Outbound connection issues

Mar 20th, 2006

Hi,


I've got an issue with outbound connections from directly connected servers on my CSM.

The vserver/serverfarm setup is as below, to allow routing via the CSM, and I've an ARP entry for the source address on the CSM.


vserver ROUTE_ALL
 virtual 0.0.0.0 0.0.0.0 any
 serverfarm FORWARDER
 persistent rebalance
 inservice

serverfarm FORWARDER
 no nat server
 no nat client
 predictor forward
!

Incoming traffic using the forwarder is working fine.


To assist faulting I've added a new vserver with just the destination address and I can see drops.


vserver TEST_CD
 virtual 14x.14y.168.196 any
 serverfarm FORWARDER
 persistent rebalance
 inservice



AP001DSW01#sh mod csm 3 vservers name TEST_CD det
TEST_CD, type = SLB, state = OPERATIONAL, v_index = 27
  virtual = 14x.14y.168.196/32:0 bidir, any, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 91
  maxconn drops = 0, total drops = 91
  Default policy:
    server farm = FORWARDER, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       91           91           0



The routing on the CSM VLANs is as follows and I've got an ARP entry for the gateway.


vlan 402 client
 ip address 10.81.24.36 255.255.255.240 alt 10.81.24.37 255.255.255.240
 gateway 10.81.24.35
 alias 10.81.24.38 255.255.255.240

vlan 406 server
 ip address 10.81.24.129 255.255.255.192 alt 10.81.24.130 255.255.255.192
 alias 10.81.24.131 255.255.255.192


The routing is server, CSM, interface on the Cat and then firewall. When doing a tcpdump on the firewall I can't see anything when the server starts a connection, but I can ping the destination server from the Cat and see that on the firewall.


The SW on the CSM is version 4.2.3, and I've done a tcpdump from the server and it looks like the CSM is resetting the connection.


This is working OK on other CSMs in the platform, but they have SW version 4.2.2.


Thanks









Overall Rating: 5 (2 ratings)
Gilles Dufour (Cisco Employee) Mon, 03/20/2006 - 01:44

We'll have to see where the CSM forwards the packets.

We can see from your show command that there are packets coming in [client] but no response from the destination [server].

This is why after 10 sec the CSM will RESET the connection and mark it as fail/drop.


You can sniff the CSM etherchannel and you should see where the CSM forwards the packet.


Another thing you can try is create a new serverfarm with 1 real being your firewall ip address.

Configure 'no nat server'.

Use this serverfarm in your vserver with the specific destination.

This should guarantee that the CSM forwards your traffic to the firewall and not to some incorrect route.


Regards,


Gilles.
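
The symptom described in the reply above (client packets counted on a vserver, no server packets, every connection ending as a drop) can be checked across many vservers by parsing the `show mod csm <slot> vservers detail` output. This is an added example, not part of either poster's messages; the function names are hypothetical and the sample text is the counter lines from the TEST_CD output posted earlier in the thread.

```python
import re

# Counter lines taken from the TEST_CD output posted in the thread.
SAMPLE = """\
TEST_CD, type = SLB, state = OPERATIONAL, v_index = 27
  virtual = 14x.14y.168.196/32:0 bidir, any, service = NONE, advertise = FALSE
  conns = 0, total conns = 91
  maxconn drops = 0, total drops = 91
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       91           91           0
"""

HEADER = re.compile(r"^(\S+), type = (\w+), state = (\w+)")
COUNTER = re.compile(r"(total conns|total drops) = (\d+)")
# Policy rows: name, total matches, client packets, server packets.
# Assumption: policy names contain no spaces.
POLICY = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_vservers(text):
    """Return one dict of counters per vserver block in the CLI output."""
    vservers, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"name": m.group(1), "state": m.group(3),
                   "total conns": 0, "total drops": 0,
                   "client_pkts": 0, "server_pkts": 0}
            vservers.append(cur)
            continue
        if cur is None:
            continue  # prompt/command echo before the first vserver
        for key, val in COUNTER.findall(line):
            cur[key] = int(val)
        m = POLICY.match(line)
        if m:  # sum packet counters over all policies of the vserver
            cur["client_pkts"] += int(m.group(3))
            cur["server_pkts"] += int(m.group(4))
    return vservers

def one_way(vs):
    """True when client-side packets were seen but nothing came back."""
    return vs["client_pkts"] > 0 and vs["server_pkts"] == 0

def report(text):
    """(name, total conns, total drops) for each one-way vserver."""
    return [(v["name"], v["total conns"], v["total drops"])
            for v in parse_vservers(text) if one_way(v)]

if __name__ == "__main__":
    print(report(SAMPLE))
```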

c.downie Mon, 03/20/2006 - 06:57

Gilles,


Thanks for the info, I also noticed that we were having issues with another vserver, that was being routed via the gateway address. It was marked as OOS even with no probe (arp) but the gateway address was in the CSM's arp table. I reset the CSM and this cleared both issues.
