03-12-2012 01:20 AM
There are two physical servers behind the load balancer. These servers are
in VLAN54
SRV212 - 205.190.54.212
SRV213 - 205.190.54.213
Load Balancer VIP for the above servers - 204.190.54.67
Load balancer keep alive port - TCP 9999
Load Balancer VLAN54 IP address - 204.190.54.69
MAC address of 204.190.54.69 - 000c.abcd.efgh
ARP entries
=======
The FWSM has a static ARP entry for VIP 204.190.54.67 configured with the
MAC address of 204.190.54.69.
204.190.54.67 000c.abcd.efgh
Issue
===
The FWSM is the routed interface (with the L3 gateway) for VLAN54 as well as other server VLANs.
VLAN3 is a point-to-point VLAN that connects to another L3 boundary, beyond which the end users are located.
These end users are routed via a different L3 gateway and use VLAN3 of the FWSM to reach the server VLANs.
The end users routed in different L3 gateways are successfully able to connect to the VIP of the load balancer
and hence connect to the application on the keepalive port of 9999 (a simple telnet to 204.190.54.67 on TCP port 9999 is opening).
Server VLANs that are routed via the FWSM (with their default gateways set to the FWSM) are not able to
connect to the VIP 204.190.54.67 on port 9999 (a ping or a telnet to 204.190.54.67 on TCP 9999 failed).
Observation
========
Server VLANs that are directly routed on the FWSM cannot communicate with the load
balancer VIP 204.190.54.67, whereas L3 boundaries that are beyond the FWSM
perimeter can access the VIP (ping and telnet).
Has anyone experienced a similar scenario, and if so, what should I do to make this work?
Regards
CJ
04-16-2012 11:36 AM
CJ-
Sounds like it's asymmetric; the firewall is not going to appreciate that, and the client will receive a SYN,ACK from the server directly, not the CSS VIP. Try configuring a group like this for testing:
Group TestNAT
add destination service SRV212
add destination service SRV213
vip address 204.190.54.67
active
Regards,
Chris Higgins