02-12-2004 12:58 AM
Is it possible to configure the CSS11051 to balance HTTP servers behind a firewall cluster?
We put the CSS in a proxy zone of our Symantec Enterprise Firewall Cluster to balance our direct attached SSL terminators. Now we want to balance the web servers on the internal LAN of the firewall cluster based on Rainwall. It works, but if we shut down the firewall with the virtual IP something strange happens:
The services are up and I can see the keepalives going through the other firewall, but the packets with the payload are still going to the MAC address of the broken firewall.
Is the service designed to use MAC addresses and not to look in the ARP table, and why do keepalives work differently?
Any idea how to change this?
Thanks
Carsten
02-12-2004 01:47 AM
Carsten,
You can see release note info in the Bug Toolkit.
This is located at
http://www.cisco.com/kobayashi/support/tac/tools.shtml
Go there and select the link for "Software Bug Toolkit" under the "Troubleshooting Tools" section.
Here is the public release note:
The CSS forwards packets to the wrong MAC after receiving gratuitous ARP.
The updated MAC address of a service or next hop used to reach the service or client is used for new flows only. The existing flows are not modified, and packets are sent to the previous MAC address and lost.
02-12-2004 01:16 AM
Are these new connections, or do you see the CSS forwarding new SYNs to the old MAC? What version?
Could be:
CSCdy46189 When a Gratuitous ARP (GARP) was received the CSS would not update existing flows with the new MAC, and thus existing flows sent from the CSS would use the incorrect MAC and be dropped. Only new flows and new keepalive requests were using the updated ARP information.
Fixed by 5.00.2.04.
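The release note above describes the symptom to look for on the wire: after a gratuitous ARP moves the next hop to a new MAC, keepalives (new flows) follow the new MAC while other frames keep the old one. The following is an added example, not code from the thread or from Cisco, that audits simplified tcpdump-style lines for exactly that mismatch; the MAC addresses, the 10.11.70.1 firewall virtual IP used as next hop, and the sample lines are all constructed.

```python
"""Added example (not from the thread or from Cisco): flag frames that a load
balancer keeps sending to a next hop's OLD MAC after a gratuitous ARP has moved
that next hop to a new MAC, i.e. the stale-flow symptom described above."""
import re

FRAME_RE = re.compile(r"^(?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), (?P<body>.*)$")
ARP_RE = re.compile(r"ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})")
IP_RE = re.compile(r"IP \d+\.\d+\.\d+\.\d+\.\d+ > (?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):")

# Constructed, simplified tcpdump-style lines. 00:d0:01:aa:bb:cc is the balancer,
# 00:00:5e:00:01:01/02 are the two firewalls; 10.11.70.1 is an ASSUMED firewall
# virtual IP used as next hop towards the 10.11.70.x servers from the thread.
SAMPLE = """\
00:00:5e:00:01:01 > ff:ff:ff:ff:ff:ff, ARP, Reply 10.11.70.1 is-at 00:00:5e:00:01:01
00:d0:01:aa:bb:cc > 00:00:5e:00:01:01, IP 10.11.64.100.40000 > 10.11.70.11.7777: Flags [P.]
00:00:5e:00:01:02 > ff:ff:ff:ff:ff:ff, ARP, Reply 10.11.70.1 is-at 00:00:5e:00:01:02
00:d0:01:aa:bb:cc > 00:00:5e:00:01:02, IP 10.11.64.100.40001 > 10.11.70.11.7777: Flags [S]
00:d0:01:aa:bb:cc > 00:00:5e:00:01:01, IP 10.11.64.100.40000 > 10.11.70.11.7777: Flags [P.]
00:d0:01:aa:bb:cc > 00:00:5e:00:01:01, IP 10.11.64.100.40002 > 10.11.70.12.7777: Flags [S]
"""

def audit_frames(lines, next_hop):
    """Return (arp_table, stale); stale lists frames whose destination MAC no
    longer matches the MAC most recently announced for `next_hop`.
    Each stale entry: (line_no, dst_ip, dport, tcp_flags, stale_mac, current_mac)."""
    arp, stale = {}, []
    for n, line in enumerate(lines, 1):
        m = FRAME_RE.match(line)
        if not m:
            continue
        body = m["body"]
        if (a := ARP_RE.search(body)):
            arp[a["ip"]] = a["mac"]          # a (gratuitous) ARP reply moves the IP
            continue
        ip = IP_RE.search(body)
        cur = arp.get(next_hop)
        if ip and cur and m["dst"] != cur:   # payload frame still aimed at the old MAC
            flags = body.rsplit("Flags ", 1)[-1]
            stale.append((n, ip["dst_ip"], int(ip["dport"]), flags, m["dst"], cur))
    return arp, stale

if __name__ == "__main__":
    arp, stale = audit_frames(SAMPLE.splitlines(), next_hop="10.11.70.1")
    print("next hop now at", arp["10.11.70.1"])
    for n, dst, port, flags, old, cur in stale:
        kind = "new flow (SYN)" if flags == "[S]" else "existing flow"
        print(f"line {n}: {kind} to {dst}:{port} sent to stale {old}, ARP says {cur}")
```

A stale SYN (new flow) in the report is the case the release note says should not happen once the fix is installed; stale frames on existing flows are the documented behaviour.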
02-12-2004 01:30 AM
Thank you for the quick response!
We are using ap0500045 and I assume that an update will fix our problem. Indeed, I can see SYNs to the old MAC.
BTW: Where can I have a look at the notes, e.g. CSCdy46189, that you sent me?
Thanks
Carsten
02-17-2004 07:59 AM
Hi,
nice try, but after updating the IOS I can still see the old MAC address in the requests to the firewall. New connections to the content also use the old MAC, but the ARP table is up to date and the service checks are positive. Why are the services alive while connections to the service fail, using the old MAC?
Here is my config for the service:
service 1
  keepalive type http
  port 7777
  ip address 10.11.70.11
  active
service 2
  keepalive type http
  port 7777
  ip address 10.11.70.12
  active
service SSL1
  port 443
  ip address 10.11.64.11
  keepalive type tcp
  keepalive port 443
  active
service SSL2
  port 443
  ip address 10.11.64.30
  keepalive type tcp
  keepalive port 443
  active
owner http-server
  content http
    add service 2
    add service 1
    vip address 10.11.64.100
    balance leastconn
    protocol tcp
    port 7777
owner SSL
  content SSL-Accelerator
    balance aca
    protocol tcp
    port 443
    url "/*"
    advanced-balance ssl
    application ssl
    add service SSL1
    add service SSL2
    vip address 10.11.70.200
    active
Am I missing something in my config?
Thanks
Carsten