01-05-2009 08:37 PM
Hi,
I'm using a pair of CSS 11000s; basically my problem is this. Site A is able to access through the VIP, whereas site B is not able to; site B is able to access using the physical server IP address.
CSS - L3 (Core Switches) - Router - Site A
                                  \ Site B
Can anyone advise?
01-06-2009 12:36 AM
This looks like a routing or security issue.
Is site B able to ping the VIP? Is there a route back on the CSSes to site B (default route)?
Is traffic allowed with a source IP from site B? Are you using any access-lists, or is there a firewall in between?
When you try to hit the VIP from site B, do you see counters increment for that VIP?
01-06-2009 03:11 AM
Site B is able to ping the VIP; there's no issue from a routing perspective.
There's a default route in the CSS that points to the core switch.
There's no firewall in between, and no access-lists configured on the CSS.
When I try to access from site B, I perform a show flow on the CSS and I do see it hit the CSS, but the content just wouldn't display on the user's screen. I suppose it's a problem with the return traffic, but I just can't find the problem.
For info, both site A and B connect back to the same router in HQ, which connects to my core switch.
Any advice on troubleshooting is greatly appreciated.
Thanks,
Charles
01-06-2009 03:30 AM
Are there any static routes configured on the servers? Normally in routed mode, the CSS has to be the default gateway for the servers.
Are the servers L2 adjacent to the CSS?
Is any NAT performed?
Can you post your config of the CSS?
01-06-2009 03:35 AM
Hi, my CSSes are in a one-leg design.
Therefore the CSSes, and even my servers, have their default gateway pointed to the core switches' HSRP IP.
Basically, my VIP in the CSS is in the same subnet as my physical servers, 10.x.37.x.
Config-wise, I'm unable to post it right now, as I do not have access to the CSS.
By NAT, are you referring to NAT performed in the CSS (converting VIP to physical IP) or from the sites to my HQ?
If it's from the sites to my HQ, there isn't any NAT; we all belong to a 10.x class B subnet.
If possible, can we talk over IM?
01-06-2009 03:41 AM
If you are in one-arm mode, you should perform source NAT on the CSS, because return traffic has to flow through the CSS.
Can you post your config to verify your NAT configuration?
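To make the reply-path argument above concrete, here is an added model (not CSS code, and not from anyone in this thread) of what happens to a TCP handshake behind a one-arm load balancer with and without source NAT. The CSS interface 10.1.2.8 and real server 10.1.2.26 are taken from the config posted later in the thread; the VIP 10.1.2.100 and the site B client 10.20.1.5 are constructed placeholders. It assumes, as the thread states, that the servers' default gateway is the core switch rather than the CSS.

```python
"""Reply-path model for a one-arm (single-leg) load balancer.

Added illustration, not CSS code. The CSS interface (10.1.2.8) and
server (10.1.2.26) come from the posted circuit VLAN1; the VIP
10.1.2.100 and the site B client 10.20.1.5 are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

SERVER_SUBNET = ipaddress.ip_network("10.1.2.0/24")  # circuit VLAN1
CSS_IP = ipaddress.ip_address("10.1.2.8")            # CSS interface on that VLAN
SERVER_IP = ipaddress.ip_address("10.1.2.26")        # service eWeb1
VIP = ipaddress.ip_address("10.1.2.100")             # constructed VIP
CLIENT_IP = ipaddress.ip_address("10.20.1.5")        # constructed site B client


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    flags: str


def css_forward(pkt: Packet, source_nat: bool) -> Packet:
    """CSS rewrites the destination from the VIP to the chosen real server.
    With a source group it also rewrites the source to its own address,
    so the server's reply is addressed to the CSS instead of the client."""
    src = CSS_IP if source_nat else pkt.src
    return Packet(src, SERVER_IP, pkt.flags)


def server_reply(pkt: Packet) -> tuple[Packet, str]:
    """The server answers whoever appears as the source. Its default gateway
    is the core switch (as in the thread), so an off-subnet destination
    leaves via the core switch and never touches the CSS."""
    reply = Packet(SERVER_IP, pkt.src, "SYN-ACK")
    hop = "direct" if reply.dst in SERVER_SUBNET else "core-gateway"
    return reply, hop


def simulate(source_nat: bool) -> dict:
    """Walk a TCP SYN from the client to the VIP and the SYN-ACK back."""
    trace = []
    syn = Packet(CLIENT_IP, VIP, "SYN")
    trace.append(("client->css", syn))
    to_server = css_forward(syn, source_nat)
    trace.append(("css->server", to_server))
    reply, hop = server_reply(to_server)
    if reply.dst == CSS_IP:
        # Reply lands on the CSS, which undoes both rewrites; the client
        # sees the SYN-ACK coming from the VIP it connected to.
        trace.append(("server->css", reply))
        back = Packet(VIP, CLIENT_IP, "SYN-ACK")
        trace.append(("css->client", back))
    else:
        # Reply is routed by the core switch straight to the client,
        # bypassing the CSS entirely.
        trace.append((f"server->{hop}->client", reply))
        back = reply
    # The client's socket is keyed on the VIP; a SYN-ACK from the real
    # server address matches nothing and is rejected, so the page never loads.
    ok = back.src == VIP and back.dst == CLIENT_IP
    return {"ok": ok, "reply_src": str(back.src), "trace": trace}


if __name__ == "__main__":
    for snat in (True, False):
        result = simulate(snat)
        print(f"source NAT {'on ' if snat else 'off'}: handshake ok={result['ok']}")
        for step, pkt in result["trace"]:
            print(f"  {step:28} {pkt.src} -> {pkt.dst} [{pkt.flags}]")
```

Run it and compare the two traces: with source NAT the reply takes the server->css->client path and arrives from the VIP; without it the server's SYN-ACK goes server->core-gateway->client with the real server address as source, which is exactly the "black hole" symptom of a show flow that records the hit while the browser shows nothing.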
01-06-2009 03:56 AM
Below is the config I captured from my log. I have changed some IP addresses.
************** CIRCUIT
circuit VLAN1
ip address 10.1.2.8 255.255.255.0
ip virtual-router 1 priority 230 preempt
ip virtual-router 2 priority 230 preempt
ip virtual-router 3 priority 230 preempt
ip virtual-router 4 priority 230 preempt
ip redundant-vip 1 10.4.2.100
ip redundant-vip 2 10.4.2.200
ip redundant-vip 3 10.4.2.300
ip redundant-vip 4 10.4.2.400
!************************** SERVICE
service eWeb1
port 7001
ip address 10.1.2.26
keepalive type tcp
active
service eWeb2
port 7001
keepalive type tcp
ip address 10.1.2.27
active
owner eWeb
content eWeb
protocol tcp
add service eWeb1
add service eWeb2
port 7001
balance leastconn
vip address 10.1.2.300
advanced-balance sticky-srcip
sticky-serverdown-failover sticky-srcip
sticky-inact-timeout 180
active
!*************************** GROUP
group eWeb
vip address 10.1.2.300
add destination service eWeb1
add destination service eWeb2
active
01-06-2009 04:35 AM
If it works for site A, then the problem is somewhere else than the CSS.
Any firewall between site B and the CSS?
If you sniff traffic in your CSS VLAN, do you see requests coming in for your VIP address?
Gilles
01-06-2009 04:40 AM
There's no firewall.
Using the show flow command on the CSS, I do see the client hit the VIP of the CSS.
I'm not sure if the return traffic went into a "black hole", but traceroute and ping from the CSS to the site B client and from the site B client to the CSS are all working fine.
Any issue if the WAN connectivity is this way:
The router in HQ uses an ATM link connection, whereby the ISP provides different VPI/VCIs to represent the links to site A and site B.
Therefore, in the end, the router in HQ is using a single physical interface with sub-interfaces connecting to the remote sites (A and B).
On top of that, the link is further protected using IPsec over GRE.
Any concerns over it?
01-06-2009 05:12 AM
That shouldn't make any difference.
Also, the config is OK, and as Gilles said, if it works for site A, it should work for site B as well. The problem will not be caused by the CSS.
Can you connect directly on the server (bypassing the CSS) using the same protocol/application (TCP 7001) from site B?
01-06-2009 05:19 AM
Yes, accessing the physical IP of the server is not a problem.
The problem is the VIP: the moment site B users access the URL (VIP address), they are not able to display the content (page). For now the bypass solution is to allow site B users to access using the physical address.
My customer is very unhappy with such an arrangement as it defeats the purpose of having an HA and load-balancing solution.
Any other troubleshooting steps/config I can try?
01-06-2009 05:44 AM
In your config there is, under Circuit VLAN1:
ip redundant-vip 1 10.4.2.100
ip redundant-vip 2 10.4.2.200
ip redundant-vip 3 10.4.2.300
ip redundant-vip 4 10.4.2.400
I assume you mean 10.1.2.x. The second byte is 1 instead of 4, correct?
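The mismatch just spotted (redundant-vip addresses on a different subnet from the circuit and the content VIP) is the kind of thing worth checking mechanically before a config goes live. The following is an added example, not a Cisco tool or anything from this thread: a small parser for the posted config blocks (circuit, service, content, group) plus the checks a reviewer would run on a one-arm design: every redundant-vip and VIP must be a valid address on the circuit subnet, every content VIP needs a matching ip redundant-vip, and every content rule needs a source group (the CSS source NAT) covering its services. POSTED is the anonymised config from the thread; FIXED is a constructed correction in which the VIP 10.1.2.30 is a placeholder.

```python
"""Consistency checks for a CSS one-arm configuration.

Added illustration, not a Cisco tool. POSTED is the thread's anonymised
config; FIXED is a constructed correction in which the VIP 10.1.2.30 is a
placeholder for the real (undisclosed) address."""
import ipaddress

POSTED = """\
circuit VLAN1
 ip address 10.1.2.8 255.255.255.0
 ip redundant-vip 1 10.4.2.100
 ip redundant-vip 2 10.4.2.200
 ip redundant-vip 3 10.4.2.300
 ip redundant-vip 4 10.4.2.400
service eWeb1
 port 7001
 ip address 10.1.2.26
service eWeb2
 port 7001
 ip address 10.1.2.27
owner eWeb
content eWeb
 protocol tcp
 add service eWeb1
 add service eWeb2
 port 7001
 vip address 10.1.2.300
group eWeb
 vip address 10.1.2.300
 add destination service eWeb1
 add destination service eWeb2
"""
# Constructed correction: one redundant-vip on the circuit subnet, equal to the content/group VIP.
FIXED = POSTED.replace("10.4.2.100", "10.1.2.30").replace("10.1.2.300", "10.1.2.30")
FIXED = "\n".join(l for l in FIXED.splitlines() if "10.4.2." not in l) + "\n"


def parse_css(text):
    """Minimal block parser: circuit/service/content/group open a block and
    only the keywords the checks need are collected per block."""
    cfg = {k: {} for k in ("circuit", "service", "content", "group")}
    cur = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or raw.lstrip()[0] in "!*":   # blank, comment or banner line
            continue
        if w[0] in cfg and len(w) == 2:
            cur = cfg[w[0]].setdefault(w[1], {"ip": None, "mask": None, "rvips": [], "vips": [], "services": []})
        elif w[0] == "owner":
            cur = None
        elif cur is None:
            continue
        elif w[:2] == ["ip", "address"]:
            cur["ip"], cur["mask"] = w[2], (w[3] if len(w) > 3 else None)
        elif w[:2] == ["ip", "redundant-vip"]:
            cur["rvips"].append(w[3])
        elif w[:2] == ["vip", "address"]:
            cur["vips"].append(w[2])
        elif w[:2] == ["add", "service"]:
            cur["services"].append(w[2])
        elif w[:3] == ["add", "destination", "service"]:
            cur["services"].append(w[3])
    return cfg


def valid_ip(s):
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def lint(cfg):
    """Return human-readable findings; an empty list means all checks pass."""
    out, subnets, rvips = [], [], set()
    for name, c in cfg["circuit"].items():
        try:
            subnets.append(ipaddress.ip_interface(f"{c['ip']}/{c['mask']}").network)
        except ValueError:
            out.append(f"circuit {name}: bad interface address {c['ip']} {c['mask']}")
        for rv in c["rvips"]:
            ip = valid_ip(rv)
            if ip is None:
                out.append(f"circuit {name}: redundant-vip {rv} is not a valid IPv4 address")
            elif not any(ip in s for s in subnets):
                out.append(f"circuit {name}: redundant-vip {rv} is outside the circuit subnet")
            else:
                rvips.add(rv)
    for name, ct in cfg["content"].items():
        for vip in ct["vips"]:
            if valid_ip(vip) is None:
                out.append(f"content {name}: vip {vip} is not a valid IPv4 address")
            elif vip not in rvips:
                out.append(f"content {name}: vip {vip} has no matching ip redundant-vip on a circuit")
        # One-arm: a group on the same VIP is what makes replies return via the CSS.
        groups = [g for g in cfg["group"].values() if set(g["vips"]) & set(ct["vips"])]
        if not groups:
            out.append(f"content {name}: no group (source NAT) for vip {ct['vips']}")
        else:
            covered = {sv for g in groups for sv in g["services"]}
            for sv in set(ct["services"]) - covered:
                out.append(f"content {name}: service {sv} is not a destination in the source group")
    return out


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint(parse_css(text)) or "OK")
```

On the posted text the checks report the two redundant-vips on the wrong subnet, the two whose last octet exceeds 255, and the content VIP 10.1.2.300, all of which are artefacts of the anonymisation; the corrected variant passes, and removing the group block from it produces the single "no group (source NAT)" finding that matters for a one-arm design.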
01-06-2009 05:46 AM
Yes, you are right.
Because I modified the IP addresses, there are some mistakes. Sorry.
01-07-2009 03:53 AM
Hi there,
For info, site B users are able to access the VIP if they use the proxy server which is hosted at the HQ site. But then it causes another set of issues.
Please help if anyone knows about these problems.
Thanks