Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
741
Views
0
Helpful
6
Replies

CSS11501 and DNS server loadbalancing

richardmcmahon
Level 1
Level 1

‎11-12-2004 08:50 AM

Hi,

We have the following config

PIX

|

|

CSS

|

|

DNS Boxes

The pix has valid internet visable ip's on the outside and the CSS does routing between two internal address ranges.

Everything works fine and the dns servers merrily answer queries but every now and again for a period of about 2-5 minutes they stop. I can still see the queries hitting the server's logs but no reply is seen be the client.

Config is shown below.

!************************* INTERFACE *************************

interface e1

bridge vlan 4

interface e2

bridge vlan 3

interface e8

bridge vlan 99

!************************** CIRCUIT **************************

circuit VLAN4

redundancy

ip address 10.2.0.2 255.255.0.0

circuit VLAN3

redundancy

ip address 10.1.0.2 255.255.0.0

service rbdns1

ip address 10.1.1.221

keepalive type script dnscheck "10.1.1.221"

keepalive port 53

active

service rbdns2

ip address 10.1.1.42

keepalive type script dnscheck "10.1.1.42"

content rbdns

vip address 10.2.1.100

add service rbdns1

add service rbdns2

balance leastconn

active

!*************************** GROUP ***************************

group rbdns

add destination service rbdns1

add destination service rbdns2

vip address 10.2.1.100

active

Any ideas much appreciated.

Thanks,

Richard

Labels:
0 Helpful
6 Replies 6

seilsz
Level 4
Level 4

‎11-13-2004 09:54 AM

Richard,

Your configuration looks correct. Can you take a sniffer trace between the DNS servers and the CSS while you are having the problem?

~Zach

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee

‎11-15-2004 02:19 AM

your config is actually incorrect.

You have to replace the 'add destination service rbdns#'

command with 'add service rbdns#'.

The command you have configured is for client nat when traffic goes from client to server.

What I suggested is client nat when traffic goes from server to client.

And this is required for udp traffic.

Regards,

Gilles.

0 Helpful

seilsz
Level 4
Level 4
In response to Gilles Dufour

‎11-15-2004 05:45 AM

Gilles,

Section #2 at the following location:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a00801e05ee.shtml#topic1b

seems to indicate that this configuration will work.

Is your recommendation because the initial post is using the same IP address for the VIP and the source group?

Thanks,

Zach

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to seilsz

‎11-15-2004 07:12 AM

Zach,

you're right.

It can actually work like this.

[there was some bugs previously so it wasn't working in this configuration but now it should].

Good catch.

Let's see if the sniffer trace brings anything interesting.

Gilles.

0 Helpful

seilsz
Level 4
Level 4
In response to Gilles Dufour

‎11-15-2004 09:14 AM

This brought up another question in my mind ...

If you use the same IP in the content rule and the source group, what prevents the return traffic from matching the content rule? Is it because the flow-table is checked first?

What is the "Note" under Section #2 of the link I sent you trying to say?

Thanks,

Zach

0 Helpful

richardmcmahon
Level 1
Level 1
In response to seilsz

‎11-16-2004 03:15 AM

Thanks for your input. I will endevor to get traces for these. They are in a remote site and I dont have a machine in place to sniff the traffic on the contentswitch/firewall side of the network.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card