CSS vip is not accessible from remote site

smart5 (Level 1)

Hi,

I'm using a pair of CSS 11000s. Basically my problem is this: site A is able to access through the VIP, whereas site B is not able to; site B is able to access using the physical server IP address.

CSS - L3 (Core Switches) - Router - Site A
                                  \ Site B

Can anyone advise?

13 Replies

dario.didio (Level 4)

This looks like a routing or security issue.

Is site B able to ping the VIP? Is there a route back on the CSSes to site B (default route)?

Is traffic allowed with a source IP from site B? Are you using any access lists, or is there a firewall in between?

When you try to hit the VIP from site B, do you see counters increment for that VIP?

Site B is able to ping the VIP; there's no issue from a routing perspective.

There's a default route in the CSS that points to the core switch.

There's no firewall in between, and no access lists configured on the CSS.

When I try to access from site B, I perform a show flow on the CSS, and I do see it hit the CSS, but the content just wouldn't display on the user's screen. I suppose it's a problem with the return traffic, but I just can't find out the problem.

For info, both site A and B connects back to a same router in HQ, which connects to my core switch.

Any advice on troubleshooting is greatly appreciated.

Thanks,

Charles

Are there any static routes configured on the servers? Normally in routed mode, the CSS has to be the default gateway for the servers.

Are the servers L2 adjacent to the CSS?

Is any NAT performed?

Can you post your config of the CSS?

Hi, my CSSes are in a one-leg design.

Therefore the CSSes, and even my servers, have their default gateway pointed to the core switches' HSRP IP.

Basically, my VIP in the CSS is in the same subnet as my physical servers, 10.x.37.x.

Config-wise, I'm unable to post it right now, as I do not have access to the CSS.

By NAT, are you referring to NAT performed in the CSS (converting the VIP to the physical IP) or from the sites to my HQ?

If it's from the sites to my HQ, there isn't any NAT; we all belong to a 10.x class B subnet.

If possible, can we talk over IM?

If you are in one-arm mode, you should perform source NAT on the CSS, because return traffic has to flow through the CSS.

Can you post your config to verify your NAT configuration?

Below is the config I captured from my log. I have changed some IP addresses.

************** CIRCUIT
circuit VLAN1
  ip address 10.1.2.8 255.255.255.0
  ip virtual-router 1 priority 230 preempt
  ip virtual-router 2 priority 230 preempt
  ip virtual-router 3 priority 230 preempt
  ip virtual-router 4 priority 230 preempt
  ip redundant-vip 1 10.4.2.100
  ip redundant-vip 2 10.4.2.200
  ip redundant-vip 3 10.4.2.300
  ip redundant-vip 4 10.4.2.400

!************************** SERVICE
service eWeb1
  port 7001
  ip address 10.1.2.26
  keepalive type tcp
  active

service eWeb2
  port 7001
  keepalive type tcp
  ip address 10.1.2.27
  active

owner eWeb
  content eWeb
    protocol tcp
    add service eWeb1
    add service eWeb2
    port 7001
    balance leastconn
    vip address 10.1.2.300
    advanced-balance sticky-srcip
    sticky-serverdown-failover sticky-srcip
    sticky-inact-timeout 180
    active

!*************************** GROUP
group eWeb
  vip address 10.1.2.300
  add destination service eWeb1
  add destination service eWeb2
  active
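The reply above about one-arm mode and source NAT, and the config just posted, suggest a mechanical check that is worth running before touching the network. The following lint is an added example, not code from the thread or from Cisco. It embeds an abridged copy of the posted config as its constructed sample and flags three things: dotted quads with an octet above 255 (the altered addresses), a content-rule VIP that no circuit declares as an ip redundant-vip, and any service in a content rule that no group with a vip address covers. It assumes, as the reply does, that a CSS group with a vip address and add destination service entries is the source-NAT construct that forces server replies back through the CSS, and that a content VIP should be listed as a redundant-vip on the circuit; the function and variable names are the example's own.

```python
"""Lint a Cisco CSS 11000 one-arm config for the mistakes seen in this
thread: IPv4 literals with an octet above 255, a content VIP that no
circuit lists as an ip redundant-vip, and a balanced service with no
source-NAT group behind it (its replies would bypass the CSS)."""
import ipaddress
import re

# Abridged copy of the config posted above (addresses already altered by the poster).
POSTED_CONFIG = """\
************** CIRCUIT
circuit VLAN1
ip address 10.1.2.8 255.255.255.0
ip redundant-vip 1 10.4.2.100
ip redundant-vip 2 10.4.2.200
ip redundant-vip 3 10.4.2.300
ip redundant-vip 4 10.4.2.400
!************************** SERVICE
service eWeb1
port 7001
ip address 10.1.2.26
active
service eWeb2
port 7001
ip address 10.1.2.27
active
owner eWeb
content eWeb
add service eWeb1
add service eWeb2
port 7001
vip address 10.1.2.300
active
!*************************** GROUP
group eWeb
vip address 10.1.2.300
add destination service eWeb1
add destination service eWeb2
active
"""

BLOCK_KEYWORDS = ("circuit", "service", "owner", "content", "group")
IPV4_LITERAL = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse(config_text):
    """Map block kind -> block name -> tokenised lines (indentation was lost in the paste)."""
    blocks = {kind: {} for kind in BLOCK_KEYWORDS}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!*":  # skip blanks and the poster's banner lines
            continue
        parts = line.split()
        if parts[0] in BLOCK_KEYWORDS and len(parts) >= 2:
            current = blocks[parts[0]].setdefault(parts[1], [])
        elif current is not None:
            current.append(parts)
    return blocks

def invalid_ipv4_literals(config_text):
    """Dotted quads in the text that the ipaddress module refuses to parse."""
    bad = set()
    for literal in IPV4_LITERAL.findall(config_text):
        try:
            ipaddress.IPv4Address(literal)
        except ipaddress.AddressValueError:
            bad.add(literal)
    return sorted(bad)

def first_value(lines, *prefix):
    """Token after `prefix` on the first line that starts with it, else None."""
    n = len(prefix)
    hits = [parts[n] for parts in lines if tuple(parts[:n]) == prefix and len(parts) > n]
    return hits[0] if hits else None

def lint(config_text):
    """Return human-readable findings; an empty list means clean."""
    findings = [f"invalid IPv4 literal {ip} (octet above 255)"
                for ip in invalid_ipv4_literals(config_text)]
    blocks = parse(config_text)
    # VIPs the circuit advertises for redundancy between the two CSSes.
    redundant_vips = {p[3] for lines in blocks["circuit"].values() for p in lines
                      if p[:2] == ["ip", "redundant-vip"] and len(p) >= 4}
    # Services whose replies a source group drags back through the CSS.
    nat_covered = set()
    for lines in blocks["group"].values():
        if first_value(lines, "vip", "address") is not None:  # no vip address, no NAT
            nat_covered.update(p[3] for p in lines
                               if p[:3] == ["add", "destination", "service"] and len(p) == 4)
    for name, lines in blocks["content"].items():
        vip = first_value(lines, "vip", "address")
        if vip not in redundant_vips:
            findings.append(f"content {name} vip {vip} is not an ip redundant-vip on any circuit")
        for p in lines:
            if p[:2] == ["add", "service"] and len(p) == 3 and p[2] not in nat_covered:
                findings.append(f"content {name} balances {p[2]} with no source-NAT group; "
                                "in one-arm mode the server's reply would bypass the CSS")
    return findings

if __name__ == "__main__":
    for finding in lint(POSTED_CONFIG):
        print(finding)
```

Run as a script it prints the findings for the posted config: the three impossible addresses and the content VIP that does not match any redundant-vip on the circuit. Both services are covered by the group, which is why the NAT check stays quiet for this config; remove the add destination service lines and it reports each service whose replies would skip the CSS.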

If it works for site A, then the problem is somewhere other than the CSS.

Is there any firewall between site B and the CSS?

If you sniff traffic in your CSS VLAN, do you see requests coming in for your VIP address?

Gilles

There's no firewall.

Using the show flow command on the CSS, I do see the client hit the VIP of the CSS.

I'm not sure if the return traffic went into a "black hole", but traceroute and ping from the CSS to the site B client and from the site B client to the CSS are all working fine.

Is there any issue if the WAN connectivity is like this:

The router in HQ uses an ATM link, whereby the ISP provides different VPI/VCIs to represent the links to site A and site B.

Therefore, in the end, the router in HQ is using a single physical interface with sub-interfaces connecting to the remote sites (A and B).

On top of that, the link is further protected using IPsec over GRE.

Any concerns over that?

That shouldn't make any difference.

Also, the config is OK, and like Gilles said, if it works for site A, it should work for site B as well. The problem will not be caused by the CSS.

Can you connect directly on the server (bypassing the CSS) using the same protocol/application (TCP 7001) from site B?

Yes, accessing the physical IP of the server is not a problem.

The problem is the VIP: the moment site B users access the URL (VIP address), they are not able to display the content (page). Right now the bypass solution is to allow site B users to access using the physical address.

My customer is very unhappy with such an arrangement, as it defeats the purpose of having an HA and load-balancing solution.

Are there any other troubleshooting steps or config I can try?

In your config there is, under Circuit VLAN1:

ip redundant-vip 1 10.4.2.100

ip redundant-vip 2 10.4.2.200

ip redundant-vip 3 10.4.2.300

ip redundant-vip 4 10.4.2.400

I assume you mean 10.1.2.x. The second byte is 1 instead of 4, correct?

Yes, you are right.

I modified the IP addresses, so there are some mistakes. Sorry.

Hi there,

For info, site B users are able to access the VIP if they use the proxy server which is hosted at the HQ site. But then it causes another set of issues.

please help if anyone knows about these problems.

Thanks
