[OpenAFS] OpenAFS clients behind a load balancer

Brian Sebby sebby@anl.gov
Mon, 26 Apr 2004 19:04:42 -0500

We've got a couple of AFS clients behind a new load balancer, and are seeing
some weird behavior.  Both clients are running OpenAFS 1.2.10, and the load
balancer is an F5 box.  The load balancer acts as the default router on a
private network for the two clients.  Their local configuration is to use a
10 net address, but they have corresponding IP addresses in our normal
network space that can be used to contact the hosts directly.  The F5 box
then works as a NAT to translate the outside IP addresses to the inside IP
addresses, but as far as I've been told, doesn't do anything else to the
packets.  Once it does the translation it forwards the packets to the
appropriate machine behind the load balancer, so I don't think it does the
simple portmapping that is done by a Linksys NAT box or something similar.

We have a read-only directory in AFS that we'd like them to be able to read
information from.  To access this directory, we created an IP ACL group with
both the internal and external IP addresses of these machines, along with
the IP addresses of two other machines that are not behind the F5 box.
The volume was then moved from one server to another to get the IP ACL
changes to take effect.  (Since there's usually a delay in updating the PT
database with IP ACLs.)  When the volume was moved to the other AFS server,
while the two boxes outside the load balancer could see the volume, the
boxes on the inside could not.  The volume was then moved back to the
original AFS server, and then, one of the two boxes behind the load balancer
could see the directory, but the other still couldn't.  The two machines not
behind the load balancer could still see the directory.

There shouldn't be any sort of firewall differences between the load
balanced machines and the two AFS servers; while we do have a firewall, it's
on the other side of the network.

While reading through some archives of openafs-info, I saw a few posts that
indicated that Rx has some problems with NAT, but this seemed to be due to
the port mapping done by a desktop NAT box.  I've been told that the F5
boxes don't do this sort of port mapping when you contact the outside IP
address to talk to one of the inside machines directly.

If anyone has any suggestions, or ways of testing these connections
(rxdebug?) I would appreciate it.

Thank you,

Brian Sebby

Brian Sebby  (sebby@anl.gov)  |  Distributed Computing Administration
Phone: +1 630.252.9935        |  Computing and Instrumentation Solutions
Fax:   +1 630.252.4601        |  Argonne National Laboratory