A10 AX2000 Load Balancer Review

Posted by Sam

We've been using a Kemp load balancer for a bit over a year now. At the time we purchased the Kemp we weren't pushing that much traffic and the Kemp was an OK replacement for the Cisco LocalDirector that it replaced. However, our needs grew more quickly than we expected and the Kemp just couldn't keep up. When it was only pushing L4 traffic it was fine, but once we started pushing L7 traffic it just couldn't keep up. The CPU would spike to 100% and the load balancer would stop passing traffic until it caught its breath. Usually only a few seconds but that's a lifetime for a website. The Kemp had other things that I didn't really like once I dug deeper. For example there was no way to set up a second server to only get traffic when the primary went down. You could set the weighting really high but it was still hacky. The interface also had its quirks. Sometimes you could set a label on a VIP and sometimes you couldn't. I didn't feel confident that another Kemp would serve us well with our increased requirements. So I started researching other load balancers.

I'd never heard of A10 until I read this article on selective source NATing. I prefer to use the load balancer as the gateway in what's often called routed mode. This works great for everything except being able to hit the VIP on the same subnet. Selective source NATing lets me use routed mode, keep the client IP addresses and still be able to hit the VIP locally. This is really useful when you have one site that needs to call another site or for monitoring. You can hit the VIP and keep the benefits of load balancing the servers.

Another thing I like about the A10 is that they don't have licensing fees. Once you own the box you own all of the features that the software has. F5 and most of the other big vendors charge you a licensing fee to "unlock" additional features. They also don't require a license key like the Kemp does.

So far the A10 has been extremely fast. It's a quad CPU box and I've never seen the dedicated data CPUs rise above 2-3%. The A10 has other features that you'd expect such as caching, compression and SSL offloading. I'm not too concerned with any of those features yet, but so far the A10 nails the basics. I expect to be able to use caching and compression without any CPU congestion.

There are a couple of nitpicks with the A10 such as the web interface could use some usability tweaks and a quick start guide would be nice. Also, looking through the aFlex rules it looks like you can't override which server traffic goes to if you are using server persistence. I understand the logic but it's very possible that you might want to offload static files to a very fast web server while serving dynamic content from an app server for example. If I'm reading the aFlex guide correctly this isn't possible.

A couple of features I'd like to see are the ability to limit traffic based on bandwidth. This can be done through the firewall but it would be nice if it was integrated into the load balancer. The other thing I'd like to see are combined bandwidth and connections graphs. The A10 shows one graph per VIP. It would be really nice to see one graph with all the VIPs so you could see all the traffic with one graph instead of switching among perhaps a dozen or more individual graphs. This can be accomplished with something that monitors the A10 via SNMP but it would be nice to have it in the web interface. And last on my wish list would be some sort of application firewall. This might be possible with aFlex rules but writing a decent set of rules from scratch would be a pretty big task. At least a basic set of rules would be helpful (assuming the aFlex rules would work for that).

All in all I'm pretty happy with the A10. It's solid and fast. A few more features and nothing in its price range could touch the A10. If you have any specific questions feel free to leave them in the comments.

Tags: loadbalancer

CoyotePoint review coming soon

Posted by Sam

A few weeks back I was contacted by CoyotePoint and asked if I would be interested in reviewing one of their load balancers. Naturally I was ecstatic. This was my first request as a blogger and it made this blog feel a little more real and a little more important. I remember looking at CoyotePoint back when I decided on the LoadMaster from Kemp. I don't recall why I decided against it at the time but now I'm hoping that I don't fall in love with CoyotePoint because I have to send it back. The load balancer reviews get consistently good reviews and there's definitely a lot of room for improvement over the LoadMaster so I'm happy to be able to provide a third possibility for the lower end load balancer space. Look for a review in the next couple of weeks.

