topic Re: CSS11501 and DNS server loadbalancing in Application Networking

CSS11501 and DNS server loadbalancing

richardmcmahon — Fri, 12 Nov 2004 16:50:58 GMT

Hi,

We have the following config

PIX

CSS

DNS Boxes

The pix has valid internet visable ip's on the outside and the CSS does routing between two internal address ranges.

Everything works fine and the dns servers merrily answer queries but every now and again for a period of about 2-5 minutes they stop. I can still see the queries hitting the server's logs but no reply is seen be the client.

Config is shown below.

!************************* INTERFACE *************************

interface e1

bridge vlan 4

interface e2

bridge vlan 3

interface e8

bridge vlan 99

!************************** CIRCUIT **************************

circuit VLAN4

redundancy

ip address 10.2.0.2 255.255.0.0

circuit VLAN3

redundancy

ip address 10.1.0.2 255.255.0.0

service rbdns1

ip address 10.1.1.221

keepalive type script dnscheck "10.1.1.221"

keepalive port 53

active

service rbdns2

ip address 10.1.1.42

keepalive type script dnscheck "10.1.1.42"

content rbdns

vip address 10.2.1.100

add service rbdns1

add service rbdns2

balance leastconn

active

!*************************** GROUP ***************************

group rbdns

add destination service rbdns1

add destination service rbdns2

vip address 10.2.1.100

active

Any ideas much appreciated.

Thanks,

Richard

Re: CSS11501 and DNS server loadbalancing

seilsz — Sat, 13 Nov 2004 17:54:33 GMT

Richard,

Your configuration looks correct. Can you take a sniffer trace between the DNS servers and the CSS while you are having the problem?

~Zach

Re: CSS11501 and DNS server loadbalancing

Gilles Dufour — Mon, 15 Nov 2004 10:19:46 GMT

your config is actually incorrect.

You have to replace the 'add destination service rbdns#'

command with 'add service rbdns#'.

The command you have configured is for client nat when traffic goes from client to server.

What I suggested is client nat when traffic goes from server to client.

And this is required for udp traffic.

Regards,

Gilles.

Re: CSS11501 and DNS server loadbalancing

seilsz — Mon, 15 Nov 2004 13:45:12 GMT

Gilles,

Section #2 at the following location:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a00801e05ee.shtml#topic1b

seems to indicate that this configuration will work.

Is your recommendation because the initial post is using the same IP address for the VIP and the source group?

Thanks,

Zach

Re: CSS11501 and DNS server loadbalancing

Gilles Dufour — Mon, 15 Nov 2004 15:12:24 GMT

Zach,

you're right.

It can actually work like this.

[there was some bugs previously so it wasn't working in this configuration but now it should].

Good catch.

Let's see if the sniffer trace brings anything interesting.

Gilles.

Re: CSS11501 and DNS server loadbalancing

seilsz — Mon, 15 Nov 2004 17:14:32 GMT

This brought up another question in my mind ...

If you use the same IP in the content rule and the source group, what prevents the return traffic from matching the content rule? Is it because the flow-table is checked first?

What is the "Note" under Section #2 of the link I sent you trying to say?

Thanks,

Zach

Re: CSS11501 and DNS server loadbalancing

richardmcmahon — Tue, 16 Nov 2004 11:15:56 GMT

Thanks for your input. I will endevor to get traces for these. They are in a remote site and I dont have a machine in place to sniff the traffic on the contentswitch/firewall side of the network.