Can a Sorry server be a content rule?

Similar Messages

• CSS and a Sorry Server

  I have been trying to get my CSS 11506 to redirct to a Sorry Server when our content servers go offline. We thought that we had it working, but after some downtime it turned out that our configuration did not work.
  After extensive reading I can't figure out what is wrong with my config, or if the problem lies else where. I am attaching my config below, can anyone tell me if they see any problems with what I have or if there is something that I need to do in addition to what I have. Thank you for you help, here is the config:
  *************************** GLOBAL ***************************
  no restrict web-mgmt
  no restrict xml
  bypass persistence disable
  snmp community ******read-write
  snmp name "******"
  snmp contact "*******r"
  snmp location "CSS11056"
  snmp trap-host 10.20.1.4 ******
  dns primary 10.20.1.2
  ftp-record ******10.20.1.17 *** des-password
  ibfebcgg6aheuc4h1hfcqhpcubwdxcjb cssgui
  ip route 0.0.0.0 0.0.0.0 10.20.1.1 1 !
  *************************INTERFACE*************************
  interface 1/1
  phy 1Gbits-FD-sym !
  **************************CIRCUIT**************************
  circuit VLAN1
  router-discovery lifetime 1000
  ip address 10.20.1.4 255.255.255.0
  router-discovery
  **************************SERVICE**************************
  service Blade01
  ip address 10.20.1.60
  active
  service Blade02
  ip address 10.20.1.61
  active
  service Blade03
  ip address 10.20.1.62
  active
  service Blade04
  ip address 10.20.1.63
  active
  service sorry
  ip address 10.20.1.41
  active
  !*************************** OWNER***************************
  owner ***
  email-address ******
  content Content1
  vip address 10.20.1.80
  balance aca
  add service Blade01
  add service Blade02
  no persistent
  primarySorryServer sorry
  active
  content Content2
  vip address 10.20.1.81
  add service Blade03
  add service Blade04
  balance aca
  active
  !*************************** GROUP***************************
  group content1nat
  vip address 10.20.1.80
  add destination service Blade01
  add destination service Blade02
  add destination service sorry
  group content2nat
  add destination service Blade03
  add destination service Blade04
  vip address 10.20.1.81
  !**************************** ACL ****************************
  acl 10
  clause 5 permit any 10.20.1.60 destination content ****
  sourcegroup ****
  clause 6 permit any 10.20.1.61 destination content ICC/flippid
  sourcegroup Content1
  clause 99 permit any any destination any
  clause 2 permit any 10.0.0.0 destination content ****
  sourcegroup ****
  apply circuit-(VLAN1)
  clause 7 permit any 10.20.1.41 destination content ****
  sourcegroup Content1

  One problem I can see is that you don't have any keepalives configured under the services, so they will default to a Ping. As long as they respond to ping, it will keep traffic going to those servers.
  What services run on these Servers? We generally recommend you use as higher layer keepalive as possible, so if it is a web server for example, use a HTTP keepalive.
  Have a look here for more info:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/content_lb/guide/KAL.html

• Defining virtual servers using content-rules

  Can multiple virtual servers be "bound" to a single real server when all of the virtual servers have the same ip address and port, with the only difference between each virtual server being a unique content rule applied to each? (This is more of a migration issue, than a load-balance issue)

  I assume you are saying Web(HTTP) and the answer is yes.
  1. Your server should has name-based virtual hosting enabled if your server only use 1 IP address.
  2. In CSS, you can use single service for this server or use different services with different keepalive uri for each service.
  3. You can use a number of unique Content rules (same VIP, TCP 80 with different URLs) and add the service to it.
  Remarks: If you want to use unique Content rules, you should make them difference with URL, otherwise all the content rules are the same and you can't activate all.
  Another suggestion: If your server already support Name-VHOST, you can use just single L4 Content rule and all the traffic would be handled by that server (service).

• ACE 4710 - 'reverse proxy' infront of serverfarm - fail-over/sorry server design issue

  Hi All,
  I'm working on a specific config and have an issue in the backup farm/fail-over/sorry server area.
  The customer wants the following:
  They have an existing serverfarm with X web servers, they want a single server to act as a reverse-proxy in front of the farm.
  So that all traffic goes trough that server, that server then forwards the request to the original serverfarm.
  The problem in my design is in the fail-over, if i configure the reverse-proxy server in a new serverfarm and use the original (web servers) farm as backup it has fail-over, but if the reverse-proxy AND the original serverfarm fail, there is no nice way to get the users on a sorry server.
  I could give the original serverfarms rservers a 'backup standby' server but that won't give the desired effect either.
  For maintance they first take 50% of the servers offline and switch to the other 50% after that, so then users would see a sorry page even if there where operational servers in the farm left.
  The 4710's are running routed mode, and the farms use Sticky Cookie, and also some http URL & Cookie matching is done.
  Anyone have an idea how to build this?