Tags: loadbalancer

Kemp Load Master 1500 Review

Posted by Sam

A while back I reviewed the Barracuda 340 load balancer. The review wasn't pretty, because frankly the experience was horrible. I was so disgusted that I shipped that box back pretty quickly and went with the other contender. The other contender was Kemp's Load Master 1500. Several people have written me to find out what my experience with the Kemp load balancer has been so I thought it was about time that I put my thoughts down on paper ... so to speak.

I've been using the Kemp in production for over three months. Because of the number of sites that run behind the Load Master it's pretty difficult to tell exactly how much traffic passes through it. A quick look revealed that it easily handled over 2.1 million hits a day around Christmas last year. And it did this without breaking a sweat so I'm confident that it can handle much more than that. I have yet to experience any of the sort of strange issues that I experienced with the Barracuda and overall I have a much higher degree of confidence in the Kemp solution.

The interface definitely doesn't do this machine justice. It could stand to be completely revamped and for some strange reason you can't always put a name on your virtual servers. Well you can name it, but the name doesn't stick. This is more of an annoyance than a real problem and just goes to show that their web interface could use some love. They have a very solid product, but I'd definitely love to see some more flexibility. Like being able to add multiple users or allowing the admin user to be named something besides 'bal', which took me forever to get used to. How about something more normal like admin or root or something.

The only real complaint I have about the Load Master is Kemp using a license key. It's a physical box that I'm buying and having to enter in a license key for a physical piece of hardware never sits well with me. And to top it off their documentation isn't at all clear that the box requires a permanent license key or it will shut down. I failed to install the permanent license key because I thought it was for the SSL acceleration and one day I wake up to phone calls saying all the sites are down. If you are going to enforce a license key (which I think is stupid on a physical product but whatever) then you need to have it fail better. I actually had the license key but the Load Master reverted back to its pre-configured state and was completely unavailable remotely. This forced me to drive to the data center, through piles of snow, to figure out why the load balancer died. A much more sensible way of handling this would be to not allow you to make any changes next time you log into the admin tool. Or you could just make the documentation clear and explain exactly how important that permanent key is.

The Kemp Load Master 1500 is a very solid performer and other than the extremely irritating way they handle licensing I've been quite happy with it to date. At just under $2,500 it is cheaper than the Barracuda with a more responsive interface and a much more reliable track record. The Kemp wins hands down and is a great deal for the price. I was really looking forward to the IPS system in the Barracuda, but first and foremost the load balancing functions need to work.

Tags: loadbalancer

Barracuda Load Balancer 340 Review

Posted by Sam

Last week I tried out the Barracuda 340 Load Balancer. In more informal conversations (is that possible?) I've been referring to the Barracuda as the Barracrappy because that's the impression I was left with. A few weeks ago our Cisco LocalDirector died a sad and lonely death in our NetStandard data center. The LocalDirector had been working flawlessly for better than five years without a single problem and then one day it dies with very little warning. Nothing lasts forever so this wasn't shocking, but it was unexpected. Once the painful recovery process was over I immediately began looking at alternatives. Of course I'd love to go with a BIG-IP, but the cost really isn't reasonable and frankly most of the features are unnecessary for our needs. And so began the search for an inexpensive solution that would be a drop in replacement for the LocalDirector.

After a lot of searching I had basically narrowed down the search to the Barracuda 340 Load Balancer and the Kemp LoadMaster 1500. Both said they would do Layer 4 switching, which I needed so that we could simply drop in the load balancer and have it behave the same as the LocalDirector did. Having to re-ip all the boxes would be a pain and highly disruptive and I really didn't see the benefit. After looking at screenshots and demos I settled on the Barracuda. The price was excellent and as an added bonus it had Intrusion Prevention System which certainly isn't a necessity, but more of a bonus. The other deciding factor was the Barracuda name. I'd never used their products before but I'd heard of them and I like their philosophy on always reaching a human on the phone. So I set out to order the Barracuda 340.

