Use case 3: Configure load balancing in direct server return mode

Load balancing in direct server return (DSR) mode allows the server to respond to clients directly by using a return path that does not flow through the Citrix ADC appliance. In DSR mode, however, the appliance can continue to perform health checks on services. In a high-data volume environment, sending server traffic directly to the client in DSR mode increases the overall packet handling capacity of the appliance because the packets do not flow through the appliance.

DSR mode has the following features and limitations:

  • It supports one-arm mode and inline mode.
  • The appliance ages out sessions based on idle timeout.
  • Because the appliance does not proxy TCP connections (that is, it does not send a SYN-ACK to the client), it does not completely shut out SYN attacks. You can use the SYN packet rate filter to set a threshold on the rate of SYNs forwarded to the server. For full protection from SYN attacks, you must configure the appliance to proxy TCP connections, which requires the reverse traffic to flow through the appliance.
  • In a DSR configuration, the Citrix ADC appliance does not replace the load balancing virtual server's IP address with the destination server's IP address. Instead, it forwards packets to a service by using the server's MAC address. The VIP must therefore also be configured on the server, and ARP must be disabled for that VIP on the server, so that client requests do not bypass the appliance when it is configured in one-arm mode. For example, configure the VIP on the server's loopback interface and disable ARP for that VIP.
  • The appliance obtains the server’s MAC address from the monitor bound to the service. However, custom user monitors (monitors of type USER), which use scripts stored on the Citrix ADC appliance, do not learn a server’s MAC address. If you use only custom monitors in a DSR configuration, for each request the virtual server receives, the appliance attempts to resolve the destination IP address to a MAC address (by sending ARP requests). Because the destination IP address is a virtual IP address owned by the Citrix ADC appliance, the ARP requests always resolve to the MAC address of the Citrix ADC interface. Consequently, all traffic received by the virtual server is looped back to the appliance. If you use user monitors in a DSR configuration, you must also configure another monitor of a different type (for example, a PING monitor) for the services, ideally with a longer interval between probes, so that the MAC address of the servers can be learned.

In the example scenario, the services Service-ANY-1, Service-ANY-2, and Service-ANY-3 are created and bound to the virtual server Vserver-LB-1. The virtual server load balances the client request to a service, and the service responds to clients directly, bypassing the Citrix ADC appliance. The following table lists the names and values of the entities configured on the Citrix ADC appliance in DSR mode.

Entity type      Name           IP address     Protocol
---------------  -------------  -------------  --------
Virtual server   Vserver-LB-1   10.102.29.94   ANY
Services         Service-ANY-1  10.102.29.91   ANY
                 Service-ANY-2  10.102.29.92   ANY
                 Service-ANY-3  10.102.29.93   ANY
Monitors         TCP            None           None

The following diagram shows the load balancing entities and values of the parameters to be configured on the appliance.

Figure 1. Entity Model for Load Balancing in DSR Mode

For the appliance to function correctly in DSR mode, the destination IP address in the client request must remain unchanged; the appliance changes only the destination MAC address to that of the selected server. This setting enables the server to determine the client MAC address and forward its responses directly to the client, bypassing the appliance.

Next, configure a basic load balancing setup as described in Setting Up Basic Load Balancing, naming the entities and setting the parameters to the values in the preceding table.

After you configure the basic load balancing setup, you must customize it for DSR mode. To do this, you configure a supported load balancing method, such as the Source IP Hash method, on a sessionless virtual server. You also set the redirection mode to MAC based, which allows the server to determine the client MAC address and forward its responses directly to the client, bypassing the appliance.

After you configure the load balancing method and redirection mode, you need to enable USIP mode on each service. With USIP enabled, the appliance keeps the client's source IP address in the packets it forwards to the server, so the server can address its responses directly to the client.

To configure the load balancing method and redirection mode for a sessionless virtual server by using the command line interface

At the command prompt, type:

set lb vserver <vServerName> -lbMethod <LBMethodOption> -m <RedirectionMode> -sessionless <Value>

Example

set lb vserver Vserver-LB-1 -lbMethod SourceIPHash -m MAC -sessionless enabled

Note

For a service that is bound to a virtual server on which the -m MAC option is enabled, you must bind a non-user monitor (a monitor of a type other than USER).

To configure the load balancing method and redirection mode for a sessionless virtual server by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Open a virtual server, set Redirection Mode to MAC Based, and set Method to SOURCEIPHASH.
  3. In Traffic Settings, select Sessionless Load Balancing.

To configure a service to use source IP address by using the command line interface

At the command prompt, type:

set service <ServiceName> -usip <Value>

Example

set service Service-ANY-1 -usip yes

To configure a service to use source IP address by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Services.
  2. Open a service, and in Traffic Settings, select Use Source IP Address.
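As an added example (not code from Citrix's documentation), the following Python script audits an ns.conf-style command listing for the DSR settings described above: a virtual server with -m MAC must be sessionless, every service bound to it must have USIP enabled, and no bound service may rely on USER monitors alone. The sample configuration is constructed for this example and mirrors the commands on this page; the simplified option parser assumes every option takes a value.

```python
import shlex
from collections import defaultdict

def _opts(tokens):
    # "-m MAC -usip YES" style pairs -> dict; positional args are skipped (assumes every option takes a value).
    return {tokens[i][1:]: tokens[i + 1] for i in range(len(tokens) - 1) if tokens[i].startswith("-")}

def parse_ns_conf(text):
    # Collect vservers, services, monitor types and bindings from add/set/bind lines (set lines merge into add).
    vs, svc, mon, vs_svcs, svc_mons = {}, {}, {}, defaultdict(list), defaultdict(list)
    for t in filter(lambda t: len(t) > 4, map(shlex.split, text.splitlines())):
        if t[0] in ("add", "set") and t[1:3] == ["lb", "vserver"]:
            vs.setdefault(t[3], {}).update(_opts(t[4:]))
        elif t[0] in ("add", "set") and t[1] == "service":
            svc.setdefault(t[2], {}).update(_opts(t[3:]))
        elif t[0] == "add" and t[1:3] == ["lb", "monitor"]:
            mon[t[3]] = t[4].upper()                      # monitor name -> type (TCP, PING, USER, ...)
        elif t[0] == "bind" and t[1:3] == ["lb", "vserver"] and not t[4].startswith("-"):
            vs_svcs[t[3]].append(t[4])                    # vserver -> bound services
        elif t[0] == "bind" and t[1] == "service" and "monitorName" in _opts(t[3:]):
            svc_mons[t[2]].append(_opts(t[3:])["monitorName"])
    return vs, svc, mon, vs_svcs, svc_mons

def audit_dsr(text):
    # Check every MAC-mode (DSR) virtual server and its bound services; return a list of findings.
    vs, svc, mon, vs_svcs, svc_mons = parse_ns_conf(text)
    findings = []
    for name, o in vs.items():
        if o.get("m", "IP").upper() != "MAC":
            continue                                      # not a DSR virtual server
        if o.get("sessionless", "DISABLED").upper() != "ENABLED":
            findings.append(f"{name}: -m MAC without -sessionless ENABLED")
        for s in vs_svcs.get(name, []):
            if svc.get(s, {}).get("usip", "NO").upper() != "YES":
                findings.append(f"{s}: bound to MAC-mode {name} but -usip is not YES")
            if svc_mons.get(s) and {mon.get(m, "?") for m in svc_mons[s]} <= {"USER"}:
                findings.append(f"{s}: only USER monitors bound; add a non-USER monitor")
    return findings

# Constructed sample (not a real appliance dump): Service-ANY-1 has only a USER monitor, Service-ANY-2 lacks USIP.
SAMPLE_NS_CONF = """\
add lb vserver Vserver-LB-1 ANY 10.102.29.94 *
add service Service-ANY-1 10.102.29.91 ANY *
add service Service-ANY-2 10.102.29.92 ANY *
add lb monitor mon-user USER -scriptName check.pl
bind service Service-ANY-1 -monitorName mon-user
bind lb vserver Vserver-LB-1 Service-ANY-1
bind lb vserver Vserver-LB-1 Service-ANY-2
set lb vserver Vserver-LB-1 -lbMethod SourceIPHash -m MAC -sessionless enabled
set service Service-ANY-1 -usip yes
"""
```

Running `audit_dsr(SAMPLE_NS_CONF)` reports the USER-only monitor on Service-ANY-1 and the missing USIP setting on Service-ANY-2, while the sessionless MAC-mode virtual server itself passes.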

Some additional steps are required in certain situations, which are described in the following sections.