
Cisco CSS 11501 and NAT

n.calabria
Level 1

Hello Everybody,

I have an issue with the device in the subject.

I need some servers, listed as services on the CSS, to be able to contact a content VIP on the same subnet. To allow that traffic I configured a group on the CSS (group 1) with a VIP address and an ACL that allows traffic from subnet 10.1.1.0/24 toward the same subnet 10.1.1.0/24, and I have bound this ACL to sourcegroup 1.

The NAT and portmap work, but never on the first attempt; from the second attempt onward it works. It seems like the CSS requires too much time to create the NAT entry. Do you have any advice for me? Has anyone experienced the same issue?

Tnx

4 Replies

stephen.stack
Level 4

Please post your configuration. Sounds like a SNAT issue.

Regards

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful


Hi Stephen,

Below is the configuration:

circuit VLAN905                             (vlan Server)
  ip address 10.1.1.132
  ip virtual-router 2 preempt
  ip redundant-interface 10.1.1.129

group 1
  flow-timeout-multiplier 38
  vip address 10.1.1.142
  active

acl 10
  clause 20 permit any any destination any
  clause 1 permit any 10.1.1.128 255.255.255.192 destination 10.1.1.128 255.255.255.192 sourcegroup 1
  apply circuit-(VLAN905)

This is the content to which the servers with IP address 10.1.1.1.x attempt the connection:

  content EIMMWBV1-80
    add service MWB01  (10.1.1.137)
    add service MWB02   (10.1.1.139)
    add service MWB03    (10.1.1.150)
    add service MWB04
    vip address 10.1.1.145
    port 80
    protocol tcp

I think it may be an ARP issue. If the hosts trying to reach the NAT'd address of 10.1.1.142 don't have an ARP entry for it, they will ARP out for it, and this is the delay, I think. Next time, check your ARP tables before you try to connect and see if your hosts have an ARP entry for it. Try to connect and check again.

Regards

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful


Hi Stephen,

I thought so; I already checked on the destination server whether it had an ARP entry for the VIP address, and even when it has an ARP entry for the group VIP address (the group VIP address has the MAC address of the CSS interface dedicated to VLAN 905), the first attempt fails.