Cisco CSS 11501 - High-Availabilty

Similar Messages

• Getting logs for DOS Attack:Sync Attack on cisco CSS 11501 frequently.

  Hi ,
  Since couple of weeks , i am getting below DOS attack logs on cisco CSS.Can anyone help me out about how can we avoid this? and how to deal with it.
  04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
  04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
  04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
  04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
  04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
  Thanks
  Manish

  Hi Nicolas,
  Why i am asking about DOS attack as i am facing some issues for the 2 VIPs configured in cisco CSS 11501.
  Can you help me troubleshooting the issue?
  I have coming across some Load Balancing issues for the 2 VIPS configured on Cisco CSS11501.
  We  have cisco CSS 11501. We have 2 VIPs configured on it for FE and BE  servers.Now Client calls to FE VIP and LB forwarding it to server and  then FE server calls the BE VIP which goes through the same LB and  forward to BE server under the VIP.When we start load test, we have  observed after 2 hour test, application team getting HTTP timeout.As  this application is used by Call center so getting timeout is bad.
  Need to troubleshoot this issue if there is any problem from LB End.
  Please find the attached file for VIP configs.

• How to reset password on Cisco CSS 11501?

  Hi,
  I have changed the password for the Admin user (which was SuperUser) but when I changed it I forgot to add "SuperUser" at the end, now I don't have SuperUser access to the CSS 11501.
  Can anyone shade some light on this problem and explain how can I reset the password for a SuperUser?
  Thanks in Advance,
  Shai

  Hi Shai,
  You need to reboot the CSS. When prompt, hit any key to go into the Offline Diagnostic Menu.
  When you get in the menu, you will go to Administrative options and create an additional Admin user. When you do this, DO NOT use "admin", use something totally different.
  Get out of the Offline DM and reboot the CSS. When the CSS comes up, login as the new user (which will have Superuser rights) and run the "username" cli to change the password of "admin" and add the superuser part this time.
  Regards
  Pete Knoops
  Cisco Systems

• Cisco CSS 11501 Capacity Planning

  We have a pair of CSS 11501 units which currently have one VIP in front of two servers. Hence they are not being utilised at all.
  I've been asked about putting some additional services on these but have no idea what sort of capacity they could take, i.e. max servers, max VIPs, max users/connections.
  I've looked around but cannot find any documentation that helps. The following: http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps792/product_data_sheet0900aecd800f851e.html document states it has a '6Gbps Bandwidth Aggregate', which is strange as it doesn't even have that physical capacity?
  Any help appreciated.

  http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps792/product_data_sheet0900aecd800f851e.html
  No limit for vip and server (except you need to keep your conig under 10k lines)
  Number of concurrent connections is 200k per module and there is only 1 module in the 11501
  Gilles.

• Cisco CSS 11501

  As part of my testing for a resilient pair of CSS11501's, I want to "shutdown" a service rather than just suspend it.   Is this possible from the command line of this content switch, or is my only option to use a weighted "graceful" shutdown which obviously could take quite some time.
  many  thanks

  Due to the following route statements on your CSS the servers response traffic is getting sent to IP/device 213.139.46.0.
  ip route 213.139.46.35 255.255.255.255 213.139.46.0 1
  ip route 213.139.46.36 255.255.255.255 213.139.46.0 1
  Are the servers suppose to send their traffic to the 213.139.46.0 IP address? Or are they setup to use the 213.139.46.19 IP address as their gateway? If so, then the additional route statements should not be needed.
  Also, have you verified the services have passed their keepalive check? Even though you have a URI of "/" and a keepalive port of "9080" on the services there is no keepalive type specified in the service configuration. The CSS should have defaulted to using ICMP keepaive check for the services.
  - Jason

• Cisco CSS 11501 Service Redirection

  Hi,
  We have kept CSS 1 & CSS 2 in DMZ zone & servers are kept at LAN segment. Proxy, DNS & OID (Oracle Instance ID) services are created at these CSS. I want users coming from outside will hit CSS at DMZ zone & based upon access requirement he will be redirected to the LAN servers for proxy , dns or OID access. Whether it is possible? If so then please guide me with the config...

  you have to be careful when using the term redirect.
  redirect is a possibility with HTTP.
  For other protocols, there is no concept of redirect. But you can forward the traffic from the CSS in the DMZ to a server on the internal network.
  The only thing to remember is that the CSS, like a firewall, needs to see all traffic from client to server and from server to client.
  So, in your setup, since the CSS will not be inline between client-server, you have to find a way to force the traffic to go back to the CSS.
  The easiest solution is to nat traffic going through the CSS.
  The drawbacks is that the servers do not see the real client ip address. They just see the nated ip address.
  Another solution, more complex is to use policy routing to intercept traffic and forward when need to the CSS.
  Regards,
  Gilles.

