Cisco Support Community
New Member

CSS11503 One-arm not working

I have a one-arm configuration.

I can see bi-directional flows on the CSS, but the client PC does not receive anything, as I verified by capturing packets.

When the client PC requests directly from the servers, it receives content.

Also, the client PC receives ping replies from the CSS and also establishes telnet with the CSS. Also, when no servers are active, the client PC receives TCP RST,ACK from the CSS, so no Layer 3 problems exist.

I have attached "show run" and "show flows" outputs, plus the "tcp SYN" packets that the client PC sends to the CSS.

Client IP address: 10.130.244.16

6 REPLIES
New Member

Re: CSS11503 One-arm not working

If you are not NATting the PC IP at the CSS, you will need to support policy routing to send packets back to the CSS. We elected to use the PBR, since there is a large benefit to having the original src IP shown at the host.

Cisco Employee

Re: CSS11503 One-arm not working

This configuration should be working. We're seeing the response in the show flows output:

--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.130.192.100  80    10.130.192.70   6011  10.130.244.16   TCP 2/1     2/1
10.130.244.16   53066 10.130.192.70   80    10.130.192.100  TCP 2/1     2/1

So it looks like this traffic is returning through the CSS. Any chance you can sniff the client side vlan of the CSS to see if the return packet is making it to the wire?

Cisco Employee

Re: CSS11503 One-arm not working

The problem is that your configured VLAN is:

circuit VLAN1
  ip address 10.130.193.10 255.255.255.0

So x.x.193.0

And your VIP is x.x.192.x.

This is OK, but it means there is a router between the CSS and the servers.

So when the server responds to the client, the router will bypass the CSS.

You can keep the same VIP, but you have to change your group config:

group CISCO
  add destination service SERVER1
  add destination service SERVER2
  vip address 10.130.193.70

Replace the x.x.192.x with an x.x.193.x

Gilles.
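
A small check for the condition described in the reply above, as an added example that is not part of the original thread and not Cisco tooling: it flags any group whose source-NAT `vip address` is not on a subnet directly attached to a CSS circuit. It assumes the indented running-config layout and parses only the commands quoted in the thread; the sample config is constructed from the thread's values, with the group VIP 10.130.192.70 taken from the "show flows" output.

```python
import ipaddress

# Constructed sample: circuit and group lines as quoted in the thread, with the
# group VIP (10.130.192.70) as seen in the "show flows" output.
SAMPLE_CONFIG = """\
circuit VLAN1
  ip address 10.130.193.10 255.255.255.0
group CISCO
  add destination service SERVER1
  add destination service SERVER2
  vip address 10.130.192.70
"""

def parse(config):
    """Return (circuit networks, {group name: source-NAT VIP}) from a config fragment."""
    networks, groups = [], {}
    kind = name = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[:1].isspace():
            # An unindented line opens a new section (circuit, group, or other).
            kind, name = (words + [""])[:2]
        elif kind == "circuit" and words[:2] == ["ip", "address"] and len(words) >= 4:
            # Address plus dotted netmask gives the directly connected subnet.
            networks.append(ipaddress.ip_interface(f"{words[2]}/{words[3]}").network)
        elif kind == "group" and words[:2] == ["vip", "address"] and len(words) >= 3:
            groups[name] = ipaddress.ip_address(words[2])
    return networks, groups

def off_subnet_groups(config):
    """Names of groups whose source-NAT VIP is on no circuit subnet.

    Server replies to such a VIP are routed by the intermediate router and
    are not guaranteed to pass back through the CSS.
    """
    networks, groups = parse(config)
    return sorted(name for name, vip in groups.items()
                  if not any(vip in net for net in networks))

if __name__ == "__main__":
    print("as posted:", off_subnet_groups(SAMPLE_CONFIG))
    changed = SAMPLE_CONFIG.replace("10.130.192.70", "10.130.193.70")
    print("after the suggested change:", off_subnet_groups(changed))
```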

New Member

Re: CSS11503 One-arm not working

Thanks to all of you.

Gilles, I will test today at noon, but how would you explain that "show flows" shows the following:

--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.130.192.100  80    10.130.192.70   6011  10.130.244.16   TCP 2/1     2/1
10.130.244.16   53066 10.130.192.70   80    10.130.192.100  TCP 2/1     2/1

Cisco Employee

Re: CSS11503 One-arm not working

The flow is created with the first SYN.

We set the reverse flow anticipating the response.

That does not mean the CSS received it.

Gilles.

New Member

Re: CSS11503 One-arm not working

Worked after configuring the right netmask. Case solved. Thanks to all.
