I thought I had a pretty simple config on my CSS11501- but have run into an issue I'm having trouble resolving.
I have two unix webservers (IPs are .99 and .100) on ports e1 and e2, and my uplink for the CSS is on port e8.
The CSS has a VIP address (.105) that load balances HTTP requests to .99 and .100.
From .99 and .100 I can ping the VIP address - and from outside the CSS - almost everything works great for the site I'm hosting on .105.
I do have two web pages however that attempt to make calls directly to the VIP address - I noticed I can't load those pages.
Nor can I just browse the website on the VIP address from either of the servers. The webservers can browse their own pages via IP, and each other's pages via IP.
Just not pages on the VIP.
I think it may be a case of the servers thinking that IP spoofing is occurring - or maybe I missed something simple in the config.
Here's what I see in a 'show flows' when I try and browse the VIp address (.105) from the .100 server.
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
65.207.212.100 53758 65.207.212.105 80 65.207.212.100 TCP e2 e2
65.207.212.100 80 65.207.212.100 53758 65.207.212.100 TCP e2 e2
Since it appears that the CSS NATs the request to the same IP the server is using, will the reply from the server ever make it back to the CSS?
Or does it think that it shouldn't need to reply - becauuse it is that IP?
Should I be able to browse the VIP site from the webservers.
Below is the full CSS config if someone can help me figure this out.
Thanks in advnace for any and all help.
Paul
CSS11501# show run
!Generated on 08/30/2005 12:08:11
!Active version: sg0750004
configure
!*************************** GLOBAL ***************************
no restrict web-mgmt
acl enable
logging subsystem acl level debug-7
ip route 0.0.0.0 0.0.0.0 65.207.212.1 1
!************************** CIRCUIT **************************
circuit VLAN1
ip address 65.207.212.104 255.255.255.0
!************************** SERVICE **************************
service www2
keepalive type tcp
keepalive port 80
ip address 65.207.212.99
active
service www3
keepalive type tcp
keepalive port 80
ip address 65.207.212.100
active
!*************************** OWNER ***************************
owner WWW
content rule1
vip address 65.207.212.105
add service www2
add service www3
port 80
protocol tcp
advanced-balance sticky-srcip-dstport
active
!**************************** ACL ****************************
acl 1
clause 10 permit any any destination any
apply circuit-(VLAN1)