• CSS 11501 Load Balancing Issue

  Hi,
  We are facing some issue in load balancing in cisco CSS 11501 as we are not able to access the application  through virtual IP. Below is the ruuning configuration of the CSS:
  CSS11501# sh running-config
  !Generated on 10/06/2010 16:51:34
  !Active version: sg0810106
  configure
  !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 132.186.199.1 1
  !************************** CIRCUIT **************************
  circuit VLAN1
    ip address 132.186.199.145 255.255.255.0
  !************************** SERVICE **************************
  service Server1
    ip address 132.186.199.243
    port 5001
    protocol tcp
    keepalive port 5001
    active
  service Server2
    ip address 132.186.199.246
    protocol tcp
    port 5001
    keepalive port 5001
    active
  !*************************** OWNER ***************************
  owner L5_Owner
    content L3_Rule
      vip address 132.186.199.146
      protocol tcp
      port 5001
      add service Server1
      add service Server2
      active
    content L5_Rule
      vip address 132.186.199.146
      add service Server1
      add service Server2
      protocol tcp
      port 5001
      url "//132.186.199.146:5001/emi"
      active
  CSS11501#
  Observation : We are able to telnet on VIP: 132.186.199.146 on port 5001,  but not able to access the application.
  In Actual scenarion customer access  application by accessing URL: http://132.186.199.243:5001/emi and once he enter this URL in web browser the request redirects ( by server itself)  to URL: https://132.186.199.44:6002/cas/login?service=http%3A%2F%2F132.186.199.243%3A5001%2Femi%2Findex.jsp&acceptStrength=BASIC on backend server for user authenticaton and once user is authenticated then it again redirect to main URL ( http://132.186.199.243:5001/emi ) to access the application but when we are trying to access the application through VIP ( URL: http://132.186.199.146:5001/emi) we are not getting the login page as the request is not gettting redirected to backend server for user authentication.
  Please suggest a solution here.

  The problem is that you are in one-armed mode.
  So you need to configure client nat.
  Without nating the client ip address, the server response goes back directly to the client and bypasses the CSS.
  Therefore the client receives a response from an unknown server ip address (not the vip).
  So configure a group.
  For example
  group Client
      vip address 132.186.199.146
      add destination service Server1
       add destination service Server2
      active
  Also, remove the url command from your content rule.
  It is useless in your case and will just make performance worst.
  Gilles.

• Security on the Cisco CSS

  I have a Cisco CSS 11501s attached to a Cisco 6000. I am using the CSS in an on arm design, which is basically a router on a stick. The Cisco 6000 only provides layer 2 switching. It utilizes 1 Ethernet interface on a single vlan.
  I configure 3 VIPs for client connection.
  - VIP 1 for SSL
  - VIP 2 is for the clear text traffic from the
  VIP1/proxy list.
  - VIP 3 is for redirecting clear text traffic from
  the client.
  - All VIPs use the same address, but differing
  ports.
  I have a source group for all outbound traffic to the server farm. I tried to block traffic to the clear text interface, but I blocked all traffic. Is there an issue with one security of VIPs in a one-arm design?
  Any design ideas?
  Thank you

  Hi,
  If I understand correctly, you want to block the traffic destined to the VIP which is actually meant for the back-end traffic with the server once it is off the proxy-list. I understnad you use the VIP2 for this purpose as per your question and is same as the client side IP range.
  Here is the solution just use a config what is known as "full-proxy" configuration by Cisco on the CSS. To do this you would need two different IP ranges. One would be for your client side (the one resolved by dns) and the other could be a different IP range preferably the non-routable private ip rnage like 192.168.x.x for the back-end server segment. You will now pick-up a VIP from server segment and assign it in the proxy-list with the 'cipher' specs.
  In essence, this way you wouldn't be forced using the same VIP range for the servers and for the clients as well. You can have a private range on the back-end. This prevents traffic being targeted to your server segment from the client segment in the clear http in your case.
  thanks

