Csm probe problem

Similar Messages

• PIX loadbalancing woth CSM - probe problem

  2 CSM/CATs on one side (FT)
  2 CSM/CATS on other (also FT)
  load balancing 2 PIX 535.
  probing icmp pings only "direct" pix interface
  the opposite interface will never answer to ping.
  So switching off int in one pix make real FAILED on one side but other side still have working real and sends traffic to one leg PIX.
  How to solve that ?

  I thinking about that:
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/csm_3_2/icn/fwldbal.htm#1037625
  when Firewall 1 and Firewall 2 are pinged on directly connected interfaces then directly connected probe detect pix problem. But problem with whole PIX device is less typical than one of his interfaces down (ie. fiber patchcord unplug) than one (opposite/working) interface answers with ping and CSM sends traffic to that "real".
  Great solution will be pinging opposite pix interface
  but this isn't supported by PIX ASA. So i have tried
  ping "any" ip behind pix which is currentl ip address of CSM VLAN.
  When you had one PIX there is no a problem... but when you had two of them you need check both of them.. you defining static route:
  ip_behind_pix VIA ip_pix_direct_int
  Then thing not only about ECHO REQ but also on ECHO REPLY - there is no way to put static routing for those devices what active and standbys on both sides will detect pix interface errros...
  There is no way to put REPLY on different gate than ECHO REQ...
  Think of it drawing 6 icons, giving them 10 ip (2 for pix inside and outside, one for every CSM) adds
  and then try set up static route that ping REQ and reply will go the same way. There is no such way...
  IMHO 8-)

• Redundant CSM probes not working using OneArmedMode+PBR

  In a redundant configuration: 2xCat6500 with one CSM each, using One Armed Mode when we use Policy Based Routing for return traffic the redundant CSM probes fail. If we use Source NAT instead everything works fine (both Active and Standby ok).
  The problem is that we need to user PBR because the servers need to know the source IP and we want to assure a quick failover.

  I'm pointing to the alias address. I didn't mention before but both C6500 have an IP interface configured in the Server Side VLAN and are using HSRP. I think the problem is related with that - when the redundant CSM sends the probe request, the response is routed to the active CSM. Maybe I need to define a specific PBR to the probes.

• Identity firewall NetBIOS Probe problem

  Hi,
  I've setup an Identity Firewall on a ASA5510 version 8.4.5 (inside interface). ADAgent is installed and configured on an Windows 2003 server and connected to the DC (Windows 2008 server). Everything works fine except the NetBIOS Probe function.
  The NetBIOS probe function is active and configured as below.
  user-identity domain TEST aaa-server LDAP_Identity
  user-identity default-domain TEST
  no user-identity action mac-address-mismatch remove-user-ip
  user-identity inactive-user-timer minutes 120
  user-identity logout-probe netbios local-system
  user-identity poll-import-user-group-timer hours 1
  user-identity ad-agent aaa-server adagent
  user-identity user-not-found enable
  The problem is following message...
  "746013 user-identity: Delete IP-User mapping 192.168.3.61 - TEST\Peter Succeeded - Netbios probing failed"
  I've never seen an NetBIOS probe successful message
  Can anyone help me with this issue?
  Thanks

  Hi,
  Could you please run some of these debug commands:
  debug user-identity user
  debug user-identity user-group
  debug user-identity ad-agent
  debug-user-identity ldap
  debug user-identity logout-probe
  debug user-identity acl
  debug user-identity tmatch
  debug user-identity fqdn
  debug user-identity process
  debug user-identity debug
  debug user-identity error
  debug ldap 255
  Also here is a guide that may provide some direction -
  https://supportforums.cisco.com/docs/DOC-20366
  Tarik Admani
  *Please rate helpful posts*

• CSM probe debugging

  Hi,
  i've tried to debug a non-scripted probe on my csm, but i can't see any output. What does the message "Health Monitor quiet mode: output error messages" mean, and how can i make those messages visible?
  TIA, Stephan

