Posted to issues@cloudstack.apache.org by "sadhu suresh (JIRA)" <ji...@apache.org> on 2013/05/23 13:54:19 UTC

[jira] [Created] (CLOUDSTACK-2645) When firewall and LB service providers are different, it should not allow both the rules on same public IP

sadhu suresh created CLOUDSTACK-2645:
----------------------------------------

             Summary: When firewall and LB service providers are different, it should not allow both the rules on same public IP
                 Key: CLOUDSTACK-2645
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2645
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Network Devices
    Affects Versions: 4.2.0
            Reporter: sadhu suresh


Failed to access the VM when LB rules and port forwarding rules are configured on the same IP


Steps:
1. Create a shared network offering with SRX (sourcenat/pf/snat/firewall) as NS (lb) and with conserve mode on
2. Create a shared network using the above network offering
3. Deploy a few VMs using the above network and acquire a public IP
4. Create a PF rule with ports 222,22 (public port 222 & private port 22), assign it to a guest VM & configure the firewall to allow all the IPs
5. SSH to the guest VM with port 23
6. On the same IP, configure an LB rule with port 22 22
7. Try to SSH to the guest VM with port 222 again

Actual result:

Step 5:
Able to access the guest VM 222

Step 7:
After configuring the LB rule, unable to SSH to the guest VM with port 222, and it failed with connection refused because the same IP is active at both providers (SRX & NetScaler)

On SRX:

  rule destnatrule-1206020519 {
        match {
            destination-address 10.147.44.93/32;
            destination-port 222;
        }
        then {
            destination-nat pool 10-0-17-17-22;
        }
    }
}


Cloud-VirtualServer-10.147.44.93-22 (10.147.44.93:22) - TCP     Type: ADDRESS
        State: UP
        Last state change was at Thu May 23 11:15:32 2013
        Time since last state change: 0 days, 00:33:48.580
        Effective State: UP
        Client Idle Timeout: 9000 sec
        Down state flush: ENABLED
        Disable Primary Vserver On Down : DISABLED
        Appflow logging: ENABLED
        No. of Bound Services :  1 (Total)       1 (Active)
        Configured Method: ROUNDROBIN
        Mode: IP
        Persistence: NONE
        Connection Failover: DISABLED
        L2Conn: OFF
        Skip Persistency: None
        IcmpResponse: PASSIVE
        New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0



Expected result:
When firewall and LB service providers are different, it should not allow both the rules on same public IP.
  










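The expected result in the report amounts to a per-IP ownership check: once one provider holds rules on a public IP, a rule that would be programmed on a different provider is refused. The following is an added example, not CloudStack's code and not part of the original report; the class names, the offering dictionaries and the `replay` helper are hypothetical, while the IP and ports come from steps 4 and 6.

```python
from dataclasses import dataclass

class ProviderConflict(Exception):
    """Raised when a rule would put a second device on an already-owned public IP."""

@dataclass(frozen=True)
class Rule:
    public_ip: str
    service: str        # "pf", "firewall" or "lb"
    public_port: int
    private_port: int

class PublicIpRules:
    def __init__(self, offering):
        self.offering = offering    # service name -> provider name
        self.rules = []

    def owner(self, ip):
        """Provider that already holds rules on this IP, or None if the IP is unused."""
        for r in self.rules:
            if r.public_ip == ip:
                return self.offering[r.service]
        return None

    def add(self, rule):
        provider = self.offering[rule.service]
        owner = self.owner(rule.public_ip)
        if owner is not None and owner != provider:
            raise ProviderConflict(
                f"{rule.public_ip} is already served by {owner}; "
                f"{rule.service} rule needs {provider}")
        self.rules.append(rule)
        return provider

# Constructed offerings: the split one from the report, and one with a single provider.
SPLIT = {"pf": "SRX", "firewall": "SRX", "lb": "NetScaler"}
SINGLE = {"pf": "SRX", "firewall": "SRX", "lb": "SRX"}

def replay(offering, ip="10.147.44.93"):
    """Replay steps 4 and 6: PF 222->22, then LB 22->22 on the same IP."""
    table = PublicIpRules(offering)
    table.add(Rule(ip, "pf", 222, 22))
    try:
        return "accepted by " + table.add(Rule(ip, "lb", 22, 22))
    except ProviderConflict as exc:
        return "rejected: " + str(exc)

if __name__ == "__main__":
    print(replay(SPLIT))
    print(replay(SINGLE))
```

With the split offering the LB rule is refused before anything reaches the second device, so the existing port forwarding on port 222 keeps working.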