CSS VIP Issues (Source Group with 'add destination service')

Jul 27th, 2010

I have a pair of Cisco CSS 11503 boxes with an ap-kal-pinglist applied to both virtual routers, as a Critical Service, on the Primary CSS.  When a link goes down, the VRRP fails over all traffic to the Secondary, as expected, but there is an issue with two particular VIPs.  These VIPs have Source Groups configured, like below:

  add destination service XYZ_Server_1
  add destination service XYZ_Server_2
  vip address

  add destination service ABC_Server_1
  add destination service ABC_Server_2
  vip address

Once a failover occurs, the VIPs are unreachable via a browser.  I have also seen 1 VIP OK and 1 VIP not, but never both working.  At times, when I failback to the Primary, the VIPs are OK again.  The services are reachable via a browser during this issue.

Any ideas?

Gilles Dufour Wed, 07/28/2010 - 04:00

You need to check if, during the failover, the CSS sends a G-ARP to inform that the ARP entry associated with the NAT IP address now belongs to the secondary CSS.

Get a sniffer trace during failover and check if this G-ARP is sent.

If not, this is a bug and you need to report it.

If yes, then the problem is not the CSS but another device on the path... Did the switch correctly learn the new path? Does the server have the correct ARP table?
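
One way to run the check described in the reply above over frames captured during a failover, as an added example that is not part of the original thread. It assumes the frames have already been exported from the sniffer trace as raw Ethernet bytes; the function names, MAC addresses and IP addresses are constructed for illustration.

```python
import socket
import struct

def parse_arp(frame):
    """Return (sender_mac, sender_ip, target_ip, opcode) for an IPv4 ARP frame, else None."""
    if len(frame) < 18:
        return None
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype == 0x8100:  # 802.1Q tag: the real EtherType sits 4 bytes later
        off += 4
        (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype != 0x0806 or len(frame) < off + 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, off)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack_from("!6s4s6s4s", frame, off + 8)
    return sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa), op

def missing_garp(frames, watched_ips, new_owner_mac):
    """Return the watched IPs that new_owner_mac never announced by gratuitous ARP."""
    owner = new_owner_mac.lower()
    announced = set()
    for frame in frames:
        arp = parse_arp(frame)
        # Gratuitous ARP: sender and target protocol address are identical.
        if arp and arp[1] == arp[2] and arp[0] == owner:
            announced.add(arp[1])
    return [ip for ip in watched_ips if ip not in announced]

def make_garp(mac, ip, vlan=None):
    """Build a broadcast gratuitous ARP request (constructed sample data)."""
    m = bytes.fromhex(mac.replace(":", ""))
    a = socket.inet_aton(ip)
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, m, a, b"\x00" * 6, a)
    return b"\xff" * 6 + m + tag + struct.pack("!H", 0x0806) + arp

# Constructed values: two subnets on one VLAN; only one address is re-announced.
PRIMARY, SECONDARY = "02:00:00:00:00:01", "02:00:00:00:00:02"
VIP, NAT_IP = "192.0.2.10", "198.51.100.10"
TRACE = [make_garp(SECONDARY, VIP, vlan=20), make_garp(PRIMARY, NAT_IP)]

if __name__ == "__main__":
    print("No G-ARP from secondary for:", missing_garp(TRACE, [VIP, NAT_IP], SECONDARY))
```

An empty result means the new owner announced every watched address, so attention moves to the switch and server ARP tables.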


kevin-shaw Wed, 07/28/2010 - 09:00

I was thinking about the gratuitous arp as a possibility, but I have yet to get a trace.  I will do so in the next couple of days.  I will have to get the server team involved to see the arp cache on the web servers as well.  Also, I will read the release notes on the code train I am running, in order to see if something similar has been fixed in a newer release.

Thanks for the reply!

kevin-shaw Fri, 09/03/2010 - 08:42

This issue was complicated by the fact that I have two IP subnets on one VLAN.  The VLAN that the servers are on also hosts the VIPs.  By configuring virtual-routers and ip redundant VIPs on that VLAN, the GARPs were then sent and the failover worked as advertised.


