CSS 11051 Stateful Failover

We have received a note concerning stateful failover of the CSS series of products, where the CSS 110XX series doesn't support stateful failover, however the CSS 115XXX will. Here is the digest of the message;
On 3/6, Hosting Engineering and Operations issued an alert regarding the
CSS 11000 load balancer. This is an update to that alert.
Since that time, we have experienced another hardware failure of this
model device.
In response to this situation, the following has occured:
* Platform Engineeringis in the process of removing the CSS 11000
from the SOE. Itis on target to be removed in April.
* Operations hasre-inforced our escalation procedures with CISCO.
Qwest is to beissued a RMA immediately for this model.
* For newconfigurations including a CSS 11000, CCAR will require
an Individual CaseBasis (ICB) review and approval.
* For existing premiumand above customers whoes configurations
include a CSS 11000, HostingOperations is planning to replace them with
compatible device. These changes have been pre-approved by CCAR as long
as:
* the networktopology remains the same
* redundancy ispreserved
* CCAR gets notifiedof the replacement model so we can update our
records
* For existing basicand enhanced customers, we are drafting a
communique that alerts them tothe performance issues exerienced by Qwest
and providing suggestedalternative solutions.
In response to recent questions from the field.....
Stateful failover with redundant CSS 11000 Series Load Balancers:
The Bottom Line: Cisco CSS 11000 Series Load Balancers do not support
stateful
failover.
Will Cisco ever support this?: Yes, this is supported in the CSS 11500
Series,
known as Adaptive Session Redundancy (ASR)
I need this today, what can I do?: Choose an alternative product. The
F5 BIG-IP
load balancers support this functionality.
What is stateful failover anyhow?
Stateful failover is a technology that can maintain state information
between
the active load-balancer and the standby load-balancer. This state
information
can include: persistence mapping, telnet sessions, ftp sessions, tcp
session
state, etc...
Why should I be concerned?
Without state synchronization applications can break if there is a
failover from
the active to standby unit. FTP Sessions will be broken, Telnet
sessions will
be broken, and most importantly persistence state mapping will be lost.
What do I need to listen for to determine if stateful failover is
important?
1. E-commerce applications that require persistence mapping.
Persistence
mapping will keep a client session mapped to the same server for a
specified
amount of time. This is often important with shopping cart and other
e-commerce
applications.
2. Long-lived sessions. Whether they are planning to transfer large
files via
FTP or long-lived telnet sessions. Anytime a connection will be
required for a
long time and starting over is not an acceptable condition, then
stateful
failover is important.
Does this sound correct or is this a bunch of hot air?

Yes. Stateful failover, or ASR as it is sometimes called, is available on the CSS 11500 and Catalyst 6500 Content Switch Modules (CSM) load balancing platforms. It is not supported on the CSS 11000 due to architectural limitations of that platform.
Stateful failover is available on these Cisco platforms today.
mikep

Similar Messages

CSS active-active stateful failover

Dear All,
May I confirm if CSS can do active-active stateful failover? If so, is it any restriction? and any Cisco URL I can refer to?
Thanks a lot.
mak

what do you call active-active ?
There different ways to achieve active-active.
What we can do is 1 vip active on 1 CSS-A and standby on CSS-B and a 2nd VIP active on CSS-B and standby on CSS-A.
But do you really need this ?
CSS can handle quite a huge amount of traffic so I never saw the need for active-active.
The failover can be statefull with CSS115xx not with CSS110xx or CSS118xx or CSS111xx.
Here is a sample config for one-armed mode but you can also have multiple vlans.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00802206a3.shtml
Regards,
Gilles

How long I have to wail the Stateful Failover on CSS 11154 ?

Somebody knows when the next Webns release is expected to implent the TCP Stateful Failover on CSS with VIP redundancy configuration.
At the begining of the year, the Product manager said that will be available on the WebNs V6.
For information: Alteon WEBOS v8 has released this feature for more one year ago.
What do cisco ?

Is Adaptive Session Redundancy what you are looking for?
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_510/advcfggd/vipredun.htm#xtocid24

CSS 11500 Layer4/5 stateful failover

Is this supported on 5.1? Does this actually work? Anyone tried it?
Is the enhanced feature set required to be able to implement this kind of failover?
Regards,
carlos.

