CSS11506 - show flows

Unanswered Question
May 9th, 2008
User Badges:

Hello all,


I have a CSS11506 with the following config...


!************************** SERVICE **************************


service pas_main_uswrnsa0ptf01_11111

ip address 172.16.25.30

keepalive type tcp

keepalive port 11111

port 11111

active


service pas_main_uswrnsa0ptf02_11111

ip address 172.16.25.31

keepalive type tcp

keepalive port 11111

port 11111

active


service pas_main_uswrnsa0ptf03_11111

ip address 172.16.25.32

keepalive type tcp

keepalive port 11111

port 11111

active


service pas_main_uswrnsa0ptf04_11111

ip address 172.16.25.33

keepalive type tcp

keepalive port 11111

port 11111

active


!*************************** OWNER ***************************

owner PAS


content PAS-pas_main-2008-11111

vip address 123.123.130.222

protocol tcp

port 11111

url "/*"

balance aca

application ssl

add service pas_main_uswrnsa0ptf01_11111

add service pas_main_uswrnsa0ptf02_11111

add service pas_main_uswrnsa0ptf03_11111

add service pas_main_uswrnsa0ptf04_11111

active


!*************************** GROUP ***************************

group PAS-pas_Dgraphs

vip address 172.16.25.11

add destination service pas_main_uswrnsa0ptf01_11111

add destination service pas_main_uswrnsa0ptf02_11111

add destination service pas_main_uswrnsa0ptf03_11111

add destination service pas_main_uswrnsa0ptf04_11111

active


I can access my servers just fine, but when issuing the 'show flows' command, I do not see my traffic... even though I can see my hit counters incrementing.


NOTE: The 'application ssl' command is something new for us, so I thought it may be related to this.


Any ideas?


Thanks,


-Adam

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Gilles Dufour Fri, 05/09/2008 - 12:29
User Badges:
  • Cisco Employee,

Try


llama

flow-agent show active_fcbs

exit


Or a


show flows 0.0.0.0


Gilles.

a.veschak Fri, 05/09/2008 - 14:21
User Badges:

Gilles,


Still not seeing the flows.


Anything else you could recommend? Could the 'application ssl' config have anything to do with this behavior?


Thanks,


-Adam

Gilles Dufour Mon, 05/12/2008 - 22:49
User Badges:
  • Cisco Employee,

if you do not see any flow, there is no active flows !!

The flow-agent command does look at HW level for connections. If it does not return anything, it means there is no ACTIVE flow.


Gilles.

a.veschak Wed, 05/14/2008 - 12:31
User Badges:

Gilles,


The target IP is the content VIP 123.123.130.222 (as shown in my CSS config). However, I am testing from one of the four servers (services) associated with this content rule. Could that be causing the problem with the CSS not seeing these flows?


For example...


I am sitting on server uswrnsa0ptf01 and I test to the content VIP 123.123.130.222... and it works... but I see know flows in the CSS.


I've attached a drawing showing our network topology.


Thanks,


-Adam



Attachment: 
Gilles Dufour Thu, 05/15/2008 - 04:38
User Badges:
  • Cisco Employee,

try to open a telnet session to your VIP IP:PORT.

Do not close the telnet session and check with a 'show flows 0.0.0.0' if you see any flow.


It should not matter if you open the connection from the server or not.


G.

Actions

This Discussion