Sometimes you need not only to load-balance TCP/UDP sessions over a server pool but also to redirect ICMP echo requests to the servers themselves. This is useful for troubleshooting, or for probing the real servers through a VIP (virtual IP) with a monitoring tool.
I observed the following default firewall behavior: it proxies all incoming ICMP packets and answers them on its own behalf instead of forwarding them to the real servers in the pool, so changing the server monitoring agent settings and “excluding” servers from the pool does not affect the observed results at all.
To force the firewall to “move on” ICMP packets, I unchecked “proxy ARP entry generation” in the “External addresses” section properties. After that the firewall did its job correctly (as I expected, at least).
One Response to “Load-balancing ICMP traffic over Server pool”
December 22nd, 2008 at 11:25 am
In fact ping is handled in the server pool exactly like any other service. There is no proxying or answering-on-behalf functionality. The proxy ARP setting does not affect this either.
In some operating systems ping always uses the same ICMP ID value. This always increases the risk that an old ping “connection” is still present and new ping packets to this same connection are handled according to the NAT and timeout of the existing connection. If the OS always reuses the same ICMP ID value, the functionality is the same as if TCP or UDP connections always used the same SRC port. -> Not a new connection, only additional packets to an existing connection. Only when there is more than the idle timeout between such packets can there be a change in the NAT, because NAT never changes in the middle of a connection.
Seems like false assumption.
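The connection-tracking behavior described in the comment above, as an added illustration that is not code from the original post or from any firewall product: a toy model that keys ICMP echo flows on (client IP, VIP, ICMP identifier) the way a stateful firewall keys UDP flows on (src IP, dst IP, src port), and shows why an OS that reuses one ICMP ID keeps hitting the same pool server until the idle timeout expires. The pool addresses, the round-robin selection and the 60-second idle timeout are assumptions chosen for the demo.

```python
import itertools


class IcmpEchoBalancer:
    """Toy model (assumption, not a real firewall) of stateful ICMP echo
    tracking in front of a server pool. Each distinct (src, vip, icmp_id)
    is one 'connection'; the server chosen for it never changes until the
    entry idles out, mirroring how NAT is fixed for the life of a flow."""

    def __init__(self, pool, idle_timeout):
        self.pool = list(pool)
        self.idle_timeout = idle_timeout
        self._rr = itertools.cycle(self.pool)  # round-robin pick (assumed policy)
        self.table = {}  # flow key -> (server, last_seen_timestamp)

    def handle_echo(self, src_ip, vip, icmp_id, now):
        """Return the pool server this echo request is forwarded to."""
        key = (src_ip, vip, icmp_id)
        entry = self.table.get(key)
        if entry is not None and now - entry[1] <= self.idle_timeout:
            # Packet belongs to an existing connection: keep its server.
            server = entry[0]
        else:
            # First packet, or the old entry has idled out: new connection.
            server = next(self._rr)
        self.table[key] = (server, now)
        return server


def demo():
    """Constructed scenario: one client pinging one VIP, two-server pool."""
    fw = IcmpEchoBalancer(pool=["10.0.0.11", "10.0.0.12"], idle_timeout=60)
    client, vip = "192.0.2.10", "203.0.113.1"
    # OS that reuses the same ICMP ID (1234) for every ping, 10 s apart:
    # every packet is matched to the existing entry -> same server.
    same_id = [fw.handle_echo(client, vip, 1234, t) for t in (0, 10, 20, 30)]
    # Same ID again, but 61 s after the last packet: entry expired,
    # so the firewall treats it as a new connection and may pick another server.
    after_timeout = fw.handle_echo(client, vip, 1234, 30 + 61)
    # OS that uses a fresh ICMP ID per ping invocation: each is a new flow.
    fresh_ids = [fw.handle_echo(client, vip, i, 200 + i) for i in (5001, 5002, 5003)]
    return same_id, after_timeout, fresh_ids


if __name__ == "__main__":
    print(demo())
```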