HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

You can specify only two target addresses in each round-robin rule, but you can configure two
rdr rules for the same interface, for a total of four target addresses. IPFilter load balances the
packets equally among all four target addresses. For example:
rdr lan0 0.0.0.0 -> 192.168.0.1,192.168.0.2 round-robin
rdr lan0 0.0.0.0 -> 192.168.0.3,192.168.0.4 round-robin
6.4.4 Sticky NAT sessions
NAT sessions can be redirected to the same destination IP to achieve source IP-based persistence.
This feature works only with rdr NAT rules.
The following example creates sticky sessions with all packets coming to 10.1.1.40 redirected to
10.1.1.41 and 10.1.1.27. The round-robin algorithm is used for load balancing because the sticky
session feature ensures that all packets go to the same IP address as the first packet.
rdr lan4 10.1.1.40/32 port 23 -> 10.1.1.41,10.1.1.27 port 23 tcp round-robin sticky
For more information, see the ipnat(4) manpage.
NOTE: This feature is available only on HP-UX 11i v3.
6.4.5 Verifying connection health with l4check
A health check tool continually verifies the health of the servers to ensure client connections are
not forwarded to servers that are down or failed. Sometimes the server is up and responsive, but
the application it is hosting is dead or unresponsive.
The l4check utility monitors all remote servers and ports mentioned in the configuration file for
TCP connections. It adds or removes the IP/port pairs from the NAT rdr rule dynamically, based
on whether the remote servers or ports are reachable and responding for specific requests.
Health checks can be in-band or out-of-band checks. In-band checks use the traffic flow between
clients and servers to check server health. For example, the health of a TCP-based application is
verified by monitoring the TCP 3-way handshake. An incomplete handshake indicates that the
server or application is not working. This verification can be followed by additional verifications
to confirm the situation. Out-of-band health checks are explicit health checks made by the load
balancer.
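The out-of-band check and the rule add/remove decision described above, modelled in Python as an added example (this is not l4check's source or HP code). The function names, the reuse of this page's sample addresses, and the single-target round-robin rule form are assumptions; the rules are only generated as text, not loaded.

```python
import socket

def tcp_alive(ip, port, timeout=2.0):
    """Out-of-band probe: True only if a TCP handshake to ip:port completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False

def rdr_rule(iface, vip, vport, ip, port):
    """One rdr rule with a single target address (assumed rule form)."""
    return f"rdr {iface} {vip}/32 port {vport} -> {ip} port {port} tcp round-robin"

def reconcile(iface, vip, vport, targets, active, probe=tcp_alive):
    """Probe every target and compare with the targets currently in NAT.

    Returns (rules_to_add, rules_to_remove, new_active). Rules are returned
    as text only; nothing is loaded into the kernel here.
    """
    to_add, to_remove, new_active = [], [], set()
    for ip, port in targets:
        rule = rdr_rule(iface, vip, vport, ip, port)
        if probe(ip, port):
            new_active.add((ip, port))
            if (ip, port) not in active:
                to_add.append(rule)      # server came back: restore its rule
        elif (ip, port) in active:
            to_remove.append(rule)       # server stopped answering: pull its rule
    return to_add, to_remove, new_active

if __name__ == "__main__":
    # Constructed probe results so the demo runs offline: .41 answers, .27 does not.
    sample = {("10.1.1.41", 23): True, ("10.1.1.27", 23): False}
    targets = list(sample)
    add, remove, active = reconcile(
        "lan4", "10.1.1.40", 23, targets,
        active={("10.1.1.41", 23), ("10.1.1.27", 23)},
        probe=lambda ip, port: sample[(ip, port)],
    )
    print("add:", add)
    print("remove:", remove)
```

A completed handshake shows only that the port accepts connections; an application that accepts and then hangs still passes this probe.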
The /etc/opt/ipf/l4check.conf_template file is provided with l4check. Use this file
format to update the configuration file required for l4check.
HP-UX IPFilter V17.05 and earlier provide /etc/opt/ipf/l4check.conf. On HP-UX IPFilter
V18.0 and later, this file is renamed l4check.conf_template. The l4check.conf_template
file is only a template; copy it to a different file name before you edit it and use it as
input to the l4check tool. This template file will be replaced when the system is upgraded to the
next version of HP-UX IPFilter.
6.4.5.1 Known issues and limitations
• Running more than one copy of l4check can disperse NAT rdr rules among the running
  copies. No notification is sent.
• l4check adds or deletes rules with only one IP address. rdr rules with multiple IP addresses
  are ignored.
• l4check cannot add rules with sticky password.
• This feature is available only on HP-UX 11i v3.
6.4.5.2 Syntax
l4check [-nv] -f <filename>