Real servers cannot initiate traffic to the Internet through the CSM

Unanswered Question
Mar 4th, 2008

Hello,


I really hope that someone will be able to give me a hand on this. I have been struggling with it for a while with no luck.

Somehow, the real servers cannot access the Internet in our Data Center. We are running paired 6500s with FWSM and CSM-S. If we change the gateway on the server to point directly to the FWSM (10.10.2.1) it works, but it has to go through the CSM (10.10.20.10), and that is when I run into problems.

Below is the partial configuration from one of the switches.


****************************************
serverfarm SRVR1-SSL
 nat server
 no nat client
 description SRVR1 SSL
 real 10.10.14.52 local
  inservice

serverfarm SRVR1-WWW
 nat server
 no nat client
 predictor leastconns
 description Srvr1 Web
 real 10.10.20.52
  inservice
 real 10.10.20.53
  inservice
 real 10.10.20.54
  inservice

vserver SRVR1-SSL
 virtual 10.10.8.52 tcp https
 serverfarm SRVR1-SSL
 persistent rebalance
 inservice
!
vserver SRVR1-WWW
 virtual 10.10.8.52 tcp www
 serverfarm SRVR1-WWW
 persistent rebalance
 slb-policy CSM_WRS
 inservice

vlan 14 server
 ip address 10.10.14.11 255.255.255.0 alt 10.10.14.12 255.255.255.0
 alias 10.10.14.10 255.255.255.0

vlan 8 client
 ip address 10.10.8.11 255.255.255.0 alt 10.255.8.12 255.255.255.0
 gateway 10.10.8.1

static nat virtual
 real 10.10.20.0 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.10.2.1 (IP address of the FWSM)

interface Vlan8
 no ip address

interface Vlan14
 no ip address

interface Vlan20
 ip address 10.10.20.251 255.255.255.0
 standby 20 ip 10.10.20.254
 standby 20 timers 5 15
 standby 20 preempt
 standby 20 authentication XXXXX
**********************************


The real server has a default gateway of 10.10.20.10.


**********************************
SSL Daughter Card Config:
**********************************
ssl-proxy service SRVR1
 virtual ipaddr 10.10.14.52 protocol tcp port 443 secondary
 server ipaddr 10.10.8.52 protocol tcp port 80
 certificate rsa general-purpose trustpoint TP-SRVR1
 inservice

ssl-proxy vlan 2
 ipaddr 10.10.2.31 255.255.255.0
 gateway 10.10.2.254
 admin

ssl-proxy vlan 14
 ipaddr 10.10.14.1 255.255.255.0
 route 10.10.8.0 255.255.255.0 gateway 10.10.14.10

ip route 0.0.0.0 0.0.0.0 10.255.2.254
ip route 10.10.8.0 255.255.255.0 10.10.14.10
************************************
************************************

FWSM Configuration

************************************
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.10.2.1 255.255.255.0 standby 10.10.2.2

interface Vlan8
 nameif SERVER1
 security-level 10
 ip address 10.10.8.1 255.255.255.0 standby 10.10.8.2

interface Vlan20
 nameif WEB
 security-level 25
 ip address 10.10.20.1 255.255.255.0 standby 10.10.20.2

nat (inside) 1 10.10.2.0 255.255.255.0
nat (SERVER1) 1 10.10.8.0 255.255.255.0

access-list acl_out extended permit tcp any host 206.206.206.206 eq https
access-list acl_out extended permit tcp any host 206.206.206.206 eq www
static (Sbox_WebOut,outside) 206.206.206.206 10.10.8.53 netmask 255.255.255.255
****************************************

Diego Vargas (Cisco Employee) Tue, 03/04/2008 - 14:36

Hi,


Can you clarify something? You said that when the reals (10.10.20.52/53/54) are pointing to 10.10.20.10 as default gateway, this is not working, right?


Now, the only server VLAN that I see on the CSM is

vlan 14 server
 ip address 10.10.14.11 255.255.255.0 alt 10.10.14.12 255.255.255.0
 alias 10.10.14.10 255.255.255.0


And those reals are not on that subnet; also, I see no server VLAN defined for 10.10.20.x 255.255.255.0, and I see it configured as Vlan20 on the MSFC.


Also I do not see 10.10.20.10 configured on the CSM.


Don't you have a server VLAN20 on the CSM?


Diego M

evguenipesliak Wed, 03/05/2008 - 06:07

Sorry - I missed that in my original snapshot. We do have Vlan 20 on both - the CSM and MSFC:


vlan 20 server
 description Reals
 ip address 10.10.20.11 255.255.255.0 alt 10.10.20.12 255.255.255.0
 alias 10.10.20.10 255.255.255.0

vlan 20
 description Reals


And we link them to the FWSM on the MSFC:


firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1
firewall vlan-group 1 2,3,5-8,10,15,20,40,50,51,992


******************************

NATing on the CSM is working: when I ping the FWSM on 10.10.8.1 going through the CSM, I can see hits coming from the virtual IP address (10.10.8.52), not from the real 10.10.20.52. But I cannot ping any other interface on the firewall (10.10.2.1 for example) or go through it.


Do you know what debugging on the FWSM I can use to see what exactly is happening there? I have a feeling that I am either missing an access-list or the NATing/routing is wrong...
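As an added example (not code from this thread), a small Python audit of the CSM fragments quoted in the question and in this follow-up: for each real it finds the server VLAN whose alias should be the real's default gateway (10.10.20.10 for the 10.10.20.x reals, which is what the servers use) and whether the real's subnet is covered by the static nat entry, which is why the ping above showed up from the virtual address. CSM_CONFIG is a constructed sample assembled from those fragments.

```python
import ipaddress

# Constructed sample: the CSM lines quoted in the question and the follow-up post.
CSM_CONFIG = """\
serverfarm SRVR1-SSL
 real 10.10.14.52 local
serverfarm SRVR1-WWW
 real 10.10.20.52
 real 10.10.20.53
 real 10.10.20.54
vlan 14 server
 ip address 10.10.14.11 255.255.255.0 alt 10.10.14.12 255.255.255.0
 alias 10.10.14.10 255.255.255.0
vlan 20 server
 ip address 10.10.20.11 255.255.255.0 alt 10.10.20.12 255.255.255.0
 alias 10.10.20.10 255.255.255.0
static nat virtual
 real 10.10.20.0 255.255.255.0
"""

def parse_csm(text):
    """Collect server-VLAN aliases, reals per serverfarm and static-NAT real subnets."""
    vlans, reals, static_nat, block, farm = {}, {}, [], None, None
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "serverfarm":
            farm, block = words[1], "farm"
        elif words[0] == "vlan":  # remember the VLAN id and its role (server/client)
            block = ("vlan", words[1], words[2] if len(words) > 2 else "")
        elif words[0] == "static":
            block = "nat"
        elif words[0] == "real" and block == "farm":
            reals.setdefault(farm, []).append(words[1])
        elif words[0] == "real" and block == "nat":
            static_nat.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
        elif words[0] == "alias" and isinstance(block, tuple) and block[2] == "server":
            vlans[block[1]] = ipaddress.ip_interface(f"{words[1]}/{words[2]}")
    return vlans, reals, static_nat

def audit_reals(vlans, reals, static_nat):
    """Per real: the server-VLAN alias it should use as gateway, and static-NAT coverage."""
    report = {}
    for farm, addrs in reals.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            vlan = next((v for v, a in vlans.items() if ip in a.network), None)
            report[addr] = {"farm": farm, "server_vlan": vlan,
                            "expected_gateway": str(vlans[vlan].ip) if vlan else None,
                            "static_nat": any(ip in n for n in static_nat)}
    return report
```

A real whose expected_gateway comes back as None is exactly the case raised in the first reply: an address that no server VLAN on the CSM covers.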


Diego Vargas (Cisco Employee) Wed, 03/05/2008 - 06:21

Well, if the ping from the real can make it to the FWSM, then I would say that the CSM is working fine and probably the FWSM is blocking or something else is happening.


With regard to being able to ping that FWSM IP but not the others, well, that is weird; perhaps it is related to the fact that the CSM ARPs only for gateway and real IPs, so it might have the ARP entry for 10.10.8.1 and not for the other FWSM IPs.


You can check that with:


show mod csm x arp


Unfortunately I am not such an expert on the FWSM, so I am not sure what debugging can be turned on there, but perhaps a trace between the CSM and FWSM can show you what the issue is.


Hope it helps!!


Diego M
