icmp ttl exceeded

dalmada
Level 1

Hi,

I am stuck with a CSS sending ICMP time-to-live exceeded when I try to browse the internet from a server behind it. Tcpdump shows that it's not the server sending the ICMP packets, and Ethereal shows that the original SYN/ACK response comes from the internet endpoint but never arrives at the server (probably dropped by the CSS). Does anyone have any idea(s) about this?

Thanks in advance.

Sorry for my English

david

6 Replies

Gilles Dufour
Cisco Employee

ttl exceeded means there is a loop somewhere.

Could you sniff at different places [front and back] of the CSS and see where the traffic is going?

Is the connection from the server NATed?

Gilles.

Hi Gilles,

Thanks for your reply.

First a brief description of my network topology:

I have 2 servers with a direct connection each to 2 CSS 11501, which in turn have a direct connection each to 2 PIX 515E in failover mode. The CSSs are connected through an interface. The outside interface of the PIX shares a subnet with the internet router through a small hub. Server requests to the internet are translated by the PIX to a valid internet address. The server address the PIX sees is the group (each server is a group) address translated by the CSS.

The master for VIP redundancy is configured for the CSS which has a direct connection with the active PIX, and the other CSS is the master for interface redundancy. Requests for VIP addresses are handled just fine, and requests from the servers to other internal networks also. The server which is connected to the master for interface redundancy can also browse the internet. The other server, which is connected to the master for VIP, can not. They are identically configured, as are the PIX and other equipment throughout the path to the internet.

I have run tcpdump on the server and did not see any ICMP packet to the internet, just SYN packets. DNS works fine.

Running Ethereal on the outside subnet I can see SYN/ACK packets returning from the internet (but not delivered to the server). In the middle I can see ICMP TTL exceeded sent from the server group address to the internet address. How can I run a trace on the CSS?

Thanks

David

P.S. Hope I was clear.

First, you SHOULD NOT have one CSS master for the VIP and the other one master for the interface.

What kind of benefit do you think you get by doing this?

The CSS requires to see all traffic from client to server and from server to client.

With your design you create asymmetric routing and the traffic would have to go across BOTH CSS. I have the feeling in some circumstances it is not.

So, you should start by making 1 CSS active for both vip and interface redundancy.

Then, I understand the servers are directly connected to the CSS and you have a link between the 2 CSS. It would be interesting to see how you have set this up. If you can, please upload your config.

I usually recommend having a hub/switch between the CSS and the servers. It makes the design/configuration easier.

Finally, you can sniff from the CSS with the setspan command, but if you can sniff in front and on the back, you don't get anything more by sniffing on the CSS itself.

Finally, in the trace that you have, you should check the ttl and see if the same SYN or SYN/ACK is bouncing between 2 devices.

Gilles.
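To act on the "check the TTL" advice above, here is an added example that is not part of the thread: it scans tcpdump-style capture lines for the same TCP segment reappearing with a TTL one lower each pass, which is what a SYN or SYN/ACK bouncing between two devices looks like, while ordinary retransmissions re-enter at the same TTL. The capture lines and their simplified format are constructed for this example.

```python
import re
from collections import OrderedDict

# Simplified tcpdump-style line format, constructed for this example.
LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"Flags \[(?P<flags>[S.FRPA]+)\], seq (?P<seq>\d+), ack (?P<ack>\d+)"
)

# Constructed sample: a SYN/ACK seen four times with a decreasing TTL (a loop),
# a SYN seen twice, and a SYN/ACK retransmitted three times at the same TTL.
SAMPLE_CAPTURE = """\
ttl 64 203.0.113.10.80 > 192.0.2.5.40000: Flags [S.], seq 1000, ack 501
ttl 63 203.0.113.10.80 > 192.0.2.5.40000: Flags [S.], seq 1000, ack 501
ttl 62 203.0.113.10.80 > 192.0.2.5.40000: Flags [S.], seq 1000, ack 501
ttl 61 203.0.113.10.80 > 192.0.2.5.40000: Flags [S.], seq 1000, ack 501
ttl 64 192.0.2.5.40000 > 203.0.113.10.80: Flags [S], seq 500, ack 0
ttl 63 192.0.2.5.40000 > 203.0.113.10.80: Flags [S], seq 500, ack 0
ttl 64 203.0.113.10.80 > 192.0.2.5.40001: Flags [S.], seq 2000, ack 701
ttl 64 203.0.113.10.80 > 192.0.2.5.40001: Flags [S.], seq 2000, ack 701
ttl 64 203.0.113.10.80 > 192.0.2.5.40001: Flags [S.], seq 2000, ack 701
"""

def parse_capture(text):
    """Yield (segment_key, ttl) per parsable line; the key identifies one exact segment."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip non-TCP or unparsable lines
        yield (m["src"], m["dst"], m["flags"], int(m["seq"]), int(m["ack"])), int(m["ttl"])

def find_bouncing(text, min_copies=3):
    """Return {segment_key: [ttls]} for segments seen min_copies+ times with TTL dropping by 1 each time."""
    seen = OrderedDict()
    for key, ttl in parse_capture(text):
        seen.setdefault(key, []).append(ttl)
    bouncing = {}
    for key, ttls in seen.items():
        if len(ttls) < min_copies:
            continue
        # A retransmission leaves the host at the original TTL; a looped copy loses a hop per pass.
        if all(later == earlier - 1 for earlier, later in zip(ttls, ttls[1:])):
            bouncing[key] = ttls
    return bouncing

if __name__ == "__main__":
    for key, ttls in find_bouncing(SAMPLE_CAPTURE).items():
        print("looping segment", key, "ttl sequence", ttls)
```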

Yes, I should not have one master VIP and another master Interface. But in this topology the master VIP rules, because it is connected with the active Firewall. All the traffic must go through it (avoiding asymmetric routing, I think). How do I force a CSS to be master VIP or interface on the fly?

How do I see if the traffic is bouncing between the devices?

Attached is the configuration of one of the CSS devices. The other is identically configured, but without the preempt.

David

First, in your config, you have multiple virtual-router - one for each vip. It is not needed to use 1 virtual-router per vip.

A single virtual router can handle all the vip.

So, remove all the virtual-router except 1 per interface.

Then, you should set the priority of the master to 150 and on the standby a priority of 100.

Set the same priority on all interfaces.

This will guarantee that the same CSS is active on all interfaces.

Finally, you should create a critical service to monitor the pix or CSS interfaces, and assign it to all your virtual-routers. This will guarantee that upon failover all interfaces will failover.

Gilles.

I will do it. Should I use the same VRID (10 for example) for all the VIPs?

I didn't figure out how to configure critical services for the PIXs since they both respond to requests.

Thanks for the advice

David