  Hi,
  It need additional testing but as per my understanding if you put the back up in this order then the last backup server will be choosen first.
  In your case it will be like " RSERVER1 >> backup sorry server >> backup web content
  As per the below example:
  I put test 2 as first backup server and test1 as second backup server but if you look at the first part it took rserver test1 as first backup.
  serverfarm host 1313-GIN-GWAP-SDC-80
    rserver RSERVER1
      backup-rserver test1
      inservice
    rserver test1
      inservice standby
    rserver test2
      inservice standby
  regards,
  Ajay Kumar

• Content rule Content CSS 11 500 question

  I have the following question, the port number in a content rule is this the port to witch the content switch forwards or to witch he listens on.
  Suppose i have an url www.myname.org
  when i receive this on the content switch i want to redirect it to the backend on port 8080. How can i do this.

  Frederik,
  Your content rule is what we call a Layer 5 Content Rule since it has a HTTP URL field in its matching criteria.
  This means the CSS will be listening for traffic that is heading towards VIP Address 10.5.1.1 on port 40918 AND that it matches a certain URL. This URL in your case is "//domain.be/*".
  When traffic is initiated to VIP 10.5.1.1, the CSS will use Layer 5 information such as the URL included in the client requests to match the traffic to this content rule.
  When you use a browser to access this desired page, your DNS will probably return 10.5.1.1 for domain.be, telling your browser to make a request to VIP 10.5.1.1 and URL "//domain.be/*".
  Please take a look at this link for more information.
  http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_820/cntlbgd/contrule.htm#wp1037654
  Hope it helps.

• Port 443 content rule, can the CSS see inside the cookie ?

  Hi Gilles/everyone,
  With a content rule using port 443, can we use cookie based stickiness or is the cookie also encrpyted ?
  cheers,
  Mike

  also encrypted.
  No way to see it without an SSL module to decrypt.
  Gilles.

• Sorry Server Config for 11503

  I have added a service for the sorr server and I have added the name of the server SorryServer1 to the content rule. However when I suspend the content rule I get a Page Not diplayed instead of the redirect to the Sorry Server.
  The config has mulitple Content rules, I am currently only testing on one.
  Thanks

  Hi,
  if you suspend the whole content rule the sorry server can not do it's action as the rule is "down" you need do suspend all services except the sorry server.
  Kind Regards,
  Joerg
  PS
  For a HowTo and recommendations refer to http://www.cisco.com/en/US/partner/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801579f2.html#1038009

• CSS Sorry server requirements

  Folks,
  The documentation says that the sorry server concept will only work if the loadbalancing is done at layer 7. My question is why, why can't i see the sorry server redirect if all services are down when doing load balancing at Layer 3 or Layer 4?

  Hi,
  Can you point me to those docs. I believe sorry server should work regardless of which layer is the content rule configured to check.
  Actually this doc's example is layer 3:
  http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093de8.shtml
  I will build a working config at layer 3 for you soon.

• Sorry server redirect

  is it possible to confider the css so that is one of the servers goes down that it will redirect the request to the sorry server, as per the documentation all servers have to be done, i want it to go to sorry server if one of the servers goes down. any ides?

  so, you have multiple servers assigned to a content rule, and if one of them goes down, you want the traffic to be redirected to a sorryserver. Is that correct ?
  The only solution would be to create a probe that would bring all servers down at the same time. You can create a global keepalive that uses a script probe that does check each server and assign this same global keepalive to all server. Like this, they will all go down at the same time and your sorryserver will be used.
  Gilles.

• Using a content rule for port translation.

  If I set up a content rule to grab traffic on a VIP on port 81, can I then send it to a server that is configured for port 80 ?
  cheers,
  Mike

  If I receive a udp packet with the sourse port 123. Can CSS forward this packet to the Server, but replace sourse port to something greater than 1023 ???
  As I know CSS doesn't NAT for udp ports less than 1023.

• I am not able to telnet my content rule VIP address

  I am not able to telnet my content rule VIP address and port number. But I am able to direct to telnet to service servers, which are added into the content rule set. Can anyone tell me why. I have update the latest WEBOS 5.00 Build 69. The content switch model is 11050. thank you very much .

  Is possible one armed and in line in the same content switch ?
  Currently I have some content rule are using one armed solution, there is only one rule I need to make the server see the original IP. I guess my question is , can I have this rule use in -line solution only, so I will not have to impact other rules set.
  The other question since this content rule's service sever have only one interface only, Can I have this in-line solution go in the content switch and come out content switch in the same server farm switch ? Thank you for all the help.

• ACE - Sorry Server

  Here is a description of the problem I am having:
  I have a VIP configured  using 2 serverfarms. ServerFarm-A as the primary and ServerFarm-B as the backup.
  Serverfarm-A (Primary) contains 2 webservers hosting the website
  Serverfarm-B (BackUp) contains 1 server simply hosting a sorry page
  When  Serverfarm-A (Primary) fails, I recieve the sorry page hosted on Serverfarm-B (Backup)
  This action works fine with no issues. I simply click the refresh button on my browser and get the sorry page.
  When Serverfarm-A (Primary) comes back on-line I still recieve the sorry page hosted on Serverfarm-B (Backup)
  The only way I do not recieve the sorry page is if the client deletes its cache from the browser. (This issue occurs in both IE and FireFox)
  I am assuming that since this action does not occur when ServerFarm-A goes down why would it happen the opposite way.
  I have tried several differnt configs recommended by TAC and still no luck.
  I am hoping someone has come across this issue and can help.

