Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
756
Views
0
Helpful
5
Replies

CSM "no inservice" command issue

amber.chan
Level 1
Level 1

‎01-02-2007 10:42 PM

Hi

I have CSM configuration as below:

!

serverfarm OUTSIDE-SF

no nat server

no nat client

predictor hash address

real xxx.xxx.103.92

no inservice

real xxx.xxx.103.93

inservice

real xxx.xxx.103.91

inservice

probe PING

!

sticky 1 netmask 255.255.255.255 address both

!

vserver OUTSIDE-VS

virtual 172.17.0.0 255.255.0.0 any

vlan 103

serverfarm OUTSIDE-SF

sticky 1440 group 1

replicate csrp sticky

replicate csrp connection

persistent rebalance

inservice

!

IP xxx.xxx.103.91~93 is firewall ,

I using "no inservice" on real server xxx.xxx.103.92 to

stopping service on firewall 92, but when I using

"sh mod csm 7 serverfarms name OUTSIDE-SF detail"

the firewall 92 still have 5 connection

core# sh mod csm 7 serverfarms name OUTSIDE-SF de

OUTSIDE-SF, type = SLB, predictor = Src/Dest IP

nat = None

virtuals inservice = 2, reals = 3, bind id = 0, fail action = none

inband health config: <none>

retcode map = <none>

Probes:

PING, type = icmp

Real servers:

xxx.xxx.103.92, weight = 8, OUTOFSERVICE, conns = 5

xxx.xxx.103.93, weight = 8, OPERATIONAL, conns = 2975

xxx.xxx.103.91, weight = 8, OPERATIONAL, conns = 59

Total connections = 3039

core#

and I check the firewall 92 connection table,it still receive little

client traffic.

what's happen about that?

Amber

Labels:
0 Helpful
5 Replies 5

Gilles Dufour
Cisco Employee
Cisco Employee

‎01-03-2007 04:37 AM

active connections are still being forwarded to the real even if it is down or outofservice.

Only new connections will be sent to the other firewall.

There is a command 'failaction purge' to kill all connections to a real when it does down or out of service. You can configure it under the serverfarm if this is what you want.

Gilles.

0 Helpful

amber.chan
Level 1
Level 1
In response to Gilles Dufour

‎01-03-2007 08:13 AM

Hi Gilles,

But I saw the new "ping" packet passing through the outofservice firewall after issue

the "no inservice" on the real server.

Amber

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to amber.chan

‎01-03-2007 08:43 AM

a ping is an icmp packets - so not really related to a connection. How can you say one ping is new vs another one ?

Anyway, a flow for a non-tcp packet will stay in memory 1 hour by default.

A ping even sent 50 minute after the last one will still go to the same firewall even if down.

You can create special vserver for just icmp and reduce the idle timeout if you do not like the 1 hour flow timeout.

In conclusion my advice still applies.

Gilles.

0 Helpful

amber.chan
Level 1
Level 1
In response to Gilles Dufour

‎01-03-2007 06:07 PM

Hi Gilles,

On the outofservice firewall, I can monitor the packet pass through firewall,I saw the icmp packet log on the firewall after

real server configure to "no inservice" about 2 hours.

by the way, I will try to create new vserver for icmp and monitor it.

Amber

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to amber.chan

‎01-04-2007 05:38 AM

Amber,

ok, 3rd try, the idle timeout is 1 hour, this means if the gap between packets is less than 1 hour the flow is maintainted in memory forever.

And all ping will be sent to the no inservice firewall.

Gilles.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card