Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VIP not reachable on CSS.

Hi Experts,

I have CSS and it was working fine before. For testing purpose I added another CSS for redundancy after which CSS stopped doing load balancing.

Hence I have removed the backup CSS and have only one CSS which is active but still  CSS is not working as expected(i.e no load balancing).

Setup:

CSS--switch-Servers

1) Checked the connectivity CSS are able to ping the servers were as servers not able to ping the VIP of CSS.

2) CSS and Servers are on the same segment.  Content rule is active and services are up and fine but still the issue persists.

I appriciate if someone please help me in resolving this issue?

Thanks in advance,.

REgards,

FAriha

13 REPLIES
Cisco Employee

Re: VIP not reachable on CSS.


Is the VIP not local to the server subnet?

Do the servers route through the CSS?

Is it possible the servers GW bypasses the CSS

Can u ping the VIP from off subnet upstream?

Maybe a quick explaination on the IP's

Peter

Bronze

Re: VIP not reachable on CSS.

- The CSS will ping servers from the IP configured within the circuit VLAN. Are you able to ping that IP from the servers?

- As for pinging a VIP from a server (when the server and VIP are within the same network) -- Do you have a source group rule enabled?

Were there any other changes made *besides* adding a 2nd CSS for redundancy? Did you physically remove the standby CSS without removing the app session from the primary CSS?

James

New Member

Re: VIP not reachable on CSS.

Hi,

Please find my answers below:-

The CSS will ping servers from the IP configured within the circuit VLAN. Are you able to ping that IP from the servers?

Answer: NO CSS is not pinging the cirtuit vlan ip address.

- As for pinging a VIP from a server (when the server and VIP are within the same network) -- Do you have a source group rule enabled?

Answer: NO  the VIP IP and servers are in the different subnets.

Example:

Servers are in 10.1.1.x

and Content VIP address 10.1.2.X

Were there any other changes made *besides* adding a 2nd CSS for redundancy? Did you physically remove the standby CSS without removing the app session from the primary CSS?

Answer: No changes been made after removing the secondary CSS.

Thanks in advance,.

Regards,

Fariha

Cisco Employee

Re: VIP not reachable on CSS.

What type of redundancy are the CSS running, Box-to-Box or Vip & Interface?

You should check the primary css logs to see if duplicate IPs are shown during that time

& confirm the CSS were configured properly for redundancy.

New Member

Re: VIP not reachable on CSS.

Hi Peter,

Yes you are correct I saw some duplicate ip address in the logs:-

IPV4-4: Duplicate IP address detected for vip: 10.1.2.1  01-23-65-78-a9-b3.

Okay now I have removed the redundancy box but still I am not able to poing the VIP address fronm the server.

The servers are able to ping the physical address of the CSS box. Can you let me know whats happening and what do i need to change???

Thanks in advance.

Cisco Employee

Re: VIP not reachable on CSS.

How do the servers reach this VIP?  Is the CSS the default GW or is another device?  If another device maybe that is the issue and you should create a route to VIP using the CSS local subnet.

If default GW is NOT the CSS check that other router to see what it has for an ARP address for the CSS to ensure it is correct.  Maybe the Active/Active corrupted the routers ARP table.

Can you get content from these VIPs?

Does a TCP request from the server to the VIP get diff behavior?

Peter

Silver

Re: VIP not reachable on CSS.

Hello,

When you brought the redundant CSS online, it may have briefly taken active role.  This would account for the duplicate IP address message.  If this happened, then the new standby would've sent out a GARP to let everyone know that he now owns the VIP.  If the original active never went to standby role, then he won't update that GARP.  Bottom line is that you may just have to update your ARP tables manually on the upstream device.  Here's how:

First make sure VIP is active:

CSS# llama
CSS(debug)# find ip address 10.86.178.12

CSS(debug)# exit
CSS#

Then you can send the GARP for the VIP:

CSS# llama
CSS(debug)# arp vip 10.86.178.12
Sending ARP for VIP: 10.86.178.12

CSS(debug)# exit
CSS#

After you have done this on the active CSS, test to see if it works.  Be sure that your pair of CSS are not both in the master state.

Sean

New Member

Re: VIP not reachable on CSS.

Hi Sean,
Thanks for that information. I tried this and found the rule and its active in the arp.

Secondly I have changed the VIP address but still its not working as expected.

CSS pings the server without any issue. but SErver are not able to reach the VIP nor the CSS box.

Server---df CSS.

Wht next??

My config looks like this:

ip route 0.0.0.0 0.0.0.0 10.20.1.1 1

!************************** CIRCUIT **************************
circuit VLAN60
        
  ip address 172.16.1.1 255.255.255.0
    redundancy-protocol

circuit VLAN70
  redundancy

  ip address 10.20.1.18 255.255.0.0

!************************** SERVICE **************************
service server1
  protocol tcp
  port 80
    ip address 10.20.2.11
  keepalive method get

  keepalive type http
  active

service server2
  protocol tcp
  port 80
  ip address 10.20.2.11
  keepalive method get

  keepalive type http
  active

!*************************** OWNER ***************************
owner vinci

  content webin
    port 80
    protocol tcp
    url "/*"
    add service server1 
    add service server2
    advanced-balance arrowpoint-cookie
    vip address 10.20.1.56
    active

owner redirects

!*************************** GROUP ***************************
group sharepoint.es.ie
  add destination service server1
  add destination service server2
  vip address 10.20.1.60

Server config:

IP address: 10.20.1.x  Default gateway: 10.20.1.1

Regards,

Fariha

Bronze

Re: VIP not reachable on CSS.

I can't tell if your output is truncated, but is the group rule active on your CSS? It would need to be made active to be effective (and it is necessary in your scenario).

James

New Member

Re: VIP not reachable on CSS.

Hi James,

Yes its active.

Any other steps which need to be checked???? Its very critical please help.

Thanks

Far

New Member

Re: VIP not reachable on CSS.

Hi,

Can anyone look into this please???

Bronze

Re: VIP not reachable on CSS.

Someone else may chime in, but I can't really tell anything is wrong from the config. You may want to verify that both of services are passing their keepalives. You can also monitor the flows on the CSS to see your incoming connection to the VIP and how it gets balanced:

CSS# monitor
CSS#
                                         DEFAULT:ip route
Enter show sub-command to monitor [HELP: show ?]: flows 64.39.0.40
Enter refresh interval [default:5]: 2

--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
64.39.0.40      5794  192.168.192.220 80    192.168.192.120 TCP e1        e5
64.39.0.40      9454  192.168.192.3   22    0.0.0.0         TCP e1        Ipv4


*** Iteration: 7 ***

64.39.0.40 is the IP I initiated traffic from. 192.168.192.220 is the VIP, and 192.168.192.120 is the server that it sent traffic to.

You would also be able to tell from the IN/OUT ports whether or not the destination server was in the proper VLAN (ie. frontside or backside).

Good luck,

James

New Member

Re: VIP not reachable on CSS.

Please clear the mac-address table and also try bouncing your physical interfaces.

Cheers,

DS

1788
Views
0
Helpful
13
Replies
CreatePlease to create content