Cisco CSS 11501 Service Redirection

Hi,
We have kept CSS 1 & CSS 2 in DMZ zone & servers are kept at LAN segment. Proxy, DNS & OID (Oracle Instance ID) services are created at these CSS. I want users coming from outside will hit CSS at DMZ zone & based upon access requirement he will be redirected to the LAN servers for proxy , dns or OID access. Whether it is possible? If so then please guide me with the config...

you have to be careful when using the term redirect.
redirect is a possibility with HTTP.
For other protocols, there is no concept of redirect. But you can forward the traffic from the CSS in the DMZ to a server on the internal network.
The only thing to remember is that the CSS, like a firewall, needs to see all traffic from client to server and from server to client.
So, in your setup, since the CSS will not be inline between client-server, you have to find a way to force the traffic to go back to the CSS.
The easiest solution is to nat traffic going through the CSS.
The drawbacks is that the servers do not see the real client ip address. They just see the nated ip address.
Another solution, more complex is to use policy routing to intercept traffic and forward when need to the CSS.
Regards,
Gilles.

Similar Messages

Cisco CSS 11501 - High-Availabilty

We have a single CSS 11501 and were thinking about just buying a new one and putting it online as the standby with statefull (hopefully) failover, but weren't sure that this would work.
Does anyone know what is needed to create a high-availability Cisco CSS 11501 environment?
Do you only need 2 CSS 11501 and then configure them with one being active and the other being in a standby mode, like a PIX?
Is there a HA Cable that would need to be connected between the 2 CSS's?
Thanks in Advanced.
Joe

Daniel,
There is a new stateful failover mechanism for the Cisco CSS 11500.
This description is a bit "salesy" I know, but it covers the question asked :-)
The Cisco CSS 11500 delivers ASRthe industry's first stateful Layer 5 session redundancy feature that enables failover of important flows while maximizing performance. Some flowssuch as a long-lived File Transfer Protocol (FTP) or a database session may be mission critical, but many are not. Most solutions on the market today require all trafficimportant or notto be backed up from one box to another. If the majority of flows are not critical, then most of system performance is wasted on unnecessary back
ups. With ASR, the Cisco CSS 11500 may be configured so critical flows are marked as replication worthy, whereas others do not need to be so marked. ASR focuses traffic management resources precisely where needed.
Better yet, have a look at the following link focusing on the section on Stateless Redundancy.
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_510/advcfggd/redndncy.htm
Regards
Pete..

Getting logs for DOS Attack:Sync Attack on cisco CSS 11501 frequently.

Hi ,
Since couple of weeks , i am getting below DOS attack logs on cisco CSS.Can anyone help me out about how can we avoid this? and how to deal with it.
04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
Thanks
Manish

Hi Nicolas,
Why i am asking about DOS attack as i am facing some issues for the 2 VIPs configured in cisco CSS 11501.
Can you help me troubleshooting the issue?
I have coming across some Load Balancing issues for the 2 VIPS configured on Cisco CSS11501.
We have cisco CSS 11501. We have 2 VIPs configured on it for FE and BE servers.Now Client calls to FE VIP and LB forwarding it to server and then FE server calls the BE VIP which goes through the same LB and forward to BE server under the VIP.When we start load test, we have observed after 2 hour test, application team getting HTTP timeout.As this application is used by Call center so getting timeout is bad.
Need to troubleshoot this issue if there is any problem from LB End.
Please find the attached file for VIP configs.

Cisco CSS 11501 Capacity Planning

We have a pair of CSS 11501 units which currently have one VIP in front of two servers. Hence they are not being utilised at all.
I've been asked about putting some additional services on these but have no idea what sort of capacity they could take, i.e. max servers, max VIPs, max users/connections.
I've looked around but cannot find any documentation that helps. The following: http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps792/product_data_sheet0900aecd800f851e.html document states it has a '6Gbps Bandwidth Aggregate', which is strange as it doesn't even have that physical capacity?
Any help appreciated.

http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps792/product_data_sheet0900aecd800f851e.html
No limit for vip and server (except you need to keep your conig under 10k lines)
Number of concurrent connections is 200k per module and there is only 1 module in the 11501
Gilles.

