Load balanced web site with CSS 11050 shows own LB IP in IIS logs.

Discussion in 'Cisco' started by njohn, Aug 19, 2004.

  1. njohn

    njohn Guest

    I have a CSS 11050 running version 5.01 that I'm using for simple Web
    site load balancing. My problem is that the IP address of the load
    balancer shows up in my IIS logs as the requesting client and I can
    not run site reports. Is there any way around this?
    Many Thanks,
    Nate
    njohn, Aug 19, 2004
    #1
    1. Advertising

  2. Re: Load balanced web site with CSS 11050 shows own LB IP in IISlogs.

    njohn wrote:
    > I have a CSS 11050 running version 5.01 that I'm using for simple Web
    > site load balancing. My problem is that the IP address of the load
    > balancer shows up in my IIS logs as the requesting client and I can
    > not run site reports. Is there any way around this?
    > Many Thanks,
    > Nate


    By default, a CSS only NATs the destination IP (and port, if necessary)
    from the VIP to the origin server (real server). To convert the source
    address, which obviously happens in your installation, a source group
    must be configured. You see something like this:

    group <groupname>
    ip address <ip-address>
    add destination service <service>
    add des....
    active

    This means that for all the services defined in this source group, the
    source IP of the request packed is NATed to the IP address specified in
    the source group.

    You might consider removing this group but be careful. The source group
    is sometimes used to force returning traffic through the CSS to do the
    packet adjustments for the flow.
    Igi.
    Ignaz Kraehenmann, Aug 19, 2004
    #2
    1. Advertising

  3. njohn

    dmcknigh Guest

    (njohn) wrote in message news:<>...
    > I have a CSS 11050 running version 5.01 that I'm using for simple Web
    > site load balancing. My problem is that the IP address of the load
    > balancer shows up in my IIS logs as the requesting client and I can
    > not run site reports. Is there any way around this?
    > Many Thanks,
    > Nate


    AFAIK, this is not the default behavior of the CSS (at least not in
    6.x) code. The only time I've seen this is when the requests are
    loadbalanced through SSL accelerators acting as proxies before being
    "re-loadbalanced" to web servers via HTTP. Are you using any other
    devices in client-to-server path that act as proxies?
    Also, don't forget that if your using keepalive method "GET" on the
    services defined in the CSS, you will see requests in your log that
    correspond to the CSS checking the servers for "aliveness". These
    checks will be logged as coming from the CSSes IP address.
    -dmcknigh-
    dmcknigh, Aug 19, 2004
    #3
  4. njohn

    njohn Guest

    Ignaz Kraehenmann <> wrote in message news:<412458a2$>...
    > njohn wrote:
    > > I have a CSS 11050 running version 5.01 that I'm using for simple Web
    > > site load balancing. My problem is that the IP address of the load
    > > balancer shows up in my IIS logs as the requesting client and I can
    > > not run site reports. Is there any way around this?
    > > Many Thanks,
    > > Nate

    >
    > By default, a CSS only NATs the destination IP (and port, if necessary)
    > from the VIP to the origin server (real server). To convert the source
    > address, which obviously happens in your installation, a source group
    > must be configured. You see something like this:
    >
    > group <groupname>
    > ip address <ip-address>
    > add destination service <service>
    > add des....
    > active
    >
    > This means that for all the services defined in this source group, the
    > source IP of the request packed is NATed to the IP address specified in
    > the source group.
    >
    > You might consider removing this group but be careful. The source group
    > is sometimes used to force returning traffic through the CSS to do the
    > packet adjustments for the flow.
    > Igi.


    I do have a group configured, but I believe I need this to do load
    balancing on a single network correct? But its true that if I wanted
    the actual client IP to show up in the logs, I could create multiple
    networks?
    Many thanks!
    Nate
    njohn, Aug 19, 2004
    #4
  5. njohn

    njohn Guest

    (dmcknigh) wrote in message news:<>...
    > (njohn) wrote in message news:<>...
    > > I have a CSS 11050 running version 5.01 that I'm using for simple Web
    > > site load balancing. My problem is that the IP address of the load
    > > balancer shows up in my IIS logs as the requesting client and I can
    > > not run site reports. Is there any way around this?
    > > Many Thanks,
    > > Nate

