CPUG

The Check Point User Group

Forum: Check Point Firewall-1/VPN-1 And Related Products > Clustering (Security Gateway HA and ClusterXL)

#1  bgrenda (Junior Member, Poznan, Poland), 2006-10-25
IP address of ClusterXL outgoing traffic

Hi

This is my first post on this forum; I just joined as a user. Greetings to everyone :-)

My question regards the IP address of outgoing connections originating from ClusterXL members.
My configuration consists of two SecurePlatform (R61) gateways working in High Availability New Mode. Both gateways are configured to send syslogs to a central syslog server. At the syslog server I see only entries with the cluster address, no entries with the members' real IP addresses. Is this the default behaviour? Can I change this to have logs with the machines' real IP addresses?

Bart
#2  northlandboy (Senior Member, New Zealand), 2006-10-25

Welcome in.

Two options here:

A/ On the ClusterXL tab of the cluster object in SmartDashboard, there's an option there for hiding all outbound traffic from the cluster behind the cluster IP. Currently you will have it selected. You could uncheck it.

B/ Add a manual NAT rule, saying that traffic from the cluster to the syslog server should keep the original source and destination.
#3  bgrenda (Junior Member, Poznan, Poland), 2006-10-25

Thank you for quick response!

Regarding option A: there is no such option in ClusterXL; I checked it twice even before posting my question. There is another cluster in my environment based on Nokia IP Clustering, and there is such an option there indeed, on the 3rd Party Cluster configuration page.

Regarding option B: I will try it (can't do it right now), but won't it just keep the cluster address in the source field?

Bart
#4  northlandboy (Senior Member, New Zealand), 2006-10-25

Ah, I just assumed it was there for ClusterXL too - I'm normally working with Nokia VRRP/IP Clustering, where you can see it on the 3rd party config tab, as you've noted.

Thinking about B, you might actually have to have two separate NAT rules, one for each node of the cluster, rather than using the cluster object.
#5  bgrenda (Junior Member, Poznan, Poland), 2006-10-26

Option B does not seem to work :-(

My current minimum plan is to force the cluster members to send syslogs to the syslog server with their real IP addresses (further on, I would like to have NTP working on both members, etc).

I tried your recommendation without success:
  • It is impossible to add the cluster to the "Source" field of a NAT rule.
  • Adding 2 rules with the cluster members in original_packet:source and the syslog server in original_packet:destination, keeping all the remaining fields as "Original", hasn't resolved the problem either: syslogs are still appearing on the syslog server with the cluster address.

Bart
#6  david (Senior Member), 2006-10-26

You will have to add 2 rules, with clustermemberA in one and clustermemberB in the other.

Last edited by david; 2006-10-26 at 08:57.
#7  bgrenda (Junior Member, Poznan, Poland), 2006-10-26

David

That's exactly what I did.

Bart
#8  david (Senior Member), 2006-10-26

Sorry mate, didn't see that in your previous post, I should have read it properly =)
#9  david (Senior Member), 2006-10-26

What do you have set on the NAT tab of the cluster?
#10  jamjam (Junior Member), 2006-10-26

If you want to avoid using the cluster IP address for some specific protocol, you can do the following:
On the SmartCenter Server (Management module):
1) Type cpstop to stop the firewall services.
2) Back up the $FWDIR/lib/table.def (%FWDIR%\lib\table.def) file.
3) Edit the $FWDIR/lib/table.def (%FWDIR%\lib\table.def) file with a text editor.
Note: The procedure for editing the table.def file is intended to prevent the cluster member from hide-NATing its own real IP address.
4) Locate the line starting with the string no_hide_services_ports, which looks like the following:
no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17> };
5) Change it to:
no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <your port number,17 (17 means UDP)> };
6) Save the edited table.def file and exit the editor.
Note: When the version or HFA of the SmartCenter Server (management module) is upgraded, the changes made to the table.def file are lost.
7) Type cpstart to start the firewall services.
8) Log in to SmartDashboard.
9) Install the Security Policy.
Worked for me. Hope this helps.
#11  bgrenda (Junior Member, Poznan, Poland), 2006-10-30

JamJam

I have tried your recommendation. My new line looks like this now:

no_hide_services_ports = { <4500,17>, <500, 17>, <259, 17>, <1701, 17>, <1645, 17>, <514,17> };

514/UDP is meant for syslog, 1645/UDP is meant for RADIUS.
Unfortunately, no success so far. I still see syslogs being sent to the syslog server with the cluster address :-(

I also found the following discussion thread:

strange nat-problem with cluster

I tried the method listed there ("disabled clusterXL, unchecked the hide-thing in 3rd party, checked clusterXL, installed and now it _W O R K S_").

Unfortunately, still no success: the logs are visible with the cluster address.

Any other ideas?

Bart
#12  bgrenda (Junior Member, Poznan, Poland), 2006-11-07

Hi

To make this thread valuable, I need to state that the method proposed by JamJam eventually worked.

After implementing it I was checking only the syslog messages, which were still arriving with the cluster address. But now it seems that this was because of a missing blank space between 514 and 17. RADIUS worked OK, but I had failed to check it.

After the correction it seems to work as expected. Thx JamJam!

Bart
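The table.def edit from jamjam's post (#10), together with the spacing pitfall reported in the last post (#12), as an added example that is not part of the thread: a few POSIX shell helpers that back up table.def on the SmartCenter, append a "<port, proto>" tuple to no_hide_services_ports without duplicating it, and flag any tuple that does not use the stock "<port, proto>" spacing (such as "<514,17>") so you catch it before cpstart and policy install. Only the no_hide_services_ports line and the "<port, proto>" notation come from the thread; the function names, the argument checks and the backup file naming are this example's own assumptions.

```shell
# Added example, not from the thread or from Check Point. Helpers for editing
# the no_hide_services_ports set in $FWDIR/lib/table.def. Assumes the line has
# the shape shown in the thread:
#   no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17> };
# All function names below are illustrative, not Check Point commands.

# Print the tuples between the braces, one per line, spacing preserved.
no_hide_tuples() {
    sed -n 's/^no_hide_services_ports[[:space:]]*=[[:space:]]*{\(.*\)}[[:space:]]*;.*$/\1/p' "$1" \
        | grep -o '<[^>]*>'
}

# Exit 0 only if the exact canonical tuple "<port, proto>" is present.
no_hide_has() {
    no_hide_tuples "$1" | grep -qx "<$2, $3>"
}

# Exit 1 (and print the offenders) if any tuple deviates from the stock
# "<port, proto>" spacing; post #12 reports that "<514,17>" was not honoured.
no_hide_lint() {
    if no_hide_tuples "$1" | grep -v '^<[0-9]\{1,5\}, [0-9]\{1,3\}>$'; then
        return 1
    fi
    return 0
}

# Append "<port, proto>" (17 = UDP, 6 = TCP) after backing the file up.
# Idempotent: a tuple that is already present is not added twice.
add_no_hide_port() {
    file=$1; port=$2; proto=${3:-17}
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 2; }
    case "$proto" in 6|17) ;; *) echo "proto must be 6 or 17: $proto" >&2; return 2;; esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    grep -q '^no_hide_services_ports[[:space:]]*=' "$file" \
        || { echo "no no_hide_services_ports line in $file" >&2; return 1; }
    if no_hide_has "$file" "$port" "$proto"; then
        return 0
    fi
    # Backup first: an upgrade or HFA will overwrite table.def anyway, and the
    # .bak copy is what you diff against afterwards to re-apply the change.
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Insert the tuple before the closing brace, keeping the stock spacing.
    sed "s/^\(no_hide_services_ports[[:space:]]*=[[:space:]]*{.*[^[:space:]]\)[[:space:]]*}\([[:space:]]*;\)/\1, <$port, $proto> }\2/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    no_hide_has "$file" "$port" "$proto"
}

# Typical use on the SmartCenter, after cpstop and before cpstart:
#   add_no_hide_port "$FWDIR/lib/table.def" 514 17 && no_hide_lint "$FWDIR/lib/table.def"
```

Run it against a copy first; after the real edit, cpstart and install policy as in post #10, and note that every upgrade or HFA of the management server puts the stock line back, so keep the .bak copies and re-apply.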