How to reset password on Cisco CSS 11501?

Hi,
I have changed the password for the Admin user (which was SuperUser) but when I changed it I forgot to add "SuperUser" at the end, now I don't have SuperUser access to the CSS 11501.
Can anyone shade some light on this problem and explain how can I reset the password for a SuperUser?
Thanks in Advance,
Shai

Hi Shai,
You need to reboot the CSS. When prompt, hit any key to go into the Offline Diagnostic Menu.
When you get in the menu, you will go to Administrative options and create an additional Admin user. When you do this, DO NOT use "admin", use something totally different.
Get out of the Offline DM and reboot the CSS. When the CSS comes up, login as the new user (which will have Superuser rights) and run the "username" cli to change the password of "admin" and add the superuser part this time.
Regards
Pete Knoops
Cisco Systems

Cisco CSS 11501

As part of my testing for a resilient pair of CSS11501's, I want to "shutdown" a service rather than just suspend it. Is this possible from the command line of this content switch, or is my only option to use a weighted "graceful" shutdown which obviously could take quite some time.
many thanks

Due to the following route statements on your CSS the servers response traffic is getting sent to IP/device 213.139.46.0.
ip route 213.139.46.35 255.255.255.255 213.139.46.0 1
ip route 213.139.46.36 255.255.255.255 213.139.46.0 1
Are the servers suppose to send their traffic to the 213.139.46.0 IP address? Or are they setup to use the 213.139.46.19 IP address as their gateway? If so, then the additional route statements should not be needed.
Also, have you verified the services have passed their keepalive check? Even though you have a URI of "/" and a keepalive port of "9080" on the services there is no keepalive type specified in the service configuration. The CSS should have defaulted to using ICMP keepaive check for the services.
- Jason

CSS 11501 Load Balancing Issue

Hi,
We are facing some issue in load balancing in cisco CSS 11501 as we are not able to access the application through virtual IP. Below is the ruuning configuration of the CSS:
CSS11501# sh running-config
!Generated on 10/06/2010 16:51:34
!Active version: sg0810106
configure
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 132.186.199.1 1
!************************** CIRCUIT **************************
circuit VLAN1
ip address 132.186.199.145 255.255.255.0
!************************** SERVICE **************************
service Server1
ip address 132.186.199.243
port 5001
protocol tcp
keepalive port 5001
active
service Server2
ip address 132.186.199.246
protocol tcp
port 5001
keepalive port 5001
active
!*************************** OWNER ***************************
owner L5_Owner
content L3_Rule
    vip address 132.186.199.146
    protocol tcp
    port 5001
    add service Server1
    add service Server2
    active
content L5_Rule
    vip address 132.186.199.146
    add service Server1
    add service Server2
    protocol tcp
    port 5001
    url "//132.186.199.146:5001/emi"
    active
CSS11501#
Observation : We are able to telnet on VIP: 132.186.199.146 on port 5001, but not able to access the application.
In Actual scenarion customer access application by accessing URL: http://132.186.199.243:5001/emi and once he enter this URL in web browser the request redirects ( by server itself) to URL: https://132.186.199.44:6002/cas/login?service=http%3A%2F%2F132.186.199.243%3A5001%2Femi%2Findex.jsp&acceptStrength=BASIC on backend server for user authenticaton and once user is authenticated then it again redirect to main URL ( http://132.186.199.243:5001/emi ) to access the application but when we are trying to access the application through VIP ( URL: http://132.186.199.146:5001/emi) we are not getting the login page as the request is not gettting redirected to backend server for user authentication.
Please suggest a solution here.

