CSS11506 - show flows

a.veschak · ‎05-09-2008

Hello all,

I have a CSS11506 with the following config...

!************************** SERVICE **************************

service pas_main_uswrnsa0ptf01_11111

ip address 172.16.25.30

keepalive type tcp

keepalive port 11111

port 11111

active

service pas_main_uswrnsa0ptf02_11111

ip address 172.16.25.31

keepalive type tcp

keepalive port 11111

port 11111

active

service pas_main_uswrnsa0ptf03_11111

ip address 172.16.25.32

keepalive type tcp

keepalive port 11111

port 11111

active

service pas_main_uswrnsa0ptf04_11111

ip address 172.16.25.33

keepalive type tcp

keepalive port 11111

port 11111

active

!*************************** OWNER ***************************

owner PAS

content PAS-pas_main-2008-11111

vip address 123.123.130.222

protocol tcp

port 11111

url "/*"

balance aca

application ssl

add service pas_main_uswrnsa0ptf01_11111

add service pas_main_uswrnsa0ptf02_11111

add service pas_main_uswrnsa0ptf03_11111

add service pas_main_uswrnsa0ptf04_11111

active

!*************************** GROUP ***************************

group PAS-pas_Dgraphs

vip address 172.16.25.11

add destination service pas_main_uswrnsa0ptf01_11111

add destination service pas_main_uswrnsa0ptf02_11111

add destination service pas_main_uswrnsa0ptf03_11111

add destination service pas_main_uswrnsa0ptf04_11111

active

I can access my servers just fine, but when issuing the 'show flows' command, I do not see my traffic... even though I can see my hit counters incrementing.

NOTE: The 'application ssl' command is something new for us, so I thought it may be related to this.

Any ideas?

Thanks,

-Adam

Gilles Dufour · ‎05-09-2008

Try

llama

flow-agent show active_fcbs

exit

Or a

show flows 0.0.0.0

Gilles.

a.veschak · ‎05-09-2008

Gilles,

Still not seeing the flows.

Anything else you could recommend? Could the 'application ssl' config have anything to do with this behavior?

Thanks,

-Adam

Gilles Dufour · ‎05-12-2008

if you do not see any flow, there is no active flows !!

The flow-agent command does look at HW level for connections. If it does not return anything, it means there is no ACTIVE flow.

Gilles.

a.veschak · ‎05-14-2008

Gilles,

The target IP is the content VIP 123.123.130.222 (as shown in my CSS config). However, I am testing from one of the four servers (services) associated with this content rule. Could that be causing the problem with the CSS not seeing these flows?

For example...

I am sitting on server uswrnsa0ptf01 and I test to the content VIP 123.123.130.222... and it works... but I see know flows in the CSS.

I've attached a drawing showing our network topology.

Thanks,

-Adam

Gilles Dufour · ‎05-15-2008

try to open a telnet session to your VIP IP:PORT.

Do not close the telnet session and check with a 'show flows 0.0.0.0' if you see any flow.

It should not matter if you open the connection from the server or not.

G.