CSM-BridgeMode redundancy... Help

I have been looking for a configuration example of CSM redundancy using two 6500 with a single CSM each in bridge mode.
I already have one CSM working in one of the 6500s, I'm planning to install the second CSM to provide redundancy.
Let's say that I'm using the following configuration in my working CSM:
module ContentSwitchingModule 3
 vlan 210 client
  ip address 192.168.223.131 255.255.255.192
  gateway 192.168.223.129
 vlan 323 server
  ip address 192.168.223.131 255.255.255.192
 serverfarm FTPFARM
  nat server
  no nat client
  real 192.168.223.141
   inservice
  real 192.168.223.142
   inservice
 serverfarm HTTPSFARM
  nat server
  no nat client
  real 192.168.223.136
   inservice
  real 192.168.223.137
   inservice
 vserver FTPVIP
  virtual 192.168.223.140 tcp ftp
  serverfarm FTPFARM
  persistent rebalance
  inservice
 vserver HTTPSVIP
  virtual 192.168.223.135 tcp https
  serverfarm HTTPSFARM
  persistent rebalance
  inservice
 vserver HTTPVIP
  virtual 192.168.223.145 tcp www
  serverfarm HTTPSFARM
  persistent rebalance
  inservice
What would I need to do in order to make it work in redundant mode with the other CSM?

You will need to add IPs for the CSM peer on the current CSM. The current config will
be something like this (where x1 & x2 are the IP addr of the secondary CSM),
for example:
module ContentSwitchingModule 3
 vlan 210 client
  ip address 192.168.223.131 255.255.255.192 alt 192.168.223.x1
  gateway 192.168.223.129
 vlan 323 server
  ip address 192.168.223.131 255.255.255.192 alt 192.168.223.x2
Then you need to configure an FT VLAN on the MSFC (both chassis). For example, if 900 is the FT VLAN then
your FT config will be something like this:
 ft group 1 vlan 900
  priority 20 alt 15
  heartbeat-time 1
  failover 3
  preempt
On the secondary CSM just put these lines and the config will be synchronized:
module ContentSwitchingModule 3
 vlan 210 client
  ip address 192.168.223.x1 255.255.255.192 alt 192.168.223.131
  gateway 192.168.223.129
 vlan 323 server
  ip address 192.168.223.x2 255.255.255.192 alt 192.168.223.131
 ft group 1 vlan 900
  priority 15 alt 20
  heartbeat-time 1
  failover 3
  preempt
For details
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/redun.html
Syed
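
As an added illustration (not part of the original thread and not Cisco tooling), this Python check confirms that the two modules' redundancy settings mirror each other the way the answer above lays out: swapped ip/alt addresses per VLAN, swapped priority/alt, and identical FT group, FT VLAN, heartbeat-time and failover. The sample configs are constructed from the thread's snippets, with 192.168.223.132 assumed for the x1/x2 placeholders; `parse` and `check_pair` are hypothetical helper names.

```python
import re

# Constructed sample: the thread's two snippets, with 192.168.223.132
# standing in for the x1/x2 placeholders (an assumed address).
PRIMARY = """\
module ContentSwitchingModule 3
 vlan 210 client
  ip address 192.168.223.131 255.255.255.192 alt 192.168.223.132
  gateway 192.168.223.129
 vlan 323 server
  ip address 192.168.223.131 255.255.255.192 alt 192.168.223.132
 ft group 1 vlan 900
  priority 20 alt 15
  heartbeat-time 1
  failover 3
  preempt
"""
SECONDARY = """\
module ContentSwitchingModule 3
 vlan 210 client
  ip address 192.168.223.132 255.255.255.192 alt 192.168.223.131
  gateway 192.168.223.129
 vlan 323 server
  ip address 192.168.223.132 255.255.255.192 alt 192.168.223.131
 ft group 1 vlan 900
  priority 15 alt 20
  heartbeat-time 1
  failover 3
  preempt
"""

def parse(cfg):
    """Extract per-VLAN (ip, mask, alt) and the ft group settings."""
    out, ctx = {"vlans": {}, "ft": {}}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.split(" ")[0] in ("module", "serverfarm", "vserver", "probe"):
            ctx = None  # left the vlan / ft sub-mode
        elif m := re.fullmatch(r"vlan (\d+) (?:client|server)", line):
            ctx = m.group(1)
        elif m := re.fullmatch(r"ft group (\d+) vlan (\d+)", line):
            ctx = "ft"
            out["ft"].update(group=m.group(1), vlan=m.group(2))
        elif ctx == "ft":
            if m := re.fullmatch(r"priority (\d+)(?: alt (\d+))?", line):
                out["ft"]["priority"] = (m.group(1), m.group(2))
            elif m := re.fullmatch(r"(heartbeat-time|failover) (\d+)", line):
                out["ft"][m.group(1)] = m.group(2)
        elif ctx and (m := re.fullmatch(
                r"ip address (\S+) (\S+)(?: alt (\S+)(?: \S+)?)?", line)):
            out["vlans"][ctx] = m.groups()
    return out

def check_pair(primary_cfg, secondary_cfg):
    """Return a list of mismatches between the two modules' redundancy config."""
    a, b = parse(primary_cfg), parse(secondary_cfg)
    findings = []
    for key in ("group", "vlan", "heartbeat-time", "failover"):
        if a["ft"].get(key) != b["ft"].get(key):
            findings.append(f"ft {key}: {a['ft'].get(key)} vs {b['ft'].get(key)}")
    pa, pb = a["ft"].get("priority"), b["ft"].get("priority")
    if not pa or not pb or pa != pb[::-1]:
        findings.append(f"ft priority/alt not mirrored: {pa} vs {pb}")
    for vid in sorted(set(a["vlans"]) | set(b["vlans"])):
        va, vb = a["vlans"].get(vid), b["vlans"].get(vid)
        if not va or not vb:
            findings.append(f"vlan {vid} missing on one module")
        elif va[1] != vb[1] or (va[0], va[2]) != (vb[2], vb[0]):
            findings.append(f"vlan {vid} ip/alt not mirrored: {va} vs {vb}")
    return findings

if __name__ == "__main__":
    print(check_pair(PRIMARY, SECONDARY) or "pair is consistent")
```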

Similar Messages

  • CSM Load Balancer Help

    Hey,
    Just a quick question....
    Does anyone know a) if it's possible and b) how to have two servers off the CSM but instead of load-balancing between them make them a failover pair i.e. if server A goes down server B will take over - done using the same VIP?? It's needed because the application on the servers can't do load-balancing yet but can work in a failover way.
    I'm reading the book trying to work it out but if someone has done this before that would be great!
    Thanks
    Anthony

    Thanks for the responses.
    I'm using CSM 4.6(6) and have given what you suggested a go but have run into problems.
    When I disconnect the primary server I see that go out of service but that also knocks out the VIP and it never fails over to the second server. Am I missing something? I've attached the relevant parts of the config and would be grateful for any advice.
    serverfarm FARM1
     nat server
     nat client WEB
     real 10.2.250.10
      inservice
     probe HTTP
    serverfarm FARM2
     nat server
     nat client WEB
     real 10.2.250.11
      inservice
     probe HTTP
    vserver WEBTRAFFIC
     virtual 10.2.250.100 tcp www
     vlan 250
     serverfarm FARM1 backup FARM2
     persistent rebalance
     inservice
    I also had a go at creating that variable but it wouldn't let me...just said variable not configurable - but I'll play with that and see if I can work it out...I'm not so bothered as long as the backup part works.
    Thanks guys...
    Anthony

  • CSM-S SSL card redundancy

    We have 2 Catalyst 6500s with CSM-S cards installed. The CSMs are in redundant configuration already. The SSL offloading is configured in bridged mode. CSM provides redundancy for the client VLAN. How do we provide redundancy for the SSL cards? Do we use HSRP for the bridged VLAN that exists in the SSL? Do we use HSRP for the SSL admin VLAN? Is there a document that references redundancy configuration specifically for the CSM-S (SSL daughter cards)? Thanks.

    I guess you can use the HSRP and CSM-S failover configuration to provide redundancy. The following document presents a scenario similar to yours. Hope this helps.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/csm/csms211/icn/redun.htm#wp1037494

  • Fault Tolerance not working between CSMs

    I have two CSM modules in two different switches (Bridge mode) configured for high availability. After noticing one of the CSM modules was in failed mode, I reset the module. While the module reboots I get the following messages:
    %CSM_SLB-4-REDUNDANCY_WARN: Module 3 FT warning: LRP: no ACK from standby.. standby may be down
    %CSM_SLB-4-TOPOLOGY: Module 3 warning: IP address conflict: ARP frame from 170.41.228.10 with MAC 00:01:64:f9:1a:07 received on VLAN 2.
    With both online a "show mod csm 3 ft" shows both modules active.
    I can no longer access the real servers.
    When I remove the module that I reset (Primary) I can access the servers using the backup CSM.
    When I remove the backup CSM and insert the Primary, I cannot access the servers once again.
    The FT vlan is VLAN 7 configured on both switches and is the only allowed VLAN on the trunk.
    The config for the Primary CSM is:
    redundancy
     mode sso
     main-cpu
      auto-sync running-config
    spanning-tree mode pvst
    module ContentSwitchingModule 3
     ft group 7 vlan 7
      priority 30
      preempt
     vlan 2 client
      ip address 170.41.228.20 255.255.255.192
      gateway 170.41.228.1
     vlan 8 server
      ip address 170.41.228.20 255.255.255.192
     probe CARMENWEBPROBE tcp
      interval 10
      failed 100
     probe HTTPS tcp
      interval 10
      failed 100
      port 443
     serverfarm CARMENWEBFARM
      nat server
      no nat client
      real 170.41.228.15
       inservice
      real 170.41.228.16
       inservice
      probe HTTPS
     vserver CARMENVSERVER
      virtual 170.41.228.10 tcp 0
      serverfarm CARMENWEBFARM
      persistent rebalance
      inservice
    Trunk for VLAN 7 config:
    interface GigabitEthernet4/2
     switchport
     switchport trunk encapsulation isl
     switchport trunk allowed vlan 7
     switchport mode trunk
     no ip address
     logging event link-status
     logging event spanning-tree status
     logging event trunk-status
    Has anyone had this problem?
    Thanks, Donald

    The plan is to take a working CSM from a DR site with the same config to try in place of the not working active. I did not want to risk taking the working standby and moving it and possibly having an outage at this time since this is a production switch being heavily utilized at the moment. I wanted to verify there was not something in the config that was not configured properly.

  • Working with CSM 3.1

    It is impossible to delete a device because it says:
    Device is locked by a VPN topology (pruebaVPN) modified by user (admin) and can not be deleted.
    However in the site-to-site Management there is no VPNs defined. What can i do?

    Pls send a detailed email to [email protected] or [email protected] and CSM team can help you with this issue.

  • CSM login Steps and Important thing to be observed

    I need to know about some basics of CSM. I am working on the network security part, I am new to this, and as per my team I need to log in to CSM frequently. But still now I am not able to log in. How do I log in? Please provide me with snaps. Actually I am logging in from my PC through Remote Desktop --> then clicking the CSM icon --> a page is opened in Internet Explorer to enter the credentials --> once entered I am receiving an HTTP 500 status error. Please help me with what the error is; the advantages of CSM will also be helpful to me.

    Cisco Security Manager can do many many things. A full overview of its capabilities is best referenced on the product's home page:
    http://www.cisco.com/en/US/products/ps6498/index.html
    An expired license would normally only be seen if one was using an evaluation license. The normal CSM product licenses don't expire.

  • CSM vs CSS11000

    We have had a webserver farm working very well for two years in a CSS11000. Now we are changing to the CSM. We have deployed the scenario with the CSM exactly the same as the CSS11000 to test it before production. When we compare the download speed from both installations we see that the server farm in the CSS11000 is a little faster than the CSM.
    We are trying to figure out what is going on; the network topology is the same for both, and the only difference is the destination of traffic, to the CSS11000 or the CSM. The upstream neighbor to both is the same MSFC2 from the Cat 6500.
    Any ideas on how to troubleshoot using the commands of the CSM or the CSS11000 (preferably from the CSM)?
    Any help will be more than welcome.
    Best Regards

    It is just L4.
    We have noticed that the time to receive the first byte is faster in the CSS than in the CSM. Then, the time to download the rest of the page is the same (or even better in the CSM) in both. We have times for the CSS to download the first byte of around 3 seconds while the CSM takes 6 seconds. The rest of the page is downloaded in .1 seconds on both devices.
    I do not know if the problem is a fine tuning of the serverfarm/vserver in the CSM or a problem in how the webservers are getting the information that is delivered in the webpages that we are checking to compare.
    Thanks
    -as

  • Orphan Device in CSM

    I have an orphan device in CSM 3.2 that is associated with a predefined policy object, specifically the TACACS+ object. How can I break this association? I have tried adding a new device with the same display name but get an error that the device does not exist in ACS. I added the device in ACS but still get the same error. I then tried cloning a device and giving it the same display name but get an error that the device already exists in CSM.
    Any help on how to clear this orphan device would be greatly appreciated.

    Hi,
    You might want to follow these steps
    1- if not in workflow mode, switch to workflow mode
    Tools -> Admin -> Workflow
    2- open the activity manager
    3- make sure that ALL the activities are either discarded or approved
    4- disable workflow mode
    5- try to delete the device
    Hope this helps :-/
    Stefano

  • Can - one trunk the Fault Tolerant VLAN used by CSM.

    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/csm/csm_4_2/config/wp1037240
    We were pointed to the above document saying that the FT VLAN used by two CSM for redundancy cannot be trunked between the TWO CAT 6500 that the TWO CSMs are installed in. This is like saying the two CAT6500 cannot be in two different sites and must be near each other, because intersite links are generally trunk links carrying multiple VLANs including the FT VLAN used by the two CSMs in the two sites. Three of our customers are doing this and we want to be sure before telling them that they cannot trunk the FT VLAN.

    technically you can do it.
    However this is not recommended.
    If your trunk link gets overloaded with data, you may lose or delay CSM FT heartbeat and get failover or worse, 2 CSM active at the same time.
    It is even worse if you are doing connection replication as this requires a good amount of bandwidth already.
    Regards,
    Gilles.

  • CSM SW upgrade

    Hello,
    I'd like to upgrade a too-old CSM SW release, 3.1(4), to the current 4.2(7). I didn't find any dependencies or other restrictions and therefore I think it's possible to upgrade directly to this 4.2 SW release. I'm sure? (The CSM in redundant configuration is located in heavy production traffic and I'd like to upgrade without any surprise :)
    step-by-step SW upgrade:
    0. save and sync configuration
    1. upgrade SW on the standby module
    2. restart standby module
    3. upgrade SW on the active module
    4. restart active module (stateful (sure?, because different SW releases on the active and standby CSM module) switchover to standby module)
    5. after reboot, switchover to this module (preempt)
    6. on both modules is new SW release
    Regards,
    Martin

    of course, preempt will be turned off. thanks.
    my primary question was, if it's possible to do direct upgrade from 3.1(4) to 4.2(7). I think yes. I'm sure?
    m.

  • Help required with CSM config?

    1. I request help on some pointers to URLs where I could find answers to my questions.
    2. Also I request for some CSM specialists to please look at the attached document and comment whether the config looks right for what the customer wants to achieve.
    3. I am not sure why the customer wants the .51 server never to be accessed when .50 is up and running. He wants .51 server to be accessed if and only if .50 server is down.

    you said the csm is not connected to the server vlan. So, you should not configure a vlan 12 on the CSM. Especially if you want your traffic to go through a firewall. Connecting the csm to vlan 12 would be a way to bypass the firewall.
    So, what you need is a route on an existing csm vlan to reach the servers via the firewall.
    Then, your customer clearly asked to have .51 as a backup of .50.
    So you need 2 serverfarms.
    One with only server .50 and one with only server .51.
    You then configure the serverfarm .50 with serverfarm .51 as backup.
    The 2nd would kick in only if .50 is down.
    You need predictor leastconn or roundrobin so destination NATing can occur.
    The 'replicate' commands are used when you need stateful redundancy. They tell the CSM to replicate the information to the standby.
    Finally, bridge mode is not related to the ip addresses used for vip and real.
    You are in bridge mode when the CSM is configured with the same ip on 2 different vlans. In this case, the CSM will BRIDGE between those 2 vlans.
    The only url pointer I could give is the csm documentation guide. You may want to read it through to get yourself familiar with all the possible functions like backup serverfarm or replicate.
    Gilles.

  • Help - "Cannot copy file: Data error (Cyclic Redundancy Check)"

    Hey there,
    I'm having problems with my Zen Mosaic EZ00. Up until a few weeks ago it has been working fine; however, since then, it has begun to show the error message "Cannot copy file: Data error (Cyclic Redundancy Check)" whenever I try to copy files on to it. I have tried the recovery software available and it only updated the firmware. Some files do occasionally (and very occasionally) copy but usually it shows the error message and cancels the copy.
    I would really appreciate it if anyone could help me with this.
    Many thanks

    Sorry for the double post!
    I've just realised that my iPod isn't actually charging, it's just got the orange light blinking!
    Not too sure what is going on now!
    lol

  • NEED HELP PLEASE Setting up 2 VLANS and a redundant WAN connection

    I have a remote branch office which is actually a huge bar/lounge. The bar wants to enable patrons to access the Internet with their wireless laptops. I want to prevent those patrons from accessing our private network, and also prevent them from traversing our static VPN tunnel back to HQ.
    The bar processes all credit cards via the T1 connection, and this has caused us to lose money every time the T1 goes down while we're open, since there is no WAN redundancy right now.
    Here is my current hardware configuration:
    1) one PIX 501 50-user 3des.
    2.) two Dell 3024
    3.) one Aironet 1100(g) AP.
    Current LAN Network: 10.35.35.0
    (internal employees only, static VPN tunneled to remote HQ network)
    Current Wireless SSID's:
    SSID1=PRIVATESSID
    SSID2=PUBLICSSID (not currently in use, waiting to figure this out)
    Current WAN: one T1 connection.
    WHAT I WOULD LIKE TO DO AND NEED HELP FIGURING OUT:
    #1a) I want to create two separate VLAN's that are able to share the WAN connection, but not be able to "see" each other.
    #1b) These VLAN's would be mapped to their respective SSID's on the AP (PRIVATESSID>10.35.35.0 and PUBLICSSID>192.168.1.0).
    #1c) The 192.168.1.0 network should not be able to traverse the static tunnel between the branch site and HQ.
    #2) I would like to install a backup WAN connection such as a modem 56k dial-up to an ISP or a cable modem to an ISP. In case the primary T1 goes down, I would like the router to automatically dial out over the modem connection and route all Internet bound traffic over that backup WAN connection, until the primary comes back online.
    Question 1:
    I'm assuming I need a router to do the intervlan routing. Could this router also do the on-demand WAN backup dialing to an ISP via analog modem?
    What IOS version and flavor (IP base, IP+, etc.) would I need? What is the cheapest router I can do all that with (i.e. 2620/2621/1720/3600 series)? What WIC's or NM's would I need?
    Question Two:
    I would like to prioritize PRIVATESSID's traffic over PUBLICSSID's traffic, which I know I can do on the access point. Can I do this on the router so that any 10.35.35.0 traffic takes priority over any 192.168.1.0 traffic?
    Question Three
    If the primary T1 WAN connection goes down, I don't want the router to re-route the 192.168.1.0 traffic over the backup 56k dial-up WAN connection. That traffic can wait until the T1 comes back up.
    Any help you can provide would be very much appreciated.

    Assuming your access points can place SSIDs into separate VLANs and support 802.1q trunks then I can attempt to answer your questions. There are separate security issues with both SSID for protection and VLANs for separation but in your case it may be minimal.
    q1
    Any cisco router that will run 802.1q trunking will work. Since you are looking at older routers you will need IP+ to get it. Even 2610's will support 802.1q on their 10m ethernet at the correct code level but 10m and 802.1q is sorta nonstandard. Since your backup is only 56k you can use the internal modem port as a dial backup. A wic-2a/s will also work if you prefer not to use the modem port. You will need some wic to run your t1 line. If you are planning to leave the t1 on another router it makes the next 2 questions much harder.
    q2
    This is fairly simple and depends on your IOS level. "Priority queuing" is supported on even the older software. I assume you do not control the far end of the T1 line since it sounds as if this goes to an ISP.
    You will need to have them do the QoS since most issues with the internet are inbound and not outbound. You can only control outbound traffic.
    q3
    If the T1 is on the same router then this is fairly simple. You can just put a floating static default route in that will cause the dialer to come up if the T1 goes down. There is no easy way to protect against the line being up but no traffic passing. This is also why it would be best to have the T1 on the same router. If it's not you will need to get very creative to solve this. You could build a GRE tunnel to a remote location and monitor the tunnel or run a routing protocol over the tunnel. In the newest software you could use SAA and policy routing to force the traffic over the dialer but the router must support IOS 12.4.
    3a. You mentioned a cable modem as a backup. That can be much easier sometimes since it is all routing and no dialer interfaces with nasty modem issues. This does not make the issue of the t1 not on the same router easier.

  • Help me to avoid redundancy in the following code

    hi ,
    for selecting req fields from tables vbap,vbak n makt, i use the following inner join
    but it takes many duplicate records from the table.. pls correct the following coding
    SELECT VBAK~KUNNR
    VBAK~VBELN
    VBAK~AUDAT
    VBAK~VBTYP
    VBAP~MATNR
    VBAP~ZMENG
    VBAP~NETPR
    VBAP~NETWR
    MAKT~MAKTX
    INTO TABLE IT_OUTPUT
    FROM VBAK
    INNER JOIN VBAP ON VBAK~VBELN EQ VBAP~VBELN
    INNER JOIN MAKT ON VBAP~MATNR EQ MAKT~MATNR
    WHERE VBAK~VBELN IN SALESDOC AND VBAK~AUDAT IN DOCDATE
    AND VBAP~MATNR IN MATNR AND VBAP~ZMENG IN TRGQTY.
    thanks n regards,

    Hi experts.. i am having the same problem regarding data redundancy when i use the following codes:
    PARAMETERS: P_IORDER LIKE EKKN-AUFNR.
    SELECT-OPTIONS S_JORDER FOR EKKN-EBELN.
    TYPES: BEGIN OF t_output,
             EBELN  LIKE EKKN-EBELN,
             SAKTO  LIKE EKKN-SAKTO,
             EBELP  LIKE EKPO-EBELP,
             TXZ01  LIKE EKPO-TXZ01,
             PACKNO LIKE EKPO-PACKNO,
             SUB_PACKNO LIKE ESLL-SUB_PACKNO,
           END OF t_output,
           BEGIN OF t_output2,
             PACKNO LIKE ESLL-PACKNO,
             SRVPOS LIKE ESLL-SRVPOS,
             KTEXT1 LIKE ESLL-KTEXT1,
             MENGE LIKE ESLL-MENGE,
             MEINS LIKE ESLL-MEINS,
             TBTWR LIKE ESLL-TBTWR,
           END OF t_output2.
    DATA: i_output TYPE STANDARD TABLE OF t_output WITH HEADER LINE,
               i_output2 TYPE STANDARD TABLE OF t_output2 WITH HEADER LINE WITH
                   KEY PACKNO.
    IF S_JORDER = 0.
        SELECT a~EBELN a~SAKTO b~EBELP b~TXZ01 c~PACKNO c~SUB_PACKNO
        INTO CORRESPONDING FIELDS OF TABLE i_output
        FROM EKKN AS a
        INNER JOIN EKPO AS b ON a~EBELN = b~EBELN
        LEFT OUTER JOIN ESLL AS c ON b~PACKNO = c~PACKNO
        WHERE a~AUFNR = P_IORDER AND b~EBELN = '4500006740'.
        SELECT
            PACKNO
            SRVPOS
            KTEXT1
            MENGE
            MEINS
            TBTWR
        FROM ESLL
        INTO TABLE i_output2
        FOR ALL ENTRIES IN i_output
        WHERE PACKNO = i_output-sub_packno.
    ENDIF.
    LOOP AT i_output.
    READ TABLE i_output2 WITH TABLE KEY PACKNO = i_output-SUB_PACKNO.
    *Declare PACKNO as your table key
    IF SY-SUBRC EQ 0.
      WRITE: / i_output-EBELN,
           15  i_output-EBELP,
           25  i_output-TXZ01,
           55  i_output2-SRVPOS,
           65  i_output2-KTEXT1,
           82  i_output2-MENGE,
           105 i_output2-MEINS,
           112 i_output2-TBTWR,
           130 i_output-SAKTO.
    ENDIF.
    ENDLOOP.
    today is just my 3rd week of being an abap developer and everything is still new to me and I am still not that familiar with it.. that's why i need your help. Thanks!

  • CSM-S connections under Redundancy

    We have installed two redundant Catalyst 6506E with CSM-S modules.
    Now I can see that CSM-S #1 is active and CSM-S #2 is standby. Nevertheless I can see with "show mod csm 3 vserver" that there are a number of connections on the vservers on CSM-S #2, while there are no connections on the CSM-S #1.
    Can anyone explain this behavior?
    Thank you.
    Martin Funke.

    You probably have 'replicate csrp' configured on 1 or more Vservers. If that is true, the connections you are seeing are the result of session replication - i.e. the primary CSM telling the standby CSM what load balancing decisions he has made. In the event of a primary CSM failure, your standby CSM has all of the replicated sessions ready to go.
