08-26-2004 08:23 AM
I'm having a problem with outbound connections from hosts located on the server side of a CSM. These hosts do not have any associated "real" configuration, so are not actively known by the CSM.
We have the CSM installed in a "CSM Inline and MSFC Not Involved" topology. The client vlan is connected directly to a firewall via the CSM "gateway" command. The firewall has a route statement to the CSM server vlan. We've also tested with a normal router in place of the firewall with the same result. We've produced the problem in a "test production" environment as well as in the lab. The problem occurs in CSM v 4.1(2) and also 3.2(3) as well as with a Sup II and Sup 720.
Inbound connections to the CSM server segment to configured "real" servers and other hosts, not known to the CSM, work fine. Connections to vservers also work fine.
My problem occurs when hosts not actively known to the CSM on the CSM server side try to initiate an outbound connection. Without an entry in the CSM arp cache or in the CSM connection table, the outbound connection fails. For instance, there is a host at 10.230.177.99 that can't get outbound unless an inbound connection occurs. Once the inbound connection populates the CSM arp cache, the outbound connection may proceed. Any ideas?
My configuration is as follows:
module ContentSwitchingModule 5
 vlan 176 client
  ip address 10.230.176.254 255.255.255.0
  gateway 10.230.176.248
 !
 vlan 177 server
  ip address 10.230.177.254 255.255.255.0
 !
 serverfarm FISCOREFARM
  nat server
  no nat client
  real 10.230.177.100
   inservice
  real 10.230.177.101
   inservice
 !
 serverfarm ROUTERTO177
  no nat server
  no nat client
  predictor forward
 !
 vserver FISCOREVIRT
  virtual 10.230.176.101 any
  serverfarm FISCOREFARM
  persistent rebalance
  inservice
 !
 vserver ROUTER-TO177
  virtual 10.230.177.0 255.255.255.0 any
  serverfarm ROUTERTO177
  persistent rebalance
  inservice
 !
08-26-2004 08:38 PM
Hi,
In my opinion you have to add a vserver which allows the routing coming from the server vlan towards the firewall. I think the following vserver will do its job (lines starting with a ! are comments for the previous line):
vserver route_2_firewall
 virtual 0.0.0.0 0.0.0.0 any
 ! accept traffic to any destination and port; maybe
 ! you can minimize this
 vlan 177
 ! only servers located in vlan 177 will be forwarded
 serverfarm ROUTERTO177
 ! just use the serverfarm with predictor forward
 inservice
Cheers,
Joerg
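An added example, not part of either post and not Cisco code: a Python model of the reply's suggestion. It assumes the CSM forwards a packet only when it matches an in-service vserver whose serverfarm uses `predictor forward`, and that the most specific virtual wins; the function names and the outside destination 192.0.2.10 are constructed.

```python
import ipaddress

POSTED = """\
serverfarm ROUTERTO177
 predictor forward
!
vserver ROUTER-TO177
 virtual 10.230.177.0 255.255.255.0 any
 serverfarm ROUTERTO177
 inservice
!
"""  # constructed input: the forwarding stanzas of the posted config
PROPOSED = POSTED + """\
vserver route_2_firewall
 virtual 0.0.0.0 0.0.0.0 any
 vlan 177
 serverfarm ROUTERTO177
 inservice
"""  # the same, plus the vserver proposed in the reply

def parse(text):
    """Return (names of predictor-forward serverfarms, vserver settings)."""
    forward, vservers, cur, farm = set(), {}, None, None
    for w in (ln.split() for ln in text.splitlines() if ln.strip()):
        if w == ["!"]:
            cur = farm = None                # a lone "!" closes the stanza
        elif w[0] == "vserver":
            cur = vservers[w[1]] = {"vlan": None, "up": False}
        elif w[0] == "serverfarm" and cur is not None:
            cur["farm"] = w[1]               # reference from inside a vserver
        elif w[0] == "serverfarm":
            farm = w[1]                      # start of a serverfarm stanza
        elif w[:2] == ["predictor", "forward"] and farm:
            forward.add(farm)
        elif cur is not None and w[0] == "virtual":
            cur["net"] = ipaddress.ip_network(w[1] + "/" + (w[2] if "." in w[2] else "32"))
        elif cur is not None and w[0] == "vlan":
            cur["vlan"] = int(w[1])          # restricts the vserver to one ingress vlan
        elif cur is not None and w[0] == "inservice":
            cur["up"] = True
    return forward, vservers

def forwarder_for(text, in_vlan, dst):
    """Name of the most specific in-service forwarding vserver for dst, or None."""
    forward, vservers = parse(text)
    hits = [(v["net"].prefixlen, name) for name, v in vservers.items()
            if v["up"] and v.get("farm") in forward and "net" in v
            and v["vlan"] in (None, in_vlan)
            and ipaddress.ip_address(dst) in v["net"]]
    return max(hits)[1] if hits else None    # longest prefix wins (assumed)
```

In this model, `forwarder_for(POSTED, 177, "192.0.2.10")` returns `None` and the proposed config returns `route_2_firewall`. With the `vlan 177` line removed from the proposed vserver, the catch-all also matches traffic arriving on VLAN 176.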