02-22-2010 10:28 AM
Hi;
I am running CSM ver 4.3(4), the latest CSM software, on a WS-C6513 with IOS 12.2(18)SXF8. I have configured the CSM as below:
vlan 170 client // Routed VLAN
 description *** CSM Client VLAN ***
 ip address 172.30.170.8 255.255.255.0
 gateway 172.30.170.1
!
vlan 172 server // Layer 2 VLAN & its configured on PIX Firewall.
 description *** CSM Servers VLAN ***
 ip address 172.30.172.253 255.255.255.0
 gateway 172.30.172.245 // Firewall Interface
!
probe HTTP http
 description *** P8_Application_Engine ***
 port 80
!
!
serverfarm CONTENT_ENGINE
 nat server
 no nat client
 predictor leastconns
 description *** P8_Content_Engine ***
 failaction reassign
 real 172.30.172.52
  inservice
 real 172.30.172.53
  inservice
 health retries 3 failed 30
 probe HTTP
!
sticky 1 netmask 255.255.255.255 timeout 180
!
policy CONTENT_ENGIN_P
 sticky-group 1
 serverfarm CONTENT_ENGINE
!
!
vserver CONTENT_ENGINE
 description *** VIP_Content_Engine ***
 virtual 172.30.170.250 any
 serverfarm CONTENT_ENGINE
 advertise active
 inservice

interface Vlan170
 description **** CSM Client VLAN ****
 ip address 172.30.170.3 255.255.255.0
 no ip proxy-arp
 glbp 170 ip 172.30.170.1
 glbp 170 priority 99
 glbp 170 preempt
 glbp 170 load-balancing host-dependent
end
VLAN 170 is configured as a routed VLAN & the default gateway for VLAN 170 is 172.30.170.1.
VLAN 172 is a Layer 2 VLAN which is routed to the firewall & all servers are members of this VLAN (VLAN mode access 172), so the real servers are behind the PIX firewall.
I am able to ping the Virtual IP but the problem is that I cannot open port 80; I tested by running (telnet 172.30.170.250 80) but no luck.
I am even able to open port 80 on these real servers, & when I ping the VIP the real servers respond (172.30.172.52 & 172.30.172.53), but I am not able to open port 80 (HTTP) using the virtual address (VIP).
Please advise!
Best Regards,
Mohanad
02-23-2010 07:02 AM
Hello Mohanad,
Looking at your configuration, I have a few comments:
With that said, since the CSM is only looking at the source and destination addresses for load balancing and NAT'ing, it doesn't matter whether it is ICMP or TCP to the CSM. Therefore, I think your problem may not be with the CSM, but rather with the firewall or the servers themselves. For the primary issue that you are looking for an answer to, you may need to get a capture to see exactly where the connection fails. I would recommend setting up a SPAN on the Catalyst and making the monitor session's source interface the port-channel of the CSM, which will be 256 plus the slot number of the CSM. For example, if the CSM is in slot 3, then the source interface of the SPAN will be Po259. Now you'll capture both client side and server side traffic of the connection through the CSM in a single capture.
Hope this helps,
Sean
02-23-2010 09:37 AM
Dear Sean;
Thanks for your feedback,
I have resolved the problem. Since I am using routed mode on the CSM module & all my servers are configured to be behind the PIX firewall, I should enable NATing for client users & the pool should be within the servers' IP range.
Now when I telnet to port 80 on the VIP it works great, & I think before, when I used to ping the VIP, one of the reals was responding to me as below:
Pinging 172.30.170.6 with 32 bytes of data:
Reply from 172.30.172.52: bytes=32 time<1ms TTL=128
But after I changed the config & enabled NATing for client users:
Pinging 172.30.170.6 with 32 bytes of data:
Reply from 172.30.170.6: bytes=32 time<1ms TTL=128
Then it works fine & there was no issue with the servers at all, & I had configured the gateway on the server VLAN since it's not a routed VLAN & all servers are behind the firewall, so I should configure the gateway.
As per your advice I will remove GLBP since it's not supported with the CSM & I will configure HSRP, but could you please explain what the impact is if I use GLBP?
Please advise!
Thanks for your support & assistance.
Regards,
Mohanad.
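The change described in the post above, sketched as CSM configuration: the posted serverfarm with `no nat client`, next to the same serverfarm with client NAT drawn from a pool inside the server subnet. This is an added example, not configuration posted in the thread. The pool name SERVER_SIDE_POOL and the pool addresses are constructed and must be replaced with unused addresses in 172.30.172.0/24.

```cisco
! Added example, not from the thread. Entered in the CSM module
! configuration submode. Pool name and pool addresses are constructed.
!
! Before (as posted): the client source address is preserved, so the
! real server's reply is addressed to the client itself and can reach
! it without passing back through the CSM. The ping output before the
! change shows exactly that: the reply carries the real's address.
serverfarm CONTENT_ENGINE
 nat server
 no nat client
!
! After: define a pool inside the server subnet and source-NAT client
! connections to it. The real servers now see a pool address as the
! source, so their replies are addressed to the CSM, which translates
! them back before they leave on the client VLAN.
natpool SERVER_SIDE_POOL 172.30.172.200 172.30.172.203 netmask 255.255.255.0
!
serverfarm CONTENT_ENGINE
 nat server
 nat client SERVER_SIDE_POOL
 predictor leastconns
 description *** P8_Content_Engine ***
 failaction reassign
 real 172.30.172.52
  inservice
 real 172.30.172.53
  inservice
 health retries 3 failed 30
 probe HTTP
```

With client NAT enabled the real servers log the pool address instead of the original client address, which matters for server-side access logs and any source-based filtering.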
02-23-2010 12:36 PM
Hello,
The CSM uses the source MAC address of the packets to determine which gateway the server reply should be sent to. The CSM does not like seeing duplicate MAC addresses, which is what happens due to the nature of GLBP.
Sean