CSS vip is not accessible from remote site

Unanswered Question
dario.didio Tue, 01/06/2009 - 00:36
User Badges:
  • Silver, 250 points or more

This looks like a routing or security issue.

is site B able to ping the vip? Is there a route back on the CSSes to site B (default route)?

Is traffic allowed with a source IP from Site B? Are you using any access-lists or is there a firewall inbetween?

When you try to hit the VIP from site B, do you see counters increment for that VIP?

site B is able to ping the vip, there's no issue on routing perspective.

There's a default rout in CSS thats point to the core switch.

thers no firewall in between, no access-lists configure on CSS.

when i try access from site B. i perform a show flow in the CSS, i do see it hits the CSS. but the content just wouldnt display on the user screen. I suppose its the problem of return traffic.. but i just cant find out the problem.

For info, both site A and B connects back to a same router in HQ, which connects to my core switch.

Any advise in troubleshooting is greatly appreciated.



dario.didio Tue, 01/06/2009 - 03:30
User Badges:
  • Silver, 250 points or more

Are there any static routes configured on the servers? Normally in routed mode, the CSS has to be the default gateway for the servers.

Are the servers L2 adjacent to the CSS?

Is any NAT performed?

Can you post your config of the CSS?

Hi, my CSSes are in 1 leg design.

therefore CSSes, and even my severs, their default gateway are pointed to core switches HSRP IP.

basically, my vip in CSS is in the same subnet as my physical servers 10.x.37.x

Config wise, im unable to post it as right now, i do not have access to the CSS.

in your term of NAT, are you refering to NAT perform in CSS? (converting VIP to physical ip) or from sites to my HQ?

If its from sites to my HQ, there isn't any NAT, we all belongs to a 10.x class B subnet

If possible, can we talk over IM?

dario.didio Tue, 01/06/2009 - 03:41
User Badges:
  • Silver, 250 points or more

If you are in 1 arm mode, you should perform source NAT on the CSS, because returntraffic has to flow through the CSS.

Can you post your config to verify your NAT configuration?

Below is the config i capture from my log.. I have changed some IP address

************** CIRCUIT

circuit VLAN1

ip address

ip virtual-router 1 priority 230 preempt

ip virtual-router 2 priority 230 preempt

ip virtual-router 3 priority 230 preempt

ip virtual-router 4 priority 230 preempt

ip redundant-vip 1

ip redundant-vip 2

ip redundant-vip 3

ip redundant-vip 4

!************************** SERVICE

service eWeb1

port 7001

ip address

keepalive type tcp


service eWeb2

port 7001

keepalive type tcp

ip address


owner eWeb

content eWeb

protocol tcp

add service eWeb1

add service eWeb2

port 7001

balance leastconn

vip address

advanced-balance sticky-srcip

sticky-serverdown-failover sticky-srcip

sticky-inact-timeout 180


!*************************** GROUP

group eWeb

vip address

add destination service eWeb1

add destination service eWeb2


Gilles Dufour Tue, 01/06/2009 - 04:35
User Badges:
  • Cisco Employee,

If it works for site A, then the problem is somewhere else than the CSS.

Any firewall between site B and the CSS ?

If you sniff traffic in your CSS vlan, do you see request coming in for your vip address ?


Theres no firewall.

using the show flow command in CSS, i do see the client hits the VIP of the CSS.

Im not sure if its the return traffic went into "black hole", but traceroute and ping from CSS to site B client and Site B client to CSS are all working fine.

any issue if the WAN connectivity is this way:

Rtr in HQ using ATM link connection whereby ISP provide different VPI/VCI to represent linkage to site A n Site B.

Therefore in the end, router in HQ is using a single physical interface with sub-interfaces connecting to remote sites (A n B)

on top of it, the link is further protect using IPSEC over GRE..

Any concerns over it?

dario.didio Tue, 01/06/2009 - 05:12
User Badges:
  • Silver, 250 points or more

That shouldn't make any difference.

Also, the config is OK, and like Gilles said, if it works for site A, it should work for site B aswell. The problem will not be caused by the CSS.

Can you connect directly on the server (bypassing the CSS) using the same protocol/application (TCP 7001) from site B?

Yes.. accessing to the physical IP of the server is not a problem.

the problem is the vip, the moment site B users access the URL (vip address), they will not be able to display the content (page). now the bypass solution is to allow Site B users to access using physical address.

My customer is very unhappy with such arrangement as it defeat the purpose of having a HA and load balance solution.

any other troubleshooting steps/ config i can try?

dario.didio Tue, 01/06/2009 - 05:44
User Badges:
  • Silver, 250 points or more

In your config there is, under Circuit VLAN1:

ip redundant-vip 1

ip redundant-vip 2

ip redundant-vip 3

ip redundant-vip 4

I assume you mean 10.1.2.x. The second byte is 1 instead of 4, correct??


This Discussion