  Hi Gilles,
  I was reading that CSM only supports on a HTTP Probes the request methods like "GET", "HEAD" and "URL", Not "POST".
  It is possible to configure in a TCL script a HTTP Probe with "POST"?
  I see in the manual (4.2(x) Release)that does not appears the generic tcl command "POST".
  I will really appreciate your help.
  Thanks
  Hugo Rivas
  Network Services
  Data Center Triara

• Cisco Security Manager (CSM) License Problem

  Hi All,
  We have CSM V3.2 with Professional license edition and support 50 devices. It's installed properly in the Cisco Security Manager client as appeared in the attachement but the problem is in the server administration- license management which doesn't include any records for license (see attachment).
  I tried to upload the .lic file by clicking the Update button in server administration but an error message appeared stated that the license file is corrupted although it's installed properly in CSM client!!!
  Could you please advise what's the problem and what should I do?
  Thanks in Advance!

  Sorry but Cisco seems to have removed that product bulletin from cisco.com.
  Your reseller can use Cisco Commerce Workspace (CCW) to order the correct part number for your CSM installation. There is a unique number for each licensing level and/or upgrade.
  For instance, for a 10-device standard license, the support would be part number CON-SAS-CSMST10K.
  For the 100-device Pro license, the support would be CON-SAS-CSMPR4K9.
  The reseller needs to adjust the support term (12-60 months) to suit when ordering.

• CSM HTTP problem

  Hello
  Just came across a problem we are facing and thought to share it.
  wondering about the feasibility on the CSM to forward HTTP requests to a "Service not available" web page (which could be available on a web server located on the same server(s), i.e. front-end web server) when a particular threshold is reached on the Load-Balancer that control access to web services. This way, the user does not start the process of generating myKey then fails due to busy system (congestion of resources), as the clean-up process is pretty heavy.
  Thanks for the help!

  Hi Aser,
  I think you ned to configure backup serverfarm so that in case of primary server unavailable the backup servers can process further requests.
  Whenever the primary serverfarm is down (all its vservers have failed or are down), the CSM will start using the sorry serverfarm servers to serve requests to the vserver.
  new connection will use the backup serverfarm but existing active connection will try to use the old serverfarm.
  You need to configure a 'failaction [purge|reassign]' to change this behavior.
  The CSM only allow 1 backup server. When a client is connected to a server, it stays connected to that server even if a new server goes up. Only new connections from the client would be sent to a different server.
  Please read my previous matching post for more info:
  https://supportforums.cisco.com/thread/2056310?tstart=0
  HTH
  Sachin Garg

• CSM Probes went down for 15 minutes

  Hi all,
  This morning all the probes went down on the csm module for exactly 15 mins and then came back up. There has been nothing else in the logs to indicate whey the went down. I have found a watchdog process which i think might have started back up the process for SLB. Has anyone ever come across this and what was the reason that the probes stayed down for exactly 15 mins.
  Cheers
  Kev

  A possible workaround is to reset the card from the SUP console.
  Try:
  http://www.cisco.com/en/US/products/hw/switches/ps708/prod_release_note09186a00800fe64c.html

• CSM Probe Question

  Hello,
  We are currently running an http probe on the CSM which accepts a return code of 200 and 401 (because this application is single sign on and CSM does not have a user defined for it).
  This application is having an issue where the web application is available and returning a 401 code, however in some cases the actual application instance is not available.
  The only way we can see that is by looking at the HTTP stream:
  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: NTLM
  Content-Length: 0
  Date: Thu, 05 Jul 2007 16:29:22 GMT
  Server: Apache-Coyote/1.1
  Connection: close
  This connection close is the only value by which we can tell whether the application is working.
  My question is there anyway we can use this value in the probe. I am quiet sure that its not possible but if anyone can confirm that will be great.
  Thanks

