Deployment Architecture

All systems showing same IP Addresses in Forwarder Management

DEADBEEF
Path Finder

My deployment server sits behind a load balancer.  What I have noticed is that on the DS under Forwarder Management (Clients tab), all my UFs phoning home now appear with the same IP address (they have unique client names, host name, instance name).

Is there a macro or something on the back end that I can update to display the true IP address of each system phoning home?  The true source IP is showing in in metrics.log so I'd like to modify the existing SPL to use the IP from metrics rather than wherever it's getting it from.

Labels (2)
0 Karma

Dblevins
Observer

To configure NetScaler to pass the source IP, you'll need to enable the Use Source IP (USIP) mode. Here are the steps to do this:

  1. Log in to NetScaler: Open your NetScaler management interface.

  2. Navigate to Load Balancing: Go to Traffic Management > Load Balancing > Services.

  3. Open a Service: Select the service you want to configure.

  4. Enable USIP Mode: In the Advanced Settings, find the Service Settings section and select Use Source IP Address.

This will ensure that NetScaler uses the client's IP address for communication with the backend servers.

Would you like more detailed instructions or help with another aspect of your setup?

0 Karma

daniaabujuma
Explorer

Hello, I know this was a while ago but were you able to find a solution for this issue?

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

I suppose that your LB has configured so that all client connections has masked to its internal IP. You should as your network staff to fix it. The fix is dependent on what LB you are using.

r. Ismo

0 Karma

daniaabujuma
Explorer

Hi @isoutamo ,

Thanks for your reply. The IP showing for all clients is the deployment server IP. Do you have any idea what could be the issue?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @daniaabujuma ,

as @isoutamo said, you have to configure your Load Balancer in transparent mode to use the source IP.

Only one question: why are you using a Load Balancer for the Deployment Server?

You don't need to duplicate it because it isn't a Single Point of Failure and your infrastructure work also without it, so why it?

it's a unuseful component that add issues to your architecture.

Ciao.

Giuseppe  

0 Karma

daniel_goolsby_
Explorer

We have upwards of 250k forwarders in one of our environments and various levels of DNS caching that make it very difficult for a forwarder to request a deployment server IP from a DNS name and maintain the connection consistently in order for it to get appropriate apps downloaded.  I have seen where a system will request an IP from a DNS name, make an initial connection to a deployment server, then send a DNS query again only to be given a different IP address, which causes issues with the forwarder trying to establish a consistent trusted connection to a deployment server.  That switch in deployment server destinations causes the forwarder to just try again later, until it can establish a consistent connection randomly.

We put our deployment servers behind a load balancer before, but all the connections and logs show the forwarders coming from the same ip address.. something x-forwarded-for should help solve at our scale.

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Splunk 9.2.x has some new features/ framework for DS. That may helps in your kind of environments or not? But as it’s a x.x.0 version I don’t put it into production yet!
0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...