  Larry,
  Have you compared the headers that are being sent by the servers in the primary farm with those of the sorry serverfarm? If the sorry servers are marking the content as cacheable but the primary servers are not then you could perhaps configure the sorry servers with the same settings.
  Is the sorry server giving actual application content or just a sorry page telling the user the site is unavailable?
  Also when you refresh is the browser making a new tcp connection to the vip or is it just sending a get on the existing tcp conversation? A wireshark trace on the client would show if it is a new connection or a continuation of the existing one. If the connection is still established and you are just sending another get on the same tcp stream you may want to try and disable connection keepalive on the web server. When the primary farm comes back up only new tcp connections should be sent there. The existing connection will stay on the server they were initially sent to.

• Sorry server - different replies

  We have CSS 11000 that provides load balancing between several servers with configured max-session .
  How to configure that sorry server sends different reply:
  1) if all servers are down, it has redirect to page "sorry, server is down"
  2) in case of overload, it it has to redirect to page "sorry, server is bussy, try later"
  Can you advise how it possible to configue this?
  thanks in advance,
  Natalia

  there is no direct way of doing this.
  However, my solution is to do this :
  service sorry_down
  service sorry_overloaded
  keepalive type script check_service_down use-output
  owner mycompany
  content www
  vip ...
  add service ...
  primarysorryserver sorry_overloaded
  secondarysorryserver sorry_down
  active
  The script check_service_down, will do a 'show service ' grep -u Alive to detect if a service is alive or just not used because down.
  Or you could also simply do ap-kal-pinglist and ping the services.
  Anyway, the idea for the kal for the service sorry_overloaded is to check the status of the other services and detect if they are down or just overloaded.
  Gilles.

• Sorry Server for CSS 11500

  Hi,
  I have a question regarding sorry server configuration on the CSS 11500 series.
  Is there a way for the sorry server to ignore the URL path and always send the user traffic to the "root" page (e.g. index.html) of the sorry server web server?
  The problem I have is the redirection of the "root" page (url "/") that is configured for the normal traffic is causing the sorry page not to work since the URL path ("/psp/CUSTOMER1/?cmd=login") does not exist on the sorry page web server:
  service Sorry-Server
    protocol tcp
    port 8000
    keepalive type tcp
    ip address 192.168.2.254
    active
  service server1
    ip address 192.168.2.101
    protocol tcp
    keepalive type tcp
    port 8080
    active
  service server2
    ip address 192.168.2.102
    protocol tcp
    keepalive type tcp
    port 8080
    active
  owner Customer1
    content Content1
      vip address 192.168.1.101
      port 80
      protocol tcp
      url "/*"
      balance aca
      advanced-balance arrowpoint-cookie
      flow-timeout-multiplier 6
      add service server1
      add service server2
      primarySorryServer Sorry-Server
      active
    content Content1-Redirect
      redirect "/psp/CUSTOMER1/?cmd=login"
      vip address 192.168.1.101
      port 80
      protocol tcp
      url "/"
      active
  Thanks in advance for your help!
  Best regards,
  Harry

  Hi again,
  During a maintenance window I made the following change and that made things a bit better:
  service Sorry-Server
    type redirect
    keepalive type none
    redirect-string "192.168.2.254:8000"
    active
  However, since the redirect string points to a private address, Internet users are not able to access the URL.
  As a work-around I sent the redirect to a new content rule with a public address and then configured a second sorry page server:
  service Sorry-Server
    type redirect
    keepalive type none
    redirect-string "sorry.example.com:8000"
    active
  service Sorry-Server-2
    ip address 192.168.2.254
    protocol tcp
    port 8000
    keepalive type tcp
    active
  owner Customer1
    content Content2
      vip address x.x.x.x
      add service Sorry-Server-2
      port 8000
      protocol tcp
      active
  Is there a better way to do this?
  Best regards,
  Harry

• Sticky sessions across multiple content rules

  Hi,
  If a client PC initiates two requests which match different content rules on a CSS (first request http port 80 to CSS VIP downloads a small application. This application then sends a second request to the VIP, on tcp port 8085) can sticky rules be configured on the CSS content rules, so that they hit the same destination server, given that both content rules contain the same services, and hence be considered part of the same session?
  Thanks

  there is no sitcky accros content rules option on the CSS.
  But there are solutions to this problem.
  First, are you doing anything special with your HTTP content rule ? Like cookies or url inspection ?
  If not, you can group the 2 content rules into a single one. You will have 1 Layer3 rule instead of 2 Layer 4 rules.
  If you have L5-7 rules [http inspection], the previous solution is not possible.
  You will need to maintain 2 rules.
  You could then use a 'balance srcip' balancing method on both rules.
  This algorithm is deterministic.
  The same client will always go to the same server.
  Hope this helps.
  Regards,
  Gilles.
  Thanks for rating.