  Hi Gilles,
  I was reading that CSM only supports on a HTTP Probes the request methods like "GET", "HEAD" and "URL", Not "POST".
  It is possible to configure in a TCL script a HTTP Probe with "POST"?
  I see in the manual (4.2(x) Release)that does not appears the generic tcl command "POST".
  I will really appreciate your help.
  Thanks
  Hugo Rivas
  Network Services
  Data Center Triara

• Csm log problem

  below log is generated with csm
  server is correct.(normal)
  csm is correct.(normal)
  service is correct.(normal)
  why below log was contiuned with csm ?
  Mar 7 05:20:13: %CSM_SLB-6-RSERVERSTATE: Module 3 server state changed: SLB-NETMGT: Got different MAC address from server 100.8.50.34 in response to ARP
  Mar 7 05:20:13: %CSM_SLB-6-RSERVERSTATE: Module 3 server state changed: SLB-NETMGT: Got different MAC address from server 100.6.50.34 in response to ARP

  The message is just informing you that the CSM is getting a different mac address each time it does an arp request.
  So, you have either duplicate ip, or a device doing proxy-arp, or sth similar.
  Gilles.

• Recommended CSM Probe Timers

  Looks like 4 timer commands you can use on probes:
  1) Interval - How often to normally Probe
  2) Retries - How many consecutive normal interval probes have fail before marking server as failed
  3) Failed - How often to probe after a server is failed to determine if it should be brought back online
  4) Open - For TCP probes, how long to wait for a TCP socket to open.
  What do you guys recommend for timer values.
  Currently we're using 5-3-60-10
  But, I'm wondering about the 10-second Open timer. 10 seconds for a TCP socket to open? That seems insanely long. I'm tempted to change it to 1 second.

  The default interval is 120 seconds and it would take 3 probes to fail before it would bring down the server. You can lowering this and also using the command "fail action purge" so when a server fails it forces the user to disconnect.

• Ace HTTP Probe expect regex

  Hi,
  I have a question about the config of the ACe probe.
  I have the following probe defined :
  probe http P_HTTP_TEST
  interval 5
  passdetect interval 2
  passdetect count 2
  request method get url /test
  expect status 200 200
  expect regex trululu
  I would like to use the regex just like the expect string on the csm probe...
  The regex doesn't seem to work as the strin trululu is not on the page tested.
  I guess the expect status override the regex but without the expect status it doesn't work either.
  Anyone know how exactly the probe expect works for http ?
  Another question, on the CSM module, the tcp probe by default use the real port for the probe, not the default port of the probe type, is it possible to change that so it mimmicks the CSM way of working ?
  Thanks a lot ;-)

  This seems to be bug related to some version of ACE software as HTTP return code overrides missing regexp. For sure this bug is present in:
  system:    Version A2(2.0) [build 3.0(0)A2(2.0)]
  Notice the difference between 192.168.1.1 (is missing regex in HTTP response) and 192.168.1.2 (sends regexp in HTTP response). Both are successful and as addition 192.168.1.1 (missing regexp) is showing last status code 200 which seems to be sufficient for probe to pass. 192.168.1.2 (which sends expected regexp) doesn't show last status code.
  probe       : tw2_http_81
  type        : HTTP
  state       : ACTIVE
  description :
     port      : 81      address     : 0.0.0.0         addr type  : -
     interval  : 30      pass intvl  : 30              pass count : 1
     fail count: 1       recv timeout: 10
     http method      : GET
     http url         : /knowtw2-f/livelink.exe?func=ll&objtype=142&bypass
     conn termination : GRACEFUL
     expect offset    : 0         , open timeout     : 10
     expect regex     : lbmonitor
     send data        : -
                         --------------------- probe results --------------------
     probe association   probed-address  probes     failed     passed     health
     ------------------- ---------------+----------+----------+----------+-------
       real      : 192.168.1.1[81]
                         192.168.1.1    2          0          2          SUCCESS
     Socket state        : CLOSED
     No. Passed states   : 1         No. Failed states : 0
     No. Probes skipped  : 0         Last status code  : 200
     No. Out of Sockets  : 0         No. Internal error: 0
     Last disconnect err :  -
     Last probe time     : Mon Nov  7 12:38:42 2011
     Last fail time      : Never
     Last active time    : Mon Nov  7 12:38:22 2011
       real      : 192.168.1.2[81]
                         192.168.1.2    2          0          2          SUCCESS
     Socket state        : CLOSED
     No. Passed states   : 1         No. Failed states : 0
     No. Probes skipped  : 0         Last status code  : 0
     No. Out of Sockets  : 0         No. Internal error: 0
     Last disconnect err :  -
     Last probe time     : Mon Nov  7 12:38:27 2011
     Last fail time      : Never
     Last active time    : Mon Nov  7 12:37:58 2011

