CSM clients on vlans

I have a 6500 with 8 VLANs. Now I am going to implement a CSM with remote clients as well as all the local users on my 8 VLANs. My questions are:
1. Do I have to configure all VLANs as clients?
2. Is the VLAN where my CSM client is configured to be my only gateway?
Thanks a lot

Hi,
Regarding 1)
No, normally you have 1 client VLAN and x server VLANs.
Regarding 2)
This depends on the implementation: if you use bridged mode the GW is placed in the "client vlan"; if you use secure mode you have to take care that a default GW is configured on the CSM server side.
Regards,
Joerg

Similar Messages

  • CSM client side VLAN without a gateway?

    Hi there,
    We are running in bridge mode, and are having some weird arp table issues. I think I have it traced down to the fact that the CSM is arping for addresses, and the replies are getting to the CSM and getting cached, but the MSFC is never seeing them.
    Would behavior like this happen if there is no gateway configured on the client side VLAN? Is a gateway on the client side VLAN a requirement?
    Thanks!

    Let's see if I can explain this coherently, sorry if I don't...
    Problem:
    What we're seeing is that a machine with multiple IP addresses tied to one NIC can only be reached via one of those IP addresses from a different VLAN. I look on the MSFC arp table, and I only see an entry with a MAC for that one IP address, none of the others. If I add a static ARP entry, I can then reach the other IP addresses from the other VLANs. So communication is possible, the ARP table is just not getting populated automatically.
    -HOST A in VLAN A is pointing at the MSFC for its gateway.
    -HOST B in VLAN B is pointing at the MSFC for its gateway.
    -The CSM is in bridge mode. VLAN C is the client side VLAN. VLAN B is the server side VLAN.
    -HOST A is trying to ping HOST B. HOST A can ping HOST B on its "main" IP address, but none of the others.
    -The ARP table on the MSFC has an entry for the "main" IP address on HOST B, but no entries for any others.
    -The ARP table on the CSM does have entries for the "extra" IP addresses on HOST B.
    -A static ARP entry for an "extra" IP address on HOST B solves the problem. HOST A can then ping HOST B's "extra" IP address.
    My thoughts:
    The ARP table on the MSFC is not getting populated automatically from the CSM. As I see it, this is because HOST B is in VLAN B, which only has an interface on the CSM. The arp replies are going to the CSM successfully, but aren't getting to the MSFC because there is no gateway or route defined for VLAN B on the CSM.
    The reason that anything at all works is that the hosts in VLAN B are initiating communication outbound to their gateway on the MSFC, so it's getting their MAC addresses that way. When a machine has multiple IP addresses, and it doesn't use them to communicate outbound, the MSFC doesn't learn the MAC for those addresses because the ARP replies are going to the CSM which isn't sharing.
    Hopefully that makes sense, and it also makes sense why I'm thinking it's the lack of a gateway entry. Thanks for your help.

  • Cannot connect with CSM client

    One of our clients has a problem with their CSM deployment. They recently upgraded their CSM version, which is deployed on a VMware environment; the services are listed as running and the web service is available on port 1714. When he tries to access it with the CSM client he gets the error:
    "The client cannot connect to the authentication service."
    * Please confirm whether the Security Manager server is running
    I can't find any troubleshooting information for this specific issue. Has anyone got any experience of this issue, or what could be causing it?
    Regards
    Joel

    I'm having the exact same problem. My work around is to run C:\Program Files (x86)\cscopx\setup\support\resetcasuser.exe, select option 1 and reboot the CSM box.
    TAC said the issue was a GPO preventing the casuser from running batch, but we just modified the GPO yesterday and still have trouble.
    Strange thing is we did not have this issue when the backup job was failing.

  • CSM client device config

    Hi,
    On CSM Client > Device > Access Rules is showing the old config and not showing the active running config, whereas Tools > Preview Configuration shows me the running config.
    How do I make the CSM client show the running config?
    Thanks.

    Raj;
      When managing devices with CSM, it is expected that all configuration changes made to the device are made via CSM.  Any changes made via PuTTY will not be reflected within CSM without first re-discovering the device's policies.
      The screenshot does not indicate a specific error, only that policy objects already present in CSM were re-used with this device.  For the yellow triangle items, you will need to highlight each item and reference the matching description pane.  But from the overall status, the discovery was completed successfully with three warnings.
    Thanks,
    Scott

  • ACE - ICMP Client --- Server VLAN

    I am still trying to get the idea why it is not possible to get some ICMP replies from the ALIAS of the server VLAN when requesting the echo coming from the client side.
    The ICMP and also the traceroute work great with the inspection of ICMP for RSERVER -> Server VLAN -> Client VLAN -> OUT.
    The problem or issue is only when you try to get echo replies from the Server VLAN alias and its corresponding ip and peer ip addresses.
    Funny thing is one of the interface addresses answers. In context A it is the "ip address" and in context B it is the "peer ip address".
    Kind of questions my sanity here. :)
    My inspection rules are applied to the client VLANs or transfer network interfaces, whatever view you prefer, and work so far as intended.
    Any idea Gilles?
    Roble

    I see, but I also have the same behavior when routing inside a context.
    Have a look at context "Test" config. It has a client side VLAN (444) and a server side VLAN (555).
    The communication path for my ping looks like below.
    MyWorkstation <-> L3 Device <-> Context Test (Vlan 444) <-> Context Test (Vlan 555) -> ip, peer ip, alias
    As you can see I am staying inside the context Test, just passing the packet coming from VLAN 444 to an IP address inside VLAN 555. So this should work.
    I am not talking about the following communication path, which can't work regarding your statement above.
    Context Admin (Vlan 444) <-> Context Test (Vlan 444) <-> Context Test Vlan (555)-> ip, peer ip, alias
    Roble

  • Client/Server VLAN usage - ACE Module

    Is it a condition to use client/server VLAN definition only for VIP hits or can it also be used to pass normal traffic for e.g. passing traffic to the server directly on its actual IP (not VIP).
    Regards.

    No vip restrictions.
    With appropriate ACLs you can use ACE to route traffic between different vlans.
    Syed

  • CSM client vlan addressing

    Hi there,
    I'm testing out some new topologies for a planned installation and I have a question about the addressing that should be used on the client vlan of the CSM.
    In my topology I'll be running the CSM adjacent to a FWSM, with the MSFC on the inside of the FWSM.  Typically I assign a router-router or router-FW link a /29 range and assign the actual devices addresses in that range.  In my first test I set up the CSM and FWSM in a /29, and used client side VIP addresses in a totally different range.  I added static routes to the FWSM to point to the CSM for those ranges and as far as I can tell it works great.  I also tried the setup with the CSM, FWSM, and VIP addresses all in the same /24 range, and it also worked great.
    So while it seems that both worked fine, is there any advantage or technical reason why one would be better than the other, or is it all a matter of choice?  I've attached a diagram to illustrate.
    Thanks,
    Brandon

    Hi Brandon,
    Any of the two options are perfectly valid, and I see no technical reasons to choose one over the other.
    Daniel

  • Second Client Side VLAN - CSM

    Our current environment has grown to the size that a single Class C subnet on the client side of the CSM is full. We have a need to add an additional Class C subnet for the client side, but our TCOM group gave us a range which is not contiguous to the existing range and therefore cannot be added by simply changing the subnet mask (from 24 to 23).
    The default route for all traffic from the CSM is an IP address on the subnet described above.
    How should the new subnet be configured? I understand that there can only be one gateway on the CSM... so if traffic comes in on the second subnet, does this mean that it will go back out on the first subnet?
    Does this look right?
    vlan 111 client
    ip address 192.168.111.5 255.255.255.0
    gateway 192.168.111.1
    vlan 222 client
    ip address 192.168.222.5 255.255.255.0
    On the switch, when I run
    "sho ip route 192.168.111.5"
    it replies with "directly connected, via VLan111"
    When I run
    "sho ip route 192.168.222.5"
    it also replies back with the same:
    "directly connected, via VLan111"
    Please note: That I only manage the CSM and SSL-M. The switch and MSFC are managed by our TCOM group. Thanks for any information on this request!

    First, I want to thank you for the quick replies.
    I understand what you are explaining here and believe that our current configuration is as you have explained, but need to further clarify what we have in place.
    The single vlan on the client side previously had only a single class C subnet. It now has two separate Class C subnets. Traffic can reach the CSM, but never returns back to the client. When I added the configuration for the second VLAN client side and addressed it as part of the second class C address, content would now be returned to the client from the server side. But, I could not get the content to be forwarded to the SSL module which resides on a separate VLAN. I then removed client VLAN and traffic continued to flow properly (except to SSL module). I then cleared connections to the vservers (to emulate a reboot), this caused all traffic to no longer return to the client.
    Below is configuration (IP addresses changed to protect the innocent).
    ssl-proxy module 2 allowed-vlan 4,219
    ip subnet-zero
    vlan 200 server
    ip address 172.54.200.2 255.255.254.0
    alias 172.54.200.1 255.255.254.0
    vlan 4 server
    ip address 192.168.219.5 255.255.255.0
    vlan 219 client
    ip address 192.168.219.5 255.255.255.0
    gateway 192.168.219.1
    natpool SERVERSIDE1 172.54.200.241 172.54.200.254 netmask 255.255.254.0
    interface Vlan64
    description Network 64
    ip address 172.32.64.219 255.255.255.0
    ip accounting output-packets
    ip route-cache flow
    logging event link-status
    shutdown
    interface Vlan65
    description Network 65
    ip address 172.32.65.219 255.255.255.0
    ip accounting output-packets
    ip route-cache flow
    logging event link-status
    interface Vlan219
    description WebTeam URL Network
    ip address 192.168.222.2 255.255.255.0 secondary
    ip address 192.168.219.2 255.255.255.0
    no ip redirects
    no ip unreachables
    ip pim dense-mode
    ip route-cache flow
    no ip mroute-cache
    standby 10 ip 192.168.219.1
    standby 10 timers 3 9
    standby 10 priority 110
    standby 10 preempt
    standby 11 ip 192.168.222.1
    standby 11 timers 3 9
    standby 11 priority 110
    standby 11 preempt
    ip classless
    ip route 172.54.200.0 255.255.254.0 192.168.219.5
    NOTES: SSL-MODULE IP address 192.168.219.6 on VLAN 4.
    I will go ahead and open TAC Case and post results later.

  • How can I use multiple client side vlans in ACE?

    In CSM we have a default-gateway per Client VLAN, in ACE there is no equivalent command! How does the ACE handles routing in this situation?

    Hi,
    Talk about a deja-vu. I was faced with the exact same challenge about a year ago.
    Basically, I think you're looking at two options:
    1) Firewall consolidation - Consolidate your four firewalls into one, having one dedicated interface towards the ACE, and route all your VIPs using the ACE as next hop. It looks like your firewalls are virtual (but I don't know), so it's doable. But I don't know if this is even an option for you.
    2) Per-client-VLAN context - Context A for vlan1001, Context B for vlan1002 and so on. Each context handles client traffic for the respective VLAN and since each context handles its own routing table, simply use the firewall address as your default route. But from your drawing, it looks like your server VLANs are all connected to the same ACE, so you will need to split that up. Assign each server VLAN to an ACE context as you do with the client-side VLANs.
    Well, a third option would be NAT in your firewall. Unless you have a specific need for the original client IP to reach the ACE, you could NAT incoming client sessions in each of the firewalls to an interface address on that firewall; hence the ACE will see the client request as originating from the firewall, and since the ACE has connected routes to each of the firewalls, it will return traffic to the respective firewall and leave it to it to return the traffic to the client.
    Since each firewall will present the packets with a unique NAT'ed address, you can apply different policies, parameters etc. for that NAT address, if this is required.
    hth
    /Ulrich

  • CSM - Client NAT for routable server subnet

    I have clients and servers that are outside of the vlans that are the defined ones for CSM. I am using a client NAT pool that is part of the server side address space and server NAT. I see in a packet capture that the server is replying to pings to one of the NAT pool addresses. The ping does not get back to the client. The CSM is acting like it is not listening to traffic for the client NAT address. I saw an article that talked about "Secure router mode" and doing "IP SLB MODE CSM". I am not in that mode. Do I need to be and what effect will that have on my current load balanced servers?

    Thanks. This is now working.
    I see that the NAT has to be in the client address space as that is where the default gateway for the CSM is. Made the following changes:
    no natpool CLIENTNAT1 10.200.0.230 10.200.0.232 netmask 255.255.255.0
    natpool CLIENTNAT1 10.200.250.230 10.200.250.232 netmask 255.255.255.0
    Noticed that a previous "show mod csm 5 arp" showed:
    10.200.2.100 -->10.200.250.1 0 REAL routed
    10.200.2.101 -->10.200.250.1 0 REAL routed
    10.200.2.102 -->10.200.250.1 0 REAL routed

  • Bridge with clients & multiple VLANs on 1242 AP

    Hi,
    I am trying to set up a test as per the attached diagram. I am looking to use 2x 1242 access points to bridge to a remote part of the network.
    I currently have 2 VLANs on the network, all network devices are on VLAN 1 for management and client access is on VLAN 2.
    What I am trying to achieve is to bridge between the two access points and also have clients connect to VLAN 2 on each access point.
    Firstly, are the 1242s capable of this, or would I need to look at a 1300 Bridge?
    I have attached a copy of the base config I have on both APs; the only difference between them is the root or non-root role.
    My bridge link currently works and I can ping across it on VLAN 1, but I cannot get a client to connect to the SSID on VLAN 2. Although the SSID is set to guest mode I cannot see it being broadcast, and if I manually try to connect nothing happens.
    Is there anything basic I am missing here, or can anyone offer advice on bridging multiple VLANs with 1242 APs?
    Thanks,
    Paul

    Ooops....forgot to add the attachments first time.
    Thanks,
    Paul.

  • 6500 w/csm client talking with vip gets direct to real

    We have a small server farm with four real servers and one vserver. When the client initiates a connection with the vserver it opens up an RPC at a certain point and starts talking directly with one of the real servers, totally bypassing the vserver, and if we take down that real server, then the connection hangs and it does not get redirected to another server. The CSM is set up in bridge mode and the servers are being used for a document management application by Hummingbird. Has anyone seen that kind of behavior?
    Any help would be welcome as we are going live with this project at the end of the week.

    What is the concern?
    That the client goes directly to the real, or that disconnecting the real does not redirect the connection?
    For the latter, you should use the command 'failaction purge' under the serverfarm definition.
    This will force the CSM to kill the connection if the real goes down.
    For the other concern, your application is probably sending at some point its server ip address.
    Each server will therefore send its own ip address and the client will go directly to it.
    You should see if there is a way for your application to return a "configured" ip address that would be your vip.
    You could also try to configure the vip as a loopback ip address on every real server and tell your application to advertise this address.
    Hope this helps.
    Gilles.

  • VTP CLIENT ERASE VLAN INFO

    Could you please explain how a new switch added as a VTP client (with a higher revision number) can erase VLAN info. Some materials say it can erase it, but some say it can't. Please clarify.

    Incorrect.
    SW-11 will ignore the VTP updates from other switches because of their lower configuration revision number. At the same time, other switches will receive VTP updates from SW-11, find that the received updates have a higher revision number, and thus replace their own VLAN info with the received updates. At that time, all switches will have identical VLAN information to SW-11.
    A typical wrong concept is that switches in VTP client mode cannot overcome a switch in server mode. There is no such definition of VTP client mode. The true definition of VTP client mode, according to "Cisco LAN Switching" by Kennedy Clark, page 545, is that a switch in client mode CAN source and listen to VTP messages, but CANNOT create and remember VLANs. ("source" means send out VTP messages, "remember" means store VLAN info in NVRAM.)
    According to this definition, switches in server mode and client mode will both send out VTP messages, and there is no rule that messages from server mode should beat the ones from client mode. The rule is that the revision number determines who will win. However, it is rarely possible to make a switch in client mode have a higher revision number than one in server mode. I have designed a lab to make this happen, described as follows.
    I have 3 switches and have them connected as below:
    SW1---SW3---SW2
    SW1 and SW2 are VTP servers, while SW3 is a VTP client. The connections among them are trunks.
    First I create 10 VLANs on SW1. All switches have 10 VLANs and VTP revision number 10.
    Then I shut down the connection between SW3 and SW2. SW2 is isolated from the others, but the VLAN info among them is still the same.
    Then I delete 5 VLANs on SW1. Now SW1 and SW3 have only 5 VLANs and VTP revision number 15. SW2 has 10 VLANs and VTP revision number 10.
    Then I shut down the connection between SW1 and SW3. Now we have 3 isolated switches. SW3 has 5 VLANs and VTP revision number 15. SW2 has 10 VLANs and VTP revision number 10.
    Notice that SW3 is in VTP client mode and has a higher revision number than SW2, which is a VTP server. Now I restore the connection between SW3 and SW2 so they can start to exchange VTP messages, and the result is -- Client prevails over Server. HOORAY!
    Option A commits a wrong concept and hopes someone falls into the trap. Unfortunately, this happens all the time.
    HTH
    SSLIN
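The SW1---SW3---SW2 lab above, replayed as an added Python model (not the poster's code). It encodes the rule the answer states: a switch adopts an advertised VLAN database whenever the advertised revision is higher than its own, whatever mode the sender runs in, while only servers can edit VLANs. The `safe_to_join` pre-check is my own addition: the defensive step is to compare a new switch's revision against the domain's before trunking it in, and reset it if it is not lower.

```python
"""VTP revision-number model replaying the lab described above.
Added example, not the poster's code.  Switch names and the one-increment-
per-VLAN-change counting follow the lab as written."""


class VtpSwitch:
    def __init__(self, name, mode, vlans=(), revision=0):
        self.name, self.mode = name, mode
        self.vlans, self.revision = set(vlans), revision

    def edit(self, add=(), delete=()):
        """Local VLAN change: only a server may do this; bumps the revision."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is a VTP {self.mode}; "
                                  "it cannot create or delete VLANs")
        self.vlans |= set(add)
        self.vlans -= set(delete)
        self.revision += 1          # one increment per add/delete, as in the lab
        return self.revision

    def receive(self, advert_vlans, advert_revision):
        """Adopt the advertised database if its revision is higher.  Mode of
        the sender is deliberately not consulted: only the revision counts."""
        if advert_revision > self.revision:
            self.vlans, self.revision = set(advert_vlans), advert_revision
            return True
        return False


def sync(a, b):
    """Exchange summary adverts across a trunk in both directions."""
    b.receive(a.vlans, a.revision)
    a.receive(b.vlans, b.revision)


def safe_to_join(domain_revision, new_switch):
    """Pre-check before trunking a new switch into a domain: its revision
    must be below the domain's, regardless of its mode (reset it if not)."""
    return new_switch.revision < domain_revision


def run_lab():
    """Replay SW1---SW3---SW2; returns (sw2 overwritten?, sw2 vlans, sw2 rev)."""
    sw1 = VtpSwitch("SW1", "server")
    sw3 = VtpSwitch("SW3", "client")
    sw2 = VtpSwitch("SW2", "server")
    for v in range(2, 12):              # create 10 VLANs on SW1: revision 10
        sw1.edit(add=[v])
        sync(sw1, sw3)
        sync(sw3, sw2)
    for v in range(2, 7):               # SW3---SW2 cut; delete 5 on SW1: rev 15
        sw1.edit(delete=[v])
        sync(sw1, sw3)
    # SW1---SW3 cut, SW3---SW2 restored: the client's higher revision wins.
    overwritten = sw2.receive(sw3.vlans, sw3.revision)
    return overwritten, sorted(sw2.vlans), sw2.revision
```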

  • Cisco WAAS and Content Switching Module compatibility

    We are planning to implement WAAS on our hub's 6500 core switches, so that TCP connections from the end sites users to the servers in the hub can be optimized. But we have the servers VLAN groups under the Cisco CSM module already. Are the client-server connections still able to be optimized by WAAS?

    Hi Joe
    Let's separate out the two topics here.
    a) WAAS traffic interception with WCCP
    b) CSM
    a) When you say VLAN 200 is where the target servers are connected, is that the CSM client side VLAN or the actual server VLAN?
    The bottom line is you need to make sure the interface where you configure "ip wccp 61 redirect in" is receiving traffic from servers towards .
    Good reference for WCCP best practices in 6500:
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-629052.html
    b) Yes, you can configure stickiness for session persistence as in the URL below:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/addftrs.html
    Thanks

  • CSM + multiple client vlan

    If a CSM has more than one client VLAN, connected to different routers, how does the CSM decide what path to take when a server initiates a connection? In other words, is there a way to associate server VLAN(s) to a client VLAN?

    The term client VLAN actually represents an interface between the CSM and the 6500's L2 and L3 VLAN.
    If you have multiple routers connecting to your 6500, they will be associated with VLAN(s) on the 6500 as any other VLAN is... you define the balanced servers' default gateway as the alias address within the server VLAN defined on the CSM... the CSM then forwards this to the gateway defined on the CSM client VLAN, which is also the 6500's L3 interface. The 6500 then uses its own routing table to determine where the next hop for this destination is.
    Hope this helps
    Steve
