Posted by Jack Daniels on May 28, 2008, 4:08 pm
I'm looking for some advice on a problem I have with a Cisco CSS and an ISA 2004 server. The CSS is load balancing a web farm, but one of the servers is always getting hit, and it's not the same one. After some investigations we traced it back to the ISA and the VPN users that are accessing the website.

The CSS seems to see the ISA server as one connection, and as a result whatever server it gets connected to by the CSS then gets the full load of all the VPN client users.

So my question is: can I get the CSS to see this as not just one client connecting but many, so that it balances the load, or somehow just split the load so that one web server is not always killed?

Any advice is welcome.

Jack

Posted by artie lange on May 28, 2008, 4:22 pm
I could think of one possibility: Your ISA server is NAT'ing the VPN users' traffic. If you did not NAT the VPN users' traffic, then the CSS device would see the IP address of the VPN client, not the IP address of the ISA server that is 'proxying' the traffic for your VPN users?

Just a thought....

Posted by artie lange on May 28, 2008, 4:24 pm
Jack Daniels wrote:
> Hi everyone,
>
> I'm looking for some advice on a problem i have with a Cisco CSS and a
> ISA 2004 server, the CSS is load balancing a web farm but one of the
> servers is always getting hit and its not the same one after some
> investigations we traced it back to the ISA and the VPN users that are
> accessing the website.
>
> The CSS seems to see the ISA server as one connection and as a result
> whatever server it gets connected to by the CSS then gets the full
> load of all the VPN clients users.
>
> So my question is can I get the CSS to see this as not just one client
> connecting but many so that it balances the load or some how just
> split the load so that one web server is not always killed.
>
> Any advice is welcome.
>
> Jack

Just thinking about this a little more, can you not set the CSS device to round robin connections to the web farm? Or is it that the CSS sees all traffic as one session even though it is from multiple users?

Posted by Paul Matthews on May 29, 2008, 3:30 am
Jack Daniels wrote:
>The CSS seems to see the ISA server as one connection and as a result
>whatever server it gets connected to by the CSS then gets the full
>load of all the VPN clients users.

Info on your config on the CSS would help.

I presume the ISA is translating so all users appear to have the same source address?

Do you have sticky configured on the CSS? If you have sticky set by source address, it is behaving exactly as it should. You could try other options for sticky, or even remove it entirely if the application does not need it.

P.

--
Paul Matthews CCIE #4063
Please post questions to the NG, NOT by e-mail.

Posted by Jack Daniels on May 29, 2008, 4:19 am
All traffic is being translated by the ISA server, so the CSS sees it as one IP connecting and one connection.

!*************************** CIRCUIT **************************
circuit vlan1
  ip address 10.10.10.5 255.255.255.0
  no redirects

!*************************** SERVICE **************************
service 1
  ip address 10.10.10.2
  active

service 2
  ip address 10.10.10.3
  active

service 3
  ip address 10.10.10.4
  active

!*************************** OWNER ****************************
owner cisco_systems
  content One-Arm-rule
    vip address 10.10.10.6
    add service 1
    add service 2
    add service 3
    active

!*************************** GROUP ****************************
group Servers
  vip address 10.10.10.6
  add destination service 1
  add destination service 2
  add destination service 3
  active
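
The following is an added example, not part of the thread and not CSS code: a toy Python model of the two effects discussed above, the ISA's NAT collapsing every VPN user onto one source address and stickiness keyed on that address. The server addresses are services 1-3 from the posted config; the NAT address, the VPN client addresses and the per-user key (standing in for something like an application cookie) are assumptions made for the illustration.

```python
from collections import Counter
from itertools import cycle

SERVERS = ["10.10.10.2", "10.10.10.3", "10.10.10.4"]  # services 1-3 in the posted config
NAT_IP = "10.10.10.50"  # hypothetical ISA address (assumption, not from the thread)

class Balancer:
    """Toy round-robin balancer with optional stickiness; not the CSS algorithm."""

    def __init__(self, servers, sticky_key=None):
        self._rr = cycle(servers)
        self._sticky_key = sticky_key  # maps a connection to its sticky key, or None
        self._table = {}               # sticky key -> server chosen on first sight

    def pick(self, conn):
        if self._sticky_key is None:
            return next(self._rr)
        key = self._sticky_key(conn)
        if key not in self._table:
            self._table[key] = next(self._rr)
        return self._table[key]

def connections(users, per_user, nat_ip=None):
    """Constructed sample traffic: each VPN user opens per_user connections."""
    return [
        {"src_ip": nat_ip or f"192.168.50.{u}", "user": f"user-{u}"}
        for _ in range(per_user)
        for u in range(1, users + 1)
    ]

def distribute(conns, sticky_key=None):
    lb = Balancer(SERVERS, sticky_key)
    return dict(Counter(lb.pick(c) for c in conns))

def scenarios(users=30, per_user=4):
    natted = connections(users, per_user, NAT_IP)
    direct = connections(users, per_user)
    by_src = lambda c: c["src_ip"]
    by_user = lambda c: c["user"]  # stands in for a per-user key such as a cookie
    return {
        "NAT, sticky by source IP": distribute(natted, by_src),
        "NAT, no sticky": distribute(natted),
        "NAT, sticky by per-user key": distribute(natted, by_user),
        "no NAT, sticky by source IP": distribute(direct, by_src),
    }

if __name__ == "__main__":
    for name, counts in scenarios().items():
        print(f"{name:30} {counts}")
```

Only the first scenario puts every connection on a single server; removing stickiness, keying it on something per user, or not translating the client addresses each spreads the same traffic evenly in this model.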