Add secondary CSS to DR site for failover

wilson_1234_2
Level 3

I have a CSS configured for web server failover.

We have two servers providing different functions that fail over to backup servers at the DR site if one or the other server fails.

This is all working fine.

We want to add a second CSS at the DR site to provide access to our web servers if the Main site gets wiped out.

The DR site would also provide connectivity to the web servers if there is a loss of Internet connectivity at the main site.

How much configuration would be needed to my existing config to allow for this?

I would also have to configure the secondary CSS to be the failover unit.

Are there any examples on how to do this?

62 Replies

Do you want to see the configs with rules-based DNS? That's the only one I have working right now.

Hi,

This is regarding GSS. Since I am new to GSS, I am not able to configure the same. Can you share the GSS knowledge with some sample config?

Regards

saji k.s

Wilson, here are my configs for the rules-based DNS. I have also included towards the bottom the records I have at my hosted DNS.

prakashj, I have no experience with GSS, sorry.

Thanks,

I appreciate it

No problem, hope they help and don't confuse you further.

Just to add, the 'A' records I keep referring to, which are the IP addresses returned from the CSSs which equate foo.mydomain.net to an IP address, are the "vip address x.x.134.112" statements.

If the rules-based DNS is working, why not use that?

Is there an added benefit to using the zone-based DNS?

And why won't Gilles add some input to this?

We too spent almost $12,000 on just the Advanced Feature Licensing for the two CSS devices.

I don't know how much on the CSSs themselves; I think it should work the way it is.

Not to mention I bet the GSS, or whatever it is, is another ton of money.

Not confusing at all, I think I am the one that confuses people all the time.

You have been a great help.

"If the rules-based DNS is working, why not use that?"

The only existing issue I have is this.

My CSS currently sits in a DMZ off of an ASA. I need to add another server to the CSS but have it located inside of the ASA. Therefore this becomes a one-armed config.

To do this correctly you have to do source NATting of the client address so the reply from the server gets routed back through the CSS.

OK, fine, so I decided to try that. The only problem is you have to have the translation in the ASA point to the CSS, not to the server directly.

If you can find my other posts here you can read what Gilles has commented on. The way he explains it is the client will request, for example, 1.1.1.1; this is translated to the CSS in the ASA. The CSS then NATs the client's source address and translates the request to the server. The server then replies back to the CSS, where it untranslates and replies back to the client.

I was told for this part to work, I had to go to zone-based DNS because it allows you to put specific 'A' records, and the 'A' records are not the VIP addresses. Unfortunately, after implementing zone-based it appears the ACL in the backup CSS has no effect, which I talked about before.

"Is there an added benefit to using the zone-based DNS?"

-Not sure, I wish I knew.

"We too spent almost $12,000 on just the Advanced Feature Licensing for the two CSS devices."

-I feel your pain.

"And why won't Gilles add some input to this?"

-I probably wouldn't be reading through 50+ responses either =)

hey man,

I contacted our Cisco rep for this area.

I am going to throw this scenario at him and a design engineer he has access to.

I am going to see what they say and I will let you know.

I'll tell them about the access-list not working.

acomiskey,

Did you say the rules-based scenario works for you?

If both of my CSS devices are going to sit on the outside interface subnet of my PIX firewalls, is this considered a one-armed config, and do I need to be aware of the problems associated?

It is working for the standalone CSS now.

Also, I should be able to set up the mail server on the CSS devices too?

"Did you say the rules-based scenario works for you?"

-Yes. The configs I posted before are working.

"If both of my CSS devices are going to sit on the outside interface subnet of my PIX firewalls, is this considered a one-armed config, and do I need to be aware of the problems associated?"

-From my understanding, the traffic between the clients and the servers must pass through the CSS. A one-armed configuration would be if this was not the case, for example, the CSS in the DMZ and the server on the inside.

"Also, I should be able to set up the mail server on the CSS devices too?"

-I don't see why not.

Any word from cisco yet?

As clarification of my question:

I have the CSS device on the outside interface and server on the inside network, is this considered "passing through" the CSS?

As far as Cisco goes, this is from one engineer:

Could you please forward show tech from both the CSS. I would need to check the configs.

The preferlocal is for CSS to forward its local VIP for the relevant content rule.

So when you configure preferlocal on the primary CSS it replies with its own VIP; however, DNS requests which are sent to the secondary CSS are not being sent to the primary CSS, but instead the secondary CSS is replying with its own VIP? Is that correct?

Or does the secondary CSS reply once with the primary CSS VIP and the next time with its own VIP?

"I have the CSS device on the outside interface and server on the inside network, is this considered "passing through" the CSS?"

-You tell me, is the CSS sitting on an internet switch or is it directly connected between an outside router and your pix? Or something like that?

"Could you please forward show tech from both the CSS. I would need to check the configs."

-As to not get confused here, what exactly is the question he is trying to answer?

wilson, I will answer the following questions assuming we are talking about rules-based DNS.

"So when you configure preferlocal on primary CSS it replies with its own VIP"

-Yes, if the service is alive.

"however, DNS requests which are sent to the secondary CSS are not being sent to the primary CSS, but instead the secondary CSS is replying with its own VIP? Is that correct?"

-No. If the primary service is alive it will reply with the primary VIP. If the primary service is down it will reply with its own VIP.

Just to add, there is no "show tech" on the CSS, haha.
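The answer above describes an expected-answer policy for the two sites: while the primary service is alive, both the primary CSS and the DR CSS hand out the primary VIP; only when the primary is down does the DR CSS answer with its own VIP. The example below is added here and is not code from the thread or from Cisco; it models that policy, models the alternative behaviours the thread mentions (preferlocal, and the round-robin the poster saw after moving to a dns-server zone), and classifies a series of answers observed from one site, as you would collect them with repeated `dig @<css-address> foo.mydomain.net A +short` queries. The VIPs are constructed placeholders from the RFC 5737 documentation ranges, and the function and parameter names are this example's own.

```python
"""Added example (not from the thread): two-site DNS failover policy model
and a classifier for answers observed from one CSS.

Assumptions (not from the page): the two VIPs below are constructed
RFC 5737 placeholder addresses standing in for the poster's
"x.x.134.112" VIPs; all function names are this example's own.
"""
from collections import Counter

PRIMARY_VIP = "192.0.2.112"     # constructed: main-site VIP
DR_VIP = "198.51.100.112"       # constructed: DR-site VIP


def expected_answer(site: str, primary_alive: bool, prefer_primary: bool) -> str:
    """Return the VIP a site's DNS should hand out under the stated policy.

    site: "primary" or "dr", i.e. which CSS received the query.
    prefer_primary: True models the rules-based ACL behaviour described in
      the thread (both sites prefer the main site while it is up).
      False models 'preferlocal', where each site returns its own VIP
      whenever its local service is alive.
    """
    if site == "primary":
        # The primary CSS answers with its own VIP while its service is up,
        # otherwise it falls back to the DR VIP.
        return PRIMARY_VIP if primary_alive else DR_VIP
    if site == "dr":
        if primary_alive and prefer_primary:
            return PRIMARY_VIP
        return DR_VIP
    raise ValueError(f"unknown site {site!r}")


def parse_dig_short(output: str) -> list[str]:
    """Parse `dig +short` output for an A query: one address per line."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def classify_dr_answers(answers: list[str], primary_alive: bool) -> str:
    """Classify repeated answers observed from the DR CSS.

    Returns one of:
      "prefers-primary" - every answer is the primary VIP while primary is up
      "prefers-local"   - every answer is the DR VIP
      "round-robin"     - answers alternate between the two VIPs
      "unexpected"      - anything else (e.g. primary VIP while primary down)
    """
    if not answers:
        raise ValueError("no answers observed")
    counts = Counter(answers)
    if set(counts) - {PRIMARY_VIP, DR_VIP}:
        return "unexpected"
    if len(counts) == 2:
        return "round-robin"
    (only,) = counts
    if only == PRIMARY_VIP:
        return "prefers-primary" if primary_alive else "unexpected"
    return "prefers-local"


def check_observation(site: str, dig_output: str, primary_alive: bool,
                      prefer_primary: bool) -> tuple[bool, str, list[str]]:
    """Compare one observed `dig +short` result against the policy.

    Returns (matches_policy, expected_vip, observed_addresses).
    """
    observed = parse_dig_short(dig_output)
    expected = expected_answer(site, primary_alive, prefer_primary)
    return observed == [expected], expected, observed


# Constructed observations (not real captures): what the poster describes
# after moving to a dns-server zone, the DR CSS alternating between VIPs.
SAMPLE_DR_ZONE_BASED = ["198.51.100.112\n", "192.0.2.112\n", "198.51.100.112\n"]


def main() -> None:
    flat = [a for out in SAMPLE_DR_ZONE_BASED for a in parse_dig_short(out)]
    print("DR site behaviour:", classify_dr_answers(flat, primary_alive=True))
    ok, exp, obs = check_observation("dr", SAMPLE_DR_ZONE_BASED[0], True, True)
    print(f"first answer matches prefer-primary policy: {ok} "
          f"(expected {exp}, got {obs})")


if __name__ == "__main__":
    main()
```

Run it against real `dig +short` output from each CSS a handful of times; a "round-robin" classification from the DR site while the primary is up is the symptom the thread describes, and "prefers-primary" is the behaviour the rules-based ACL is meant to produce.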

Are you serious, no "sh tech"?

That figures.

The device is sitting on an Internet switch, so I guess I have the one-armed config, but it works fine.

As far as what was asked, I just copied him what you posted, along with some information on the behavior of the two devices that you posted:

Per the Basic Global Server Load Balancing document, there is an ACL in the document which says:

"If the primary site is up, then this ACL will tell requests landing on this site to prefer the Primary site."

    clause 10 permit any any destination content owner_backup/WWW-backup prefer hacked_redirectt
    clause 99 permit any any destination any
    apply circuit-(VLAN1)
    apply dns

Once I implemented a dns-server zone, this ACL no longer has an effect. The requests are round-robining unless I set the dns-server zone to preferlocal. Unfortunately this does not solve my problem; if the main site is up, both CSSs should prefer the main site.

How is this same thing accomplished with zone-based DNS, or is it even possible?
