CSS VIP

I have worked with Cisco on this and so far nothing. I have a VIP that I cannot communicate with over port 80; all configs are good according to Cisco. If I telnet to one of the 2 servers behind it on port 80 they work fine. If I telnet to the VIP on 80 it ages out; even the firewall logs verify this. If I do a show flow on the CSS there is nothing for the VIP I am going to. Cisco had me do the debugging for the VIP and didn't even see any SYN or SYN/ACK.
The only thing that shows up when I do a sh rule "owner" "content" all is that there are no connections, just the total rejects increments. What does the total rejects mean? I am trying to find this out as it may lead us to what is causing this.

Hi Steve,
The total rejects field increments when all services for a content rule are unavailable.
A service is a destination location where a piece of content resides physically
(a local or remote server and port).
Can you send me the output of the following:
show keepalive
show keepalive-summary
show service summary
You can also configure a sorry server, just for testing purposes; it is not mandatory.
The Cisco CSS 11xxx Series Content Services Switch directs content requests to the primary sorry server when all the other services are unavailable. You can configure this service to contain content or to provide a drop or redirect message. This service is not used in load balancing.
See the URL below to configure a sorry server:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093de8.shtml
Thanks and regards,
Sachin Garg
Senior Specialist Security
HCL Comnet Ltd.
http://www.hclcomnet.co.in
A-10, Sector 3, Noida- 201301
INDIA
Mob: +91-9911757733
Email: [email protected]
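
An added example (not part of the thread, and not CSS code): a small Python model of the keepalive and content-rule behaviour the reply describes. Each service is probed, goes down after maxfailure consecutive failed probes (the values show keepalive reports), and a rule with no alive service either hands the connection to the sorry server or rejects it, which is when total rejects increments. It also includes the "telnet to the VIP" check as a socket probe that tells a refused connection apart from one whose SYN ages out. The state machine inside the CSS is not published on this page, so it is an assumption that follows the documented parameters; the 2xx/3xx success range for the HTTP probe and all names are assumptions too.

```python
"""Model of CSS keepalive -> service state -> content-rule admission.
Added example; the CSS internals are assumed, not taken from the page."""
import http.client
import socket
from dataclasses import dataclass, field
from typing import List, Optional


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP connect the way a 'telnet host port' test does:
    'open' (SYN/ACK came back), 'refused' (RST came back) or 'timeout'
    (the SYN aged out, which is what the poster saw against the VIP)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"


def http_probe(host: str, port: int, uri: str, timeout: float = 3.0) -> bool:
    """'keepalive type http' with a URI: GET it and count 2xx/3xx as alive.
    Assumption: the status range the CSS accepts is not stated on the page."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", uri)
            return 200 <= conn.getresponse().status < 400
        finally:
            conn.close()
    except (OSError, http.client.HTTPException):
        return False


@dataclass
class Service:
    """One real server: 'maxfailure' consecutive failed probes -> Down."""
    name: str
    maxfailure: int = 3            # CSS default keepalive maxfailure
    failures: int = 0
    alive: bool = True

    def record(self, probe_ok: bool) -> bool:
        if probe_ok:
            self.failures = 0
            self.alive = True
        else:
            self.failures += 1
            if self.failures >= self.maxfailure:
                self.alive = False
        return self.alive


@dataclass
class ContentRule:
    """A VIP rule: new connections go round-robin over alive services; with
    none alive the sorry server (if configured and alive) takes them, else
    the connection is rejected and 'total rejects' is incremented."""
    name: str
    services: List[Service]
    sorry_server: Optional[Service] = None
    total_rejects: int = 0
    _rr: int = field(default=0, repr=False)

    def select(self) -> Optional[Service]:
        alive = [s for s in self.services if s.alive]
        if alive:
            chosen = alive[self._rr % len(alive)]
            self._rr += 1
            return chosen
        if self.sorry_server is not None and self.sorry_server.alive:
            return self.sorry_server
        self.total_rejects += 1
        return None


def keepalive_round(rule: ContentRule, probe) -> dict:
    """One keepalive interval: probe(service) -> bool for every service."""
    for svc in rule.services:
        svc.record(probe(svc))
    return {s.name: s.alive for s in rule.services}


def loopback_listener() -> socket.socket:
    """Throwaway listener on 127.0.0.1 (OS-chosen port) used to demonstrate
    tcp_probe without a real server."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    return lst


if __name__ == "__main__":
    lst = loopback_listener()
    port = lst.getsockname()[1]
    print("listening port:", tcp_probe("127.0.0.1", port))   # open
    lst.close()
    print("closed port:   ", tcp_probe("127.0.0.1", port))   # refused
    rule = ContentRule("web80", [Service("srv1", 2), Service("srv2", 2)])
    for _ in range(2):
        print(keepalive_round(rule, lambda s: False))
    print("select:", rule.select(), "rejects:", rule.total_rejects)
```

A "timeout" from tcp_probe against the VIP while the real servers answer "open" is the same picture the poster describes; pairing it with the rule's reject counter says whether the VIP is dropping because every service is down rather than because of a path problem.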

Similar Messages

  • CSS VIPs use old MAC address after firewall failover

    We have our CSS load balancers behind our firewalls in a DMZ, and when the firewall fails over, the physical interface changes the MAC address to the new address of the now active firewall, but the VIPs do not, and all traffic to those VIPs is broken. Has anyone experienced an issue like this before? Any help would be appreciated.
    Thanks.

    I understand you have CSS load balancers behind firewalls in a DMZ. Could you clarify what interface changes the MAC address to the new address of the now active firewall after firewall failover? Are you expecting the VIPs to fail over too?
    If the firewall failed over, it depends on the type of firewall; for some firewalls the MAC will change, and the new active firewall sends a gratuitous ARP which makes the neighboring devices save the new MAC address of the active firewall with the IP address. It seems to be your case. If for some reason that is not happening (gratuitous ARP missing), it could cause issues like VIPs on the CSS being broken.
    The failover of the firewall should be transparent to CSS VIPs. Did you take a capture to see what is happening? Did the CSS receive requests properly? Is the CSS load balancing to the server properly?
    If you require CSS failover when the firewall fails over, then you can define a critical service (layer 3) or a critical physical interface (layer 2), and if that detects the link to the firewall down, then it could fail over.

  • Connections between servers using CSS VIP?

    In our new pre-production environment we have several servers connected to a 3750 switch, which is then connected to a CSS 11503. Upstream the CSS is then connected to an ASA firewall pair. The CSS VIPs are 10.22.1.0/24 on the "outside" and the servers have 10.21.1.0/24 addresses on the inside. The CSS inside & server 3750 switchports are all on the same VLAN. There is no PAT/NAT configured (except for the VIP being translated to a chosen server IP I suppose).
    Whilst the clients will connect to the servers via the VIPs, what we want is for each server to also be able to talk to other servers via a VIP. This is because some of the servers provide a service (LDAP actually) that we would like to be load balanced.
    Now, what is curious, is that *this works* in our production environment where the servers are *directly* attached to the 8 port switch module in the CSS. However in this new environment, where the 3750 is between the servers and the CSS, it doesn't (actually you can ping the VIP successfully but nothing else works).
    I have seen other postings on NetPro where people are trying similar things, like: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Networking%20Solutions&topic=Application%20Networking&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd81312 and http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Emerging%20Technologies&topic=Content%20Networking&CommCmd=MB?cmd=display_location&location=.1dd72fd0
    The relevant CSS config I think (there are lots more services etc but they are all similar) is:
    circuit VLAN1
      ip address 10.21.1.100 255.255.255.0
    circuit VLAN2
      ip address 10.22.1.1 255.255.255.0
    keepalive ssokeepalive
      type http
      keepalive port 7777
      uri "/sso/status"
      keepalive frequency 10
      keepalive maxfailure 2
      tcp-close fin
      active
    service pulpldp001sso
      ip address 10.21.1.6
      keepalive type named ssokeepalive
      active
    content SSO
      vip address 10.22.1.12
      protocol tcp
      port 7777
      application http
      url "/*"
      advanced-balance cookie
      add service pulpldp001sso
      active
    i.e. VIP 10.22.1.12 will be directed to the server 10.21.1.6 (only the one shown above).
    Q1) My first question is: is server to server communication via an outside VIP possible?!
    Q2) Given that this seems to work in our production environment without the 3750s, any idea what areas of config could be wrong on the 3750 or the servers? (We've tried default routes of both the 3750 and the CSS inside address but that hasn't worked.) Note the ping from a server works but when we try, say, "telnet 10.22.1.12 7777" that doesn't connect.
    Q3) Let's assume that the servers run more than one service, e.g. an HTTP and an LDAP service. If a server can communicate with another server using its VIP, will it work from one server up to the CSS/VIP and back to itself? (of course it may or may not actually return to itself depending on the load etc)
    I can provide full configs on Monday if required.
    Hope these aren't dumb questions! Many thanks!
    Simon
    PS. the CSS is running 7.50 at the moment but could upgrade to 8.2 if required

    Thank you Adedayo - that appears to have done the trick! I can't believe it: one little keyword!
    I have to say, even once you told me the answer I still didn't find the Cisco content config manual very helpful on this point (perhaps I'm looking in the wrong place?).
    Note: we're not currently doing any PAT on the CSS so don't have any source groups set up - perhaps most people do and so don't have the same problem.
    I'll get chance to report back on some proper testing next week and promise to update this conversation.
    Adedayo: sorry, I wanted to flag your post as solving my problem once I was sure next week but now the tick box has gone - if you reply again I'll flag that! I appreciate you taking the trouble to post.
    One final question: do you have a situation where you use a VIP from a server to potentially connect back to itself? If so, does it work OK? (e.g. if you have a webserver can you connect to the content VIP that it belongs to?)
    Simon

  • CSS VIP Issues (Source Group with 'add destination service')

    I have a pair of Cisco CSS 11503 boxes with an ap-kal-pinglist applied to both virtual routers, as a Critical Service, on the Primary CSS.  When a link goes down, the VRRP fails over all traffic to the Secondary, as expected, but there is an issue with two particular VIPs.  These VIPs have Source Groups configured, like below:
    group WEBSITE_ABC
      add destination service XYZ_Server_1
      add destination service XYZ_Server_2
      vip address 10.10.3.25
      active
    group WEBSITE_XYZ
      add destination service ABC_Server_1
      add destination service ABC_Server_2
      vip address 10.10.3.24
      active
    Once a failover occurs, the VIPs are unreachable via a browser.  I have also seen 1 VIP OK and 1 VIP not, but never both working.  At times, when I failback to the Primary, the VIPs are OK again.  The services are reachable via a browser during this issue.
    any ideas?

    You need to check if during the failover the CSS sends a G-ARP (gratuitous ARP) to inform that the ARP entry associated with the NAT IP address now belongs to the secondary CSS.
    Get a sniffer trace during failover and check if this G-ARP is sent.
    If not, this is a bug and you need to report it.
    If yes, then the problem is not the CSS but another device on the path. Did the switch correctly learn the new path? Does the server have the correct ARP table?
    Gilles.

  • CSS -Can TCP port number under the VIP be different to real server TCP Port

    Client (TCP port 80) -----------------------------> CSS VIP -----------------------------> Server (TCP port 5555)
    The requirement is that client will send a request to VIP on port 80 and VIP has to forward the request to server on a different port(TCP port 5555).

    Yes, it's possible.
    The port command under the service translates the destination port.
    content whol_eiwebsit_80
      add service srvr1
      add service srvr2
      vip address 128.1.1.1 <-- VIP
      port 80 <-- listening on port 80
      protocol tcp
      url "/*"
      active
    service srvr1
      ip address 10.10.10.1
      protocol tcp
      port 5555 <-- will translate dest port
      keepalive type tcp
      keepalive port 5555
      active
    service srvr2
      ip address 10.10.10.2
      protocol tcp
      port 5555
      keepalive type tcp
      keepalive port 5555
      active
    HTH
    Syed Iftekhar Ahmed

  • Radius traffic is no longer SNAT'd after a failover, CSS-CSS

    Hi Experts,
    I have a case where I have 2 CSSs in active/standby mode. We use a VIP for RADIUS traffic, i.e. UDP 1813. In normal operation, all is OK. The IP source of the packet from the CSS to the GGSN (NAS) has the CSS VIP IP. After we fail over to the other CSS, this new CSS stops un-NATing. This means that the packet from the CSS to the GGSN in the RADIUS response has the source IP of the real RADIUS server. The GGSN doesn't accept this as this IP is unexpected.
    Why does the CSS stop doing NAT after a switchover? Software is 7.10.504.
    TIA
    Alan

    In order to find the root cause of the issue more information is needed. What I can tell you for sure is that the code version that you are running is very old and is vulnerable to several problems.
    We already have 8.20, so it would be important to consider an upgrade in the future.
    Perhaps you can attach the showtech of both CSS and I can take a look to see if something is wrong, also please clarify if when failing over back to the Primary the NATing started working again.
    Hope it helps!!

  • HSE 1.7 and CSS

    I read that the HSE doesn't support CSS VIP/interface redundancy, and that's what we're using with the 11506s with SSL modules. What features will I lose by not having this supported?
    Will there be any difference in the device management?
    It seems to work well with the 3.1 CSMs.
    What is the roadmap for the HSE product?
    thanks

    Hi,
    are you running version 1.8.1 or 1.8.2?
    You need to run 1.8.2 as there was a change of the OIDs from 7.3 to 7.4 and only 1.8.2 is supporting the new OID tree.
    see http://www.cisco.com/en/US/products/sw/cscowork/ps150/products_device_support_table09186a00803597e4.html#wp31498
    Kind Regards,
    Joerg

  • CSS11000 VIP not communicating with FWSM Vlans

    There are two physical servers behind the load balancer. These servers are in VLAN54:
    SRV212 - 205.190.54.212
    SRV213 - 205.190.54.213
    Load Balancer VIP for the above servers - 204.190.54.67
    Load balancer keepalive port - TCP 9999
    Load Balancer VLAN54 IP address - 204.190.54.69
    MAC address of 204.190.54.69 - 000c.abcd.efgh
    ARP entries
    =======
    The FWSM has a static ARP entry for VIP 204.190.54.67 configured with the MAC address of 204.190.54.69.
    204.190.54.67   000c.abcd.efgh
    Issue
    ===
    The FWSM is the routed interface (with the L3 gateway) for VLAN54 as well as other server VLANs. VLAN3 is a point-to-point VLAN that connects to another L3 boundary, beyond which are located the end users. These end users are routed via a different L3 gateway and use VLAN3 of the FWSM to reach the server VLANs. The end users routed in different L3 gateways are successfully able to connect to the VIP of the load balancer and hence connect to the application on the keepalive port of 9999 (a simple telnet to 204.190.54.67 on TCP port 9999 opens).
    Server VLANs that are routed via the FWSM (with their default gateways set to the FWSM) are not able to connect to the VIP 204.190.54.67 on port 9999 (a ping or a telnet to 204.190.54.67 on TCP 9999 failed).
    Observation
    ========
    Server VLANs that are directly routed on the FWSM cannot communicate with the load balancer VIP 204.190.54.67, whereas L3 boundaries that are beyond the FWSM perimeter can access the VIP (ping and telnet).
    Has anyone experienced a similar scenario, and if so what should I do to make this work?
    Regards
    CJ

    CJ-
      Sounds like it's asymmetric; the firewall is not going to appreciate that, and the client will receive a SYN/ACK from the server directly, not from the CSS VIP.  Try configuring a group like this for testing:
    group TestNAT
      add destination service SRV212
      add destination service SRV213
      vip address 204.190.54.67
      active
    Regards,
    Chris Higgins

  • GSS - Keepalive using TCP/VIP

    Hi,
    I created a content rule in the CSS for FTP.
    When I used keepalive type ICMP for the GSS answer, everything worked fine.
    When I configured the GSS answer using keepalive VIP/TCP, the answer status is offline.
    When I do a tcpdump on the GSS interface, the keepalives are being sent from the GSS.
    Do I have to do any configuration in the CSS to respond to GSS keepalives?

    Are you doing KAL-AP?
    Or is it a TCP keepalive and the GSS is just opening a TCP port with the CSS VIP?
    Is your content rule alive? Check with 'show summary'.
    Did you try it from a client?
    Is there a firewall between the GSS and the CSS?
    Try to capture a trace on the CSS.
    Do the real servers know how to reach the GSS?
    Gilles.

  • CSS to transparent Proxy load-balancing

    We have a single Blue Coat proxy that is exposed to the internet; we need to add another one and load balance traffic to both of them. The problem is that this traffic cannot be routed to the proxy explicitly (i.e. not like in Internet Explorer), so this load balancing has to be done transparently to the users.
    So is there a way or another that I can load balance internet traffic to these proxies with an inline CSS, or maybe L2 load balancing to the proxies without involving a VIP?
    I was thinking about making the CSS VIP the default gateway of the clients so that traffic hits it, and making the 2 proxies the two real servers behind this VIP, but I'm not sure if this will hit the rule before routing traffic or not.

    Thank you Gilles, I was hoping that YOU would see and reply to this post.
    It sounds logical to remove the VIP, but I am not going to connect the CSS physically inline; I will make it the gateway of the clients so that all traffic hits it and then the rule.
    Do you have concerns?

  • CSS loadbalancing "Telnet"

    Hello:
    I have a CSS 11501 where I need to balance Telnet; I can't get the service up and running.
    My client needs to telnet to a server connected to a server farm. I attach the config and troubleshooting.
    !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 192.168.198.1 1
    !************************* INTERFACE *************************
    interface e7
      bridge vlan 16
    interface e8
      bridge vlan 16
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 192.168.198.200 255.255.255.0
    circuit VLAN16
      ip address 10.10.10.1 255.255.255.0
    !************************** SERVICE **************************
    service serv1
      description "Server for Telnet"
      ip address 10.10.10.2
      active
    !*************************** OWNER ***************************
    owner CSS
      content Telnet
        vip address 192.168.198.100
        add service serv1
        protocol tcp
        port 23
        active
    CSS11050# sh ser
    Services (2 entries):
    Name: serv1 Index: 2
    Type: Local State: Alive
    Rule ( 10.10.10.2 ANY ANY )
    Redirect Domain:
    Redirect String:
    Keepalive: (ICMP 5 3 5 )
    Last Clearing of Stats Counters: 11/09/2004 05:20:12
    Mtu: 1500 State Transitions: 6
    Total Connections: 12 Total Reused Conns: 0
    Weight: 1 Load: 2
    DFP: Disable
    CSS11050# sh summary
    Global Bypass Counters:
    No Rule Bypass Count: 0
    Acl Bypass Count: 0
    Owner   Content Rules   State    Services   Service Hits
    CSS     Telnet          Active   serv1      1
    CSS11050# sh service summary
    Service Name   State   Conn   Weight   Avg Load   State Transitions   Idx
    serv1          Alive   0      1        2          6                   2

    Hi,
    What's the server's default gateway? It should be the CSS VIPs of the back-end.

  • I think I'm going crazy getting my CSS11501 to work as intended!

    I've been posting here before regarding CSS and NAT'ing and how our web servers just log the VIP address of the CSS.
    Now it turns out after a talk with our programmers, we can't use NAT at all because the backend servers will deliver services based on source IP addresses.
    So here's my configuration: backend servers -> HP Procurve 2650 -> CSS11501
    The CSS interface where the servers are connected to have the following configuration:
    interface e5
    bridge vlan 2
    redundancy-phy
    phy 100Mbits-FD
    And circuit VLAN2 is as follows:
    circuit VLAN2
    description "LAN"
    redundancy
    ip address 192.168.1.4 255.255.255.0
    I tried yesterday to separate two servers as a test in a vlan so that the CSS would act as a bridge between the servers and our firewall (which acts as a router).
    So on the switch, I assign the ports for e5 on the CSS as untagged in the default vlan and tagged in vlan2. I then assigned the server ports for untagged in vlan2 and 'no' for the default vlan.
    They can't see each other with this configuration, and setting the e5 interfaces as untagged in vlan2, tagged in vlan1 and the server ports untagged in vlan2, they still can't see each other!
    And I really mean they can't see each other, if I clear the arp cache for the servers, the CSS doesn't pick up the MAC addresses again, so it's clear that there's something with the vlan tagging.
    I've been working on this for a week and it's just getting more frustrating as I try different things which still don't work. What am I doing wrong?
    Also there's a potential additional problem which I hope I can get an answer to: the servers have two NICs active. The primary NIC has an IP address which is on the same subnet as the CSS WAN interface. If I get the servers and the CSS to talk across the VLANs, will this be a problem with bridging, as the CSS finds a host on its LAN segment which has an IP address that belongs to its WAN segment?

    Thanks Gilles.
    I read the list of advantages and disadvantages.
    However the only disadvantage I can see is that the CSS yields lower performance since it has to shuffle inbound and outbound traffic on the same interface.
    For instance: "When using this configuration, the load balanced servers will see all traffic as being originated from the CSS rather than the real client source IP address. You do not get a true representation of where your traffic is coming from."
    and in the following example:
    "The CSS is now configured to load balance to the services, however, there is one problem. When the traffic goes through the CSS to get load balanced, the destination IP address is changed but the source IP address is not changed. When those packets head back to the client, they bypass the CSS through the switch because the servers' default gateways are set to the router IP address and the source IP address of the load balanced request is not on the local subnet.
    You must not only NAT the destination address of the packet but the source addresses as well. In order to do this, configure the source groups."
    This could be considered a bit misleading; I set the default gateway for the servers to the CSS, and not only do I *not* need to NAT, I *do* see the real client source IP address not the CSS VIP address, and furthermore, the servers have full access to all of our network resources as well as the internet if we chose to.

  • Load balancing LDAP Servers

    Hi
    Load balancing to be achieved on two LDAP Servers.
    In CSS, round robin configuration is carried out between the LDAP Servers.
    My query is: when the client initiates the TCP connection to the CSS VIP address, which in turn redirects the request to server A (termed LDAP binding), during that and any activities like LDAP modify communication from the client, will the CSS see that as a different request and redirect it to server B (as round robin configuration is carried out)?
    Any help on this is highly appreciated.
    Thanks & regards
    R.Sundara Rajan

    If I am reading your question correctly, it sounds like you are asking if, once a TCP session is established to the VIP, if subsequent LDAP transactions from that connecting client will be load balanced.
    The answer is no: once the TCP session is established, you will continue to use the same backend server until the TCP session ends (FIN or RST or whatever).
    Simply described in a healthy system, from TCP SYN to FIN everything will be directed to the same server.
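
An added example, not CSS code, that serves both the port-translation question earlier on this page (VIP port 80 to server port 5555) and the answer just above: a minimal Python layer-4 balancer that picks a backend once per accepted TCP connection, round robin, and then only pumps bytes. Every request on that connection (an LDAP bind followed by modifies) reaches the same server, and each backend carries its own service port, so the VIP port is translated per backend. The backend addresses, the echo test servers and the request format are constructed for the demo.

```python
"""Per-connection round-robin L4 proxy with destination port translation.
Added example; the CSS does this in hardware, this is only the behaviour."""
import itertools
import socket
import threading
from typing import List, Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then propagate the half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class L4Balancer:
    """VIP front end: the backend is chosen once, when the SYN is accepted."""

    def __init__(self, backends: List[Tuple[str, int]]):
        # Each backend has its own service port (like 'port 5555' under a CSS
        # service), so the VIP port is translated per backend.
        self._rr = itertools.cycle(backends)
        self._lock = threading.Lock()
        self.listener = socket.socket()
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

    def start(self, vip: str = "127.0.0.1", port: int = 0) -> Tuple[str, int]:
        self.listener.bind((vip, port))
        self.listener.listen(16)
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.listener.getsockname()

    def choose(self) -> Tuple[str, int]:
        with self._lock:
            return next(self._rr)

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return                      # listener closed by stop()
            backend = self.choose()
            try:
                server = socket.create_connection(backend, timeout=5)
            except OSError:
                client.close()              # backend down: drop the client
                continue
            threading.Thread(target=_pump, args=(client, server), daemon=True).start()
            threading.Thread(target=_pump, args=(server, client), daemon=True).start()

    def stop(self) -> None:
        self.listener.close()


def start_echo_backend(tag: bytes) -> Tuple[str, int]:
    """Stand-in real server (constructed for the demo): answers every request
    line with its own tag, so a client can see which server it was pinned to."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def handle(conn: socket.socket) -> None:
        with conn, conn.makefile("rb") as reader:
            for line in reader:
                conn.sendall(tag + b" " + line)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def ask(vip: Tuple[str, int], n: int) -> List[bytes]:
    """Open ONE connection to the VIP, send n request lines on it and return
    the tag of the server that answered each one."""
    with socket.create_connection(vip, timeout=5) as conn, conn.makefile("rb") as reader:
        tags = []
        for i in range(n):
            conn.sendall(b"request %d\n" % i)
            tags.append(reader.readline().split(b" ", 1)[0])
        return tags


if __name__ == "__main__":
    backends = [start_echo_backend(b"srv1"), start_echo_backend(b"srv2")]
    lb = L4Balancer(backends)
    vip = lb.start()
    print("VIP", vip, "-> backends", backends)
    for _ in range(3):
        print(ask(vip, 2))        # same tag within a connection, alternating across
    lb.stop()
```

Running it shows three tags in a row from one connection and a different tag on the next connection; the VIP's listening port and the backends' ports are all different, which is the port translation the CSS does with the service-level port command.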

  • Multiple JDS as a name service question

    I have three JDS (5.2) running as a naming service for host and user authentication: one master, and two slaves. My problem is that the ldap servers themselves point to another ldap server for information. So when I take one server down (patching) everything pointing to that server (ldap1) goes down, and everything pointing to ldap2 (which uses ldap1 for a naming services) goes down as well. The basic effect is I lose 2/3 of my applications.
    I read an LDAP server can not point to itself for authentication. Do I just need to remove the ldap client and run the ldap servers old school (local accounts)? Or is there another solution?
    I do have normal hosts (non-LDAP servers) pointing to a VIP (virtual IP). Do I just need to treat my LDAP servers the same?

    No, I'm not saying that.... I guess I should have spelled out the "clients" comment a little more.
    I have all (well, a majority in the 90% range) of my clients pointing to a Cisco CSS VIP which is really all three of my LDAP servers. This way LDAP queries should never go down. I've tested this on individual servers and it appears to run nicely.
    The problem is with my LDAP servers, and their LDAP client configurations. The axiom I'm using is: "you can not point an LDAP server to itself for name service resolution". Would pointing the LDAP servers to the VIP break this axiom?
    Right now they are pointing to other LDAP servers than themselves. And when one goes down for patching (ldap1), the other LDAP server that is using it (ldap1) for its name service resolution will also go down; effectively shutting down 2/3 of my applications.
    This is really a chicken-and-egg type of question.

  • One-Armed Load Balancing

    Can the CSS 11000 load balance multiple server farms, using different load balancing algorithms on the same IP subnet and having multiple VIPs, in the one-armed configuration?
    I know this is not an ideal configuration but have to do it for a relocation project.
    Thank you

    Yes you can.
    No need for a trunk.
    But you have to keep in mind that the CSS must see both sides of a connection.
    So, obviously the traffic from the client will hit the CSS VIP, but for the server response, you have to make sure it goes back to the CSS.
    This can be done with source NATing or policy routing.
    Gilles.
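
An added example (not from the thread) for the asymmetric-return problem in the FWSM reply earlier on this page and in this one-armed answer: a toy Python forwarding model that traces a client SYN through the CSS to a real server and the server's SYN/ACK back. The reply only passes the CSS, and so only gets its source rewritten back to the VIP, when the CSS source-NATs the client (a source group with add destination service) or the server's route to the client points at the CSS; otherwise the client sees a SYN/ACK from the server's own address for a SYN it sent to the VIP and drops it. Addresses are documentation-range assumptions and the forwarding logic is deliberately simplified.

```python
"""Toy model of DNAT/SNAT on a CSS and the return-path question.
Added example; addresses are assumptions, not from the thread."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str              # "SYN" from the client, "SYN/ACK" from the server


class CSS:
    """Just enough of a content rule to show the NAT decisions: destination
    NAT (VIP -> real server) always; source NAT (client -> VIP) only when a
    source group lists the service ('add destination service')."""

    def __init__(self, vip: str, servers: List[str], source_group: bool = False):
        self.vip = vip
        self.servers = servers
        self.source_group = source_group
        # (client, sport) -> (server, dport): the flow table 'show flow' lists
        self.flows: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._rr = 0

    def client_to_server(self, seg: Segment) -> Segment:
        server = self.servers[self._rr % len(self.servers)]
        self._rr += 1
        self.flows[(seg.src, seg.sport)] = (server, seg.dport)
        out = replace(seg, dst=server)
        if self.source_group:
            out = replace(out, src=self.vip)   # the server now answers the VIP
        return out

    def server_to_client(self, seg: Segment) -> Optional[Segment]:
        """Undo the NAT for a reply that actually reaches the CSS."""
        for (client, sport), (server, _) in self.flows.items():
            if seg.src == server and seg.dport == sport:
                return replace(seg, src=self.vip, dst=client)
        return None                            # unknown flow: nothing to un-NAT


@dataclass
class Verdict:
    reply_passed_css: bool
    reply_src: Optional[str]
    handshake_ok: bool


def trace(client: str, css: CSS, server_route_to_client: str, dport: int = 9999) -> Verdict:
    """server_route_to_client is 'css' when the server's next hop towards the
    client is the CSS, or 'direct' when it is another gateway (e.g. the FWSM)
    or the client sits in the server's own VLAN."""
    syn = Segment(client, css.vip, 40000, dport, "SYN")
    at_server = css.client_to_server(syn)
    # The server answers whatever source address it saw on the SYN.
    synack = Segment(at_server.dst, at_server.src, at_server.dport, at_server.sport, "SYN/ACK")
    # A reply addressed to the VIP must land on the CSS; otherwise it only
    # passes the CSS if the server routes to the client through it.
    via_css = synack.dst == css.vip or server_route_to_client == "css"
    reply = css.server_to_client(synack) if via_css else synack
    # The client only accepts a SYN/ACK from the address it sent the SYN to.
    ok = reply is not None and reply.src == css.vip and reply.dst == client
    return Verdict(via_css, reply.src if reply else None, ok)


if __name__ == "__main__":
    VIP, SERVERS = "192.0.2.67", ["192.0.2.212", "192.0.2.213"]
    print("same VLAN, no source group:", trace("192.0.2.80", CSS(VIP, SERVERS), "direct"))
    print("same VLAN, source group:   ", trace("192.0.2.80", CSS(VIP, SERVERS, True), "direct"))
    print("remote client, gw = CSS:   ", trace("198.51.100.7", CSS(VIP, SERVERS), "css"))
```

The first case is the one in the FWSM post: end users beyond the firewall work because the servers' route back to them happens to cross the CSS, while hosts on a server VLAN routed by the FWSM get the SYN/ACK straight from the real server. The source group makes the return path independent of the server's routing, which is why it is the usual fix for a one-armed CSS.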
