesn't sound right to me--if you disable a service (not the vserver a service was bound to), the behavior does match though.  There is in fact a knob that controls this, the "accessdown" knob, which will allow traffic to pass through the NetScaler when the service is down or disabled.

To understand this behavior, consider that the NetScaler can also act as a L2 transparent accelerator.  In that mode, we capture and optimize the traffic (cmp/caching/http multiplexing, etc) while acting as an L2 bridge to the actual server.   In that mode, if a service goes down, well, we **know** we can't access it.  Alternatively, the server may be having maintenance done on it, and could be vulnerable to an attack that it isn't normally vulnerable to, so preventing access while in the disabled state also makes sense.  The accessdown flag will allow you to control the behavior, however.

The Oracle
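
Added example, not part of the original posts and not vendor code: a small audit that lists which services in a saved configuration have the accessdown knob turned on, since those are the servers that stay reachable through the NetScaler while down or disabled for maintenance. The sample configuration is constructed, and the `add service` / `set service` line layout, the `-accessDown` and `-state` option spellings, and the default of NO are assumptions about the ns.conf format.

```python
import shlex

# Constructed sample in ns.conf style (service names and addresses are made up).
SAMPLE_NS_CONF = """\
add service svc_web1 10.0.20.11 HTTP 80 -maxClient 0 -cltTimeout 180
add service svc_web2 10.0.20.12 HTTP 80 -accessDown YES -state DISABLED
add service "svc app 3" 10.0.20.13 HTTP 8080 -accessDown NO
set service svc_web1 -accessDown YES
add lb vserver vs_web HTTP 10.0.10.5 80
"""

def parse_options(tokens):
    """Collect '-name value' pairs from a tokenized command, keys lowercased."""
    opts = {}
    i = 0
    while i < len(tokens) - 1:
        if tokens[i].startswith("-"):
            opts[tokens[i][1:].lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1  # positional argument (address, protocol, port)
    return opts

def audit_access_down(conf_text):
    """Return {service: {"accessdown": bool, "disabled": bool}} for each service."""
    services = {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line)  # handles quoted names containing spaces
        if len(tokens) < 3 or tokens[0] not in ("add", "set") or tokens[1] != "service":
            continue
        # Assumed default when the option is absent: accessDown NO, state enabled.
        entry = services.setdefault(tokens[2], {"accessdown": False, "disabled": False})
        opts = parse_options(tokens[3:])
        if "accessdown" in opts:  # a later 'set' line overrides the 'add' line
            entry["accessdown"] = opts["accessdown"].upper() == "YES"
        if "state" in opts:
            entry["disabled"] = opts["state"].upper() == "DISABLED"
    return services

def exposed_services(conf_text):
    """Names of services that remain reachable while down or disabled."""
    return sorted(n for n, e in audit_access_down(conf_text).items() if e["accessdown"])

if __name__ == "__main__":
    for name, entry in audit_access_down(SAMPLE_NS_CONF).items():
        print(f"{name}: accessDown={entry['accessdown']} disabled={entry['disabled']}")
```

Services reported with accessDown on and disabled at the same time are the ones to review before a maintenance window.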

Offline jmelika

Re: Routing thru NS fails when vserver is disabled
« Reply #2 on: February 18, 2008, 11:06:43 AM »
Thanks for the clarification.  I will look into the accessdown flag and let you know.