CSM Bridged mode config issue
I currently have a CSM that is load balancing two web servers. Everything working great. I have two new web servers that are being used for a different system so I basically copied the old config, changed the names of the vservers, serverfarms and policies and expected the same result as the first.
What is happening is that when I ping the VIP, it gets redirected to one of the reals but then the real responds back instead of the VIP.
Not sure why that is happening.
Sean,
When you said "Typically, the rservers would use the same gateway you have configured on the client VLAN. The important thing to make sure of, is that you must make sure that the ONLY for these rservers to reach their gateway is through the CSM that is bridging the servers' VLAN to that client VLAN."
Now I assume you meant to say "Typically, the rservers would use the same gateway you have configured on the client VLAN. The important thing to make sure of, is that you must make sure that the ONLY way for these rservers to reach their gateway is through the CSM that is bridging the servers' VLAN to that client VLAN.
Well, I have a working bridging configuration for a different system and I have found that the real servers in my server vlan do have the client vlan IP address... But the server vlan is in fact a layer 2 vlan, it does not have it's own gateway so it has no other way out other than through the CSM and to the client vlan gateway, just as you said.
What I have found is that the server vlan for my new set up actually has its own gateway. Because of other servers in this vlan I cannot do away with it. So, I looked at an ealier post where you stated" If the adding source-NAT resolves the issue, then you know that asymmetric routing was your problem. One solution would be to leave the source-NAT config in permanently. The other would be to set the default gateway of your new servers to the CSM interface, and another would be to use policy-based routing."
The two solutions I am interested in is the client nat and the setting of the default gateway of the new servers to the CSM interface. Exaclty what interface are you referring? Are you referring to the IP address that bridges the client and server vlan together?
Regarding your client nat example, you mentioned that the client nat address is owned by the CSM, but in your example config I did not see that IP address at all so I am a little confused as to how the csm owns this IP.
I really appreciate your responses!
Similar Messages
-
Hi,
I have a pair of CSM running 4.2.6 (tried 4.2.7 too) on cat 6500 sup 720 chassis.
config is following :
vlan 902 server
ip address 192.168.1.36 255.255.255.224 alt 192.168.1.37 255.255.255.224
vlan 100 client
ip address 192.168.1.36 255.255.255.224 alt 192.168.1.37 255.255.255.224
vserver VS_MWINA_WWW
virtual 192.168.1.59 tcp www
serverfarm SF_MWINA_W
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
real R_PARKINSON
address 192.168.1.42
inservice
real R_GUEDEL
address 192.168.1.39
inservice
serverfarm SF_MWINA_W
nat server
no nat client
real name R_SRV1 8098
inservice
real name R_SRV2 8098
inservice
I am sniffing on the PO to the CSM module and what I see is the SYN goin from the chassis to the blade, nothing else. then sometimes it goes well and I have SYN/ACK and ACKs following.
Any help would be greatly appreciated.If it was transmitted, ok I didn't see it but I don't see where it would have gone.
The csm is a fine blade but sometimes not easy to trouleshoot I find.
With our config I don't see what could cause it to stop working.
