CSS11503 & WebLogic Cluster

admin_2 — Thu, 08 Apr 2004 14:03:30 GMT

Hi,

I'm trying to get a configuration working for our CSS11503 and I'm pretty lost on what I need to do. I'm primarily a application developer/WebLogic admin so I have some understanding of networking but general at best.

What we're trying to accomplish is to establish connectivity through the CSS to a WebLogic cluster. Currently it doesn't look like anything is going through the CSS at all. So, how do I diagnose traffic coming into the CSS? I've turned logging levels to debug-7 and do see some traffic coming in from the outside interface but it shows it as a DOS attack?

Here is our current configuration:

CSS11503(config)# show running-config

!Generated on 04/08/2004 07:51:38

!Active version: sg0710405

configure

!*************************** GLOBAL ***************************

no restrict web-mgmt

sntp server 149.83.131.15 version 1

cdp run

logging subsystem ipv4 level debug-7

logging subsystem syssoft level debug-7

logging subsystem buffer level debug-7

logging subsystem flowmgr level debug-7

logging subsystem radius level debug-7

logging subsystem wcc level debug-7

logging subsystem chassis level debug-7

logging subsystem vlanmgr level debug-7

logging subsystem netman level debug-7

logging subsystem app level debug-7

logging subsystem rip level debug-7

logging subsystem ospf level debug-7

logging subsystem sntp level debug-7

logging subsystem dhcp level debug-7

logging subsystem vrrp level debug-7

logging subsystem redundancy level debug-7

logging subsystem csdpeer level debug-7

logging subsystem portmapper level debug-7

logging subsystem acl level debug-7

logging subsystem circuit level debug-7

logging subsystem security level debug-7

logging subsystem fac level debug-7

logging subsystem vpm level debug-7

logging subsystem publish level debug-7

logging subsystem keepalive level debug-7

logging subsystem urql level debug-7

logging subsystem nql level debug-7

logging subsystem dql level debug-7

logging subsystem pcm level debug-7

logging subsystem proximity level debug-7

logging subsystem hfg level debug-7

logging subsystem replicate level debug-7

logging subsystem boomerang level debug-7

logging subsystem fp-driver level debug-7

logging subsystem flowagent level debug-7

logging subsystem cdp level debug-7

logging subsystem slr level debug-7

logging subsystem natmgr level debug-7

logging subsystem ssl-accel level debug-7

ip route 0.0.0.0 0.0.0.0 206.88.44.254 1

!************************* INTERFACE *************************

interface Ethernet-Mgmt

description "Management Access"

interface 2/1

description "web-cluster-server1"

bridge vlan 10

interface 2/2

description "web-cluster-server2"

bridge vlan 10

interface 2/8

description "Outside-DMZ...206.88.44.225"

bridge vlan 11

!************************** CIRCUIT **************************

circuit VLAN1

ip address 206.88.45.225 255.255.255.0

circuit VLAN10

description "web-cluster"

ip address 10.1.1.254 255.255.255.0

circuit VLAN11

description "Outside-DMZ"

ip address 206.88.44.225 255.255.255.0

ip virtual-router 1 priority 110 preempt

ip redundant-vip 1 206.88.44.226

ip critical-service 1 upstream

ip critical-service 1 webserver1

ip critical-service 1 webserver2

!************************** SERVICE **************************

service upstream

ip address 206.88.44.254

type redundancy-up

active

service webserver1

ip address 10.1.1.1

active

service webserver2

ip address 10.1.1.2

active

!*************************** OWNER ***************************

owner ADP

content RuleForVIP1

vip address 206.88.44.226

balance leastconn

add service webserver1

add service webserver2

active

I should be able to talk to the two servers listening on 10.1.1.1:7003 and 10.1.1.2:7003.

Thanks,

-Brett

Re: CSS11503 & WebLogic Cluster

stevehall — Thu, 08 Apr 2004 17:20:35 GMT

Brett,

Well, first off, if you are going to have a redundant VIP I am assuming there are 2 CSSs here. We need to make sure the server responses come back through the same CSS that is active for the VIP.

We can see who is active the the VIP by typing

"show redundant-vip"

You do not have any redundant IP on the server side, so is the gateway of the servers 10.1.1.254? What is the IP of the other CSSs circuit?

Typically, there is a redundant IP on the server side so we can fail over the server's gateway when we fail over the VIP.

To see connections to that VIP you can see the hits increment by typing "show summary". Show flow will show current flows, but HTTP flows are typically pretty quick and you are likely to miss them.

-Steve

Re: CSS11503 & WebLogic Cluster

Thu, 08 Apr 2004 19:12:12 GMT

Steve,

Thanks for the response. Our eventual configuration will have 2 CSS's but only one today.

show redundant-vip

Redundant-Vips:

Interface Address: 206.88.44.225 VRID: 1

Redundant Address: 206.88.44.226 Range: 1

State: Master Master IP: 206.88.44.225

State Changes: 3 Last Change: 04/07/2004 10:39:01

Show summary does show hits coming in and with debugging turned on I'm seeing messages like the following.

APR 8 12:56:23 1/1 1377 FLOWMGR-7:

DoS SYN attack: 206.88.41.248:2304->206.88.44.226:7003

synCnt: 3, initSeq: 2257383471

Is this dropping/preventing the packets from routing to the 10.1.1.x network?

Default gateway for the webservers is the 10.1.1.254 address.

Thanks,

-Brett

Re: CSS11503 & WebLogic Cluster

Thu, 08 Apr 2004 20:44:45 GMT

Looks like we've gotten this resolved. It was a routing issue on the two webserver machines. Guess I'm still a little confused as to how to monitor traffic leaving the CSS.

Thanks,

-Brett

topic Re: CSS11503 & WebLogic Cluster in Application Networking

CSS11503 & WebLogic Cluster

Re: CSS11503 & WebLogic Cluster

Re: CSS11503 & WebLogic Cluster

Re: CSS11503 & WebLogic Cluster