Troubleshooting guide

Chapter 2 Troubleshooting Active Network Management Load Balancing Configuration Guides
Advanced Technical Reference Guide 4.1 June 2000 108
Load Balancing Configuration Guides
How to configure VPN-1/FireWall-1 with Connect Control (Load-Balance across multiple servers)
See the configuration document How to Configure VPN-1/FireWall-1 With Connect Control (Load-Balance
across multiple servers) (ID 55.0.2061878.2576947) in the Check Point Technical Services SecureKnowledge
site (6 pages).
How to configure Connect Control and NAT for Server Load Balancing without Default Routes
See the configuration document Connect Control with Address Translation (ID 55.0.2061723.2576947) in the
Check Point Technical Services site (4 pages).
Resolving Common Load Balancing problems
This section lists some common problems and solutions, mostly from the Check Point Technical Services
SecureKnowledge knowledge base.
HTTP connections and the “Other” load balancing method
A problem may arise if the Other method is chosen for HTTP connections. Because this method uses the NAT
mechanism, each connection is handled separately, and therefore every connection can be redirected to a
different server.
This may be a problem when a user fills in a few HTTP forms and a single HTTP server needs to handle all the
data.
NAT and the “Other” load balancing method
If Other is used as the load balancing method (see Non-HTTP (Other) Method, above), NAT is activated in the
inbound direction.
If a DST Static rule is also applied to the same physical server, in some cases it won't be possible to perform
load balancing. This may lead to unexpected results.
The reason is that the Connect Control module performs DST Static NAT in the inbound direction.
Therefore, if a DST Static NAT rule is applied as well, the DST IP address will be translated twice: the first
time in the inbound direction because of Connect Control, and again in the outbound direction because of the
NAT rule.
If using Static NAT to associate external IP addresses with internal servers, which IP addresses should be used in the server group that is part of the HTTP logical server definition?
If using Static NAT to associate external IP addresses with internal servers, use the external IP addresses in the
server group that is part of the HTTP logical server definition. The HTTP logical server uses an HTTP
redirect to assign the client to a physical server. The client then directs its packets to the routable IP address of
the physical server. If the physical server is actually hidden, the client must be provided with the valid,
external IP address that maps to the physical server through Static NAT.
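
Added example (not part of the Check Point guide): a small Python model of the two behaviours described above, a multi-form HTTP session scattered by per-connection balancing under the Other method, and the HTTP redirect method needing external addresses in the server group. The addresses, the round-robin choice, the use of the first group entry and all function names are assumptions made for this illustration.

```python
from itertools import cycle

# Constructed sample topology: external (routable) address -> internal server (Static NAT).
STATIC_NAT = {"192.0.2.11": "10.0.0.11", "192.0.2.12": "10.0.0.12", "192.0.2.13": "10.0.0.13"}

class Server:
    """Physical server that keeps multi-step form data in local memory only."""
    def __init__(self, ip):
        self.ip, self.forms = ip, {}

    def submit(self, session, step):
        self.forms.setdefault(session, []).append(step)

def make_farm():
    return {ip: Server(ip) for ip in STATIC_NAT.values()}

def other_method(farm, session, steps):
    """Per-connection NAT: each connection to the logical server is balanced on its own.
    Round robin is an assumption of this sketch, not a statement about the product."""
    picker = cycle(sorted(farm))
    for step in steps:
        farm[next(picker)].submit(session, step)  # new connection, new pick

def http_method(farm, session, steps, group):
    """HTTP redirect: the first connection is answered with a redirect to an address
    from the server group; the client then connects to that address directly."""
    redirect_to = group[0]                  # simplification: first group entry is chosen
    if redirect_to not in STATIC_NAT:       # hidden internal address: no route from the client
        raise ConnectionError(f"client cannot reach {redirect_to}")
    server = farm[STATIC_NAT[redirect_to]]  # Static NAT maps external -> internal
    for step in steps:
        server.submit(session, step)

def servers_holding(farm, session):
    """Return {server_ip: steps} for every server that saw part of the session."""
    return {ip: s.forms[session] for ip, s in farm.items() if session in s.forms}

if __name__ == "__main__":
    steps = ["form-1", "form-2", "form-3"]
    a, b = make_farm(), make_farm()
    other_method(a, "sess", steps)
    http_method(b, "sess", steps, list(STATIC_NAT))
    print("Other:", servers_holding(a, "sess"))  # form data split across servers
    print("HTTP: ", servers_holding(b, "sess"))  # all form data on one server
```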