04-04-2005 06:49 AM
Hi All,
I have a server 10.56.3.40 trying to access a page 10.56.10.11 which is the VIP address for the content delivered by 10.56.3.50, 60 and 70.
I can ping 10.56.10.11 from 10.56.3.40 but when I access the webpage www.net.com (DNS resolves this to the VIP address 10.56.10.11), I cannot access it.
I have the load balancer sitting in between a firewall and the server vlan203 (10.56.3.x).
The VIP addresses for the content are 10.56.10.x. The CSS has 2 interfaces (one to the firewall with IP 10.56.10.3 and one to server vlan 203 with IP 10.56.3.3). I have the following config:
!************************* INTERFACE ********
interface 1/1
bridge vlan 999
description "Failover link to secondary"
interface 2/1
bridge vlan 210
description "Link to VIP vlan (firewall)"
interface 2/2
bridge vlan 203
description "Link to dmz servers"
!************************** CIRCUIT *********
circuit VLAN999
ip address 10.56.99.3 255.255.255.0
redundancy-protocol
circuit VLAN210
redundancy
ip address 10.56.10.3 255.255.255.0
circuit VLAN203
redundancy
ip address 10.56.3.3 255.255.255.0
!************************** SERVICE **************
service 10.56.3.50-443
ip address 10.56.3.50
port 443
keepalive frequency 10
keepalive type ssl
keepalive port 443
active
service 10.56.3.50-80
ip address 10.56.3.50
port 80
keepalive frequency 10
keepalive type http
keepalive port 80
keepalive uri "/lbcheck.asp"
active
service 10.56.3.60-443
ip address 10.56.3.60
port 443
keepalive frequency 10
keepalive type ssl
keepalive port 443
active
service 10.56.3.60-80
ip address 10.56.3.60
port 80
keepalive frequency 10
keepalive type http
keepalive port 80
keepalive uri "/lbcheck.asp"
active
service 10.56.3.70-443
ip address 10.56.3.70
port 443
keepalive frequency 10
keepalive type ssl
keepalive port 443
active
service 10.56.3.70-80
ip address 10.56.3.70
port 80
keepalive frequency 10
keepalive type http
keepalive port 80
keepalive uri "/lbcheck.asp"
active
!*************************** OWNER ****************
content www.net.com
add service 10.56.3.50-80
vip address 10.56.10.11
add service 10.56.3.60-80
add service 10.56.3.70-80
protocol tcp
port 80
active
!**************************** ACL ***********
acl 1
clause 1 bypass any 10.0.0.0 255.0.0.0 destination 10.56.3.0 255.255.255.0
clause 2 bypass any 192.168.0.0 255.255.0.0 destination 10.56.3.0 255.255.255.0
clause 100 permit any any destination any
apply circuit-(VLAN210)
acl 2
clause 10 permit tcp 10.16.3.0 255.255.255.0 destination 10.16.10.0 255.255.255.0 eq 80
clause 20 permit tcp 10.56.3.0 255.255.255.0 destination 10.56.10.0 255.255.255.0 eq 443
clause 30 bypass any 10.56.3.0 255.255.255.0 destination any
clause 25 permit tcp 10.56.3.0 255.255.255.0 destination 10.56.10.0 255.255.255.0 eq 25
apply circuit-(VLAN203)
acl 3
clause 1 permit any any destination any
I do not see any asymmetric routing. But I am not sure why port 80 traffic is not accessible from vlan203.
04-04-2005 07:09 AM
Classic NAT issue.
When x.x.3.40 goes to the VIP, the destination address is changed to one of the servers, i.e. x.x.3.50.
Now, the response from x.x.3.50 must be sent to... x.x.3.40.
They are on the same subnet, so x.x.3.50 responds directly to x.x.3.40, bypassing the CSS.
You need to do client NAT on the CSS to NAT the requests from the servers.
service servicex40
ip address 10.56.3.40
active
!
group servernat
vip address 10.56.10.11
add service servicex40
active
If more addresses need to be NATed, you may want to use an ACL to do this.
This has been discussed many times, so you should be able to find sample configs and documentation.
Regards,
Gilles.
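The failure Gilles describes (server and client on the same subnet, so the real server's reply skips the CSS) and the effect of the source-NAT group he proposes can be traced with a small model. The script below is an added example, not code from the thread or from Cisco; it uses the addresses from the post and assumes that the real servers' default gateway is the CSS circuit address 10.56.3.3 and that the CSS load balances to the first real server (the selection algorithm does not matter for this path question).

```python
"""Model of the forward/return path for a CSS VIP when the client sits on the
server VLAN.  Constructed example with addresses taken from the forum post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Topology from the post (vlan203 = 10.56.3.0/24, VIP on 10.56.10.0/24).
SERVER_VLAN = ip_network("10.56.3.0/24")
CSS_SERVER_GATEWAY = "10.56.3.3"      # circuit VLAN203 address; assumed to be the servers' default gateway
VIP = "10.56.10.11"                   # content www.net.com
REAL_SERVERS = ["10.56.3.50", "10.56.3.60", "10.56.3.70"]

# Mirrors Gilles' "group servernat": sources in this set are rewritten to the
# VIP before the request is sent to the real server (constructed mapping).
SOURCE_NAT_GROUP = {"10.56.3.40"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def simulate_flow(client_ip: str, source_nat: bool = False) -> dict:
    """Follow one request/response through the CSS and report what the client sees."""
    request = Packet(client_ip, VIP)
    real = REAL_SERVERS[0]            # assumed pick; any real server gives the same result

    # Forward path: CSS always DNATs the VIP to a real server.  With the NAT
    # group active it also SNATs a matching client source to the VIP.
    fwd_src = VIP if (source_nat and client_ip in SOURCE_NAT_GROUP) else client_ip
    forwarded = Packet(fwd_src, real)

    # The real server answers whatever source address it saw.
    reply = Packet(real, forwarded.src)

    # Routing decision on the real server: an on-link destination is delivered
    # directly (ARP), anything else goes to the default gateway, i.e. the CSS.
    if ip_address(reply.dst) in SERVER_VLAN:
        reply_path = "direct (bypasses CSS)"
        delivered = reply                     # client receives it straight from 10.56.3.50
    else:
        reply_path = f"via CSS {CSS_SERVER_GATEWAY}"
        delivered = Packet(VIP, client_ip)    # CSS reverses both NATs on the way back

    # The client's TCP connection is to VIP:80, so it only accepts replies from the VIP.
    connection_ok = delivered.src == request.dst and delivered.dst == client_ip
    return {
        "forwarded": forwarded,
        "reply_path": reply_path,
        "client_sees_src": delivered.src,
        "connection_ok": connection_ok,
    }


if __name__ == "__main__":
    for client, nat in [("10.56.3.40", False), ("10.56.3.40", True), ("192.168.1.25", False)]:
        r = simulate_flow(client, source_nat=nat)
        print(f"client={client:<13} source_nat={nat!s:<5} reply {r['reply_path']:<22} "
              f"client sees src={r['client_sees_src']:<12} ok={r['connection_ok']}")
```

Without the NAT group, 10.56.3.40 gets a SYN/ACK from 10.56.3.50 for a connection it opened to 10.56.10.11 and drops it, which matches the symptom in the question (ping to the VIP works because ICMP is not load balanced). With the group active the real server sees the VIP as the source, its reply is off-link, and it has to traverse the CSS. A client on the far side of the firewall never hits the problem, which is why the setup looked healthy from everywhere except vlan203.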