
VIP not reachable on CSS.

fariha zain
Level 1

Hi Experts,

I have a CSS and it was working fine before. For testing purposes I added another CSS for redundancy, after which the CSS stopped doing load balancing.

Hence I have removed the backup CSS and have only one CSS which is active, but the CSS is still not working as expected (i.e. no load balancing).

Setup:

CSS--switch-Servers

1) Checked the connectivity: the CSS is able to ping the servers, whereas the servers are not able to ping the VIP of the CSS.

2) The CSS and servers are on the same segment. The content rule is active and the services are up and fine, but the issue still persists.

I would appreciate it if someone could please help me resolve this issue.

Thanks in advance.

Regards,

Fariha

13 Replies

Peter Marchand
Cisco Employee


Is the VIP not local to the server subnet?

Do the servers route through the CSS?

Is it possible the servers' GW bypasses the CSS?

Can you ping the VIP from off subnet upstream?

Maybe a quick explanation of the IPs?

Peter

busterswt
Level 1

- The CSS will ping servers from the IP configured within the circuit VLAN. Are you able to ping that IP from the servers?

- As for pinging a VIP from a server (when the server and VIP are within the same network) -- Do you have a source group rule enabled?

Were there any other changes made *besides* adding a 2nd CSS for redundancy? Did you physically remove the standby CSS without removing the app session from the primary CSS?

James

Hi,

Please find my answers below:-

The CSS will ping servers from the IP configured within the circuit VLAN. Are you able to ping that IP from the servers?

Answer: NO CSS is not pinging the circuit VLAN IP address.

- As for pinging a VIP from a server (when the server and VIP are within the same network) -- Do you have a source group rule enabled?

Answer: No, the VIP IP and servers are in different subnets.

Example:

Servers are in 10.1.1.x

and Content VIP address 10.1.2.X

Were there any other changes made *besides* adding a 2nd CSS for redundancy? Did you physically remove the standby CSS without removing the app session from the primary CSS?

Answer: No changes have been made after removing the secondary CSS.

Thanks in advance.

Regards,

Fariha

What type of redundancy are the CSS running, Box-to-Box or Vip & Interface?

You should check the primary css logs to see if duplicate IPs are shown during that time

& confirm the CSS were configured properly for redundancy.

Hi Peter,

Yes you are correct I saw some duplicate ip address in the logs:-

IPV4-4: Duplicate IP address detected for vip: 10.1.2.1  01-23-65-78-a9-b3.

Okay, now I have removed the redundancy box but I am still not able to ping the VIP address from the server.

The servers are able to ping the physical address of the CSS box. Can you let me know what's happening and what I need to change?

Thanks in advance.

How do the servers reach this VIP?  Is the CSS the default GW or is another device?  If another device maybe that is the issue and you should create a route to VIP using the CSS local subnet.

If the default GW is NOT the CSS, check that other router to see what it has for an ARP address for the CSS to ensure it is correct.  Maybe the Active/Active corrupted the router's ARP table.

Can you get content from these VIPs?

Does a TCP request from the server to the VIP get diff behavior?

Peter

Hello,

When you brought the redundant CSS online, it may have briefly taken active role.  This would account for the duplicate IP address message.  If this happened, then the new standby would've sent out a GARP to let everyone know that he now owns the VIP.  If the original active never went to standby role, then he won't update that GARP.  Bottom line is that you may just have to update your ARP tables manually on the upstream device.  Here's how:

First make sure VIP is active:

CSS# llama
CSS(debug)# find ip address 10.86.178.12

CSS(debug)# exit
CSS#

Then you can send the GARP for the VIP:

CSS# llama
CSS(debug)# arp vip 10.86.178.12
Sending ARP for VIP: 10.86.178.12

CSS(debug)# exit
CSS#

After you have done this on the active CSS, test to see if it works.  Be sure that your pair of CSS are not both in the master state.

Sean

Hi Sean,
Thanks for that information. I tried this and found the rule, and it's active in the ARP.

Secondly, I have changed the VIP address but it's still not working as expected.

The CSS pings the server without any issue, but the servers are not able to reach the VIP nor the CSS box.

Server---df CSS.

What next?

My config looks like this:

ip route 0.0.0.0 0.0.0.0 10.20.1.1 1

!************************** CIRCUIT **************************
circuit VLAN60
  ip address 172.16.1.1 255.255.255.0
    redundancy-protocol

circuit VLAN70
  redundancy
  ip address 10.20.1.18 255.255.0.0

!************************** SERVICE **************************
service server1
  protocol tcp
  port 80
  ip address 10.20.2.11
  keepalive method get
  keepalive type http
  active

service server2
  protocol tcp
  port 80
  ip address 10.20.2.11
  keepalive method get
  keepalive type http
  active

!*************************** OWNER ***************************
owner vinci

  content webin
    port 80
    protocol tcp
    url "/*"
    add service server1
    add service server2
    advanced-balance arrowpoint-cookie
    vip address 10.20.1.56
    active

owner redirects

!*************************** GROUP ***************************
group sharepoint.es.ie
  add destination service server1
  add destination service server2
  vip address 10.20.1.60

Server config:

IP address: 10.20.1.x  Default gateway: 10.20.1.1

Regards,

Fariha

I can't tell if your output is truncated, but is the group rule active on your CSS? It would need to be made active to be effective (and it is necessary in your scenario).

James
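A small lint over the configuration as posted above, written as an added example (not from any participant in this thread and not a Cisco tool): it flags service, content and group stanzas with no `active` line, `add ... service` references to services that are not defined, and services that share one IP address. `CONFIG` is a trimmed copy of the posted text; the stanza parser is an assumption about that layout.

```python
# Trimmed copy of the configuration posted earlier in this thread.
CONFIG = """\
service server1
  ip address 10.20.2.11
  active
service server2
  ip address 10.20.2.11
  active
owner vinci
  content webin
    add service server1
    vip address 10.20.1.56
    active
group sharepoint.es.ie
  add destination service server1
  vip address 10.20.1.60
"""

STANZAS = ("circuit", "service", "owner", "content", "group")

def parse(text):
    """Return [(kind, name, body_lines)], one entry per stanza."""
    out = []
    for line in (raw.strip() for raw in text.splitlines()):
        words = line.split()
        if len(words) == 2 and words[0] in STANZAS:
            out.append((words[0], words[1], []))
        elif out and words and not line.startswith("!"):
            out[-1][2].append(line)          # sub-command of the current stanza
    return out

def lint(text):
    """Flag stanzas lacking `active`, undefined service references, shared IPs."""
    stanzas, findings, by_ip = parse(text), [], {}
    defined = {name for kind, name, _ in stanzas if kind == "service"}
    for kind, name, body in stanzas:
        if kind in ("service", "content", "group") and "active" not in body:
            findings.append(f"{kind} {name}: no 'active' line")
        for words in map(str.split, body):
            if kind == "service" and words[:2] == ["ip", "address"]:
                by_ip.setdefault(words[2], []).append(name)
            if words[0] == "add" and words[-2:-1] == ["service"] and words[-1] not in defined:
                findings.append(f"{kind} {name}: unknown service {words[-1]}")
    findings += [f"services {', '.join(n)} share ip address {ip}"
                 for ip, n in by_ip.items() if len(n) > 1]
    return findings

if __name__ == "__main__":
    print("\n".join(lint(CONFIG)))
```

A finding on text pasted into a forum may only mean the paste was cut short, so confirm each one against the running configuration on the CSS.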

Hi James,

Yes, it's active.

Are there any other steps which need to be checked? It's very critical, please help.

Thanks

Far

Hi,

Can anyone look into this please?

Someone else may chime in, but I can't really tell anything is wrong from the config. You may want to verify that both of the services are passing their keepalives. You can also monitor the flows on the CSS to see your incoming connection to the VIP and how it gets balanced:

CSS# monitor
CSS#
                                         DEFAULT:ip route
Enter show sub-command to monitor [HELP: show ?]: flows 64.39.0.40
Enter refresh interval [default:5]: 2

--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
64.39.0.40      5794  192.168.192.220 80    192.168.192.120 TCP e1        e5
64.39.0.40      9454  192.168.192.3   22    0.0.0.0         TCP e1        Ipv4


*** Iteration: 7 ***

64.39.0.40 is the IP I initiated traffic from. 192.168.192.220 is the VIP, and 192.168.192.120 is the server that it sent traffic to.

You would also be able to tell from the IN/OUT ports whether or not the destination server was in the proper VLAN (i.e. frontside or backside).

Good luck,

James

Please clear the mac-address table and also try bouncing your physical interfaces.

Cheers,

DS
