CSM - Stcky configurations

Similar Messages

• CSM-S "Configuration Sync is not supported by this card"

  This is the message everytime I try to sync the cards.
  NETCSP01#hw-module contentSwitchingModule 5 standby config-sync
  Configuration Sync is not supported by this card
  NETCSP01#
  The are both installed into the same 6513.
  Here are the configs
  module ContentSwitchingModule 4
  ft group 1 vlan 400
  priority 30 alt 20
  vlan 200 client
  description Client Facing CSM Interface
  ip address 192.168.100.6 255.255.254.0 alt 192.168.100.7 255.255.254.0
  alias 192.168.100.8 255.255.254.0
  vlan 100 server
  description Server Facing CSM Interface
  ip address 172.18.10.6 255.255.254.0 alt 172.18.10.7 255.255.254.0
  alias 172.18.10.8 255.255.254.0
  module ContentSwitchingModule 5
  ft group 1 vlan 400
  priority 20 alt 30
  I am running the following version
  Cisco Internetwork Operating System Software
  IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXE4, RELEASE SOFTWARE (fc2)
  What am I missing?
  Thank you!!

  The configuration synch feature is supported from CSM-S version 2.1.1. I suggest you upgrade your device for using that feature.

• CSM overwrites Configurations

  Hello.
  We have installed CSM 3.2 which we want to use for managing Catalyst 6509 and 3845. We also have a VPN tunnel between 6509 and a Checkpoint Firewall.
  We have find out a problem: if we configure a little thing (e.g. setting snmp-server) on Catalyst 6509 with CSM, then it will overwrite and delete the tunnel between Checkpoint and the catalyst.
  How can we configure CSM that it only deploys the difference betwen the old and the new config. so that CSM doesnt remove any configuraion made manually.
  thanks for help
  markus

  Have a look at this:
  "After configurations are deployed, you should make changes only through Security Manager for configurations that Security Manager controls. This varies based on operating system:
  •ASA, PIX, FWSM, IPS operating systems-Security Manager controls the entire configuration. You should make all changes through Security Manager.
  •IOS Software-You have more control over which aspects of the device configuration Security Manager controls. If you do not create policies for a feature in Security Manager, such as routing policies, Security Manager does not control those features on the device. If you do create policies for these features, Security Manager overwrites the settings on the device with the settings you defined in Security Manager. Through administration settings, you can control the types of policies that will be available for IOS devices, thereby preventing Security Manager from displaying or changing policies for these features. To see the available features for IOS routers and control whether they are available for management in Security Manager, select Tools > Security Manager Administration, then select Policy Management. For IOS devices, Security Manager does manage VPN-related policies. "
  http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.2.1/user/guide/dpman.html#wp307170
  Regards
  Farrukh

• CSM - serverfarms configured with multiple probes

  Hi - If a serverfarm is configured with multiple probes, do the servers within the farm remain active if they respond positively to both probes or do they just need to respond to one of the configured probes?
  Thanks in advance

  Both probe must respond positively to make the server appears as OPERATIONAL.
  If only one probe is responding positively then the server is considered DOWN
  That is usefull for UDP test :
  you need to check taht you don't have a RST when openning an UDP connection ( the UDP port is not closed) and you need to make ping (in order to be sure that there is a server ;-) )

• Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Configuration

  Hi,
  Need serious help here..
  I'm facing a challenging situation here.
  Customer just purchased a pair of SSLM module for their web server HTTPS termination.
  Here's the situation.
  Currently customer already have a pair of Catalyst 6509 running with MSFC->FWSM<->CSM Bridge Configuration (i.e. client and server vlan on the same subnet).
  I've been assigned the task to deploy SSLSM module seaminglessly onto this existing setup without any other major configuration changes required on their systems by this week.
  My question is currently they doing bridge configuration between FWSM - CSM. How do I transparently deploy SSLM in this situation ? without changing any i.p. addresses which will break their server-to-server communications.
  I read and understand CSM-SSLM bridge configuration but that requires changing their i.p. addressing scheme? hopefully somebody shed some light on this...

