We are just deploying CSS as a replacement for Local Director. A major problem we have concerns the ability of the servers behind the CSS to initiate sessions on their own for such things as dynamic page builds, SQL calls, or routine backup and maintenance. CSS is erratic about permitting this. We were told this could be fixed using groups. We tried it and it did fix the problem. But then it broke other things. With a server defined in a group (we did groups of 1), we can now no longer get into the server to perform any admin function. We are effectively locked out of the server unless we have a second NIC or KVM. Has anyone experienced similar problems and can share a fix?
The group commands perform source IP translation (NAT) for traffic coming from the server and not hitting a rule.
You might not need a group if the real address of the server is well-known in your network (routable). For this, just see the CSS as a router.
The CSS (router) should be known as the gateway for the real servers.
If it is not possible to do this, you need a group to NAT the real server IP address to another well-known address.
However, now you can't use the IP address of the real server directly.
So, if you need to access it for management reasons, you can use a separate network and a 2nd NIC on each server, or you can create new VIPs on the CSS, or you can remove the group and make sure the real address is well-known throughout your network, or finally you can use the group differently.
Remove any server from the group and then use an ACL to define when to use this group.
i.e.:
group servers
vip address x.x.x.x
clause 10 permit any udp destination any source-group servers
clause 20 permit any tcp destination any
clause 30 ....
In the example above we use the group called 'servers' for udp but not tcp.
We finally managed to solve this ourselves. Using group definitions for each server, we are able to permit the real servers to initiate sessions as needed. To continue to be able to connect to the servers without a backdoor NIC or KVM, we defined a new content rule using the IP address we used in the group definition as the VIP, and with that we can get back into the server.
Note that our configuration does not terminate the servers on the CSS. The CSS is but another part of the VLAN.
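The arrangement described in the last post, sketched as an added example (not the poster's actual configuration): one source group per server for outbound NAT, plus a content rule on the same VIP for inbound admin access. All names and the 192.0.2.x addresses are constructed, and limiting the content rule to TCP port 22 is an assumption added here so that the VIP exposes only the management port rather than every service on the server.

```text
! Constructed example: names and addresses are placeholders.

service server1
  ip address 192.0.2.10
  active

! Source group: sessions initiated by server1 leave the CSS
! with 192.0.2.50 as their source address.
group server1-out
  vip address 192.0.2.50
  add service server1
  active

! Content rule on the same VIP: admin connections to 192.0.2.50
! are forwarded to server1. The protocol/port lines restrict the
! rule to SSH (assumption; the post does not mention a port).
owner admin
  content server1-mgmt
    vip address 192.0.2.50
    protocol tcp
    port 22
    add service server1
    active
```

Administrators then connect to 192.0.2.50 instead of the real address 192.0.2.10.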