
Outbound connections from server hosts on CSM fail

wandersen
Level 1

I'm having a problem with outbound connections from hosts located on the server side of a CSM. These hosts do not have any associated "real" configuration, so are not actively known by the CSM.

We have the CSM installed in a "CSM Inline and MSFC Not Involved" topology. The client vlan is connected directly to a firewall via the CSM "gateway" command. The firewall has a route statement to the CSM server vlan. We've also tested with a normal router in place of the firewall with the same result. We've produced the problem in a "test production" environment as well as in the lab. The problem occurs in CSM v 4.1(2) and also 3.2(3), as well as with a Sup II and Sup 720.

Inbound connections to the CSM server segment to configured "real" servers and other hosts, not known to the CSM, work fine. Connections to vservers also work fine.

My problem occurs when hosts not actively known to the CSM on the CSM server side try to initiate an outbound connection. Without an entry in the CSM arp cache or in the CSM connection table, the outbound connection fails. For instance, there is a host at 10.230.177.99 that can't get outbound unless an inbound connection occurs. Once the inbound connection populates the CSM arp cache, the outbound connection may proceed. Any ideas?

My configuration is as follows:

module ContentSwitchingModule 5
 vlan 176 client
  ip address 10.230.176.254 255.255.255.0
  gateway 10.230.176.248
 !
 vlan 177 server
  ip address 10.230.177.254 255.255.255.0
 !
 serverfarm FISCOREFARM
  nat server
  no nat client
  real 10.230.177.100
   inservice
  real 10.230.177.101
   inservice
 !
 serverfarm ROUTERTO177
  no nat server
  no nat client
  predictor forward
 !
 vserver FISCOREVIRT
  virtual 10.230.176.101 any
  serverfarm FISCOREFARM
  persistent rebalance
  inservice
 !
 vserver ROUTER-TO177
  virtual 10.230.177.0 255.255.255.0 any
  serverfarm ROUTERTO177
  persistent rebalance
  inservice
 !

1 Reply

jfoerster
Level 4

Hi,

In my opinion you have to add a Vserver which allows the routing coming from the server vlan towards the firewall. I think the following vserver will do its job (lines starting with a ! are comments for the previous line):

vserver route_2_firewall
 virtual 0.0.0.0 0.0.0.0 any
 ! accept traffic to any destination and port; maybe
 ! you can minimize this
 vlan 177
 ! only servers located in vlan 177 will be forwarded
 serverfarm ROUTERTO177
 ! just use the serverfarm with predictor forward
 inservice

Cheers,

Joerg