Carlos,
L5 only stateful failover is supported in 5.10.
I have personally not seen any cases come in the TAC for this yet. I have not tried it out.
Pete, TAC

Slow stateful failover for mission critical applications

I have two CSS running vip redundancy,ip interface redundancy and redundant-index on a ASR active-backup model.
They are attached to separate 3750 which share vlan info via a port channel.
When the master fails, we see the VRIR negotiation and mastership of VIPs occurs normally but the script that we run to validate our services fails and the services go to a down state.
Since the gateway for the reals is a redundant VIP that stays alive always based on a DUMMY service, we believe this could be a mac address table update on the 3750.
Traffic back from the reals is still sent to the "old" port where the gateway used to live.
Failover takes several minutes and TCP sessions timeout defeting stateful failover.
Any ideas???
Thanks
MANUEL

VLAN1 STP State: Disabled
VLAN1: Root Max Age: 6 Root Hello Time: 1 Root Fwd Delay: 4
Designated Root: 06-a4-00-11-93-90-61-78
Bridge ID: 06-a4-00-11-93-90-61-78
Root Port Desg
Port State Designated Bridge Designated Root Cost Cost Port
VLAN11 STP State: Disabled
VLAN11: Root Max Age: 6 Root Hello Time: 1 Root Fwd Delay: 4
Designated Root: 06-a4-00-11-93-90-61-79
Bridge ID: 06-a4-00-11-93-90-61-79
Root Port Desg
Port State Designated Bridge Designated Root Cost Cost Port
e1 Fwd 06-a4-00-11-93-90-61-79 06-a4-00-11-93-90-61-79 0 19 8001
VLAN211 STP State: Disabled
VLAN211: Root Max Age: 6 Root Hello Time: 1 Root Fwd Delay: 4
Designated Root: 06-a4-00-11-93-90-61-7a
Bridge ID: 06-a4-00-11-93-90-61-7a
Root Port Desg
Port State Designated Bridge Designated Root Cost Cost Port
VLAN222 STP State: Disabled
VLAN222: Root Max Age: 6 Root Hello Time: 1 Root Fwd Delay: 4
Designated Root: 06-a4-00-11-93-90-61-7b
Bridge ID: 06-a4-00-11-93-90-61-7b
Root Port Desg
Port State Designated Bridge Designated Root Cost Cost Port
e3 Fwd 06-a4-00-11-93-90-61-7b 06-a4-00-11-93-90-61-7b 0 19 8003