Tech Proc 1 give me this
scsm1 tech proc 1
Software version: 4.2(7)
--------------------- SESSION Statistics ---------------------
Current time 438570 324085 1
Aborted rx 152564848 2673378996 10183
Total Packets rx 163666741 101777820 387
Packets Dropped 80262 59218 0
Packets Drop Stale Connection 22473 16390 0
Packets Drop No More Sessions 0 0 0
Packets Drop No VLAN 233026 172035 0
Packets Drop Bad Checksum 0 0 0
Packets Drop IP Fragments 0 0 0
Packets Drop SI with no SMAC 0 0 0
Packets Drop: SI, Route Mode, no DMAC 116827 115609 0
Packets Drop: Not IP, SNAP 0 0 0
Packets Drop: Zero L3 offset 0 0 0
Packets Drop: vlan/vs Force Drop 204 0 0
Packets Drop: Slowpath limit exceeded 0 0 0
Packets Drop: LP non-ip, non-arp 0 0 0
Packets Drop: TCP/UDP with zero port 1 0 0
Packets Drop: CDP 0 0 0
Packets Spanning Tree DMAC 0 0 0
Packets Repeat: Slowpath limit exceeded 0 0 0
Packets Rx on secondary vlan 0 0 0
Packets Slowpath 5056349 3584950 13
Packets Shakira 0 0 0
Packets High Priority 467142 346215 1
Packets Session Hit 43583067 12829485 48
Packets New Sessions 333858 142719 0
New Session- source route checks 79701 22473 0
New Session- source ecmp route 0 0 0
Packets Repeat 114240674 84857415 323
Packets Repeat Reverse Frag 0 0 0
Packets Repeat and Slowpath 0 0 0
Packets Force Repeat 0 0 0
Packets One Shot 0 0 0
Packets bad parse 0 0 0
Packets Session Hit TCP+NAT 0 0 0
Packets Session Hit TCP 1364769 591465 2
Packets Session Hit NAT 42218298 12238019 46
Packets Session Hit Slw 0 0 0
Packets Session FIN 664593 283296 1
Packets Dropped- SYN+ACKs 0 0 0
Packet, Transmit retries 0 0 0
SYN Packets routed (w/o conn) 115956 115143 0
Packets routed (w/o conn) 0 0 0
Packets routed (w/o conn), bad enc 0 0 0
Packets routed (w/o conn), FT 0 0 0
Packets with no SMAC, sent to slowpath 539 0 0
there are quite a lot of drops here. -
CSM - Bridged Mode - Routed Mode Question
Customer's request involves setting up a backup (failover) BCR server to receive hand held device scan events.
The following needs to be performed:
- Build new server up as identical to AAEPRDBCR01 (named AAEPRDBCR02).
- Application to be installed onto the new server (configured identically to AAEPRDBCR01)
- Configure customer's CSM to parse requests to AAEPRDBCR01, and failover to AAEPRDBCR02. i.e. when BCR01 is unplugged the CSM should realise and begin parsing requests through BCR02. If BCR01 comes online again, the requests should once again fall back to BCR01.
I was thinking that the two servers would reside on eg.....VLAN 13 'BiscomBCR' and Users access these servers.
Does it need to be routed or can we do the same config in Bridged mode, where the servers have the same IP addressing?
Any pointers to any useful links is much appreciated.You can do this in bridged mode. You can basically create a backup serverfarm which contains your new server. (CR02). It will only be used if the normal serverfarm containing your existing server (CR01) is unavailable.
Attached is a link to the CSM config doc - have a look at the config examples for the backup server farm. (Make sure you read the caveats about stickiness to understand what happens when the primary serverfarm comes back on line).
http://www.cisco.com/en/US/products/hw/switches/ps708/module_installation_and_configuration_guides_book09186a0080470b20.html
Hope this helps -
CSM Bridge Mode Vserver Redirect
I have a CSM in bridge mode, the MSFC in on the client side.
vlan 28 client
ip address 192.168.29.253 255.255.254.0
gateway 192.168.28.253
vlan 173 server
ip address 172.17.3.8 255.255.255.0
alias 172.17.3.5 255.255.255.0
vlan 163 client
ip address 172.17.3.8 255.255.255.0
gateway 172.17.3.1
I want to have a VIP on the 28 vlan and redirect to a VIP on the 163 vlan. I'm not sure how to do that. Plus this is all netbios, so could I do it with a virtual x.x.x.x any
or do I have to specify tcp 137,138,139,445...
any ideas would be great...thankshow can you redirect netbios traffic ???
We can use HTTP redirect but I don't think this works for Netbios - correct me if I'm wrong.
Therefore, I don't see how you can do a redirect.
Moreover, why would you want to redirect to another vip ?
As long as the traffic is coming to the CSM why don't you simply loadbalance to the end server ????
Thanks,
Gilles. -
Shared office internet/bridge mode speed issues
I recently moved into an office that shares Comcast internet among various offices. When I setup my airport extreme it automatically set to bridge mode -- something about assigning a unique IP address.
I get fast upload but slow download (15 mbps upload, 1 mbps download). When I plugin directly via ethernet cable there is no issue. So it's an airport extreme/wifi issue. Any fixes?Sorry, I actually can't plug my computer in because there is no ethernet (macbook pro 2013).