• ACE how to debug probes

  Hi,
  We have several probes configured for our serverfarms. Some of the probes and rservers are alerting for timeouts or regex's not found etc.
  What's the best way to check if this is a rserver or probe problem ? Using captures ?
  Or is it possible to debug the probes ?
  Regards,
  Sebastian

  Hi Gilles,
  I am trying to capture the packets but i run into a problem :
  I create an access-list :
  access-list CAPTURE1 line 8 extended permit ip any host 172.30.9.101
  access-list CAPTURE1 line 16 extended permit ip host 172.30.9.101 any
  The I create the capture :
  capture CAPTURE all access-list CAPTURE1 bufsize 5000 circular-buffer
  Start the capture :
  capture CAPTURE start
  Make some bogus connection :
  telnet 172.30.9.101 80
  Trying 172.30.9.101...
  Connected to 172.30.9.101.
  Escape character is '^]'.
  HTTP/1.1 400 Bad Request
  Server: Microsoft-IIS/5.0
  Date: Tue, 15 Apr 2008 11:44:35 GMT
  Content-Type: text/html
  Content-Length: 87
  ErrorThe parameter is incorrect. Connection closed by foreign host.
  Stop the capture :
  capture CAPTURE stop
  Then when i want to display the results, nothing is displayed :
  sh capture CAPTURE
  What am I doing wrong here ?
  Regards,
  Sebastian

• CSM - show run module # - diagnostic not supported

  Hi, I´d like to know why show run module # (where is CSM) doesn´t show anything that I´ve configured before. I have CSM 3.1(5) and IOS 12.1(19)E1 with SUP2 MSFC2. Is this supported or a Bug ?
  I also would like to know if it´s normal to appear not supported CSM module (6) when I use the command show module. This is because I can use CSM without problems. Is this supported or a Bug ?
  Router#show module
  Mod Online Diag Status
  1 Pass
  3 Pass
  4 Pass
  6 Not Supported
  Thank you !!

  Hi Joerg,
  There´s no problem with show run if you want to see CSM configuration, but if you use IOS 12.2(14)SX1 with SUP720 you can use the command show run module # (where is CSM) and appears what you want.
  I ´d like to know if this command is not supported with SUP2 and IOS 12.1(19)E1 or if it is a cosmetic Bug. I was searching in the Bug Toolkit and Release Notes and I didn´t find anything about it.
  Could you give me a link where I can see "online diagnostics are not supported for CSM" ?.
  Thank you.

• Moved CSM's from 6509 to 6513

  I just upgraded to a 6513 with sup720's. I moved both csm's and config info to the new config. Everything is working but before the move I could see both csm probe details and they were both operable. Now after the move only the active say's operable and the standby says failed. How do I get this back so that both are operable?

  you will have to do some troubleshooting.
  Get on the standby.
  See if it can ping the server.
  'ping mod csm X x.x.x.x'
  Check csm arp table.
  Check L2 mac-address table between CSM and server.
  finally, sniff on the server to see if it gets the probe and if it does send a response.
  Once you know exactly why it fails, you'll know how to fix it.
  Gilles.