    >
    > AFAIK, this is not the default behavior of the CSS (at least not in
    > 6.x) code. The only time I've seen this is when the requests are
    > loadbalanced through SSL accelerators acting as proxies before being
    > "re-loadbalanced" to web servers via HTTP. Are you using any other
    > devices in client-to-server path that act as proxies?
    > Also, don't forget that if your using keepalive method "GET" on the
    > services defined in the CSS, you will see requests in your log that
    > correspond to the CSS checking the servers for "aliveness". These
    > checks will be logged as coming from the CSSes IP address.
    > -dmcknigh-



    No SSL accellerators or proxies. The only odd configuration is that
    the LB and the servers are within the same network.
    njohn, Aug 19, 2004
    #5
  6. njohn

    njohn Guest

    (njohn) wrote in message news:<>...
    > I have a CSS 11050 running version 5.01 that I'm using for simple Web
    > site load balancing. My problem is that the IP address of the load
    > balancer shows up in my IIS logs as the requesting client and I can
    > not run site reports. Is there any way around this?
    > Many Thanks,
    > Nate


    Thanks Ignaz for clue-ing me into the issue here. This is one of the
    listed "disadvatages" of one-armed load balancing.
    http://www.cisco.com/en/US/products...s_configuration_example09186a0080093dff.shtml

    Off I go to re-work my networks... Thanks all.

    Nate
    njohn, Aug 20, 2004
    #6
  7. Re: Load balanced web site with CSS 11050 shows own LB IP in IISlogs.

    njohn wrote:
    > Ignaz Kraehenmann <> wrote in message news:<412458a2$>...
    >
    >>njohn wrote:
    >>
    >>>I have a CSS 11050 running version 5.01 that I'm using for simple Web
    >>>site load balancing. My problem is that the IP address of the load
    >>>balancer shows up in my IIS logs as the requesting client and I can
    >>>not run site reports. Is there any way around this?
    >>>Many Thanks,
    >>>Nate

    >>
    >>By default, a CSS only NATs the destination IP (and port, if necessary)
    >>from the VIP to the origin server (real server). To convert the source
    >>address, which obviously happens in your installation, a source group
    >>must be configured. You see something like this:
    >>
    >>group <groupname>
    >> ip address <ip-address>
    >> add destination service <service>
    >> add des....
    >> active
    >>
    >>This means that for all the services defined in this source group, the
    >>source IP of the request packed is NATed to the IP address specified in
    >>the source group.
    >>
    >>You might consider removing this group but be careful. The source group
    >>is sometimes used to force returning traffic through the CSS to do the
    >>packet adjustments for the flow.
    >>Igi.

    >
    >
    > I do have a group configured, but I believe I need this to do load
    > balancing on a single network correct? But its true that if I wanted
    > the actual client IP to show up in the logs, I could create multiple
    > networks?
    > Many thanks!
    > Nate


    You must make sure returning traffic passes the CSS. On a common
    network, the source group is one option. Another is, to force traffic
    from the servers to the CSS (gateway address of the servers). Make sure
    in this case to turn off redirect messages. These would open a return
    path without passing the CSS.
    Another issue in a single network are clients, directly connected to the
    server segment. It's not easy to have return traffic pass the CSS in
    this case.
    Igi.
    Ignaz Kraehenmann, Aug 21, 2004
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Mike H

    multilink vs load balanced

    Mike H, Dec 16, 2003, in forum: Cisco
    Replies:
    1
    Views:
    553
  2. J Bard
    Replies:
    0
    Views:
    6,088
    J Bard
    Jan 9, 2004
  3. Nikolai Schupbach
    Replies:
    0
    Views:
    3,101
    Nikolai Schupbach
    Feb 23, 2004
  4. mmrvka

    service console on css 11050

    mmrvka, Oct 3, 2006, in forum: Cisco
    Replies:
    1
    Views:
    357
    BSD Johnson
    Oct 4, 2006
  5. Mike Gauthier

    CSS 11050 random RSTs

    Mike Gauthier, Sep 6, 2007, in forum: Cisco
    Replies:
    2
    Views:
    1,105
    Mike Gauthier
    Sep 6, 2007
Loading...

Share This Page