a few questions about CSS

Unanswered Question
Dec 5th, 2008
User Badges:

router IP is

load balaner VIP is

2 syslog server need to be load balanced: and, with default gateway:

when I use layer2 design on the load balancer, I need to configure "group" to make sure that return traffic from server still need to pass through LB.

it works well until we found out that all the traffic source record in Syslog server are :, which is VIP on the LB, so that I change to layer3 approach on the LB:

on the server, default gateway changed to, which is layer 3 IP on the LB;

on the router, create 2 static host routes: -> and ->

I still have a few questions:

1). shall I point the default gateway to (VIP) or, which is configured on the LB circuitVLAN10?

2). in the LB, I configued:

service Server13

ip address

protocol udp

port 514

and I also specified the "protocol udp"and"port 514" in the service part:

owner L3_Owner

content L3_Rule_syslog

add service Server13

add service Server14

vip address

balance leastconn

protocol udp

port 514

advanced-balance sticky-srcip


do I need to specified that at 2 parts both? what is the difference?

3). when I shut down 1 server, I can see server down from "show keeplive", but it still direct traffic to the down server, I know I can fix this by restart the LB, is there any automatical way?

I have post the samiliar question before, so far i have not get any right answer yet, thanks in advance!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Gilles Dufour Mon, 12/08/2008 - 01:26
User Badges:
  • Cisco Employee,

1/ you should point to the redundant-interface ip address if you are in vip/interface redundancy mode.

You should point to interface ip if you are in box-to-box redundancy mode.

2/ you don't need to speficy protocol and port on the service if you want to reuse the same proto/port are the content rule.

3/ as long as the udp connection is open, even if the server goes down, we keep using the open connection.

You should maybe disable flow creation since syslog traffic is one-way anyway.

You then get a per-packet loadbalancing.

The command is "flow-state 514 udp flow-disable nat-disable"


shibindong Tue, 12/09/2008 - 03:34
User Badges:

thanks!!! Gilles. I get great help from you!

regarding question 3, can I say it is because of UDP issue? If I change to TCP, the problem can be solved? by the way, what does command "flow-state 514 udp flow-disable nat-disable" mean for?

Gilles Dufour Tue, 12/09/2008 - 09:28
User Badges:
  • Cisco Employee,

For question #3, yes the problem is probably due to the nature of udp which is connection-less. So all packets from the same src to the same dst will be a single flow with no begining and no end.

Unless the flow times out (no traffic for a while) we keep using the same flow entry even if the server goes down.

For tcp, this would be different since the client would expect an ACK for each data sent and if no response, the client will open a new connection and be re-balanced to a new server.

The flow-state command let's you decide if you want a flow to be created or not.

With no flow entry, the CSS is forced to do a new loadbalancing decision for every packet.

This could be a problem if your traffic is too high.


shibindong Wed, 12/10/2008 - 03:37
User Badges:

I am not quite clear about your explaination:

1) Can I understand that, the syslog (UDP) flow is always in the CSS, because of it is UDP traffic which is one-way and no begin and no end. can I set the flow-time out value to a samll value, so that flow can be deleted if the inactive time for syslog is larger than that?

2) what does per-packet mean? if the per-packet means:

ABCDEFGHI ->CSS -> A C E G I one server

-> B D F H another server

can server receive full version syslog?

3) I added this command you recommended in the CSS, and I suspend 1 server, I still can see the traffic go to the down server...


This Discussion