What is Drain Stop and when does it affect traffic?

Drain stopping allows user sessions to be gracefully removed from disabled servers. This allows users to finish their session before removing servers for maintenance.

Drain stopping only occurs for Layer 7 virtual services with persistence. Once a server is disabled, LoadMaster will automatically drain connections. This means that new sessions will not be sent to that server. However, sessions which have a persistence entry will continue to be directed to that server. This will happen until the persistence entry expires or until the L7 Connection Drain Time expires. This is found in System Configuration > Miscellaneous Options > L7 Configuration.

If the service is Layer 4 only or if the service is L7 without any persistence, drain stopping will not occur. Under these circumstances, no new connections will be sent to a disabled server whatsoever.

  • Note: Drain stopping does not affect established sessions. If a client is already connected to a server, that connection will continue until it finishes or is closed due to the idle connection timeout.

Can I restore backups from one model to another?

We recommend restoring “VS Configuration” only when restoring from a backup of a different model or version. This avoids any unnecessary complexity when dealing with different version details or different interface details.

What are some pitfalls regarding Adaptive Scheduling?

Information about Adaptive Scheduling can be found on our documentation page. Contained in the zip file is the Windows executable file, details about configuring the Windows agent as well as details about Adaptive Scheduling in general. You can also find example scripts for Linux and other platforms in the LoadMaster Configuration Guide in Appendix H.

One of the most common problems arises from not adjusting the adaptive agent's configuration file, which is necessary in order to get the correct values. This is especially important for RAM, since it counts "down": the agent takes the difference between the reported value and the maximum value and divides it by the maximum value. This percentage is then weighted using the weight in the configuration file. If the maximum is misconfigured, this can easily yield a negative value and throw off the calculations. Negative values are almost always caused by a bad maximum RAM value.
If you are getting incorrect data, the agent can be run from the command line to see more details about the values returned and the weighted values used to compute the final value. This can help determine which aspect is incorrect.
Permissions problems can also prevent proper operation of the adaptive agent. As indicated in the LMperfagent-README.rtf, a return value of -1 generally indicates that the agent was unable to open the local LMperfagent-config.txt file, which typically means there is a permissions issue. If that is the case, confirm that all steps in the installation guide have been followed.
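To make the RAM weighting concrete, here is an added illustration (not Kemp's LMperfagent code) that recomputes the weighted components from a reported sample and a configuration, and flags the negative value that a bad maximum RAM setting produces. It assumes, since the page does not say, that the agent reports free RAM in MB, that the RAM fraction is (max - reported) / max, and that the CPU value is a plain busy percentage; the config keys, function names and sample values are constructed.

```python
"""Recompute an adaptive agent's weighted load components (added illustration).

Assumptions not stated on the page: the agent reports free RAM in MB, the RAM
fraction is (max_ram - reported_free) / max_ram, the CPU sample is a busy
percentage, and each fraction is multiplied by its weight before summing.
"""


def ram_component(reported_free_mb, max_ram_mb, weight):
    """RAM 'counts down': the further free RAM is below the configured maximum,
    the higher the load. The result goes negative when max_ram_mb is set
    below the RAM actually present, which is the misconfiguration to look for."""
    if max_ram_mb <= 0:
        raise ValueError("max RAM must be positive")
    fraction = (max_ram_mb - reported_free_mb) / max_ram_mb
    return fraction * weight


def cpu_component(cpu_busy_pct, weight):
    """CPU counts 'up': busy percentage scaled by its weight."""
    return cpu_busy_pct / 100.0 * weight


def weighted_load(sample, config):
    """Combine the components and return (total, components, problems).
    `problems` lists the misconfiguration hints to check first."""
    components = {
        "cpu": cpu_component(sample["cpu_busy_pct"], config["cpu_weight"]),
        "ram": ram_component(sample["ram_free_mb"], config["max_ram_mb"], config["ram_weight"]),
    }
    problems = [
        "%s component is negative (%.1f); check the configured maximum" % (name, value)
        for name, value in components.items() if value < 0
    ]
    return sum(components.values()), components, problems


# Constructed sample: an 8 GB server with 2 GB free and 40% CPU busy.
SAMPLE = {"cpu_busy_pct": 40.0, "ram_free_mb": 2048}
GOOD_CONFIG = {"max_ram_mb": 8192, "cpu_weight": 50, "ram_weight": 50}
BAD_CONFIG = {"max_ram_mb": 1024, "cpu_weight": 50, "ram_weight": 50}   # maximum set far too low

if __name__ == "__main__":
    for label, cfg in (("good config", GOOD_CONFIG), ("bad config", BAD_CONFIG)):
        total, parts, problems = weighted_load(SAMPLE, cfg)
        print(label, round(total, 1), parts, problems)
```

With the good configuration the RAM component is 37.5 and the total 57.5; with the maximum set to 1024 MB the RAM component comes out at -50 and is reported as a problem, matching the symptom described above.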

I would like to create VLANs on eth0, what is the best way to do so?

Creating VLANs on eth0 can prove challenging. Since VLANs can only be created via the web interface, it is essential that access to the web interface is not disrupted. To this end, the web interface will need to be temporarily moved to a different interface.

First, address an interface other than eth0. Once you have addressed the new interface and connected it to the relevant network, please connect from that subnet via SSH to ensure connectivity on the new network. Once SSH access is confirmed, move the web administrative interface. From the SSH menu, select:

3) Local Administration -> 5) Remote Access Control -> 6) Change Web address (choose from the list the address which corresponds to the new interface).

After that, connect to the web interface from a workstation on that subnet. At this point, remove the addressing from eth0 entirely. Once the interface is cleared, the desired VLANs can be added. After adding all the VLANs, confirm connectivity on each VLAN by connecting to LoadMaster using SSH on each VLAN address.

Once all VLANs have been successfully added, the default gateway must be added to the correct interface. To do this, Alternate Gateway Support must be enabled in System Configuration > Miscellaneous Options > Network Options. After this is enabled, navigate to the desired interface or VLAN and check the 'Use for Default Gateway' box. You will then be taken to a page to set the gateway on that interface.

The last step is to move the administrative interface to its final destination. This can be done from the web interface in System Configuration > Miscellaneous Configuration > Remote Access. Change the 'Allow Web Administrative Access' option to the interface you would like to use. Note: as soon as you change this, you will lose access on the current interface. Connect to LoadMaster using the new interface. If you would like, you can set up an administrative default gateway that all web interface and SSH traffic to LoadMaster will use.

SMTP/IMAP/POP can’t get a banner message

Since SMTP, POP3 and IMAP4 all send a banner message before the client begins a request, Server Initiating Protocols must be set if the service operates at Layer 7. Make sure this is set to the proper value.
If this is not set, the service can appear up and respond to pings and telnet, but the application will not work. A good way to test this is to connect to the service with telnet: if the connection succeeds but no banner message is displayed, this is the likely culprit.
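Here is an added check (not part of the original page and not Kemp code) that automates the telnet test: it opens a TCP connection and waits for the server to speak first, which is what SMTP, POP3 and IMAP4 do, and reports a silent-but-open connection as the symptom to investigate. It starts a constructed local stand-in server on 127.0.0.1 so it runs offline; `read_banner`, `diagnose` and `start_stand_in` are hypothetical names.

```python
"""Automate the 'does the service send a banner?' test (added example).

SMTP, POP3 and IMAP4 servers speak first. If the TCP connection opens but
nothing arrives within the timeout, the service is reachable yet broken,
which is the symptom the page attributes to Server Initiating Protocols not
being set on an L7 service. The stand-in server is constructed for offline
use; all function names here are hypothetical.
"""
import socket
import threading


def read_banner(host, port, timeout=3.0):
    """Connect and wait up to `timeout` seconds for the server's greeting.
    Returns the banner text, or None if the connection opened but stayed silent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except socket.timeout:
            return None
    return data.decode("latin-1") if data else None


def diagnose(host, port, timeout=3.0):
    """Human-readable verdict for an operator running the check by hand."""
    banner = read_banner(host, port, timeout)
    if banner is None:
        return ("connected but no banner within %.1fs: "
                "check that Server Initiating Protocols is set on the L7 service" % timeout)
    return "banner received: " + banner.strip()


def start_stand_in(banner):
    """Constructed stand-in for a mail server on 127.0.0.1. Sends `banner`
    (or nothing when it is empty) and holds the connection open until the
    client gives up. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            try:
                conn.recv(1)   # returns once the client closes
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Healthy stand-in: greets immediately, as a real SMTP server would.
    print(diagnose("127.0.0.1", start_stand_in(b"220 mail.example.test ESMTP ready\r\n"), 1.0))
    # Broken stand-in: accepts the connection but never speaks.
    print(diagnose("127.0.0.1", start_stand_in(b""), 1.0))
```

Against a real virtual service, run `diagnose` with the VIP and port (25, 110 or 143); a short timeout is enough, since a correctly configured service sends its banner immediately after the handshake.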

Why do my real servers come in and out of service frequently?

This is what's known as 'server flapping.' It occurs when healthcheck settings are too aggressive and incorrectly mark real servers as down when they are not failing. It can be eliminated by changing the healthcheck settings in Rules and Checking > Check Parameters > Service Check Parameters:

  • Check Interval (sec): the time in seconds between healthchecks.
  • Connect (sec): the time in seconds before LoadMaster abandons a healthcheck.
  • Retry Count: the number of healthchecks that must fail before LoadMaster marks a server as down.

LoadMaster will check every Check Interval seconds to see if the server is up. It will wait Connect (sec) seconds before giving up on a check. If it gives up, it will retry Retry Count times before officially marking the real server as down.
To reduce false negatives when healthchecking, you can change these values to be less aggressive. Note that making them too relaxed may result in users being sent to servers which are not responsive, since it will take longer to detect a failed real server.
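The following added simulation (not Kemp code) walks a sequence of probe results through the three parameters above, so you can see why aggressive settings flap and how the parameters trade detection speed against stability. It assumes a server is marked down after Retry Count consecutive failed checks and returns to service on the first successful check; the probe latencies and parameter values are constructed.

```python
"""Simulate healthcheck state transitions under different Check Parameters
(added example). Assumes a real server is marked down after Retry Count
consecutive failures and back up on the first success; the latencies below
are constructed, with None meaning the server never answered.
"""
from dataclasses import dataclass


@dataclass
class CheckParams:
    check_interval: int    # Check Interval (sec): time between healthchecks
    connect_timeout: int   # Connect (sec): time before a single check is abandoned
    retry_count: int       # Retry Count: failed checks needed to mark a server down


def simulate(params, latencies):
    """Return (states, transitions): the up/down state after each probe and
    how many times the state changed. A probe fails if the server did not
    answer or answered slower than Connect (sec)."""
    states, transitions = [], 0
    up, consecutive_failures = True, 0
    for latency in latencies:
        failed = latency is None or latency > params.connect_timeout
        consecutive_failures = consecutive_failures + 1 if failed else 0
        new_up = up
        if not failed:
            new_up = True
        elif consecutive_failures >= params.retry_count:
            new_up = False
        if new_up != up:
            transitions += 1
        up = new_up
        states.append(up)
    return states, transitions


# Constructed probe latencies in seconds: a healthy server that is occasionally slow.
SLOW_BUT_ALIVE = [0.2, 3.0, 0.3, 4.0, 0.2, 3.5, 0.2]
# Constructed probe latencies for a server that has genuinely died after one probe.
DEAD = [0.2, None, None, None, None]

AGGRESSIVE = CheckParams(check_interval=9, connect_timeout=2, retry_count=1)
MODERATE = CheckParams(check_interval=9, connect_timeout=2, retry_count=2)
RELAXED = CheckParams(check_interval=9, connect_timeout=5, retry_count=2)

if __name__ == "__main__":
    for name, params in (("aggressive", AGGRESSIVE), ("moderate", MODERATE), ("relaxed", RELAXED)):
        for label, probes in (("slow but alive", SLOW_BUT_ALIVE), ("dead", DEAD)):
            states, flips = simulate(params, probes)
            print("%-10s %-15s transitions=%d states=%s" % (name, label, flips, states))
```

With the aggressive settings the slow-but-alive server flips between up and down six times over seven probes; raising Retry Count to 2 alone removes every flap because no two consecutive probes fail, while the dead server is still detected on its second failed probe.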

How does healthchecking work?

Essentially healthchecking works by requesting something and examining the response. Healthchecking can be done at different layers of the TCP/IP stack. The higher in the stack, the better the quality of the healthcheck at determining overall application health.
At Layer 3, LoadMaster can use ICMP Ping. This will send a ping request to the server. If we receive a ping response, the server is considered healthy. This however only checks that the server is running, not the application.
At Layer 4, LoadMaster can use TCP Connection. This will attempt to open a TCP connection to the server on the selected port. If the server completes the TCP handshake, the server is considered healthy. This checks that the application is at least accepting connections, but does not check that the application is functioning properly.
At Layer 7, there are a variety of protocol specific healthchecks. These will open a TCP connection to the server and begin application level communication. Once the server responds with good data, the server is considered healthy. This checks that the application is up and functioning properly.
For HTTP and HTTPS healthchecks, you can specify some of the parameters used to make the request: the URL, method, version and hostname, as well as additional headers. These parameters are assembled as follows:

  <Method> <URL> HTTP/<Version>

If HTTP/1.1 is specified, you can also send the hostname as a Host header if your server requires this:

  <Method> <URL> HTTP/<Version>
  Host: <Hostname>

The default healthcheck looks like this:

  HEAD / HTTP/1.0

Using the following settings:

  Method: GET
  URL: /healthcheck.html
  Version: 1.1
  Hostname: example.com

the healthcheck would look like this:

  GET /healthcheck.html HTTP/1.1
  Host: example.com

If LoadMaster receives a 200, 301, 302 or 401 status code in response, the server is considered healthy. You can be more granular by specifying GET as the method: you can then specify a regular expression which is compared against the first 4KB of the response, and if it matches, the server is considered healthy. This feature requires a 200 response code with content to be returned.
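The request assembly and the response rules above, as an added Python example (not Kemp's own implementation): `build_healthcheck` produces the request text for the given Method, URL, Version and Hostname, and `is_healthy` applies the stated status-code rules, including the GET plus regular-expression variant, which requires a 200 and searches only the first 4KB. Whether that 4KB window includes the headers is not stated on the page; the example assumes it counts from the first byte of the raw response. The sample responses are constructed.

```python
"""HTTP healthcheck request assembly and response evaluation (added example,
not Kemp's implementation). Sample responses are constructed. Assumption:
the 4KB window for the regular-expression check starts at the first byte of
the raw response, headers included.
"""
import re

# Status codes the page lists as healthy for the plain status-code check.
HEALTHY_STATUS = {200, 301, 302, 401}


def build_healthcheck(method="HEAD", url="/", version="1.0", hostname=None):
    """Assemble '<Method> <URL> HTTP/<Version>' plus an optional Host header.
    The defaults reproduce the page's default check: HEAD / HTTP/1.0."""
    lines = ["%s %s HTTP/%s" % (method, url, version)]
    if hostname:
        lines.append("Host: " + hostname)
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_status(raw_response):
    """Extract the numeric status from the status line, or None if malformed."""
    match = re.match(rb"HTTP/\d\.\d (\d{3})", raw_response)
    return int(match.group(1)) if match else None


def is_healthy(raw_response, method="HEAD", pattern=None):
    """Plain check: 200/301/302/401 is healthy. With GET and a regex (bytes),
    the response must be a 200 and the pattern must match within the first 4KB."""
    status = parse_status(raw_response)
    if status is None:
        return False
    if pattern is None:
        return status in HEALTHY_STATUS
    if method != "GET":
        raise ValueError("regular-expression matching requires Method: GET")
    if status != 200:
        return False   # a 301/302/401 that passes the plain check fails here
    return re.search(pattern, raw_response[:4096]) is not None


# Constructed responses.
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"
ERROR = b"HTTP/1.1 503 Service Unavailable\r\n\r\n"
OK_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nSTATUS: OK\n"
AUTH = b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic\r\n\r\n"
# A 200 whose marker sits past the 4KB window the check inspects.
LATE_MARKER = b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 5000 + b"STATUS: OK\n"

if __name__ == "__main__":
    print(build_healthcheck(), end="")
    print(build_healthcheck("GET", "/healthcheck.html", "1.1", "example.com"), end="")
    for name, resp in (("redirect", REDIRECT), ("error", ERROR), ("ok", OK_PAGE), ("auth", AUTH)):
        print(name, is_healthy(resp))
    print("regex ok", is_healthy(OK_PAGE, "GET", rb"STATUS: OK"))
    print("regex past 4KB", is_healthy(LATE_MARKER, "GET", rb"STATUS: OK"))
```

Two consequences worth noticing: a 401 or a redirect counts as healthy under the plain check but not under the regex check, and a marker that the application writes after 4KB of other content is never seen, so the health page should put its marker near the top.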

Why is the traffic to a Least Connection service unbalanced?

This is a known behavior when the scheduling method is set to Least Connections. Using this scheduler, LoadMaster sends new connections to the server which has the fewest connections actively sending data. If the overall level of traffic is not great enough to ensure a baseline of activity at every moment, traffic may skew toward the first server. In these situations, it is recommended that the scheduling method be changed to Round Robin.

Why can’t I access my real servers using RDP?

If you are operating in one-arm mode, it may be a feature interaction with SNAT. Since SNAT is never needed in one-arm situations, try turning this feature off in System Configuration > Miscellaneous Options > SNAT Control. This controls whether LoadMaster NATs connections using it as a default gateway. This can be necessary in two-armed configurations but it generally presents a problem in one-arm deployments.

If you are operating in two-arm mode, you may need to set up routing to use LoadMaster to reach the server subnet. Alternatively you can use LoadMaster to forward traffic for the desired ports using a virtual service for each server.

How can I reset my LoadMaster to factory defaults?

A LoadMaster can be reset to factory default values by navigating to System Configuration > System Administration > System Reboot and selecting the button for ‘Reset Machine.’ Alternately, it can be done via the console or SSH navigating to:

7) Utilities -> 1) Software Upgrade -> 3) Reset to Factory Defaults

Either way will reset the device to a default state. The only exceptions to this are passwords and licensing.

Can my LoadMaster support 4k/4096 bit SSL certificates?

LoadMaster currently supports key sizes higher than 2048 bit; however, increasing the key size reduces SSL TPS performance non-linearly, so performance with a 4096 bit key will drop substantially (by at least a factor of four) compared to a 2048 bit key. To achieve the same performance with larger keys, more powerful hardware will be needed.

However, as indicated by NIST (page 66), 2048 bit keys have a security lifetime until 2030 (RSA keys are under the heading IFC in Table 4). In paragraph 2 on page 65, the document discusses the need for security versus the impact on operations: "In many cases, a variety of key sizes may be available for an algorithm. For some of the algorithms (e.g., public key algorithms, such as RSA), the use of larger key sizes than are required may impact operations, e.g., larger keys may take longer to generate or longer to process the data. However, the use of key sizes that are too small may not provide adequate security."

How can my LoadMaster help mitigate the impact of a DDoS?

While LoadMaster is not a security device, it is a hardened Linux appliance and can be applied to help mitigate certain kinds of DDoS attack as part of a well-formed defense-in-depth (DiD) strategy.

LoadMaster can help block SYN floods: it supports a backlog of 1024 SYN connections before enabling SYN cookies (http://en.wikipedia.org/wiki/SYN_cookies). LoadMaster also supports something similar to TCP splicing/delayed binding (http://en.wikipedia.org/wiki/Delayed_binding); our L4 logic is handled by LVS/IPVS with a few enhancements and is a kind of splicing. When operating at Layer 7, LoadMaster acts as a full proxy, terminating connections at the LoadMaster on both sides. This helps reduce the load placed on real servers by fake requests. According to RFC 4987 (Section 4) (http://tools.ietf.org/html/rfc4987):

“Several vendors of commercial firewall products sell devices that can mitigate SYN flooding's effects on end hosts by proxying connections.”

Since LoadMaster supports a Layer 7 full proxy, it provides comparable mitigation to those devices. We do not have full numbers for a SYN flood situation, but 1800 SYN packets/second generated only 15% CPU utilization on a LoadMaster 2200. Using an attack script (juno.c, http://www.packetstormsecurity.org/DoS/juno.c), a LoadMaster 2200 was able to withstand over 60,000 SYN packets/second at 100% CPU utilization. Meanwhile, the web interface and virtual service both remained available, though slowed. Since LoadMaster does not pass half-open TCP connections to the real servers, LoadMaster itself takes the brunt of any such attack.

How does VMAC work and how can it improve HA failover?

Virtual MAC is a means of doing HA at Layer 2 rather than Layer 3. Essentially, in addition to a shared IP there is a shared MAC address which is owned by whichever unit is active. With this in place, all virtual service traffic is sent to the shared MAC address, allowing the standby device to pick up the traffic seamlessly. In the event of a failover, upstream devices do not need to change the ARP record associated with the services; the only change that must occur is that the switch must begin sending frames out a different port. VMAC is the best way to accomplish HA; the only reason it is not the default is that some environments prohibit migrating MAC addresses across ports. Settings such as Cisco's Port Security can prevent VMAC from working properly.

A quick way to test whether your environment can use this is the 'laptop test': plug a laptop into a port on the switch, confirm connectivity, then move the connection to a different port on the same switch. If connectivity returns without incident, you should also be able to use VMAC. If your HA pair is connected to two different switches, the laptop test should be done on the switch at which those switches converge (rather than the switches the LoadMasters connect to), since that is where the MAC bookkeeping will have to change quickly.
After confirming that VMAC will work in your environment, change to Virtual MAC during a maintenance window, since it requires a reboot and ARP to be flushed on the relevant devices. To turn it on, check the "Use Virtual MAC addresses" checkbox in Local Administration > HA Parameters on both devices. Following that you will need to reboot both, then flush the ARP cache on all upstream devices. It is recommended, though it may not be necessary, to flush the real servers' ARP caches as well.

How to Enable SNMP on the Kemp LoadMaster

Simple Network Management Protocol (SNMP) can be enabled so that the LoadMaster can be monitored, e.g. for Virtual Service statistics. To enable it:

  1. Select System Configuration – Logging Options – SNMP Options.
  2. Select Enable SNMP.
  3. To add an SNMP client name, input the IP or hostname of the SNMP server.
  4. Next add the community string; normally Public implies Read-Only and Private implies Read-Write.
  5. The contact name is the username of the contact person who holds the management information, e.g. “Kemp Support”.
  6. The location is the device location, for example “Ireland”.
  7. Enable SNMP traps: when enabled, this displays the options for Sink1 and Sink2. Sink1 is for SNMPv1 and Sink2 is for SNMPv2. These options allow the user to specify a list of hosts to which an SNMPv1 or v2 trap will be sent when a trap is generated.

How do I know what processes are running on my Kemp LoadMaster?

To capture all the processes running on the LoadMaster, a ps command can be run. The ps output displays the PPIDs of the processes running on the LoadMaster.

  1. Go to System Configuration – Logging Options – Log Files.
  2. Select Debug Options, select Perform a PS and click the PS button.
  3. A new page will be displayed with the data from the PS.

Add port 80 redirect

You can enable a port 80 redirect for a HTTPS virtual service.

  1. Select Virtual Services – View Modify Service.
  2. Select the HTTPS service for port 443 and select modify.
  3. Under the virtual service, select Advanced Properties and select Add HTTP Redirector under Add a Port 80 Redirector VS. This will create a redirect Virtual Service on port 80 that redirects the traffic it receives to the HTTPS 443 virtual service running on the LoadMaster.

What is the High Availability Protocol used on the Kemp LoadMaster?

The High Availability Protocol used on the Kemp LoadMaster is CARP. CARP works in the same way as Cisco’s VRRP. It uses multicast address 224.0.0.18. In order for CARP to work between a pair of LoadMasters, both LoadMasters need to be on the same broadcast domain.

Can I use one SSL certificate on my Virtual Service for deploying multiple domains?

It is not possible to use multiple certificates in the same Virtual Service; if you require multiple domains then you will need to use a certificate that can handle this, such as a SAN Certificate or Unified Communications Certificates (UCC).

How many VS's can you setup on the Kemp Hardware LoadMaster?

You can setup up to:

  • 256 Virtual Services and 1000 Real Servers on the LoadMaster 2200
  • 500 Virtual Services and 1000 Real Servers with the LoadMaster 2600
  • 1000 Virtual Services and 1000 Real Servers for the LoadMaster 3600 and 5300

Does Kemp provide built-in ASIC-enabled hardware SSL acceleration?

Processing for SSL-demanding applications is extremely compute intensive and can be very costly.

Kemp provides a special built-in ASIC SSL card on the 2600, 3600 and 5300 Loadmasters to handle SSL Transactions efficiently.