The problem is that you are in one-armed mode.
So you need to configure client nat.
Without nating the client ip address, the server response goes back directly to the client and bypasses the CSS.
Therefore the client receives a response from an unknown server ip address (not the vip).
So configure a group.
For example
group Client
    vip address 132.186.199.146
    add destination service Server1
     add destination service Server2
    active
Also, remove the url command from your content rule.
It is useless in your case and will just make performance worst.
Gilles.

Security on the Cisco CSS

I have a Cisco CSS 11501s attached to a Cisco 6000. I am using the CSS in an on arm design, which is basically a router on a stick. The Cisco 6000 only provides layer 2 switching. It utilizes 1 Ethernet interface on a single vlan.
I configure 3 VIPs for client connection.
- VIP 1 for SSL
- VIP 2 is for the clear text traffic from the
VIP1/proxy list.
- VIP 3 is for redirecting clear text traffic from
the client.
- All VIPs use the same address, but differing
ports.
I have a source group for all outbound traffic to the server farm. I tried to block traffic to the clear text interface, but I blocked all traffic. Is there an issue with one security of VIPs in a one-arm design?
Any design ideas?
Thank you

Hi,
If I understand correctly, you want to block the traffic destined to the VIP which is actually meant for the back-end traffic with the server once it is off the proxy-list. I understnad you use the VIP2 for this purpose as per your question and is same as the client side IP range.
Here is the solution just use a config what is known as "full-proxy" configuration by Cisco on the CSS. To do this you would need two different IP ranges. One would be for your client side (the one resolved by dns) and the other could be a different IP range preferably the non-routable private ip rnage like 192.168.x.x for the back-end server segment. You will now pick-up a VIP from server segment and assign it in the proxy-list with the 'cipher' specs.
In essence, this way you wouldn't be forced using the same VIP range for the servers and for the clients as well. You can have a private range on the back-end. This prevents traffic being targeted to your server segment from the client segment in the clear http in your case.
thanks

CSS 11501S GSLB DNS

Hi
I am in the process of planning for a GSLB failover solution for a web site. I have attached a very basic diagram showing an example of the topology.
The aim is to have two sites. A primary site and a DR site to be used as a failover solution.
The main site has two web servers that will need to be load balanced and the failover DR site will only have 1 web server.
My initial plan was to use 2 Cisco CSS 11501S devices as I believe this would provide the load balancing and GSLB functionality I require.
To achieve this I was going to use the CSS's as the primary and secondary name servers for the domain. This has raised a few question marksâ¦.
Both of our sites are connected to a private WAN (with private IP ranges). See attached diagram. Our internet access is provide through a third party âFirewall Portâ directly off the WAN. We don't manage the firewall that connects to the internet. This third party firewall provides the NAT for our public facing services (web servers, mail servers, ftp servers etc).
So my questions areâ¦
* Because the CSS's and web servers are located on a private network will the CSS's be able to respond to the DNS requests with the PUBLIC IP address (as seeen from the internet) of the servers as apposed to the private IP address of the servers? If the firewall in front of the CSS's was connected to the internet this could be done via DNS doctoring but our firewall is on a private subnet!
* Is it possible to get the CSS's to respond to DNS requests for other domain devices that do not reside behind the CSS - E.g. a MX record for a mail server that resides on another 'private' network?
*Is there a better way to achieve this?
Any assistance would be much appreciated!!

Thanks for the reponse Gilles. When you say
"If you configure the css to answer with the public ip address, you can't access your vip from the internal network anymore."
Do you mean that you will only get the public ip address from a DNS query and therefore this won't work locally?
If I have a host file entry providing the private address resolution for my internal hosts will this work?
"Also, be aware we do not support GSLB on the CSS anymore.
So, if this is a new install, it is better to start with a solution that we support - GSS"
Why is this no longer supported? Are there a lot of problems with GSLB on the CSS? It is pretty hard to justify the cost of a solution including 2 GSS's for GSLB and 1 CSS for server load balancing when comapred to the price of 2 CSS's with the enhanced license for both GSLB and server load balancing.
I have one client that wants to use their existing CSS's for a solution like this and another that is starting from scratch.
Thanks

