
Servers under Barracuda service replying directly to source


1 reply to this topic

#1 Jim Walker (Members, 1 posts)

Posted 07 August 2018 - 12:16 PM

I am trying to configure the following load balancer:

Barracuda Load Balancer ADC
Firmware v6.3.0.005 (2018-06-08 05:41:20)
Model: 440
Attack definition v1.55

I have created a service with two physical servers. The service is configured for layer 4 TCP load balancing on port 7810 using a VIP that has a DNS record in the domain. The service is tied to the second interface on the LB (ge-1-2). The only option I changed from default on the service page was to choose weighted least connections over weighted round robin. The server monitor is set to a TCP port check with a delay of 10 seconds. Manual testing succeeds to both servers.

My test tool tries three times to establish a connection and then fails out. Checking the logs on the LB shows that the traffic is making it to the load balancer VIP and being forwarded to the servers under the service. Wireshark traces show the issue. The load balancer forwards the TCP traffic on port 7810 to the physical servers. They process the traffic, but the responses go directly to the source. The source never receives a response from the load balancer and closes the connection after three tries. Since the responses are coming from the physical servers directly back to the source, the source does not recognize the IP as a valid reply.

My first thought was that Direct Server Return (DSR) was enabled, but this is not the case. I confirmed it is disabled on both servers under the service. I'm stumped at this point.

Thanks for any help or input.


#2 Aravindan Anandan (Barracuda Team Members, 55 posts)

Posted 08 August 2018 - 12:44 AM

Jim,

From the description in your post, it seems that the routing for the return path from the servers is not correct. In a flat network, this could be as easy as configuring the default gateway on the servers to point to the ADC.

It should be noted that for L4 services, the ADC will not change the source IP of the packet (normal packet forwarding behavior) when it forwards the connections to the backend servers. So it's important that the servers return the responses back to the ADC, which will happen if the routing is configured correctly.

You will see that the service works just fine if you configure the type as TCP Proxy, in which case there will be connection termination on the front end and a new connection with the source IP of the ADC will be established with the actual server (typical reverse proxy behavior).
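As an added illustration of the return-path point made in the reply above (example code written for this page, not Barracuda's code or either poster's; every address, the 10.2.2.0/24 server segment, the ADC's server-side address and the port numbers are constructed assumptions), the following Python simulation pushes one client SYN through the VIP under the three configurations discussed: L4 forwarding with the servers' default gateway pointing somewhere other than the ADC, L4 forwarding with the default gateway on the ADC, and TCP Proxy mode. It models only the part that matters here: which source address the backend sees, which next hop the backend's reply takes, and whether the client's TCP stack will match the reply to the connection it opened.

```python
"""Simulate the asymmetric return path behind an L4 (non-proxy) load balancer.

Added example for this thread; the topology below is constructed, not taken
from the posts. Assumption: a flat server segment 10.2.2.0/24 on which the
ADC has an address of its own (the equivalent of the ge-1-2 side).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

CLIENT = "10.0.0.50"         # constructed client address, off the server segment
VIP = "10.1.1.10"            # the service VIP the client's DNS name resolves to
ADC_INTERNAL = "10.2.2.1"    # ADC's address on the server segment (assumed)
SERVER = "10.2.2.20"         # one of the two backends
OTHER_ROUTER = "10.2.2.254"  # a default gateway that is NOT the ADC
SERVER_SUBNET = ipaddress.ip_network("10.2.2.0/24")
SERVICE_PORT = 7810
CLIENT_PORT = 51000          # client's ephemeral port (constructed)
ADC_PROXY_PORT = 40000       # ADC's ephemeral port in TCP Proxy mode (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def adc_forward(pkt: Packet, mode: str) -> Packet:
    """ADC receives the client SYN on the VIP and sends it to a backend.

    'l4'        : plain forwarding; the client's source address is preserved.
    'tcp_proxy' : ADC terminates the client connection and opens a new one
                  to the backend from its own address.
    """
    if mode == "l4":
        return Packet(pkt.src, pkt.sport, SERVER, SERVICE_PORT)
    if mode == "tcp_proxy":
        return Packet(ADC_INTERNAL, ADC_PROXY_PORT, SERVER, SERVICE_PORT)
    raise ValueError(f"unknown mode {mode!r}")


def server_reply(pkt: Packet, default_gw: str) -> tuple[Packet, str]:
    """Backend answers and picks a next hop like any host: on-link destinations
    go direct, everything else goes to its default gateway."""
    reply = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    on_link = ipaddress.ip_address(reply.dst) in SERVER_SUBNET
    return reply, (reply.dst if on_link else default_gw)


def deliver(reply: Packet, next_hop: str, mode: str) -> Packet:
    """Return the packet the client eventually receives."""
    if next_hop != ADC_INTERNAL:
        # Reply bypasses the ADC: the client gets a packet straight from the backend.
        return reply
    if mode == "l4":
        # ADC reverses its translation so the reply appears to come from the VIP.
        return Packet(VIP, SERVICE_PORT, reply.dst, reply.dport)
    # tcp_proxy: the reply belongs to the ADC's own connection; the ADC then
    # answers the client on the front-end connection from the VIP.
    return Packet(VIP, SERVICE_PORT, CLIENT, CLIENT_PORT)


def client_accepts(sent: Packet, received: Packet) -> bool:
    """A TCP stack only matches a reply whose 4-tuple mirrors the one it opened."""
    return (received.src, received.sport, received.dst, received.dport) == (
        sent.dst, sent.dport, sent.src, sent.sport)


def simulate(mode: str, server_default_gw: str) -> bool:
    """True if the client sees a reply from VIP:7810, False if it sees a stray packet."""
    syn = Packet(CLIENT, CLIENT_PORT, VIP, SERVICE_PORT)
    to_server = adc_forward(syn, mode)
    reply, next_hop = server_reply(to_server, server_default_gw)
    return client_accepts(syn, deliver(reply, next_hop, mode))


if __name__ == "__main__":
    for mode, gw in [("l4", OTHER_ROUTER), ("l4", ADC_INTERNAL),
                     ("tcp_proxy", OTHER_ROUTER)]:
        print(f"mode={mode:9s} server default gw={gw:11s} -> "
              f"{'client gets reply' if simulate(mode, gw) else 'reply bypasses ADC, client drops it'}")
```

The first case reproduces the symptom in the original post: with L4 forwarding the backend sees the client's real address, routes its reply to the default gateway, and the client receives a packet sourced from the backend rather than the VIP, which its stack discards. Pointing the backend's default gateway at the ADC fixes it, and in TCP Proxy mode the reply is addressed to the ADC itself, so it is on-link and never depends on the gateway setting. On a real Linux backend, `ip route get <client address>` shows which next hop the reply would actually take.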