04-08-2004 07:03 AM
Hi,
I'm trying to get a configuration working for our CSS11503 and I'm pretty lost on what I need to do. I'm primarily an application developer/WebLogic admin, so I have some understanding of networking but general at best.
What we're trying to accomplish is to establish connectivity through the CSS to a WebLogic cluster. Currently it doesn't look like anything is going through the CSS at all. So, how do I diagnose traffic coming into the CSS? I've turned logging levels to debug-7 and do see some traffic coming in from the outside interface but it shows it as a DOS attack?
Here is our current configuration:
CSS11503(config)# show running-config
!Generated on 04/08/2004 07:51:38
!Active version: sg0710405
configure
!*************************** GLOBAL ***************************
no restrict web-mgmt
sntp server 149.83.131.15 version 1
cdp run
logging subsystem ipv4 level debug-7
logging subsystem syssoft level debug-7
logging subsystem buffer level debug-7
logging subsystem flowmgr level debug-7
logging subsystem radius level debug-7
logging subsystem wcc level debug-7
logging subsystem chassis level debug-7
logging subsystem vlanmgr level debug-7
logging subsystem netman level debug-7
logging subsystem app level debug-7
logging subsystem rip level debug-7
logging subsystem ospf level debug-7
logging subsystem sntp level debug-7
logging subsystem dhcp level debug-7
logging subsystem vrrp level debug-7
logging subsystem redundancy level debug-7
logging subsystem csdpeer level debug-7
logging subsystem portmapper level debug-7
logging subsystem acl level debug-7
logging subsystem circuit level debug-7
logging subsystem security level debug-7
logging subsystem fac level debug-7
logging subsystem vpm level debug-7
logging subsystem publish level debug-7
logging subsystem keepalive level debug-7
logging subsystem urql level debug-7
logging subsystem nql level debug-7
logging subsystem dql level debug-7
logging subsystem pcm level debug-7
logging subsystem proximity level debug-7
logging subsystem hfg level debug-7
logging subsystem replicate level debug-7
logging subsystem boomerang level debug-7
logging subsystem fp-driver level debug-7
logging subsystem flowagent level debug-7
logging subsystem cdp level debug-7
logging subsystem slr level debug-7
logging subsystem natmgr level debug-7
logging subsystem ssl-accel level debug-7
ip route 0.0.0.0 0.0.0.0 206.88.44.254 1
!************************* INTERFACE *************************
interface Ethernet-Mgmt
description "Management Access"
interface 2/1
description "web-cluster-server1"
bridge vlan 10
interface 2/2
description "web-cluster-server2"
bridge vlan 10
interface 2/8
description "Outside-DMZ...206.88.44.225"
bridge vlan 11
!************************** CIRCUIT **************************
circuit VLAN1
ip address 206.88.45.225 255.255.255.0
circuit VLAN10
description "web-cluster"
ip address 10.1.1.254 255.255.255.0
circuit VLAN11
description "Outside-DMZ"
ip address 206.88.44.225 255.255.255.0
ip virtual-router 1 priority 110 preempt
ip redundant-vip 1 206.88.44.226
ip critical-service 1 upstream
ip critical-service 1 webserver1
ip critical-service 1 webserver2
!************************** SERVICE **************************
service upstream
ip address 206.88.44.254
type redundancy-up
active
service webserver1
ip address 10.1.1.1
active
service webserver2
ip address 10.1.1.2
active
!*************************** OWNER ***************************
owner ADP
content RuleForVIP1
vip address 206.88.44.226
balance leastconn
add service webserver1
add service webserver2
active
I should be able to talk to the two servers listening on 10.1.1.1:7003 and 10.1.1.2:7003.
Thanks,
-Brett
04-08-2004 10:20 AM
Brett,
Well, first off, if you are going to have a redundant VIP I am assuming there are 2 CSSs here. We need to make sure the server responses come back through the same CSS that is active for the VIP.
We can see who is active for the VIP by typing
"show redundant-vip"
You do not have any redundant IP on the server side, so is the gateway of the servers 10.1.1.254? What is the IP of the other CSS's circuit?
Typically, there is a redundant IP on the server side so we can fail over the server's gateway when we fail over the VIP.
To see connections to that VIP you can see the hits increment by typing "show summary". "show flow" will show current flows, but HTTP flows are typically pretty quick and you are likely to miss them.
-Steve
04-08-2004 12:12 PM
Steve,
Thanks for the response. Our eventual configuration will have 2 CSSs but only one today.
show redundant-vip
Redundant-Vips:
Interface Address: 206.88.44.225 VRID: 1
Redundant Address: 206.88.44.226 Range: 1
State: Master Master IP: 206.88.44.225
State Changes: 3 Last Change: 04/07/2004 10:39:01
Show summary does show hits coming in and with debugging turned on I'm seeing messages like the following.
APR 8 12:56:23 1/1 1377 FLOWMGR-7:
DoS SYN attack: 206.88.41.248:2304->206.88.44.226:7003
synCnt: 3, initSeq: 2257383471
Is this dropping/preventing the packets from routing to the 10.1.1.x network?
Default gateway for the webservers is the 10.1.1.254 address.
Thanks,
-Brett
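The FLOWMGR-7 "DoS SYN attack" messages above are worth being able to read in bulk: a client whose SYNs never get a SYN/ACK back (here because the web servers' routing was wrong) retransmits, and the CSS debug log reports each such client as a "DoS SYN attack" with a small synCnt. The parser below is an added example, not code from the thread or from Cisco; the header/message shape is taken from Brett's pasted log, while the multi-line joining, the extra sample records, and the few-vs-many-sources heuristic are my own assumptions, constructed to show how a defender can tell "one or two clients retrying against a VIP whose back end is not answering" from "many distinct sources hammering a VIP", rather than taking every debug-7 line at face value.

```python
import re
from collections import defaultdict

# Header shape taken from the thread: "APR 8 12:56:23 1/1 1377 FLOWMGR-7: ..."
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z]{3}) +(?P<day>\d{1,2}) +(?P<time>\d{2}:\d{2}:\d{2}) +"
    r"(?P<slot>\S+) +(?P<msgid>\d+) +(?P<subsys>[A-Z-]+?)-(?P<level>\d): *(?P<msg>.*)$"
)
# Message shape taken from the thread (after joining its wrapped continuation lines).
SYN_RE = re.compile(
    r"DoS SYN attack: +(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r" +synCnt: *(?P<syncnt>\d+), *initSeq: *(?P<initseq>\d+)"
)

# Constructed sample: the first record is Brett's; the rest are made up for illustration.
SAMPLE_LOG = """\
APR 8 12:56:23 1/1 1377 FLOWMGR-7:
DoS SYN attack: 206.88.41.248:2304->206.88.44.226:7003
synCnt: 3, initSeq: 2257383471
APR 8 12:56:29 1/1 1378 FLOWMGR-7:
DoS SYN attack: 206.88.41.248:2305->206.88.44.226:7003
synCnt: 3, initSeq: 2257390112
APR 8 12:57:02 1/1 1379 FLOWMGR-7:
DoS SYN attack: 206.88.41.250:1044->206.88.44.226:7003
synCnt: 4, initSeq: 1193046
APR 8 12:57:10 1/1 1380 KEEPALIVE-7: (constructed non-SYN message, ignored below)
"""


def parse_css_log(text):
    """Group wrapped CSS syslog output into records.

    A line matching HEADER_RE starts a record; any following line that does not
    start a new record is treated as continuation text and joined with a space
    (the debug output in the thread wraps one message over three lines)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            records.append(rec)
        elif records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records


def syn_events(records):
    """Extract the FLOWMGR 'DoS SYN attack' events with typed fields."""
    events = []
    for rec in records:
        if rec["subsys"] != "FLOWMGR":
            continue
        m = SYN_RE.search(rec["msg"])
        if not m:
            continue
        ev = m.groupdict()
        for k in ("sport", "dport", "syncnt", "initseq"):
            ev[k] = int(ev[k])
        ev["time"] = rec["time"]
        events.append(ev)
    return events


def summarize(events):
    """Per VIP:port, the distinct client sources, event count and highest synCnt."""
    per_vip = defaultdict(lambda: {"sources": set(), "events": 0, "max_syncnt": 0})
    for ev in events:
        s = per_vip[f"{ev['dst']}:{ev['dport']}"]
        s["sources"].add(ev["src"])
        s["events"] += 1
        s["max_syncnt"] = max(s["max_syncnt"], ev["syncnt"])
    return {k: {"sources": sorted(v["sources"]), "events": v["events"],
                "max_syncnt": v["max_syncnt"]} for k, v in per_vip.items()}


def classify(summary, many_sources=20):
    """Heuristic (my assumption, not a CSS feature): a few sources retrying SYNs
    against one VIP usually means the VIP's back end is not completing handshakes
    (the thread's case), whereas many distinct sources is the pattern worth
    treating as a possible flood. The threshold is a placeholder to tune."""
    return {vip: ("many-sources" if len(s["sources"]) >= many_sources
                  else "few-sources-retrying") for vip, s in summary.items()}


if __name__ == "__main__":
    summary = summarize(syn_events(parse_css_log(SAMPLE_LOG)))
    for vip, s in summary.items():
        print(vip, s, classify(summary)[vip])
```

Run against an exported CSS log instead of SAMPLE_LOG to see, per VIP, how many distinct clients are being reported; when it is one or two sources with synCnt in the single digits while "show summary" shows hits but no flows complete, check the servers' return path (their default gateway must be the CSS circuit address, 10.1.1.254 here) before treating the message as an attack.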
04-08-2004 01:44 PM
Looks like we've gotten this resolved. It was a routing issue on the two webserver machines. Guess I'm still a little confused as to how to monitor traffic leaving the CSS.
Thanks,
-Brett