CSS 11501 redirect string

I have a CSS with services set up for a Primary/Failover scenario with our web servers.
The primary server takes all requests on port 80, if that service dies, the inbound requests go to the secondary server.
The content rule is set up as:
Content = myweb.com
primarySorryServer = myweb_DR.com
secondarySorry = redirect to a third server
The CSS is only doing DNS name resolution for the third server, basically just pointing to a url.
The Content and PrimarySorryserver are working ok.
The secondarySorryserver is working ok as well.
I need to know if I do not have the SSL module in the CSS, will it point the requests to an https web page?
I would like to redirect this page to a s
The

I couldn't understand clearly what your question is.
If you are asking if its possible to redirect an HTTP request to HTTPS request without SSL module then yes you can do it. SSL module is only needed when you need to offload SSL on CSS.
If you have a Layer 4 rule configured that listens on port 443 and and only your servers are doing the SSL offloading then you dont need SSL module. In this case you can redirect hhtp requests to HTTPS without SSL module
an example would be
service http-to-https-APP1
keepalive type none
type redirect
no prepend-http
domain https://www.App1.com
active
content APP1-redirect
vip address 10.10.10.111
protocol tcp
port 80
url "/*"
add service http-to-https-APP1
active
You should have a Layer4 content rule waiting for these https://www.app1.com requests.
HTH
Syed Iftekhar Ahmed

Cisco CSS HTTP Redirects

All,
I have a number of web sites that are currently being load balanced by CSS 11503s runninng 8x code. I was recently requested to configure HTTP --> HTTPS redirects on the CSS for every site. In the past, I have only configured the redirects for sites that had a requirement. Now it appears that the server teams want all content encrypted.
1) What impact will this have on the CPU?
2) What impact will this have on Memory utilization?
3) Is there a maximum nubmer on redirects?
4) Are there other things I should be concerned about?
Thanks!

Hi Kevin,
As I mentioned there are two ways of doing redirects with the CSS, first is using services type redirect as you're doing and the second is using a redirect as a default action under a L5 content rule (this is where you would save some config lines).
i.e Let's say you have the site www.abz.com with 1 URI www.abz.com and www.abz.com/news; where news is balanced to a different server cluster.
In this case the configuration would look like this:
    content ABZ
      port 80
      protocol tcp
      vip address 192.168.10.10
      add service Web-1
      add service Web-2
      url "/*"
      active
    content ABZ-News
      port 80
      protocol tcp
      vip address 192.168.10.10
      add service Web-3
      add service Web-4
      url "/news/*"
      active
Now if you want to redirect all the content to HTTPS regardless of the URI to the main site https:///www.abz.com then you can just do a single content rule like this:
    content ABZ
      port 80
      protocol tcp
      vip address 192.168.10.10
      url "/*"
      redirect "https://www.abz.com"
      active
If you do need to keep the URI after the redirection; for example the new request to be like https://www.abz.com/news/ then you would do it with the type service redirect and the domain option as you're currently doing it.
HTH
Pablo

CSS 11501 Load Balancing with X-forwarded-for

Hi,
We have a pair of CSS 11501,
Currently it is using source ip for load balancing and 5 servers as backend , however we have users loggin in using http and based on its source IP (ISP PROXY) , it is forwarded to SERVER A.
However, we have a SSL page and when the client switches over to SSL , it is forwarded to SERVER B/C/D/E based on its source IP ( REAL CLIENT IP) .
This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
Is there any way that we can use the X-Forwarded-For address to load balance so that when users loging , they are sent to SERVER A (Based on X-Forwarded-For Header IP which translate to REAL CLIENT IP).
This way we are able to also send it back to the same server when it uses SSL.
I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP
Regards

