03-06-2008 11:01 AM
I have a one-arm configuration.
I can see bi-directional flows on the CSS, but the client PC does not receive anything, as I verified by capturing packets.
When the client PC requests directly from the servers, it receives content.
Also, the client PC receives ping replies from the CSS and also establishes telnet with the CSS. Also, when no servers are active, the client PC receives a TCP RST,ACK from the CSS, so no Layer 3 problems exist.
I have attached "show run" and "show flows" outputs, plus "tcp SYN" packets that client PC sends to CSS.
Client IP address: 10.130.244.16
03-06-2008 11:34 AM
If you are not NATting the PC IP at the CSS, you will need to support policy routing to send packets back to the CSS. We elected to use the PBR, since there is a large benefit to having the original src IP shown at the host.
03-06-2008 11:55 AM
This configuration should be working. We're seeing the response in the show flows output:
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.130.192.100  80    10.130.192.70   6011  10.130.244.16   TCP 2/1     2/1
10.130.244.16   53066 10.130.192.70   80    10.130.192.100  TCP 2/1     2/1
So it looks like this traffic is returning through the CSS. Any chance you can sniff the client side vlan of the CSS to see if the return packet is making it to the wire?
03-07-2008 12:30 AM
The problem is that your configured VLAN is:
circuit VLAN1
  ip address 10.130.193.10 255.255.255.0
So x.x.193.0
And your vip is x.x.192.x.
This is OK, but it means there is a router between the CSS and the servers.
So when the server responds to the client, the router will bypass the CSS.
You can keep the same vip, but you have to change your group config:
group CISCO
  add destination service SERVER1
  add destination service SERVER2
  vip address 10.130.193.70
Replace the x.x.192.x with an x.x.193.x
Gilles.
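An added example, not part of the thread or any poster's code: a small Python check for the condition described in the reply above, that a group's source-NAT vip address must sit on a subnet the CSS is directly attached to so that server replies return through it. The sample configuration is constructed from the addresses quoted in the thread, the function names are hypothetical, and the parser assumes the indented circuit/group layout shown.

```python
import ipaddress
import re

# Constructed sample built from the addresses quoted in this thread;
# the full "show run" attachment is not reproduced on the page.
SAMPLE_CONFIG = """\
circuit VLAN1
  ip address 10.130.193.10 255.255.255.0
group CISCO
  add destination service SERVER1
  add destination service SERVER2
  vip address 10.130.192.70
"""

def circuit_networks(config):
    """Return the subnets the CSS is directly attached to (circuit IPs)."""
    nets, section = [], None
    for line in config.splitlines():
        if line and not line[0].isspace():
            section = line.split()[0]          # top-level keyword, e.g. "circuit"
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if section == "circuit" and m:
            nets.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
    return nets

def off_subnet_group_vips(config):
    """Return (group, vip) pairs whose source-NAT address is on no circuit subnet."""
    nets = circuit_networks(config)
    findings, group = [], None
    for line in config.splitlines():
        if line and not line[0].isspace():
            parts = line.split()
            # Only "group <name>" sections are checked; any other section resets.
            group = parts[1] if parts[0] == "group" and len(parts) > 1 else None
        m = re.match(r"\s+vip address (\S+)", line)
        if group and m:
            vip = ipaddress.ip_address(m[1])
            if not any(vip in net for net in nets):
                findings.append((group, str(vip)))
    return findings

if __name__ == "__main__":
    for group, vip in off_subnet_group_vips(SAMPLE_CONFIG):
        print(f"group {group}: vip {vip} is not on a directly connected circuit subnet")
```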
03-07-2008 05:53 AM
Thanks to all of you.
Gilles, I will test today at noon, but how would you explain that "show flows" shows the following:
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.130.192.100  80    10.130.192.70   6011  10.130.244.16   TCP 2/1     2/1
10.130.244.16   53066 10.130.192.70   80    10.130.192.100  TCP 2/1     2/1
03-07-2008 11:24 AM
The flow is created with the first SYN.
We set the reverse flow anticipating the response.
That does not mean the CSS received it.
Gilles.
03-16-2008 07:34 AM
Worked after configuring the right netmask. Case solved. Thanks to all.