
CSS

jcarvalh
Level 1

I have a CSS 11506. I have one content rule with two services. If I try to access the servers directly (via real IP address) all goes well and I get access to the web page; if I try to access the web page via the CSS VIP I don't see the web page. You can see the config that I am using at the end of this post; I think there is no problem with it but I just want to make sure.

Thanks in advance,

Joao Carvalho

Config:

!*************************** GLOBAL ***************************
  date european-date
  cdp run
  no restrict web-mgmt
  dns secondary 192.168.40.254
  dns primary 192.168.40.5
  ip route 0.0.0.0 0.0.0.0 192.168.12.1 1

!************************* INTERFACE *************************
interface 1/1
  trunk
  vlan 3
  vlan 12

interface 1/2
  trunk
  vlan 12

!************************** CIRCUIT **************************
circuit VLAN12
  ip address 192.168.12.22 255.255.255.0

!************************** SERVICE **************************
service www-hux1
  ip address 192.168.12.26
  keepalive frequency 20
  port 80
  protocol tcp
  active

service www-hux2
  ip address 192.168.12.25
  keepalive frequency 20
  port 80
  protocol tcp
  active

!*************************** OWNER ***************************
owner HS
  billing-info "ahp"

  content rule1
    vip address 192.168.12.21
    add service www-hux1
    add service www-hux2
    port 80
    url "/*"
    protocol tcp
    active

3 Replies

Gilles Dufour
Cisco Employee

You have only 1 VLAN on the CSS.

Therefore, this is called one-armed and precautions need to be taken to guarantee that the response from the server will not go directly to the client - which will break the setup since the client expects a response from the CSS, not the server.

If the CSS is not the default gateway of the server, you need to configure client NAT.

i.e.:

group clientnat
  vip address 192.168.12.21
  add destination service www-hux1
  add destination service www-hux2
  active

Gilles.

I tried your solution and it worked just fine.

I also tried another thing that worked; I changed the default gateway of the real server to 192.168.12.22 (IP address of VLAN circuit in CSS). Is this a common solution? Are there any known problems with this approach?

Joao

The problem with the client NAT solution is that the server loses the information about the client IP address.

The problem with the gateway pointing to the CSS is once the server opens a connection directly to the outside, the response will go back directly to the server, bypassing the server....same problem as before but the other way around.

And if you send all traffic to the CSS, you take the risk of losing performance if you have a lot of traffic that normally does not require load balancing.

The best solution is to put the CSS inline with the servers.

Gilles.
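The return-path problem discussed in this thread, as an added Python sketch that is not part of the original posts and is not Cisco code. It uses the addresses from the posted configuration; the two client addresses are constructed, and the on-subnet client case goes one step beyond what the thread covers.

```python
import ipaddress

# Addresses taken from the configuration posted in the thread.
SUBNET = ipaddress.ip_network("192.168.12.0/24")     # VLAN 12
CSS_CIRCUIT = ipaddress.ip_address("192.168.12.22")  # circuit VLAN12
VIP = ipaddress.ip_address("192.168.12.21")          # content rule / group VIP
ROUTER = ipaddress.ip_address("192.168.12.1")        # original default gateway

# Constructed sample clients: one routed, one on the servers' own VLAN.
SAMPLE_CLIENTS = ("10.1.1.50", "192.168.12.77")


def return_path(client, server_gateway, client_nat):
    """Trace where a real server sends its reply for a load-balanced flow.

    Returns (next_hop, via_css). The connection only works when the reply
    passes back through the CSS, because only the CSS rewrites the reply's
    source from the real server address back to the VIP the client used.
    """
    client = ipaddress.ip_address(client)
    gateway = ipaddress.ip_address(server_gateway)
    # With the "group clientnat" source group active, the server sees the
    # group VIP as the source address instead of the real client.
    seen_source = VIP if client_nat else client
    # On-link destinations are delivered directly; others go to the gateway.
    next_hop = seen_source if seen_source in SUBNET else gateway
    # The CSS sees the reply only if the next hop is one of its addresses.
    via_css = next_hop in (VIP, CSS_CIRCUIT)
    return str(next_hop), via_css


def check_all(clients=SAMPLE_CLIENTS):
    """Evaluate every combination of client, server gateway and client NAT."""
    rows = []
    for client in clients:
        for gw in (ROUTER, CSS_CIRCUIT):
            for nat in (False, True):
                hop, via_css = return_path(client, str(gw), nat)
                rows.append((client, str(gw), nat, hop, via_css))
    return rows


if __name__ == "__main__":
    for row in check_all():
        print("client=%-14s gw=%-14s nat=%-5s next_hop=%-14s works=%s" % row)
```

Client NAT works for both clients regardless of the server's gateway, while pointing the gateway at the CSS without NAT still fails for a client on VLAN 12 itself.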
