PIX load balancing with CSM - probe problem
2 CSM/CATs on one side (FT),
2 CSM/CATs on the other (also FT),
load balancing 2 PIX 535.
The ICMP ping probe only probes the "direct" PIX interface;
the opposite interface will never answer the ping.
So switching off an interface on one PIX makes the real FAILED on one side, but the other side still has a working real and sends traffic to a one-legged PIX.
How to solve that?
I'm thinking about this:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/csm_3_2/icn/fwldbal.htm#1037625
When Firewall 1 and Firewall 2 are pinged on directly connected interfaces, the directly connected probe detects a PIX problem. But a problem with the whole PIX device is less typical than one of its interfaces going down (i.e. an unplugged fiber patch cord), where the other (opposite/working) interface still answers the ping and the CSM sends traffic to that "real".
A great solution would be pinging the opposite PIX interface,
but this isn't supported by PIX ASA. So I have tried
pinging "any" IP behind the PIX, which is currently the IP address of the CSM VLAN.
When you have one PIX there is no problem... but when you have two of them you need to check both of them. You define a static route:
ip_behind_pix VIA ip_pix_direct_int
Then think not only about the ECHO REQ but also about the ECHO REPLY - there is no way to set up static routing for those devices so that the active and standby units on both sides will detect PIX interface errors...
There is no way to put the REPLY on a different gateway than the ECHO REQ...
Think of it: draw 6 icons, give them 10 IP addresses (2 for each PIX, inside and outside, and one for every CSM),
and then try to set up static routes so that the ping REQ and REPLY go the same way. There is no such way...
IMHO 8-)
Similar Messages
-
Hello,
I have the following problem after configuring/setting up tcp probe:
probe TCP tcp
  interval 10
  failed 30
vserver test:3389
  virtual x.x.x.x tcp 3389
  serverfarm test
  inservice
serverfarm test
  real a.a.a.a
    inservice
  real b.b.b.b
    inservice
  real c.c.c.c
    inservice
  probe TCP
Vserver shows o.o.s
serverfarm shows o.o.s probe failed for all servers
when I show probe, I get:
real vserver serverfarm policy status
a.a.a.a:3389 test:3389 test (default) OPERABLE
I have a separate VIP setup for each server without a probe and I can connect to them on port 3389, so I know
the application/servers are ok.
The csm is running ver 3.1(4)
Can you explain why the probe shows operable yet the serverfarm shows probe_failed?
Thanks,
If you remove the probe, is the vserver inservice?
I would also recommend to test with a software more recent.
There was some probe issues in the past and they should be fixed with new releases.
Gilles. -
Redundant CSM probes not working using OneArmedMode+PBR
In a redundant configuration: 2xCat6500 with one CSM each, using One Armed Mode when we use Policy Based Routing for return traffic the redundant CSM probes fail. If we use Source NAT instead everything works fine (both Active and Standby ok).
The problem is that we need to use PBR because the servers need to know the source IP and we want to assure a quick failover.
I'm pointing to the alias address. I didn't mention before but both C6500 have an IP interface configured in the Server Side VLAN and are using HSRP. I think the problem is related with that - when the redundant CSM sends the probe request, the response is routed to the active CSM. Maybe I need to define a specific PBR for the probes.
-
PIX balancing with CSMs on both ends...
I'm preparing configurations for a CSM oriented solution. Now I'm testing PIX load balancing using CSM. For simplicity the situation is like in:
Configuring Regular Firewall Load Balancing, page 5-17
where we got:
Internet -> CSM@6509 -> PIXes -> CSM@6509 -> DMZs
where DMZs could be internet users, intranet with FW-1 and so on.
I had configuration exactly as in mentioned document:
cat6509 (Internet side):
module ContentSwitchingModule 5
  vlan 100 client
    ip address 100.0.0.25 255.255.255.0
    gateway 100.0.0.13
  vlan 101 server
    ip address 100.0.0.25 255.255.255.0
    alias 100.0.0.20 255.255.255.0
  serverfarm FORWARD-SF
    no nat server
    no nat client
    predictor forward
  serverfarm INSEC-SF
    no nat server
    no nat client
    predictor hash address source
    real 100.0.0.3
      inservice
    real 100.0.0.4
      inservice
  vserver FORWARD-VS
    virtual 0.0.0.0 0.0.0.0 any
    vlan 101
    serverfarm FORWARD-SF
    persistent rebalance
    inservice
  vserver INSEC-VS
    virtual 200.0.0.0 255.255.255.0 any
    vlan 100
    serverfarm INSEC-SF
    persistent rebalance
    inservice
interface Vlan100
  ip address 100.0.0.13 255.255.255.0
ip route 10.0.0.0 255.0.0.0 100.0.0.20
ip route 200.0.0.0 255.0.0.0 100.0.0.20
cat6509 (DMZs/intRAnet side):
module ContentSwitchingModule 5
  vlan 201 server
    ip address 200.0.0.26 255.255.255.0
    alias 200.0.0.20 255.255.255.0
  vlan 20 server
    ip address 10.1.0.26 255.255.255.0
  vlan 200 client
    ip address 200.0.0.26 255.255.255.0
  serverfarm GENERIC-SF
    nat server
    no nat client
    real 10.1.0.66
      inservice
  serverfarm SEC-SF
    no nat server
    no nat client
    predictor hash address destination
    real 200.0.0.3
      inservice
    real 200.0.0.4
      inservice
  vserver GENERIC-VS
    virtual 200.0.0.127 tcp 0
    vlan 201
    serverfarm GENERIC-SF
    persistent rebalance
    inservice
  vserver SEC-20-VS
    virtual 200.0.0.0 255.255.255.0 any
    vlan 20
    serverfarm SEC-SF
    persistent rebalance
    inservice
  vserver SEC-200-VS
    virtual 200.0.0.0 255.255.255.0 any
    serverfarm SEC-SF
    persistent rebalance
    inservice
VLANs:
100 - Internet
101 - PIX Outsides
201 - PIX Insides
200 - sample DMZ with users
20 - sample DMZ with servers
Internet needs access to servers@VLAN20
Hosts from VLAN 200 and VLAN 20 need access to the Internet
Traffic between DMZs needs to be allowed.
I see one problem already.
Your MSFC has an interface vlan 100 and a static route pointing at address 100.0.0.20 which is the alias in vlan 101.
Your MSFC probably can't ping 100.0.0.20
You should configure an alias in vlan 100 of the CSM and have the MSFC pointing to this alias.
Also, the 2nd CSM does not have a serverfarm FORWARD.
You will need one normally to forward traffic to your local subnet without loadbalancing.
[what you configured is possible but I'm not sure this is the result you are expecting]
Regards,
Gilles. -
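The reachability problem Gilles points out above (a static route whose next hop is a CSM alias in a VLAN the MSFC has no interface in) can be caught by a small configuration check. This is an added example, not CSM or IOS code; it parses the thread's Internet-side config lines and flags the two routes, and the alias 100.0.0.21 in the "fixed" variant is a constructed value:

```python
import re

# Constructed from the Internet-side CSM and MSFC lines in the thread above;
# only the statements the check needs are reproduced.
CSM_CFG = """\
module ContentSwitchingModule 5
 vlan 100 client
  ip address 100.0.0.25 255.255.255.0
  gateway 100.0.0.13
 vlan 101 server
  ip address 100.0.0.25 255.255.255.0
  alias 100.0.0.20 255.255.255.0
"""
MSFC_CFG = """\
interface Vlan100
 ip address 100.0.0.13 255.255.255.0
ip route 10.0.0.0 255.0.0.0 100.0.0.20
ip route 200.0.0.0 255.0.0.0 100.0.0.20
"""

def csm_vlan_addresses(cfg):
    """Map each CSM 'ip address'/'alias' IP to the set of VLANs it is declared in."""
    owner, vlan = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*vlan (\d+) (?:client|server)\b", line)
        if m:
            vlan = int(m.group(1))
            continue
        m = re.match(r"\s*(?:ip address|alias) (\S+) \S+", line)
        if m and vlan is not None:
            owner.setdefault(m.group(1), set()).add(vlan)
    return owner

def msfc_vlans(cfg):
    """VLAN numbers the MSFC has an SVI (interface VlanN) on."""
    return {int(m.group(1)) for m in re.finditer(r"^interface Vlan(\d+)", cfg, re.M)}

def check_static_routes(csm_cfg, msfc_cfg):
    """Flag MSFC static routes whose next hop is a CSM address living only in
    VLANs the MSFC is not attached to. A subnet match is not enough: 100.0.0.20
    is inside the MSFC's 100.0.0.0/24, but the alias sits in vlan 101."""
    owner, svis = csm_vlan_addresses(csm_cfg), msfc_vlans(msfc_cfg)
    findings = []
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)", msfc_cfg, re.M):
        net, mask, nh = m.groups()
        vlans = owner.get(nh)
        if vlans and not vlans & svis:
            findings.append((f"{net} {mask} via {nh}",
                             f"next hop is a CSM address in vlan {sorted(vlans)}, "
                             f"but the MSFC only has SVIs in {sorted(svis)}; "
                             "configure an alias in a shared VLAN and route to it"))
    return findings

# Fixed variant per the reply: a (constructed) alias in vlan 100, routes pointed at it
CSM_FIXED = CSM_CFG.replace("gateway 100.0.0.13\n",
                            "gateway 100.0.0.13\n  alias 100.0.0.21 255.255.255.0\n")
MSFC_FIXED = MSFC_CFG.replace("100.0.0.20", "100.0.0.21")
```

-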
Pix vpn tunnel using certificates problem
hi
I have set up a small network at home to practice a branch office
pix 501 obtaining a digital certificate from a windows 2000 server
which is located on a dmz on a pix 515 over an encrypted tunnel
the tunnel is initially set up using pre-shared keys and once the
branch pix has its certificate altering the configs on both pix's
to use certificates for authentication,but have run into a problem
i have included an attachment to explain how i went about it and
the problem i have encountered
would appreciate it if someone could take a look and tell me where
the problem lies
regards
melvyn brown
I am having the same issues with Small Business Server 2003. VPN from the iTouch works fine, but it will not sync with contacts, mail and calendar.
The Apple Store Genius Bar was of no help. Generally they're pretty good. I believe this will be NEW turf for the folks at Apple. -
Adding a cisco pix device to CSM 3.3
I've been trying to add a Cisco PIX 6.3 to a new CSM 3.3 server and it complains that my credentials are bogus. I can log in to the PIX's PDM using the same credentials, so I'm stumped. Is there a way that I can get a better idea of what is happening under the hood? I tried a debug and the server is clearly hitting the PIX and it is responding, but no go.
I figured it out, the CSM was set to use the user's login credentials instead of the device credentials.
Try disabling Java in Internet Options. This issue could be related to the Java version also.
-
Identity firewall NetBIOS Probe problem
Hi,
I've set up an Identity Firewall on an ASA5510 version 8.4.5 (inside interface). ADAgent is installed and configured on a Windows 2003 server and connected to the DC (Windows 2008 server). Everything works fine except the NetBIOS Probe function.
The NetBIOS probe function is active and configured as below.
user-identity domain TEST aaa-server LDAP_Identity
user-identity default-domain TEST
no user-identity action mac-address-mismatch remove-user-ip
user-identity inactive-user-timer minutes 120
user-identity logout-probe netbios local-system
user-identity poll-import-user-group-timer hours 1
user-identity ad-agent aaa-server adagent
user-identity user-not-found enable
The problem is the following message...
"746013 user-identity: Delete IP-User mapping 192.168.3.61 - TEST\Peter Succeeded - Netbios probing failed"
I've never seen a NetBIOS probe successful message.
Can anyone help me with this issue?
Thanks
Hi,
Could you please run some of these debug commands:
debug user-identity user
debug user-identity user-group
debug user-identity ad-agent
debug user-identity ldap
debug user-identity logout-probe
debug user-identity acl
debug user-identity tmatch
debug user-identity fqdn
debug user-identity process
debug user-identity debug
debug user-identity error
debug ldap 255
Also here is a guide that may provide some direction -
https://supportforums.cisco.com/docs/DOC-20366
Tarik Admani
*Please rate helpful posts* -
Hi,
I've tried to debug a non-scripted probe on my CSM, but I can't see any output. What does the message "Health Monitor quiet mode: output error messages" mean, and how can I make those messages visible?
TIA, Stephan
Hi Gilles,
I was reading that on HTTP probes the CSM only supports request methods like "GET", "HEAD" and "URL", not "POST".
Is it possible to configure an HTTP probe with "POST" in a TCL script?
I see in the manual (4.2(x) Release) that the generic TCL command "POST" does not appear.
I will really appreciate your help.
Thanks
Hugo Rivas
Network Services
Data Center Triara -
Cisco Security Manager (CSM) License Problem
Hi All,
We have CSM V3.2 with the Professional license edition supporting 50 devices. It's installed properly in the Cisco Security Manager client, as shown in the attachment, but the problem is in Server Administration - License Management, which doesn't include any records for the license (see attachment).
I tried to upload the .lic file by clicking the Update button in server administration but an error message appeared stated that the license file is corrupted although it's installed properly in CSM client!!!
Could you please advise what's the problem and what should I do?
Thanks in Advance!
Sorry, but Cisco seems to have removed that product bulletin from cisco.com.
Your reseller can use Cisco Commerce Workspace (CCW) to order the correct part number for your CSM installation. There is a unique number for each licensing level and/or upgrade.
For instance, for a 10-device standard license, the support would be part number CON-SAS-CSMST10K.
For the 100-device Pro license, the support would be CON-SAS-CSMPR4K9.
The reseller needs to adjust the support term (12-60 months) to suit when ordering. -
Hello
Just came across a problem we are facing and thought to share it.
wondering about the feasibility on the CSM to forward HTTP requests to a "Service not available" web page (which could be available on a web server located on the same server(s), i.e. front-end web server) when a particular threshold is reached on the Load-Balancer that control access to web services. This way, the user does not start the process of generating myKey then fails due to busy system (congestion of resources), as the clean-up process is pretty heavy.
Thanks for the help!
Hi Aser,
I think you need to configure a backup serverfarm so that in case the primary server is unavailable the backup servers can process further requests.
Whenever the primary serverfarm is down (all its vservers have failed or are down), the CSM will start using the sorry serverfarm servers to serve requests to the vserver.
new connection will use the backup serverfarm but existing active connection will try to use the old serverfarm.
You need to configure a 'failaction [purge|reassign]' to change this behavior.
The CSM only allow 1 backup server. When a client is connected to a server, it stays connected to that server even if a new server goes up. Only new connections from the client would be sent to a different server.
Please read my previous matching post for more info:
https://supportforums.cisco.com/thread/2056310?tstart=0
HTH
Sachin Garg -
CSM Probes went down for 15 minutes
Hi all,
This morning all the probes went down on the CSM module for exactly 15 mins and then came back up. There has been nothing else in the logs to indicate why they went down. I have found a watchdog process which I think might have restarted the process for SLB. Has anyone ever come across this, and what was the reason that the probes stayed down for exactly 15 mins?
Cheers
Kev
A possible workaround is to reset the card from the SUP console.
Try:
http://www.cisco.com/en/US/products/hw/switches/ps708/prod_release_note09186a00800fe64c.html -
Hello,
We are currently running an http probe on the CSM which accepts a return code of 200 and 401 (because this application is single sign on and CSM does not have a user defined for it).
This application is having an issue where the web application is available and returning a 401 code, however in some cases the actual application instance is not available.
The only way we can see that is by looking at the HTTP stream:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM
Content-Length: 0
Date: Thu, 05 Jul 2007 16:29:22 GMT
Server: Apache-Coyote/1.1
Connection: close
This connection close is the only value by which we can tell whether the application is working.
My question is, is there any way we can use this value in the probe? I am quite sure that it's not possible, but if anyone can confirm that, it will be great.
Thanks
-
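The decision the post above wants, status code plus one response header, written as a standalone health-check function. This is an added example, not CSM probe code; the page does not say whether Connection: close marks a healthy or a broken instance, so that direction is a parameter, and the three responses are constructed (the first reproduces the quoted headers):

```python
# Constructed responses: the first reproduces the headers quoted above, the
# other two are variants a probe should treat differently.
RESP_401_CLOSE = (b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\n"
                  b"Content-Length: 0\r\nDate: Thu, 05 Jul 2007 16:29:22 GMT\r\n"
                  b"Server: Apache-Coyote/1.1\r\nConnection: close\r\n\r\n")
RESP_401_KEEPALIVE = RESP_401_CLOSE.replace(b"Connection: close", b"Connection: keep-alive")
RESP_503 = b"HTTP/1.1 503 Service Unavailable\r\nConnection: close\r\n\r\n"

def parse_response(raw):
    """Return (status_code, {lower-case header name: value}) from a raw response.
    Raises ValueError on a malformed status line."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    _version, code, *_ = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers

def probe_verdict(raw, allowed_codes=(200, 401),
                  header_rule=("connection", "close"), header_means_healthy=True):
    """Decide real health from the status code AND one header, which goes beyond
    the status-code match described in the post. With header_means_healthy=False
    the same header marks a broken instance instead."""
    try:
        code, headers = parse_response(raw)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed response"
    if code not in allowed_codes:
        return False, f"status {code} not in {allowed_codes}"
    name, want = header_rule
    got = headers.get(name)
    matched = got is not None and got.lower() == want
    if matched != header_means_healthy:
        return False, f"header {name}: got {got!r}"
    return True, f"status {code}, header {name}: {got!r}"
```

-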
below log is generated with csm
server is correct.(normal)
csm is correct.(normal)
service is correct.(normal)
Why was the log below continued with the CSM?
Mar 7 05:20:13: %CSM_SLB-6-RSERVERSTATE: Module 3 server state changed: SLB-NETMGT: Got different MAC address from server 100.8.50.34 in response to ARP
Mar 7 05:20:13: %CSM_SLB-6-RSERVERSTATE: Module 3 server state changed: SLB-NETMGT: Got different MAC address from server 100.6.50.34 in response to ARP
The message is just informing you that the CSM is getting a different MAC address each time it does an ARP request.
So you have either a duplicate IP, or a device doing proxy ARP, or something similar.
Gilles. -
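A detection rule over the syslog message quoted in this thread, as an added example (not something the CSM itself provides): it parses constructed sample lines modelled on the quoted ones (the year is assumed, since the timestamps carry none) and flags reals whose ARP answer changed repeatedly within a window, the pattern the reply attributes to a duplicate IP or a proxy-ARP device.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the messages quoted in the thread.
SAMPLE_LOG = """\
Mar 7 05:20:13: %CSM_SLB-6-RSERVERSTATE: Module 3 server state changed: SLB-NETMGT: Got different MAC address from server 100.8.50.34 in response to ARP
Mar 7 05:20:13: %CSM_SLB-6-RSERVERSTATE: Module 3 server state changed: SLB-NETMGT: Got different MAC address from server 100.6.50.34 in response to ARP
Mar 7 05:21:13: %CSM_SLB-6-RSERVERSTATE: Module 3 server state changed: SLB-NETMGT: Got different MAC address from server 100.8.50.34 in response to ARP
Mar 7 05:22:13: %CSM_SLB-6-RSERVERSTATE: Module 3 server state changed: SLB-NETMGT: Got different MAC address from server 100.8.50.34 in response to ARP
Mar 7 05:22:14: %CSM_SLB-6-RSERVERSTATE: Module 3 server state changed: SLB-NETMGT: Got different MAC address from server 100.8.50.34 in response to ARP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): %CSM_SLB-6-RSERVERSTATE: Module (?P<mod>\d+) "
    r".*Got different MAC address from server (?P<ip>[\d.]+) in response to ARP")

def parse_events(text, year=2007):
    """Extract (timestamp, module, real IP) from every matching log line.
    Syslog lines have no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m["mod"]), m["ip"]))
    return events

def flapping_servers(text, window_s=300, threshold=3):
    """Return {ip: total_count} for reals whose MAC answer changed at least
    `threshold` times inside any sliding window of `window_s` seconds."""
    by_ip = {}
    for ts, _, ip in parse_events(text):
        by_ip.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1            # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

-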
Looks like 4 timer commands you can use on probes:
1) Interval - How often to normally Probe
2) Retries - How many consecutive normal-interval probes have to fail before marking the server as failed
3) Failed - How often to probe after a server is failed to determine if it should be brought back online
4) Open - For TCP probes, how long to wait for a TCP socket to open.
What do you guys recommend for timer values?
Currently we're using 5-3-60-10
But, I'm wondering about the 10-second Open timer. 10 seconds for a TCP socket to open? That seems insanely long. I'm tempted to change it to 1 second.
The default interval is 120 seconds and it would take 3 probes to fail before it would bring down the server. You can lower this and also use the command "fail action purge" so that when a server fails it forces the user to disconnect.
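A simplified replay of the four timers listed above, showing how much of the detection delay the Open timer contributes to the 5-3-60-10 setting versus 1 second. This is an added illustration, not taken from CSM documentation, and it assumes: a probe is sent every Interval seconds while OPERABLE and every Failed seconds while FAILED, a dead real costs the full Open timer, probes do not overlap, and one success in the FAILED state brings the real back.

```python
from dataclasses import dataclass

@dataclass
class ProbeTimers:
    interval: int  # seconds between probes while the real is OPERABLE
    retries: int   # consecutive failed probes before the real is marked FAILED
    failed: int    # seconds between probes while the real is FAILED
    open: int      # seconds to wait for the TCP handshake before counting a failure

def simulate(timers, outage_start, outage_end, horizon=600):
    """Replay the probe schedule against a real that is down during
    [outage_start, outage_end). Returns (detected_at, recovered_at, log)."""
    t, state, fails, log = 0, "OPERABLE", 0, []
    detected = recovered = None
    while t <= horizon:
        server_up = not (outage_start <= t < outage_end)
        # a healthy real answers at once; a dead one eats the whole open timer
        result_at = t if server_up else t + timers.open
        if server_up:
            fails = 0
            if state == "FAILED":          # assumption: one success recovers
                state, recovered = "OPERABLE", result_at
                log.append((result_at, "recovered"))
        else:
            fails += 1
            if state == "OPERABLE" and fails >= timers.retries:
                state, detected = "FAILED", result_at
                log.append((result_at, "marked FAILED"))
        gap = timers.interval if state == "OPERABLE" else timers.failed
        t = max(t + gap, result_at)        # simplification: probes never overlap
    return detected, recovered, log

def latencies(timers, outage_start=12, outage_end=100):
    """Seconds from outage start to FAILED, and from outage end to OPERABLE
    (None when the event never happened inside the horizon)."""
    detected, recovered, _ = simulate(timers, outage_start, outage_end)
    return (None if detected is None else detected - outage_start,
            None if recovered is None else recovered - outage_end)
```

With the thread's 5-3-60-10 timers a real that dies at t=12 is marked FAILED 33 s later; with Open set to 1 the same outage is detected after 14 s, since each failed probe no longer has to wait out the 10 s handshake timeout.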
-
PIX 515e VPN Host Connectivity Problem
I am having an issue with a VPN connection that I have.. I have a VPN set up to allow all hosts in a /24 subnet to work across from a single host on my side. From the host on my side, I am able to ping to and access some of the hosts on the other side. I have however, one host that is not allowing me to ping to it. We have verified firewall on the far end is allowing all but I can't make any kind of connection. We have verified that the machine on the far end is pingable and accessible from other networks. It is almost like the host on my side doesn't even try to connect across the tunnel. I have verified in my logs that when I do a ping from my host, it shows it building and tearing down a connection on the firewall for NAT so I know that traffic is at least getting to the firewall but it looks like it is not getting any farther. Has anyone seen any strange behavior like this before? I know that ACLs and such are correct on both ends due to the tunnel coming up when I try to access another host. The tunnel doesn't come up though when I try to ping the problem machine.
Thanks,
Brandon
Also, we have tested from the far end of the tunnel and when I attempt a ping to the problem machine, they don't see any traffic hitting their VPN endpoint. They do however see traffic to all the other hosts that I attempt to access on their network.