Two SA 4000 DNS Round Robin

bambam_
Occasional Contributor

Two SA 4000 DNS Round Robin

I'm a newbie so go easy on me. I'm stepping in the middle of a project for a client who would like to have two SA 4000 boxes work properly in a DNS round robin setup. One box is in one physical location and the other is at a separate physical location. They would like to use one host name to round robin between both boxes. The client has configured DNS at their web host to point to both external IPs, and nslookup from outside the network shows both. Here is the issue: it sometimes takes up to 10 minutes to actually receive the login page on either box, and sometimes we don't receive the login page at all. Both boxes work fine going direct to IP, and using the host name works fine if it is set up to resolve to just one box. Host checker is set to run before presenting the login page, and that is the page that seems to "stick" for that 10 minute delay. Is this something that can be done? Thanks for any help.
gdavies_
Occasional Contributor

Re: Two SA 4000 DNS Round Robin

Hi bambam,

This is just a guess, but I suspect that you're resolving to different addresses part way through the process so you're sending packets initially to box-A and then, part way through the process, you start sending other packets required to complete the process to box-B. Since box-B didn't see the first part of the exchange, it will probably drop the packets as part of an unrecognised session and box-A will sit there waiting patiently for the packets to arrive. When it works, I suspect that you've tried to create the connection to box-B and eventually given up and re-resolved and gone back to box-A, which says "where have you been" and finally completes the login.

To be honest, I really don't think that DNS round robin is a viable approach in this situation. You need something like Global Server Load Balancing that has sticky state for each session. This will guarantee that sessions are spread across the boxes but each session sticks to just one box.

Rgds,

Guy

Jickfoo_
Super Contributor

Re: Two SA 4000 DNS Round Robin

I've used DNS Round Robin before for various things. It is the poor man's load balancer and it usually works well. For example, we utilize it with MX Records for SMTP. When someone tries to resolve our mail record, they get 1 of 2 possible IP Addresses. There is no 10 minute delay.

What should happen is that the client queries DNS, resolves to 1 of the 2 IP Addresses and then starts a conversation with that IP.

I'd like to see a trace of the conversation. I'd make sure the DNS Cache is cleared first. "ipconfig /flushdns".

I've never heard of anyone setting up an IVE with DNS Round Robin. I wonder if the client gets confused. Are they both using the same certificate?

Message Edited by Jickfoo on 03-07-2008 07:40 AM
gdavies_
Occasional Contributor

Re: Two SA 4000 DNS Round Robin

Hi,

DNS round robin does work well, until there are devices that maintain state that you're round robining through. If you maintain state, you're going to have issues because you may well end up being pushed to different boxes, particularly if the device you are conversing with is a web server returning HTML containing numerous links to other *hostnames*. If you get sent to the hostname, you may well try to resolve it and end up somewhere else. :-(

With mail, you resolve the mailserver's name once and just set up a session to the IP address. That session doesn't return any information that requires another lookup, so you're generally stuck to the one address for the duration of the session.

The best approach for this with any web based device is a load balancer that understands stickiness.

Rgds,

Guy

bambam_
Occasional Contributor

Re: Two SA 4000 DNS Round Robin

Thanks for the help, Guy. Your answers helped clear up the confusion for me so I can relay this to my client. To be honest, they don't really need two boxes anyway with the amount of users that will be using VPN. So they can just use the second as a hot spare by setting two host names, one for each box.
khowell333_
New Contributor

Re: Two SA 4000 DNS Round Robin

I know that there is an 'Accepted Solution' to this post. But I just want those who read this to know that you can use DNS round robin for 2 SA4000 IVEs in different geographical locations. We have done this for the past 3+ years without issue with 2 IVEs in an active/active cluster using Network Connect, SAM, Secure Meeting, and the rewriter.
bambam_
Occasional Contributor

Re: Two SA 4000 DNS Round Robin

I would be very interested in finding out how you were able to get the round robin to function properly.
Stephen_
Contributor

Re: Two SA 4000 DNS Round Robin

Are you using "clustered" SA's, or two "stand-alone" devices?

I'm not really sure how much session information is passed in the cluster, but I expect it would make a difference...

khowell333_
New Contributor

Re: Two SA 4000 DNS Round Robin

DNS Round Robin:

We have 2 SA4000 IVEs in different geographical locations. Each physical IVE has different external IPs. Our external DNS host entry (host.domain.com) has both devices' IPs associated with it. DNS by nature should alternate between the addresses, so every other request should be directed to a different IVE. This has worked well for us. We see a 55% to 45% load balance between the IVEs. We use IE to initiate/authenticate sessions. If an IVE is unavailable and it is the IVE that DNS directs the request to, IE will attempt the request again. The next time, the request should be directed to the other address. The sign-on page may take a few seconds longer to load because of the time it takes IE to make the second request, but we've never had anyone complain since connectivity is always available.

Cluster:

We have a true IVE Active/Active cluster. They are not stand-alone. So, session information spans both IVEs.
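The failure mode Guy describes earlier (a client re-resolving the hostname between steps of the login and landing on a box that never saw the session) and the cluster case described here (session state shared across both IVEs) can be sketched as a small simulation. This is an added example, not code from the thread or from the SA 4000 product; the hostname, the two addresses (documentation ranges) and the two-step host-checker login flow are constructed assumptions.

```python
import itertools

# Constructed example: one hostname with two A records, one per appliance.
# The addresses are from the documentation ranges, not real boxes.
DNS = {"vpn.example.invalid": ["198.51.100.10", "203.0.113.20"]}


class RoundRobinResolver:
    """Hands back the next A record on every lookup, which is what a
    client sees when it re-queries a round-robin DNS name."""
    def __init__(self, records):
        self._cycle = itertools.cycle(records)

    def resolve(self):
        return next(self._cycle)


class Box:
    """One appliance. 'sessions' is its session table; two boxes in an
    active/active cluster are built around the same table object, two
    stand-alone boxes each get their own."""
    def __init__(self, ip, sessions):
        self.ip, self.sessions = ip, sessions

    def start_login(self):
        sid = f"sess-{len(self.sessions) + 1}"
        self.sessions[sid] = {"host_check": False}
        return sid

    def host_check_result(self, sid):
        if sid not in self.sessions:
            return "dropped: unknown session"   # this box never saw step 1
        self.sessions[sid]["host_check"] = True
        return "login page"


def login_flow(resolver, boxes, reresolve):
    """Two-step login: start on the box DNS hands out, then submit the host
    checker result. If the client looks the name up again between the steps
    (e.g. it was sent back to the hostname rather than the IP), the second
    request may go to the other box."""
    ip = resolver.resolve()
    sid = boxes[ip].start_login()
    if reresolve:
        ip = resolver.resolve()
    return boxes[ip].host_check_result(sid)


def build(shared_state):
    """Two boxes behind the round-robin name, clustered or stand-alone."""
    ips = DNS["vpn.example.invalid"]
    table = {} if shared_state else None
    boxes = {ip: Box(ip, table if shared_state else {}) for ip in ips}
    return RoundRobinResolver(ips), boxes
```

Resolving once and sticking to that address succeeds on stand-alone boxes; re-resolving mid-flow only succeeds when both boxes share the session table.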

bambam_
Occasional Contributor

Re: Two SA 4000 DNS Round Robin

OK, so the only difference is that in our setup we don't have Active/Active clustering; that must be the key to making this work. Thanks for the help!