  I've attached a logical diagram of the existing setup as well as the SSLM placement (where i think it fits in).
  I've also came up with a draft configuration below, i don't really understand NAT client and NAT server applications:
  module ContentSwitchingModule 7
  ft group 1 vlan 201
  priority 110 alt 100
  heartbeat-time 1
  failover 3
  preempt
  vlan 6 client
  ip address 192.168.20.4 255.255.255.0 alt 192.168.20.5 255.255.255.0
  gateway 192.168.20.1
  alias 192.168.20.6 255.255.255.0
  vlan 60 server
  ip address 192.168.20.4 255.255.255.0 alt 192.168.20.5 255.255.255.0
  vlan 7 client
  ip address 192.168.10.4 255.255.255.0 alt 192.168.10.5 255.255.255.0
  alias 192.168.10.6 255.255.255.0
  vlan 70 server
  ip address 192.168.10.4 255.255.255.0 alt 192.168.10.5 255.255.255.0
  vlan 40 server
  ip address 192.168.60.4 255.255.255.0 alt 192.168.60.5 255.255.255.0
  alias 192.168.60.6 255.255.255.0
  probe ICMP icmp
  interval 3
  failed 5
  probe HTTPWEB http
  interval 3
  failed 5
  probe HTTPSWEB tcp
  interval 3
  failed 5
  port 445
  probe TCP tcp
  interval 2
  failed 3
  serverfarm MOCINT-VIP1
  nat server
  no nat client
  predictor leastconns
  real 192.168.20.71
  inservice
  real 192.168.20.72
  inservice
  probe ICMP
  probe HTTPWEB
  serverfarm MOCWEB-VIP1
  nat server
  no nat client
  predictor leastconns
  real 192.168.10.65
  inservice
  real 192.168.10.66
  inservice
  probe ICMP
  probe HTTPWEB
  serverfarm SSL-MOCINT
  nat server
  no nat client
  real 192.168.60.11 445
  inservice
  real 192.168.60.12 445
  inservice
  probe TCP
  serverfarm SSL-MOCWEB
  nat server
  no nat client
  real 192.168.60.21 445
  inservice
  real 192.168.60.22 445
  inservice
  probe TCP
  sticky 10 netmask 255.255.255.255 timeout 20
  sticky 20 cookie cookie-server timeout 30
  vserver DECRYPT-MOCINT
  virtual 192.168.60.10 tcp 445
  vlan 40
  serverfarm MOCINT-VIP1
  replicate csrp sticky
  persistent rebalance
  parse-length 4000
  inservice
  vserver DECRYPT-MOCWEB
  virtual 192.168.60.20 tcp 445
  vlan 40
  serverfarm MOCWEB-VIP1
  replicate csrp sticky
  persistent rebalance
  parse-length 4000
  inservice
  vserver HTTP-MOCINT
  virtual 192.168.20.70 tcp www
  vlan 6
  serverfarm MOCINT-VIP1
  advertise active
  sticky 20 group 10
  replicate csrp sticky
  persistent rebalance
  parse-length 4000
  inservice
  vserver HTTP-MOCWEB
  virtual 192.168.10.60 tcp www
  vlan 7
  serverfarm MOCWEB-VIP1
  advertise active
  sticky 30 group 20
  replicate csrp sticky
  persistent rebalance
  parse-length 4000
  inservice
  vserver HTTPS-MOCINT
  virtual 192.168.20.70 tcp https
  vlan 6
  serverfarm SSL-MOCINT
  persistent rebalance
  inservice
  vserver HTTPS-MOCWEB
  virtual 192.168.10.60 tcp https
  vlan 7
  serverfarm SSL-MOCWEB
  persistent rebalance
  inservice

