Doug_123818
Jun 03, 2014

Load balancing SSH

I need some assistance on configuring a VIP where I can load balance ssh. I am using a unique port, 10022. It's a simple TCP config on the VIP, but I have to use Auto Map because I am running this one-arm. I see it connect to the LTM under pool statistics, but my connection will time out with "Network error: Software caused connection abort". When I go straight to the server, bypassing the LTM, it works fine.

    ltm virtual /Common/VTR-TCP-10022-VS {
        destination /Common/10.25.240.135:10022
        ip-protocol tcp
        mask 255.255.255.255
        pool /Common/VTR-TCP-10022
        profiles {
            /Common/tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vlans {
            /Common/internal
        }
        vlans-enabled
    }

 

5 Replies

  • Is the connection timing out after some time? Try to up the "idle timeout" value for the TCP profile. Can you do a tcpdump and paste the results when the disconnect happens?

     

  • See below the tcpdump: We are getting resets and it fails quickly. We are running our LTM in one-arm mode. A few years ago I used telnet going back to a mainframe. It was running routed with an internal and external interface. As a hunch I think the Auto Map SNAT may be giving us problems.

     

    08:44:55.138208 IP 10.2.224.11.802-11-iapp > 10.2.232.35.29418: S 2658976969:2658976969(0) win 512
    08:44:55.138407 IP 10.2.232.35.29418 > 10.2.224.11.802-11-iapp: S 1017739285:1017739285(0) ack 2658976970 win 14600
    08:44:55.139000 IP 10.2.224.11.802-11-iapp > 10.2.232.35.29418: R 2658976970:2658976970(0) win 0
    08:44:56.138089 IP 10.2.224.11.mc3ss > 10.2.232.35.webcache: S 1697615952:1697615952(0) win 512
    08:44:56.138279 IP 10.2.232.35.webcache > 10.2.224.11.mc3ss: S 259112963:259112963(0) ack 1697615953 win 14600
    08:44:56.139112 IP 10.2.224.11.mc3ss > 10.2.232.35.webcache: R 1697615953:1697615953(0) win 0
    08:44:57.137821 IP 10.2.224.11.nssocketport > 10.2.232.35.8085: S 2641368868:2641368868(0) win 512
    08:44:57.138019 IP 10.2.232.35.8085 > 10.2.224.11.nssocketport: S 3444298526:3444298526(0) ack 2641368869 win 14600

     

  • I got it figured out. I had to turn off Port Translation in the VIP configuration. At this point not sure why, but I'll do some more digging.

     

  • I am not sure port translation is the fix. I have my setup as below and it works fine.

    virtual ssh_vs {
        destination 10.10.10.102:ssh
        ip-protocol tcp
        mask 255.255.255.255
        pool ssh_pool
        profiles {
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 4
    }
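
Added example, not part of any post in this thread: a small Python parser that classifies each TCP handshake in tcpdump text of the format pasted earlier in the thread, so that a "SYN, SYN-ACK, then RST from the initiator" pattern stands out from completed connections. The sample lines, addresses, and function names are constructed for illustration.

```python
import re

# Constructed sample in the same older tcpdump text format as the capture
# in the thread; addresses and ports are placeholders, not thread values.
SAMPLE = """\
08:00:00.000100 IP 192.0.2.10.40001 > 192.0.2.20.10022: S 1000:1000(0) win 512
08:00:00.000300 IP 192.0.2.20.10022 > 192.0.2.10.40001: S 5000:5000(0) ack 1001 win 14600
08:00:00.000900 IP 192.0.2.10.40001 > 192.0.2.20.10022: R 1001:1001(0) win 0
08:00:01.000100 IP 192.0.2.10.40002 > 192.0.2.20.ssh: S 2000:2000(0) win 512
08:00:01.000300 IP 192.0.2.20.ssh > 192.0.2.10.40002: S 6000:6000(0) ack 2001 win 14600
08:00:01.000500 IP 192.0.2.10.40002 > 192.0.2.20.ssh: . ack 1 win 512
08:00:02.000100 IP 192.0.2.10.40003 > 192.0.2.20.10022: S 3000:3000(0) win 512
08:00:02.000300 IP 192.0.2.20.10022 > 192.0.2.10.40003: R 0:0(0) ack 3001 win 0
"""

# timestamp, "IP", src addr.port, ">", dst addr.port, ":", flags, remainder
LINE = re.compile(r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+\.\S+) > "
                  r"(?P<dst>\d+\.\d+\.\d+\.\d+\.\S+): (?P<flags>\S+) (?P<rest>.*)$")

def outcome(ev):
    """Turn the ordered event list of one flow into a verdict."""
    if ev[:3] == ["SYN", "SYNACK", "ACK"]:
        return "established"
    if ev[:3] == ["SYN", "SYNACK", "RST_INITIATOR"]:
        return "reset_by_initiator_after_synack"
    if ev[:2] == ["SYN", "RST_RESPONDER"]:
        return "refused_by_responder"
    return "no_reply" if ev == ["SYN"] else "other:" + ">".join(ev)

def classify_flows(text):
    """Map (initiator, responder) -> handshake outcome for each SYN seen."""
    flows = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a TCP line in the expected format
        src, dst, flags = m["src"], m["dst"], m["flags"]
        has_ack = " ack " in " " + m["rest"]
        if "S" in flags and not has_ack:            # initial SYN opens a flow
            flows[(src, dst)] = ["SYN"]
        elif "S" in flags and (dst, src) in flows:  # SYN-ACK from the far side
            flows[(dst, src)].append("SYNACK")
        elif "R" in flags:
            if (src, dst) in flows:
                flows[(src, dst)].append("RST_INITIATOR")
            elif (dst, src) in flows:
                flows[(dst, src)].append("RST_RESPONDER")
        elif has_ack and (src, dst) in flows:       # final ACK of the handshake
            flows[(src, dst)].append("ACK")
    return {k: outcome(v) for k, v in flows.items()}

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE).items():
        print(flow, verdict)
```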