topic Re: CSS11051 balancing services behind a firewall in Application Networking

CSS11051 balancing services behind a firewall

carsten.otto — Thu, 12 Feb 2004 08:58:36 GMT

Is it possible to configure the CSS11051 to balance http servers behind a firewall cluster?

We put the CSS in a proxy zone of our Symantec Enterprise Firewall Cluster to balance our direct attached SSL Terminators. Now we want to balance the webservers on the internal LAN of the firewall cluster based on Rainwall. It works, but if we shut down the firewall with the virtual IP something strange happens:

1. The services are up and I can see the keepalives going through the other firewall but the packets with the payload still going to the MAC Address of the broken firewall.

Is the service designed to use MAC Adresses and not to look in the ARP Table and why work keepalives different ?

Any Idea how to change this ??

Thanks

Carsten

Re: CSS11051 balancing services behind a firewall

mvoight — Thu, 12 Feb 2004 09:16:53 GMT

Are these new connections? or Do you see the CSS forwarding new SYNs to the old MAC? What version?

Could be:

CSCdy46189 When a Gratuitous ARP (GARP) was received the CSS would not update existing flows with the new MAC and thus existing flows would be sent from the CSS would the incorrect MAC and be dropped. Only new flows and new keepalive requests were using the updated ARP information.

Fixed by 5.00.2.04.

Re: CSS11051 balancing services behind a firewall

carsten.otto — Thu, 12 Feb 2004 09:30:55 GMT

Thank you for the quick response !!!

We are using ap0500045 and I assume that an update will fix our problem. Indeed I can see SYN's to the old MAC.

BTW:Where can I have a look on the notes e.g. CSCdy46189 you send me ?

Thanks

Carsten

Re: CSS11051 balancing services behind a firewall

mvoight — Thu, 12 Feb 2004 09:47:41 GMT

Carsten,

You can see release note info in Bug Toolkit

This is located at

http://www.cisco.com/kobayashi/support/tac/tools.shtml

Go there and select the link for "Software Bug Toolkit" under the "Troubleshooting Tools" section.

Here is the public release note:

The CSS forwards packets to the wrong MAC after receiving gratuitous ARP.

The updated MAC address of a service or next hop used to reach the

service or client is used for new flows only. The existing flows

are not modified and packets are sent to previous MAC address and lost.

Re: CSS11051 balancing services behind a firewall

carsten.otto — Tue, 17 Feb 2004 15:59:14 GMT

Hi,

nice try but

after updating the IOS I can still see the old Mac-Address in the requests to the firewall. Also new connections to the content use the old Mac but the Arptable is up to date and the service checks are positiv. Why are the services alive while connects to the service fail, using the old Mac.

Here is my config for the servicve:

service 1

keepalive type http

port 7777

ip address 10.11.70.11

active

service 2

keepalive type http

port 7777

ip address 10.11.70.12

active

service SSL1

port 443

ip address 10.11.64.11

keepalive type tcp

keepalive port 443

active

service SSL2

port 443

ip address 10.11.64.30

keepalive type tcp

keepalive port 443

active

owner http-server

content http

add service 2

add service 1

vip address 10.11.64.100

balance leastconn

protocol tcp

port 7777

owner SSL

content SSL-Accelerator

balance aca

protocol tcp

port 443

url "/*"

advanced-balance ssl

application ssl

add service SSL1

add service SSL2

vip address 10.11.70.200

active

Do I miss something in my config ?

Thanks

Carsten