CSS 11050 Sniffer trace

I'm trying to use a sniffer to capture traffic that is hitting my CSS and what services are requested/handled inside the CSS network. I have redundant CSS with 2 LAN switches (cat.2924XL) behind it. I'm running port monitor on all the internal connections (CSS, web servers, etc), but I'm not seeing any real user traffic inbound or outbound on these connections. All I'm seeing is broadcast traffic inside the network from the css and web servers. Any suggestion or document on this problem will be appreciated.

My assumption here is that you are seeing spoofed information from the CSS as the only way you will see incoming user data is from the outside network where the user comes in. Most often in troubleshooting the CSS we require back and front end traces to understand the traffic flow.
Regards
Pete Knoops
Cisco Systems

Similar Messages

  • Load Balancing Linux servers with CSS 11050 series

    We would like to load balance Linux FTP and Web servers with a CSS 11050 series device. Does the content switch use SNMP to load balance the servers? If so, which MIBs need to be loaded on the servers?

    I don't believe that the CSS supports any SNMP load balancing mechanism.
    There are basically two factors involved in load balancing. One: the state of the servers, which can be determined via a range of mechanisms including ping, TCP connection, application request, etc. Two: the way a server is chosen when a request comes in, including round-robin, least connections, ACA etc.
    Check out these links:
    http://www.cisco.com/warp/customer/117/basic_css_lb_config.html
    http://www.cisco.com/warp/customer/117/methods_load_bal.html

  • CSS 11050 Load Balancing with Single VLAN (no NAT)

    We have several CSS 11050's in use on our network, chiefly for load-balancing web servers. In a test network I've set up, I've configured our test servers' IP addresses and our load-balanced IP address to be on the same subnet. This way our developers can easily check both single servers as well as the LB configuration. This got me thinking...
    All the config documentation I've seen on the CSS seems to assume that you are putting the VIP for the content rule on a different VLAN than the IPs for the services. Is there any particular need for this? I'm in the process of setting up another network that will have its services NATed behind a PIX. There are some services (WWW) that I want load balanced and some services (passive FTP with one server) where there's really no need. Would I do any harm by putting the content rules' VIPs on the same subnet as the servers themselves? I can still plug the servers into the other ports on the CSS so that I'm not really doing a "one-arm" configuration.
    -Mark Romer

    You shouldn't have any problem doing this. In addition to load balancing web servers we've also balanced terminal servers that are configured to be accessed by remote users through VPN connections. Because we have over 90 remote locations, I didn't want the services and the VIP addresses to be on different VLANs because I'd have to reconfigure the routers in all the remote locations. I was in the same position you're in, all the documentation indicated different VLANs but I thought it would be worth a try. Everything works perfectly...
    Cody Rowland

  • CSS 11050 NAT problem

    Hi, I have a problem with the NAT group intercepting connections to a PIX on the local VLAN. VLAN1 on the LB is the outside internet connection, VLAN2 is internal, at 10.0.10.0/24. The PIX IP is 10.0.10.254. If a webserver at 10.0.10.5 tries to connect to a server behind the PIX, the PIX logs a connection not from 10.0.10.5, but from the NAT group, which has an external IP address. Not only does this slow things down, but confuses the ACL config on the PIX. Any way to force devices to directly connect on the local VLAN, as one would normally expect? Thanks!

    What happens is the traffic that will use the group will need to match the source/dest configured in the ACL, but more importantly, the VLAN you apply to the ACL itself will determine what traffic is even looked at in the ACL itself. So if you apply vlan1 to the ACL, then only traffic coming into the CSS via VLAN1 will use the acl (assuming it matches the clause criteria configured).
    By using the ACL approach, you could put those ip addresses you want to NAT in the first clauses, and then leave out the ones you do not want to NAT. If there is no ACL match, then there will be no NAT.
    Instead of specifying all the IP addresses in separate ACLs, you can use the subnet mask to create a range of addresses.
    Hope this helps. I do agree that this can be a bit of a maintenance challenge having to do this, but I'm not sure any other option exists unless there is something different about the way you have your source groups configured.
    Regards
    Pete..

  • Sniffer Trace on ACE w/VACLs and One-Arm Design

    Wow...that was a mouthful of a title!
    Here is what I'm trying to accomplish. There is an application that is having issues. This application is being load balanced by the ACE. The ACE is configured in a One-Armed design. Essentially the application flow is as follows:
    client --> ACE VIP --> SNAT Pool --> rserver and then the reverse.
    The vlan for my ACE is 3002. It is the only vlan in this context. I have a WildPackets OmniEngine connected to port on the 6500. Here is its config:
    interface GigabitEthernet x/xx
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    switchport capture
    switchport capture allowed vlan 3002
    no ip address
    no cdp enable
    Here is the problem. When I take a trace I only see the back half of the conversation. That is I only see from the SNAT pool IPs to the rservers and back. I need to be able to see the conversation between the client IPs and the VIP. Does anyone know how this can be done? If you need more details or have questions please fire away! Thanks for the help...
    bc

    This can be done by setting up a monitor session on the Sup, with the TenGig/1 as SPAN source, and a trunk port as SPAN destination.
    For example, if the ACE is in slot X, the configuration would be:
    monitor session 10 source interface TeX/1
    monitor session 10 destination interface Giy/z
    The configuration for this port would be:
    int giy/z
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    Syed Iftekhar Ahmed

  • Monitoring services in CSS 11050 using SNMP

    Has anyone implemented SNMP monitoring of services for CSS?
    How do I go about doing it using HP OpenView as the SNMP manager?
    I have read the SNMP configuration for CSS but am still quite confused about setting the threshold for the RMON alarm. How do you determine what threshold to set to indicate that the service is alive or down?
    You might want to refer to the RMON guide for CSS below:
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/rmon.htm#35012

    Hi Matthew,
    Actually, for monitoring services via SNMP you don't need to configure alarms on the CSS. First, there are default traps generated by the CSS MIBs. Information can be found here:
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/snmp.htm#xtocid1874327
    There are two traps, "Service Down" and "Service Suspended", sent to the preconfigured mgmt station. This can be used to indicate whether a service is down or not.
    Second, you can poll the state of the existing services from the mgmt station using the CSS MIBs; this is described here:
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/snmp.htm#xtocid1874330
    Use the svcExt.apSvcState variables to get the states.
    If you have any further questions ...
    cheers
    rene

  • VIP ping no response on a CSS 11050

    Our management system pings devices to verify they are active. The VIP often drops pings (mostly in the morning) and then recovers after a few minutes. The web load balancing never stops and the services are always active. The real addresses on the CSS never drop pings.

    Both TAC and local Cisco people have told us that VIPs do not reliably respond to ICMP, which is exactly what you describe.
    If I were you, I would change your test so that it executes a script (Perl maybe) that does a TCP connection rather than relying on ICMP.
    Good luck,
    Dennis
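The reply above recommends testing the VIP with a TCP connection rather than ICMP. The following is an added example of such a check, written in Python rather than Perl; it is not the poster's script or anything from the CSS. It treats a completed TCP handshake as "up" and a refused connection or a timeout as "down", and it stands up a local listener as a constructed stand-in for a VIP so the check can be exercised offline; the VIP names and the 127.0.0.1 addresses are assumptions for the demonstration.

```python
import socket
import socketserver
import threading


def tcp_check(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within `timeout`.

    A refused connection (RST) and a timeout both count as down: either way a
    client could not open a session, which is what the management system
    actually cares about. ICMP reachability of the VIP is never consulted.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_vips(targets, timeout=2.0):
    """targets: iterable of (name, host, port). Returns {name: "up" | "down"}."""
    return {
        name: ("up" if tcp_check(host, port, timeout) else "down")
        for name, host, port in targets
    }


class _SilentHandler(socketserver.BaseRequestHandler):
    """Accepts the connection and closes it; the handshake is all we test."""

    def handle(self):
        pass


def start_listener():
    """Constructed stand-in for a healthy VIP: a local listener on an ephemeral port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _SilentHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def find_closed_port():
    """Constructed stand-in for a dead VIP: a local port that nothing listens on."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = start_listener()
    up_port = srv.server_address[1]
    targets = [
        ("vip-web-up", "127.0.0.1", up_port),            # assumed VIP names
        ("vip-web-down", "127.0.0.1", find_closed_port()),
    ]
    for name, state in check_vips(targets).items():
        print(f"{name}: {state}")
    srv.shutdown()
    srv.server_close()
```

In production the targets would be the VIP address and the service port of each content rule (80 or 443 for the web rules discussed in this thread), and the timeout should be shorter than the management system's polling interval.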

  • CSS 11050 5.03(15) Log Message (?)

    Does anyone know what this log event means? I've tried a few searches on CCO and came up empty.
    MAR 11 13:07:28 5/1 319 NETMAN-1: TRAP:Authentication:Generated by: x.x.x.x
    MAR 11 13:07:29 5/1 320 NETMAN-1: TRAP:Authentication:Generated by: x.x.x.x
    MAR 11 13:07:31 5/1 321 NETMAN-1: TRAP:Authentication:Generated by: x.x.x.x

    NETMAN-1: TRAP:Authentication:
    is a log statement which states that someone with that IP address is trying to access the SNMP agent on the CSS with an invalid or incorrect community name.
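Since a NETMAN-1 authentication trap means a failed SNMP community string, it is worth counting these per source address and noticing bursts. The following is an added detection example, not part of the original thread and not CSS code: it parses log lines in the format shown above and reports which sources produced repeated failures inside a short window. The sample lines are constructed (the real post masked the address as x.x.x.x; 192.0.2.10 and 192.0.2.77 are documentation-range placeholders), and the year is an assumption because the CSS log lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the CSS log format shown in the thread; the
# addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
MAR 11 13:07:28 5/1 319 NETMAN-1: TRAP:Authentication:Generated by: 192.0.2.10
MAR 11 13:07:29 5/1 320 NETMAN-1: TRAP:Authentication:Generated by: 192.0.2.10
MAR 11 13:07:31 5/1 321 NETMAN-1: TRAP:Authentication:Generated by: 192.0.2.10
MAR 11 13:09:02 5/1 322 NETMAN-2: Enterprise:Service Transition:www1 -> down
MAR 11 13:40:10 5/1 323 NETMAN-1: TRAP:Authentication:Generated by: 192.0.2.77
"""

# "<MON> <day> <hh:mm:ss> <slot/subslot> <seq> NETMAN-<sev>: TRAP:Authentication:Generated by: <ip>"
AUTH_TRAP = re.compile(
    r"^(?P<mon>[A-Z]{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ \d+ NETMAN-\d: TRAP:Authentication:Generated by: (?P<src>\S+)$"
)


def parse_auth_traps(text, year=2000):
    """Return a list of (timestamp, source_ip) for each SNMP authentication trap.

    `year` is assumed: the CSS log line carries no year field.
    """
    events = []
    for line in text.splitlines():
        m = AUTH_TRAP.match(line)
        if not m:
            continue  # other NETMAN messages (service transitions etc.) are ignored
        stamp = f"{year} {m['mon'].capitalize()} {m['day']} {m['time']}"
        events.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["src"]))
    return events


def flag_bursts(events, threshold=3, window_seconds=60):
    """Count failures per source and flag sources with `threshold` or more
    failures inside any `window_seconds` window (sliding over sorted times)."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    counts = {src: len(stamps) for src, stamps in by_src.items()}
    bursts = []
    for src, stamps in by_src.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                bursts.append(src)
                break
    return counts, sorted(bursts)


if __name__ == "__main__":
    counts, bursts = flag_bursts(parse_auth_traps(SAMPLE_LOG))
    for src, n in counts.items():
        print(f"{src}: {n} authentication failure(s)")
    print("burst sources:", bursts)
```

A single failure is usually a misconfigured manager (a poller with a stale community string); three failures in a few seconds from one address, as in the original post, is the pattern to raise with whoever owns that host.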

  • CSS 11050 SYN Attacks and auto-reboot

    Running software version 5.00 build 2 to load balance two web servers. The DOS log shows SYN attack activity--with one incident logging 62 "attacks". I read that if this value reaches a threshold, then the machine will reboot. Can someone tell me what the guidelines are for this? Are there any other events that can cause the switch to auto reboot? Thanks!

    First, you should definitely upgrade.
    5.0(2) is VERY VERY OLD.
    Next, a box never reloads by itself on purpose or because it reached a certain threshold.
    If there is an auto-reboot, this means the box crashed and this is not normal.
    Gilles.

  • Problem with ACL in CSS-to-CSS redundancy configuration

    I have two CSSes - the first is master, the second is backup. When I enable an ACL on the master CSS, it can no longer see the backup CSS. My first rule is to allow all traffic between both CSSes. I have a CSS 11050 with 4.10 Build 10.
    Here is a part of my config:
    --- begin ---------------------------------------------------
    !************************* INTERFACE *************************
    interface e8
    bridge vlan 254
    description "css1 <-> css2 (net 192.168.254.0/30)"
    !************************** CIRCUIT **************************
    circuit VLAN254
    ip address 192.168.254.1 255.255.255.252
    redundancy-protocol
    !**************************** NQL ****************************
    nql n_csw_to_csw
    ip address 192.168.254.1 255.255.255.255
    ip address 192.168.254.2 255.255.255.255
    !**************************** ACL ****************************
    acl 1
    clause 1 bypass any nql n_csw_to_csw destination nql n_csw_to_csw
    apply circuit-(VLAN254)
    --- end ---------------------------------------------------
    Where is the problem? Is it a bug in my current version or an error in my configuration?
    Thanks
    Thomas Kukol

    As a first step, read http://www.cisco.com/warp/customer/117/css_packet_trace.html and trace your non-working configuration.
    If you give flow option 0xffffff you should see why the ACL didn't pass the app traffic..
    A second idea is to use normal ACLs w/o NQL....
    with the permit keyword...
    Share your experience here again 8-)

  • CSS VIP Issues (Source Group with 'add destination service')

    I have a pair of Cisco CSS 11503 boxes with an ap-kal-pinglist applied to both virtual routers, as a Critical Service, on the Primary CSS. When a link goes down, the VRRP fails over all traffic to the Secondary, as expected, but there is an issue with two particular VIPs. These VIPs have Source Groups configured, like below:
    group WEBSITE_ABC
      add destination service XYZ_Server_1
      add destination service XYZ_Server_2
      vip address 10.10.3.25
      active
    group WEBSITE_XYZ
      add destination service ABC_Server_1
      add destination service ABC_Server_2
      vip address 10.10.3.24
      active
    Once a failover occurs, the VIPs are unreachable via a browser. I have also seen 1 VIP OK and 1 VIP not, but never both working. At times, when I failback to the Primary, the VIPs are OK again. The services are reachable via a browser during this issue.
    any ideas?

    You need to check if during the failover the CSS sends a G-ARP to inform that the ARP entry associated with the NAT IP address now belongs to the secondary CSS.
    Get a sniffer trace during failover and check if this G-ARP is sent.
    If not, this is a bug and you need to report it.
    If yes, then the problem is not the CSS but another device on the path... did the switch correctly learn the new path? Does the server have the correct ARP table?
    Gilles.

  • CSS Load Balancing with Cookies

    We are trying to load balance 2 backend servers hosted on Websphere with advance balance cookies method.
    Restrictions
    ServerA is unable to accept cookies generated from ServerB.
    ServerA and ServerB are generating random cookies
    Unable to modify cookie string with a constant.
    How can we load balance based on cookies considering the above restrictions?
    We have attempted to do hash based load balancing with cookies but the problem we run into is the servers do not accept cookies generated from another server.
    The configuration we tried is written below:
    service ServerA
    ip address 192.168.10.2
    keepalive type tcp
    keepalive port 80
    active
    service ServerB
    ip address 192.168.20.2
    keepalive type tcp
    keepalive port 80
    active
    content ABC
    url "/*"
    add service ServerA
    string prefix "JSESSIONID="
    advanced-balance cookies
    port 80
    add service ServerB
    string skip-length 5
    string process-length 16
    string operation hash-xor
    protocol tcp
    vip address 172.16.32.1
    active
    Can we change the string prefix to JSESSION instead of JSESSIONID= ?
    The only place the app guys can add a constant string to match on is before the = sign.
    Is it possible for CSS to match on a constant string before = sign e.g below:
    service ServerA
    ip address 192.168.10.2
    keepalive type tcp
    keepalive port 80
    string id567=
    active
    service ServerB
    ip address 192.168.20.2
    keepalive type tcp
    keepalive port 80
    string id123=
    active
    content ABC
    url "/*"
    add service ServerA
    string prefix "JSESSION"
    advanced-balance cookies
    port 80
    add service ServerB
    string skip-length 0
    string process-length 6
    protocol tcp
    vip address 172.16.32.1
    active

    It should work.
    There is no reason for it not to work...
    This is the best method you can have on the CSS for stickiness.
    Get a sniffer trace on the client and server with arrowpoint cookie configured on the CSS and capture a failure so we can see what is going on.
    also send me the config so I can verify everything is ok.
    If you have a service request open with the TAC, you can also give the SR # so I can review what has been done.
    Gilles.

  • CSS newbie - 8.10 upgrade problem

    I typed the config from our working 11503 7.10 CSS into a new 11503 8.10 CSS. Show Run for each is identical (see attached). When I swap-in the new CSS I get "Page not found" from the VIP, and all the 8.10 CSS will do is bridge me to the real server addresses. What have I missed?
    NB 8.10 CSS has SSL module and license.

    I have seen this kind of thing in the past.
    Often it is cable misconnected or arp table of gateways/servers still pointing at the previous CSS even if disconnected.
    So, clear all arp table on gateways and servers.
    Then verify they learn the new CSS mac address correctly.
    Then verify connectivity using ping.
    Then use a browser.
    If it still does not work, capture a sniffer trace in front of the CSS.
    Gilles.

  • CSS 11506 problem

    Hi All,
    I have two portals which are located behind the load balancer (client side), the configuration is basic.
    I have faced a problem accessing these portals via the SSL port (HTTPS) using the virtual IP address which represents them, knowing that the SSL sessions are terminated on the portals, not on the CSS.
    Any help please.
    Thanks a lot.
    Mo

    what kind of problem ???
    Get a sniffer trace on client and server and see what is going on.
    We'll also want to see the config even if basic.
    Gilles.

  • CSS 11800 show many server up/down message in log file

    My customer uses a CSS 11800 running 6.10 Build 304 software for server load-balancing.
    I configured the default HTTP keepalive to probe the server status like below.
    service WWW2
    ip address 163.29.x.x
    keepalive type http
    active
    service WWW3
    ip address 163.29.x.x
    keepalive type http
    active
    Since last week, I have found many server up/down messages in the sys.log file:
    SEP 20 01:22:36 7/1 1145 NETMAN-2: Enterprise:Service Transition:dpsvr2 -> down
    SEP 20 01:22:41 7/1 1146 NETMAN-2: Enterprise:Service Transition:amd52 -> down
    SEP 20 01:24:26 7/1 1147 NETMAN-5: Enterprise:Service Transition:amd52 -> alive
    SEP 20 01:24:56 7/1 1148 NETMAN-5: Enterprise:Service Transition:dpsvr2 -> alive
    SEP 20 03:20:06 7/1 1149 NETMAN-2: Enterprise:Service Transition:WWW3 -> down
    SEP 20 03:20:16 7/1 1150 NETMAN-5: Enterprise:Service Transition:WWW3 -> alive
    SEP 20 07:00:57 7/1 1151 NETMAN-2: Enterprise:Service Transition:www5 -> down
    SEP 20 07:01:11 7/1 1152 NETMAN-5: Enterprise:Service Transition:www5 -> alive
    The server status changes from down to up, almost always within only 20 seconds, and we can access the server without any problem at the same time.
    Is this a software bug? If not, how do I trace this problem? Thanks!!

    capture a sniffer trace to see exactly what's going on.
    Going to the server with a browser may work because it uses the GET/POST method, but the CSS configured the way you did will use a HEAD method, which could be a problem for your server.
    The server could be slow to respond as well.
    Try to increase the keepalive frequency, since the timeout is linked to the frequency.
    Finally, you may want to configure a url to poll with the command 'keepalive uri .....'
    Once again, by simply sniffing between the CSS and the server, you will know exactly where is the problem.
    Gilles.
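Before sniffing, the log itself tells you how long each service actually stayed down, which separates a real outage from a keepalive that is simply timing out and recovering on the next probe. The following is an added example, not part of the thread and not CSS code: it parses the "Service Transition" lines quoted in the question, pairs each "down" with the next "alive" for the same service, and lists the flaps shorter than a chosen threshold. The sample lines are the ones from the post; the year is an assumption because the log format carries none, and the 30 second flap threshold is a chosen illustration value.

```python
import re
from datetime import datetime

# The transition lines quoted in the post, used here as sample input.
SAMPLE_LOG = """\
SEP 20 01:22:36 7/1 1145 NETMAN-2: Enterprise:Service Transition:dpsvr2 -> down
SEP 20 01:22:41 7/1 1146 NETMAN-2: Enterprise:Service Transition:amd52 -> down
SEP 20 01:24:26 7/1 1147 NETMAN-5: Enterprise:Service Transition:amd52 -> alive
SEP 20 01:24:56 7/1 1148 NETMAN-5: Enterprise:Service Transition:dpsvr2 -> alive
SEP 20 03:20:06 7/1 1149 NETMAN-2: Enterprise:Service Transition:WWW3 -> down
SEP 20 03:20:16 7/1 1150 NETMAN-5: Enterprise:Service Transition:WWW3 -> alive
SEP 20 07:00:57 7/1 1151 NETMAN-2: Enterprise:Service Transition:www5 -> down
SEP 20 07:01:11 7/1 1152 NETMAN-5: Enterprise:Service Transition:www5 -> alive
"""

# "<MON> <day> <hh:mm:ss> <slot/subslot> <seq> NETMAN-<sev>: Enterprise:Service Transition:<svc> -> <state>"
TRANSITION = re.compile(
    r"^(?P<mon>[A-Z]{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ \d+ NETMAN-\d: Enterprise:Service Transition:(?P<svc>.+?) -> (?P<state>down|alive)$"
)


def parse_transitions(text, year=2000):
    """Return a list of (timestamp, service, state) in log order.

    `year` is assumed: the CSS log line has no year field, so a log that
    crosses New Year would need to be split before parsing.
    """
    events = []
    for line in text.splitlines():
        m = TRANSITION.match(line)
        if not m:
            continue  # not a service transition; ignore
        stamp = f"{year} {m['mon'].capitalize()} {m['day']} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m["svc"], m["state"]))
    return events


def flap_durations(events):
    """Pair each 'down' with the next 'alive' for the same service.

    Returns a list of (service, down_timestamp, seconds_down) in the order the
    services came back. A service still down at the end of the log is omitted.
    """
    pending = {}   # service -> timestamp of its unresolved 'down'
    out = []
    for ts, svc, state in events:
        if state == "down":
            pending[svc] = ts           # a repeated 'down' keeps the latest one
        elif svc in pending:
            down_at = pending.pop(svc)
            out.append((svc, down_at, (ts - down_at).total_seconds()))
    return out


def short_flaps(text, max_seconds=30, year=2000):
    """Services whose down/alive cycle lasted at most `max_seconds`: the
    keepalive-timeout pattern rather than a real outage."""
    return [
        (svc, secs)
        for svc, _, secs in flap_durations(parse_transitions(text, year))
        if secs <= max_seconds
    ]


if __name__ == "__main__":
    for svc, down_at, secs in flap_durations(parse_transitions(SAMPLE_LOG)):
        print(f"{svc:8s} down at {down_at:%b %d %H:%M:%S} for {secs:.0f}s")
    print("short flaps:", short_flaps(SAMPLE_LOG))
```

For the lines in the post this gives 140 s and 105 s for dpsvr2 and amd52 but only 10 s and 14 s for WWW3 and www5; the two short cycles are the ones where a slow HEAD response or a too-tight keepalive timeout, as the reply suggests, is the first thing to check in the trace.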