Problem with redundancy in CSS 11051

I have a problem with redundancy in CSS 11051. I use firewall load balancing and server load balancing. Load balancers which only load balance over 3 firewall switch from primary to master with no problems.
problem is with load balancers which load balance over firewalls and over servers two. whene the master is shutdown, backup keeps master function, all services on backup LB are alive, but it is not possible to display web page on address 10.10.7.16. Even if I try from the network 10.10.7.0/24, so before firewalls. below my config. any help appreciate.
===primary LB=====
!Generated on 10/30/2002 10:42:53
!Active version: ap0500002
configure
!*************************** GLOBAL ***************************
ip redundancy master
no console authentication
restrict ftp
app
app session 10.10.60.13
ip firewall 1 10.10.7.1 10.10.8.1 10.10.8.10
ip firewall 2 10.10.7.2 10.10.8.2 10.10.8.10
ip firewall 3 10.10.7.3 10.10.8.3 10.10.8.10
ip route 0.0.0.0 0.0.0.0 firewall 1 1
ip route 0.0.0.0 0.0.0.0 firewall 2 1
ip route 0.0.0.0 0.0.0.0 firewall 3 1
ip route 10.10.1.0 255.255.255.0 10.10.3.1 1
ip route 10.10.2.0 255.255.255.0 10.10.3.1 1
ip route 10.10.12.0 255.255.255.0 10.10.3.1 1
ip route 10.10.14.0 255.255.255.0 10.10.3.1 1
ip route 10.10.22.0 255.255.255.0 10.10.3.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
bridge vlan 62
interface e2
phy 100Mbits-FD
bridge vlan 7
interface e3
bridge vlan 3
interface e4
phy 100Mbits-FD
bridge vlan 7
interface e5
phy 100Mbits-FD
interface e6
phy 100Mbits-FD
bridge vlan 6
interface e7
phy 100Mbits-FD
interface e8
phy 100Mbits-FD
bridge vlan 6
!************************** CIRCUIT **************************
circuit VLAN62
ip address 10.10.60.14 255.255.255.252
redundancy-protocol
circuit VLAN7
redundancy
ip address 10.10.7.10 255.255.255.0
circuit VLAN3
redundancy
ip address 10.10.3.10 255.255.255.0
no redirects
circuit VLAN6
redundancy
ip address 10.10.6.10 255.255.255.0
!************************** SERVICE **************************
service cc1
ip address 10.10.3.129
keepalive type tcp
keepalive port 443
service cc2
ip address 10.10.3.130
keepalive type tcp
keepalive port 443
active
service ssl1
ip address 10.10.6.131
keepalive port 443
keepalive type tcp
active
service ssl3
ip address 10.10.6.133
keepalive port 443
keepalive type tcp
active
service ssl4
ip address 10.10.6.141
keepalive type tcp
keepalive port 443
active
service ssl6
ip address 10.10.6.143
keepalive port 443
keepalive type tcp
active
service www1
ip address 10.10.6.101
keepalive type tcp
keepalive port 443
weight 2
active
service www3
ip address 10.10.6.103
keepalive type tcp
keepalive port 443
active
service www4
ip address 10.10.6.121
keepalive port 443
keepalive type tcp
active
service www6
ip address 10.10.6.123
keepalive type tcp
keepalive port 443
active
!*************************** OWNER ***************************
owner L5_Owner
content L5_Rule
vip address 10.10.7.6
application ssl
protocol tcp
port 443
url "/*"
add service www1
add service www3
add service www4
advanced-balance sticky-srcip
add service www6
balance weightedrr
active
content L5_Rule_CC
vip address 10.10.3.120
advanced-balance sticky-srcip
add service cc1
add service cc2
active
content L5_Rule_SSL
vip address 10.10.7.16
application ssl
protocol tcp
port 443
url "/*"
add service ssl1
add service ssl3
add service ssl4
advanced-balance sticky-srcip
add service ssl6
active
!*************************** GROUP ***************************
group CC
vip address 10.10.3.120
add destination service cc1
add destination service cc2
active
======
===backup LB=====
!Generated on 10/29/2002 20:47:30
!Active version: ap0503015
configure
!*************************** GLOBAL ***************************
ip redundancy
console authentication primary none
restrict ftp
app
app session 10.10.60.14
ip firewall 1 10.10.7.1 10.10.8.1 10.10.8.10
ip firewall 2 10.10.7.2 10.10.8.2 10.10.8.10
ip firewall 3 10.10.7.3 10.10.8.3 10.10.8.10
ip route 0.0.0.0 0.0.0.0 firewall 1 1
ip route 0.0.0.0 0.0.0.0 firewall 2 1
ip route 0.0.0.0 0.0.0.0 firewall 3 1
ip route 10.10.1.0 255.255.255.0 10.10.3.1 1
ip route 10.10.2.0 255.255.255.0 10.10.3.1 1
ip route 10.10.12.0 255.255.255.0 10.10.3.1 1
ip route 10.10.14.0 255.255.255.0 10.10.3.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
bridge vlan 62
interface e2
phy 100Mbits-FD
bridge vlan 7
interface e3
phy 100Mbits-FD
bridge vlan 3
interface e4
phy 100Mbits-FD
bridge vlan 7
interface e5
phy 100Mbits-FD
interface e6
phy 100Mbits-FD
bridge vlan 6
interface e7
phy 100Mbits-FD
interface e8
phy 100Mbits-FD
bridge vlan 6
!************************** CIRCUIT **************************
circuit VLAN62
ip address 10.10.60.13 255.255.255.252
redundancy-protocol
circuit VLAN7
redundancy
ip address 10.10.7.10 255.255.255.0
circuit VLAN3
redundancy
ip address 10.10.3.10 255.255.255.0
no redirects
circuit VLAN6
redundancy
ip address 10.10.6.10 255.255.255.0
!************************** SERVICE **************************
service cc1
ip address 10.10.3.129
active
service cc2
ip address 10.10.3.130
active
service ssl1
ip address 10.10.6.131
keepalive port 443
keepalive type tcp
active
service ssl3
ip address 10.10.6.133
keepalive port 443
keepalive type tcp
active
service ssl4
ip address 10.10.6.141
keepalive type tcp
keepalive port 443
active
service ssl6
ip address 10.10.6.143
keepalive port 443
keepalive type tcp
active
service www1
ip address 10.10.6.101
keepalive type tcp
keepalive port 443
weight 2
active
service www3
ip address 10.10.6.103
keepalive type tcp
keepalive port 443
active
service www4
ip address 10.10.6.121
keepalive port 443
keepalive type tcp
active
service www6
ip address 10.10.6.123
keepalive type tcp
keepalive port 443
active
!*************************** OWNER ***************************
owner L5_Owner
content L5_Rule
vip address 10.10.7.6
protocol tcp
port 443
url "/*"
add service www1
add service www3
add service www4
advanced-balance sticky-srcip
add service www6
balance weightedrr
active
content L5_Rule_CC
vip address 10.10.3.120
advanced-balance sticky-srcip
add service cc1
add service cc2
active
content L5_Rule_SSL
vip address 10.10.7.16
protocol tcp
port 443
url "/*"
add service ssl1
add service ssl3
add service ssl4
advanced-balance sticky-srcip
add service ssl6
active
!*************************** GROUP ***************************
group CC
vip address 10.10.3.120
add destination service cc1
add destination service cc2
active
=======

