Cisco Content Switch Module CSM

Feb 22nd, 2010

Hi;

I am running CSM ver 4.3(4), the latest CSM software, on a WS-C6513 with IOS 12.2(18)SXF8. I have configured the CSM as below:


! Routed VLAN
vlan 170 client
  description *** CSM Client VLAN ***
  ip address 172.30.170.8 255.255.255.0
  gateway 172.30.170.1
!
! Layer 2 VLAN & it's configured on PIX Firewall.
vlan 172 server
  description *** CSM Servers VLAN ***
  ip address 172.30.172.253 255.255.255.0
  ! Firewall Interface
  gateway 172.30.172.245
!
probe HTTP http
  description *** P8_Application_Engine ***
  port 80
!
!
serverfarm CONTENT_ENGINE
  nat server
  no nat client
  predictor leastconns
  description *** P8_Content_Engine ***
  failaction reassign
  real 172.30.172.52
    inservice
  real 172.30.172.53
    inservice
  health retries 3 failed 30
  probe HTTP
!
sticky 1 netmask 255.255.255.255 timeout 180
!
policy CONTENT_ENGIN_P
  sticky-group 1
  serverfarm CONTENT_ENGINE
!
!
vserver CONTENT_ENGINE
  description *** VIP_Content_Engine ***
  virtual 172.30.170.250 any
  serverfarm CONTENT_ENGINE
  advertise active
  inservice

interface Vlan170
 description **** CSM Client VLAN ****
 ip address 172.30.170.3 255.255.255.0
 no ip proxy-arp
 glbp 170 ip 172.30.170.1
 glbp 170 priority 99
 glbp 170 preempt
 glbp 170 load-balancing host-dependent
end


VLAN 170 is configured as a routed VLAN & the default gateway for VLAN 170 is 172.30.170.1.

VLAN 172 is a Layer 2 VLAN which is routed to the firewall & all servers are members of this VLAN (VLAN mode access 172), so the real servers are behind the PIX firewall.

I am able to ping the virtual IP, but the problem is that I cannot open port 80. I tested by running (telnet 172.30.170.250 80) but no luck.

I am even able to open port 80 on these real servers, & when I ping the VIP the real servers respond (172.30.172.52 & 172.30.172.53), but I am not able to open port 80 (HTTP) using the virtual address (VIP).


Please advise!

Best Regards,
Mohanad

Sean Merrow Tue, 02/23/2010 - 07:02

Hello Mohanad,

Looking at your configuration, I have a few comments:

  • Since you can ping the VIP successfully, this means that the routing path from client-to-CSM-to-server is working, as is server-to-CSM-to-client.  I know this because your vserver is only layer-3.  It is only looking for traffic destined to the VIP.  So your ping to the VIP is actually being load balanced to one of the servers, and the server load balanced to is actually replying to the ICMP Request with an ICMP Reply.  The only way this could work is if the CSM is properly performing the load balancing and required NAT'ing. 

     With that said, since the CSM is only looking at the source and destination addresses for load balancing and NAT'ing, it doesn't matter whether it is ICMP or TCP to the CSM.  Therefore, I think your problem may not be with the CSM, but rather with the firewall or the servers themselves.  For the primary issue that you are looking for an answer, you may need to get a capture to see exactly where the connection fails.  I would recommend setting up a SPAN on the Catalyst and make the monitor session's source interface the port-channel of the CSM, which will be 256 plus the slot number of the CSM.  For example, if the CSM is in slot 3, then the source interface of the SPAN will be Po259.  Now you'll capture both client side and server side traffic of the connection through the CSM in a single capture.

  • You have two gateways configured, and since the server VLAN is only layer 2, I cannot see why you would need the gateway on VLAN 172.  Unless you have a compelling reason to have it, it should be removed.

  • You have route-health injection configured under the vserver.  Since the VIP is on the same IP subnet as the VLAN 170 interface on the switch, this is not needed.

  • The CSM does not support GLBP for its gateway.  You may get it to work, but it may produce unpredictable results.  You should change that interface on the switch to use HSRP instead of GLBP.

Hope this helps,

Sean

CSCO10911935 Tue, 02/23/2010 - 09:37

Dear Sean;

Thanks for your feedback,

I have resolved the problem. Since I am using routed mode on the CSM module & all my servers are configured to be behind the PIX firewall, I should enable NAT for client users & the pool should be within the servers' IP range.

Now when I telnet to port 80 on the VIP it works great. I think before, when I used to ping the VIP, one of the reals was responding to me as below:

Pinging 172.30.170.6 with 32 bytes of data:
Reply from 172.30.172.52: bytes=32 time<1ms TTL=128

But after I changed the config & enabled NAT for client users:

Pinging 172.30.170.6 with 32 bytes of data:
Reply from 172.30.170.6: bytes=32 time<1ms TTL=128

Then it works fine & there was no issue with the servers at all. I had configured the gateway on the server VLAN since it's not a routed VLAN & all servers are behind the firewall, so I should configure the gateway.

As per your advice I will remove GLBP since it's not supported with the CSM & I will configure HSRP, but could you please explain what the impact is if I use GLBP?

Please advise!

Thanks for your support & assistance.

Regards,

Mohanad.
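
The symptom and fix described in this post, modeled as an added example (not part of the original post and not Cisco code): without client NAT the real's reply leaves through its default gateway and never passes back through the CSM, so it arrives carrying the real's address instead of the VIP. The client address 10.1.1.10, the pool address 172.30.172.200 and the servers using the firewall as their default gateway are assumptions.

```python
import ipaddress

# VIP and real taken from the thread; the NAT pool address and the servers'
# default gateway being the firewall are assumptions made for this model.
VIP = "172.30.170.250"
REAL = "172.30.172.52"
SERVER_NET = ipaddress.ip_network("172.30.172.0/24")
NAT_POOL_IP = "172.30.172.200"   # hypothetical client NAT pool address


def csm_forward(pkt, nat_client, conns):
    """Client-to-server direction: rewrite VIP to a real, optionally SNAT."""
    src = NAT_POOL_IP if nat_client else pkt["src"]
    out = {"src": src, "dst": REAL, "proto": pkt["proto"]}
    conns[(out["src"], out["dst"])] = (pkt["src"], pkt["dst"])  # keep originals
    return out


def server_reply(pkt):
    """The real server answers whoever the packet appears to come from."""
    return {"src": pkt["dst"], "dst": pkt["src"], "proto": pkt["proto"]}


def return_path(reply, conns):
    """On-subnet destinations reach the CSM at layer 2; anything else goes
    to the server's default gateway (the firewall) and skips the CSM."""
    if ipaddress.ip_address(reply["dst"]) in SERVER_NET:
        client, vip = conns[(reply["dst"], reply["src"])]
        return {"src": vip, "dst": client, "proto": reply["proto"]}, "csm"
    return reply, "firewall"   # no reverse NAT: source stays the real's IP


def client_accepts(sent, reply):
    """ping showed the reply from the real's address (as in the thread);
    a TCP SYN-ACK must come from the address the SYN was sent to."""
    if reply["proto"] == "icmp":
        return True
    return reply["src"] == sent["dst"]


def simulate(proto, nat_client, client="10.1.1.10"):  # client IP is made up
    sent = {"src": client, "dst": VIP, "proto": proto}
    conns = {}
    reply, via = return_path(server_reply(csm_forward(sent, nat_client, conns)), conns)
    return {"reply_src": reply["src"], "via": via, "accepted": client_accepts(sent, reply)}
```

A stateful firewall that never saw the original SYN may also drop the stray SYN-ACK before the client gets the chance to reject it; the model only shows the client-side mismatch.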

Sean Merrow Tue, 02/23/2010 - 12:36

Hello,

The CSM uses the source MAC address of the packets to determine which gateway the server reply should be sent to.  The CSM does not like seeing duplicate MAC addresses which is what happens due to the nature of GLBP.

Sean
