05-07-2004 07:38 AM
I have a need to use the one-armed load balance for some servers. I have 4 contents set up using this and I have the four corresponding groups set up. Two of the contents work fine; they are using SSL. The other 2 fail and they are both using FTP. It looks like it is failing on the data channel connection because I can log in to the server but cannot get any data. Is there a way to correct this?
05-07-2004 08:33 AM
Check the following URL:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093de6.shtml
It explains that you need a source group for the FTP data connection.
Since you also need a group to NAT the client IP address, you have a problem, since you can't do both at the same time.
The solution is to use an ACL and the 'sourcegroup' option.
So you keep your group but remove all the service attachments inside it.
Then you create an ACL like this one:
acl 1
clause 10 permit tcp any destination
apply circuit(VLAN-client)
acl 2
clause 10 permit tcp
apply circuit(vlan-server)
This should work.
If not, make sure to try both passive and active FTP to see if at least one works.
Gilles.
05-07-2004 12:43 PM
I have a question in regards to the ACLs. Are they the same as a Cisco ACL in the explicit deny? Because I have many other servers and content rules on the same VLAN of the CSS, I want to make sure I do not stop other traffic through the CSS.
05-07-2004 11:56 PM
Indeed, this is the same as IOS.
You need a clause 99 permit any any destination any at the end.
Another point is that as soon as you enable ACL processing ('acl enable'), there is a deny all on all circuits. So, even if you don't need an ACL on a specific circuit, you will have to create one with permit any any.
Gilles.
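Putting Gilles' two answers together (the sourcegroup ACLs on the client and server circuits, plus the permit-any ACL that every other circuit needs once 'acl enable' is on), here is an added, constructed CSS configuration fragment; it is not a config from this thread. The owner, content, service, group, VIP and circuit names are made up, and the command syntax follows the CSS command reference as I recall it, so check it against your own software version.

```text
! Constructed example. Hypothetical names: owner ftp-owner, content ftp-rule,
! service ftp-srv1, group ftp-nat, VIP 10.1.1.100, client VLAN2, server VLAN3.

! FTP control rule; 'application ftp-control' tells the CSS to track the data channel
owner ftp-owner
  content ftp-rule
    vip address 10.1.1.100
    protocol tcp
    port 21
    application ftp-control
    add service ftp-srv1
    active

! The source group keeps only its VIP: no 'add destination service' and no
! 'add service', because the ACL sourcegroup clauses below select the NAT instead
group ftp-nat
  vip address 10.1.1.100
  active

! Client-side circuit: new client flows to the VIP are NATed through ftp-nat
! (the one-armed case), everything else on this circuit is still permitted
acl 1
  clause 10 permit tcp any destination 10.1.1.100 sourcegroup ftp-nat
  clause 99 permit any any destination any
  apply circuit-(VLAN2)

! Server-side circuit: server-originated TCP flows (active-mode FTP data from the
! server) are NATed to the VIP through the same group
acl 2
  clause 10 permit tcp any destination any sourcegroup ftp-nat
  clause 99 permit any any destination any
  apply circuit-(VLAN3)

! Every remaining circuit needs at least a permit-any ACL, since 'acl enable'
! installs an implicit deny on all circuits, including those without an ACL
acl 3
  clause 10 permit any any destination any
  apply circuit-(VLAN4)

acl enable
```

The Ethernet management interface is not subject to ACL processing, so it needs no ACL of its own.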
05-10-2004 08:38 AM
I am using 4 circuit VLANs on this CSS. So I would only need the any to any on the other 3 circuits, and use the destination sourcegroup and the any to any on the other circuit. One other thing I have read is that ACLs are not supported on the Ethernet_Mgmt interface. I control the CSS over this interface; will it not be affected?
05-10-2004 11:00 PM
The Ethernet management interface will not be affected.
Gilles.
05-11-2004 07:12 AM
I enabled ACLs and tested FTP to the one-armed VIP and it did not work. I get the same error on my client, "502 Illegal Port". I tested both passive and active.
Also, though, my current FTP content and groups that are not one-armed failed with the ACLs enabled.
I have attached a portion of the configuration pertaining to ftp if this helps.
I also do have SSL content and groups working with a one-armed VIP.
07-12-2004 04:23 AM
Did you solve your problem?
I have the same one with my CSS11501 and SCA11000.
If yes, is it possible for you to send me the configuration?
Regards
Eduardo MET : equintana@met.wallonie.be
08-29-2012 06:24 AM
Hi,
I just wanted to ask if you might know whether applying the ACL has any impact on the production traffic going through the load balancer.
Thanks.