PBR is not working with ip slb configured

tortoricir
Level 1

I have a 7609 with a slb firewallfarm configured. It is running IOS 12.2(18)SXE3 with sup720. The firewallfarm is configured with default settings with no access parameter, only real servers configured.

All the traffic is coming from a single vlan (it's not possible to implement another layer 2 way to make the traffic pass through) and I would like to make a single flow to exit from another interface and not pass to the real servers configured on FWfarm. I wrote the following PBR statements:

!!!!!!! Begin !!!!!!!

access-list 110 permit ip host XX.XX.XX.XX any
!where XX.XX.XX.XX is an omitted IP address
!
route-map NEW-ROUTEMAP permit 10
 match ip address 110
 set ip next-hop 192.168.253.3
!
interface Vlan55
 !vlan 55 is the interface from where the selected flows come
 ip route-cache policy
 ip policy route-map NEW-ROUTEMAP

!!!!! END !!!!!!!

The route-map seems to be working; in fact I can see matches on the ACL and the route-map.

The problem is that the SLB seems to take charge of all the traffic, including the flow I would like to route to another interface; in fact if I put my desired output interface in monitor I can see no traffic passing through.

SLB creates the sticky entry anyway, in fact as far as I know, the SLB has the priority to static routing and route-maps.

Any idea for a workaround? Is there a way to make PBR work with SLB?

Thanks in advance.

Ric


6 Replies

Gilles Dufour
Cisco Employee

CSCin82741

PBR does not work if both PBR & SLB are applied on same interface

Fixed in:

12.2(18)SXE & 12.2(17d)SXB05

Gilles.

Thanks Gilles.

I was thinking about creating a new firewallfarm like this:

!Begin

ip slb firewallfarm NEWONE
 access source XX.XX.XX.XX 255.255.255.255
 !
 real 192.168.253.3
  inservice
 inservice

! End

Theoretically the FWLB should do the same work the PBR was supposed to do.

How will the IOS choose the right firewallfarm to apply? Do you think it will work?

In this way I can do the same job without re-testing the new IOS for the production environment.

Thanks in advance,

Ric

Ric,

I knew about this bug and thought this was it.

I checked your description and realised you are already running a version which normally integrates the fix.

This sounds like a bug and you should probably open a TAC case so we can report the problem and work on a fix.

Regarding your workaround, I think it should work.

The access-group should limit the traffic to only this host.

You will also need a static route using this real server.

Gilles.

Gilles,

we opened a TAC and we are waiting for a solution because I still don't know if someone will approve my workaround.

Thank you very much for your help.

Riccardo

Gilles,

TAC answered me that the router behaviour is correct because the SLB has priority over PBR in every case. Anyway, they are analyzing my workaround proposal, so I can declare this issue closed.

Thanks for your answers,

Ric

Gilles,

just to tell you my solution went in production last night and works perfectly.

The only issue was that I had to create another uplink vlan in which to receive packets, because of HSRP; in fact if you configure replicate casa on the same subnet as the other firewallfarm's casa instance, it doesn't work.

The rule seems to be: n firewallfarms on n uplink vlans.

Two fwfarms applied on the same interface works only if you don't have casa redundancy.

Regards,

Riccardo
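The workaround that the thread converges on (a second firewallfarm restricted with "access source", whose only real server is the alternate next hop, plus a static route through that real server, with each farm's casa replication on its own uplink subnet), written out as one IOS SLB configuration. This is an added example assembled from the posts above, not a configuration posted in the thread or verified by Cisco. The farm name FWFARM, the firewall real 10.0.0.1, the exempted host 198.51.100.10 (standing in for the omitted XX.XX.XX.XX), the destination network 203.0.113.0/24, the casa listen/remote addresses and the port 4231 are all placeholders, and the "replicate casa listen-ip remote-ip port" form is assumed from the IOS SLB documentation rather than taken from the thread.

```cisco
! Added example (not from the thread): exempting one host from the firewall farm
! by giving it its own farm instead of PBR, since SLB classification runs before PBR.
!
! Existing farm: every other flow from Vlan55 keeps going through the firewalls.
ip slb firewallfarm FWFARM
 ! Placeholder firewall real server
 real 10.0.0.1
  inservice
 ! Placeholder casa pair on its own uplink subnet (one farm per uplink vlan)
 replicate casa 192.168.250.1 192.168.250.2 4231
 inservice
!
! Second farm: only the exempted host matches (placeholder for XX.XX.XX.XX),
! and its single "firewall" is the alternate next hop from the original route-map.
ip slb firewallfarm NEWONE
 access source 198.51.100.10 255.255.255.255
 real 192.168.253.3
  inservice
 ! Casa replication for this farm must use a different subnet from FWFARM's,
 ! as Riccardo found; placeholder addresses.
 replicate casa 192.168.251.1 192.168.251.2 4231
 inservice
!
! Static route via the real server, as Gilles noted the farm alone does not
! create one; the destination network is a placeholder.
ip route 203.0.113.0 255.255.255.0 192.168.253.3
```

Two checks are worth doing after applying something like this: confirm with "show ip slb sticky" and "show ip slb firewallfarm" that the exempted host's flows create entries under NEWONE and not under FWFARM, and confirm that return traffic for that host also has a path back through 192.168.253.3, since a one-directional bypass of the firewall farm leaves the reply half of the flow going through the firewalls.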