PIX load balancing with CSM - probe problem

2 CSM/CATs on one side (FT)
2 CSM/CATs on the other (also FT)
load balancing 2 PIX 535.
The probing ICMP pings only the "direct" PIX interface;
the opposite interface will never answer the ping.
So switching off an interface in one PIX makes the real FAILED on one side, but the other side still has a working real and sends traffic to the one-legged PIX.
How to solve that?

I'm thinking about this:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/csm_3_2/icn/fwldbal.htm#1037625
When Firewall 1 and Firewall 2 are pinged on directly connected interfaces, the directly connected probe detects a PIX problem. But a problem with the whole PIX device is less typical than one of its interfaces going down (i.e. a fiber patchcord unplugged), in which case the other (opposite/working) interface answers the ping and the CSM sends traffic to that "real".
A great solution would be pinging the opposite PIX interface,
but this isn't supported by PIX ASA. So I have tried
pinging "any" IP behind the PIX, which is currently the IP address of the CSM VLAN.
When you have one PIX there is no problem... but when you have two of them you need to check both of them. You define a static route:
ip_behind_pix VIA ip_pix_direct_int
Then think not only about the ECHO REQ but also about the ECHO REPLY - there is no way to set up static routing for those devices so that the active and standbys on both sides will detect PIX interface errors...
There is no way to put the REPLY on a different gate than the ECHO REQ...
Think of it: draw 6 icons, give them 10 IP addresses (2 for PIX inside and outside, one for every CSM)
and then try to set up static routes so that the ping REQ and reply go the same way. There is no such way...
IMHO 8-)
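An added example, not from the original post, modelling the CSM -> PIXes -> CSM sandwich to show why a ping sent through one PIX cannot have its reply pinned to the same PIX. Interface addresses follow the PIX balancing config further down this page; the hash function and the assumption that a probe request leaves through the real being probed are constructed for the example, not CSM internals.

```python
# Added example (not from the original post): a toy model of the CSM -> PIXes
# -> CSM sandwich, showing why a ping sent through one PIX cannot have its
# reply pinned to the same PIX. Interface addresses follow the PIX balancing
# config on this page; the hash function and the "request goes out through the
# real being probed" behaviour are constructed assumptions, not CSM internals.
from typing import Dict, Set

PIX = {  # real -> (outside interface, inside interface)
    "PIX1": ("100.0.0.3", "200.0.0.3"),
    "PIX2": ("100.0.0.4", "200.0.0.4"),
}
PROBE_SRC = "100.0.0.25"  # Internet-side CSM VLAN address (probe source)
PROBE_DST = "200.0.0.20"  # DMZ-side CSM alias, the "any ip behind pix"


def toy_hash(ip: str) -> str:
    """Stand-in for 'predictor hash address': deterministic IP -> real map.
    Constructed for the example; the CSM's real hash differs."""
    reals = sorted(PIX)
    return reals[sum(int(o) for o in ip.split(".")) % len(reals)]


def reply_pix() -> str:
    """The DMZ-side CSM uses 'predictor hash address destination', so the
    reply PIX is chosen by the probe SOURCE address, whatever real was probed."""
    return toy_hash(PROBE_SRC)


def pix_forwards(real: str, down: Set[str]) -> bool:
    """A PIX passes traffic only if neither of its interfaces is down."""
    return not any(intf in down for intf in PIX[real])


def probe_results(down: Set[str]) -> Dict[str, str]:
    """Per-real outcome of an ICMP probe to PROBE_DST given failed interfaces.

    Request leg: forced out through the real being probed (assumption).
    Reply leg:   always via reply_pix(), independent of that real.
    """
    return {
        real: "OPERABLE"
        if pix_forwards(real, down) and pix_forwards(reply_pix(), down)
        else "FAILED"
        for real in PIX
    }


if __name__ == "__main__":
    scenarios = [("all up", set()),
                 ("PIX1 inside down", {"200.0.0.3"}),
                 ("PIX2 inside down", {"200.0.0.4"})]
    for label, down in scenarios:
        print(f"{label:17} reply via {reply_pix()} -> {probe_results(down)}")
    # Losing the inside interface of the PIX that carries replies marks BOTH
    # reals FAILED although the other PIX is healthy: the reply path is not
    # under the probe's control.
```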

Similar Messages

  • Csm probe problem

    Hello,
    I have the following problem after configuring/setting up tcp probe:
    probe TCP tcp
    interval 10
    failed 30
    vserver test:3389
    virtual x.x.x.x tcp 3389
    serverfarm test
    inservice
    serverfarm test
    real a.a.a.a
    inservice
    real b.b.b.b
    inservice
    real c.c.c.c
    inservice
    probe TCP
    Vserver shows o.o.s
    serverfarm shows o.o.s probe failed for all servers
    when I show probe, I get:
    real vserver serverfarm policy status
    a.a.a.a:3389 test:3389 test (default) OPERABLE
    I have a separate VIP setup for each server without a probe and I can connect to them on port 3389, so I know
    the application/servers are ok.
    The csm is running ver 3.1(4)
    Can you explain why the probe shows operable yet the serverfarm shows probe_failed?
    Thanks,

If you remove the probe, is the vserver inservice?
I would also recommend testing with more recent software.
There were some probe issues in the past and they should be fixed in newer releases.
Gilles.

  • Redundant CSM probes not working using OneArmedMode+PBR

    In a redundant configuration: 2xCat6500 with one CSM each, using One Armed Mode when we use Policy Based Routing for return traffic the redundant CSM probes fail. If we use Source NAT instead everything works fine (both Active and Standby ok).
The problem is that we need to use PBR because the servers need to know the source IP and we want to assure a quick failover.

    I'm pointing to the alias address. I didn't mention before but both C6500 have an IP interface configured in the Server Side VLAN and are using HSRP. I think the problem is related with that - when the redundant CSM sends the probe request, the response is routed to the active CSM. Maybe I need to define a specific PBR to the probes.

  • PIX balancing with CSMs on both ends...

I'm preparing configurations for a CSM oriented solution. Now I'm testing PIX load balancing using CSM. For simplicity there is a situation like in:
    Configuring Regular Firewall Load Balancing, page 5-17
    where we got:
    Internet -> CSM@6509 -> PIXes -> CSM@6509 -> DMZs
    where DMZs could be internet users, intranet with FW-1 and so on.
I have a configuration exactly as in the mentioned document:
    cat6509 (Internet side):
    module ContentSwitchingModule 5
    vlan 100 client
    ip address 100.0.0.25 255.255.255.0
    gateway 100.0.0.13
    vlan 101 server
    ip address 100.0.0.25 255.255.255.0
    alias 100.0.0.20 255.255.255.0
    serverfarm FORWARD-SF
    no nat server
    no nat client
    predictor forward
    serverfarm INSEC-SF
    no nat server
    no nat client
    predictor hash address source
    real 100.0.0.3
    inservice
    real 100.0.0.4
    inservice
    vserver FORWARD-VS
    virtual 0.0.0.0 0.0.0.0 any
    vlan 101
    serverfarm FORWARD-SF
    persistent rebalance
    inservice
    vserver INSEC-VS
    virtual 200.0.0.0 255.255.255.0 any
    vlan 100
    serverfarm INSEC-SF
    persistent rebalance
    inservice
    interface Vlan100
    ip address 100.0.0.13 255.255.255.0
    ip route 10.0.0.0 255.0.0.0 100.0.0.20
    ip route 200.0.0.0 255.0.0.0 100.0.0.20
    cat6509:DMZs/intRAnet side:
    module ContentSwitchingModule 5
    vlan 201 server
    ip address 200.0.0.26 255.255.255.0
    alias 200.0.0.20 255.255.255.0
    vlan 20 server
    ip address 10.1.0.26 255.255.255.0
    vlan 200 client
    ip address 200.0.0.26 255.255.255.0
    serverfarm GENERIC-SF
    nat server
    no nat client
    real 10.1.0.66
    inservice
    serverfarm SEC-SF
    no nat server
    no nat client
    predictor hash address destination
    real 200.0.0.3
    inservice
    real 200.0.0.4
    inservice
    vserver GENERIC-VS
    virtual 200.0.0.127 tcp 0
    vlan 201
    serverfarm GENERIC-SF
    persistent rebalance
    inservice
    vserver SEC-20-VS
    virtual 200.0.0.0 255.255.255.0 any
    vlan 20
    serverfarm SEC-SF
    persistent rebalance
    inservice
    vserver SEC-200-VS
    virtual 200.0.0.0 255.255.255.0 any
    serverfarm SEC-SF
    persistent rebalance
    inservice
VLANs:
100 - Internet
101 - PIX Outsides
201 - PIX Insides
200 - sample DMZ with users
20 - sample DMZ with servers
Internet needs access to servers@VLAN20
Hosts from VLAN 200 and VLAN 20 need access to the Internet
Traffic between DMZs needs to be allowed

    I see one problem already.
    Your MSFC has an interface vlan 100 and a static route pointing at address 100.0.0.20 which is the alias in vlan 101.
    Your MSFC probably can't ping 100.0.0.20
    You should configure an alias in vlan 100 of the CSM and have the MSFC pointing to this alias.
    Also, the 2nd CSM does not have a serverfarm FORWARD.
    You will need one normally to forward traffic to your local subnet without loadbalancing.
    [what you configured is possible but I'm not sure this is the result you are expecting]
    Regards,
    Gilles.

  • Pix vpn tunnel using certificates problem

Hi,
I have set up a small network at home to practice a branch office PIX 501 obtaining a digital certificate from a Windows 2000 server which is located on a DMZ on a PIX 515 over an encrypted tunnel. The tunnel is initially set up using pre-shared keys and, once the branch PIX has its certificate, the configs on both PIXes are altered to use certificates for authentication, but I have run into a problem.
I have included an attachment to explain how I went about it and the problem I have encountered.
I would appreciate it if someone could take a look and tell me where the problem lies.
Regards,
Melvyn Brown

I am having the same issues with Small Business Server 2003. VPN from the iTouch works fine, but it will not sync with contacts, mail and calendar.
The Apple Store Genius Bar was of no help. Generally they're pretty good. I believe this will be NEW turf for the folks at Apple.

  • Adding a cisco pix device to CSM 3.3

I've been trying to add a Cisco PIX 6.3 to a new CSM 3.3 server and it complains that my credentials are bogus. I can log in to the PIX's PDM using the same credentials, so I'm stumped. Is there a way that I can get a better idea of what is happening under the hood? I tried a debug and the server is clearly hitting the PIX and it is responding, but no go.
I figured it out: the CSM was set to use the user's login credentials instead of the device credentials.

Try disabling Java in Internet Options. This issue could be related to the Java version also.

  • Identity firewall NetBIOS Probe problem

    Hi,
I've set up an Identity Firewall on an ASA5510 version 8.4.5 (inside interface). The AD Agent is installed and configured on a Windows 2003 server and connected to the DC (Windows 2008 server). Everything works fine except the NetBIOS probe function.
The NetBIOS probe function is active and configured as below.
    user-identity domain TEST aaa-server LDAP_Identity
    user-identity default-domain TEST
    no user-identity action mac-address-mismatch remove-user-ip
    user-identity inactive-user-timer minutes 120
    user-identity logout-probe netbios local-system
    user-identity poll-import-user-group-timer hours 1
    user-identity ad-agent aaa-server adagent
    user-identity user-not-found enable
The problem is the following message...
"746013 user-identity: Delete IP-User mapping 192.168.3.61 - TEST\Peter Succeeded - Netbios probing failed"
I've never seen a NetBIOS probe successful message.
Can anyone help me with this issue?
    Thanks

    Hi,
    Could you please run some of these debug commands:
    debug user-identity user
    debug user-identity user-group
    debug user-identity ad-agent
debug user-identity ldap
    debug user-identity logout-probe
    debug user-identity acl
    debug user-identity tmatch
    debug user-identity fqdn
    debug user-identity process
    debug user-identity debug
    debug user-identity error
    debug ldap 255
    Also here is a guide that may provide some direction -
    https://supportforums.cisco.com/docs/DOC-20366
    Tarik Admani
    *Please rate helpful posts*

  • CSM probe debugging

    Hi,
I've tried to debug a non-scripted probe on my CSM, but I can't see any output. What does the message "Health Monitor quiet mode: output error messages" mean, and how can I make those messages visible?
    TIA, Stephan

    Hi Gilles,
I was reading that the CSM only supports on HTTP probes the request methods "GET", "HEAD" and "URL", not "POST".
Is it possible to configure in a TCL script an HTTP probe with "POST"?
I see in the manual (4.2(x) Release) that the generic TCL command "POST" does not appear.
I would really appreciate your help.
    Thanks
    Hugo Rivas
    Network Services
    Data Center Triara

  • Cisco Security Manager (CSM) License Problem

    Hi All,
We have CSM V3.2 with the Professional license edition supporting 50 devices. It's installed properly in the Cisco Security Manager client, as shown in the attachment, but the problem is in Server Administration - License Management, which doesn't include any records for the license (see attachment).
I tried to upload the .lic file by clicking the Update button in Server Administration, but an error message appeared stating that the license file is corrupted, although it's installed properly in the CSM client!!!
Could you please advise what the problem is and what I should do?
    Thanks in Advance!

    Sorry but Cisco seems to have removed that product bulletin from cisco.com.
    Your reseller can use Cisco Commerce Workspace (CCW) to order the correct part number for your CSM installation. There is a unique number for each licensing level and/or upgrade.
    For instance, for a 10-device standard license, the support would be part number CON-SAS-CSMST10K.
    For the 100-device Pro license, the support would be CON-SAS-CSMPR4K9.
    The reseller needs to adjust the support term (12-60 months) to suit when ordering.

  • CSM HTTP problem

    Hello
    Just came across a problem we are facing and thought to share it.
I'm wondering about the feasibility of the CSM forwarding HTTP requests to a "Service not available" web page (which could be available on a web server located on the same server(s), i.e. the front-end web server) when a particular threshold is reached on the load balancer that controls access to the web services. This way, the user does not start the process of generating myKey and then fail due to a busy system (congestion of resources), as the clean-up process is pretty heavy.
    Thanks for the help!

    Hi Aser,
I think you need to configure a backup serverfarm so that in case the primary servers are unavailable the backup servers can process further requests.
Whenever the primary serverfarm is down (all its servers have failed or are down), the CSM will start using the sorry serverfarm servers to serve requests to the vserver.
New connections will use the backup serverfarm, but existing active connections will try to use the old serverfarm.
You need to configure 'failaction [purge|reassign]' to change this behavior.
The CSM only allows 1 backup serverfarm. When a client is connected to a server, it stays connected to that server even if a new server comes up. Only new connections from the client would be sent to a different server.
    Please read my previous matching post for more info:
    https://supportforums.cisco.com/thread/2056310?tstart=0
    HTH
    Sachin Garg

  • CSM Probes went down for 15 minutes

    Hi all,
This morning all the probes went down on the CSM module for exactly 15 minutes and then came back up. There has been nothing else in the logs to indicate why they went down. I have found a watchdog process which I think might have restarted the SLB process. Has anyone ever come across this, and what was the reason that the probes stayed down for exactly 15 minutes?
    Cheers
    Kev

    A possible workaround is to reset the card from the SUP console.
    Try:
    http://www.cisco.com/en/US/products/hw/switches/ps708/prod_release_note09186a00800fe64c.html

  • CSM Probe Question

    Hello,
We are currently running an HTTP probe on the CSM which accepts return codes of 200 and 401 (because this application is single sign-on and the CSM does not have a user defined for it).
This application is having an issue where the web application is available and returning a 401 code, however in some cases the actual application instance is not available.
The only way we can see that is by looking at the HTTP stream:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: NTLM
    Content-Length: 0
    Date: Thu, 05 Jul 2007 16:29:22 GMT
    Server: Apache-Coyote/1.1
    Connection: close
This Connection: close is the only value by which we can tell whether the application is working.
My question is: is there any way we can use this value in the probe? I am quite sure that it's not possible, but if anyone can confirm that, it would be great.
    Thanks
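An added example, not from the original post, that parses the HTTP reply quoted above and contrasts the status-code-only check (what a probe accepting 200 and 401 does) with a check that also rejects a "Connection: close" header; the keep-alive variant of the reply is constructed for comparison.

```python
# Added example (not from the original post): parse the raw HTTP reply quoted
# in the post and compare a status-code-only health check with one that also
# treats "Connection: close" as the application instance being unavailable.
from typing import Dict, Tuple

# Constructed sample reproducing the response shown in the post.
SAMPLE_REPLY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n"
    b"Date: Thu, 05 Jul 2007 16:29:22 GMT\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)
# Assumed healthy variant: same 401 challenge, but the server keeps the
# connection open instead of closing it.
HEALTHY_REPLY = SAMPLE_REPLY.replace(b"Connection: close",
                                     b"Connection: keep-alive")


def parse_reply(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers) from a raw HTTP/1.x response head.

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires. Raises ValueError on a malformed status line.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def status_only_check(raw: bytes, accepted=(200, 401)) -> bool:
    """Mimics the probe in the post: healthy if the code is an accepted one."""
    code, _ = parse_reply(raw)
    return code in accepted


def status_and_connection_check(raw: bytes, accepted=(200, 401)) -> bool:
    """Stricter check: accepted code AND the server did not close the socket."""
    code, headers = parse_reply(raw)
    return code in accepted and headers.get("connection", "").lower() != "close"
```

The first check passes the quoted reply while the second fails it, which is the distinction the post is asking the probe to make.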

  • Csm log problem

The log below is generated by the CSM.
The server is correct (normal).
The CSM is correct (normal).
The service is correct (normal).
Why does the log below keep appearing on the CSM?
    Mar 7 05:20:13: %CSM_SLB-6-RSERVERSTATE: Module 3 server state changed: SLB-NETMGT: Got different MAC address from server 100.8.50.34 in response to ARP
    Mar 7 05:20:13: %CSM_SLB-6-RSERVERSTATE: Module 3 server state changed: SLB-NETMGT: Got different MAC address from server 100.6.50.34 in response to ARP

The message is just informing you that the CSM is getting a different MAC address each time it does an ARP request.
So, you have either a duplicate IP, or a device doing proxy-ARP, or something similar.
    Gilles.

  • Recommended CSM Probe Timers

Looks like there are 4 timer commands you can use on probes:
1) Interval - How often to probe normally
2) Retries - How many consecutive normal-interval probes have to fail before marking the server as failed
3) Failed - How often to probe after a server has failed, to determine if it should be brought back online
4) Open - For TCP probes, how long to wait for a TCP socket to open.
What do you guys recommend for timer values?
Currently we're using 5-3-60-10.
But I'm wondering about the 10-second Open timer. 10 seconds for a TCP socket to open? That seems insanely long. I'm tempted to change it to 1 second.

The default interval is 120 seconds and it would take 3 probes to fail before it would bring down the server. You can lower this and also use the command "failaction purge" so that when a server fails it forces the user to disconnect.

  • PIX 515e VPN Host Connectivity Problem

I am having an issue with a VPN connection that I have. I have a VPN set up to allow all hosts in a /24 subnet to work across from a single host on my side. From the host on my side, I am able to ping and access some of the hosts on the other side. I have, however, one host that is not allowing me to ping it. We have verified the firewall on the far end is allowing everything, but I can't make any kind of connection. We have verified that the machine on the far end is pingable and accessible from other networks. It is almost like the host on my side doesn't even try to connect across the tunnel. I have verified in my logs that when I do a ping from my host, it shows it building and tearing down a connection on the firewall for NAT, so I know that traffic is at least getting to the firewall, but it looks like it is not getting any farther. Has anyone seen any strange behavior like this before? I know that ACLs and such are correct on both ends due to the tunnel coming up when I try to access another host. The tunnel doesn't come up, though, when I try to ping the problem machine.
    Thanks,
    Brandon

Also, we have tested from the far end of the tunnel, and when I attempt a ping to the problem machine, they don't see any traffic hitting their VPN endpoint. They do, however, see traffic to all the other hosts that I attempt to access on their network.
