CSS One Armed Mode Questions

1arichardson · ‎10-30-2006

Hi all.

I have a couple of questions with regard to configuring the CSS and would welcome some assistance.

Firstly the CSS has multiple servers on a subnet that provide different services. The VIP addresses are also on the same subnet.

The clients are on another subnet and we are using loopbacks on the servers to allow DSR for the purpose of logging IP addresses. This all works fine.

The problem that we now have is that we require server to server communication via VIPs also. This will obviously not work as the servers will respond directly to the source thereby breaking TCP communication and timing out.

My question is can the CSS provide static source NAT like the F5 Big-IP can which gets around this ? I have tried using the add destination service to hide the source address but this does not work either.

I have tried setting up a server to be NAT'd wherever it talks by using:

acl 1

clause 10 permit any x.x.x.x destination any sourcegroup DST

clause 50 permit any any destination any

apply circuit-(VLAN252)

This didn't work either.

Any ideas here ?

On final question, is it possible to have a VIP monitor another VIP so if one fails then the other does too ?

I can post the config is that will help.

Thanks in Advance.

Gilles Dufour · ‎11-01-2006

for clarity of the response, assume the Vip your server needs to communicate with is called MYVIP.

What you have to do is this

group YOUR_GROUP

vip x.x.x.x

active

acl 1

clause 10 permit ip x.x.x.x destination content MYVIP sourcegroup YOUR_GROUP.

This should work.

However, your description contains some anomalies. The CSS does not support DSR [direct server return]. So, I'm not really sure what you configured exactly.

If the config I gave you does not work, collect a sniffer trace on the server vlan to see if nat is occuring and the destination server does.

Gilles.