Cisco CSS 11501 Content Services Switch Configuration

Unanswered Question
Feb 5th, 2008

Hi all,

I have a Cisco CSS 11501 Content Services Switch with the bellow configurations.

!************************** SERVICE **************************

service service1

ip address 10.122.193.100

active

service service2

ip address 10.122.193.101

active

!*************************** OWNER ***************************

owner erefill_service1

content L3_Rule

protocol tcp

add service service1

add service service2

balance aca

advanced-balance sticky-srcip

port 8080

vip address 10.122.193.97

active

the two services are connected to a switch, and the 11501 content switch is connected to the same switch, and my laptop is connected to the same switch also.

when I try to request the "L3_Rule" from my laptop by doing "http://10.122.193.97:8080" nothing is returned.

I can ping the two services from the content switch and I can ping the content rule virtual IP from my laptop also, but I can't get any thing in return when request the service... Except when I connect the services directly to the content switch, but this is not the way I want to work...

My configurations looks fine to me... but why it's not working...

Please help and advice.

Regards,

Moz.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
sg37868 Tue, 02/05/2008 - 08:23

Hi,

please find a brief presentation of the problem and an easy solution in the attachment (PowerPoint).

It sounds like the requests are passing the CSS while the responses are directly switched from service to your laptop (bypassing the CSS).

As the CSS performs NAT on the request, the client is unable to classify those direct responses from the services.

To solve this behaviour, just make sure the traffic is always passing the CSS in both directions. The CSS will then be able to revert the NAT on the responses.

I hope this helps.

Attachment: 
sg37868 Tue, 02/05/2008 - 09:13

Your understanding of my reply is correct.

eMail is under way with Topic: CSS-Issue.

M.Alnouri Tue, 02/05/2008 - 10:46

OK,

Many thanks for your response...

I think that it doesn't differ if the laptop is connected to the switch also... In this case the request will pass the switch to the CSS, and the CSS will send the request to the server... and the server will replay back through the CSS, then the switch to my laptop...

I really appreciate your patient with me.. but this is very important for me...

If the above is totally correct, can you please help me in troubleshooting why I can't get back the date to my laptop...

Thanks again...

Moz.

M.Alnouri Wed, 02/06/2008 - 01:47

Mt friend you are right...

Once I connect the laptop to the CSS and request for http://10.122.193.97:8080 it works fine...

If I connect it to the switch and requested the same no replay is back...

Please note that I've checked the vlans and all the ports are in the same one.

Please advice,

Thanks in advance,

Moz.

sg37868 Thu, 02/07/2008 - 07:57

Hi.

This behaviour is because the server does not send back the response to the CSS by default!

The Layer 3 functionality, the CSS uses to forward requests to the servers, is NAT (Network Address Translation - or Port Address Translation if configured).

Unfortunately by default, only the server-IP is translated, so a real server always answers to the original client-IP.

If now the CSS is used in so called "one armed" mode (clients and servers are connected through the same interface to the CSS), by default the responses will bypass the CSS and the NAT won't be reverted.

The infrastructure-design you described is "one armed".

To also perform a NAT for the client IP and thereby force all responses to always pass the CSS, you may use so called source groups.

In your example following additional config should work (unfortunately i never used it in production myself):

group Servers

vip address 10.122.193.97

add destination service1

add destination service2

active

Here's an additional CCO-Link describing the problem and its solution very detailed:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml

M.Alnouri Sat, 02/09/2008 - 23:09

Thank you very much... actually it's a very useful document.

I'll get back to this conversation and finish it...

Actions

This Discussion