Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
627
Views
0
Helpful
3
Replies

CSM and Firewall Module

mpocciotti
Level 1
Level 1

‎04-27-2005 06:10 AM

Hello all,

I have configured my 6500 as per Gilles advice (topic CSM and FWSM), and something strange is happening. I can access the servers directly, but not via VIP (I can ping the VIP).

This is a 6513 with one CSM and one FWSM. There are interface-vlans on the FWSM and the CSM is bridging vlans 14 and 50; vlan 50 doesn't have an interface on the MSFC.

The config follows:

module ContentSwitchingModule 7

vlan 14 client

ip address 10.200.240.54 255.255.255.0

gateway 10.200.240.1

!

vlan 50 server

ip address 10.200.240.54 255.255.255.0

!

probe TESTE1 http

request method get

interval 3

failed 3

port 80

!

real LAPTOP

address 10.200.240.230

inservice

real TESTE1

address 10.200.240.12

inservice

!

serverfarm TESTE1

nat server

no nat client

real name TESTE1

inservice

real name LAPTOP

inservice

probe TESTE1

!

vserver TESTE1

virtual 10.200.240.231 tcp www

serverfarm TESTE1

persistent rebalance

inservice

gateway 10.200.240.1 is the FWSM.

I have captured packets with a sniffer on the server LAPTOP and the packets that reach the server come from IP 10.200.240.54 (the CSM interface on the client vlan). Shouldn't they come directly from the origin client?

If I create a interface vlan on the MSFC for vlan 50 it works. Could you explain?

Thanks,

Marcio

Labels:
0 Helpful
3 Replies 3

Gilles Dufour
Cisco Employee
Cisco Employee

‎04-27-2005 08:12 AM

what you see coming from ip x.x.x.54 is probes from the CSM.

Looks like your traffic is coming in via the msfc and going out via the firewall, which will block it.

I don't think you should have a vlan 14 nor a vlan 50 on the MSFC since the default gateway in this case is the FWSM.

So verify that traffic from clients come through firewall and not via MSFC.

Then check with a 'sho mod csm X vserver name TESTE1 detail' if you have traffic coming in and if the CSM sees the response from the server.

Also capture a 'sho mod csm X conn detail' and check incoming and outgoing vlan and make sure there is no asymetric paths.

Gilles.

0 Helpful

mpocciotti
Level 1
Level 1
In response to Gilles Dufour

‎04-28-2005 05:48 AM

Gilles,

This will follow the topology "CSM inline and MSFC not involved"?

Thanks,

Marcio

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to mpocciotti

‎04-28-2005 11:16 PM

in our documentation, where we rerefence the different designs, we use the MSFC because we need 1 gateway and it makes sense to use the MSFC.

But in your case you have a FWSM, and in this case, it makes more sense to use the FWSM as the gateway since all traffic needs to go through the firewall anyway.

Gilles.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card