05-18-2011 09:54 AM
Hello,
is it possible to use mixed mode for CSM? Mixed = routed and bridged mode using one CSM module. Of course, the client vlan can be the same, but the server side is different. I have 3 bridged configurations (the same client vlan, different server vlans) - it works. Now I need to add another service in routed mode (the same client, but a different server). Is it possible? I think yes... but I'm not sure about the SW version running on the CSM, it is older: 2.1(8).
Question once more: is it possible to run mixed (routed and bridged) mode on the same CSM running SW 2.1(8)?
--
martin
05-19-2011 03:37 AM
Hi Martin,
There is no problem at all in running a combination of bridged/routed vlan pairs at the same time.
Regards
Daniel
05-19-2011 05:05 PM
Hello Daniel,
thank you for the quick response. I worked some years ago very intensively with CSM, but I forgot some special configurations. In the attachment is one of them. In this topology there are two vservers on LB1 and LB2 configured and operational. Both LBs are in bridged mode. The interface vlan100 configuration has default gateway (gateway configured in CSM) GW:A and interface vlan101 has default gateway GW:B. This is a very simple, historical and operational customer configuration.
Now I added a service (smtp gateway IronPort ESA) between vlan100 and vlan101. Both directions are load-balanced and routed mode is used. The LB can 'route' non-load-balanced traffic (using predictor forward). As I wrote, I'm very familiar with Cisco's load-balancers and the configuration is ok. I have only one problem and I'd like to discuss it.
Please check the connection between IronPort and the Internet. IronPort ESA has default gateway GW:C (GW:D is the gateway for internal subnets). LB2 (as part of the vserver configuration) forwards this traffic over routed mode and translates IronPort's source IP address to an IP address from vlan100. It works. The problem is that this traffic goes to the MSFC over vlan101 and not vlan100 (I checked sh mod csm X conn and did packet captures), because the CSM has access to all configured VLANs and the major problem is that it has two 'default gateways'. Finally, traffic from IronPort goes from vlan120 to LB2 (including SNAT to an IP from vlan100), then to GW:B (vlan101) to the Internet. The response from the Internet goes to vlan100 (correct), but TCP is not established, because it is asymmetric routing from the MSFC point of view.
I'm not sure if it's clear for you. Let me know, or ask me for details.
The previous configuration with two default gateways (from the CSM point of view) was already configured and I'm not sure if it's clear or necessary for two bridged configurations to use two default gateways. I know this configuration is problematic for the new routed LB configuration (LB3 and LB4). When I add a static route to some host in the Internet via vlan100, it works (the packet trace is ok, sh mod csm X conn is correct, the TCP connection is established).
Now I have a question, or I'd like to discuss a solution/workaround. I prefer to clear the 'default route' for vlan101 (in the CSM config) and replace it with some necessary static routes to the internal network. This can be helpful for connections to the Internet. What do you mean?
Thanks for reading. I hope it is clear if you check the attached topology.
--
martin
05-20-2011 01:17 AM
Hi Martin,
I'm afraid that what you are describing is a limitation of the CSM. If more than one default gateway is configured, there is no way to predict which one will be taken by the traffic, so it could happen, as you mentioned, that traffic is going to the MSFC on the wrong vlan. Still, I don't see why this should be a problem if the MSFC is just routing traffic; it would only care about it if you are doing some kind of TCP inspection (which I would expect from a FW but not an MSFC).
The easiest solution would be what you already proposed: removing one of the default gateways and replacing it with more specific routes (these are applied per-vlan).
Regards
Daniel
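As an added illustration of Daniel's suggestion (this is not configuration from the thread or from the attached topology), the fragment below shows a CSM vlan block with two default gateways beside the corrected form, where vlan101 keeps only specific routes toward the internal network so that every unmatched destination (the Internet) leaves via GW:A on vlan100. All IP addresses, masks, the module slot, the natpool name and the serverfarm/vserver names are constructed placeholders; the VLAN numbers 100, 101 and 120 are the ones used in the thread.

```cisco
! --- BEFORE (assumed): two default gateways, next hop for 0.0.0.0/0 is unpredictable
module ContentSwitchingModule 4
 vlan 100 client
  ip address 192.0.2.10 255.255.255.0        ! placeholder CSM address on vlan100
  gateway 192.0.2.1                          ! GW:A (placeholder)
 !
 vlan 101 client
  ip address 198.51.100.10 255.255.255.0     ! placeholder CSM address on vlan101
  gateway 198.51.100.1                       ! GW:B (placeholder) - second default gateway
 !
 vlan 120 server
  ip address 10.120.0.10 255.255.255.0       ! placeholder: IronPort ESA lives here
 !

! --- AFTER (assumed): one default gateway on vlan100, specific routes only on vlan101
module ContentSwitchingModule 4
 vlan 100 client
  ip address 192.0.2.10 255.255.255.0
  gateway 192.0.2.1                          ! GW:A stays the only default gateway
 !
 vlan 101 client
  ip address 198.51.100.10 255.255.255.0
  ! no "gateway": replace it with the internal prefixes reachable behind GW:B
  route 10.0.0.0 255.0.0.0 gateway 198.51.100.1          ! placeholder internal range
  route 172.16.0.0 255.240.0.0 gateway 198.51.100.1      ! placeholder internal range
 !
 vlan 120 server
  ip address 10.120.0.10 255.255.255.0
 !
 natpool SNAT_V100 192.0.2.100 192.0.2.110 netmask 255.255.255.0   ! placeholder pool
 !
 serverfarm FWD_OUT
  no nat server
  nat client SNAT_V100                       ! SNAT to a vlan100 address, as in the thread
  predictor forward                          ! forward using the CSM routing table
 !
 vserver OUT_ANY
  virtual 0.0.0.0 0.0.0.0 any
  vlan 120
  serverfarm FWD_OUT
  inservice
```

With the second default gateway gone, the only entries that can match an Internet destination are the vlan100 default route and any host route added for testing, so the forwarded and SNATed flow and its reply both traverse vlan100. The trade-off, which Martin raises in the next post, is that every internal prefix reached behind GW:B now needs an explicit route; a prefix that is forgotten will fall through to GW:A, so the internal address plan should be enumerated before the default gateway is removed, and the result checked with sh mod csm X conn and a packet capture as done in the thread.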
05-20-2011 02:05 AM
Hi Daniel,
thank you for clarifying. I have the same opinion. I think it will not be possible to change one default gw to a more specific route, because both VLANs communicate with the Internet. I will discuss any possibilities with the customer.
Last question(s):
1. Is there any possibility to use something like source routing on the CSM's side? (maybe this can solve this routing issue)
2. For communication between IronPort and the Internet over the CSM I configured a serverfarm using predictor forward. As I read in the documentation, predictor forward uses the CSM's internal routing table (and this is the reason for this issue). Even so, the source IP address of IronPort is translated (SNAT using nat client NAT_POOL). Do you think this SNAT can be a reason for this routing issue, or not?
Attached is the same topology with data flows. Green for bridged mode, red for routed mode with asymmetric routing (step 2).
--
martin