Please visit the folloiwing page where you can find many configuration examples on configuring CSS for Load Balancing.
http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_configuration_examples_list.html
Hope it helps.

PO for LAN failover and stateful failover link?

Hi.. We have 2 x ASA 5520s running ver 9.0. We plan to aggregate the 2 interfaces used for LAN failover and stateful failover into a lacp PO. So both the ASAs are connected to each other directly using these 2 interfaces and then we logically make it a one PO. We then assign the PO intface an ip. Is this supported?

You can use any unused interface (physical, redundant, or EtherChannel) as the failover link. (Source)
That said, It would be an uncommon implementation. I almost always see them on separate physical interfaces.

DMVPN and IPSec Stateful Failover?

Will IPSec Stateful Failover work with a DMVPN hub? If I have two 3845 with the proper AIMs, will this work?

Yes it is supported. It is supprted on VAM, VMA2, VAM2+.

Probe on a CSS 11051

Hi,
I'd like to know if it's possible to do port mirroring on a CSS 11051 or if there is a command (a sort of tcpdump) that allows you to analyse traffic?
Best regards,
Olivier GOURANTON.

this feature does not exist on this platform.
You can try the command 'flow options ?' to turn on some packet debugging, but only process-switched traffic will be displayed.
For fast-switched traffic you won't see anything.
Regards,
Gilles.

Is GSS do stateful failover

Hi,
Is GSS cabaple of doing stateful failover. Lets say if i have 2 ACE VIPs configured in GSS in Active-Standby mode. What will happen of existing connections in Active if it goes down?

Good morning,
The GSS is a DNS server, so it makes no sense to talk about connections on it.
In the setup you described, if the primary ACE VIP fails, the GSS will stop returning that VIP in the DNS replies and use the secondary instead.
What will happen to the connections on the ACE will depend on what made the VIP go down (and then we would be getting into the ACE topic), if for example the server went down, then, I'm afraid all connections will break. If however, just connectivity between the ACE and the GSS was lost, then, the connections will continue to work normally.
Regards
Daniel

Adding stateful failover to running configuration

Hi,
I have failover pair of ASA boxes without configuration of stateful failover. There is only basic LAN failover.
I want to add stateful failover configuration using dedicated interface of ASA. Is this with downtime zero when I will add command for stateful failover?
Thanks
Peter

As far as I know it won't affect traffic flow and there's not gonna be any downtime.

