Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
745
Views
0
Helpful
4
Replies

CSM Server to Server

Muhammad Anser Khan
Level 1
Level 1

‎01-30-2010 04:26 AM

Dear All

Find the attached configuration.

When we try to access 10.1.100.50 (LB IP) from 10.1.100.20 (real server IP), it’s failing. Because CSM is assuming this request from server VLAN to server VLAN. 10.1.100.20 is already defined as a real server for 10.1.100.22 (LB IP).

!
  vlan 802 server
   ip address 10.1.100.200 255.255.255.0
   alias 10.1.100.202 255.255.255.0
!

Here is the connection output from 10.1.100.20 to 10.1.100.50 (LB IP) :

SWITCH#sh module contentSwitchingModule 8 conns vserver PORTAL-HTTP | inc 10.1.100.20
In  TCP   802  10.1.100.20:2673      10.1.100.50:80        ESTAB
Out TCP  802  10.1.100.51:80        10.1.100.20:2673      ESTAB 

How can I solve this issue? Whereas If I bypass the LB IP (10.1.100.50), I can create the connection between 10.1.100.20 & 10.1.100.51.

Regards,

Anser

      





Labels:
60513-Server to Server Post.txt.zip
0 Helpful
4 Replies 4

Sean Merrow
Level 4
Level 4

‎02-01-2010 06:15 AM

Hi Muhammad,

You will need to have the CSM perform source-NAT on the client connections so that when the servers receive the connection, they see the source address as an IP that the CSM owns.  This will force them to send their responses back to the CSM instead of sending them directly back to the locally connected client.  See sample config below.  Only clients on the server/VIP subnet get source NAT'd.  Clients from other subnets will not be NAT'd.:

======================================
        On MSFC
======================================
ip access-list standard SERVER-SUBNET
permit 10.1.100.0 0.0.0.255


======================================
        On CSM
======================================
vlan 20 client
  ip address 20.20.20.2 255.255.255.0
  gateway 20.20.20.1
!
vlan 10 server
  ip address 10.1.100.1 255.255.255.0
!
natpool SRC-NAT 10.1.100.100 10.1.100.100 netmask 255.255.255.0
!
probe PING icmp
!
serverfarm WEB
  nat server
  no nat client
  real 10.1.100.51
   inservice
  real 10.1.100.52
   inservice
  real 10.1.100.33
   inservice
  probe PING
!
policy SVR-TO-SVR
  client-group SERVER-SUBNET
  nat client SRC-NAT
  serverfarm WEB
!
vserver WEB
  virtual 10.1.100.50 tcp www
  persistent rebalance
  slb-policy SVR-TO-SVR
  serverfarm WEB
  inservice
!   

Hope this helps!

Sean

0 Helpful

Muhammad Anser Khan
Level 1
Level 1
In response to Sean Merrow

‎02-02-2010 01:01 AM

Dear Sean,


Thanks for your reply.


Our CSM is in bridged mode. If I configure the following configuration, Will this solve our issue?

But in our case, Connection is initiating with the same server VLAN 802. As shown in this output:


SWITCH#sh module contentSwitchingModule 8 conns vserver PORTAL-HTTP | inc 10.1.100.20
In  TCP  802  10.1.100.20:2673      10.1.100.50:80        ESTAB   
Out TCP  802  10.1.100.51:80        10.1.100.20:2673      ESTAB   


        On MSFC
======================================
ip access-list standard SERVER-SUBNET
permit 10.1.100.0 0.0.0.255


or

Is this the client subnet(initiator of the connection) which is 10.1.100.20 in our case, So can I configure this:


ip access-list standard SERVER-SUBNET
permit host 10.1.100.20


======================================
        On CSM
======================================
vlan 402 client
  ip address 10.1.100.200 255.255.255.0
  gateway 10.1.100.254
!
vlan 802 server
  ip address 10.1.100.200 255.255.255.0
!

natpool SRC-NAT 10.1.100.100 10.1.100.100 netmask 255.255.255.0
!
probe PING icmp
!
serverfarm WEB
  nat server
  no nat client
  real 10.1.100.51
   inservice
  real 10.1.100.52
   inservice
  probe PING
!
policy SVR-TO-SVR
  client-group SERVER-SUBNET
  nat client SRC-NAT
  serverfarm WEB
!
vserver WEB
  virtual 10.1.100.50 tcp www
  persistent rebalance
  slb-policy SVR-TO-SVR
  serverfarm WEB
  inservice
!  


Regards,

Anser


0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to Muhammad Anser Khan

‎02-02-2010 02:26 AM

Anser,

Your CSM is in one-armed mode and probably set as the default gateway of your servers.

This does guarantee that all traffic from the server goes to the CSM.

However, for local clients, in the same subnet as the servers, the default gateway is not used and instead the servers can directly arp for the client address.

This is why in this case the resposne from the servers bypasses the CSM and create connection failures.

The solution provided by Sean is to src nat traffic coming from local clients to trick the servers into believing the request came from the CSM itself.

Your proposed configuration should work.

Gilles.

0 Helpful

Muhammad Anser Khan
Level 1
Level 1
In response to Gilles Dufour

‎02-02-2010 03:06 AM

Dear Gilles,

I just mentioned in my last post that our CSM is in Bridged mode. And FWSM is the default gateway for all the subnets (including servers).

Regards,

Anser

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents