03-20-2006 01:32 AM
Hi,
I've got an issue with outbound connections from directly connected servers on my CSM.
The vserver/serverfarm setup is as below, to allow routing via the CSM, and I've an arp entry for the source address on the CSM.
vserver ROUTE_ALL
 virtual 0.0.0.0 0.0.0.0 any
 serverfarm FORWARDER
 persistent rebalance
 inservice
serverfarm FORWARDER
 no nat server
 no nat client
 predictor forward
!
Incoming traffic using the forwarder is working fine.
To assist faulting I've added a new vserver with just the destination address and I can see drops.
vserver TEST_CD
 virtual 14x.14y.168.196 any
 serverfarm FORWARDER
 persistent rebalance
 inservice
AP001DSW01#sh mod csm 3 vservers name TEST_CD det
TEST_CD, type = SLB, state = OPERATIONAL, v_index = 27
  virtual = 14x.14y.168.196/32:0 bidir, any, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 91
  maxconn drops = 0, total drops = 91
  Default policy:
    server farm = FORWARDER, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       91           91           0
The routing on the CSM vlans is as follows and I've got an arp entry for the gateway.
vlan 402 client
 ip address 10.81.24.36 255.255.255.240 alt 10.81.24.37 255.255.255.240
 gateway 10.81.24.35
 alias 10.81.24.38 255.255.255.240
vlan 406 server
 ip address 10.81.24.129 255.255.255.192 alt 10.81.24.130 255.255.255.192
 alias 10.81.24.131 255.255.255.192
The routing is server, CSM, interface on Cat and then firewall, but when doing a tcpdump on the firewall I can't see anything when the server starts a connect. I can, however, ping the destination server from the Cat and see that on the firewall.
The SW on the CSM is vers 4.2.3 and I've done a tcpdump from the server and it looks like the CSM is resetting the connection.
This is working ok on other CSMs in the platform but they have SW vers 4.2.2.
Thanks
03-20-2006 01:44 AM
We'll have to see where the CSM forwards the packets.
We can see from your show command that there are packets coming in [client] but no response from the destination [server].
This is why after 10 sec the CSM will RESET the connection and mark it as fail/drop.
You can sniff the CSM etherchannel and you should see where the CSM forwards the packet.
Another thing you can try is create a new serverfarm with 1 real being your firewall ip address.
Configure 'no nat server'.
Use this serverfarm in your vserver with the specific destination.
This should guarantee that the CSM forwards your traffic to the firewall and not to some incorrect route.
Regards,
Gilles.
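The check described in the reply above (client packets counted, no server packets, every connection dropped) can be run over saved `show mod csm <slot> vservers detail` output. This is an added example, not something posted by either participant; the HEALTHY_VS entry and the column spacing in the sample are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: TEST_CD counters from the thread plus a made-up HEALTHY_VS.
SAMPLE = """\
TEST_CD, type = SLB, state = OPERATIONAL, v_index = 27
  conns = 0, total conns = 91
  maxconn drops = 0, total drops = 91
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       91           91           0
HEALTHY_VS, type = SLB, state = OPERATIONAL, v_index = 28
  conns = 2, total conns = 40
  maxconn drops = 0, total drops = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       40           212          198
"""

HEADER = re.compile(r"^(\S+), type = \S+, state = (\S+),")
CONNS = re.compile(r"total conns = (\d+)")
DROPS = re.compile(r"total drops = (\d+)")
POLICY = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_vservers(text):
    """Return {vserver name: counters} from 'vservers ... detail' output."""
    vservers, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):          # start of a new vserver block
            cur = vservers.setdefault(m.group(1), {
                "state": m.group(2), "total_conns": 0, "total_drops": 0,
                "client_pkts": 0, "server_pkts": 0})
        elif cur is None:
            continue                          # text before the first vserver
        elif m := POLICY.match(line):         # policy row: name, matches, client, server
            cur["client_pkts"] += int(m.group(3))
            cur["server_pkts"] += int(m.group(4))
        else:
            if m := CONNS.search(line):
                cur["total_conns"] = int(m.group(1))
            if m := DROPS.search(line):
                cur["total_drops"] = int(m.group(1))
    return vservers

def one_way(vservers):
    """Names of vservers that saw client packets but no server reply."""
    return sorted(n for n, v in vservers.items()
                  if v["client_pkts"] > 0 and v["server_pkts"] == 0)

print(one_way(parse_vservers(SAMPLE)))
```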
03-20-2006 06:57 AM
Gilles,
Thanks for the info, I also noticed that we were having issues with another vserver, that was being routed via the gateway address. It was marked as OOS even with no probe (arp) but the gateway address was in the CSM's arp table. I reset the CSM and this cleared both issues.