09-18-2007 08:26 AM
Afternoon,
I'm struggling trying to get my CSM module to work in conjunction with my FWSM. I've done a lot of reading through the forums and have managed to get things configured as most documentation suggests (I think) but it still doesn't seem to work.
Basically I have a client that makes a connection to a VIP on the CSM. That then has two real servers that hang off the FWSM that it load-balances to.
If I open a web page to the VIP I can see a translation built on the FW for my PC to VIP but then I get the error Deny TCP (no connection) from "whichever of the real servers it's chosen" to "my client ip". The good news is that I know it's not bypassing the FWSM but as I say I only see hits on my outside access-list to the VIP and not the individual real servers.
Now, this looks like the FW thinks there's no relevant connection to reply to as the original conversation had the VIP in the packet and not the real server IP. Am I right? If I am does anyone know how to change that or what I need to do?
My basic config is the following:
module ContentSwitchingModule 12
 vlan 250 client
  ip address 10.2.250.3 255.255.255.0
  gateway 10.2.250.1
 !
 vlan 105 server
  ip address 10.2.250.3 255.255.255.0
 !
 serverfarm FARM1
  nat server
  no nat client
  real 10.2.250.10
   inservice
  real 10.2.250.11
   inservice
 !
 vserver WEBTRAFFIC
  virtual 10.2.250.100 tcp www
  vlan 250
  serverfarm FARM1
  persistent rebalance
  inservice
VLAN250 is the one that holds the real servers and is on the FWSM. There is no interface on the MSFC for that.
Thanks in advance for any help!
Anthony
09-18-2007 01:59 PM
Are your reals on the server side vlan105? They need to be.
09-19-2007 02:24 AM
Hey Steve,
Thanks for the reply. They weren't but I tried changing that round and it made no difference. Still can't get to the page.
The FW still sees a connection from my client PC to the VIP (10.2.250.100) instead of the actual ip of the real server (10.2.250.10 or 11) so when they reply to the connection the FW can't find one and drops it.
Am open to any other ideas you have as I'm stuck!
09-19-2007 07:45 AM
You can use a nat client in the serverfarm. That should work.
natpool web 10.2.250.100 10.2.250.100 netmask 255.255.255.0
serverfarm websrv
 nat client web
Send me the FW log. I'm curious about the error message. You only use the nat client when the real is not local or to hide the source IP.
Steve
09-19-2007 07:48 AM
The reals need to be on the server side VLAN. Also, check the default gateway on the real. It should point to the FW, not the CSM interface.
Steve
09-19-2007 08:36 AM
Steve, thanks for your time.
Ok, I think I have done everything you've asked now and have the following configuration:
firewall vlan-group 50 15,16,250
module ContentSwitchingModule 12
 vlan 105 client
  ip address 10.2.250.3 255.255.255.0
 !
 vlan 250 server
  ip address 10.2.250.3 255.255.255.0
 !
 natpool WEB 10.2.250.100 10.2.250.100 netmask 255.255.255.0
 !
 serverfarm FARM1
  nat server
  nat client WEB
  real 10.2.250.10
   inservice
  real 10.2.250.11
   inservice
 !
 vserver WEBTRAFFIC
  virtual 10.2.250.100 tcp www
  vlan 105
  serverfarm FARM1
  persistent rebalance
  inservice
So now the servers are in the 250 VLAN, which is the server VLAN.
I've also added the client NAT as suggested.
I now don't get the same error on the FW - I just see
%FWSM-6-302013: Built inbound TCP connection 219025342 for faddr 10.1.230.250/2841 gaddr 10.2.250.100/80 laddr 10.2.250.100/80
and then
%FWSM-6-302014: Teardown TCP connection 219025342 faddr 10.1.230.250/2841 gaddr 10.2.250.100/80 laddr 10.2.250.100/80 duration 0:00:20 bytes 18 (FIN Timeout)
The IPs in there are still 10.2.250.100/80 rather than the actual IP of the real servers. Is this OK? How would the servers answer to that?
Cheers,
Anthony
09-19-2007 08:52 AM
Right, it works now once I take out
vlan 105 and replace with vlan 250 in vserver WEBTRAFFIC
Is this correct? It doesn't really go alongside what's in the Cisco docs I've seen, which seem to say that this should be the client VLAN.
At least I'm getting somewhere now so thanks for all the help!
Anthony
09-19-2007 09:39 AM
Anthony,
Instead of changing the vlan in the vserver, add vl105 to the fw group and change the FW vlan interface to v105.
The flow should look like this:
client->FW(vl105)->CSM-Client<->SRV->reals
By default the CSM hides the reals (nat server) so it's normal to see only the VIP as the destination.
Hope this helps.
Steve
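Added example, not part of the thread and not Cisco code: a small Python parser for the FWSM messages quoted above (the 302013 build / 302014 teardown lines from Anthony's post and the "Deny TCP (no connection)" text from the first post). It pairs build and teardown records by connection ID, records the bytes and teardown reason, and says whether the firewall's local address is the VIP or one of the reals, which is the check behind Steve's last point: with nat server the VIP is what the FWSM should record, and a deny sourced by a real server is the symptom of the firewall having no state for the reply. The VIP and real addresses come from the thread; the sample deny line with "/port" suffixes and the unrelated syslog line are constructed, and the deny field layout is an assumption since the thread quotes it without ports.

```python
import re

# Build/teardown pattern, following the two lines quoted in the thread.
CONN_RE = re.compile(
    r"%FWSM-6-30201[34]: (?P<verb>Built|Teardown) (?:(?:inbound|outbound) )?"
    r"TCP connection (?P<cid>\d+) (?:for )?"
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
    r"(?: duration (?P<duration>[\d:]+) bytes (?P<nbytes>\d+) \((?P<reason>[^)]*)\))?"
)
# Deny pattern; the "/port" suffixes are an assumption (the thread quotes it without ports).
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"to (?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

# Sample log: the two lines from the thread, then constructed lines.
SAMPLE_LOG = [
    "%FWSM-6-302013: Built inbound TCP connection 219025342 for faddr 10.1.230.250/2841 "
    "gaddr 10.2.250.100/80 laddr 10.2.250.100/80",
    "%FWSM-6-302014: Teardown TCP connection 219025342 faddr 10.1.230.250/2841 "
    "gaddr 10.2.250.100/80 laddr 10.2.250.100/80 duration 0:00:20 bytes 18 (FIN Timeout)",
    "Deny TCP (no connection) from 10.2.250.10/80 to 10.1.230.250/2841",  # constructed
    "Sep 19 2007 08:36:01 unrelated syslog line",  # constructed, ignored by the parser
]
VIP = "10.2.250.100"                      # from the vserver in the thread
REALS = {"10.2.250.10", "10.2.250.11"}    # from the serverfarm in the thread


def parse_line(line):
    """Return a dict for a build, teardown or deny line; None for anything else."""
    m = CONN_RE.search(line)
    if m:
        d = m.groupdict()
        d["kind"] = "build" if d.pop("verb") == "Built" else "teardown"
        return d
    m = DENY_RE.search(line)
    if m:
        d = m.groupdict()
        d["kind"] = "deny"
        return d
    return None


def classify_addr(ip, vip, reals):
    """Label an address as the CSM VIP, one of the real servers, or something else."""
    if ip == vip:
        return "vip"
    if ip in reals:
        return "real"
    return "other"


def summarize(lines, vip, reals):
    """Pair build/teardown by connection ID and collect denies sourced by a real.

    Returns {"connections": {cid: {...}}, "denies_from_reals": [(src, dst), ...]}.
    A non-empty denies_from_reals list is the first post's symptom: a real server
    answering a flow the FWSM never built state for.
    """
    conns = {}
    denies = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "deny":
            if classify_addr(rec["src"], vip, reals) == "real":
                denies.append((rec["src"], rec["dst"]))
            continue
        c = conns.setdefault(rec["cid"], {
            "client": rec["faddr"],
            "laddr": rec["laddr"],
            "laddr_role": classify_addr(rec["laddr"], vip, reals),
            "bytes": None,
            "reason": None,
        })
        if rec["kind"] == "teardown":
            c["bytes"] = int(rec["nbytes"]) if rec["nbytes"] else None
            c["reason"] = rec["reason"]
    return {"connections": conns, "denies_from_reals": denies}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, VIP, REALS)
    for cid, c in result["connections"].items():
        print(cid, c["client"], "->", c["laddr"], c["laddr_role"], c["bytes"], c["reason"])
    print("denies from reals:", result["denies_from_reals"])
```

Run against the thread's own lines, the connection 219025342 is reported with the VIP as the local address (expected with nat server) and 18 bytes before a FIN Timeout; the constructed deny line shows what the first post's failure looks like once the reals are matched against the serverfarm list.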