Cisco C6500 CSM - Real server cannot ping its VIP.
10-26-2011 04:07 PM
I've been running into an issue with Cisco CSM for a number of years, but always found a way around it. I'm attempting to get to the bottom of this to find out once and for all if this is in fact a limitation of the device, or a config issue/workaround is possible.
Here is my situation. My CSMs are configured in bridging mode. Traffic works great; traffic bridges across vlans correctly. Everything works and I have many instances of similar configurations running in production. Every once in a while, a client requests that a "real" server (i.e. LWCMW-021) cannot ping its VIP address (10.95.88.68). I am assuming this is related to the NAT Server, but I'm not 100% sure. Clients have requested this functionality for some type of application-based purpose, but I'm unaware if CSM in bridging mode can provide this or not.
Any suggestions?
real LWCMW-021
 address 10.95.88.59
 inservice
!
real LWCMW-022
 address 10.95.88.60
 inservice
serverfarm LWCMW-80
 nat server
 no nat client
 real name LWCMW-021 80
  inservice
 real name LWCMW-022 80
  inservice
 probe HTTP-80 (defined elsewhere)
vserver LWCMW-80
 virtual 10.95.88.68 tcp WWW
 vlan 120
 serverfarm LWCMW-80
 persistent rebalance
 inservice

10-27-2011 07:46 AM
Good afternoon,
I see from your configuration that you are using the command "vlan 120" under the vserver. With this command, what you are doing is allowing connections arriving to the CSM on that vlan.
From what you are describing, I assume that the server is on a different vlan, in which case connections (even ping) would not be allowed.
Please remove the vlan command and see if it works.
Daniel
10-27-2011 09:45 AM
It is a limitation of most of the devices. It is more the way the packet goes through the device. Normally, in case of a firewall, we put a loopback NAT policy which redirects the packet back to the server.
In case of ACE we can put the service policy in the server-side vlan. I think we can do a similar thing in case of CSM as well.
If you take a packet capture on any client on the client side, you will notice a lot of ARP requests for the VIP which never get a response; also, the source of the ARP requests would be the MAC address of the server.
10-27-2011 02:54 PM
Ajay,
Thanks for your response. Can you possibly give me an idea of what you mean by putting the service policy on the server-side vlan?
Jeff
10-27-2011 04:50 PM
Sorry for giving false hope. It is only possible in the ACE module. In case of CSM I believe we can only use a workaround.
In case of ACE we can bind the Virtual IP to multiple vlans. In that case we see an ARP entry like this.
10.10.10.111 e0.5f.b9.a1.72.2b vlan345 VSERVER LOCAL _ up
10.10.10.111 e0.5f.b9.a1.72.2b vlan346 VSERVER LOCAL _ up
As the Virtual IP is not bound to a particular vlan in case of CSM, it does not work here, but I can say for sure it is expected behavior.
The logic would be that the server tries to resolve the ARP for the Virtual IP and it does not get a response.
In my case the virtual IP is 10.10.10.111; before applying the policy on ACE you can see that it is exhibiting the same behaviour.
Time | Vmware_b4:72:11 | 10.0.0.0 | 10.10.10.4 |
| | | Broadcast | | 224.0.0.1 | | 224.0.0.22 |
|0.000 | Who has 10.10.10.11 | | | | |ARP: Who has 10.10.10.111? Tell 10.10.10.11
| |(0) ------------------> (0) | | | | |
|0.999 | Who has 10.10.10.11 | | | | |ARP: Who has 10.10.10.111? Tell 10.10.10.11
| |(0) ------------------> (0) | | | | |
| | | | | |(0) ------------------> (0) |
|1.998 | Who has 10.10.10.11 | | | | |ARP: Who has 10.10.10.111? Tell 10.10.10.11
| |(0) ------------------> (0) | | | | |
|3.014 | Who has 10.10.10.11 | | | | |ARP: Who has 10.10.10.111? Tell 10.10.10.11
| |(0) ------------------> (0) | | | | |
|4.014 | Who has 10.10.10.11 | | | | |ARP: Who has 10.10.10.111? Tell 10.10.10.11
| |(0) ------------------> (0) | | | | |
Hope that helps.
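
An added example, not part of the original thread: a short Python check for the symptom described in the post above, repeated ARP requests for the VIP that never receive a reply. The capture lines are constructed in a simplified tcpdump-like text format, and the function name `unanswered_arp` and its `min_requests` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample capture (simplified tcpdump-like text), modelled on the
# timings in the post above; the gateway request/reply pair is added for contrast.
SAMPLE = """\
0.000 ARP, Request who-has 10.10.10.111 tell 10.10.10.11
0.999 ARP, Request who-has 10.10.10.111 tell 10.10.10.11
1.200 ARP, Request who-has 10.10.10.1 tell 10.10.10.11
1.201 ARP, Reply 10.10.10.1 is-at 00:00:5e:00:53:01
1.998 ARP, Request who-has 10.10.10.111 tell 10.10.10.11
3.014 ARP, Request who-has 10.10.10.111 tell 10.10.10.11
4.014 ARP, Request who-has 10.10.10.111 tell 10.10.10.11
"""

REQ = re.compile(r"^(\d+\.\d+) ARP, Request who-has (\S+) tell (\S+)$")
REP = re.compile(r"^(\d+\.\d+) ARP, Reply (\S+) is-at (\S+)$")


def unanswered_arp(text, min_requests=3):
    """Return {(target_ip, requester_ip): [timestamps]} for targets that were
    requested at least min_requests times and never answered in the capture."""
    requests = defaultdict(list)
    answered = set()
    for line in text.splitlines():
        line = line.strip()
        if m := REQ.match(line):
            ts, target, requester = m.groups()
            requests[(target, requester)].append(float(ts))
        elif m := REP.match(line):
            answered.add(m.group(2))  # IP address that some host claimed
    return {
        key: times
        for key, times in requests.items()
        if key[0] not in answered and len(times) >= min_requests
    }


if __name__ == "__main__":
    for (target, requester), times in unanswered_arp(SAMPLE).items():
        print(f"{requester} sent {len(times)} ARP requests for {target} "
              f"between t={times[0]:.3f}s and t={times[-1]:.3f}s; no reply seen")
```
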

10-28-2011 12:07 AM
Hi Jeff,
Did you try my suggestion? Removing the "vlan 120" command from the vserver configuration should do the trick. It's the equivalent on the CSM to what Ajay was mentioning for the ACE.
Daniel