• Wrong Load reporting via KAL-AP form CSM to GSS

  When multiple virtual servers are configured on the same VIP (each using another TCP port), the CSM averages all the CAPP load values when reporting the final CAPP load to the GSS.
  Unfortunately, when a redirect vserver is configured on the same VIP (i.e to redirect the user to another TCP port), the CAPP load value sent to the GSS is wrong. This is due to the fact that the redirection vserver has always a load value of 2! Therefore, even if all real servers of the server farm are down, the reported load value to the GSS is (255 + 2) / 2 = 128 instead of 255 (offline).
  Why does the CSM take a redirection server farm into account when reporting the load value to the GSS ? What would be a work-around ?
  Here is an extract of my configuration:
  serverfarm REDIRECTION
  nat server
  no nat client
  redirect-vserver REDIR-1
  webhost relocation 10.10.10.111:26000/irj
  inservice
  serverfarm PORTAL
  nat server
  nat client NAT-MSSRTE
  real 10.10.10.10
  maxconns 200
  minconns 100
  inservice
  real 10.10.10.11
  maxconns 200
  minconns 100
  inservice
  policy PORTAL-POLICY
  sticky-group 1
  serverfarm M-GLOBEPROD
  policy REDIR-POLICY
  url-map URL-1
  serverfarm REDIRECTION
  vserver PORTAL-VSERVER
  virtual 141.122.88.87 tcp 26000
  persistent rebalance
  slb-policy PORTAL-POLICY
  no inservice
  vserver REDIRECT
  virtual 141.122.88.87 tcp www
  persistent rebalance
  slb-policy REDIR-POLICY
  inservice

  Hi Gilles,
  Thank you for your suggestion. I configured KAL-AP by Tag now, but the two VIP answers configured on the GSS remain in offline state. I didn't found any description on how to configure the counterpart tag string in the CSM vserver configuration (I suppose that the same tag must be configured on the GSS and on the CSM ?)
  Can you help me ?

• Two CSM's in single chassis

  hi folks
  if we install two CSM's in the same 6500, can we load balance serverfarmA using CSM1 & serverfarmB using CSM2.
  would the csm's be in csm mode or rp mode? would we need to configure them identically or use hsrp for failover?
  any ideas appreciated since i have 0 experience with content stuff.
  thanks,
  anurag

  there is no more rp mode. Everything must be csm mode nowadays.
  If you put 2 CSM in the same chassis, they can workd independently and therefore be both acitve, or you can have the same config on both and work in active/standby.
  With version 4.2.x and the corresponding ios version, there is a command to sync the config between active and standby so you don't have to configure everything twice. The command is 'hw-module ContentSwitching X standby config-sync'.
  Regarding the serverfarm the question is not really important. You first have to decide if you want to be active/standby or active/active.
  Be aware that if you go for active/active you have no backup [you can't be active and standby at the same time] and you will have to split your traffic between the 2 CSM by configuring different vservers on each.
  Gilles.

• Cannot find SC in Landscape Configurator-Track Data

  I successfully got the Scenario 2+ working and I'm now trying to develop another application.
  I went into my SLD and configured a Product->SC and added all the required build time dependencies.
  When I go into CSM->Landscape Configurator->Track Data and try to add the SC it is no where to be found..
  Anyone know why this happens?
  Jarrod

  Hi,
    we were facing this issue couple of weeks back. but the solution was patience.
    the SC appeared after about 6 - 8 hrs. we really dont understand as to why it takes so long but we were able to get the SC list in the 'Add SC' component list after 6 hrs.
  i would suggest you can wait for 6 - 8 hrs or even some more and then check the SC.
  Hope that helps.
  Regards,
  S.Divakar

• Catalyst 6500 CSM-S Cookie stickiness timout ?

