CSM and RLB

Can CSM do Radius Load Balancing? Seems to be no!!!! If no, is there a workaround for this?

Nope, this is not possible.

Similar Messages

  • Cisco CSM and WCS on same server

    Hi,
    Currently we are running Cisco CSM and Cisco WCS applications on different servers.
    Please let me know can it possible to install Cisco CSM and Cisco WCS on one server.
    Regards,

    As per their datasheet, both CSM and WCS support VMware or can run as virtual servers. So it should be possible to implement both as virtual servers and run on the same physical server.

  • CSM and SLB

    I'm trying to put together some plans for a design that requires some type of server load balancing and I'm hoping somebody could clarify a few things for me.
    I plan to run a 6506 w/Sup720 with Cisco IOS. No Cat OS and MSFC IOS (hybrid).
    1) To do SLB you do not need a CSM correct? The CSM is a device with enhancements?
    2) Is IOS SLB supported on Sup720 running Cisco IOS on the supervisor?
    Daniel

    Hi Daniel
    1) Yes and no: the CSM has some features I'm not aware the MSFC SLB knows about (i.e. scripted keepalives), and vice versa (i.e. the CSM is not able to do Radius Load Balancing (RLB)).
    2) Yes Sup720 can do SLB (got this information by using the feature navigator www.cisco.com/go/fn) with IOS 12.2(18)SXD.
    regards,
    Joerg

  • General query on CSM and CSS flow timeout values

    Hi all,
    I have an SLB Application Processor Complex module on my Cisco 6504 which basically does some load balancing work. I am pretty new to this device, but the configuration and setup look somewhat similar to the Cisco ACE, and I only have some experience with the Cisco CSS.
    What I would like to know is what the equivalent command to the CSS "flow timeout" is on the CSM. Would that be the "idle timeout" command? I understand that the "pending timeout" is more about governing how long it takes to set up a 3-way handshake from client to server and the "idle timeout" is what I am looking for. Please correct me if I am wrong...
    On the CSS, a flow timeout is 16 secs for most standard ports and 8 secs for HTTP. I would like to know what the default setting is for the CSM idle timeout?? Thanks a lot!!
    Daniel

    Hi Daniel,
    For Idle Timeout the default is 1 hour / 3600 sec.
    As you know, for Cisco CSM there are 2 timers per vserver.
    Idle timeout
    Pending timeout.
    If a connection is timed out it's because of one of these timers.
    Idle timeout per vserver - If there is no traffic neither from client nor server. Idle connection timer duration in seconds; the range is from 0 (connection remains open indefinitely) to 13500000. The default is 1 hour. If you do not specify a duration value, the default value is applied.
    Examples
    This example shows how to specify an idle timer duration of 4000:
    Cat6k-2(config-slb-vserver)# idle 4000
    Pending timeout per vserver - is the max time allowed to complete the 3-way handshake. The default is 30 sec. The range is from 1 to 65535. This is an SLB virtual server configuration submode command. The pending connection timeout sets the response time for terminating connections if a switch becomes flooded with traffic. If the 3-way handshake does not complete within this time, the connection is dropped.
    The CSM expects to see 2-way traffic within the pending timeout. If no traffic is received from the server, the session is removed.
    Examples
    This example shows how to set the number to wait for a connection to be made to the server:
    Cat6k-2(config-slb-vserver)# pending 300
    These are not counted as failures.
    A failure is when the server does not respond or respond with a reset.
    The CSM can hold 1 million connections in memory at the max.
    So, if you set the idle timeout to 10 hours, your max connection rate is 1 M / 10 * 3600 = ~250 conn/sec.
    Assuming they would all be open and then idle.
    When the number of pending connections exceeds a configurable threshold, the CSM begins using the SYN cookies feature, encrypting all of the connection state information in the sequence numbers that it generates. This action prevents the CSM from consuming any flow state for pending (not fully established) TCP connections. This behavior is fully implemented in hardware and provides a good protection against SYN attacks.
    Generic TCP termination
    Some connections may not require TCP termination for Layer 7 load balancing. You can configure any virtual server to terminate all incoming TCP connections before load balancing those connections to the real servers. This configuration allows you to take advantage of all the CSM DoS features located in Layer 4 load-balancing environments.
    To select the traffic type and appropriate timeout value, use the unidirectional command in the SLB virtual server submode.
    [no | default] unidirectional
    Some protocols automatically set the 'unidirectional' function, for example UDP.
    You can see if a vserver is unidirectional or bidirectional by doing a 'sho mod csm X vser name detail'
    When a virtual server is configured as unidirectional, it no longer uses the pending timer. Instead, the idle timer will determine when to close idle or errant flows. Because the idle timer has a much longer default duration than the pending timer, be sure to set the idle timer to an appropriate value.
    Use the command  "show module csm slot# stats" to get the details of connection.
    The statistics counters are 32-bit. Totals are accumulated since the last time the counters were cleared.
    Examples
    This example shows how to display SLB statistics:
    Cat6k-2# show module csm 4 stats
    Connections Created:       180
    Connections Destroyed:     180
    Connections Current:       0
    Connections Timed-Out:     0
    Connections Failed:        0
    Server initiated Connections:
          Created:0, Current:0, Failed:0
    L4 Load-Balanced Decisions:180
    L4 Rejected Connections:   0
    L7 Load-Balanced Decisions:0
    L7 Rejected Connections:
          Total:0, Parser:0,
          Reached max parse len:0, Cookie out of mem:0,
          Cfg version mismatch:0, Bad SSL2 format:0
    L4/L7 Rejected Connections:
          No policy:0, No policy match 0,
          No real:0, ACL denied 0,
          Server initiated:0
    Checksum Failures: IP:0, TCP:0
    Redirect Connections:0,  Redirect Dropped:0
    FTP Connections:           0
    MAC Frames:
          Tx:Unicast:1506, Multicast:0, Broadcast:50898,
              Underflow Errors:0
          Rx:Unicast:2385, Multicast:6148349, Broadcast:53916,
              Overflow Errors:0, CRC Errors:0
    The table below describes the fields in the display.
    Table for "show module csm stats" Command Field Information (Field - Description)
    Connections Created - Number of connections that have been created on the CSM.
    Connections Destroyed - Number of connections that have been destroyed on the CSM.
    Connections Current - Number of current connections at the time the command was issued.
    Connections Timed-Out - Number of connections that have timed out, which can occur for the following reasons:
      • connection has been idle (in one or both directions) for longer than the configured idle timeout.
      • TCP connection setup not completed successfully.
    Connections Failed - Number of connections failed because the server did not respond within the timeout period, or the server replied with a reset.
    Server initiated Connections - Number of connections created by real servers, the number of current connections, and the number of connections that failed (because the destination is unreachable).
    L4 Load-Balanced Decisions - Number of Layer 4 load-balancing decisions attempted.
    L4 Rejected Connections - Number of Layer 4 connections rejected because no real server was available.
    L7 Load-Balanced Decisions - Number of Layer 7 load-balancing decisions attempted.
    L7 Rejected Connections: Total - Number of Layer 7 connections rejected.
    L7 Rejected Connections: Parser - Number of Layer 7 connections rejected because the Layer 7 processor in the CSM ran out of session buffers to save the parsing state for multi-packet HTTP headers. The show module csm tech-support proc 3 command will show detailed buffer usage.
    L7 Rejected Connections: Reached max parse len - Number of Layer 7 connections rejected because the HTTP header in the packet is longer than max-parse-len. When a virtual server is configured with HTTP persistent rebalancing or cookie matching/sticky, the CSM must parse to the end of the HTTP header. The default max-parse-len value is 2000 bytes.
    L7 Rejected Connections: Cookie out of mem - Number of Layer 7 connections rejected because of no memory to store cookies. When a virtual server is configured with cookie matching, the CSM must save the cookie contents in memory.
    L7 Rejected Connections: Cfg version mismatch - Number of Layer 7 connections rejected because part of the request was processed with an older version of the configuration. This counter should only increase after configuration changes.
    L7 Rejected Connections: Bad SSL2 format - Number of Layer 7 connections rejected because the request is using an unsupported SSL format or the format is not valid SSL.
    L4/L7 Rejected Connections - Number of Layer 4 and Layer 7 connections rejected for policy related reasons:
      No policy: connection rejected because the request matched a virtual server, but this virtual server did not have a policy configured.
      No policy match: connection rejected because the request matched a virtual server, but the request did not match any policy configured on the virtual server.
      No real: connection rejected because no real server was available to service the request.
      ACL denied: connection rejected because a request matched a policy with a client-access-list entry and the entry is configured to deny the request.
      Server Initiated: connection initiated by a real server is rejected.
    Checksum Failures - Number of checksum failures detected (there are separate counters for IP and TCP failures).
    Redirect Connections - Number of connections redirected, and the number of redirect connections dropped.
    FTP Connections - Number of FTP connections opened.
    MAC Frames - Number of MAC frames received and transmitted on the CSM backplane connection.
    For details on all of these commands kindly refer to the Catalyst 6500 Series Switch Content Switching Module Command Reference, 4.2, at the URL below:
    http://cisco.biz/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/command/reference/cmdrfIX.html
    Kindly Rate.
    HTH
    Sachin Garg
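    A parser for the "show module csm stats" output quoted above, added here as an example; it is not code from the thread or from Cisco. It nests the counters by indentation, checks the Created/Destroyed/Current accounting, diffs two snapshots with 32-bit wraparound (the counters are cumulative 32-bit values, as the answer notes), and applies the post's connection-table sizing rule. The later snapshot is constructed.

```python
import re
# Sample input: the 'show module csm 4 stats' output quoted in the thread.
SAMPLE_STATS = """\
Connections Created:       180
Connections Destroyed:     180
Connections Current:       0
Connections Timed-Out:     0
Connections Failed:        0
Server initiated Connections:
      Created:0, Current:0, Failed:0
L4 Load-Balanced Decisions:180
L4 Rejected Connections:   0
L7 Load-Balanced Decisions:0
L7 Rejected Connections:
      Total:0, Parser:0,
      Reached max parse len:0, Cookie out of mem:0,
      Cfg version mismatch:0, Bad SSL2 format:0
L4/L7 Rejected Connections:
      No policy:0, No policy match 0,
      No real:0, ACL denied 0,
      Server initiated:0
Checksum Failures: IP:0, TCP:0
Redirect Connections:0,  Redirect Dropped:0
FTP Connections:           0
MAC Frames:
      Tx:Unicast:1506, Multicast:0, Broadcast:50898,
          Underflow Errors:0
      Rx:Unicast:2385, Multicast:6148349, Broadcast:53916,
          Overflow Errors:0, CRC Errors:0
"""
# A label whose colon is not followed by a number opens a group ("MAC Frames:", "Tx:").
GROUP = re.compile(r"^([A-Za-z][A-Za-z0-9 /\-]*?):(?!\s*\d)")
# "Name:   180", "Name:0" and the colon-less "ACL denied 0" are all counter pairs.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 /\-]*?)(?:\s*:\s*|\s+)(\d+)\b")

def parse_csm_stats(text):
    """Return {'group/sub/counter': int}; indentation decides the enclosing group."""
    counters, stack = {}, []                      # stack of (indent, group name)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        while stack and stack[-1][0] >= indent:   # a dedent closes the enclosing group(s)
            stack.pop()
        m = GROUP.match(line)
        if m:
            stack.append((indent, m.group(1).strip()))
            line = line[m.end():]
        path = "/".join(name for _, name in stack)
        for name, value in PAIR.findall(line):
            key = f"{path}/{name.strip()}" if path else name.strip()
            counters[key] = int(value)
    return counters

# Counters whose growth usually points at a real-server, probe, policy or wiring problem.
WATCH_COUNTERS = ("Connections Timed-Out", "Connections Failed", "L4 Rejected Connections",
                  "L7 Rejected Connections/Total", "L4/L7 Rejected Connections/No real",
                  "Checksum Failures/IP", "Checksum Failures/TCP", "MAC Frames/Rx/CRC Errors")

def accounting_consistent(c):
    """Created - Destroyed must equal Current in a clean snapshot."""
    return c["Connections Created"] - c["Connections Destroyed"] == c["Connections Current"]

def counter_delta(before, after):
    """Per-counter growth between snapshots; counters are cumulative 32-bit, so handle wrap."""
    return {k: (after[k] - before.get(k, 0)) % 2**32 for k in after}

def flag_growth(before, after, watch=WATCH_COUNTERS):
    """Watched counters that moved between the two snapshots."""
    delta = counter_delta(before, after)
    return {k: delta[k] for k in watch if delta.get(k)}

def max_sustained_conn_rate(idle_timeout_s, table_size=1_000_000):
    """Sizing rule from the post: with a 1 M-entry connection table, flows that all sit
    idle for the full idle timeout bound the sustainable new-connection rate."""
    return table_size / idle_timeout_s

# Constructed later snapshot from the same box: ten open flows and a few L4 rejects.
LATER_STATS = (SAMPLE_STATS.replace("Connections Created:       180", "Connections Created:       4000")
               .replace("Connections Destroyed:     180", "Connections Destroyed:     3990")
               .replace("Connections Current:       0", "Connections Current:       10")
               .replace("L4 Rejected Connections:   0", "L4 Rejected Connections:   7"))
```

    Run it on two consecutive captures of the command and look at flag_growth first; a rising "L4 Rejected Connections" or "No real" count means the probe took the reals out of service, not that the CSM is overloaded.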

  • Using CSM and FWSM together

    We are a hosting company looking to implement a Blade server/6500 solution.
    We are looking to use a 6500 with an FWSM and loadbalancing between servers on a per customer/context basis.
    All the examples on cisco.com support suggest CSM before and after firewall contexts however is it possible to move traffic in the following order on a single 6500?
    Outside -> FWSM -> CSM -> Customer server farm?
    Would this be done utilising 3 VLANs?

    Are you doing firewall loadbalancing or server loadbalancing ?
    FW loadbalancing needs 2 CSMs because you first need to select which firewall to use on the way out -> in and you also need to guarantee to use the same FW on the way in -> out for the same connection.
    The 2nd CSM can learn what FW was used and guarantee that the server response will use the same one.
    This can however be done with a single CSM - just a little bit more complicated to configure.
    I wrote a document about this @
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a008020cd7c.shtml
    I also would like to mention that nowadays the preferred loadbalancer would be the Application Control Engine (ACE).
    This device will definitely replace the CSM in the near future.
    Gilles.

  • CSM and ACS upgrade

    1.       Cisco ACS /Solution Engine I think, the dedicated appliance, unknown version)
    2.       Cisco Security Manager 3.1
    Are upgrades possible, or purchase of lastest version of the product is the only way out?
    What do we need for upgrading?
    Are there specific codes or new need to buy new products?
    In case of buying new products, which are the configurations?
    Your response will be appreciated.

    The ACS appliance has been released with at least three different major releases - 3.x, 4.x, and 5.x. If you have ACS 4.2 on an 1120 appliance, you can upgrade to the latest (5.3) on the same hardware. Anything else will require a new appliance (or use a VM solution).
    Please refer to the ordering guide and the migration guide for this information.
    For CSM, to upgrade you would need to go to 3.3. first and then to the current (4.2) CSM release. The necessary licenses are described in this product bulletin.
    It would probably be easier and cleaner to just build a new installation in both cases. Both products' architecture and db schema have changed significantly. The upgrade SKUs will probably save you some in licensing costs although both products have undergone changes in how they are licensed.
    Note that CSM will be coming out with a new version 4.3 later this spring.

  • CSM and MARS syslog

    Hi, I have CSM 3.3.1 and MARS, all devices' syslog are pointing to them.
    I want to see live syslog messages, just like what Kiwi does. Is this applicable??? How??

    Hi Alkabeer,
    You can view real time syslog via ASDM. ( For PIX, ASA, or FWSM in the Security Manager device inventory).
    In an ASDM device manager launched from Security Manager, you can monitor system log messages in the Real-time Log Viewer window and the Log Buffer window. You can select a syslog message displayed in either window and navigate to the access-control rule in Security Manager that triggered the message, where you can update the rule as necessary.
    The Real-time Log Viewer is a separate window that lets you view syslog messages as they are logged. The separate Log Buffer window lets you view messages present in the syslog buffer.
    For IOS Router syslog, You can use SDM.
    In an SDM device manager launched from Security Manager, you can view a log of events categorized by security level under the Syslog tab of the Logging window. You can select a syslog message and navigate to the access-control rule in Security Manager that triggered the message, where you can update the rule as necessary.
    The Monitor > Logging option in SDM offers four log tabs; Syslog is the only one of these offering the Security Manager access-rule look-up option. The router contains a log of events categorized by severity level. The Syslog tab displays the router log, even if log messages are being forwarded to a syslog server.
    And
    In CS-MARS, You can generate reports to see devices syslogs.
    Keep Smiling, Peace

  • CSM and FWSM

    Hello all,
    Would appreciate some insight on an issue I'm facing when trying to configure a CSM in a 6513 with a Firewall Module.
    The FWSM has IPs in all vlans and is in routing mode, also it is the default gateway for servers in all VLANs.
    There is also the MSFC in the same 6513 with interfaces on all vlans.
    I've done a lot of research but could not yet figure out what is the best topology for this implementation.
    Some places say it is best to do routing in the FWSM and bridging in the CSM.
    The problem I'm facing with the CSM in routing mode and the FWSM in routing mode is that servers from a certain vlan need to access application servers in other vlan on the same 6513, but the application servers don't point to the CSM as Def gateway but point directly to the Firewall Module.
    Any help is greatly appreciated.
    Marcio

    Hello Gilles,
    I have tried the configuration you advised and something strange is happening. I can access the servers directly, but not via VIP (I can ping the VIP). The config follows:
    module ContentSwitchingModule 7
    vlan 14 client
    ip address 10.200.240.54 255.255.255.0
    gateway 10.200.240.1
    vlan 50 server
    ip address 10.200.240.54 255.255.255.0
    probe TESTE1 http
    request method get
    interval 3
    failed 3
    port 80
    real LAPTOP
    address 10.200.240.230
    inservice
    real TESTE1
    address 10.200.240.12
    inservice
    serverfarm TESTE1
    nat server
    no nat client
    real name TESTE1
    inservice
    real name LAPTOP
    inservice
    probe TESTE1
    vserver TESTE1
    virtual 10.200.240.231 tcp www
    serverfarm TESTE1
    persistent rebalance
    inservice
    gateway 10.200.240.1 is the FWSM.
    I have captured packets with a sniffer on the server LAPTOP and the packets that reach the server come from IP 10.200.240.54 (the CSM interface on the client vlan). Shouldn't they come directly from the origin client?
    If I create an interface vlan on the MSFC for vlan 50 it works. Could you explain?
    Thanks,
    Marcio

  • CSM and ASA firmware 8.3

    Can someone explain how to make CSM work with newer versions of the ASA firmware releases.
    I have upgraded the version to 3.3.1 service pack 1 and under the target OS version it does not show anything for the 8.3 product line.
    It also doesn't show anything newer than 8.0(3) when we are running 8.0(4) and 8.0(5) on some of our firewalls. The same applies to the 8.2 release kit - yes, I know I need to align all the firewalls on the same platform for ease of use.
    If I check on the CiscoWorks side (CSM Tools -> Device OS Management -> Software repository) then the 8.0(5) firmware is visible...
    Rather puzzled by this and not sure the best way to go.
    Giles

    Ok two questions then.
    1. Is there a planned release date for the new version so we can upgrade the firewalls (will this be a free upgrade or a paid for one?)
    2. Is it possible to upgrade the supported firmware in the 3.3.1 version i.e. have it understand 8.0.5 or 8.2.2 firmware levels?
    Thanks
    Giles

  • Virtual Webserver Hosting on CSS / CSM and ACE

    Hello,
    I've a big project at my company.
    There should be set up about 8 servers, with 14 virtual servers on each machine.
    Each virtual webserver should get its own IP address.
    But this is not the end, they would need more virtual servers over time.
    So we will use 112 IP addresses the first time, and up to about 200 for later use.
    There should be implemented many domains. Each domain should be hosted on 2-8 virtual webservers depending on the load of the site.
    I've read about the Virtual Web Hosting Application Guide:
    http://www.cisco.com/en/US/customer/products/hw/contnetw/ps789/products_tech_note09186a0080094b4d.shtml
    As I understand, I can configure the 8 servers with an IP address range of 20
    10.1.1.10 - 10.1.1.29 for Server 1
    10.1.1.30 - 10.1.1.49 for Server 2
    and so on....
    code:
    service web1
    ip address 10.1.1.10 range 20
    And i can configure a content rule with an VIP Range of 20
    10.1.255.10 - 10.1.255-39
    content L4_HTTP
    vip address 10.1.255.10 range 20
    port 80
    So as I understand, if a client requests virtual IP 10.1.255.10 it will be directed to Server 1 with 10.1.10 or Server 2 with 10.1.1.30.
    Or by requesting 10.1.255.12 it will be directed to Server 1 with 10.1.1.12 or Server 2 with 10.1.1.32.
    As I read, only the first IP address will be used for keepalive checks. How can I check if all virtual servers are operating? Maybe only one virtual webserver on a machine will be shut down and not all of them.
    Is it also possible to do such things on CSM or ACE?
    Also my CSS is not directly connected to the server net. Does this configuration work if there is a router between the CSS and the server?
    Is there another solution for such things? What would you recommend?
    Sven

    Sven,
    I would not go with the range option.
    You should look at each IP as a separate server, whether this is a virtual or real server.
    Configure a service for each IP with its own keepalive and configure a content rule for each domain and assign the services accordingly.
    The config will be bigger but it is easier to see what's going on and to do modifications and to troubleshoot.
    Maybe you could use CVDM for operating the config and do modification.
    Gilles.

  • RPC Load Balancing on CSM and SSL

    We are load-balancing SSL successfully but the Exchange people want to use RPC to access mailboxes using CSM.
    We need to allow ports 6005 through 59530 used by the Client Access Servers. Any suggestions?

    Thanks. I tried that, but according to our exchange administrators, the solution didn't work. Here is my configuration:
    serverfarm EXCH-CAS
    nat server
    no nat client
    real x.x.248.100
      inservice
    real x.x.248.101
      inservice
    probe EXCH-CAS
    serverfarm EXCH-CAS-SSL
    nat server
    no nat client
    real x.x.254.60
      inservice
    real x.x.254.61
      inservice
    probe SSL-FARM
    ! vserver EXCH-CAS
      virtual x.x.254.154 tcp www
      vlan 460
      serverfarm EXCH-CAS
      sticky 1440 group 152
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver EXCH-CAS-S
      virtual x.x.214.139 tcp https
      vlan 400
      serverfarm EXCH-CAS-SSL
      sticky 5 group 252
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver EXCH-CAS-TEST-S
      virtual x.x.214.139 tcp 0
      vlan 400
      serverfarm EXCH-CAS
      sticky 5 group 252
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    Thanks,
    Mohamad

  • CSM and router configurations

    Hello friends,
    I discovered policies from a couple of 7200 routers and Cisco Security Manager recommended several changes, but when deployed it deployed different ones (no additional modifications were done, just discovery and immediate deployment). For example it removed some lines (ip route-cache flow, and access lists) without adding equivalent ones, and didn't respect what the preview file showed it would deploy.
    Is this a common behaviour?
    thanks

    It looks like an ugly bug. I have tested it with several 7200 routers, and the preview shows the configuration modifications completely inaccurately. For example, changes meant to interface 1/0 are shown under interface 2/0.290 etc. All the configs look really messed, and deployed differently.

  • Looking for documentation for CSM and the Lync 2010

    hi experts,
    Does anybody know if Cisco has any good documentation for Lync 2010?
    We have to set up the CSM for the load balancing as we are not able to use the DNS load balancing method. Or we have done so, but we need to verify if things are correct.
    Pepi

    Hello Dunc_F,
    Is this what you were looking for?
    http://a248.e.akamai.net/pix.crutchfield.com/Manuals/472/472RADIO2.PDF
    B-rock

  • FWSM and CSM (Load Balance) in the same chassis

    Folks,
    Is there any type of best practice (you ** must ** do like this) when you are going to implement the FWSM and the CSM modules on the same 6509 chassis?
    PS: The CSM is not doing FW loadbalance, it is doing loadbalance to servers located in a DMZ
    PATH:
    (outside) FWSM (inside) -> MSFC -> (inside) PIX (dmz) -> CSM  , CSM -> (dmz) PIX (inside) -> MSFC -> (inside) FWSM
    My main doubts:
    1) FWSM using multi-context, Is there any integration problem with CSM ?
    2) FWSM and CSS in routed mode, Is there any integration problem with both modules ?
    3) Is it really necessary to operate the FWSM module in bus mode when using CSM in the same chassis (fabric switching-mode force bus)?
    Cisco Says:
    "The CSM line card operates in bus mode. When using the CSM in conjunction with the FWSM line card,
    Cisco recommends forcing the FWSM to operate in bus mode using the
    fabric switching-mode force bus command. When service modules such as the CSM and the FWSM
    operate in bus mode, traffic from DFC-enabled line cards still use the fabric connection."
    In the past it was a workaround due to a bug, but I have found this recommendation and now I am a little confused.
    Tks !!!

    Luis-
    You will want to use routed mode on the CSM so that the firewall contexts don't see each other's MAC addresses for any traffic not destined to a VIP. On the CSM VLANs, you will want to create alias IPs to use as the next hop destination between contexts for non-VIP traffic. Other than that, the CSM has no concept of contexts, so as long as the traffic is symmetric when it flows through the CSM VLANs, it will be happy.
    Regards,
    Chris

  • CSM-S and Servers On same 6500

    Is it possible to have the servers you are trying to load balance connected directly into the same chassis as the CSM-S is in? Or do I have to run policy routing, or what is the best design for this? Thanks.

    As Gilles wrote earlier, it is very important to guarantee that the response from the server goes through the CSM-S and not directly to the client. If you are using the CSM-S in one-arm mode then you can introduce PBR to make sure that the return traffic from servers passes through the CSM-S.
    client vlan10 (1.1.1.0)
    |
    |
    V
    MSFC-------------->CSM-S (vlan30 3.3.3.1)
    |
    |
    V
    Vlan20 (2.2.2.0)
    |
    |
    V
    Server (2.2.2.100)
    For the above topology you will need to use following on MSFC.
    route-map xyz permit 100
    match ip address xyz-acl
    set ip next-hop 3.x.3.x
    ip access-list extended xyz-acl
    permit tcp host 2.2.2.100 eq www any
    interface Vlan20
    ip policy route-map xyz
    You need to create a separate vlan between the CSM and the SSL daughter card.
    You can find details at
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/csm/csms/icn/ssl_srvc.htm
    Thanks
    Syed Iftekhar Ahmed