Ipsec Stateful Failover issue with Dynamic-Map

Hi all, I have an issue with a couple of Cisco ISR 2921 in Ha Ipsec Stateful Failover configuration.
With static crypto-map, stateful works good, Ipsec sessions are correctly trasmitted from Cisco Active router to Cisco Standby router.
With dynamic-map and profile, stateful fails, Ipsec sessions are not correctly trasmitted from Cisco Active router to Cisco Standby router.
I tried different IOS version:152-1.T3, 152-3.T2 and 153-1.T but I have the same behavior.
Could you help me?
Marco

Yes it is supported. It is supprted on VAM, VMA2, VAM2+.

CBAC Stateful Failover HA: ¿can it be used for three segments?

Hello team.
I need to protect three segments (inside, outside, DMZ) with two routers running CBAC and Stateful Failover High Availability.
I would like to know if the concept shown with two sample segments (inside, outside) in the documentation (http://www.cisco.com/en/US/prod/collateral/routers/ps5855/white_paper_c11_472858.html) can be extended for routers with three interfaces, each one attached to the segments I need to protect.
If this is a supported scenario, I would appreciate your pointing me to a sample configuration.
Thank you very much in advance.
Rogelio Alvez
Argentina

Rogelio,
Basicamente seria HSRP groups asi como el ASA usa el stateful link, el Router establece una asociacion con un IPC group que se configure por HSRP group:
Mira el siguiente link:
Step 6
ipc zone default
Example:
Router(config)# ipc zone default
Configures the interdevice communication protocol, Inter-Process Communication (IPC), and enters IPC zone configuration mode
Use this command to initiate the communication link between the active router and standby routers.
http://www.cisco.com/en/US/prod/collateral/routers/ps5855/white_paper_c11_472858.html
Si tienes alguna duda con mucho gusto.
Mike

CSS 11051: Sorry Server receives request although the normal server is up

Hello,
my customer has configured a sorry for his server. If the normal server is down the Sorry Server receives the requests. That works fine. But if the normal server comes back the Sorry Server still receives some requests( 2 hours and more). Has anybody an idea what might be the reason for that ?
regards
Dietrich Schleyer
content webserver
add service server12
vip address 10.40.52.20
primarySorryServer server13
protocol tcp
port 80
url "/*"
no persistent
active
service server12
ip address 10.40.52.12
port 80
protocol tcp
keepalive type named applicationwww01
active
service server13
ip address 10.40.52.13
protocol tcp
port 80
keepalive type named applicationwww02
active
keepalive applicationwww01
ip address 10.40.52.12
port 80
type http non-persistent
uri "/test.html"
frequency 10
method get
active
keepalive applicationwww02
ip address 10.40.52.13
port 80
uri "/test.html"
frequency 10
method get
type http non-persistent
active

According to: http://www.cisco.com/warp/public/117/css_sorry_server.html After the CSS 11000 directs requests to a primary sorry server, the switch will continue to use the primary sorry server even when the original server becomes functional. To force the connection back to the original server, you must suspend the primary sorry server or wait until the connection is dropped or times out. When a new session is initiated by the CSS 11000, the connection should go back to the original server.

IPSEC Stateful Failover using two 4507RE switches

Hello
I have been trying to find the configuration guides for a cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG, with entservices license.
We have an immediate requirement to build a HA IPSEC VPN from two 4507RE switches, while we wait for new ASA's to be provisioned. I don't think we can do it, in HA setup.
Advice is very welcome.
Thanks
Nick

Nick,
IPsec is not supported at all on cat4500 platform.
We're working on removing IKE/IPsec commands from new parser in IOS XE:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuh60386
M.
(Editted typos)
nicholas boran wrote: HelloI have been trying to find the configuration guides for a cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG, with entservices license.We have an immediate requirement to build a HA IPSEC VPN from two 4507RE switches, while we wait for new ASA's to be provisioned. I don't think we can do it, in HA setup.Advice is very welcome.ThanksNick

CSS 11051 Stateful Failover

Similar Messages

Maybe you are looking for