Cisco Support Community
New Member

CSS11506 Problem with NAT

I’m trying to migrate some server farms out of our IOS SLB load balancer to our new CSS11506.

Need some help converting this IOS SLB config into a working CSS 11506 config. So far it’s not working. With the group command in the CSS config using the “add destination”, the application works, but they see the CSS as the source address because it’s NATing the traffic to/from the client. This breaks the application, because it needs to build some session and cache information based on the source IP of the client, which is being hidden by the NATing. Without the group command “add destination service” there seems to be a problem with the redirection/communication handoff from the CSS to the server and client. Does anyone see any glaring problems with my conversion of the IOS SLB config to the CSS?

------------------------

IOS SLB Config

------------------------

ip slb probe CS3MW-PROBE http
 request url /lbprobe/status.jsp
 port 8181
 interval 30
!
ip slb serverfarm CS3MW-FARM
 nat server
 predictor leastconns
 probe CS3MW-PROBE
 !
 real 192.168.252.171
  inservice
 !
 real 192.168.252.172
  inservice
 !
 real 192.168.252.173
  inservice
!
ip slb vserver CS3MW-SVR
 virtual 192.168.252.96 tcp 0
 serverfarm CS3MW-FARM
 inservice standby UNIV-PROD1-VLAN-252
!

-----------------------

CSS Config

____________

service tpa_pzo1_cs3_00-7011
  port 7011
  keepalive port 7011
  keepalive type http
  protocol tcp
  ip address 192.168.252.171
  keepalive uri "/main.jsp"
  active
!
service tpa_pzo1_cs3_01-7011
  ip address 192.168.252.172
  port 7011
  keepalive port 7011
  keepalive type http
  keepalive uri "/main.jsp"
  protocol tcp
  active
!
service tpa_pzo1_cs3_02-7011
  ip address 192.168.252.173
  port 7011
  keepalive port 7011
  keepalive type http
  keepalive uri "/main.jsp"
  protocol tcp
  active
owner RTS
!
  content pzo1-cs3-p1
    vip address 192.168.3.34
    add service tpa_pzo1_cs3_00-7011
    add service tpa_pzo1_cs3_01-7011
    add service tpa_pzo1_cs3_02-7011
    protocol tcp
    port 8181
    active
!
group pzo1-cs3-p1
  vip address 192.168.3.34
  add service tpa_pzo1_cs3_00-7011
  add service tpa_pzo1_cs3_01-7011
  add service tpa_pzo1_cs3_02-7011
  active

7 REPLIES
Bronze

Re: CSS11506 Problem with NAT

Hi,

So to be clear here, your clients connect via port 8181 and then are load balanced to the servers on port 7011? This is the way it is configured now.

Thanks

Pete..

New Member

Re: CSS11506 Problem with NAT

Yes, the clients are hitting port 8181 and being translated to port 7011 on the servers. This is also a (redundant pair in active standby) one-armed CSS configuration with a single Gigabit FX connection to a pair of 6513's.

Bronze

Re: CSS11506 Problem with NAT

I'm not familiar with IOS SLB, but with the CSS, keep in mind that the CSS needs to see the session traffic in both directions to work properly. This generally means that the CSS is directly in-line from a bridging or routing perspective. If there are any paths that the traffic can take that would bypass the CSS, you're going to have problems.

Considering that the traffic gets through when your services are configured as group destinations, I suspect that there is a non-CSS path that the servers are trying to use when responding to the client with the group disabled.

Bronze

Re: CSS11506 Problem with NAT

I've just read your reply to the other message. NAT is a requirement for a true one-armed configuration. One way to make this work without NAT and without changing the physical setup would be to trunk two vlans across the gigabit connection, one VLAN for the front-end virtuals, and a second back-end vlan for your servers. Configure the servers to point to the back end CSS address as their gateway, and the CSS will route between the VLANs for you.

I use this configuration in my environment with a pair of 6509's and it works pretty well.
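The three return paths discussed in the replies above, traced in a small Python model. This is an added example, not part of the original posts: the VIP, real-server address and ports come from the configs in the thread, the client endpoint is constructed, and the model is simplified to one real server with no source-port translation.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")

VIP, VPORT = "192.168.3.34", 8181        # content rule VIP and port from the thread
REAL, RPORT = "192.168.252.171", 7011    # first real server from the thread
CLIENT, CPORT = "10.1.1.50", 40000       # constructed client endpoint (assumption)


def simulate(source_nat, server_gw_is_css):
    """Trace one request and reply.

    Returns (source IP the server sees, whether the client accepts the reply).
    """
    request = Pkt(CLIENT, CPORT, VIP, VPORT)
    # The CSS always rewrites the destination: VIP:8181 -> real:7011.
    to_server = request._replace(dst=REAL, dport=RPORT)
    if source_nat:
        # Source group: the client address is replaced by the group VIP.
        to_server = to_server._replace(src=VIP)
    seen_by_server = to_server.src

    reply = Pkt(REAL, RPORT, to_server.src, to_server.sport)
    # The reply crosses the CSS only if it is addressed to the CSS itself
    # (source NAT) or the CSS is the server's default gateway.
    via_css = reply.dst == VIP or server_gw_is_css
    if via_css:
        # The CSS reverses its translations from flow state.
        reply = Pkt(VIP, VPORT, CLIENT, CPORT)
    # The client only accepts a reply from the endpoint it connected to.
    accepted = reply == Pkt(VIP, VPORT, CLIENT, CPORT)
    return seen_by_server, accepted


SCENARIOS = {
    "one-armed, source group": (True, False),
    "one-armed, no source group": (False, False),
    "two VLANs, CSS as gateway": (False, True),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        seen, ok = simulate(*args)
        print(f"{name:28} server sees {seen:15} reply accepted: {ok}")
```

Only the third case both preserves the client address for the application and keeps the reply on a path through the CSS.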

New Member

Re: CSS11506 Problem with NAT

Thanks for the insight, this is the same conclusion I have come to as well after poring through sniffer traces. I've added circuit interfaces for both the VIP and the servers. Now I've got to convince our server/app guys to change the default gateway.

Bronze

Re: CSS11506 Problem with NAT

Hi,

I read through the conversation and am missing one detail regarding the communication between the clients and the servers. Is the original IP address of the clients necessary to be seen by the server? If not, just do a source NAT on the CSS so that the server guys do not have to change their default GW.

Best Regards,

Joerg

Bronze

Re: CSS11506 Problem with NAT

Hi, I re-read everything and have to apologize, I missed the part about the NATing in the very first posting.

So just forget about my posting...

Cheers,

Joerg