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Hi, anyone able to help with this ?
  We have a CSM-S sitting in a 6513, at the moment we have IP stickiness applied for a Vserver/Serverfarm. The back end product vendor advises that cookie stickiness would be more appropriate for their application.
  I have been scratching my head around the timeout of the inserted cookies; whatever I do they persist seemingly indefinitely, for example:
  Just a test configuration with a 10minute sticky timout.
  serverfarm applicationA
    nat server
    nat client applicationA_pool
    failaction reassign
    real 1.1.1.1
     inservice
    real 1.1.1.2
     inservice
    health retries 1 failed 120
    probe applicationA_probe
  sticky 1 cookie applicationA_sticky insert timeout 10
  vserver applicationA-HTTP
    virtual 2.2.2.10 tcp www
    unidirectional
    serverfarm applicationA
    sticky 10 group 1
    no persistent rebalance
    inservice
  Doing show mod csm 1 sticky
  group   sticky-data              real                  timeout
  1       cookie F5BF7115:F80EA688 1.1.1.1           0
  1       cookie 4AFC972B:BB722437 1.1.1.2           0
  Then a show mod csm 1 sticky config
  Group  NumEntries Timeout  Type
  1             82                           10        cookie-insert applicationA_sticky
  When browsing to the VIP I see the application page via one of the reals. For the sake of the test I am using round-robin. Without cookies applied my browser will bounce between reals (I turned off persistent rebalance during testing) as expected.
  With a sticky cookie inserted the browser stays on one of the real’s, however the timeout which I have applied does not work. The client will stay stuck to the real almost indefinitely (the actual cookie expiry is 2099!).
  The online documentation advised that the method I am using should work as expected:
  Quote
  This example shows how to configure a virtual server named barnett, associate it with the server farm named bosco, and configure a sticky connection with a duration of 50 minutes to sticky group 12:
  Router(config)# mod csm 2
  Router(config-module-csm)# sticky 1 cookie foo timeout 100
  Router(config-module-csm)# exit
  Router(config-module-csm)#
  Router(config-module-csm)# serverfarm bosco
  Router(config-slb-sfarm)# real 10.1.0.105
  Router(config-slb-real)# inservice
  Router(config-slb-real)# exit
  Router(config-slb-sfarm)#
  Router(config-slb-sfarm)# vserver barnett
  Router(config-slb-vserver)# virtual 10.1.0.85 tcp 80
  Router(config-slb-vserver)# serverfarm bosco
  Router(config-slb-vserver)# sticky 50 group 12
  Router(config-slb-vserver)# inservice
  Router(config-slb-vserver)# exit
  Router(config-module-csm)# end
  End Quote
  I am guessing that sticky group 12 / 1 is a typo
  Looking at the documentation, sticky can also be applied not in the vserver config but in a policy (this is how we are doing IP stickiness). I have tried both methods. Same result.
  I am natting the client address to a private pool which then talks to the reals (and back). Would'nt expect this to be any issue.
  The CSM is running Software version: 4.3(5).
  Any help appreciated.

  Good mornign Simon,
  The behavior you are seeing is the expected one.
  When the CSM is configured for cookie insertion, a static cookie value is created in the sticky table for each server. This is the cookie that is being inserted, using as expiration date the one defined in the COOKIE_INSERT_EXPIRATION_DATE variable.
  With this stickiness method, there is no need to use a timeout, because, since the sticky table will only contain one entry for each server, it will never become full.
  Quoting from the documentation:
  Note     The
  configurable timeout values are not applied when using cookie insert. 
  You can adjust the timeout value using the environment variables.
  If you don't want to keep the cookies in the client for that long, another approach you can use is setting an empty date in the COOKIE_INSERT_EXPIRATION_DATE variable. When doing that, the cookie will be inserted without an expiration date, so it will be cleared when the browser is closed.
  I hope this answers your question
  Regards
  Daniel

• CSM - Is it advisable to upgrade to latest version 4.2.(4)?

  Hi Sir,
  I have a pair of Cisco Catalyst 6513 switches; each contains a CSM (WS-X6066-SLB-APC). Both CSMs are configured in a fault tolerant group. Both running software version 4.2.(3).
  Below is latest Field Notice for CSM (DDTS = CSCsd27478):
  http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_field_notice09186a00806b056a.shtml
  Cisco recommends software upgrade to version 4.2.(3a). I have checked; the latest version is 4.2.(4). Is it advisable to upgrade to 4.2.(4)?
  Please advise.
  Thank you.
  B.Rgds,
  Lim TS

  If you are running 4.2.3 it is definitely recommended to upgrade to 4.2.4
  Gilles.