• CSS 11501S GSLB DNS

  Hi
  I am in the process of planning for a GSLB failover solution for a web site. I have attached a very basic diagram showing an example of the topology.
  The aim is to have two sites. A primary site and a DR site to be used as a failover solution.
  The main site has two web servers that will need to be load balanced and the failover DR site will only have 1 web server.
  My initial plan was to use 2 Cisco CSS 11501S devices as I believe this would provide the load balancing and GSLB functionality I require.
  To achieve this I was going to use the CSS's as the primary and secondary name servers for the domain. This has raised a few question marks….
  Both of our sites are connected to a private WAN (with private IP ranges). See attached diagram. Our internet access is provide through a third party “Firewall Port” directly off the WAN. We don't manage the firewall that connects to the internet. This third party firewall provides the NAT for our public facing services (web servers, mail servers, ftp servers etc).
  So my questions are…
  * Because the CSS's and web servers are located on a private network will the CSS's be able to respond to the DNS requests with the PUBLIC IP address (as seeen from the internet) of the servers as apposed to the private IP address of the servers? If the firewall in front of the CSS's was connected to the internet this could be done via DNS doctoring but our firewall is on a private subnet!
  * Is it possible to get the CSS's to respond to DNS requests for other domain devices that do not reside behind the CSS - E.g. a MX record for a mail server that resides on another 'private' network?
  *Is there a better way to achieve this?
  Any assistance would be much appreciated!!

  Thanks for the reponse Gilles. When you say
  "If you configure the css to answer with the public ip address, you can't access your vip from the internal network anymore."
  Do you mean that you will only get the public ip address from a DNS query and therefore this won't work locally?
  If I have a host file entry providing the private address resolution for my internal hosts will this work?
  "Also, be aware we do not support GSLB on the CSS anymore.
  So, if this is a new install, it is better to start with a solution that we support - GSS"
  Why is this no longer supported? Are there a lot of problems with GSLB on the CSS? It is pretty hard to justify the cost of a solution including 2 GSS's for GSLB and 1 CSS for server load balancing when comapred to the price of 2 CSS's with the enhanced license for both GSLB and server load balancing.
  I have one client that wants to use their existing CSS's for a solution like this and another that is starting from scratch.
  Thanks

• High CPU utilization on CSS 11501 version sg0750303

  Hi everyone,
  I have the problem about High CPU utilization on CSS 11501 version sg0750303.
  Our customer has used one pair of CSS 11501 (active-standby).
  As a matter of convenience, called "Old CSS" after here in this post.
  However traffic via Old CSS had been increasing so customer decided to add one more
  pair (active-standby) of CSS to separate traffic.
  Yesterday we installed new two CSS 11501 version sg0750303 (active-standby).
  As a matter of convenience, called "New CSS" after here in this post.
  Today, active CSS 11501 and standby CSS 11501 which were installed yesterday (New CSSs)
  indicates High CPU utilization.
  Active CSS 11501:
  Peak CPU utilization: about 85%
  Average CPU Utilization: about 60%
  Standby CSS 11501:
  Peak CPU utilization: about 40%
  Average CPU Utilization: unknown
  I do not understand why CPU utilization of both New CSSs become high.
  The traffic pass through New CSS less than Old CSS, because the traffic is separated into
  Old CSS and New CSS.
  And CSS's configuration parameters (service, content, access-list) also less than Old CSS,
  because real servers are also separated into Old CSS and New CSS.
  Old CSS indicated average of CPU utilization about 20% before installing New CSSs yesterday,
  in spite of all traffic pass through Old CSS only.
  I wrote "New CSS remains High CPU utilization", however end users do not feel the
  performance issue (e.g., performance delay, communication failure and so on) and
  the traffic pass through New CSS normally.
  So I have the question "CSS 11501 sg0750303 remains High CPU utilization on normal situation ?"
  And customer uses MTRG to poll SNMP for Old CSSs and New CSSs.
  So I have the question "CSS 11501 sg0750303 become High CPU utilization in case of receiving
  SNMP polling ?".
  Or if this situation is abnormal we need to start investigation.
  Would you please let me know how do we investigate this situation.
  I found the DDTS CSCek57080 "Performance issue using arrowpoint-cookie with ASR".
  Release note of this DDTS says that
  A customer was using a CSS pair configuration where arrowpoint-cookie
  is being used along with a redundant-index on many content rules. When
  the flow rate increased to a few hundred flows/sec, the peer message
  queue of the CSS receiving ASR related message began to fill up.
  When the peer message queue became over subscribed, the CPU increased
  and the CSS became unstable.
  New CSSs have configured redunrant-index on two content rules, and end users do not feel the
  performance issue (e.g., performance delay, communication failure and so on) and
  the traffic pass through New CSS normally.
  So I think this DDTS does not related to this case.
  Your information would be greatly appreciated.
  Best regards,

