CSS11503 One-arm not working

Answered Question
Mar 6th, 2008

I have One-arm configuration.

I can see bi-directional flows on the CSS, but the client PC does not receive anything, as I verified by capturing packets.

When the client PC requests directly from the servers, it receives content.

Also, the client PC receives ping replies from the CSS and establishes a telnet session with the CSS. And when no servers are active, the client PC receives a TCP RST,ACK from the CSS, so no Layer 3 problems exist.

I have attached the "show run" and "show flows" outputs, plus the TCP SYN packets that the client PC sends to the CSS.

Client IP address: 10.130.244.16

dan.noel1 Thu, 03/06/2008 - 11:34

If you are not NATting the PC IP at the CSS, you will need to support policy routing to send packets back to the CSS. We elected to use the PBR, since there is a large benefit to having the original src IP shown at the host.

Kristopher Martinez Thu, 03/06/2008 - 11:55

This configuration should be working. We're seeing the response in the show flows output:

--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.130.192.100  80    10.130.192.70   6011  10.130.244.16   TCP 2/1     2/1
10.130.244.16   53066 10.130.192.70   80    10.130.192.100  TCP 2/1     2/1

So it looks like this traffic is returning through the CSS. Any chance you can sniff the client side vlan of the CSS to see if the return packet is making it to the wire?

Correct Answer
Gilles Dufour Fri, 03/07/2008 - 00:30

The problem is that your configured VLAN is:

circuit VLAN1

ip address 10.130.193.10 255.255.255.0

So x.x.193.0

And your vip is x.x.192.x.

This is ok, but it means there is a router between the CSS and the servers.

So when the server responds to the client, the router will bypass the CSS.

You can keep the same vip, but you have to change your group config

group CISCO

add destination service SERVER1

add destination service SERVER2

vip address 10.130.193.70

Replace the x.x.192.x with a x.x.193.x

Gilles.

oinojosa12 Fri, 03/07/2008 - 05:53

Thanks to all of you.

Gilles, I will test today at noon, but how would you explain that "show flows" shows the following:

--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.130.192.100  80    10.130.192.70   6011  10.130.244.16   TCP 2/1     2/1
10.130.244.16   53066 10.130.192.70   80    10.130.192.100  TCP 2/1     2/1

Correct Answer
Gilles Dufour Fri, 03/07/2008 - 11:24

The flow is created with the first SYN.

We set the reverse flow anticipating the response.

That does not mean the CSS received it.

Gilles.

oinojosa12 Sun, 03/16/2008 - 07:34

Worked after configuring a right netmask. Case solved. Thanks to all.
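The return-path behaviour discussed in this thread, traced hop by hop: in a one-arm deployment the CSS installs the reverse flow when it sees the first SYN, but the server's reply only passes back through the CSS if something steers it there, which is the source NAT or policy routing that dan.noel1 mentions. The model below is an added example, not code from the original thread or from Cisco. It reuses the addresses visible in the post (client 10.130.244.16, CSS circuit 10.130.193.10/24, VIP 10.130.192.70, server 10.130.192.100); the Node and Balancer classes, the router addresses (.1 on each subnet), the host route that points the VIP at the CSS, and the NAT address are assumptions made for the model.

```python
"""Hop-by-hop model of the forward and return paths in a one-arm load-balancer setup.

Constructed example, not part of the original thread or of CSS software.
Addresses are the ones visible in the post; the router addresses (.1 on each
subnet), the host route for the VIP and the NAT address are assumptions.
"""
import ipaddress

IP = ipaddress.ip_address
NET = ipaddress.ip_network


class Node:
    """A host or router: owned addresses plus a longest-prefix-match route table."""

    def __init__(self, name, addrs, routes=(), pbr=None):
        self.name = name
        self.addrs = [ipaddress.ip_interface(a) for a in addrs]
        # Connected subnets are delivered directly (gateway None); others via a gateway.
        self.routes = [(a.network, None) for a in self.addrs]
        self.routes += [(NET(prefix), IP(gw)) for prefix, gw in routes]
        self.pbr = pbr  # optional (src, dst) -> gateway override, i.e. a policy route

    def owns(self, ip):
        return any(ip == a.ip for a in self.addrs)

    def next_hop(self, src, dst):
        if self.pbr is not None:
            gw = self.pbr(src, dst)
            if gw is not None:
                return IP(gw)
        candidates = [r for r in self.routes if dst in r[0]]
        if not candidates:
            raise LookupError(f"{self.name}: no route to {dst}")
        net, gw = max(candidates, key=lambda r: r[0].prefixlen)
        return dst if gw is None else gw


class Balancer(Node):
    """One-arm CSS: owns the circuit address and the VIP, rewrites packets sent to the VIP."""

    def __init__(self, name, circuit, vip, server, routes=(), nat_src=None):
        super().__init__(name, [circuit, vip + "/32"], routes)
        self.vip, self.server = IP(vip), IP(server)
        self.nat_src = IP(nat_src) if nat_src else None
        self.flows = {}        # (server, client as seen by server) -> (vip, real client)
        self.reverse_hits = 0  # replies that actually came back through the balancer

    def rewrite(self, src, dst):
        if dst == self.vip:
            # Client -> VIP: pick the server, NAT the source only if configured, and
            # install the anticipated reverse flow (the entry 'show flows' lists).
            seen_src = self.nat_src or src
            self.flows[(self.server, seen_src)] = (self.vip, src)
            return seen_src, self.server
        if (src, dst) in self.flows:
            self.reverse_hits += 1
            return self.flows[(src, dst)]
        return src, dst


def trace(nodes, start, src, dst, max_hops=8):
    """Forward one packet hop by hop; return the names of the nodes it passes through."""
    owner = {a.ip: n for n in nodes for a in n.addrs}
    src, dst, node, path = IP(src), IP(dst), start, [start.name]
    for _ in range(max_hops):
        if isinstance(node, Balancer):
            src, dst = node.rewrite(src, dst)
        if node.owns(dst):
            return path
        node = owner[node.next_hop(src, dst)]
        path.append(node.name)
    raise RuntimeError("forwarding loop")


CLIENT, CSS_CIRCUIT = "10.130.244.16", "10.130.193.10"
VIP, SERVER = "10.130.192.70", "10.130.192.100"


def scenario(nat_src=None, pbr=False):
    """Build the thread's topology, optionally with a fix, and trace request and reply.

    nat_src: address the CSS substitutes for the client's source (source NAT).
    pbr:     the router policy-routes the server's replies back to the CSS.
    """
    policy = (lambda s, d: CSS_CIRCUIT if s == IP(SERVER) else None) if pbr else None
    router = Node("router", ["10.130.244.1/24", "10.130.193.1/24", "10.130.192.1/24"],
                  routes=[(VIP + "/32", CSS_CIRCUIT)], pbr=policy)  # VIP routed to the CSS
    css = Balancer("css", CSS_CIRCUIT + "/24", VIP, SERVER,
                   routes=[("0.0.0.0/0", "10.130.193.1")], nat_src=nat_src)
    client = Node("client", [CLIENT + "/24"], routes=[("0.0.0.0/0", "10.130.244.1")])
    server = Node("server", [SERVER + "/24"], routes=[("0.0.0.0/0", "10.130.192.1")])
    nodes = [router, css, client, server]
    request = trace(nodes, client, CLIENT, VIP)
    # The server answers whatever source address the request carried.
    reply = trace(nodes, server, SERVER, nat_src or CLIENT)
    return {"request": request, "reply": reply,
            "anticipated_flows": len(css.flows), "reply_seen_by_css": css.reverse_hits}


if __name__ == "__main__":
    for label, kwargs in [("no fix", {}), ("source NAT", {"nat_src": CSS_CIRCUIT}),
                          ("PBR on router", {"pbr": True})]:
        print(label, scenario(**kwargs))
```

In the unfixed case the CSS has one anticipated reverse flow but `reply_seen_by_css` stays at 0 and the reply path is server, router, client; with either source NAT or a policy route the reply path becomes server, router, css, router, client and the anticipated flow is hit.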