• CSM/SSLM Naming standards

  G'day,
  I'm starting to rollout a largish CSM/SSLM configuration and was wondering if people have any good ideas for naming standards.
  I can envisage configs becoming quite a mess and very confusing if there are not clear naming standards for all the various components.
  Any ideas that others have would be great.
  Cheers
  Andrew

  It's a very good idea to have CSM/SSLM Naming standards

• Direct Server Return on CSM

  i have an CSS11506 where i use the Direct Server return mode
  circuit VLAN19
  description "LOL"
  ip address 192.168.158.39 255.255.255.240
  no redirects
  service WEB_LOL_36
  ip address 192.168.158.36
  keepalive type tcp
  keepalive port 80
  protocol tcp
  port 80
  type nci-direct-return
  active
  service WEB_LOL_37
  ip address 192.168.158.37
  keepalive type tcp
  keepalive port 80
  protocol tcp
  port 80
  type nci-direct-return
  active
  owner LOL
  content WEB_LOL
  vip address 192.168.158.38
  add service WEB_LOL_36
  add service WEB_LOL_37
  protocol tcp
  port 80
  active
  group WEB_LOL
  add destination service WEB_LOL_36
  add destination service WEB_LOL_37
  vip address 192.168.158.38
  active
  I use this config because the ip addresses 192.168.158.37 and 192.168.158.36 are NAT in Router and the default Gw in this router is not the CSS.
  but i cannot find any information about how implement Direct Server mode on CSM
  how configure vserver, serverfarm natpool,etc.
  _If you could help me, i appreciate
  Thanks

  this is a test config that i tried to use on CSM
  vlan 916 server
  ip address 192.168.175.93 255.255.255.248
  alias 192.168.175.94 255.255.255.248
  natpool LOL 192.168.175.91 192.168.175.91 netmask 255.255.255.248
  real LOL_NAT_01
  address 192.168.175.89
  inservice
  real LOL_NAT_02
  address 192.168.175.90
  inservice
  serverfarm LOL_WEB_01
  nat server
  no nat client
  real name LOL_NAT_01
  inservice
  real name LOL_NAT_02
  inservice
  serverfarm LOLOUT
  no nat server
  nat client LOL
  predictor forward
  vserver LOL_WEB_01
  virtual 192.168.175.91 any
  unidirectional
  serverfarm LOL_WEB_01
  persistent rebalance
  inservice
  vserver LOL-SALIDA
  virtual 0.0.0.0 0.0.0.0 any
  vlan 916
  serverfarm LOLOUT
  persistent rebalance
  inservice

• Help required with CSM config?

  1. I request help on some pointers to URLs where I could find answers to my questions.
  2. Also I request for some CSM specialists to please look at the attached document and comment whether the config looks right for what the customer wants to achieve.
  3. I am not sure why the customer wants the .51 server never to be accessed when .50 is up and running. He wants .51 server to be accessed if and only if .50 server is down.

  you said the csm is not connected to the server vlan. So, you should not configure a vlan 12 on the CSM. Especially if you want your traffic to go through a firewall. Connecting the csm to vlan 12 would be a way to bypass the firewall.
  So, what you need is a route on an existing csm vlan to reach the servers via the firewall.
  Then, your customer clearly asked to have .51 as a backup of .50.
  So you need 2 serverfarms.
  One with onle server .50 and one with only server .51.
  You then configure the serverfarm .50 with serverfam .51 as backup.
  The 2nd would kick in only if .50 is down.
  You need predictor leastconn or roundrobin so destination nating can occur.
  The 'replicate' commands are used when you need stateful redundancy. They tell the CSM to replicate the information to the standby.
  Finally, bridge mode is not related to the ip addresses used for vip and real.
  You are in bridge mode when the CSM is configured with the same ip on 2 different vlans. In this case, the CSM will BRIDGE between those 2 vlans.
  The only url pointer I could give is the csm documentation guide. You may want to read it through to get yourself familiar with all the possible functions like backup serverfarm or replicate.
  Gilles.