I had a couple problems getting the demo unit from Barracuda. First, I talked to a guy at Barracuda who took my info and was supposed to pass it along to a reseller. I let him know that we were replacing a busted load balancer and I was in a hurry. A full day passed and I didn't hear anything, so I called Barracuda again and talked to somebody else who gave me the information for a reseller nearby and this got the ball rolling. I cut a PO to the reseller who promised to have the unit overnighted. The next day I found out that Barracuda had shipped the load balancer through normal shipping instead of the overnight shipping I'd requested and paid for. So we waited another day for Barracuda to ship another one, overnight this time. Unfortunately, this was only the beginning of the problems. And if this had been the most problematic part of the ordeal it wouldn't have been a big deal.

The demo unit finally arrived, but it was shipped to the wrong person in the company. After I tracked down the unit we immediately went to work to get it configured. My expectation was that we'd simply plug it in, turn it on and after 15-20 minutes of configuration we'd have a load balancer passing traffic. Boy was I wrong! Having configured the LocalDirector through the command line for years I expected the web interface that came with the Barracuda to be a cake walk and it mostly was, except for the fact that it didn't work. We tried everything and I mean everything to get it to work. Finally we called tech support. This really shouldn't have been necessary because like I said it should have been dead simple. After waiting for at least 4 hours for tech support to call me back they finally did, but because I had left for the day I had to have them call me back the next day. Once they called me back I told them what I was trying to do and the guy told me that was impossible in the current setup and when I protested he realized that I had a load balancer and not whatever the heck he thought I had. Somebody else had entered the trouble ticket and they entered it wrong so he was working with faulty information. Grrrr. He transferred me to somebody that can troubleshoot a load balancer. Good call!

Once I got on the phone with the correct person I was hoping that he'd have some simple solution to our problem. It seems like such a simple thing. The load balancer acts as a bridge, watches the traffic and intercepts and rewrites the traffic it's supposed to handle. I explain our setup to the guy and immediately he grills me on why I'm using Layer 4 load balancing. I explain our setup and that I don't want to re-ip our setup and their instructions on setting up direct server return were less than helpful. And to top it all off they only covered making the changes to Linux. I have happily left the days of Linux behind and we are nearly completely Solaris and Windows. I'd love to leave Windows behind as well but that's currently not an option since our biggest hosting client has to run on Windows. So the direct server return route didn't seem like a viable option and source natting (snat) was definitely out. So I explained most of this and basically told the guy this is how I want it to work, your web site said it will, let's get it working.

The support guy asks all the usual questions and then realizes that our firmware and energize versions are out of date. Energize is the updates for intrusion prevention. Since we have that disabled I'm pretty sure that's not the problem, but the firmware update definitely couldn't hurt. Because we have this on an isolated network (two laptops, two switches and the Barracuda) we have to jump through a bunch of hoops to get this connected to the network. We finally get it set up and update the firmware and the energize versions and try our load balancing setup again. This time it works. Hurray! Unfortunately, that's the last of the good news.

After a couple of minutes of passing traffic through the virtual IP address the load balancer just completely stopped passing traffic for that virtual IP. There was nothing in the logs and no clues to be found. We added a second virtual IP address going to the same two real machines and the same thing happened. It passed traffic for a few minutes and then stopped. We tried a third virtual IP address going to the same physical machines and this one worked and seemed to keep on working. I tried deleting the other virtual IP addresses and re-adding the virtual IP addresses and they wouldn't pass traffic to save the world. At this point I was so frustrated with this box and I had zero confidence that I immediately boxed it up and sent it back. When something just doesn't work it's one thing, but when it selectively works that's a very disconcerting thing. Like I said I had zero confidence that this would perform correctly in production and a poorly behaving load balancer is worse than no load balancer.

After packing up the Barracrappy, um I mean Barracuda load balancer I got in touch with my second choice Kemp Technologies' LoadMaster. I'm currently in the process of ordering one and once I've had a chance to play with it I will share my thoughts on it. Hopefully it will be a better experience than the Barracuda load balancer. It certainly couldn't be much worse.

Tags: loadbalancer