I have implemented the forwarding vserver(s) in accordance with Document ID: 26290 from Cisco (Configuring Content Switching Module for Server Load Balancing and Direct Access to Real Servers) with minor adjustments for our environment which I think I have correct.
I have also removed the VLAN restrictions and, in the case of the SLB vservers, changed them from TCP 0 to any.
The following behaviour is observed:
Note: The 3rd byte of IP Addresses refers to the VLAN number.
(1) servers in VL40 can only talk to other VL40 servers using the 10.20.40.x addresses - using the VIPs fails to connect
(2) servers in VL40 can talk to servers in VL42 using both the 10.20.42.x address and the VIPs, same in reverse.
(3) servers in the dmz VL38 cannot establish connection to the VIPs although the firewall acl permit counters detect traffic for the particular VIP/port combination - *may* be unrelated to the CSM - can't be sure without a sniffer but firewall does *seem* to be OK where CSM clearly isn't.
(4) other internal VLs can connect to the VL40 and VL42 servers using both real addresses and VIPs
Don't know if it's relevant or not but show module csm 9 stats is indicating quite a high number of "failed" connections.