Cisco CSS and ISA 2004 Problem

Hi everyone,

I'm looking for some advice on a problem I have with a Cisco CSS and an ISA 2004 server. The CSS is load balancing a web farm, but one of the servers is always getting hit, and it's not the same one. After some investigation we traced it back to the ISA and the VPN users that are accessing the website.

The CSS seems to see the ISA server as one connection, and as a result whatever server it gets connected to by the CSS then gets the full load of all the VPN client users.

So my question is: can I get the CSS to see this as not just one client connecting but many, so that it balances the load, or somehow just split the load so that one web server is not always killed?

Any advice is welcome.

Jack

Reply to
Jack Daniels

I could think of one possibility:

Your ISA server is NAT'ing the VPN users' traffic. If you did not NAT the VPN users' traffic, then the CSS device would see the IP address of the VPN client, not the IP address of the ISA server that is 'proxying' the traffic for your VPN users?

Just a thought....

Reply to
artie lange

Just thinking about this a little more, can you not set the CSS device to round robin connections to the web farm? Or is it that the CSS sees all traffic as one session even though it is from multiple users?

Reply to
artie lange

Info on your config on the CSS would help.

I presume the ISA is translating so all users appear to have the same source address? Do you have sticky configured on the CSS? If you have sticky set by source address, it is behaving exactly as it should. You could try other options for sticky, or even remove it entirely if the application does not need it.

P.

Reply to
Paul Matthews

All traffic is being translated by the ISA server, so the CSS sees it as one IP connecting and one connection.

    !*************************** CIRCUIT **************************
    circuit vlan1
      ip address 10.10.10.5 255.255.255.0
        no redirects

    !*************************** SERVICE **************************
    service 1
      ip address 10.10.10.2
      active

    service 2
      ip address 10.10.10.3
      active

    service 3
      ip address 10.10.10.4
      active

    !*************************** OWNER ****************************
    owner cisco_systems
      content One-Arm-rule
        vip address 10.10.10.6
        add service 1
        add service 2
        add service 3
        active

    !*************************** GROUP ****************************
    group Servers
      vip address 10.10.10.6
      add destination service 1
      add destination service 2
      add destination service 3
      active

Reply to
Jack Daniels

This may need a little trial and error

The options to look at are:

    balance roundrobin
    balance aca

Under the content rule. Basically RR says as you would expect, ACA watches response times and passes more load to quicker responding servers.

The sticky is set by the advanced balance command. Options are:

    sip-call-id
    wap-msisdn
    arrowpoint-cookie
    sticky-srcip
    sticky-srcip-dstport
    cookies
    url
    cookieurl
    ssl
    none

Of those, I would suggest trying cookies first. Some are obviously irrelevant - sip-call-id, wap-msisdn and ssl. Others will be ineffective.

Another thing to check - is there any possibility that the servers in the farm are redirecting directly to themselves?

P.

Reply to
Paul Matthews
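
A small model of the behaviour discussed in this thread, added here as an example (it is not from any poster and is not Cisco's implementation): it counts connections per web server when the sticky key is the source IP, a per-user cookie, or nothing (round robin), with and without the ISA's source NAT. The NAT address, client addresses and session names are constructed, and the hash is only a stand-in for the CSS sticky table.

```python
import hashlib
from collections import Counter
from itertools import cycle

# Real servers from the posted config (services 1-3).
SERVERS = ["10.10.10.2", "10.10.10.3", "10.10.10.4"]
# Constructed: the single source address the ISA translates every VPN user to.
ISA_NAT_IP = "192.0.2.10"


def pick(key):
    """Map a sticky key to one server; a hash stands in for the sticky table."""
    digest = hashlib.sha256(key.encode()).digest()
    return SERVERS[int.from_bytes(digest[:4], "big") % len(SERVERS)]


def vpn_connections(users=300, per_user=10, nat=True):
    """Constructed traffic: (source_ip, session_cookie) for each connection."""
    conns = []
    for u in range(users):
        src = ISA_NAT_IP if nat else f"172.16.{u // 250}.{u % 250 + 1}"
        conns.extend((src, f"session-{u}") for _ in range(per_user))
    return conns


def simulate(conns, mode):
    """Return connections per server for one balancing/sticky mode."""
    hits = Counter({s: 0 for s in SERVERS})
    rr = cycle(SERVERS)
    for src_ip, cookie in conns:
        if mode == "sticky-srcip":    # key is the source address only
            server = pick(src_ip)
        elif mode == "cookies":       # key is a per-user session cookie
            server = pick(cookie)
        elif mode == "roundrobin":    # no stickiness, next server each time
            server = next(rr)
        else:
            raise ValueError(f"unknown mode: {mode}")
        hits[server] += 1
    return hits


if __name__ == "__main__":
    for nat in (True, False):
        for mode in ("sticky-srcip", "cookies", "roundrobin"):
            result = simulate(vpn_connections(nat=nat), mode)
            print(f"nat={nat!s:5} {mode:12}", dict(result))
```

With NAT in place, the source-IP key sends every connection to one server, while the cookie key keeps each user on a single server but spreads users across the farm.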

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.