Hi,
Unfortunately CSS does not support X-Forwarded-For, and even if CSS supports that, this wont work if you are not using SSL termination.
One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
In summary, you will have an SSL content rule that will decrypt the traffic, and this one will use the same content rule that already exist for HTTP, in case that the server is the one doing the redirect to SSL, but this is something that requires testing since depending on the redirect behavior we might have a redirect loop, but without details it is kind of hard to confirm that you will face this with this option.
Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
content HTTP-HTTPS
    vip address 10.198.44.70
    advanced-balance sticky-srcip
    add service server1
    add service server2
    add service server3
    add service server4
    add service server5
    protocol tcp
    active
Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
Thanks,
Rodrigo

CSS 11501 DNS

Do I need a live internet/DNS environment to test this switch? I have bridged vlan2 to e1. my VIP is set to X.X.X.47 and I have to services set to X.X.X.45 and .46. They both say active. The e1 port is up but my vlan2 is down. I am assuming that the circuit is my problem.
When you define a vlan IP address, the manual says that this is the IP address that the CSS will recieve traffic from, so that would be the virtual IP .47 that links to either .45 or .46 right?
I am suppose to configure 1 web server ip per port on the CSS switch? I currently connect the 2 web servers to a 8 port 10/100 switch and I have a straight ethernet cable from that 10/100 switch to port 1 (e1) on the css Switch.
Are all my port numbers suppose to be configured to 80 since they are being used for HTTP? Am I to use the HTTP keepalive function as well?
I guess any additional info would be great. I guess this isn't a click, click, and go switch like someone said.

Ok. Thanks for the tip on the examples. I have tried to follow them as much as possible and have made progress, but I am still having problems with a few things that i can;t seem to find answers for.
CSS 11501 = IP 10.0.0.49 Subnet 255.255.255.0 Gateway 10.0.0.1
Srv01 = IP 10.1.0.45 Subnet 255.255.255.0 Gateway NONE
Srv02 = IP 10.1.0.46 Subnet 255.255.255.0 Gateway NONE
Dell 2708 = IP 10.0.0.13 subnet 255.255.255.0 Gateway 10.0.0.1
Client = IP 10.0.0.113 subnet 255.255.255.0 Gateway 10.0.0.1
I have Srv01 and Srv02 plugged into the CSS 11501 with IP address listed above. They reside in e7 and e8.
I have a cable from e1 to the dell 2708.
I have a laptop with a cable to the dell 2708.
I have configured a vlan (VLAN10) which includes ports e7 and e8 with an IP interface of 10.1.0.1. Status is active (GREEN)
I have configured two services with Srv01 and Srv02 and the status of both are active (Green)
I have created a content rule which includes both srv01 and srv02 with a VIP of 10.1.0.25. Status is active (green)
So I go to one of the web servers that is plugged into e7 or e8 and I can ping 10.1.0.25 sucessfully on both boxes. But I can only ping each servers IP address on its own box. In otherwords I can't ping cross server. When I try to access 10.1.0.25 from the servers the page doesn't come up. I know the VIP works because I can ping it.
I have also configured a VLAN (VLAN5) for e1 which goes to the dell 2708 with an IP of 10.0.0.48. But the status is down.
I am doing something wrong and can't seem to figure it out. any suggestions? I can diagram a picture in visio if you need a visual aid. I might consider Cisco University after all this.

