05-02-2007 06:53 PM
I am trying to test a CSS config to set up a primary web server and to failover to the dr test server when the primary dies.
Since I am just trying to test the config at the moment, I don't even know if this will work.
I do not want to disturb the live web server, so I have given that service an invalid IP address. The CSS should be sensing the primary server down and directing my request to the failover server.
I can access the failover server from the public ip address, and I can ping the VIP address, but cannot get the CSS to redirect the traffic.
A capture on the firewall shows the CSS never even attempts to connect to the address of the dr web server.
The services show up with no hits.
I am trying to access the dr server by just putting its IP address in my web browser (which is how I tested the NAT address directly to the server).
Does this config look like there are any glaring problems?
!************************** CIRCUIT **************************
circuit VLAN1
ip address 2.1.1.4 255.255.255.0
!************************** SERVICE **************************
service dr
ip address 2.1.1.7
protocol tcp
port 443
keepalive type http
active
service hq
ip address 2.1.1.6
port 443
protocol tcp
keepalive type http
active
service backupredirect
type redirect
port 443
ip address 2.1.1.5
keepalive type none
redirect-string "test.com"
active
!*************************** OWNER ***************************
owner me
add service hq
primarySorryServer dr
balance aca
protocol tcp
port 80
url "/*"
vip address 2.1.1.8
secondarySorryServer backupredirect
active
!*************************** GROUP ***************************
group http-group
vip address 2.1.1.8
add destination service hq
add destination service dr
add destination service backupredirect
active
05-03-2007 04:13 AM
Hi,
If you do a show service summary, is service dr active? You have a keepalive type http configured and port 443 (SSL).
The CSS will not be able to see any answer from the server if this is HTTPS, so the keepalive will fail and the CSS will not attempt to send traffic to either service.
Also, why are the services on port 443 if the content rule is listening on port 80?
The reason why the VIP is pingable is probably because the service backupredirect is alive.
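The two mismatches this reply points out can be checked mechanically before testing. The following is an added example, not part of the original thread and not Cisco tooling: a Python check over a trimmed copy of the posted services and content-rule lines. The function names, and treating everything after `owner` as one content rule, are assumptions of this example.

```python
# Trimmed copy of the configuration posted in this thread (only the lines the check reads).
CONFIG = """\
service dr
port 443
keepalive type http
service hq
port 443
keepalive type http
service backupredirect
port 443
keepalive type none
owner me
add service hq
primarySorryServer dr
port 80
secondarySorryServer backupredirect
"""

def parse(config):
    """Return ({service: {port, keepalive}}, {port, refs}) for one content rule."""
    services, rule, cur = {}, {"port": None, "refs": []}, None
    for words in (l.split() for l in config.splitlines() if l.strip()):
        if words[0] == "service":
            cur = services.setdefault(words[1], {"port": None, "keepalive": None})
        elif words[0] == "owner":
            cur = rule  # assumption: everything after "owner" is the single content rule
        elif words[0] == "port" and cur is not None:
            cur["port"] = int(words[1])
        elif words[:2] == ["keepalive", "type"] and cur is not None and cur is not rule:
            cur["keepalive"] = words[2]
        elif cur is rule and words[0] in ("primarySorryServer", "secondarySorryServer"):
            rule["refs"].append(words[1])
        elif cur is rule and words[:2] == ["add", "service"]:
            rule["refs"].append(words[2])
    return services, rule

def lint(config):
    """Flag the two conditions raised in the reply above."""
    services, rule = parse(config)
    findings = [f"{n}: keepalive type http on port 443 (SSL)"
                for n, s in services.items() if s["keepalive"] == "http" and s["port"] == 443]
    for name in rule["refs"]:
        port = services.get(name, {}).get("port")
        if None not in (port, rule["port"]) and port != rule["port"]:
            findings.append(f"{name}: service port {port}, content rule port {rule['port']}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(CONFIG)))
```

On the posted configuration it reports both HTTP keepalives on port 443 and a port mismatch for each of the three services the rule references.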
05-03-2007 05:34 AM
Thanks for the reply,
I do see the services for hq as active.
The services have been reconfigured to ICMP prior to testing; also, all services are listening on 443.
I did not correct that config before posting.
So everything should be correct.
The owner, content rule and hq service is showing up in the summary with no service hits. This would make sense because the primary service should be down because the IP address is invalid.
But, the primarySorryServer is live, so shouldn't I get a redirect to it?
Also, I do not see the sorry server show up when I do a "sh summary"
05-03-2007 07:19 AM
The port 80 on the content rule and 443 on the services is really a concern.
Could you remove the port 443 from the services?
Then, just for a test, remove the port 80 from the content rule and the command 'url "/*"'
This is a more generic rule, so we can see if you get any hits to the rule.
If yes, do a 'show flows' to verify what ports are being used.
If not, it means traffic is not coming to the CSS. It must be blocked somewhere.
Try to capture sniffer traces just in front of the CSS.
Gilles.
05-03-2007 04:14 PM
OK,
I was able to get the CSS to redirect my hit on the VIP address to the server on port 80.
Why wouldn't it work on port 443? I can get to port 443 if I go directly to the server from the internet, but the CSS would not redirect.
Also, what is the url in the content rule actually doing?
Do I need it if DNS is resolving to the VIP address?