
Limitations and Precautions for SLB

Hardware Requirements

The SLB tunnel function is supported by all models except the USG6510E/6510E-POE/6530E.

License Requirements

The SLB function is not license-controlled.

Limitations

  • IPv4 is the only IP protocol supported by SLB.
  • FTP is the only multi-channel protocol supported by SLB.
  • After server load balancing (SLB) is configured, the FW automatically generates a black-hole route for the virtual server IP address to prevent routing loops. You can check the routing table through the web UI or CLI to view the corresponding entry: the destination address is the IP address of the virtual server, the mask length is 32 bits, and the next hop is the NULL0 interface. After you delete the virtual server IP address or cancel the binding between the virtual server and physical server group, the black-hole route is automatically deleted.

    However, if the virtual server IP address is the same as the WAN interface IP address, the corresponding black-hole route is not automatically generated. After the FW receives a packet from the Internet, if the packet matches a server-map entry, the FW translates the packet's address and forwards the packet to the specified private network; if the packet does not match any server-map entry, the FW considers the packet destined for itself. In this case, the security policy between the security zone of the WAN interface and the Local security zone determines how the FW processes the packet. If the policy permits the packet, the FW processes it. If the policy denies the packet, the FW discards it.
  • After you configure SLB, configure the routing function based on the IP addresses of real servers, and configure policies (such as security policies) based on the IP address of the virtual server.
  • If the service health check function is configured, the load balancing algorithm is directly affected by the health check result, which further affects the SLB result. Physical servers whose health check status is inactive are not involved in load balancing.
  • If the FW is deployed in hot standby networking and the virtual server IP address and VRRP group virtual IP address reside on the same network segment, you need to bind the VRRP group. Before you modify the VRRP group bound to the virtual server, unbind the virtual server from the physical server group. Then bind the new VRRP group.
  • For Layer 7 SLB functions (HTTP cookie-based sticky session, SSL Session ID-based sticky session, HTTP X-Forward, HTTP Class scheduling policy, and SSL offloading), ensure that the forward and reverse paths are the same. Otherwise, services will be abnormal. In cluster or hot standby networking, certain session information cannot be backed up. As a result, Layer 7 SLB services cannot be smoothly switched.
  • In cluster or hot standby networking, the source NAT function of SLB cannot use the outbound interface mode. In the outbound interface mode, the FW directly uses the IP address of the host interface as the translated address, but the standby device does not have the interface IP address of the host. Therefore, the host session becomes unavailable after being backed up to the standby device. Consequently, when the active/standby FW switchover occurs, SLB cannot be smoothly switched, compromising services.
  • The virtual server IP address in the virtual system must be pre-allocated to the current virtual system.
  • The IP address and port number used to log in to the SSL VPN virtual gateway and device web UI cannot conflict with the public IP address and port number configured for the SLB virtual service. Otherwise, login to the virtual gateway or device web UI will fail.

Precautions

The IP address of a virtual server must be different from any of the following IP addresses:

  • Public IP address (global IP address) of the NAT server

    When the protocol ID and port number are the same, the IP address of the virtual server cannot be the same as the public IP address.

  • Public IPv4 address statically mapped by NAT64
  • IP address in the public IPv4 address pool (global pool) statically mapped by NAT444
  • Public IP address (global-ip) assigned to the virtual system
  • IP address of a real server

The IP address of a real server must be different from any of the following IP addresses:

  • IP address of the virtual server
  • IP address of the gateway
  • IP address of the interface on the FW
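
The address rules above can be checked against an addressing plan before the SLB configuration is committed. The following Python checker is an added example, not Huawei code; the plan dictionary layout, its key names and the sample addresses are assumptions constructed for illustration.

```python
from ipaddress import IPv4Address, AddressValueError

def check_slb_plan(plan):
    """Check a planned SLB config (constructed dict layout) against the rules on this page."""
    try:
        vip = IPv4Address(plan["vserver"]["ip"])
        reals = {IPv4Address(a) for a in plan["real_servers"]}
    except AddressValueError as exc:
        return [f"ERROR: SLB supports IPv4 only ({exc})"]

    def ips(key):
        return {IPv4Address(a) for a in plan.get(key, [])}

    findings = []
    # NAT server: a clash only when protocol and port also match.
    svc = (plan["vserver"]["protocol"], plan["vserver"]["port"])
    for nat in plan.get("nat_servers", []):
        if IPv4Address(nat["global_ip"]) == vip and (nat["protocol"], nat["port"]) == svc:
            findings.append(f"ERROR: virtual server {vip} {svc} duplicates a NAT server mapping")
    for key, label in (("nat64_static", "NAT64 static mapping"),
                       ("nat444_global_pool", "NAT444 global pool"),
                       ("vsys_global_ips", "virtual system global-ip")):
        if vip in ips(key):
            findings.append(f"ERROR: virtual server {vip} is also a {label} address")
    if vip in reals:
        findings.append(f"ERROR: virtual server {vip} is also a real server")
    for key, label in (("gateways", "gateway"), ("fw_interfaces", "FW interface")):
        for clash in sorted(reals & ips(key)):
            findings.append(f"ERROR: real server {clash} is also a {label} address")
    # Sharing the WAN interface IP is possible, but it changes packet handling.
    if vip in ips("wan_interfaces"):
        findings.append(f"WARN: {vip} is a WAN interface IP: no black-hole route; "
                        "unmatched packets fall to the WAN-zone-to-Local security policy")
    return findings

# Constructed sample plan (documentation addresses, not taken from the page).
SAMPLE = {
    "vserver": {"ip": "198.51.100.10", "protocol": "tcp", "port": 443},
    "real_servers": ["10.1.1.10", "10.1.1.11", "10.1.1.1"],
    "nat_servers": [{"global_ip": "198.51.100.10", "protocol": "tcp", "port": 80},
                    {"global_ip": "198.51.100.10", "protocol": "tcp", "port": 443}],
    "gateways": ["10.1.1.1"],
    "fw_interfaces": ["10.1.1.254"],
    "wan_interfaces": ["198.51.100.10"],
}

if __name__ == "__main__":
    print("\n".join(check_slb_plan(SAMPLE)))
```

The NAT server entry on port 80 is not reported because only an identical protocol and port make the shared address a conflict; the WAN interface match is reported as a warning so that the WAN-to-Local security policy is reviewed.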
Copyright © Huawei Technologies Co., Ltd.