CSS 11500 sending RST

I recently replaced a Local Director with a CSS 11500 (v 8.2). I have an application that uses port 80 to send SOAP heartbeats at 1 minute intervals to a web server to maintain state. For some reason the CSS randomly decides to send RST to the client even though the backend service is active. In other words, the web server is not sending a RST. Is this an issue with flows? Load balancing schema? I did not have this issue with the Local Director.

No. This is not possible.
Gilles.

Similar Messages

  • Sorry Server for CSS 11500

    Hi,
    I have a question regarding sorry server configuration on the CSS 11500 series.
    Is there a way for the sorry server to ignore the URL path and always send the user traffic to the "root" page (e.g. index.html) of the sorry server web server?
    The problem I have is the redirection of the "root" page (url "/") that is configured for the normal traffic is causing the sorry page not to work since the URL path ("/psp/CUSTOMER1/?cmd=login") does not exist on the sorry page web server:
    service Sorry-Server
      protocol tcp
      port 8000
      keepalive type tcp
      ip address 192.168.2.254
      active
    service server1
      ip address 192.168.2.101
      protocol tcp
      keepalive type tcp
      port 8080
      active
    service server2
      ip address 192.168.2.102
      protocol tcp
      keepalive type tcp
      port 8080
      active
    owner Customer1
      content Content1
        vip address 192.168.1.101
        port 80
        protocol tcp
        url "/*"
        balance aca
        advanced-balance arrowpoint-cookie
        flow-timeout-multiplier 6
        add service server1
        add service server2
        primarySorryServer Sorry-Server
        active
      content Content1-Redirect
        redirect "/psp/CUSTOMER1/?cmd=login"
        vip address 192.168.1.101
        port 80
        protocol tcp
        url "/"
        active
    Thanks in advance for your help!
    Best regards,
    Harry

    Hi again,
    During a maintenance window I made the following change and that made things a bit better:
    service Sorry-Server
      type redirect
      keepalive type none
      redirect-string "192.168.2.254:8000"
      active
    However, since the redirect string points to a private address, Internet users are not able to access the URL.
    As a work-around I sent the redirect to a new content rule with a public address and then configured a second sorry page server:
    service Sorry-Server
      type redirect
      keepalive type none
      redirect-string "sorry.example.com:8000"
      active
    service Sorry-Server-2
      ip address 192.168.2.254
      protocol tcp
      port 8000
      keepalive type tcp
      active
    owner Customer1
      content Content2
        vip address x.x.x.x
        add service Sorry-Server-2
        port 8000
        protocol tcp
        active
    Is there a better way to do this?
    Best regards,
    Harry

  • CSS 11500 url path rewrite and NAT

    Hi,
    We are evaluating a CSS 11500 and trying to configure URL path rewrite and NAT, but we have some problems.
    What we would like to do is the following:
    http://www.example.com/path1 -> http://host1:80
    http://www.example.com/path2 -> http://host1:8080
    http://www.example.com/path3 -> http://host2:80
    The address www.example.com resolves to a valid internet address, whereas host1 and host2 resolve to private IP addresses.
    The client should always see the external url (e.g. http://www.example.com/path1/...) and the CSS should do the necessary translation.
    Any help would be very much appreciated!
    Regards,
    Harald

    Hello Experts, I'm new with this Cisco stuff too (just got it 3 weeks ago), but here is some of my experience with the Cisco CSS 11501.
    First: under Service ServerName there is a port setting, but from my experience I think it is related to the KeepAlive option, so the port is an alternate way to know whether the server is alive or not.
    Second: when you send a request to the Cisco CSS, the port option in content port will be the Cisco CSS port that accepts requests, so if you send a request to http://vip:8080/, all services must be on the same port too to balance the request, in this case port 8080. If one service is on port 80, I'm sure the CSS will not hit the server.
    Third : To solve your problem...
    http://www.example.com/path1 -> http://host1:80 (ipA)
    http://www.example.com/path2 -> http://host1:80 (ipB)
    http://www.example.com/path3 -> http://host2:80
    If you are too lazy to buy a new NIC, just set a subinterface/IP alias on host1 and make the web server bind only to a specific address, not to all interfaces...
    Oh yeah, about your path1/path2/path3 -> /, hmm, I'm still asking in this forum about path changing, because until now I haven't known how to do this. I know about the Apache rewrite module and succeeded in doing this with it; if only I knew how to do this in the Cisco CSS too :-(
    I'm sorry if I made a mistake, I'm just telling my experience...

