07-26-2006 08:42 AM
We have a situation where dual homed servers behind a CSM are accessed via both interfaces.
A diagram is attached in ASCII.
The default route on the Servers is 172.16.16.254, a VRRP address on the CSM.
- Client 10.1.1.1 can successfully connect to VIP services on the CSM which load balance to the Servers.
- Client 10.1.1.1 can successfully connect to 172.16.16.21 & 22 using ssh.
- However, the Client 10.1.1.1 cannot connect to the management IP 192.168.32.21 & 22 using ssh.
I believe this is due to the fact that the Servers route the return traffic to the default gateway of the CSM. The CSM has not seen the TCP SYN packet and so cannot reconcile it to an existing flow, therefore rejects it in the belief it is a DoS attack.
I base this on the document http://www.cisco.com/en/US/products/hw/modules/ps2706/products_white_paper09186a0080160311.shtml
section Connection Processing - "TCP state machine and denial of service detection"
& section Forwarding Processing - "Classify packets".
The questions I have are:
1) Has anyone else come across a similar scenario?
2) Can anyone confirm or correct my understanding of why the connectivity is failing?
3) Is there a way of changing the CSM behaviour to enable this connectivity?
Thanks,
Rob
07-26-2006 10:19 AM
1)no
2)yes
3) use the MSFC as DG on servers, now the problem is that the load balancing does not work anymore (CSM does not see the return traffic), this can then be solved by source NAT
07-27-2006 01:39 AM
Thanks, I thought that may be the case.
The one-arm-bandit approach is not feasible in this situation as we need the real IP of the clients, so NAT is not feasible.
I recall the CSS has similar DoS detection facilities that were not configurable when I came across them a few years ago, I suspect I may be in a similar boat, but am hoping someone has an idea...
The only option I have so far is to NAT the source of the management traffic through the MSFC but security aren't happy with this for audit purposes.
Thanks,
Rob
07-27-2006 04:54 AM
Hi Rob,
Is there a chance to manage them from a subnet that doesn't need access to the load balanced application and add a static route to that subnet on the servers?
Ivo
07-27-2006 07:35 AM
Hi Ivo,
That is one avenue I am pursuing :)
Typically a minority of people require this level of connectivity and I am looking for ways to address this through process...
Rob
07-27-2006 11:46 AM
You could also create a VIP per server, each with one real (the server).
07-28-2006 12:08 AM
Rob,
try to set the following var in CSM config
ROUTE_UNKNOWN_FLOW_PKTS 2
Let me know if this works.
Gilles.
07-28-2006 01:59 AM
Fantastic, this connectivity is now working!
That is just the kind of detailed config I needed. I hadn't found this document in my searches.
I have noted that these variables are included in the config-sync which is good.
Thanks Gilles!
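A toy model of the failure Rob describes and of what routing unknown-flow packets changes, added here as an example and not code from the thread or from Cisco. The IPs are the thread's; the `FlowTable`/`Packet` names are this example's own, and it assumes only that a nonzero `ROUTE_UNKNOWN_FLOW_PKTS` makes the device route rather than drop a mid-stream TCP packet it has no flow for (the real variable's per-value semantics are not modelled).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

class FlowTable:
    """Flow state is created only by a TCP SYN that transits the device."""
    def __init__(self, route_unknown_flow_pkts: int = 0):
        self.flows: set = set()
        # Assumption: any nonzero value means "route instead of drop".
        self.route_unknown = route_unknown_flow_pkts != 0

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # direction-agnostic key so the reply matches the SYN's entry
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def process(self, p: Packet) -> str:
        k = self._key(p)
        if p.syn and not p.ack:          # new connection: record it
            self.flows.add(k)
            return "forward"
        if k in self.flows:              # packet belongs to a known flow
            return "forward"
        # mid-stream TCP packet with no state: treated as stray/DoS traffic
        return "route" if self.route_unknown else "drop"

CLIENT, SERVER_DATA, SERVER_MGMT = "10.1.1.1", "172.16.16.21", "192.168.32.21"

def ssh_via_csm(table: FlowTable) -> str:
    """Client -> 172.16.16.21: both the SYN and the SYN/ACK cross the CSM."""
    table.process(Packet(CLIENT, SERVER_DATA, 40001, 22, syn=True))
    return table.process(Packet(SERVER_DATA, CLIENT, 22, 40001, syn=True, ack=True))

def ssh_to_mgmt_ip(table: FlowTable) -> str:
    """Client -> 192.168.32.21: the SYN arrives on the management interface
    and never crosses the CSM; only the server's reply, sent to its default
    gateway on the CSM, does, so the CSM has no flow entry for it."""
    return table.process(Packet(SERVER_MGMT, CLIENT, 22, 40002, syn=True, ack=True))

if __name__ == "__main__":
    print("data IP     :", ssh_via_csm(FlowTable()))     # forward
    print("mgmt, var=0 :", ssh_to_mgmt_ip(FlowTable(0)))  # drop
    print("mgmt, var=2 :", ssh_to_mgmt_ip(FlowTable(2)))  # route
```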