  Gilles,
  Thank you very much for your cooperation.
  I got the capture you instructed us.
  The following are additional information from our customer.
  At time user traffic path through the active CSS, active CSS indicates;
  CPU utilization always range of 30% - 40%
  Peak CPU utilization about 60% - 80%
  At time there is no user traffic pass through active CSS, active CSS indicates;
  CPU utilization always range of 0% - 5%
  Attached files are named "Active CSS.log" and "Standby CSS.log".
  "Active CSS.log" is captured on active CSS and "Standby CSS.log" is captured on
  standby CSS.
  I found the following process is using resource by looking the output of
  "shell 1 1 spyReport" command.
  On active CSS,
  tFlowMgrPktR 8ba24070 50 26% ( 1469) 20% ( 26)
  On standby CSS,
  fmPeerMsgTas 8a511510 50 16% ( 176) 10% ( 7)
  Your comment would be greatly appreciated.
  Best regards,

• CSS 11501 StartUp Problem

  Hi all,
  After i boot up for the first time, the CSS asked for change User/Pass, wich i perform a well known ones.
  After that it's always impossible to login.
  Is there any way of return to factory default Settings?
  or
  Is there any password recovery procedure?
  or
  What are the default User/Pass of the equipment?
  I already done a Power Off/On on it with no results.
  Best Regards,
  Petr?nio

  Hi,
  I perform the password recovery, as it was documented and then its always getting the "CSS 11501 Offline Diagnostic Monitor menu (OffDM)" Menu, even if i dont press the Y key in the bootup question "Would you like to access the Offline Diagnostic Monitor? (Y)"
  Any ideias?
  How can i test the login i changed before?
  Here is the bootup logging that appear's.
  I'm not pressing any key.
  ******** Boot UP ********
  CSS 11501 Offline Diagnostic Monitor menu (OffDM)
  Version: 08.10.1.06
  M A I N M E N U
  Enter the number of a menu selection:
  1* Set Boot Configuration
  2. Show Boot Configuration
  3* Advanced Options
  4. Reboot System
  > 4
  Are you sure you want to reboot? (y/n) [n] y
  Rebooting....
  BootRom...booting
  Copyright (1998-2002), Cisco Systems, Inc
  Locked boot flash.
  Validating operational boot flash, please wait...
  Operational boot flash valid. Jumping to operational boot flash.
  Copyright (1998-2002), Cisco Systems, Inc
  Operational boot flash.
  Attaching interrupt handlers...Done.
  Built Mar 9 2006 @ 17:56:32
  Version 08.10.1.06
  Press to enter the Diagnostic Monitor
  Ran 1 times, 24 tests. Detected 0 errors.
  Booting OffDm @ 0xbff00000
  SCM:MASTER Other:NOT-PRESENT
  Initializing the disk...OK
  Reading configuration records...
  No Primary or Secondary Boot Record Found
  FAILED
  MGMT disabled, network port not active
  Would you like to access the Offline Diagnostic Monitor? (Y)
  Booting(-) ...
  Transferring to menu...
  Waiting for commands..
  CSS 11501 Offline Diagnostic Monitor menu (OffDM)
  Version: 08.10.1.06
  M A I N M E N U
  Enter the number of a menu selection:
  1* Set Boot Configuration
  2. Show Boot Configuration
  3* Advanced Options
  4. Reboot System
  >

• PRIME LMS 4.2 + High Availabilty

  Hi all,
    Does LMS 4.2 support Microsoft cluster solution for High Availabilty ?
  I understand from Cisco Documentations that they use Veritas Cluster solution as well as Vmware Vmotion/HA for high available configuration of LMS.
  But i would like to know if we can achieve this using Microsoft Cluster and if then, can some please share any documents/details pertaining to same ?
  Sankar

  Besides the supported Veritas method, the second best solution would be to snapshot your VM regularly and practice restore from that. A Microsoft Cluster solution would be an unsupported kludge.
  You could also perform a system (application level) backup on a regular basis and restore from that.

• CSS 11501 Trouble shooting data throughput

  I have two groups of servers that talk to each other through the Load Balancer. It appears that on certain transactions where there is a "get", "head" or "trace" in the actual http data, the transaction is not forwarded through the CSS 11501. This happens maybe once in 11,000 transactions. It appears the word get, head or trace has to be in a certain part of the data payload to cause this problem too occur. Has anybody heard of such an issue? If so, do you have a work around? If not, any suggestion on how I can further isolate the issue. FYI I have a TAC case open but it does not appear to be going any where any time soon.

  is it happening in the middle of a persistent connection or with the first request ?
  There are 2 possibilities I can think off.
  First one would be a flow timeout and the next request is just dropped because the css reclaim the fcb.
  The 2nd option is that by default the CSS does not support the "TRACE" http method.
  It must be enabled.
  See info at :
  http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_command_reference_chapter09186a008040c3cf.html
  So, configure a flow-timeout-multiplier and enable parsing of rfc2518 methods.
  Gilles.

