Intermittent ping timeout when pinging the virtual IP address of the DNS server

vdkhoa83csm
Level 1

Hi,

We use two Catalyst 6513s with two CSM modules on each for redundancy. On the DNS server farm, we have 2 DNS servers with 2 real IPs A, B and 2 virtual IPs (VIPs) A1, B1.

Now, we have a problem:

1. When I ping A1 and B1 simultaneously, I can ping successfully.

2. When I ping A and A1 simultaneously, the ping to A is successful but the ping to A1 gets a request timeout.

3. When I ping B and B1 simultaneously, the ping to B is successful but the ping to B1 gets a request timeout.

I use public addresses for the 2 real IPs and 2 virtual IPs. I configured it the same as the sample on the Cisco webpage.

Although we can use the DNS service normally, I can't understand why that is.

Please explain this to me soon.

Thanks a lot.

module ContentSwitchingModule 2
 ft group 55 vlan 55
  priority 12
  failover 2
  preempt
!
 vlan 8 server
  ip address 202.x.224.x.255.255.192
  route 10.12.0.0 255.255.254.0 gateway 202.78.224.187
  alias 202.x.224.x.255.255.192
!
 vlan 22 client
  ip address 202.x.224.x.255.255.248
  gateway 202.78.224.54
  alias 202.x.224.x.255.255.248
!
 probe DNS udp
  interval 60
  port 53
!
 real DNS1
  address 202.x.224.x
  inservice
 real DNS2
  address 202.x.224.x
  inservice
!
 serverfarm DNS-FARM
  nat server
  no nat client
  real name DNS1
   inservice
  real name DNS2
   inservice
  health retries 100 failed 300
  probe DNS
!
!
 serverfarm ROUTE
  no nat server
  no nat client
  predictor forward
!
 vserver ALL
  virtual 0.0.0.0 0.0.0.0 any
  serverfarm ROUTE
  persistent rebalance
  inservice
!
 vserver DNS-VIP1
  virtual 202.x.224.x any
  serverfarm DNS-FARM
  replicate csrp connection
  persistent rebalance
  inservice
!
 vserver DNS-VIP2
  virtual 202.x.224.x any
  serverfarm DNS-FARM
  replicate csrp connection
  persistent rebalance
  inservice

Accepted Solutions

Gilles Dufour
Cisco Employee

On the front-end you see client IP C connecting to both A and A1.

But on the backend, the connection is NATed and the virtual IP A1 is translated into A.

So, on the backend you see client IP C connecting to A 2 times.

Therefore the CSM can't tell the difference between the 2, and it is NATing or not NATing, which causes an issue.

You could change your DNS VIP into a UDP vserver instead of any. The CSM would then respond to ping requests sent to the VIP and the problem would disappear.

You could also create an ICMP vserver and use a serverfarm with client NAT enabled.

Or just do nothing, as we know this is not really an issue.

Another recommendation about your config would be to reduce the idle timeout.

Since UDP traffic does not have a connection termination function, a flow will stay in memory for 1 hour before being removed.

I would suggest using the command 'idle 10'.

Regards,

Gilles.

Hi Gilles,

Thanks for your explanation and recommendation.

Please show me how to change the DNS VIP into UDP. Can I do it as below:

virtual 202.78.224.129 udp 53

virtual 202.78.224.130 udp 53

But I think "any" includes "udp"?

And would you show me how to create an ICMP vserver?

Regards.

Vo.

The ANY includes UDP but also ICMP.

We want to prevent ICMP traffic from being load-balanced [if you want to fix your issue].

There is actually no reason to load-balance ICMP.

Try first with the UDP vserver, and let the CSM respond to ping requests.

Don't forget to set the idle timeout to 10 sec instead of the default 1 hour.

Gilles.

Hi,

I just set the idle timeout to 10, and I can't change the vserver from any to udp because the system is running.

But when I set the idle timeout, the ping to the real server address times out when I ping the VIP (this situation is the opposite of before). Please explain this to me.

Thanks,

Khoa

It is the same explanation.

The CSM can't tell the difference between the 2 connections on the backend.

So whatever ping you do first will work, and the next one will fail until you clean up the first connection.

Gilles.
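
The collision described in the replies above, as an added example that is not part of the original thread and not the CSM's actual implementation: a toy flow table keyed by the server-side addresses. It assumes each VIP maps to a single real server, and the addresses for C, A and A1 are constructed.

```python
# Toy model of the collision (an assumption for illustration, not CSM internals).
# Constructed addresses: client C, real server A, virtual IP A1 in front of A.
C, A, A1 = "198.51.100.7", "192.0.2.10", "192.0.2.100"
ICMP = "icmp"


class FlowModel:
    """Flow table keyed by the server-side view of a connection."""

    def __init__(self, vips, idle):
        self.vips = vips    # vip -> (real IP, protocols the vserver matches)
        self.idle = idle    # seconds a silent flow stays in the table
        self.flows = {}     # (client, real, proto) -> [front-end dst, last seen]

    def ping(self, client, dst, now):
        """Return True if the echo reply reaches the client from `dst`."""
        real, protos = self.vips.get(dst, (dst, set()))
        if dst in self.vips and not protos & {"any", ICMP}:
            return True     # UDP-only vserver: the module answers the VIP ping itself
        key = (client, real, ICMP)   # with server NAT, A1 and A give the same key
        flow = self.flows.get(key)
        if flow is None or now - flow[1] > self.idle:
            flow = self.flows[key] = [dst, now]   # new (or expired) entry
        flow[1] = now       # every packet matching the key refreshes the timer
        # The reply from `real` is translated according to the stored front-end
        # address, so only the ping that created the flow sees a matching reply.
        return flow[0] == dst


def run(vserver_protos, idle, pings):
    """Replay (time, destination) pings from C; return success per ping."""
    model = FlowModel({A1: (A, set(vserver_protos))}, idle)
    return [model.ping(C, dst, t) for t, dst in pings]


if __name__ == "__main__":
    both = [(t, A if t % 2 == 0 else A1) for t in range(6)]
    print("any, idle 3600:", run({"any"}, 3600, both))
    print("any, idle 10:  ", run({"any"}, 10, both))
    print("udp, idle 10:  ", run({"udp"}, 10, both))
```

In this model, interleaved pings keep refreshing the shared entry, so a shorter idle timeout only changes which ping wins once the other has stopped for longer than the timeout.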

Hi Gilles,

Thanks for the support; my issue is fixed since I replaced the DNS vserver any with udp 53.

But now, I want to add tcp 53. Can I configure both UDP and TCP 53 on one DNS vserver? Or must I create another DNS vserver and DNS-TCP farm for the TCP DNS service?

Thanks,

Vo.
