PIX balancing with CSMs on both ends...

I'm preparing configurations for a CSM-oriented solution. Now I'm testing PIX load balancing using the CSM. For simplicity, the situation is like the one in:
Configuring Regular Firewall Load Balancing, page 5-17
where we have:
Internet -> CSM@6509 -> PIXes -> CSM@6509 -> DMZs
where the DMZs could be Internet users, an intranet with FW-1 and so on.
I have the configuration exactly as in the mentioned document:
cat6509 (Internet side):
module ContentSwitchingModule 5
 vlan 100 client
  ip address 100.0.0.25 255.255.255.0
  gateway 100.0.0.13
 vlan 101 server
  ip address 100.0.0.25 255.255.255.0
  alias 100.0.0.20 255.255.255.0
 serverfarm FORWARD-SF
  no nat server
  no nat client
  predictor forward
 serverfarm INSEC-SF
  no nat server
  no nat client
  predictor hash address source
  real 100.0.0.3
   inservice
  real 100.0.0.4
   inservice
 vserver FORWARD-VS
  virtual 0.0.0.0 0.0.0.0 any
  vlan 101
  serverfarm FORWARD-SF
  persistent rebalance
  inservice
 vserver INSEC-VS
  virtual 200.0.0.0 255.255.255.0 any
  vlan 100
  serverfarm INSEC-SF
  persistent rebalance
  inservice
!
interface Vlan100
 ip address 100.0.0.13 255.255.255.0
!
ip route 10.0.0.0 255.0.0.0 100.0.0.20
ip route 200.0.0.0 255.0.0.0 100.0.0.20
cat6509 (DMZs/intranet side):
module ContentSwitchingModule 5
 vlan 201 server
  ip address 200.0.0.26 255.255.255.0
  alias 200.0.0.20 255.255.255.0
 vlan 20 server
  ip address 10.1.0.26 255.255.255.0
 vlan 200 client
  ip address 200.0.0.26 255.255.255.0
 serverfarm GENERIC-SF
  nat server
  no nat client
  real 10.1.0.66
   inservice
 serverfarm SEC-SF
  no nat server
  no nat client
  predictor hash address destination
  real 200.0.0.3
   inservice
  real 200.0.0.4
   inservice
 vserver GENERIC-VS
  virtual 200.0.0.127 tcp 0
  vlan 201
  serverfarm GENERIC-SF
  persistent rebalance
  inservice
 vserver SEC-20-VS
  virtual 200.0.0.0 255.255.255.0 any
  vlan 20
  serverfarm SEC-SF
  persistent rebalance
  inservice
 vserver SEC-200-VS
  virtual 200.0.0.0 255.255.255.0 any
  serverfarm SEC-SF
  persistent rebalance
  inservice
VLANs:
100 - Internet
101 - PIX outsides
201 - PIX insides
200 - sample DMZ with users
20 - sample DMZ with servers
The Internet needs access to the servers in VLAN 20.
Hosts in VLAN 200 and VLAN 20 need access to the Internet.
Traffic between DMZs needs to be allowed.

I see one problem already.
Your MSFC has an interface in vlan 100 and a static route pointing at address 100.0.0.20, which is the alias in vlan 101.
Your MSFC probably can't ping 100.0.0.20.
You should configure an alias in vlan 100 of the CSM and have the MSFC point to this alias.
Also, the 2nd CSM does not have a serverfarm FORWARD.
You will normally need one to forward traffic to your local subnet without load balancing.
[What you configured is possible, but I'm not sure this is the result you are expecting.]
Regards,
Gilles.
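Gilles's two points applied to the posted configuration, as an added fragment that is not from the original post, the reply, or the Cisco document the poster followed. It keeps the poster's names and addresses; the new VLAN 100 alias 100.0.0.21 is an assumed, currently unused address in the client subnet, and the existing VLAN 101 alias 100.0.0.20 is left in place on the assumption that the PIX outside interfaces use it as their gateway. Only the stanzas that change or are added are shown.

```cisco
! cat6509 (Internet side): give the MSFC a next hop on its own VLAN.
! 100.0.0.21 is an assumed address; pick any free host in 100.0.0.0/24.
module ContentSwitchingModule 5
 vlan 100 client
  ip address 100.0.0.25 255.255.255.0
  gateway 100.0.0.13
  alias 100.0.0.21 255.255.255.0
 vlan 101 server
  ip address 100.0.0.25 255.255.255.0
  alias 100.0.0.20 255.255.255.0
!
! MSFC: repoint the static routes from the VLAN 101 alias to the VLAN 100 alias.
interface Vlan100
 ip address 100.0.0.13 255.255.255.0
!
no ip route 10.0.0.0 255.0.0.0 100.0.0.20
no ip route 200.0.0.0 255.0.0.0 100.0.0.20
ip route 10.0.0.0 255.0.0.0 100.0.0.21
ip route 200.0.0.0 255.0.0.0 100.0.0.21
!
! cat6509 (DMZ side): add the forwarding serverfarm the second CSM is missing,
! so flows arriving from the PIX insides (VLAN 201) that are bound for the local
! subnets are routed straight through instead of being load balanced again.
module ContentSwitchingModule 5
 serverfarm FORWARD-SF
  no nat server
  no nat client
  predictor forward
 vserver FORWARD-VS
  virtual 0.0.0.0 0.0.0.0 any
  vlan 201
  serverfarm FORWARD-SF
  persistent rebalance
  inservice
```

Before trusting the new routes, ping 100.0.0.21 from the MSFC; `show module csm 5 vlan detail` should list the alias under VLAN 100, and `show module csm 5 vserver detail` on the second chassis should show FORWARD-VS as OPERATIONAL. Note also that the posted SEC-200-VS matches 200.0.0.0/24 from any VLAN, so it overlaps with FORWARD-VS for traffic arriving from VLAN 201; which vserver the CSM selects for such a flow needs to be checked on the box, and this overlap is likely what the closing remark in the reply is pointing at.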

Similar Messages

  • Load balancing of PIX firewalls with multiple DMZs

    I need a suggestion about how to balance the traffic through two PIX firewalls with 4 interfaces (IN, OUT, DMZ1, DMZ2).
    In all the documentation related to the subject, I always see the firewalls with only two interfaces:
    http://www.cisco.com/warp/customer/117/fw_load_balancing.html
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/firewall.htm
    What if I need to balance on more than 2 interfaces?
    Do I have to add more content switches, one for each interface?
    Or could I use VLANs inside the same content switches and assign the ports to the DMZs appropriately?
    Thank you in advance for any help.

    We just had some internal discussions about that at my work, and the suggestion from a local Cisco specialist was, if you want to leverage load balancing over multiple DMZs, then you get the CSS blades for the 65xx's. Right now we have multiple CSS and LD failover pairs (one pair for each DMZ) and it is starting to become expensive, while we aren't really utilizing the full capacity of them. If you get the blades, they have Gigabit traces to the backplane of the switch, and you can use them for as many ports as you have on the 6500.
    Then again, it depends on whether physical security is essential to you and you are concerned with L2 attacks (VLAN hopping, etc.). There are tradeoffs and benefits when using a consolidated infrastructure.

  • EIGRP and Load Balancing Per Packet: CEF required on both ends???

    Here's what I have.
    -2 T1's with the same EIGRP metric
    -CEF is enabled and load sharing currently
    1 link is being used more than the other due to the nature of load sharing and not per-packet using CEF.
    I need a per-packet setup to see if this improves performance and distributes the usage over both links effectively.
    If I enable per-packet on my remote office, do I also have to enable it on each PVC that connects back to my central office, per PVC? Or can you enable per-packet on the remote location only and be OK? I don't have control over the central office router and need to justify whether I need to enable that on the central office or not.
    The Cisco docs I reviewed on this don't say both ends.

    I agree with Sundar's point about needing to configure both ends if you want to use per packet in each direction. His point about the implications of forcing process switching and its impact on CPU utilization of the router is true but I am not sure that is what the original post was asking about. As I understood the original post he was asking about the per-packet option available with CEF switching which does not produce process switched packets.
    I have one caution to offer about turning on the per-packet option with CEF. If you do that you will probably get better - but still not even - balancing of the serial links. But the performance may not improve. In fact it may degrade. This is because doing per-packet balancing introduces the likelihood of out-of-order packets. The impact of out-of-order packets varies depending on the application being run. Many applications, when they get an out-of-order packet, will discard the packet and retransmit packets to get them in the correct order. I actually know of one customer site where they enabled per-packet balancing and the performance of the application got worse. So I suggest that you evaluate carefully the implications of per-packet balancing.
    HTH
    Rick

  • How to Configure Transparent caching on Cat 6500 with CSM in routed mode

    I am trying to configure transparent caching on a Cat 6500 with the CSM in routed mode, but I am facing some problems with it. I have also gone through the example config on the Cisco site for transparent caching using the CSM on a Cat 6500, but it does not fit my client's requirement.
    The scenario is like
    Access Switches - Cat6500 with MSFC & CSM - Internet Router
    |
    Cache Engines and Real servers
    The clients as well as the real servers are on separate VLANs (L3) and the requirement is to load balance the Internet traffic using cache engines.
    I'd really appreciate any helpful suggestions or any useful links/docs/info on this.
    Thanks
    kumar

    Hello Joerg,
    Thanks for the reply.
    I have already gone through the sample config shown by this weblink; however, this link refers to configuring transparent caching on the CSM in BRIDGED MODE (i.e. both the client and server VLANs have the same IP address), but in our case we have multiple L3 VLANs on the CAT6509 with IP addresses in different SUBNETS, and the real servers to be used for caching also exist on one of these VLANs. Thus, the scenario described by the weblink does not apply here. Also, in the configuration referred to by the above weblink, VLAN 100 is configured as client; however, the end users are shown to be on VLAN 200, which is configured as the SERVER VLAN in the CSM.
    Don't you think there is something wrong here? I mean the end users should be on VLAN 100 (client) and the real servers on VLAN 200 (server).
    So, I have to configure the CSM in routed mode (i.e. both the client and server VLANs will have separate IP addresses in different subnets) and the end users will be on all VLANs.
    Please let me know how I can implement this solution.
    Thanks again
    Sudhir

  • Load balancing with JSP

    Anyone and everyone,
    When configuring load balancing with Weblogic clusters, does load
    balancing take effect for all services or just EJB and RMI? Or another
    way of saying the same thing, can I setup weighted load balancing for
    the JSP engines across 2 weblogic servers.
    Thanks in advance,
    Mike

    The load-balancing documentation you read describing the different algorithms only applies to RMI stubs (e.g., EJB clients). Please see http://www.weblogic.com/docs51/cluster/concepts.html#1026091 for a description of how load-balancing/clustering works with servlets/JSPs.
    The short answer is that in using servlet clustering, most people want/need/use in-memory replication for HttpSession objects. In WLS 5.1 (and before), in-memory replication requires one or more proxy servers be set-up in front of the cluster. Typically, most people use something like BigIP to load-balance
    across the proxy servers and let the weblogic plug-in for the proxy server handle the routing to the cluster. The plug-in uses round-robin until an HttpSession is established for a user, then it always tries to route to the server where the user's session is located.
    Hope this helps,
    Robert
    Brian Lin wrote:
    All,
    I have a question here regarding load balancing with DNS round robin. As of the chapter Administration of Clustering WebLogic Server, WebLogic can be configured to balance by weight. How does WebLogic handle weight-based balancing after a DNS round robin IP response? Or can you just choose one way instead of both?
    What's the big difference between choosing BigIP and software balancing (WL)?
    Brian
    "Wei Guan" <[email protected]> wrote:
    I don't think you can configure this load balancing in WebLogic in the current
    release. However, if you have Big-IP or LocalDirector, you can set up
    weighted load-balancing there. Otherwise, the WebLogic proxy will use DNS round
    robin to do the load-balancing between JSP engines.
    My 2 cents.
    Cheers - Wei
    Michael Yakimisky <[email protected]> wrote in message
    news:[email protected]...
    Anyone and everyone,
    When configuring load balancing with Weblogic clusters, does load
    balancing take effect for all services or just EJB and RMI? Or another
    way of saying the same thing, can I setup weighted load balancing for
    the JSP engines across 2 weblogic servers.
    Thanks in advance,
    Mike

  • Dual ISP load balancing with 2 routers and 2 FW without using BGP

    Hi all,
    Based on the attachment diagram, is the design viable?
    Does anyone have a similar deployment, and can you share with me the config guide for this? I'm at a loss on a few configs:
    1. On core switch A and B, I understood we need to have a default route pointing to the firewall interface. For this case, I have different IPs for the same context on both the firewalls.
    So, how should the config be?
    CoreSW_A(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.110
    CoreSW_A(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.111
    I don't think the above will work as the core switch will load balance the traffic to both firewalls even if one of the context is on standby mode?
    2. The area from the firewall to the internet would all be public IP. Thus, if i put a switch in between the firewall and the router, then i would waste some public IP addresses but if i remove the switch, I would not have enough ports on the ASA firewall. What is the best recommended solution for this?
    3. How do I load balance traffic to both R1 and R2 to their respective ISPs without using BGP? I may be using only a 2811 router.
    Thanks a lot!! I'm really looking forward to some guidance and tips on this, as I haven't found any guides on this deployment yet; most are about LAN HA.

    For policy based routing, I would need to create route maps on the core switch itself right?
    Correct me if I'm wrong, if i use route-maps, i would be assigning e.g. internal network A to go through firewall context A and internal network B to go through firewall context B.
    Context A will only have path to Router A and context B will only have path to Router B. But if router B goes down, network B won't be able to access the Internet, right?
    I'm not sure whether it's a PI or PA for this as the ISP will assign us a block of IP address, for example 202.111.1.8/29 (these IPs can be used for webservers, etc). There will also be a public IP of /30 on the serial interface to connect to their router.
    Thanks a lot.

  • Multihomed eBGP load balancing with 3 ISP's

    We currently peer with 2 ISPs using BGP in an active/failover configuration.  My company wants to move to a 3 ISP model where Internet traffic is split across the 3 providers so that bandwidth is equally distributed on outgoing traffic across our 2 /22 ARIN IP ranges.  This is from our 2 edge switches that have VSS.  
    Within my limited knowledge of BGP, I have determined that we could do load sharing pretty easily by adding multiple default routes and breaking up our /22's into /24 and advertising them that way.  However, I don't think this satisfies the request that downtime must be seamless, should one link drop.  
    Currently, our ISP's advertise default routes.  From the research that I've done, we could get close to load balanced links if we receive full BGP routes and community settings and definitions.  I'm nervous about this because it looks really complicated, and I don't want our AS to turn into a transit AS.  I've been told the same can be accomplished with only partial BGP routes and community settings and definitions.  
    Personally, I think we just need a WAN load balancer.  However, given the request, is there a thread out there that can explain this, or can someone discuss this requested scenario a little bit?  
    Thanks!

    Hi there
    First question would be what is the required reconvergence time for the applications using the Internet? Should an outage occur, when do they lose their state? Once you know that, you then have a target to aim for in terms of recovery
    With regard to load balancing, with BGP we are always talking inbound and outbound.
    The outbound solution is relatively simple - each ISP advertises a default route to your Internet edge router(s). Create an eBGP session from each edge router to the core, advertise the default route and redistribute into the IGP. Ensure the IGP cost to each BGP next hop is equal and you have ECMP for outbound routing.
    Inbound influence is usually via MED (not likely in this case given 3 ISPs), adjusting local-pref in the ISP via BGP extended communities configured at your end, or via AS-PATH prepending for longer prefixes from your /22. Prepending would be simplest, but you're unlikely to get an exact inbound traffic split; however, a relatively even distribution should be sufficient.

  • Load Balancing with BigIP / SSL question

    I have an oddball question. We're load balancing ColdFusion MX7 across 3 servers using a BigIP load balancing server. We decided to go the hardware approach and it has been great except for one small configuration issue.
    We use a mix of SSL and non-SSL pages. Prior to the switch from a single server to a load balanced setup I used a script that would determine if a page that was supposed to be SSL had the variable CGI.HTTPS turned on or off. If it was off, the page would redirect back to itself with SSL turned on.
    The problem we have is that we followed BigIP's instruction to secure the load balancing hardware instead of the three servers running behind it. So what happens is that the traffic goes to the load balancer on port 441, but then the calls from the load balancer to the individual servers are on port 80. So even if a page is called as HTTPS://... the ColdFusion server says that CGI.HTTPS is "off" since the traffic is on port 80.
    This isn't much of a problem; our SSL pages are linked as HTTPS:// and the only problem would actually arise if someone were to type in the URL and call it as HTTP rather than HTTPS.
    My question is this: does anyone know of a way that I can detect if the page should be HTTPS and is not, without changing our configuration and putting SSL certificates on each individual server?

    Hey,
    Well the load balancing with the BigIP device is really very amazing. I think what I liked most was swapping out servers when their lease was up: through the BigIP manager I just stopped all traffic to a server, shut it down, plugged in the new one and turned traffic back on. It was really very easy.
    The SSL stuff still gives me a headache to think about, but I should mention I no longer work where I was, plus now I'm all .NET C#, but that's a different story.
    I think if I was going to do this all again I would not have secured the BigIP unit. It was nice to buy one SSL cert for all the servers I attached rather than one per server, but getting the SSL sites to work properly was a headache.
    We also use Windows file replication, where now I would go with something like a pair of Dell MD1000's mirrored for storage and just have tons of RAM and CPU on the front end units. Depends what you want to spend I guess. I think the BigIP unit we bought was like 20 grand; I think they are cheaper now though.
    Hope I helped.

    Hello, I am getting an ABAP error when I try either to create or change a planning layout for funds management and also if I try to change plan data in an existing layout. Are there steps in customizing I am not aware of? I have set-up funds manageme