Backend servers not talking to each other

Unanswered Question
Apr 20th, 2007

Hi there...we have several server "clusters" sitting behind a CSS 11501, e.g. 2 web servers, 2 LDAP servers, etc. If a web server wants to talk to the LDAP server, it is unable to do so using the front-end VIP...is there a reason for that? I can't seem to figure it out...we want all servers that need to talk to other servers behind the CSS to use the front-end VIPs for HA and redundancy in case one is down for maintenance or whatever...do I need to create some backend VIPs?


Any suggestions? This is probably a lot simpler than I am making it out to be....


thanks in advance!


Sandeep



diro Fri, 04/20/2007 - 10:12

I assume you are using router mode; then you should use a backend VIP, which you can make perfectly redundant too.

Syed Iftekhar Ahmed Fri, 04/20/2007 - 11:19


You need to translate the IP of the web server before it hits the VIP. Under the current setup, when the LDAP servers receive traffic from the web servers, the source address in the packet is the "web server local IP", so the return traffic is delivered to the web server directly (bypassing the CSS). You need to make sure that the return traffic is forwarded to the CSS and that the CSS sends it back to the web servers.


You need to configure a source group to achieve that.


(config)# group mygroup

(config-group[mygroup])# vip address 172.16.36.58

(config-group[mygroup])# add service webserver1

(config-group[mygroup])# add service webserver2

(config-group[mygroup])# active


Just remember: a VIP address can belong to only one active source group at a time. The CSS will not allow you to activate a second source group that contains the same VIP address as the one in the active source group.



Syed Iftekhar Ahmed

yycsandman007 Tue, 04/24/2007 - 06:20

OK...so if I am getting this correctly, the VIP you have used above, is this a VIP from the OUTSIDE address space? And then whichever services are added will NAT through that address? I believe I also have to create a content rule after that as well, using the same VIP and services?


Can the web servers and LDAP servers NAT through the same address? Or do I need to create a second group with a different VIP for them?


Thanks again for your assistance! I think I'm almost there!


sandeep



Gilles Dufour Fri, 04/20/2007 - 22:56

Sandeep,


The problem is that when a server accesses the VIP, the traffic is sent to another server and the response goes directly to the first one without going through the CSS. This is because both client and server are on the backend side.

It is important that the traffic goes back to the CSS so that it can perform the NATing of vip ip <> server ip.


One solution to guarantee that this happens is to do client NAT.


To avoid doing client NAT for all traffic, you can use an ACL.


First create a group.


group clientnat

vip x.x.x.x

active


Then configure an ACL to define when to use the group. You want to match a server opening a connection to the VIP.


acl 1

clause 10 permit ip x.x.x.x/x destination content owner/rule sourcegroup clientnat

clause 99 permit any any destination any

apply all


Gilles.

yycsandman007 Mon, 04/23/2007 - 11:11

OK...I am starting to get this now...are you able to point me to a config example so I can understand it better?


thanks in advance
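
A worked CSS 11500 configuration putting Syed's source group and Gilles's ACL together, added here as an example and not posted by anyone in the thread. The addresses (backend subnet 10.1.1.0/24 behind the CSS in router mode, front-end VIPs in 172.16.36.0/24), the service names, and the owner/content names are all assumed for illustration.

```text
! Added example (not from the thread). Backend subnet 10.1.1.0/24 sits behind
! the CSS in router mode; front-end VIPs live in 172.16.36.0/24 (assumed).

! LDAP real servers: the destination the web servers' lookups are balanced to
service ldap1
  ip address 10.1.1.21
  protocol tcp
  port 389
  keepalive type tcp
  active

service ldap2
  ip address 10.1.1.22
  protocol tcp
  port 389
  keepalive type tcp
  active

! Content rule: the front-end LDAP VIP the web servers are configured to use
owner backend
  content ldap-vip
    vip address 172.16.36.60
    protocol tcp
    port 389
    add service ldap1
    add service ldap2
    active

! Source group: the address the CSS writes into the source field of matched
! connections. Because the CSS owns this address, the LDAP server's reply
! comes back through the CSS, which can then undo the vip <> server NAT.
! A VIP may belong to only one active source group at a time.
group clientnat
  vip address 172.16.36.58
  active

! ACL: NAT only backend web servers opening a connection to the LDAP rule;
! everything else is permitted untouched by clause 99.
acl 1
  clause 10 permit any 10.1.1.0/24 destination content backend/ldap-vip sourcegroup clientnat
  clause 99 permit any any destination any
  apply all

! CSS ACLs are not enforced until enabled globally. Once enabled, traffic
! matching no permit clause is dropped, so clause 99 must stay in place.
acl enable
```

Without the ACL, the same effect can be had by adding the web server services to the group (Syed's form), at the cost of NATing everything those servers originate. If the LDAP servers must also reach a web VIP, the same group can be reused with a second clause pointing at the web content rule, since each VIP can sit in only one active source group.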