Load Balance TMG with Cisco CSS

I am working with a Customer that is using Cisco CSS to load balance Microsoft TMG 2010.
From the Microsoft TMG, I can see the https probes hitting the TMG Servers. The TMG 2010 recongnizes that the Cisco is trying to establish a 3-way handshake and is dropping every 3rd connection with the following error: "non-SYN packet was dropped because it was sent by a source that does not hane an established connection with the Forefron TMG computer." Since the Microsoft Forefront TMG 2010 Server is Stateful packet inspection firewall, what is the best load balance method for this service? TCP or even worst ICMP.
Below is a snipet of the configuration:
Thank You
Avery
CSS-A# show service Server1-ssl
Name: Server1-ssl Index: 70
Type: Local            State: Alive
Rule ( x.x.x.x TCP 443 )
Session Redundancy: Enabled
Redundancy Global Index: 206
Redirect Domain:
Redirect String:
Keepalive: (SSL-443   5   3   5 )
Keepalive Encryption:      Disabled
Last Clearing of Stats Counters: 03/05/2012 16:33:14
Mtu:                       1500        State Transitions:            4
Total Local Connections:   0           Total Backup Connections:     0
Current Local Connections: 0           Current Backup Connections:   0
Total Connections:         0           Max Connections:              65534
Total Reused Conns:        0           Weight Reporting:             None
Weight:                    1           Load:                         2
CSS-A#
CSS-A# show service Server2-ssl
Name: Server2-ssl Index: 71
Type: Local            State: Alive
Rule ( x.x.x.x TCP 443 )
Session Redundancy: Enabled
Redundancy Global Index: 207
Redirect Domain:
Redirect String:
Keepalive: (SSL-443   5   3   5 )
Keepalive Encryption:      Disabled
Last Clearing of Stats Counters: 03/05/2012 16:53:49
Mtu:                       1500        State Transitions:            6
Total Local Connections:   0           Total Backup Connections:     0
Current Local Connections: 0           Current Backup Connections:   0
Total Connections:         0           Max Connections:              65534
Total Reused Conns:        0           Weight Reporting:             None
Weight:                    1           Load:                         2

Hi,
It would good to have a capture from the server itself, the TCP keepalive is really simple, as you explained, it is just a 3-way-handshake on port 443.
The CSS is going to use it's vlan IP to generate this keepalive.
So if the server is dropping the connection, it would be good to se the actual behavior of the keepalive.
ICMP is just a ping, and lets say port 443 is not longer open on the server, at the point that the CSS gets the ICMP reply back from the server, the service is going to remain as alive, but the traffic is not going to work, so ICMP is not a good option.
Thanks!

Cisco css http keepalive is not working with GET command

Dear all
i have Cisco Css connected to Dell Server (via switch)
Cisco CSS - 192.168.1.3 and Dell Server - 192.168.1.5
Dell server is setup with windows 2009R2 and Apache HTTPD is version 2.2
This server is dedicated to host multiple doamins with Apache lik
www.abc.co.uk
www.xyz.co.uk
Now the clinet wants to setup the http keepalive with specfic web page like /testpage.html for all these domains. i have teseed with single URI. it is working the comamnds are
config)# service serv1
(config-service[serv1])# ip address 192.168.1.5
(config-service[serv1])# keepalive type http
(config-service[serv1])# keepalive method head    ( get i have not used due to hash mismatch with apche server, if i use GET it is not working)
(config-service[serv1])# keepalive uri "/testpage.html"
(config-service[serv1])# active
It is working with single URI. but how can i do the same thing for multiple doamins ?
for multiple doamins do i need use script ? or can i use with commands ?
if i need to use script the script is
!no echo
! Filename: httptag-test
! Parameters: HostName WebPage HostTag
! Description:
!       This script will connect to the remote host and do an HTTP
!   GET method upon the web page that the user has asked for.
!   This script also adds a host tag to the GET request.
! Failure Upon:
!   1. Not establishing a connection with the host.
!       2. Not receiving an HTTP status "200 OK"
if ${ARGS}[#] "NEQ" "3"
        echo "Usage: httptag-test \'Hostname WebPage HostTag\'"
        exit script 1
endbranch
! Defines:
set HostName "${ARGS}[1]"
set WebPage "${ARGS}[2]"
set HostTag "${ARGS}[3]"
! Connect to the remote Host
set EXIT_MSG "Connection Failure"
socket connect host ${HostName} port 80 tcp
! Send the GET request for the web page
set EXIT_MSG "Send: Failed"
socket send ${SOCKET} "GET ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
! Send the HEAD request for the web page
set EXIT_MSG "Send: Failed"
socket send ${SOCKET} "HEAD ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
! Wait for a good status code
set EXIT_MSG "Waitfor: Failed"
socket waitfor ${SOCKET} "200 OK"
no set EXIT_MSG
socket disconnect ${SOCKET}sh w
exit script 0
in the script i have not used GET becasue, when CSS send GET request to apache it use hash, but apache is not able to respond with same hash and it shows that website is down. more information- click below url
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdKeepC.html#wp1139668
(config-keepalive) method
I have uploaded in CSS with httptag-test file and applied these commands
service comp.brit.co.uk-80
keepalive port 80
ip address 192.168.1.5
keepalive frequency 10
keepalive maxfailure 2
keepalive retryperiod 10
keepalive type script httptag-test "192.168.1.5 /testpage.html www.abc.co.uk
keepalive type script httptag-test "192.168.1.5 /testpage.html www.xyz.co.uk
but this script is not working
my question is:
1.do i need use script only to setup http keepalvie with webpage for multiple domains ?
2.with out using script is there any solution like CICSCO CSS commands to setup http uril for multiple domains which are on 1 singl server.
please help me asap

