Cisco CSM balancing

Dec 11th, 2009

Hi all,


I've got two questions about CSM:


1. I've got this config:

real foo
  address 1.1.1.5
  inservice
real bar
  address 1.1.1.6
  inservice
real foo1
  address 1.1.1.7
  inservice
!
serverfarm S_foo
  nat server
  no nat client
  real foo 53
   inservice
  real bar 53
   inservice
  real foo1 53
   inservice
!
serverfarm ROUTE
  no nat server
  no nat client
  predictor forward
!
vserver V_route
  virtual 1.1.1.0 255.255.255.0 any
  serverfarm ROUTE
  persistent rebalance
  inservice
!
vserver V_foo
  virtual 1.1.1.1 udp dns
  serverfarm S_foo
  idle 4
  persistent rebalance
  inservice
!
vserver V_bar
  virtual 1.1.1.2 udp dns
  serverfarm S_foo
  idle 4
  persistent rebalance
  inservice


Do you see any issue with having a serverfarm and vserver for forwarding to the real addresses and also having some VIPs for load balancing in a different subnet?

What is the order of matching for the CSM? I need to reach the real IPs and also to load balance... do you think I'll have some problem? Do you think it would be better to have a different subnet for the real IPs and the vservers?


2. Sometimes when I query a balanced DNS server (resolver) I can see (checking on a firewall between the CSM and the client; the inside interface is on the CSM side, the outside on the client side) some connections that seem to be generated from 1.1.1.1, 1.1.1.2... This is pretty strange, because all responses from the DNS should be in the conn table of the ASA and not generated from the DNS towards the client. On the firewall I can see an ACL (applied on the inside interface, CSM side) increasing its hits (the ACL is permit 1.1.1.1-2 to any). My expectation was to see just the outside ACL increasing hits (client --> DNS through ASA and CSM).


Thanks for any response

Dan


busterswt Fri, 12/11/2009 - 18:05

On a CSS I would recommend implementing some sort of source group rule if your DNS servers are replying directly back to the client. I've never used a CSM, but I would imagine you would want to NAT the source address of the client so that your DNS servers will reply back through the CSM and then back out to the clients.


Consider this existing serverfarm:



serverfarm S_foo
  nat server
  no nat client
  real foo 53
   inservice
  real bar 53
   inservice
  real foo1 53
   inservice

You can create a NAT pool consisting of one or more IPs, and use that to NAT incoming client traffic:

natpool MY_POOL 1.1.1.254 1.1.1.254 netmask 255.255.255.0

serverfarm S_foo
  nat server
  nat client MY_POOL
  real foo 53
   inservice
  real bar 53
   inservice
  real foo1 53
   inservice



All incoming requests to your DNS servers would appear to come from 1.1.1.254, and the DNS servers would reply to that address. The CSM would then perform NAT to change 1.1.1.254 to the VIP that was originally requested, and the destination IP would be that of the client. On the ASA you would then only see DNS traffic to/from the VIP. 1.1.1.1 and 1.1.1.2 should not be seen unless they initiate outbound traffic.


Hope I'm even close to what you're asking for!


- James

danilodicesare Fri, 12/11/2009 - 23:56

Hi James,


Thanks, but I think that is not the answer... because I can reach the DNS server from the real IP address of the client (clients are on the Internet). I don't need a source group or source NAT to let the infrastructure work properly.

I wonder whether the 'forward' serverfarm and the balanced serverfarm can work together without problems if I have the same subnet for both (as I said before, for the balancing SF I've got two /32s and for the forward serverfarm I've got a /24 on the same 1.1.1.0).

And why do I sometimes see traffic originating from a server in subnet 1.1.1.0, BUT with source 1.1.1.1 and 1.1.1.2 (which are the vserver IP addresses), port 53, towards a random client port? I can see that the traffic originates from there because it hits an ACL on a firewall's inside interface, where the inside interface faces the CSM and the outside interface faces the Internet.

Thanks

Dan

Correct Answer
Gilles Dufour (Cisco Employee) Mon, 12/14/2009 - 07:19

Dan,


1/ this is ok.  You can have multiple vip subnets.

CSM does a longest match - so first /32 and then /24.


2/ You should configure a very low idle timeout - 4sec.

Because currently, the CSM will setup flows and keep them for one hour.

Since this is UDP, the connections will stay there, and if the server sends a UDP packet which matches an existing connection, the CSM will assume it belongs to the old connection and forward everything to the firewall, doing NAT with the virtual IP.


Gilles.
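A small Python model of the two behaviours in Gilles' answer, added here as an illustration; it is not CSM code and not part of the original thread. It uses the thread's own addresses (the /24 forward vserver, the two /32 DNS VIPs, the three reals) and shows (a) longest-prefix vserver selection and (b) how the idle timeout on the DNS vservers decides whether a later UDP packet from a real, sent to a client socket it answered earlier, is matched to the cached flow and leaves the CSM with the VIP as its source. Assumptions not in the thread: round-robin choice among the reals, a packet matching no vserver is routed unchanged, and the client address 198.51.100.7, ports and timestamps are constructed sample data.

```python
"""Model of CSM vserver matching and UDP flow caching (illustration only).

Everything here is a simplified model written for this thread, not CSM
code. Addresses follow the posted config; the client, ports and times
are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vserver:
    name: str
    network: ipaddress.IPv4Network  # 'virtual 1.1.1.1' is a /32, 'virtual 1.1.1.0 255.255.255.0' a /24
    proto: str                      # 'udp' or 'any'
    port: Optional[int]             # None matches any destination port
    forward: bool                   # True for a 'predictor forward' serverfarm (no NAT)
    idle: int                       # 'idle N' in seconds


def build_vservers(dns_idle=4):
    """The three vservers from the thread; the DNS VIPs take the given idle timeout."""
    return [
        Vserver("V_route", ipaddress.ip_network("1.1.1.0/24"), "any", None, True, 3600),
        Vserver("V_foo", ipaddress.ip_network("1.1.1.1/32"), "udp", 53, False, dns_idle),
        Vserver("V_bar", ipaddress.ip_network("1.1.1.2/32"), "udp", 53, False, dns_idle),
    ]


REALS = ["1.1.1.5", "1.1.1.6", "1.1.1.7"]  # serverfarm S_foo, each 'real <name> 53'


def select_vserver(vservers, dst_ip, proto, dport):
    """Longest prefix wins: a /32 DNS VIP beats the /24 forward vserver when both match."""
    hits = [v for v in vservers
            if ipaddress.ip_address(dst_ip) in v.network
            and v.proto in ("any", proto)
            and v.port in (None, dport)]
    return max(hits, key=lambda v: v.network.prefixlen) if hits else None


class CsmModel:
    """Packets are (src_ip, sport, dst_ip, dport) tuples; only UDP is modelled."""

    def __init__(self, vservers, reals=REALS):
        self.vservers = vservers
        self.reals = reals
        self.next_real = 0
        # reverse-flow cache: (real, rport, client, cport) -> [vip, last_seen, idle]
        self.flows = {}

    def forward(self, pkt, now):
        """Return the packet as the firewall side sees it after the CSM."""
        # Drop flows that have been idle longer than their vserver's 'idle' value.
        self.flows = {k: v for k, v in self.flows.items() if now - v[1] <= v[2]}
        src, sport, dst, dport = pkt
        if pkt in self.flows:
            # Any packet from a real that matches a cached flow is treated as a
            # reply to that flow and its source is rewritten to the VIP.
            vip, _, idle = self.flows[pkt]
            self.flows[pkt] = [vip, now, idle]
            return (vip, sport, dst, dport)
        vs = select_vserver(self.vservers, dst, "udp", dport)
        if vs is None or vs.forward:
            return pkt  # no vserver, or 'predictor forward': routed unchanged (model assumption)
        real = self.reals[self.next_real % len(self.reals)]  # round-robin (assumption)
        self.next_real += 1
        self.flows[(real, dport, src, sport)] = [dst, now, vs.idle]
        return (src, sport, real, dport)


def late_packet_source(dns_idle, gap):
    """Constructed scenario: a client queries VIP 1.1.1.1 at t=0, the real answers at
    t=0.1, and 'gap' seconds later the same real sends another UDP packet from port 53
    to the same client socket. Returns the source IP the firewall sees on that packet."""
    csm = CsmModel(build_vservers(dns_idle))
    client_ip, client_port = "198.51.100.7", 40000
    query = csm.forward((client_ip, client_port, "1.1.1.1", 53), now=0.0)
    real = query[2]
    reply = csm.forward((real, 53, client_ip, client_port), now=0.1)
    assert reply[0] == "1.1.1.1"  # the normal reply carries the VIP as source
    late = csm.forward((real, 53, client_ip, client_port), now=gap)
    return late[0]


if __name__ == "__main__":
    print(late_packet_source(dns_idle=3600, gap=300))  # 1.1.1.1: stale flow, VIP-sourced
    print(late_packet_source(dns_idle=4, gap=300))     # 1.1.1.5: flow expired, real-sourced
```

Run as-is it prints `1.1.1.1` and then `1.1.1.5`: with a one-hour idle the late packet from the real is rewritten to the VIP, which is exactly what an inside-interface ACL permitting 1.1.1.1-2 would count once the firewall's own entry for that UDP conversation is gone; with `idle 4` the cached flow has expired and the packet leaves with the real's own address. The `select_vserver` cases also show why the mixed /24 and /32 layout works: DNS to 1.1.1.1 or 1.1.1.2 hits the /32 VIPs, anything else in 1.1.1.0/24 (including non-port-53 traffic to the VIP addresses) falls through to the forwarding vserver.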
