Solved

Cisco CSS Load Balancer issue

Posted on 2009-04-17
Last Modified: 2012-06-27
I am having an issue with the Cisco CSS 11000 series. I have two server farms under two different owners. A member server of one server farm can't browse/access a server in the other server farm through the VIP. Is there any security setting by default that is blocking my connection?
Question by:formijob
9 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 24184674

Are your servers in RFC 1918 space? Try connecting to the real IP? Why are you trying to connect via the VIP from the inside? What is probably happening here is that traffic from the inside needs to be routed back out the same interface it is received on; the CSS cannot handle that, the last time I checked. Again, try using the real. You are trying to do same-wire load balancing; is your CSS in routed or bridge mode?

It is hard to visualize your setup; do you have a diagram you can share?

harbor235 ;}
 

Author Comment

by:formijob
ID: 24187589
In our setup, the CSS is connected to the core 6500. The servers are also connected to the core 6500. Clients will send requests to the CSS using the VIP from a remote branch office. The core and the CSS are connected using 1 gig fibre channel. It is in routed mode. I am trying to load balance to the other server farm from the web server. The other servers will have image files. But I have no clue why a server of one farm can't get into the other server farm through the VIP. If I use the real IP I won't get load balancing on those image servers.

Thanks for your response.
 
LVL 32

Expert Comment

by:harbor235
ID: 24194632


I need a picture of your setup. Are you saying that all the servers are physically attached to the same 6500 but in different VLANs/subnets?

Does the traffic from the source server route into the outside interface of the CSS, or are you trying to route traffic through the CSS via multiple inside interfaces?

harbor235 ;}

 

Author Comment

by:formijob
ID: 24197713
Yes, all the servers are physically attached to the same 6500 but in different subnets/VLANs. I don't understand what you mean by outside and inside interface in the CSS. But the traffic from the source server will go to the CSS from the 6500 core because to route in 6500 to CSS. As per the diagram, if I try to access server farm B from A via the VIP, the request should go to the CSS through the 6500, then the CSS should make a request to server farm B, then it should respond back to server A.

But I don't get it.

This setup works perfectly if a request comes from any other client/server that is not a member of a server farm.

thanks

Drawing1.jpg
 
LVL 32

Expert Comment

by:harbor235
ID: 24197857

So is this a one arm design? Or are there physically more than one interface on the CSS.

harbor235 ;}
 
LVL 32

Expert Comment

by:harbor235
ID: 24197886


If you are in routed mode then you must have an internet facing interface and a server farm facing interface?

harbor235 ;}
 
LVL 32

Expert Comment

by:harbor235
ID: 24197957



In your config, how many "ip address " or "bridge vlan" statements do you have?

Can you post your config?

harbor235 ;}
 

Author Comment

by:formijob
ID: 24218709
!Generated on 12/30/2008 08:34:33
!Active version: sg0810205

configure


!*************************** GLOBAL ***************************
  ip redundancy  
  sntp primary-server 192.168.230.131 version 1

  app
  app session 172.16.30.1

 
  dns primary 192.168.230.105
  dns secondary 192.168.230.106

 
  ip route 0.0.0.0 0.0.0.0 192.168.230.65 1

!************************* INTERFACE *************************
interface  1/1
  bridge vlan 162

interface  1/2
  bridge vlan 163

interface  2/1
  bridge vlan 162

interface  2/2
  bridge vlan 163

interface  2/4
  admin-shutdown

interface  2/8
  bridge vlan 167

!************************** CIRCUIT **************************
circuit VLAN162
  redundancy

  ip address 192.168.230.66 255.255.255.224

circuit VLAN163
  redundancy

  ip address 192.168.230.145 255.255.255.240

circuit VLAN167

  ip address 172.16.30.2 255.255.255.0
    redundancy-protocol

!************************** SERVICE **************************
service SRV4519
  ip address 192.168.230.153
  active

service SRV4525
  ip address 192.168.230.152
  active

service SRV6349
  ip address 192.168.230.146

service SRV6350
  ip address 192.168.230.147
  active

service SRV6351
  ip address 192.168.230.151
  active

service SRV6352
  ip address 192.168.230.149
  active

service SRV8033
  ip address 192.168.230.150
  active

service SRV8045
  ip address 192.168.230.155
  active

service SRV8046
  ip address 192.168.230.148
  active

!*************************** OWNER ***************************
owner FARM1

  content web-servers
    vip address 192.168.230.81
    port 443
    protocol tcp
    balance aca
    add service SRV6352
    add service SRV6351
    add service SRV6350
    active

owner FARM2

  content dotnet-servers
    vip address 192.168.230.85
    protocol tcp
    port 443
    balance aca
    add service SRV8033
    add service SRV8046
    add service SRV8045
    active

owner testweb

  content test-websrvs
    add service SRV4519
    add service SRV4525
    vip address 192.168.230.84
    balance aca
    protocol tcp
    port 80
    active
 
LVL 32

Accepted Solution

by:
harbor235 earned 2000 total points
ID: 24218857


All your servers are in the same subnet; CSSs cannot do same-wire load balancing. The VIP is hit from the outside-in, not from the inside-in. The CSS does not know how to handle a packet received on an interface when the destination is back out the same interface; typical switch behavior is to drop that packet.

I have heard other load balancing solutions can handle this; I am still unclear why you are trying to do this. You want to balance traffic from the outside in, but on the same subnet? What type of traffic needs to be balanced if they are all the same type of server, WEB, APPS, DB, etc.?

Your CSS has 3 interfaces,

I guess you could put the server in different subnets,


harbor235 ;}
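
A way to check for the condition the accepted answer describes, as an added example that is not part of the original thread: this Python sketch parses a trimmed excerpt of the posted configuration and reports owner pairs whose real servers sit in the same circuit subnet. The function names `parse` and `same_wire_pairs` are assumptions made for this example.

```python
import ipaddress

# Trimmed excerpt of the config posted in the thread (two services per farm).
CONFIG = """
circuit VLAN162
  ip address 192.168.230.66 255.255.255.224
circuit VLAN163
  ip address 192.168.230.145 255.255.255.240
service SRV6350
  ip address 192.168.230.147
service SRV6351
  ip address 192.168.230.151
service SRV8033
  ip address 192.168.230.150
service SRV8046
  ip address 192.168.230.148
owner FARM1
  content web-servers
    vip address 192.168.230.81
    add service SRV6351
    add service SRV6350
owner FARM2
  content dotnet-servers
    vip address 192.168.230.85
    add service SRV8033
    add service SRV8046
"""

def parse(text):
    """Return (circuit subnets, service IPs, owner -> service names)."""
    nets, svcs, farms, kind, name = {}, {}, {}, None, None
    for tok in (line.split() for line in text.splitlines()):
        if tok[:1] and tok[0] in ("circuit", "service", "owner"):
            kind, name = tok[0], tok[1]
        elif tok[:2] == ["ip", "address"] and kind == "circuit":
            nets[name] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[:2] == ["ip", "address"] and kind == "service":
            svcs[name] = ipaddress.ip_address(tok[2])
        elif tok[:2] == ["add", "service"] and kind == "owner":
            farms.setdefault(name, []).append(tok[2])
    return nets, svcs, farms

def same_wire_pairs(text):
    """Farm pairs whose real servers share a circuit subnet: (farm_a, farm_b, circuit)."""
    nets, svcs, farms = parse(text)
    where = {f: {c for s in m for c, n in nets.items() if svcs[s] in n} for f, m in farms.items()}
    return [(a, b, c) for a in sorted(where) for b in sorted(where) if a < b
            for c in sorted(where[a] & where[b])]

print(same_wire_pairs(CONFIG))
```

Run against the excerpt, it reports FARM1 and FARM2 as sharing circuit VLAN163, while both VIPs fall in the VLAN162 subnet.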