• CSM, ASDM & FWSM versions

  Hi,
  Can anyone explain the interaction between CSM, ADSM & the FWSM I'm trying to work out if there are incompatible combinations with various versions.?
  It is my understanding that the CSM server makes a connection to port 443 on the FWSM so must be communicating with the installed ASDM version. We have a CSM 3.1.1 server & FWSM 3.1(4) installed, is there a specific ASDM version that should be installed on the FWSM when using CSM or can we just upgrade to the latest - the 6.1(x)F ASDM release notes says it is compatable with FWSM 3.1(4).
  One of the reasons I am checking is that we recently had an issue where an ACL entry was not being match correctly and the packets were being discarded by an entry further down the list. Originally the offending entry had the subnet referenced by IP/netmask, we changed the entry in CSM to use an object group for the same subnet and pushed the policy, the ACL then behaved as expected. We then changed the ACL back to IP/netmask in CSM, pushed the policy and it carried on matching correctly.
  During these changes the ACL order was identical and it wasn't anything complicated - the mask was a simple /24 subnet being referenced to allow a well known service port. We even have a test FWSM that is configured identically to the live one and the ACL worked fine on that during testing, the rules were copy & pasted from the test FWSM to the live FWSM in CSM.
  We are upgrading CSM to 3.3.1 next week so hopefully won't see this issue again.
  Regards
  Mel

  Thanks for the response.
  I fully understand the differences between ASDM & CSM and how they should be used. As it is, we only use CSM to configure the FWSM but we log in using CLI for troubleshooting.
  The question was asking how CSM talks to the FWSM using port 443. I presumed that when you upgraded the ASDM image on the FWSM this contained updates to the code that manages the incoming web connections on the FWSM i.e. fixed bugs, added functionality etc as well as updates to the software client that you can download.
  If I connect to my FWSM from my desktop using https://myfirewall/admin/index.html I get a choice of downloading and installing the ASDM GUI or running the ASDM as a java applet. Either way there is some code installed on the FWSM that these connect to i.e. a server process listening on port 443. I presumed that CSM would use the same management connections to the FWSM that the ASDM GUI does, the only difference being that CSM is intelligent enough to connect to multiple security devices at once. Whether you hit 'Submit & Deploy' or 'Apply' in your chosen GUI front end, the changes are pushed as a group of CLI commands in one go.
  Hence the original question about compatible code versions throughout the whole management chain. We have the FWSM software, we have the installed ASDM image on the FWSM module and we have the CSM software itself. All of which can be various versions and will contain capabilities and bugs pertaining to whatever version they are.
  With the ACL issue that we experienced we probably would not have had an issue if we had used just the CLI to input the changes, or if we used just the ASDM GUI, but a combination of all 3 factors may have created the issue with the dodgy ACL. Currently our FWSM web interface states it has 6.1F installed (since we are due to upgrade to CSM 3.3.1 I will leave it be) but if we were staying at CSM3.1.1 I would probably look at reverting the ASDM image to an earlier version on the FWSM, the FWSM image itself will stay at 3.1(4) and hopefully with that combination not see the ACL issue again.
  Hope that is a little clearer of what I am trying to understand.

• ACL on CSM

  Hi all,
  We use CSM for configuring firewall rules and NAT.
  Is it possible to use ACL created from ACL objects when assigning ACL used for NAT and firewall rules?
  if no, is there a way to change ACL name used for NAT and firewall rules?

  In most cases, the names of imported ACLs are discarded (not preserved) at deploy because Firewall MC takes ownership after importing the ACLs on a device. Ownership in Firewall MC means that whichever entity creates a rule or object can discard that rule or object after it is no longer useful.
  Firewall MC discards the preexisting names of imported ACLs in most cases so that it can rename each such ACL in a predictable and standard way. The naming pattern that Firewall MC applies to imported ACLs follows a kind of logical taxonomy with at least four parts, as follows:
  ACL_MDC__.
  The only scenario in which Firewall MC retains the name of an imported ACL is when, at deploy, the only required change to the ACL structure is that one or more ACEs are appended at the end