Is the main router also providing a wireless signal?
I don't know.
How many other wireless networks can you see if you do a scan?
How do I check/why does this matter?
How far is the computer from the AirPort Extreme? Line of sight between the computer and Extreme?
10 feet clear sight. Again, upload is fast 15, download is slow.
Are there any cordless phones there?
no
WiFi security or cameras?
no
BlueTooth devices?
no
Any metal cabinets near the AirPort Extreme?
no
Are you using a Mac or PC? What operating system?
MAC OSX -
Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Configuration
Hi,
Need serious help here..
I'm facing a challenging situation here.
Customer just purchased a pair of SSLM module for their web server HTTPS termination.
Here's the situation.
Currently customer already have a pair of Catalyst 6509 running with MSFC->FWSM<->CSM Bridge Configuration (i.e. client and server vlan on the same subnet).
I've been assigned the task to deploy SSLSM module seaminglessly onto this existing setup without any other major configuration changes required on their systems by this week.
My question is currently they doing bridge configuration between FWSM - CSM. How do I transparently deploy SSLM in this situation ? without changing any i.p. addresses which will break their server-to-server communications.
I read and understand CSM-SSLM bridge configuration but that requires changing their i.p. addressing scheme? hopefully somebody shed some light on this...I've attached a logical diagram of the existing setup as well as the SSLM placement (where i think it fits in).
I've also came up with a draft configuration below, i don't really understand NAT client and NAT server applications:
module ContentSwitchingModule 7
ft group 1 vlan 201
priority 110 alt 100
heartbeat-time 1
failover 3
preempt
vlan 6 client
ip address 192.168.20.4 255.255.255.0 alt 192.168.20.5 255.255.255.0
gateway 192.168.20.1
alias 192.168.20.6 255.255.255.0
vlan 60 server
ip address 192.168.20.4 255.255.255.0 alt 192.168.20.5 255.255.255.0
vlan 7 client
ip address 192.168.10.4 255.255.255.0 alt 192.168.10.5 255.255.255.0
alias 192.168.10.6 255.255.255.0
vlan 70 server
ip address 192.168.10.4 255.255.255.0 alt 192.168.10.5 255.255.255.0
vlan 40 server
ip address 192.168.60.4 255.255.255.0 alt 192.168.60.5 255.255.255.0
alias 192.168.60.6 255.255.255.0
probe ICMP icmp
interval 3
failed 5
probe HTTPWEB http
interval 3
failed 5
probe HTTPSWEB tcp
interval 3
failed 5
port 445
probe TCP tcp
interval 2
failed 3
serverfarm MOCINT-VIP1
nat server
no nat client
predictor leastconns
real 192.168.20.71
inservice
real 192.168.20.72
inservice
probe ICMP
probe HTTPWEB
serverfarm MOCWEB-VIP1
nat server
no nat client
predictor leastconns
real 192.168.10.65
inservice
real 192.168.10.66
inservice
probe ICMP
probe HTTPWEB
serverfarm SSL-MOCINT
nat server
no nat client
real 192.168.60.11 445
inservice
real 192.168.60.12 445
inservice
probe TCP
serverfarm SSL-MOCWEB
nat server
no nat client
real 192.168.60.21 445
inservice
real 192.168.60.22 445
inservice
probe TCP
sticky 10 netmask 255.255.255.255 timeout 20
sticky 20 cookie cookie-server timeout 30
vserver DECRYPT-MOCINT
virtual 192.168.60.10 tcp 445
vlan 40
serverfarm MOCINT-VIP1
replicate csrp sticky
persistent rebalance
parse-length 4000
inservice
vserver DECRYPT-MOCWEB
virtual 192.168.60.20 tcp 445
vlan 40
serverfarm MOCWEB-VIP1
replicate csrp sticky
persistent rebalance
parse-length 4000
inservice
vserver HTTP-MOCINT
virtual 192.168.20.70 tcp www
vlan 6
serverfarm MOCINT-VIP1
advertise active
sticky 20 group 10
replicate csrp sticky
persistent rebalance
parse-length 4000
inservice
vserver HTTP-MOCWEB
virtual 192.168.10.60 tcp www
vlan 7
serverfarm MOCWEB-VIP1
advertise active
sticky 30 group 20
replicate csrp sticky
persistent rebalance
parse-length 4000
inservice
vserver HTTPS-MOCINT
virtual 192.168.20.70 tcp https
vlan 6
serverfarm SSL-MOCINT
persistent rebalance
inservice
vserver HTTPS-MOCWEB
virtual 192.168.10.60 tcp https
vlan 7
serverfarm SSL-MOCWEB
persistent rebalance
inservice -
How to Configure Transparent caching on Cat 6500 with CSM in bridge mode?
hi.
