Layer7 API Management


Issue to manage already configured "unlisted interfaces" via Policy manager

  • 1.  Issue to manage already configured "unlisted interfaces" via Policy manager

    Posted 02-09-2017 07:42 AM

    Hi Community,

     

    We have the following issue using, or rather configuring, further "unlisted interfaces" on a cluster (GW1/GW2):

     

    We would like to enable, or rather configure, the already configured unlisted ports via the Policy Manager
    (Manage Listen Ports).
    I will try to explain the setup in detail to give you an exact overview of what we have configured.

     

    Current state, i.e. what we have configured:
    - we have a cluster configuration with 2 Gateways which is running under Hyper-V as a virtual appliance
    - on each GW we have configured the "physical interface" eth0 to reach the Gateways via the network (it is only allowed to use one interface "eth0" within the virtualization)
    - on GW1 (primary) we have additionally configured unlisted interfaces:
        eth0:1 to use a "service1" with a dedicated IP (.111)
        eth0:2 to use a "service2" with a dedicated IP (.113)
    - on GW2 (secondary) we have also configured unlisted interfaces:
        eth0:1 to use a "service1" with a dedicated IP (.111)
        eth0:2 to use a "service2" with a dedicated IP (.113)
    - the communication to the Policy Manager for service1/service2 passes through the firewall via port 443
    - port 8443 is the "manage access port" for the Policy Manager on interface eth0 (which is the physical interface -> cluster/two IPs)

     

    Under Manage Listen Ports we have configured the following, but it doesn't work:
    - service1 is configured to use interface eth0:1 (with two IPs -> cluster) on port 8445. The communication passes through the firewall via port 443 to the virtual interface and is routed internally to port 8445 (which is configured under Manage Listen Ports -> Manage Firewall Rules, redirect from 443 to 8445)
    - service2 is configured to use interface eth0:2 (with two IPs -> cluster) on port 8444. The communication passes through the firewall via port 443 to the virtual interface and is routed internally to port 8444 (which is configured under Manage Listen Ports -> Manage Firewall Rules, redirect from 443 to 8444)

     

    The result, i.e. the issue, is that all requests are routed via the physical interface eth0, as you can see in the iptables extract:
    [ ~]# iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 771 packets, 52156 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:opsession-prxy redir ports 3306
        0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:http redir ports 8080
        0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:https redir ports 8443
        0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:https redir ports 8445
        0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:https redir ports 8444

     

    Why do we not see the interfaces eth0:1 and eth0:2? Do we have such a massive misconfiguration?

     

    Does anybody have an idea how to handle the issue, or what the exact configuration is?

     

    Best regards

    markus
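
The `iptables -t nat -L -v` listing in the post above can be checked mechanically for REDIRECT rules that can never fire: netfilter applies the first matching rule in a chain, and the two rules for 8445 and 8444 match the same traffic (tcp, dpt:https, any destination) as the 8443 rule listed before them. This is an added example, not code from the original post or from CA; the listing is copied from the post, and the function names are hypothetical.

```python
import re

# Listing copied from the first post (`iptables -t nat -L -v`, PREROUTING chain).
LISTING = """\
Chain PREROUTING (policy ACCEPT 771 packets, 52156 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:opsession-prxy redir ports 3306
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:http redir ports 8080
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:https redir ports 8443
    0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:https redir ports 8445
    0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:https redir ports 8444
"""

# Wildcards as printed without -n (with -n the addresses would read 0.0.0.0/0).
WILDCARD = {"prot": "all", "iface": "any", "src": "anywhere", "dst": "anywhere"}

RULE = re.compile(
    r"^\s*\S+\s+\S+\s+REDIRECT\s+(?P<prot>\S+)\s+\S+\s+(?P<iface>\S+)\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+.*?dpt:(?P<dport>\S+)\s+redir ports (?P<to>\d+)"
)

def parse_redirects(listing):
    """Return the REDIRECT rules of the listing, in chain order, as dicts."""
    return [m.groupdict() for m in map(RULE.match, listing.splitlines()) if m]

def covers(earlier, later):
    """True if every packet that matches `later` also matches `earlier`."""
    if earlier["dport"] != later["dport"]:
        return False
    return all(earlier[k] in (w, later[k]) for k, w in WILDCARD.items())

def shadowed_redirects(listing):
    """Return (dead_rule, winning_rule) pairs for rules an earlier rule fully covers."""
    rules = parse_redirects(listing)
    pairs = []
    for i, later in enumerate(rules):
        winner = next((e for e in rules[:i] if covers(e, later)), None)
        if winner:
            pairs.append((later, winner))
    return pairs

if __name__ == "__main__":
    for dead, winner in shadowed_redirects(LISTING):
        print(f"dpt:{dead['dport']} on {dead['iface']} -> {dead['to']} never fires; "
              f"earlier rule on {winner['iface']} redirects to {winner['to']}")
```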



  • 2.  Re: Issue to manage already configured "unlisted interfaces" via Policy manager

    Posted 04-22-2017 11:21 AM

    Good afternoon,

     

    From reviewing your post, I found that a case was opened as well to address this. I wanted to make sure that we updated the community post. The underlying OS used within the Gateway Appliance is either CentOS or Red Hat, which needs some additional configuration, or the configuration should be avoided, if 2 network cards on the same appliance are in the same subnet. Red Hat provides some solutions on how to configure this to work: either "How to connect two network interfaces on the same subnet? - Red Hat Customer Portal" or "When using two IP addresses in the same subnet on the same system, why can only one interface use the default gateway? -…"

     

    In most instances, we have seen customers avoid using 2 interfaces in the same subnet due to the complexity it creates.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support