CSS vip is not accessible from remote site

dario.didio Tue, 01/06/2009 - 00:36
User Badges:
  • Silver, 250 points or more

This looks like a routing or security issue.


Is site B able to ping the VIP? Is there a route back on the CSSes to site B (default route)?

Is traffic allowed with a source IP from site B? Are you using any access-lists, or is there a firewall in between?

When you try to hit the VIP from site B, do you see counters increment for that VIP?



Site B is able to ping the VIP; there's no issue from a routing perspective.

There's a default route in the CSS that points to the core switch.

There's no firewall in between, and no access-lists configured on the CSS.

When I try to access from site B, I perform a show flow on the CSS, and I do see it hit the CSS, but the content just wouldn't display on the user's screen. I suppose it's a problem with the return traffic, but I just can't find the problem.

For info, both site A and site B connect back to the same router in HQ, which connects to my core switch.

Any advice on troubleshooting is greatly appreciated.


Thanks,

Charles

dario.didio Tue, 01/06/2009 - 03:30

Are there any static routes configured on the servers? Normally in routed mode, the CSS has to be the default gateway for the servers.


Are the servers L2 adjacent to the CSS?


Is any NAT performed?


Can you post your config of the CSS?

Hi, my CSSes are in a one-leg design.

Therefore the CSSes, and even my servers, have their default gateway pointed to the core switches' HSRP IP.

Basically, my VIP on the CSS is in the same subnet as my physical servers, 10.x.37.x.

Config-wise, I'm unable to post it right now, as I do not have access to the CSS.

Regarding NAT, are you referring to NAT performed on the CSS (converting VIP to physical IP) or from the sites to my HQ?

If it's from the sites to my HQ, there isn't any NAT; we all belong to a 10.x class B subnet.


If possible, can we talk over IM?


dario.didio Tue, 01/06/2009 - 03:41

If you are in one-arm mode, you should perform source NAT on the CSS, because return traffic has to flow through the CSS.


Can you post your config to verify your NAT configuration?
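To make the return-traffic point concrete, here is an added toy model (not Cisco code and not from this thread) of a one-arm load balancer. A client connects to the VIP, the CSS hands the connection to a real server, and the server's reply comes back through the CSS only if its destination is an address the CSS owns; otherwise the server's default gateway (the core switch) sends it straight toward the client, whose TCP stack then sees a reply from the real server's IP instead of the VIP and discards it. The CSS address 10.1.2.8, server 10.1.2.26 and port 7001 are taken from the config posted in the thread; the VIP 10.1.2.100 and the site B client 10.30.7.15 are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# CSS circuit address, real server and port from the thread's config; the VIP
# and the site B client address are constructed sample values.
CSS_IP = "10.1.2.8"
VIP = "10.1.2.100"
SERVER = "10.1.2.26"
CLIENT = "10.30.7.15"
PORT = 7001


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class OneArmCSS:
    """Toy model of a CSS in one-arm mode: destination NAT from the VIP to a
    real server, with optional source NAT so that replies come back via the CSS."""

    def __init__(self, vip: str, own_ip: str, server: str, snat: bool):
        self.vip, self.own_ip, self.server, self.snat = vip, own_ip, server, snat
        self._next_port = 20000
        # reverse lookup: (server-facing src ip, src port) -> (client ip, client port)
        self.flows: dict = {}

    @property
    def owned(self) -> set:
        return {self.vip, self.own_ip}

    def forward(self, pkt: Packet) -> Packet:
        """Client -> VIP: rewrite the destination to the real server, and the
        source as well when source NAT is enabled."""
        assert pkt.dst == self.vip
        if self.snat:
            nat_port = self._next_port
            self._next_port += 1
            self.flows[(self.own_ip, nat_port)] = (pkt.src, pkt.sport)
            return Packet(self.own_ip, nat_port, self.server, pkt.dport)
        self.flows[(pkt.src, pkt.sport)] = (pkt.src, pkt.sport)
        return Packet(pkt.src, pkt.sport, self.server, pkt.dport)

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        """Server -> CSS: undo the translation so the client sees the VIP."""
        orig = self.flows.get((pkt.dst, pkt.dport))
        if orig is None:
            return None
        client, cport = orig
        return Packet(self.vip, pkt.sport, client, cport)


def server_reply(req: Packet) -> Packet:
    """The server answers whatever source address the request carried."""
    return Packet(req.dst, req.dport, req.src, req.sport)


def next_hop(pkt: Packet, css: OneArmCSS) -> str:
    """Server-side routing in the thread's design: the server's default gateway
    is the core switch, so only traffic addressed to a CSS-owned address reaches
    the CSS; everything else is forwarded by the core straight toward the client."""
    return "css" if pkt.dst in css.owned else "core"


def client_accepts(sent: Packet, reply: Packet) -> bool:
    """A TCP stack only matches a reply whose 4-tuple mirrors what it sent."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        sent.dst, sent.dport, sent.src, sent.sport)


def simulate(snat: bool) -> bool:
    """Return True if the client sees a usable reply to its request to the VIP."""
    css = OneArmCSS(VIP, CSS_IP, SERVER, snat)
    request = Packet(CLIENT, 40000, VIP, PORT)
    to_server = css.forward(request)
    reply = server_reply(to_server)
    if next_hop(reply, css) == "css":
        reply = css.reverse(reply)
    # If the reply bypassed the CSS, its source is the real server's IP, which
    # does not match the VIP the client connected to: the client drops it (or
    # answers with a RST) and the page never renders.
    return reply is not None and client_accepts(request, reply)


if __name__ == "__main__":
    print("without source NAT:", simulate(snat=False))  # False
    print("with source NAT:   ", simulate(snat=True))   # True
```

The model deliberately ignores sequence numbers and the TCP handshake; the only thing it tracks is which address the reply is sent from and whether it passes back through the device that did the translation, which is the whole of the one-arm problem.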

Below is the config I captured from my log. I have changed some IP addresses.



!************************** CIRCUIT
circuit VLAN1

  ip address 10.1.2.8 255.255.255.0
  ip virtual-router 1 priority 230 preempt
  ip virtual-router 2 priority 230 preempt
  ip virtual-router 3 priority 230 preempt
  ip virtual-router 4 priority 230 preempt
  ip redundant-vip 1 10.4.2.100
  ip redundant-vip 2 10.4.2.200
  ip redundant-vip 3 10.4.2.300
  ip redundant-vip 4 10.4.2.400

!************************** SERVICE
service eWeb1
  port 7001
  ip address 10.1.2.26
  keepalive type tcp
  active

service eWeb2
  port 7001
  keepalive type tcp
  ip address 10.1.2.27
  active

owner eWeb

  content eWeb
    protocol tcp
    add service eWeb1
    add service eWeb2
    port 7001
    balance leastconn
    vip address 10.1.2.300
    advanced-balance sticky-srcip
    sticky-serverdown-failover sticky-srcip
    sticky-inact-timeout 180
    active

!*************************** GROUP
group eWeb
  vip address 10.1.2.300
  add destination service eWeb1
  add destination service eWeb2
  active


Gilles Dufour Tue, 01/06/2009 - 04:35
User Badges:
  • Cisco Employee,

If it works for site A, then the problem is somewhere else than the CSS.

Any firewall between site B and the CSS?

If you sniff traffic in your CSS VLAN, do you see requests coming in for your VIP address?


Gilles

There's no firewall.

Using the show flow command on the CSS, I do see the client hit the VIP of the CSS.

I'm not sure if the return traffic went into a "black hole", but traceroute and ping from the CSS to the site B client and from the site B client to the CSS are all working fine.

Any issue if the WAN connectivity is this way:

The router in HQ uses an ATM link whereby the ISP provides different VPI/VCIs to represent the links to site A and site B.

Therefore, in the end, the router in HQ uses a single physical interface with sub-interfaces connecting to the remote sites (A and B).

On top of that, the link is further protected using IPsec over GRE.


Any concerns over it?



dario.didio Tue, 01/06/2009 - 05:12

That shouldn't make any difference.


Also, the config is OK, and like Gilles said, if it works for site A, it should work for site B as well. The problem will not be caused by the CSS.


Can you connect directly on the server (bypassing the CSS) using the same protocol/application (TCP 7001) from site B?

Yes, accessing the physical IP of the server is not a problem.

The problem is the VIP: the moment site B users access the URL (VIP address), they are not able to display the content (page). Right now the bypass solution is to allow site B users to access using the physical address.

My customer is very unhappy with such an arrangement, as it defeats the purpose of having an HA and load-balancing solution.

Any other troubleshooting steps/config I can try?


dario.didio Tue, 01/06/2009 - 05:44

In your config there is, under circuit VLAN1:

  ip redundant-vip 1 10.4.2.100
  ip redundant-vip 2 10.4.2.200
  ip redundant-vip 3 10.4.2.300
  ip redundant-vip 4 10.4.2.400

I assume you mean 10.1.2.x. The second byte is 1 instead of 4, correct?
