Enabling Kerberos on Cisco CSM load balancer

Unanswered Question
Sep 4th, 2008

Hello all,

I am using Cisco CSM as a load balancer for my servers which is enabled with Single Sign-on. I have enabled session stickiness as netmask (source IP).

My application IE client is using two hops with http request. Since we have enabled Single sign-on, the first time i send a request , the server responses with 401 response, then the client send the kerberos ticket with credentials to the server.

So there are 2 hops, I wantmy CSM to maintian session stickiness to the same server.So we enabled "netmask" stickiness on CSM.

Now when we test the environemnt, without CSM load balancer, the scenario is working fine.The communication is happening well with client and server. But when we enable CSM and netmask, we are facing lot of issues on the server side. The two hops are going to same server, but information about the ticket is not reaching the Apache/tomcat enabled server. We confirmed this using Ethereal tool.

We find that the Cisco CSM load balancer drops the kerberos ticket from the request and sends to the server. SO client is not getting authenticated as ticket is not reaching the server.

We want to know two things:

1. Is CSM not able to recogonize the kerberos ticket?

2. Can we enable kerberos protocol on CSM so that it recogonize kerberos requests from client.

Thanks in advance

Sunil C

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)

I am not sure if this is solution to your problem or not, but what i have learned from my experience with CSM is that it actually works on 2 different sorts of VLANs. 1st VLAN ID created for the CSM itself, and 2nd VLAN ID used from the defined vlans on Switch. 1st works like some sort of natting, meaning the sessions from outside have to use an internal (kind of natted, not fully natted) IP to communicate with the internal servers. I guess you are already knowledgable abt that stuff, so cut it short, my suggestion would be,

1. try to find out which host is replying to the request by using

sh mod csm {module_number} session

You'll come to know (if u don't know already) that the request from the client comes to the Virtual IP, and the reply gets back from the physical IP. So, i guess you should check which IP your server's are using to talk to client.



sunilcnair Sun, 09/07/2008 - 22:33


Thank you for the mail.

I still have a confusion. Where should i run this command :

sh mod csm {module_number} session

My server is running on Linux.

I checked my server side Apache logs and found that I am receiving Virtual IP of the CSM Load balancer.

What i need is the IP address of the client with the kerberos ticket.

Please tell me how to advance


Sunil C


This Discussion