Hello Muhammad,
If you wish to use multiple domains for a URI keep-alive check, and perform a HEAD request what Daniel mentioned is correct. You have to use a scripted keep-alive check on the service. However, you should not use the default "ap-kal-httptag" script to do so as it's limited to only 1 website (unless you modify the script). You're best bet would be using the "ap-kal-httplist" script on the CSS as it allows the checking of 2 different websites along with a webpage to check for each site using HTTP HEAD method.
!no echo
! Filename: ap-kal-httplist
! Parameters: Site1 WebPage1 Site2 WebPage2 [...]
! Description:
!    This script will connect a list of sites/webpage pairs. The
!   user must simply supply the site, and then the webpage and
!   we'll attempt to do an HTTP HEAD on that page.
! Failure Upon:
!   1. Not establishing a connection with the host.
!   2. Not receiving a status code 200 on the HEAD request on any
!      one site. If one fails, the script fails.
! Make sure the user has a qualified number of arguments
if ${ARGS}[#] "LT" "2"
        echo "Usage: ap-kal-httplist \'WebSite1 WebPage1 WebSite2 WebPage2 ...'"
        exit script 1
endbranch
while ${ARGS}[#] "GT" "0"
        set Site "${ARGS}[1]"
    var-shift ARGS
    if ${ARGS}[#] "==" "0"
        set EXIT_MSG "Parameter mismatch: hostname present but webpage was not"
        exit script 1
    endbranch
    set Page "${ARGS}[1]"
    var-shift ARGS
    no set EXIT_MSG
    function HeadUrl call "${Site} ${Page}"
endbranch
exit script 0
function HeadUrl begin
! Connect to the remote Host
set EXIT_MSG "Connect: Failed to connect to ${ARGS}[1]"
socket connect host ${ARGS}[1] port 80 tcp 2000
! Send the head request
set EXIT_MSG "Send: Failed to send to ${ARGS}[1]"
socket send ${SOCKET} "HEAD ${ARGS}[2] HTTP/1.0\n\n"
! Wait for the status code 200 to be given to us
set EXIT_MSG "Waitfor: Failed to wait for '200' on ${ARGS}[1]"
socket waitfor ${SOCKET} " 200 " 2000
no set EXIT_MSG
socket disconnect ${SOCKET}
function HeadUrl end
Rather then modify the default "ap-kal-httplist" script on the CSS I would simply define the arguments within the service configuration itself.   Something like the following (using your service example):
service dell-192.168.1.5
ip address 192.168.1.5
keepalive type script ap-kal-httplist "www.abc.co.uk /testpage.html www.xyz.co.uk /testpage.html"
active
As long as the server is configured to reply to host headers, and the page is configured to retuen a "200 OK" the above service configuration should work. If there are any errors simply run "show service " to view why there was a failure. If there is a failure, and the output from the command specified shows a line number run the following command against the script to view at what point (line) did the failure occur:
show script ap-kal-httplist line-numbers
Hope this helps!
- Jason Espino

Cisco CSS 11501 Service Redirection

Similar Messages

Maybe you are looking for