572 Views · 0 Helpful · 8 Replies

CSM Load Balancer Help

anthony.baker
Level 1

Hey all,

I had a config working for load balancing websites but now need something to work for a flash app that uses port 1935 instead.

Everything worked but I couldn't see the real source IP (which is a requirement of the business). I know that this was because I was taking it from the HTTP header before and it's not HTTP now.

What are my options here? Is there something similar I could do or do I need to change the basic design?

My design at present looks like this:

Client -- CSM -- FWSM -- Real Servers

The servers have a DG of the FWSM and are on VLAN205.

module ContentSwitchingModule 12
 vlan 205 server
  ip address 10.1.205.5 255.255.255.0
 !
 vlan 150 client
  ip address 10.1.205.5 255.255.255.0
 !
 natpool MAND8 10.1.205.50 10.1.205.50 netmask 255.255.255.0
 !
 probe TCP_80 tcp
  interval 5
  failed 3
  port 80
 !
 map SOURCEIPHEADER header
  insert protocol http header sourceip header-value %is
 !
 serverfarm MAND8
  nat server
  nat client MAND8
  failaction reassign
  real 10.1.205.209
   no inservice
  real 10.1.205.219
   inservice
  probe TCP_80
 !
 policy INSERTSOURCEIP
  header-map SOURCEIPHEADER
  serverfarm MAND8
 !
 vserver MAND8
  virtual 10.1.205.50 tcp 1935
  vlan 205
  unidirectional
  serverfarm MAND8
  advertise active
  persistent rebalance
  inservice
 !

As I say, the above config works fine, apart from the NAT so if anyone has any ideas that would be great!

Thanks in advance

Anthony

8 Replies

Gilles Dufour
Cisco Employee

You need to change the design.

Do something like this

client -- FW -- CSM --- servers

Have the same configured in bridge mode so the servers can keep the FW as their DG.

After that you can remove the natpool from the serverfarm and you will see the client ip address on the servers.

Gilles.

Ok, thanks Gilles...

I'm trying to do what you suggest but what's the main config difference between what I have and what you suggest?

I have the outside FW VLAN as VLAN15 - VLAN205 is one that is off the FWSM and VLAN150 is just on the CSM.

So how do I change what I have to 'bridge'?

Thanks for the help

Anthony

The goal is to have the traffic hit the CSM before it goes to the firewall which could send the traffic back to the client without going through the CSM.

If I understand correctly, the servers are in vlan 205.

So you need something like this:

vlan15 -- FW ---- vlan150 ---- CSM ----vlan205

Configure the same ip in vlan150 and vlan205 for the CSM.

Use an ip from the servers subnet.

Remove vlan 205 from the FW and replace it with vlan 150.

I hope this makes sense like this.

Don't hesitate to send more questions if you need to clarify something.

Gilles.

Hey Gilles,

Thanks for the help.

When you say remove 205 from the FW, which part do you mean? I thought that all the machines still use the FWSM as their DG, or am I wrong? So I still need to keep the IP, access-lists etc. there?

The CSM will bridge between the FW and the servers.

But the FWSM can't have direct access to the server vlan.

So you keep everything the same on the firewall, but you need to remove the server vlan and replace it with a new vlan id that will exist only between the csm and the fwsm.

The fwsm will keep the same ip addresses.

Just the vlan id will change.

The csm takes care of the rest.

Gilles.
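Putting Gilles's two replies together as one configuration, here is an added example of what the CSM side looks like once it bridges between the FWSM (VLAN 150) and the server VLAN (205) with client NAT removed. This is not Anthony's posted config nor anything Gilles posted; it reuses the module slot, VLAN ids, subnet, real servers and vserver from the original post, and assumes the FWSM inside address (the servers' default gateway, which the thread never states) is 10.1.205.1, a placeholder. Because the CSM no longer source-NATs, the real servers and the FWSM logs both record the true client address, which is the audit requirement Anthony started with.

```cisco
! Added example: CSM in bridge mode between FWSM and servers (not from the thread)
! Assumed: 10.1.205.1 is the FWSM inside IP / servers' default gateway (placeholder)
module ContentSwitchingModule 12
 ! Client-side VLAN faces the FWSM; server-side VLAN holds the real servers.
 ! Same IP on both VLANs = bridge mode, as Gilles describes.
 vlan 150 client
  ip address 10.1.205.5 255.255.255.0
  gateway 10.1.205.1
 !
 vlan 205 server
  ip address 10.1.205.5 255.255.255.0
 !
 ! Probe kept on port 80 as posted; note it does not test the 1935 service itself.
 probe TCP_80 tcp
  interval 5
  failed 3
  port 80
 !
 ! No "natpool" and no "nat client" line: the client IP reaches the servers unchanged.
 serverfarm MAND8
  nat server
  failaction reassign
  real 10.1.205.209
   no inservice
  real 10.1.205.219
   inservice
  probe TCP_80
 !
 ! vserver now listens on the client VLAN; "unidirectional" dropped because return
 ! traffic from the servers passes back through the CSM in bridge mode.
 vserver MAND8
  virtual 10.1.205.50 tcp 1935
  vlan 150
  serverfarm MAND8
  advertise active
  persistent rebalance
  inservice
 !
```

On the FWSM side, as Gilles says, the former server interface keeps its IP address and ACLs but moves to VLAN 150; the FWSM must not also be present on VLAN 205, otherwise server return traffic can bypass the CSM. The `map`/`policy` header insertion from the original post is left out because it only applies to HTTP and the vserver here is plain TCP on 1935.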

Ok, I think I understand. I've deleted VLAN205 on the FWSM and replaced it with VLAN150 but with the original VLAN205 IP address - to still be used as the DG.

When I try now I can see requests coming into the server from the non-natted address but the page doesn't load.

Should I have a gateway configured on either the server/client VLANs in the CSM config to sort this problem, or is it something else?

Thanks again!

So now I have:

interface Vlan105
 nameif inside
 security-level 100
 ip address 10.2.250.1 255.255.255.0

firewall vlan-group 50 15,105

and then the same as before in terms of CSM config...

Hey Gilles,

Thanks for all your help!

I got it working in the end. I kept 205 as the bridged VLAN so that my other servers can stay on that without needing to be changed, then created a new VLAN for the servers that are to be load balanced. I now see the source IP and all is good!

Next problem!!

Do you know if it's possible for a probe script to look inside a text file and look for a certain line of text or if not look for a certain line of text on a webpage i.e. 'ok' or whatever?

I'm reading loads of stuff at the moment but you seem to have the answers so thought I'd ask!!

Cheers,

Anthony
