02-06-2013 03:13 AM - edited 03-07-2019 11:32 AM
Hello Everybody,
I have an issue with the device in subject.
I need some servers, listed as services on the CSS, to be able to contact a content VIP on the same subnet. To allow that traffic I configured a group on the CSS (group 1) with a VIP address and an ACL that allows traffic from subnet 10.1.1.0/24 toward the same subnet 10.1.1.0/24, and I have bound this ACL with sourcegroup 1.
The NAT and portmap work, but never at the first attempt; from the second attempt on it works. It seems like the CSS requires too much time to create the NAT entry. Do you have any advice for me? Has anyone experienced the same issue?
Tnx
02-06-2013 05:45 AM
Please post your configuration. Sounds like a SNAT issue.
Regards
==========================
http://www.rConfig.com
A free, open source network device configuration management tool, customizable to your needs!
- Always vote on an answer if you found it helpful
02-06-2013 07:06 AM
Hi Stephen,
Below is the configuration:
circuit VLAN905 (vlan Server)
ip address 10.1.1.132
ip virtual-router 2 preempt
ip redundant-interface 10.1.1.129
group 1
flow-timeout-multiplier 38
vip address 10.1.1.142
active
acl 10
clause 20 permit any any destination any
clause 1 permit any 10.1.1.128 255.255.255.192 destination 10.1.1.128 255.255.255.192 sourcegroup 1
apply circuit-(VLAN905)
This is the content where the servers with IP address 10.1.1.1.x attempt the connection:
content EIMMWBV1-80
add service MWB01 (10.1.1.137)
add service MWB02 (10.1.1.139)
add service MWB03 (10.1.1.150)
add service MWB04
vip address 10.1.1.145
port 80
protocol tcp
02-06-2013 07:29 AM
I think it may be an ARP issue. If the hosts trying to reach the NAT'd address of 10.1.1.142 don't have an ARP entry for it, they will ARP out for it, and this is the delay, I think. Next time, check your ARP tables before you try to connect and see if your hosts have an ARP entry for it. Try to connect and check again.
Regards
02-08-2013 03:20 AM
Hi Stephen,
I thought so too. I already checked on the destination server whether it had an ARP entry for the VIP address, and even when it has an ARP entry for the group VIP address (the group VIP address has the MAC address of the CSS interface dedicated to VLAN 905), the first attempt fails.