I found How to Configure Transparent caching on Cat 6500 with CSM in routed mode.
But,
I need help How to Configure Transparent caching on Cat 6500 with CSM in bridge mode?
Please let me know sample configuration.
thanks.Hi,
I wrote the document you mentioned and I also wrote the one below.
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00802c1201.shtml
The one with the SSLM is a bridge mode config.
If you replace the SSLM with a cache [or a farm of caches] it would be a similar config.
Replace the SSL21 vserver with an HTTP vserver [most important is to keep the vlan configured on each vserver]
Regards,
Gilles. -
CSM redundant bridged mode - alias IP required?
Hi! I am a little bit confused about the configuration guides concerning csm + fwsm
+ csm bridged mode. in my opinion when using bridged mode with the csm i do not really need any alias ip configuration - neither in the client vlan nor the server vlan. in bridged mode the csm does not route - thus i won't have any routes pointing to the csm. why are there always alias ip configurations in redundant bridged mode config guides? can somebody please clear that up for me? is there any other function of the alias IPs that I need them for?
Thanks,
DanielDaniel,
In general, if no router is present on a server-side VLAN, then each server's default route points to the aliased IP address. In the case of bridge mode, like you have, there is no need for the alias ip.
Regards
Pete.. -
CSM config-sync in bridge mode?
We are planning to upgrade our CSM from 4.1.6 to 4.2.6 and wanted to be able to utilize the config-sync capabilites in the new code. First, is config-sync supported in bridge mode and has anyone had much success or problems? We weren't able to find documentation on this? Please help!
config-sync works with bridge mode and routing mode.
You might want to go to 4.2.7 due to this ddts :
CSCse65938: CSM config-sync causes standby csm to core dump
Also, make sure your IOS version is at the right level due to this
CSCej00341: CSM Configuartion Sync timing out for large configurations
Gilles. -
CSM issue when using bridge mode
I have 2 CSM installed on 2 6509 each,and configured as bridge mode.One is acting active,another is standby.I know that client and server vlan have to use same IP,but I'm confused that the IP on standby CSM,does it need to differ from active CSM vlan IP or not?
Hello,
yes the ip adresses of the vlans on both CSM have to be different as you would have dupplicate IP-Adresses in any other case (not talking of the same IP-Adress in vlan1 and vlan2 configured in bridged mode). You should use the alias command to make the gateway redundant (only if this is needed in your scenario). In regards of the VIP-Adresses they have to be the same for failover purpose. I guess you know that you need the failover vlan too.
Kind Regards,
Joerg -
CSM route mode and bridge mode can exist at the same time?
I'm using CSM on ver 4.x,and I used to the bridge mode for firewall load balance,for a new requset,I have to create a new server/client vlan,but the original firewall load balance was effected when I issued the server vlan command,and I'd like to use route mode for the new server farm,I'm wondering that route mode and brige mode can't exist at the same time,because it seems it doesn't make sense.Any reply will be very appreciated.
you can use bridge mode and route mode at the same time.
Traffic with desintation mac address being the CSM will be routed, otherwise it will be bridged.
Gilles. -
I reset my airport extreme router the other day because I was too lazy to reset the password on my private network.
I have been reading the advice found on apple support communities and wide web, but the solutions do not solve any problems and often create new ones.
I'm regretting because everything was working just fine.
But I remember having this double nat error when I first set it up a few months back, but now I cannot resolve it.
I would live with the yellow light, but it seems that this double nat error is preventing my playstation 3 from connecting to the airport extreme.
