808 Views | 3 Helpful | 6 Replies

CSS11503 One-arm not working

oinojosa12
Level 1

I have a one-arm configuration.

I can see bi-directional flows on the CSS, but the client PC does not receive anything, as I verified by capturing packets.

When the client PC requests directly from the servers, it receives content.

Also, the client PC receives ping replies from the CSS and also establishes telnet with the CSS. Also, when no servers are active, the client PC receives a TCP RST,ACK from the CSS, so no Layer 3 problems exist.

I have attached "show run" and "show flows" outputs, plus "tcp SYN" packets that client PC sends to CSS.

Client IP address: 10.130.244.16


6 Replies

dan.noel1
Level 1

If you are not NATting the PC IP at the CSS, you will need to support policy routing to send packets back to the CSS. We elected to use PBR, since there is a large benefit to having the original src IP shown at the host.

This configuration should be working. We're seeing the response in the show flows output:

--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.130.192.100  80    10.130.192.70   6011  10.130.244.16   TCP 2/1     2/1
10.130.244.16   53066 10.130.192.70   80    10.130.192.100  TCP 2/1     2/1

So it looks like this traffic is returning through the CSS. Any chance you can sniff the client side vlan of the CSS to see if the return packet is making it to the wire?

Gilles Dufour
Cisco Employee

The problem is that your configured vlan is:

circuit VLAN1
  ip address 10.130.193.10 255.255.255.0

So x.x.193.0

And your vip is x.x.192.x.

This is ok, but it means there is a router between the CSS and the servers.

So when the server responds to the client, the router will bypass the CSS.

You can keep the same vip, but you have to change your group config:

group CISCO
  add destination service SERVER1
  add destination service SERVER2
  vip address 10.130.193.70

Replace the x.x.192.x with a x.x.193.x

Gilles.

Thanks to all of you.

Gilles, I will test today noon, but how would you explain that "show flows" shows the following:

--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.130.192.100  80    10.130.192.70   6011  10.130.244.16   TCP 2/1     2/1
10.130.244.16   53066 10.130.192.70   80    10.130.192.100  TCP 2/1     2/1

The flow is created with the first SYN.

We set the reverse flow anticipating the response.

That does not mean the CSS received it.

Gilles.
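As an added illustration of the two points made in this thread (not code from the thread, from Cisco, or from the CSS itself), the Python script below parses a "show flows" table like the one quoted above, pairs each client-initiated flow with the reverse entry the CSS pre-installs on the first SYN, and then checks whether the real servers actually sit on the circuit subnet. Servers outside the circuit subnet are behind a router, so their replies bypass the CSS unless the client address is source-NATed or PBR steers replies back. The function names, the /22 "corrected" mask and the sample table are my own assumptions; the thread only says "the right netmask" without giving it.

```python
import ipaddress

# Constructed sample, modelled on the "show flows" table quoted in this thread.
SHOW_FLOWS = """\
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.130.192.100  80    10.130.192.70   6011  10.130.244.16   TCP 2/1     2/1
10.130.244.16   53066 10.130.192.70   80    10.130.192.100  TCP 2/1     2/1
"""

FIELDS = ("src", "sport", "dst", "dport", "nat_dst", "proto", "inport", "outport")


def parse_show_flows(text):
    """Turn the flow table into a list of dicts, skipping rulers and the header."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        # Ruler lines split into 8 dashes; the header splits into 11 words.
        if len(parts) != len(FIELDS) or parts[0].startswith("-") or parts[0] == "Src":
            continue
        flows.append(dict(zip(FIELDS, parts)))
    return flows


def pair_flows(flows, service_port="80"):
    """Pair each client-initiated flow with the reverse entry the CSS pre-installs.

    The forward entry's NAT destination is the real server and the reverse entry's
    NAT destination is the client, so the two reference each other. Both are
    created on the first SYN: a populated reverse entry only proves the SYN was
    seen, not that the server's reply ever came back through the CSS.
    """
    pairs = []
    for fwd in flows:
        if fwd["dport"] != service_port:
            continue
        for rev in flows:
            if rev is not fwd and rev["src"] == fwd["nat_dst"] and rev["nat_dst"] == fwd["src"]:
                pairs.append((fwd, rev))
    return pairs


def diagnose_one_arm(circuit_iface, vip, servers, src_nat=False, pbr=False):
    """Return findings that explain why replies may never reach the client.

    circuit_iface is the CSS circuit address with its mask ("10.130.193.10/24").
    A real server outside that subnet sits behind a router; unless the client
    address is NATed at the CSS or policy routing sends replies back, the server
    answers the client directly and the CSS never sees the reverse half.
    """
    net = ipaddress.ip_interface(circuit_iface).network
    findings = []
    if ipaddress.ip_address(vip) not in net:
        findings.append(f"VIP {vip} is outside circuit subnet {net}; it must be routed to the CSS")
    for server in servers:
        if ipaddress.ip_address(server) not in net and not (src_nat or pbr):
            findings.append(
                f"server {server} is behind a router relative to {net}; its replies "
                "will bypass the CSS unless source NAT or PBR is used"
            )
    return findings


if __name__ == "__main__":
    flows = parse_show_flows(SHOW_FLOWS)
    for fwd, rev in pair_flows(flows):
        print(f"client {fwd['src']}:{fwd['sport']} -> VIP {fwd['dst']}:{fwd['dport']} "
              f"-> server {fwd['nat_dst']}; reverse entry pre-installed from {rev['src']}")
    # Values from the thread: a /24 circuit on the .193 subnet, VIP and server on .192.
    for finding in diagnose_one_arm("10.130.193.10/24", "10.130.192.70", ["10.130.192.100"]):
        print("finding:", finding)
    # Assumed corrected mask: /22 is a guess that covers both .192 and .193; the
    # thread only says "the right netmask" without stating it.
    print("with /22:", diagnose_one_arm("10.130.193.10/22", "10.130.192.70", ["10.130.192.100"]))
```

With the thread's /24 circuit the script reports both the VIP and the server as off-subnet; with PBR enabled only the VIP finding remains, and with a mask that puts the server on the circuit subnet no finding is raised, which matches the OP's "worked after configuring the right netmask".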

Worked after configuring the right netmask. Case solved. Thanks to all.
