topic CSM Load Balancer Help in Application Networking

CSM Load Balancer Help

anthony.baker — Tue, 08 Apr 2008 09:13:16 GMT

Hey all,

I had a config working for load balancing websites but now need something to work for a flash app that uses port 1935 instead.

Everything worked but I couldn't see the real source IP (which is a requirement of the business). I know that this was because I was taking it from the HTTP header before and it's not HTTP now.

What are my options here? Is there something similar I could do or do I need to change the basic design?

My design at present looks like this:

Client -- CSM -- FWSM -- Real Servers

The servers have a DG of the FWSM and are on VLAN205.

module ContentSwitchingModule 12

vlan 205 server

ip address 10.1.205.5 255.255.255.0

vlan 150 client

ip address 10.1.205.5 255.255.255.0

natpool MAND8 10.1.205.50 10.1.205.50 netmask 255.255.255.0

probe TCP_80 tcp

interval 5

failed 3

port 80

map SOURCEIPHEADER header

insert protocol http header sourceip header-value %is

serverfarm MAND8

nat server

nat client MAND8

failaction reassign

real 10.1.205.209

no inservice

real 10.1.205.219

inservice

probe TCP_80

policy INSERTSOURCEIP

header-map SOURCEIPHEADER

serverfarm MAND8

vserver MAND8

virtual 10.1.205.50 tcp 1935

vlan 205

unidirectional

serverfarm MAND8

advertise active

persistent rebalance

inservice

As I say, the above config works fine, apart from the NAT so if anyone has any ideas that would be great!

Thanks in advance

Anthony

Re: CSM Load Balancer Help

Gilles Dufour — Tue, 08 Apr 2008 10:15:16 GMT

You need to change the design.

Do something like this

client -- FW -- CSM --- servers

Have the same configured in bridge mode so the servers can keep the FW as their DG.

After that you can remove the natpool from the serverfarm and you will see the client ip address on the servers.

Gilles.

Re: CSM Load Balancer Help

anthony.baker — Tue, 08 Apr 2008 10:24:59 GMT

Ok, thanks Gilles...

I'm trying to do what you suggest but what's the main config difference between what I have and what you suggest?

I have the outside FW VLAN as VLAN15 - VLAN205 is one that is off the FWSM and VLAN150 is just on the CSM.

So how do I change what I have to 'bridge'?

Thanks for the help

Anthony

Re: CSM Load Balancer Help

Gilles Dufour — Tue, 08 Apr 2008 10:29:41 GMT

The goal is to have the traffic hit the CSM before it goes to the firewall which could send the traffic back to the client without going through the CSM.

If I understand correctly, the servers are in vlan 205.

So you need sth like this :

vlan15 -- FW ---- vlan150 ---- CSM ----vlan205

Configure the same ip in vlan150 and vlan205 for the CSM.

Use an ip from the servers subnet.

Remove vlan 205 from the FW and replace it with vlan 150.

I hope this makes sense like this.

Don't hesitate to send more questions if you need to clarify something.

Gilles.

Re: CSM Load Balancer Help

anthony.baker — Tue, 08 Apr 2008 13:41:37 GMT

Hey Gilles,

Thanks for the help.

When you say remove 205 from the FW which part do you mean. I thought that all the machines still use the FWSM as their DG or am I wrong -- so I still need to keep the IP, access-lists etc there??

Re: CSM Load Balancer Help

Gilles Dufour — Tue, 08 Apr 2008 14:11:29 GMT

the CSM will bridge between the FW and the servers.

But the FWSM can't have direct access to the server vlan.

So you keep everything the same on the firewall, but you need to remove the server vlan and replace it with a new vlan id that will exist only between the csm and the fwsm.

The fwsm will keep the same ip addresses.

Just the vlan id will change.

The csm takes care of the rest.

Gilles.

Re: CSM Load Balancer Help

anthony.baker — Tue, 08 Apr 2008 15:23:31 GMT

Ok, I think I understand. I've deleted VLAN205 on the FWSM and replaced it with VLAN150 but with the original VLAN205 IP address - to still be used as the DG.

When I try now I can see requests coming into the server from the non-natted address but the page doesn't load.

Should I have a gateway configured on either the server/client VLAN's on the CSM config to sort this problem or is it something else?

Thanks again!

Re: CSM Load Balancer Help

anthony.baker — Tue, 08 Apr 2008 15:44:22 GMT

So now I have:

interface Vlan105

nameif inside

security-level 100

ip address 10.2.250.1 255.255.255.0

firewall vlan-group 50 15,105

and then the same as before in terms of CSM config...

Re: CSM Load Balancer Help

anthony.baker — Thu, 10 Apr 2008 12:23:25 GMT

Hey Gilles,

Thanks for all your help!

I got it working in the end. I kept 205 as the bridged VLAN so that my other servers can stay on that without needing to be changed, then created a new VLAN for the servers that are to be load balanced. I now see the source IP and all is good!

Next problem!!

Do you know if it's possible for a probe script to look inside a text file and look for a certain line of text or if not look for a certain line of text on a webpage i.e. 'ok' or whatever?

I'm reading loads of stuff at the moment but you seem to have the answers so thought I'd ask!!

Cheers,

Anthony