When I put the aiport extreme into bridge mode, I loose all my wireless networks, even when I reboot the airport extreme and the modem.
I try rebooting the modem, then the airport. and vice versa. No internet.
I switch back to NAT/DCHP and the internet works fine on apple devices, but not the playstation 3, and I have the 1 Double NAT error.
I have a plain stock Motorolla modem and I can dial in and see settings (although nothing about NAT). I didn't see where to see them.
I tried setting the DHCP only but it said it didn't like the settings. is there a stock range i could be using?I have a plain stock Motorolla modem and I can dial in and see settings (although nothing about NAT). I didn't see where to see them.
Exact model .. motorola make adsl, cable and probably wireless modems.. with some modems and some modem router.. we need exact info. What kind of broadband do you have?
I would note.. some of the motorola cable modems seem to have issues with the apple routers. If you are about due to change modems.. now is a good time.. not another motorola.
If the modem is a straight cable modem, the AE must be in router mode.. but you need to power down the cable modem. maybe for 20min so the new router can pick up the IP address.
You cannot use DHCP alone.. the ISP do not give you a block of IP addresses.
You cannot use bridge with a pure modem.. you will find it works.. but only to one device.
The only reason you get double NAT is the failure to pick up the public IP.
Give the info required..
If you have trouble, I need the actual IP of the modem. the actual IP of the AE WAN port when plugged in. Screenshots are good. -
Hi,
Can the CSM be used in both the bridge and router mode for different VLANS ? Or does it need to use all router mode and all bridged mode ?you can have a mix of both.
Gilles. -
CSM-S in bridge mode with more than one vlan.
I want to understand well how CSM works with more vlans in bridge mode?
Can a host in a vlan contact another server in vlan if I change the IP address?
Thanks for your help.
Andrea.Hi,
Yes it can
Please look @ this documents:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00800946e0.shtml
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802c1201.shtml
If you find this post usefull
please don't forget to rate this
#Iwan Hoogendoorn -
Adding direct server access to CSM in bridge mode
I have a CSM that I have set up in bridge mode and want to allow direct management access to the real servers.
It looks like this. MSFC 10.1.100.1
CSM 10.1.100.3
Reals 10.1.100.10
10.1.100.20
10.1.100.25
Virtual 10.1.100.130
10.1.100.140
I tried to use the same method that I found for routed mode on CCO.
Serverfarm SERVER-SUBNET
No nat server
Predictor forward
Vserver DIRECT-ACCESS
Virtual 10.1.100.0 255.255.255.0 tcp any
Serverfarm SERVER-SUBNET
Inservice
The next step in the documentation says to add a static route to the CSM
Ip route 10.1.100.0 255.255.255.0 10.1.100.3
But this does not make since since the MSFC 10.1.100.1 address is already the default gateway.
So is there another way to configure bridge mode and enable direct management access?After I thought about bridge mode again and took out the direct-access and server-subnet commands. I tested again and I can now directly access the servers.
Maybe you are looking for
-
Constant kernel panics since upgrade to 10.4.4. help!
Well ive just spent the past 3 hours trying to figure out exactly what went wrong with my iBook, but it was Kernel Panicing like crazy. I couldnt even get online long enough to make a post about it. Lets recap. I updated to 10.4.4 Several hours later
-
Has anyone verified the temp readings as of the 3.7 bios?
Just flashed my bios to 3.7. 3.6 reported 38- 43°C idle, 60-64°C load. 3.7 show 32-36°C idle to 55°C load. Temps look nice, but how accurate are they? Has anyone used a probe to verify the accuracy of the temps? I wonder how close the readings a
-
Hi all, I've a problem with my jsp. When I first run my script on the browser it works fine. But when I refresh it, I always got this message: "Application Error" Return Error Message: 0 I really don't know what is the error? Can somebody enlightened
-
I have been a programmer all of my adult life and a software developer ever since I can remember. My language of choice is the IBM OS/390 Assembler and the IBM mainframe is my world. All the things that seem big deals in C/C++/Java I was already doin
-
Exported HTML not work in my host.
Exported HTML not work in my host. The program works fine. Looks good in the browser preview and published in businesscatalyst, but when i exporting as html and upload it to my server is bad, all misplaced.