ACE 20 CAS servers

netternewbie
Level 4

Hi all,

I have to load balance two CAS servers. Is this the correct way to set up the probes and serverfarm? I am using an ACE 20.

probe tcp TESTCAS-PROBE
  interval 3
  passdetect interval 5

parameter-map type ssl SSL-TESTCAS-FARM-ADVANCED
  cipher RSA_WITH_RC4_128_MD5

rserver host TSTCAS
  ip address 10.192.6.2
  inservice
rserver host TSTCAS2
  ip address 10.192.6.3
  inservice

ssl-proxy service SSL-TESTCAS-FARM
  key testcas.pem
  cert testcascert
  chaingroup TEST-CHAINGRP
  ssl advanced-options SSL-TESTCAS-FARM-ADVANCED

serverfarm redirect HTTP-TESTCAS-FARM
  rserver HTTP-TESTCAS
    inservice

serverfarm host TESTCAS-FARM
  predictor leastconns
  probe TESTCAS-PROBE
  rserver TSTCAS 80
    inservice
  rserver TSTCAS2 80
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SSL-TESTCAS-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm TESTCAS-FARM

class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.6.1 tcp eq https

policy-map type loadbalance first-match TESTCAS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-TESTCAS-FARM

policy-map multi-match TESTCASPOLICY
  class TESTCAS-VIP
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-TESTCAS-PROXY

service-policy input TESTCASPOLICY

26 Replies

Hi Netter,

Sure. Welcome always!

Regards,

Kanwal

Hi Kanwalsi,

One problem that I have never seen before. I can get to the VIP from outside the network and the external world but can't from the two CAS servers. Have you ever seen this before?

Thanks

Hi Netter,

What do you mean by you cannot get to them? Are you not able to ping them or you are trying to access the URL? You would need proper NAT in place for the server connection to work. But why do you need to access servers via VIP from the servers itself?

Regards,

Kanwal

Hi Kanwal,

I have 3 VLANs: 62 (layer 3 on the router), 362 (bridged, FWSM) and 662 (bridged, ACE).

If I put a server in vlan 62 I can telnet to the VIP on port 443. telnet 10.192.228.60 443 and I get a connection fine.

However if I try from a server behind the ace in vlan 662 it doesn't connect.

I have a webtier vip on this same context and that works fine. 

Hi Kanwal,

At the moment it's just to test the slw. You can telnet to vip address on port 80 and 443 from cas servers and other servers in that vlan. But once you move one of these servers behind the ace vlan you can't.

I just don't understand it. Do you think it requires some sort of source NAT? Otherwise the config you helped me with seems perfect.

Hi Netter,

Yes you would need source NAT on ACE since you are sitting on the same server which you are trying to access via VIP.

Regards,

Kanwal

Hi Kanwal,

Damn, I was afraid you were going to say that. I have never implemented source NAT before. Is it hard to do?

My network is 10.192.228.0/25. My rservers are tstcas 10.192.228.44 and testcas2 10.192.228.58. The VIP is 10.192.228.60.

I have implemented the two probes, two server farms and two policies as suggested. Do I just pick a random IP address from 10.192.228.0/25?

Any help greatly appreciated I am really stuck on this.

Hi Netter,

Something like this:

- Clients coming in on VLAN 251 connect to the VIP and are load balanced without source NAT.
- Servers connecting to the VIP on VLAN 451 are load balanced AND source NAT'd because they match both class-maps.

login timeout 0

access-list ANYONE line 10 extended permit ip any any

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all REAL_SERVERS
  2 match source-address 192.168.1.0 255.255.255.0
class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
  class REAL_SERVERS
    nat dynamic 1 vlan 451

interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.51.1

Regards,

Kanwal
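The reason source NAT is needed is a return-path problem, which the exchange above describes only in prose. The following added simulation (not ACE code, not from this thread's authors) walks a SYN from a client to the VIP, the rserver's SYN-ACK back, and checks whether the client accepts it. Addresses are constructed after the thread (VIP 10.192.228.60, rservers .44 and .58 in 10.192.228.0/25); the ACE is assumed to be bridged in the path to other VLANs, the nat-pool address 10.192.228.100 is hypothetical, and the first rserver is always chosen since the predictor does not affect the path.

```python
"""Why a host on the server VLAN cannot reach the VIP without source NAT.

Added example with constructed addresses; not ACE software or a
configuration from this thread.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed after the thread: VIP, rservers and the VLAN-662 hosts all
# share 10.192.228.0/25. NAT_POOL is a hypothetical address owned by the ACE.
SERVER_NET = ip_network("10.192.228.0/25")
VIP = ip_address("10.192.228.60")
RSERVERS = [ip_address("10.192.228.44"), ip_address("10.192.228.58")]
NAT_POOL = ip_address("10.192.228.100")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    kind: str  # "SYN" (client -> VIP) or "SYN-ACK" (rserver -> client)


def ace_inbound(pkt: Packet, snat: bool) -> tuple[Packet, dict]:
    """Client-to-VIP packet enters the ACE. The destination is rewritten to
    the chosen rserver (first one here). With snat=True and a source inside
    the server subnet (the REAL_SERVERS class-map in the reply above), the
    source is rewritten to the nat-pool address so the reply must come back
    through the ACE. Returns the forwarded packet and the ACE's flow record."""
    if pkt.dst != VIP:
        raise ValueError("not VIP traffic")
    new_src = NAT_POOL if (snat and pkt.src in SERVER_NET) else pkt.src
    fwd = Packet(src=new_src, dst=RSERVERS[0], kind=pkt.kind)
    flow = {"client": pkt.src, "vip": VIP, "rserver": fwd.dst, "nat_src": new_src}
    return fwd, flow


def rserver_reply(pkt: Packet) -> Packet:
    """The rserver answers whatever source address it saw in the SYN."""
    return Packet(src=pkt.dst, dst=pkt.src, kind="SYN-ACK")


def deliver(reply: Packet, flow: dict) -> tuple[str, Packet]:
    """Route the reply. A destination in the rserver's own subnet that the ACE
    does not own is reached directly at layer 2, bypassing the ACE. Any other
    destination (an off-subnet client, or the ACE's nat-pool address) passes
    the ACE, which reverse-translates using its flow record."""
    if reply.dst in SERVER_NET and reply.dst != NAT_POOL:
        return "direct", reply
    untranslated = Packet(src=flow["vip"], dst=flow["client"], kind=reply.kind)
    return "via-ace", untranslated


def client_accepts(sent: Packet, received: Packet) -> bool:
    """A TCP stack only accepts a SYN-ACK from the address it sent the SYN to;
    a reply from the rserver's own IP is answered with a RST."""
    return received.src == sent.dst and received.dst == sent.src


def simulate(client_ip: str, snat: bool) -> dict:
    """Run one handshake attempt and report path, reply source and outcome."""
    client = ip_address(client_ip)
    syn = Packet(src=client, dst=VIP, kind="SYN")
    fwd, flow = ace_inbound(syn, snat)
    path, delivered = deliver(rserver_reply(fwd), flow)
    return {"path": path, "reply_from": str(delivered.src),
            "accepted": client_accepts(syn, delivered)}


if __name__ == "__main__":
    cases = [("client on VLAN 62", "10.192.6.50"),
             ("server on VLAN 662", "10.192.228.70")]
    for who, ip in cases:
        for snat in (False, True):
            print(f"{who:20} snat={snat!s:5} {simulate(ip, snat)}")
```

The off-subnet client works either way because its reply has to cross the ACE to leave the VLAN; only the same-subnet host sees the rserver's address in the SYN-ACK and tears the connection down, which is the symptom reported with VLAN 662. Note that with PAT on a single nat-pool address the rservers lose the real client IP in their logs, so application-level logging (for example forwarded-for headers) is where client identity has to be recovered.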

Hi Kanwal,

Nat worked and I'm up and running. Thanks for all your help on this.

Hi Netter,

I am glad I was of help. Have a good evening man!

Regards,

Kanwal

Kanwal, I forgot to mention it's not just the CAS servers. If I try to telnet to the VIP from one of the web tier servers it works fine in VLAN 62, but if I move that server to VLAN 662 I have the same problem: I can't telnet to the VIP on 443 or 80.

You reckon still a source nat problem?

Hi Kanwalsi,

Because now they want the certs on the servers and traffic to reach the servers on 80 and 443, I have enabled the config below. Am I on the right track? I have a probe probing the servers on 443 and have a redirect farm enabled as well. Not sure if I should have an https probe and 443 in the serverfarm?

Maybe I am on the wrong track altogether, but this is what I have:

probe https TESTCAS-PROBE
  interval 3
  passdetect interval 5
  expect status 200 200

rserver redirect HTTP-TESTCAS
  webhost-redirection https://%h/%p 301
  inservice

rserver host TSTCAS
  ip address 10.192.168.44
  inservice
rserver host TSTCAS2
  ip address 10.192.168.58
  inservice

serverfarm redirect HTTP-TEST-FARM
  rserver HTTP-TEST
    inservice

serverfarm host TESTCAS-FARM
  predictor leastconns
  probe TESTCAS-PROBE
  rserver TSTCAS 443
    inservice
  rserver TSTCAS2 443
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SSL-**-TESTCAS-FARM
  timeout 720
  timeout activeconns
  replicate sticky

sticky ip-netmask 255.255.255.255 address source STICKY-TESTCAS-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm TESTCAS-FARM

class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.158.60 tcp eq https

class-map match-any REDIRECT-HTTPCAS-TEST
  2 match virtual-address 10.192.168.60 tcp eq www

policy-map type loadbalance first-match TESTCAS-POLICY
  class class-default
    sticky-serverfarm STICKY-TESTCAS-FARM

policy-map type loadbalance first-match TESTCAS-POLICY-REDIRECT
  class class-default
    sticky-serverfarm STICKY-SSL-**-TESTCAS-FARM

policy-map multi-match TESTCASPOLICY
  class TESTCAS-VIP
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY
    loadbalance vip icmp-reply active

policy-map multi-match TESTCASREDIRECTPOLICY
  class REDIRECT-HTTPCAS-TEST
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise

service-policy input TESTCASREDIRECTPOLICY
service-policy input TESTCASPOLICY
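Both configs posted in this thread reference objects by name (rserver inside serverfarm, serverfarm inside sticky group, sticky group inside the loadbalance policy, class-map and ssl-proxy inside the multi-match policy), and a name that does not resolve fails silently at the point of use rather than at paste time. The following added checker is not ACE software and not from this thread's authors: it parses an ACE-style indented config, resolves every cross-reference, flags a sticky group with no serverfarm, and flags SSL parameter-maps that allow RC4/MD5-class ciphers. The embedded config is constructed to resemble the last post above, including a serverfarm that names an rserver which was never defined, a sticky group with no serverfarm, and a multi-match policy that names an ssl-proxy service which does not exist; names such as SSL-ADV are placeholders.

```python
"""Reference and cipher lint for ACE-style configs (added example, not ACE code)."""
from __future__ import annotations

import re

# Constructed config modelled on the thread's last post; not a real device dump.
SAMPLE_CONFIG = """\
parameter-map type ssl SSL-ADV
  cipher RSA_WITH_RC4_128_MD5
probe https TESTCAS-PROBE
  interval 3
rserver redirect HTTP-TESTCAS
  webhost-redirection https://%h/%p 301
  inservice
rserver host TSTCAS
  ip address 10.192.168.44
  inservice
serverfarm redirect HTTP-TEST-FARM
  rserver HTTP-TEST
    inservice
serverfarm host TESTCAS-FARM
  probe TESTCAS-PROBE
  rserver TSTCAS 443
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SSL-TESTCAS-FARM
  timeout 720
sticky ip-netmask 255.255.255.255 address source STICKY-TESTCAS-FARM
  serverfarm TESTCAS-FARM
class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.168.60 tcp eq https
policy-map type loadbalance first-match TESTCAS-POLICY
  class class-default
    sticky-serverfarm STICKY-TESTCAS-FARM
policy-map multi-match TESTCASPOLICY
  class TESTCAS-VIP
    loadbalance policy TESTCAS-POLICY
    ssl-proxy server SSL-TESTCAS-PROXY
"""

# Cipher suites built on these algorithms are deprecated (RC4 is prohibited by RFC 7465).
WEAK_CIPHER = re.compile(r"RC4|MD5|DES|NULL|EXPORT", re.I)

OBJECT_KINDS = ("probe", "rserver", "serverfarm", "sticky", "class-map",
                "ssl-proxy", "lb-policy", "mm-policy", "ssl-param")


def parse_blocks(text: str) -> list[tuple[list[str], list[list[str]]]]:
    """Split the config into (header tokens, [child tokens]) per top-level
    command; a line with no leading whitespace starts a new block."""
    blocks: list[tuple[list[str], list[list[str]]]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tokens = raw.split()
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(tokens)
        else:
            blocks.append((tokens, []))
    return blocks


def object_kind(head: list[str]) -> str:
    """Map a header line to an object kind; policy-maps split by type."""
    if head[0] == "policy-map":
        return "lb-policy" if "loadbalance" in head else "mm-policy"
    if head[0] == "parameter-map":
        return "ssl-param"
    return head[0]


def lint(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the config is consistent."""
    blocks = parse_blocks(text)
    defined: dict[str, set[str]] = {k: set() for k in OBJECT_KINDS}
    for head, _ in blocks:                      # pass 1: every object's name is its last token
        kind = object_kind(head)
        if kind in defined:
            defined[kind].add(head[-1])

    findings: list[str] = []

    def need(kind: str, name: str, where: str) -> None:
        if name not in defined[kind]:
            findings.append(f"{where}: {kind} {name!r} is not defined")

    for head, children in blocks:               # pass 2: resolve references
        kind, where = object_kind(head), f"{head[0]} {head[-1]}"
        if kind == "serverfarm":
            for c in children:
                if c[0] == "rserver":
                    need("rserver", c[1], where)
                elif c[0] == "probe":
                    need("probe", c[1], where)
        elif kind == "sticky":
            farms = [c[1] for c in children if c[0] == "serverfarm"]
            if not farms:
                findings.append(f"{where}: no serverfarm, so this sticky group can never select a real server")
            for farm in farms:
                need("serverfarm", farm, where)
        elif kind == "lb-policy":
            for c in children:
                if c[0] == "sticky-serverfarm":
                    need("sticky", c[1], where)
                elif c[0] == "serverfarm":
                    need("serverfarm", c[1], where)
        elif kind == "mm-policy":
            for c in children:
                if c[0] == "class" and c[1] != "class-default":
                    need("class-map", c[1], where)
                elif c[:2] == ["loadbalance", "policy"]:
                    need("lb-policy", c[2], where)
                elif c[:2] == ["ssl-proxy", "server"]:
                    need("ssl-proxy", c[2], where)
        elif kind == "ssl-proxy":
            for c in children:
                if c[:2] == ["ssl", "advanced-options"]:
                    need("ssl-param", c[2], where)
        elif kind == "ssl-param":
            for c in children:
                if c[0] == "cipher" and WEAK_CIPHER.search(c[1]):
                    findings.append(f"{where}: cipher {c[1]} uses a deprecated algorithm")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG):
        print(line)
```

Run against a real `show running-config` dump before applying it; the checker only understands the object types used in this thread, so extend `lint` for anything else (NAT pools, chaingroups) in the same two-pass shape. The cipher finding is the one security-relevant item: the first post's parameter-map allows only RSA_WITH_RC4_128_MD5, and a VIP terminating TLS with that suite should be moved to an AES-based suite before it fronts production mail clients.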
