Hi folks,

I finally have a working lab setup that uses LVS-DR to load balance across two Zorp proxies. The lab configuration is inspired by the load balanced configuration presented on page 10 of the Zorp Professional 2 Product Description at http://www.balabit.com/dl/zorp2.pdf, and a diagram of my implementation is available at http://starjuice.net/zorp/lab_implementation.png [1].

I'm using Linux LVS-DR with fwmarks for both front and back load balancers; birdy (the front load balancer) uses the SH (source hash) balancing algorithm, while wormy (the back load balancer) uses DH (destination hash). This works okay, but the algorithm doesn't balance very well, and doesn't cope well[2] with the addition and removal of nodes (realservers in LVS jargon).

Ideally, what the back load balancer for a Zorp cluster needs to do is this:

1) When a SYN comes in from a Zorp host, create a new connection table entry, including the Layer 2 (Ethernet) address of the packet in the entry.

2) When a packet comes back from the servers and is associated with a connection table entry based on Layer 3 and 4 features, route the packet via the Layer 2 address stored in the entry.

I've contacted 3 vendors and an open source group looking for a solution like this. Here are the responses:

1) Cisco say their 650x with Content Switching Module supports transparent proxy firewalls, and a friend of mine at Cisco confirms this.

2) Enterasys engineering have confirmed that they have no device that can do this.

3) Alcatel have confirmed that they have no device that can do this.

4) The folks on the LVS mailing list can't think of anything better than the SH/DH approach.

Now a Cisco 650x w/ CSM costs more than USD 70,000. That's a lot of money to spend on a load balancer for 4 Zorp boxes!

So my question is, has anyone solved the Zorp clustering problem in an affordable way, or is the Product Description just describing a theoretical possibility for marketing purposes?

Ciao,
Sheldon.

[1] Beware of
[1] In a simple test of 200 packets with randomly generated IP addresses, zorp01 got 44% and zorp02 got 56%.
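
The two-step connection table described in the message above, simulated next to hash-based routing when a third proxy joins the pool. This is an added example, not part of the original post and not LVS or Zorp code. Assumptions: the MAC addresses, IP addresses and the crc32 stand-in hash are constructed, zorp03 is a hypothetical third node, and the proxies are taken to preserve the client's source IP.

```python
import zlib

# Constructed lab values: zorp01/zorp02 are from the post; zorp03 and MACs are made up.
PROXIES = {"zorp01": "02:00:00:00:00:01", "zorp02": "02:00:00:00:00:02",
           "zorp03": "02:00:00:00:00:03"}

def hash_pick(ip, nodes):
    """Stand-in for SH/DH: stable hash of one IP modulo the node count.
    (crc32 is an assumption; it is not the hash LVS uses.)"""
    return nodes[zlib.crc32(ip.encode()) % len(nodes)]

class L2ConnTable:
    """Back balancer state: 4-tuple -> MAC of the proxy that sent the SYN."""
    def __init__(self):
        self.entries = {}

    def on_syn(self, src_ip, sport, dst_ip, dport, src_mac):
        # Step 1: remember which proxy (by Ethernet address) opened the flow.
        self.entries[(src_ip, sport, dst_ip, dport)] = src_mac

    def next_hop(self, src_ip, sport, dst_ip, dport):
        # Step 2: a reply carries the tuple reversed; look it up that way.
        # None means no state: the caller should drop or fall back.
        return self.entries.get((dst_ip, dport, src_ip, sport))

def simulate(n_clients=200, server=("192.0.2.10", 80)):
    """Open flows with two proxies, then add zorp03 and route the replies.
    Returns (replies misrouted by hashing, replies misrouted by the table)."""
    before, after = ["zorp01", "zorp02"], ["zorp01", "zorp02", "zorp03"]
    table, flows = L2ConnTable(), []
    for i in range(1, n_clients + 1):
        client, sport = f"198.51.100.{i}", 40000 + i
        proxy = hash_pick(client, before)      # front balancer, SH on client IP
        # Transparent proxy: the SYN keeps the client's IP but carries the
        # proxy's MAC when it reaches the back balancer.
        table.on_syn(client, sport, *server, PROXIES[proxy])
        flows.append((client, sport, proxy))
    bad_hash = bad_table = 0
    for client, sport, proxy in flows:         # replies: server -> client
        if hash_pick(client, after) != proxy:  # DH after the pool changed
            bad_hash += 1
        if table.next_hop(*server, client, sport) != PROXIES[proxy]:
            bad_table += 1
    return bad_hash, bad_table

if __name__ == "__main__":
    print(simulate())
```

A reply that reaches a proxy other than the one holding the connection state is a broken session, so the first number counts established flows that hashing would break when the pool changes.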