• CSS 11501 DNS

  Do I need a live internet/DNS environment to test this switch? I have bridged vlan2 to e1. my VIP is set to X.X.X.47 and I have to services set to X.X.X.45 and .46. They both say active. The e1 port is up but my vlan2 is down. I am assuming that the circuit is my problem.
  When you define a vlan IP address, the manual says that this is the IP address that the CSS will recieve traffic from, so that would be the virtual IP .47 that links to either .45 or .46 right?
  I am suppose to configure 1 web server ip per port on the CSS switch? I currently connect the 2 web servers to a 8 port 10/100 switch and I have a straight ethernet cable from that 10/100 switch to port 1 (e1) on the css Switch.
  Are all my port numbers suppose to be configured to 80 since they are being used for HTTP? Am I to use the HTTP keepalive function as well?
  I guess any additional info would be great. I guess this isn't a click, click, and go switch like someone said.

  Ok. Thanks for the tip on the examples. I have tried to follow them as much as possible and have made progress, but I am still having problems with a few things that i can;t seem to find answers for.
  CSS 11501 = IP 10.0.0.49 Subnet 255.255.255.0 Gateway 10.0.0.1
  Srv01 = IP 10.1.0.45 Subnet 255.255.255.0 Gateway NONE
  Srv02 = IP 10.1.0.46 Subnet 255.255.255.0 Gateway NONE
  Dell 2708 = IP 10.0.0.13 subnet 255.255.255.0 Gateway 10.0.0.1
  Client = IP 10.0.0.113 subnet 255.255.255.0 Gateway 10.0.0.1
  I have Srv01 and Srv02 plugged into the CSS 11501 with IP address listed above. They reside in e7 and e8.
  I have a cable from e1 to the dell 2708.
  I have a laptop with a cable to the dell 2708.
  I have configured a vlan (VLAN10) which includes ports e7 and e8 with an IP interface of 10.1.0.1. Status is active (GREEN)
  I have configured two services with Srv01 and Srv02 and the status of both are active (Green)
  I have created a content rule which includes both srv01 and srv02 with a VIP of 10.1.0.25. Status is active (green)
  So I go to one of the web servers that is plugged into e7 or e8 and I can ping 10.1.0.25 sucessfully on both boxes. But I can only ping each servers IP address on its own box. In otherwords I can't ping cross server. When I try to access 10.1.0.25 from the servers the page doesn't come up. I know the VIP works because I can ping it.
  I have also configured a VLAN (VLAN5) for e1 which goes to the dell 2708 with an IP of 10.0.0.48. But the status is down.
  I am doing something wrong and can't seem to figure it out. any suggestions? I can diagram a picture in visio if you need a visual aid. I might consider Cisco University after all this.

• CSS 11501 neighbors

  I note that the CSS 11501 is a CM-supported device. This is according to the Supported Device Table for LMS 3.2.
  My Campus Manager (5.2.1 with the CM6.0 device updates applied) lists my 11501's as unconnected devices even though they and their upstream neighbors are running CDP and seeing each other. I confirmed they are the correct device type (sysObjectID = 1.3.6.1.4.1.9.9.368.4.7). Ciscoview can see and manage them just fine.
  Is there any way to make them properly appear as connected in the Campus Manager topology map?

  The CSS devices all appear in the Unconnnected Devices view of Campus Manager. Walking cdpCacheTable on them returns:
  The following is a SNMP walk of device 10.10.71.252 starting from .1.3.6.1.4.1.9.9.23.1.2.1
  SNMP Walk Output
  .1.3.6.1.4.1.9.9.23.1.2.1
  CISCO-CDP-MIB::cdpCacheTable = No Such Object available on this agent at this OID.
  They are CSS11501R's, each running:
  CSS11501# sh ver
  Version:               sg0810106 (08.10.1.06)
  I have four of them, each with multiple physical connections to a common upstream Catalyst 3560G-24TS. That device does show the CSS's as neighbors, along with its upstream switch. I have attached the switch's cdpCacheTable.
  Here is a screenshot: