CSS Access to VIP not working, access to real server IP working.
I have an issue with access to a VIP on the CSS. The CSS is designed as a Dual Arm with two interfaces bridging a L2 L/B VLAN and a L2 Non-L/B VLAN. The firewall in front of the CSS acts as a L3 gateway.
I can get to the real server IP and port combination fine but hitting the VIP I see the flow created on the CSS and the return flow is sent but the firewall in front of the CSS never sees the SYN/ACK packet from the server.
I sniffed the traffic on the server and it replies to the original SYN packet, and there's only one interface on that server.
What is strange is that I can get to the VIP successfully from the servers that are bridged to the CSS, like the non-load balanced servers in the same L3 VLAN. So traffic that does not need to pass through the firewall seems to work fine.
Sounds like an asymmetric routing issue, but I can't find the problem.
Re: CSS Access to VIP not working, access to real server IP work
This issue has been resolved. The firewall has two "inside" interfaces and the CSS was using the wrong MAC address (the second FW interface) to send the reply traffic.
I had to remove the "ip uncond-bridging" command and re-apply it to get the traffic to flow properly and also had to set up static routes to point to the default gateway of the FW for the particular subnet.
My understanding was that "ip uncond-bridging" command takes care of bridging and the CSS does not need to use the routing table. But if I remove the static routes traffic does not flow properly, it is being sent to the second FW "inside" interface but traffic comes in on the first "inside" interface and thus the FW silently drops it.
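The resolution above boils down to a single observable symptom: the SYN arrives on the CSS from one firewall inside-interface MAC, but the SYN/ACK leaves addressed to a different MAC, so the firewall never correlates the reply with its state entry and drops it. The following is an added example, not code from the thread or from Cisco: a small Python script that walks a capture taken on the CSS bridge (constructed sample records here, with placeholder MAC and IP addresses) and flags any flow whose SYN/ACK is sent to a MAC other than the one the SYN came from. It is a generic check for this class of L2 asymmetry, not specific to the CSS.

```python
from collections import namedtuple

# Constructed sample data mirroring the thread's scenario. All MAC and IP
# addresses below are placeholders, not real addresses from the post.
FW_INSIDE_1 = "00:11:22:aa:aa:01"   # hypothetical: first FW "inside" interface
FW_INSIDE_2 = "00:11:22:aa:aa:02"   # hypothetical: second FW "inside" interface
CSS_MAC = "00:11:22:cc:cc:01"       # hypothetical: CSS bridge interface
VIP = "10.10.10.100"                # hypothetical VIP on the CSS
CLIENT = "192.168.50.25"            # hypothetical client behind the firewall

Packet = namedtuple("Packet", "src_mac dst_mac src_ip dst_ip sport dport flags")

# Constructed capture: one broken handshake (reply goes to the wrong FW MAC)
# and one healthy handshake for comparison.
PACKETS = [
    Packet(FW_INSIDE_1, CSS_MAC, CLIENT, VIP, 40001, 80, "S"),   # SYN via FW inside #1
    Packet(CSS_MAC, FW_INSIDE_2, VIP, CLIENT, 80, 40001, "SA"),  # SYN/ACK sent to FW inside #2
    Packet(FW_INSIDE_1, CSS_MAC, CLIENT, VIP, 40002, 80, "S"),   # SYN via FW inside #1
    Packet(CSS_MAC, FW_INSIDE_1, VIP, CLIENT, 80, 40002, "SA"),  # SYN/ACK back to FW inside #1
]


def flow_key(pkt):
    """Direction-independent flow identifier: the sorted pair of (ip, port) endpoints."""
    a = (pkt.src_ip, pkt.sport)
    b = (pkt.dst_ip, pkt.dport)
    return tuple(sorted([a, b]))


def find_asymmetric_replies(packets):
    """Return (flow_key, description) for every SYN/ACK whose destination MAC
    differs from the source MAC of the SYN that opened the flow, i.e. replies
    that leave through a different L2 next hop than the request arrived from."""
    syn_by_flow = {}
    problems = []
    for pkt in packets:
        key = flow_key(pkt)
        if pkt.flags == "S":
            syn_by_flow[key] = pkt
        elif pkt.flags == "SA":
            syn = syn_by_flow.get(key)
            if syn is None:
                problems.append((key, "SYN/ACK seen without a matching SYN"))
                continue
            if pkt.dst_mac.lower() != syn.src_mac.lower():
                problems.append(
                    (key, f"SYN came from {syn.src_mac} but SYN/ACK was sent to {pkt.dst_mac}")
                )
    return problems


if __name__ == "__main__":
    for key, reason in find_asymmetric_replies(PACKETS):
        print(f"asymmetric L2 path for flow {key}: {reason}")
```

With a real capture you would feed the same fields extracted from each frame (for example via a pcap parser) instead of the constructed list; a non-empty result on a flow that the firewall reports as dropped points at the next-hop MAC selection on the load balancer, which is exactly what the static routes fixed in this case.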