CSS Configuration for failover

wilson_1234_2 · ‎05-02-2007

I am trying to test a css config to set up a primary web sever and to failover to the dr test server when the primary dies.

Since I am just trying to test the config at the moment, I don't even know if this will work.

I do not want to disturb the live web server, so I have given that service an invalid IP address. The CSS should be sensing the primary server down and directing my request to the failover server.

I can access the failover server from the public ip address, and I can ping the VIP address, but cannot get the CSS to redirect the traffic.

A capture on the firewall shows the CSS never even attempts to connect to the address of the dr web server.

The services show up with no hits.

I am trying to access the dr server by just putting it's ip address in my web browser (which is how I tested the NAT address directly to the server).

Does this config look like there are any glaring problems?

!************************** CIRCUIT **************************

circuit VLAN1

ip address 2.1.1.4 255.255.255.0

!************************** SERVICE **************************

service dr

ip address 2.1.1.7

protocol tcp

port 443

keepalive type http

active

service hq

ip address 2.1.1.6

port 443

protocol tcp

keepalive type http

active

service backupredirect

type redirect

port 443

ip address 2.1.1.5

keepalive type none

redirect-string "test.com"

active

!*************************** OWNER ***************************

owner me

add service hq

primarySorryServer dr

balance aca

protocol tcp

port 80

url "/*"

vip address 2.1.1.8

secondarySorryServer backupredirect

active

!*************************** GROUP ***************************

group http-group

vip address 2.1.1.8

add destination service hq

add destination service dr

add destination service backupredirect

active

Diego Vargas · ‎05-03-2007

Hi,

If you do a show service summary, is service dr active? You have a keepalive type http configured and port 443 (SSL).

The CSS will not be able to see any answer from the server if this is HTTPS, so the keepalive will fail and the CSS will not attemp to send traffic to either service.

Also why the services are port 443 if the content rule is listening in port 80?

The reason why the VIP is pingable is probably because the service backupredirect is alive.

wilson_1234_2 · ‎05-03-2007

Thanks for the reply,

I do see the services for hq as active.

The services have been reconfigured to icmp prior to testing also all services are listening on 443.

I did not correct that config before posting.

so everything should be correct.

The owner, content rule and hq service is showing up in the summary with no service hits. This would make sense because the primary service should be down because the IP address is invalid.

But, the primarySorryServer is live, so shouldnt I get a redirect to it?

Also, I do not see rthe sorry server show up when I do a "sh summary"

Gilles Dufour · ‎05-03-2007

the port 80 on the content rule and 443 on the services is really a concern.

Could you remove the port 443 from the services.

Then, just for a test, remove the port 80 from the content rule and the command 'url "/*"'

This is a more generic rule , so we can see if you get any hits to the rule.

If yes, do a 'show flows' to verify what ports are being used.

If not, it means traffic is not coming to the CSS. It must be blocked somewhere.

Try to capture sniffer traces just in front of the CSS.

Gilles.

wilson_1234_2 · ‎05-03-2007

ok,

I was able to get the CSS to redirect my hit on the VIP address to the server on port 80.

Why wouldn't it work on port 443? I can get to port 443 if I go directly to the server from the internet, but the CSS would not redirect.

Also, what is the url in the content rule actually doing?

Do I need it if DNS is resolving the to the VIP address?