Hi

I suppose that your LB has configured so that all client connections has masked to its internal IP. You should as your network staff to fix it. The fix is dependent on what LB you are using.

r. Ismo

Hi @isoutamo ,

Thanks for your reply. The IP showing for all clients is the deployment server IP. Do you have any idea what could be the issue?

Hi @daniaabujuma ,

as @isoutamo said, you have to configure your Load Balancer in transparent mode to use the source IP.

Only one question: why are you using a Load Balancer for the Deployment Server?

You don't need to duplicate it because it isn't a Single Point of Failure and your infrastructure work also without it, so why it?

it's a unuseful component that add issues to your architecture.

Ciao.

Giuseppe  

We have upwards of 250k forwarders in one of our environments and various levels of DNS caching that make it very difficult for a forwarder to request a deployment server IP from a DNS name and maintain the connection consistently in order for it to get appropriate apps downloaded.  I have seen where a system will request an IP from a DNS name, make an initial connection to a deployment server, then send a DNS query again only to be given a different IP address, which causes issues with the forwarder trying to establish a consistent trusted connection to a deployment server.  That switch in deployment server destinations causes the forwarder to just try again later, until it can establish a consistent connection randomly.

We put our deployment servers behind a load balancer before, but all the connections and logs show the forwarders coming from the same ip address.. something x-forwarded-for should help solve at our scale.

Splunk 9.2.x has some new features/ framework for DS. That may helps in your kind of environments or not? But as it’s a x.x.0 version I don’t put it into production yet!