11-09-2006 04:21 PM
It seems that the CSS doesn't answer ARP requests for the VIP addresses it has configured. I wasn't yet able to sniff the traffic to confirm this suspicion, but the fact is that I have to add a static route for the VIP address on a Firewall-1 that sits in front of the CSS11150 to make things work. The Firewall-1 and the CSS have interfaces in the same IP network, and the static route added on the Firewall-1 has a real IP address of the CSS as its gateway.
Does it make any sense that the CSS doesn't answer ARP requests for VIP addresses?
11-10-2006 01:16 AM
The CSS does answer ARP requests for VIP addresses.
It will respond with its own physical address, or with the virtual MAC address if you have configured redundancy.
Are you sure the VIP address is part of the subnet?
No ARP requests are sent for addresses outside the subnet.
Gilles.
11-10-2006 11:39 AM
Gilles,
First of all, thank you very much for your response. Well, I'm not sure I understood your question, so I can't say whether the VIP address is part of the subnet or not. Anyway, if you could take a look at the configuration of my CSS, maybe you can identify it. The VIP address is 200.152.40.29 and the IP address of the Firewall-1 is 200.152.40.1. There's a circuit VLAN1 with IP address 200.152.40.231/24. In another subnet (10.121.0.0/23) resides the server to which the CSS directs traffic that arrives at the VIP address. Here is the config of my CSS:
!************************** CIRCUIT ***********
circuit VLAN1
redundancy
description "Rede 1"
ip address 200.152.40.231 255.255.255.0
circuit VLAN3
redundancy
description "VLAN 3 - DMZ X"
ip address 10.121.2.231 255.255.255.0
circuit VLAN4
redundancy
description "VLAN 4 - DMZ XPTO"
ip address 10.121.0.231 255.255.254.0
circuit VLAN8
description "HeartBeat"
ip address 172.16.1.1 255.255.255.0
redundancy-protocol
!************************** SERVICE **************************
service XPTO
ip address 10.121.0.29
keepalive type tcp
keepalive port 25
active
!*************************** OWNER ***************************
owner SMTP
content SMTP
vip address 200.152.40.29
add service XPTO
protocol tcp
port 25
active
!*************************** GROUP ***************************
group SMTP
vip address 200.152.40.29
add service XPTO
active
11-12-2006 12:14 AM
The CSS should answer ARP requests sent in VLAN 1 for the VIP address. No need for a static route.
Capture a sniffer trace in this VLAN to verify that the ARP request comes in (to force a request, clear the ARP entry on the firewall).
If you don't want to disrupt traffic, attach a PC to VLAN 1 and try to access the VIP.
Take a sniffer trace on the same PC.
Gilles.
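To make the two checks Gilles describes concrete (is the VIP inside the circuit's subnet, and does a reply for the VIP show up in the trace, and from which MAC), here is an added example that is not part of the original thread. It takes the VIP, firewall and circuit addresses from the configuration posted above; the MAC addresses and the captured frames are constructed for the example, not taken from a real trace. The parser only understands Ethernet II frames carrying IPv4-over-Ethernet ARP, which is all a CSS VLAN trace would contain for this question.

```python
import ipaddress
import struct

# Addresses from the posted configuration.
CIRCUIT_VLAN1 = ipaddress.ip_interface("200.152.40.231/24")
VIP = ipaddress.ip_address("200.152.40.29")
FIREWALL_IP = ipaddress.ip_address("200.152.40.1")
# MAC addresses are assumed for the example (not from the thread).
FIREWALL_MAC = "00:a0:c9:11:22:33"
CSS_MAC = "00:10:58:aa:bb:cc"        # physical MAC of the CSS interface
OTHER_HOST_IP = "200.152.40.77"
OTHER_HOST_MAC = "00:50:56:de:ad:01"

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def vip_in_circuit(vip, circuit):
    """Gilles' first question: a host only ARPs for addresses in its own subnet."""
    return ipaddress.ip_address(vip) in circuit.network


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet+ARP frame; requests are broadcast, replies unicast."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(tha)
    eth = ETH_HDR.pack(dst, mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ipaddress.ip_address(spa).packed,
                       mac_bytes(tha), ipaddress.ip_address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": mac_str(sha), "spa": str(ipaddress.ip_address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.ip_address(tpa))}


def arp_repliers_for(frames, ip):
    """Gilles' second check: which MACs answered ARP for the given IP in the trace."""
    ip = str(ipaddress.ip_address(ip))
    return [p["sha"] for p in map(parse_arp, frames)
            if p and p["op"] == ARP_REPLY and p["spa"] == ip]


def arp_requests_for(frames, ip):
    """Sanity check that the request actually reached the VLAN at all."""
    ip = str(ipaddress.ip_address(ip))
    return [p["sha"] for p in map(parse_arp, frames)
            if p and p["op"] == ARP_REQUEST and p["tpa"] == ip]


# Constructed capture: firewall asks for the VIP, the CSS answers with its own MAC,
# plus an unrelated reply from another host so the filter has something to ignore.
CAPTURE = [
    build_arp(ARP_REQUEST, FIREWALL_MAC, FIREWALL_IP, "00:00:00:00:00:00", VIP),
    build_arp(ARP_REPLY, CSS_MAC, VIP, FIREWALL_MAC, FIREWALL_IP),
    build_arp(ARP_REPLY, OTHER_HOST_MAC, OTHER_HOST_IP, FIREWALL_MAC, FIREWALL_IP),
]

if __name__ == "__main__":
    print("VIP in VLAN1 subnet:", vip_in_circuit(VIP, CIRCUIT_VLAN1))
    print("requests for VIP from:", arp_requests_for(CAPTURE, VIP))
    print("replies for VIP from:", arp_repliers_for(CAPTURE, VIP))
```

With a real trace, feed the raw Ethernet frames into `arp_repliers_for`: an empty list for the VIP while `arp_requests_for` is non-empty is the symptom the original poster suspected; a reply whose MAC is neither the CSS's physical MAC nor its virtual MAC points at another device answering for the address.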
11-13-2006 04:24 PM
I took a sniffer trace as you recommended, and I could see that the CSS answers ARP requests for VIP addresses. Well, I will continue investigating why the static route in the firewall is necessary. If I find anything new, I will let you know.
Thank you very much for your help.