CSS11000 and services off-subnet

gmiiller · ‎01-29-2003

I'm having problems with a CSS11000 when we're using it with services that are not located on the same subnet as the L4 switch

The CSS11000 is acting as a default gateway for a subnet that has a number of firewalls connected to it, and there are web servers that we are wanting to define as services behind those firewalls.

When we define the services on the CSS11000, we find that the service status cycles through alive/dying/down and throughput is poor.

We know that L3 routing is okay, and we have ruled out the firewalls as an issue by replacing them with a standard router during testing.

If we place a web server on the same subnet as the L4 and configure it as a service, everything is fine.

Anyone got any ideas as to why the CSS doesn't like services that are off-subnet?

Gilles Dufour · ‎01-30-2003

it should not be a problem.

I have the same thing in my lab and it works.

How did you define your keepalive ?

Just ICMP or TCP or HTTP ?

Try to sniff the keepalive to see if the CSS is getting the replies from the server.

Also, did you open your firewall for the keepalives ?

Gilles.

gmiiller · ‎01-30-2003

Gilles,

Thanks for the reply, we have tried both HTTP and ICMP keepalives, and made the necessary rule changes on the firewalls (and on the router when we swapped it for the firewall)

I'm still stumped for ideas

GM

Gilles Dufour · ‎01-31-2003

can you ping the server from the CSS ?

Could you give us your config ?

What about the sniffer trace ?