Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

problem about CSS

i configued layer2 CSS 11503 as the following:

2 servers (10.122.70.13 and 10.122.70.14 need to be balanced using VIP 10.122.70.15)

!************************* INTERFACE *************************

interface 1/1

vlan 70

interface 1/2

isc-port-one

interface 2/1

vlan 70

!************************** CIRCUIT **************************

circuit VLAN70

ip address 10.122.70.30 255.255.255.0

!************************** SERVICE **************************

service Server13

ip address 10.122.70.13

port 514

protocol udp

service Server14

ip address 10.122.70.14

port 514

protocol udp

active

!*************************** OWNER ***************************

owner L3_Owner

content L3_Rule_syslog

add service Server13

add service Server14

vip address 10.122.70.15

balance leastconn

protocol udp

port 514

advanced-balance sticky-srcip

active

!*************************** GROUP ***************************

group syslog

vip address 10.122.70.15

add service Server13

add service Server14

active

after that I suspended server13, and I can see:

CSS11503# sh keepalive-summary

Keepalives:

AUTO_Server13 State: Suspended 10.122.70.13

AUTO_Server14 State: Alive 10.122.70.14

but even that, CSS still direct the traffic to 10.122.70.13:

CSS11503# sh flows

--------------- ----- --------------- ----- --------------- --- ------- ------

Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort

--------------- ----- --------------- ----- --------------- --- ------- ------

10.122.70.2 2333 10.122.70.15 514 10.122.70.13 UDP 1/1-70 1/1-70

10.122.23.18 514 10.122.70.15 514 10.122.70.13 UDP 1/1-70 1/1-70

10.122.48.41 49 10.122.25.37 11593 0.0.0.0 TCP 2/1-25 Ipv4

10.122.23.13 2307 10.122.70.15 514 10.122.70.13 UDP 1/1-70 1/1-70

10.122.23.17 514 10.122.70.15 514 10.122.70.13 UDP 1/1-70 1/1-70

can someone show me where is the problem? thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: problem about CSS

You should define your serives in your group as destination services. This way, the source IP of a flow originated from the client-side is NATed to the VIP, and the response from the server will go through the CSS.

The way you configured it, flows initiated from the servers are NATed.

it should look like this:

group syslog

vip address 10.122.70.15

add destination service Server13

add destination service Server14

active

regards,

Dario

1 REPLY
Silver

Re: problem about CSS

You should define your serives in your group as destination services. This way, the source IP of a flow originated from the client-side is NATed to the VIP, and the response from the server will go through the CSS.

The way you configured it, flows initiated from the servers are NATed.

it should look like this:

group syslog

vip address 10.122.70.15

add destination service Server13

add destination service Server14

active

regards,

Dario

133
Views
0
Helpful
1
Replies
CreatePlease to create content