Some connectivity issues with this CSM config. Need help.

Oct 31st, 2005

I have implemented the forwarding vserver(s) in accordance with Document ID: 26290 from Cisco (Configuring Content Switching Module for Server Load Balancing and Direct Access to Real Servers) with minor adjustments for our environment which I think I have correct.


I have also removed the VLAN restrictions and in the case of the SLB vservers changed them from TCP 0 to any.


The following behaviour is observed:


Note: The 3rd byte of IP Addresses refers to the VLAN number.


(1) servers in VL40 can only talk to other VL40 servers using the 10.20.40.x addresses - using the VIPs fails to connect

(2) servers in VL40 can talk to servers in VL42 using both the 10.20.42.x address and the VIPs, same in reverse.

(3) servers in the dmz VL38 cannot establish connection to the VIPs although the firewall acl permit counters detect traffic for the particular VIP/port combination - *may* be unrelated to the CSM - can't be sure without a sniffer but firewall does *seem* to be OK where CSM clearly isn't.

(4) other internal VLs can connect to the VL40 and VL42 servers using both real addresses and VIPs


Don't know if it's relevant or not but show module csm 9 stats is indicating quite a high number of "failed" connections.




Gilles Dufour (Cisco Employee) Wed, 11/02/2005 - 00:32

(1) this is normal.

If you want devices in the same subnet to talk to each other through a vip, you need to NAT the source ip address; otherwise the destination server will reply directly to the client without going through the CSM and NATing will break.

(2) normal

(3) you need a sniffer trace. The traffic must enter the csm via vlan 46 as this is the only vlan with a gateway configured. You also need to make sure the server response goes back to the CSM for the reverse NATing.

(4) normal


The failed counter indicates the CSM did not see a response from the server. This is linked to your issue #1.


Regards,


Gilles.


astanislaus Wed, 11/02/2005 - 05:25

Thank you very much Gilles. I was reading a training manual on CSM that someone lent to me today and in it they show the NATing that you are talking about and a ONE ARM SOURCE NAT example. The example config is given, which I understand, except that they show as if I could NAT 10.20.40.22 /24 to 10.20.40.222 /24 - i.e. NAT to a different address but in the same subnet. I think this is wrong because the server 10.20.40.11 or .13 in the serverfarm HEALTH_PROD_APP is going to try and return the packet back to 10.20.40.222 and will try and send it directly without using the CSM, since 10.20.40.222 is in the same subnet as the servers 10.20.40.11 or .13.


OR


Will this work if the server returns to 10.20.40.222? Will the packet get fielded by the CSM, get NATed to 10.20.40.22 and sent to the initiator 10.20.40.22 by the CSM? If this happens then that is great, because the customer doesn't need a new subnet to NAT 10.20.40.22 to. He can NAT 10.20.40.22 to 10.20.40.222. If this cannot happen then the customer will need a new subnet to NAT 10.20.40.22 /24 to something like 10.20.80.22 /24. Right? Thanks again.


Gilles Dufour (Cisco Employee) Wed, 11/02/2005 - 06:41

If you NAT it to address x.x.x.x, whatever it is, the address belongs to the CSM and therefore all traffic for this address will get to the CSM.

The CSM can then change the ip and forward the traffic to the correct destination - even if in the same subnet.


Regards,


Gilles.
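The return-path behaviour Gilles describes in both replies (same-subnet replies bypass the CSM unless the client address is source-NATed, and a NAT address owned by the CSM works even inside the server subnet) can be modelled in a few lines. The following is an added illustration, not part of the thread or any Cisco documentation: a toy model of a routed-mode CSM with one real server and an optional client NAT pool. The third octet is the VLAN number as in the original post, the NAT address 10.20.40.222 is the one astanislaus asked about, and the VIP 10.20.46.100 and the assumption that the CSM is the servers' default gateway are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Host:
    """A client or real server: one interface, default gateway on the CSM (assumption)."""

    def __init__(self, ip: str, prefixlen: int) -> None:
        self.ip = ip
        self.net = ipaddress.ip_interface(f"{ip}/{prefixlen}").network

    def on_link(self, dst: str) -> bool:
        # Same subnet: the host ARPs for dst and sends to it directly,
        # so the packet never passes through its gateway (the CSM).
        return ipaddress.ip_address(dst) in self.net


class CSM:
    """Toy routed-mode load balancer owning a VIP and an optional client NAT pool."""

    def __init__(self, vip: str, reals: List[str], nat_pool: Optional[List[str]] = None) -> None:
        self.vip = vip
        self.reals = reals
        self.nat_pool = nat_pool or []
        # (real server, source address the server saw) -> original client address
        self.flows: Dict[Tuple[str, str], str] = {}

    def owns(self, ip: str) -> bool:
        # The VIP and every NAT-pool address are terminated by the CSM itself,
        # which is why a same-subnet NAT address still brings the reply back to it.
        return ip == self.vip or ip in self.nat_pool

    def client_to_server(self, pkt: Packet) -> Packet:
        real = self.reals[0]  # which real is chosen does not matter for this point
        nat_src = self.nat_pool[0] if self.nat_pool else pkt.src
        self.flows[(real, nat_src)] = pkt.src
        return Packet(nat_src, real)

    def server_to_client(self, pkt: Packet) -> Optional[Packet]:
        client = self.flows.pop((pkt.src, pkt.dst), None)
        if client is None:
            return None  # no matching flow: the CSM drops it
        return Packet(self.vip, client)  # reverse NAT: the VIP is the source again

    def failed(self) -> int:
        # Flows opened towards a real server whose reply never came back through
        # the CSM; a stand-in for the "failed" counter in the stats output.
        return len(self.flows)


def connect(client: Host, server: Host, csm: CSM) -> str:
    """Walk one request and its reply through the topology; return ok/reset/dropped."""
    # 1. Client -> VIP. The VIP belongs to the CSM, so the CSM receives it and
    #    forwards to the real server, optionally rewriting the source.
    to_real = csm.client_to_server(Packet(client.ip, csm.vip))
    # 2. The real server answers whatever source address it saw.
    reply: Optional[Packet] = Packet(server.ip, to_real.src)
    # 3. Return path: a CSM-owned address, or an off-subnet client, goes via the CSM;
    #    an on-subnet client that is not a CSM address is answered directly.
    if csm.owns(reply.dst) or not server.on_link(reply.dst):
        reply = csm.server_to_client(reply)
    if reply is None:
        return "dropped"
    # 4. The client's TCP stack only accepts a reply from the VIP it connected to;
    #    a SYN/ACK arriving from the real server's own address is reset.
    return "ok" if reply.src == csm.vip else "reset"


if __name__ == "__main__":
    real = Host("10.20.40.11", 24)
    # Case (1) from the post: same-subnet client, no client NAT -> reply bypasses the CSM.
    csm = CSM("10.20.46.100", ["10.20.40.11"])
    print("VL40 -> VIP, no NAT:   ", connect(Host("10.20.40.22", 24), real, csm), "failed =", csm.failed())
    # Same client, NATed to a CSM-owned address inside the server subnet -> works.
    csm = CSM("10.20.46.100", ["10.20.40.11"], nat_pool=["10.20.40.222"])
    print("VL40 -> VIP, NAT .222: ", connect(Host("10.20.40.22", 24), real, csm), "failed =", csm.failed())
    # Case (2): client in another VLAN; the reply must route via the CSM anyway.
    csm = CSM("10.20.46.100", ["10.20.40.11"])
    print("VL42 -> VIP, no NAT:   ", connect(Host("10.20.42.50", 24), real, csm), "failed =", csm.failed())
```

The three runs reproduce the observations in the question: the same-subnet connection fails and leaves a flow counted as failed, the same connection succeeds once the source is NATed to 10.20.40.222 because that address belongs to the CSM, and a client from another VLAN works without any NAT because its reply has to route through the CSM to leave the server subnet.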
