
Cisco C6500 CSM - Real server cannot ping its VIP.

jsterck
Level 1

I've been running into an issue with Cisco CSM for a number of years, but always found a way around it. I'm attempting to get to the bottom of this to find out once and for all if this is in fact a limitation of the device, or a config issue/workaround is possible.

Here is my situation. My CSMs are configured in bridging mode. Traffic works great, traffic bridges across VLANs correctly. Everything works, and I have many instances of similar configurations running in production. Every once in a while, a client requests that a "real" server (i.e. LWCMW-021) cannot ping its VIP address (10.95.88.68). I am assuming this is related to the NAT Server, but not 100% sure. Clients have requested this functionality for some type of application-based purpose, but I'm unaware if CSM in bridging mode can provide this or not.

Any suggestions?

real LWCMW-021
 address 10.95.88.59
 inservice
!
real LWCMW-022
 address 10.95.88.60
 inservice
serverfarm LWCMW-80
 nat server
 no nat client
 real name LWCMW-021 80
  inservice
 real name LWCMW-022 80
  inservice
 probe HTTP-80 (defined elsewhere)
vserver LWCMW-80
 virtual 10.95.88.68 tcp WWW
 vlan 120
 serverfarm LWCMW-80
 persistent rebalance
 inservice

5 Replies

Daniel Arrondo Ostiz
Cisco Employee

Good afternoon,

I see from your configuration that you are using the command "vlan 120" under the vserver. With this command what you are doing is allowing connections arriving to the CSM on that VLAN.

From what you are describing, I assume that the server is on a different VLAN, in which case connections (even ping) would not be allowed.

Please remove the vlan command and see if it works.

Daniel

ajayku2
Cisco Employee

It is a limitation of most of the devices. It is more the way the packet goes through the device. Normally in the case of a firewall we used to put a loopback NAT policy which redirects the packet back to the server.

In the case of ACE we can put the service policy in the server-side VLAN. I think we can do a similar thing in the case of CSM as well.

If you take a packet capture on any client on the client side you will notice a lot of ARP requests for the VIP which never get a response; also, the source of the ARP requests would be the MAC address of the server.

Ajay,

Thanks for your response. Can you possibly give me an idea of what you mean by putting the service policy on the server-side VLAN?

Jeff

Sorry for giving false hope. It is only possible in the ACE module. In the case of CSM I believe we can only use a workaround.

In the case of ACE we can bind the Virtual IP to multiple VLANs. In that case we see an ARP entry like this.

10.10.10.111    e0.5f.b9.a1.72.2b  vlan345   VSERVER    LOCAL     _         up

10.10.10.111    e0.5f.b9.a1.72.2b  vlan346   VSERVER    LOCAL     _         up

As the Virtual IP is not bound to a particular VLAN in the case of CSM it does not work here, but I can say for sure it is expected behavior.

The logic would be that the server tries to resolve the ARP for the Virtual IP and it does not get a response.

In my case the virtual IP is 10.10.10.111. Before applying the policy on ACE you can see that it is exhibiting the same behaviour.

Time   | Source          | Destination | Comment
0.000  | Vmware_b4:72:11 | Broadcast   | ARP: Who has 10.10.10.111?  Tell 10.10.10.11
0.999  | Vmware_b4:72:11 | Broadcast   | ARP: Who has 10.10.10.111?  Tell 10.10.10.11
1.998  | Vmware_b4:72:11 | Broadcast   | ARP: Who has 10.10.10.111?  Tell 10.10.10.11
3.014  | Vmware_b4:72:11 | Broadcast   | ARP: Who has 10.10.10.111?  Tell 10.10.10.11
4.014  | Vmware_b4:72:11 | Broadcast   | ARP: Who has 10.10.10.111?  Tell 10.10.10.11

Hope that helps.
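
The symptom described in the reply above (repeated ARP requests for the VIP that never get a response) can be checked for in a capture. The following is an added example, not part of the original thread: it scans Wireshark-style ARP summary lines and reports targets that are requested repeatedly but never answered. The line format, the sample data and the function name `unanswered_arp` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Wireshark summary style ("time info"); not a real capture.
# 10.10.10.111 stands in for the VIP, 10.10.10.11 for the real server.
SAMPLE = """\
0.000 Who has 10.10.10.111? Tell 10.10.10.11
0.500 Who has 10.10.10.1? Tell 10.10.10.11
0.501 10.10.10.1 is at 00:00:5e:00:53:01
0.999 Who has 10.10.10.111? Tell 10.10.10.11
1.998 Who has 10.10.10.111? Tell 10.10.10.11
3.014 Who has 10.10.10.111? Tell 10.10.10.11
"""

REQUEST = re.compile(r"^(\d+\.\d+)\s+Who has (\S+?)\?\s+Tell (\S+)")
REPLY = re.compile(r"^(\d+\.\d+)\s+(\S+) is at ([0-9A-Fa-f:]{17})")


def unanswered_arp(text, min_requests=3):
    """Return {target_ip: details} for ARP targets requested at least
    min_requests times with no 'is at' reply anywhere in the capture."""
    requests = defaultdict(list)   # target IP -> [(time, requester IP)]
    answered = set()               # target IPs that got at least one reply
    for line in text.splitlines():
        line = line.strip()
        m = REQUEST.match(line)
        if m:
            requests[m.group(2)].append((float(m.group(1)), m.group(3)))
            continue
        m = REPLY.match(line)
        if m:
            answered.add(m.group(2))
    findings = {}
    for target, reqs in requests.items():
        if target in answered or len(reqs) < min_requests:
            continue  # resolved normally, or too few retries to be a pattern
        findings[target] = {
            "requests": len(reqs),
            "requesters": sorted({who for _, who in reqs}),
            "span_s": round(reqs[-1][0] - reqs[0][0], 3),
        }
    return findings


if __name__ == "__main__":
    for ip, info in unanswered_arp(SAMPLE).items():
        print(ip, info)
```
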

Hi Jeff,

Did you try my suggestion? Removing the "vlan 120" command from the vserver configuration should do the trick. It's the equivalent on the CSM to what Ajay was mentioning for the ACE.

Daniel
