topic Re: CSS in Application Networking

CSS

jcarvalh — Tue, 01 Apr 2008 16:45:43 GMT

I have a CSS 11506. I have one content rule with two services. If I try to access the servers directly (via real IP address) all goes well and I get access to the web page, if I try to access the web page via the CSS VIP I dont see the web page. You can see the config that I am using at the end of this post; I think there is no problem with it but I just want to make sure.

Thanks in advance,

Joao Carvalho

Config:

!*************************** GLOBAL ***************************

date european-date

cdp run

no restrict web-mgmt

dns secondary 192.168.40.254

dns primary 192.168.40.5

ip route 0.0.0.0 0.0.0.0 192.168.12.1 1

!************************* INTERFACE *************************

interface 1/1

trunk

vlan 3

vlan 12

interface 1/2

trunk

vlan 12

!************************** CIRCUIT **************************

circuit VLAN12

ip address 192.168.12.22 255.255.255.0

!************************** SERVICE **************************

service www-hux1

ip address 192.168.12.26

keepalive frequency 20

port 80

protocol tcp

active

service www-hux2

ip address 192.168.12.25

keepalive frequency 20

port 80

protocol tcp

active

!*************************** OWNER ***************************

owner HS

billing-info "ahp"

content rule1

vip address 192.168.12.21

add service www-hux1

add service www-hux2

port 80

url "/*"

protocol tcp

active

Re: CSS

Gilles Dufour — Wed, 02 Apr 2008 13:32:02 GMT

you have only 1 vlan on the CSS.

Therefore, this is called one-armed and precautions need to be taken to guarantee that the response from the server will not go directly to the client - which will break the setup since the client expect a response from the css not the server.

If the CSS is not the default gateway of the server, you need to configure client nat.

ie:

group clientnat

vip address 192.168.12.21

add destination service www-hux1

add destination service www-hux2

active

Gilles.

Re: CSS

jcarvalh — Wed, 02 Apr 2008 14:20:56 GMT

I tried your solution and it worked just fine.

I also tried another thing that worked; I changed the default gateway of the real server to 192.168.12.22 (IP address of vlan circuit in CSS). Is this a commom solution? Are there any known problems with this aproach?

Joao

Re: CSS

Gilles Dufour — Wed, 02 Apr 2008 15:35:33 GMT

the problem with the client nat solution is that the server loses the information about client ip address.

The problem with the gateway pointing to the CSS is one the server opens a connection directly to the outside, the response will go back directly to the server, bypassing the server....same problem as before but the other way around.

And if you send all traffic to the CSS, you take the risk to lose in performance if you have a lot of traffic that normally does not require loadbalancing.

The best solution is to put the CSS inline with the servers.

Gilles.