  • Services with different IP address subnets over CSS 11500 series

    Hi all folks!
    I have two CSS 11500 series...
    In just a few months I will have a DRS (Disaster Recovery Site) ready, where I will have 2 more servers to add to the environment.
    But these servers will be in a different subnet from the one I have today for the servers that are configured in the current services of my CSS.
    So the doubt that arises is:
    Is it correct to add two new services with these servers, but using the IP addressing of the DRS site, and including on the CSS a static route to this network (of the DRS) in order to reach them? Is it correct, will it work well?
    It would look like this...
                 ________________LAN to LAN________________
                 |                                        |
                 |                                        |
    |------SITE A------|                        |------SITE B------|
        [Firewall] ===========IPSEC=========== [Firewall]
             |                                        |
             |                                        |
      [CSS-A]-[CSS-B]                             [SWITCH]
         |       |                                 |    |
        [SWITCH]                                   |    |
    [srvA] [srvB] [srvC]                       [srvD] [srvE]
    So, on [CSS-A] and [CSS-B], I will put a static route to the firewall, which knows the subnet of site B through the IPSEC tunnel.
    Then in the CSSs I will add the new services for servers "D" and "E" with the IP addresses of Site B.
    It should look like this:
    !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 [IP FIREWALL]
    ip route SITE B [IP FIREWALL]
    !************************** SERVICE **************************
    service srvA
      ip address A.A.A.x
      port 8080
    service srvB
      ip address A.A.A.x+1
      port 8080
    service srvC
      ip address A.A.A.x+2
      port 8080
    service srvD
      ip address B.B.B.y
      port 8080
    service srvE
      ip address B.B.B.y+1
      port 8080
    I know that this practice is not the most desirable; in fact I should use "Basic Global Server Load Balancing Site Redundancy Using the CSS with DNS", but I don't have much time to change the entire environment today, and in this first stage I have to begin with this poor but quick solution that I thought of, and I wanted to validate whether there is a possibility for this to work.
    From your experience, what do you say? Will it work?
    Thanks in advance!
    Regards!
    Esteban =)

    Daniel!
    Sorry for the delay!
    Thank you so much for your time to reply.
    You have given me great help with this doubt!
    But about using "source group", let me know...
    I can't really understand the difference between NAT with ACLs, as you can see at this link: (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml)
    and
    this other link, using NAT (from point 5), (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml)
    where the NAT is configured with a method different from the previous one.
    So, for the scenario described above, which would you recommend using? I would think that the second is the most suitable, right? What do you think?
    Thanks in advance again!!!
    Have nice day!
    Regards.
    Esteban.

  • What is the appropriate product name for CSS 11500 on Bug Toolkit

    Today I tried to search DDTs of CSS 11500 on Bug Toolkit (http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl), however I cannot find the appropriate product name corresponding to CSS 11500.
    I had searched DDTs of CSS 11500 on Bug Toolkit many times before. At that time, if my memory is correct,
    I selected "Cisco CSS 11500 Series Content Services Switches" in the list of "Search for bugs in other Cisco software and hardware products" on Bug Toolkit.
    But I cannot find this product name today.
    Do you know what product name is appropriate for CSS 11500 on Bug Toolkit?
    Your information would be appreciated.
    Best regards,

    Hi Gilles,
    Thank you for your cooperation.
    Today, I can find the CSS in the "new Bug Toolkit".
    http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
    Select Product Category: Application Networking Services
    Select Product: Cisco CSS 11000 Series Content Services
    So I understand I should go to the "new Bug Toolkit" instead of the old "Bug Toolkit" to search any DDTs for CSS 11500.
    Many thanks.
    Best regards,

  • Multihoming with CSS 11500?

    Can I do load balancing between two internet ISPs (multihoming), from Internet to Web Server (inside traffic) and from Internal network to Internet (outside traffic) with a Cisco CSS 11500?

    You can connect the CSS to multiple ISPs.
    With the ECMP feature, the CSS will forward the response back to where the connection came from.
    However, for outgoing connections, the CSS can't do load balancing over multiple ISPs.
    Regards,
    Gilles.

  • Load balancing PPTP (Windows 2003) behind CSS 11500

    I am wondering if you can load balance PPTP service (TCP port 1723 and GRE) behind CSS 11500. Please let me know if anyone has experience with this setup.
    Irfan

    No. I don't think you can load balance PPTP service behind CSS 11500.

  • Cisco CSS 11500 and RDP

    Dear NetPros:
    Does anyone know whether the Cisco CSS 11500 Series Content Services Switch supports the 'Session Caching of RDP Clients' session for roaming of disconnected sessions' feature?
    Thanks
    Bernard

    The Cisco CSS 11500 is a compact modular platform, specifically designed to provide robust Layer 4-7 traffic management services for e-business applications in Internet and intranet data centers.
    This URL should help you:
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns50/ns254/networking_solutions_package.html

  • CSS 11500 - Change name device

    Hi,
    I need to change the device name (hostname) of my CSS 11500. How can I do that? I have been searching for some hours without result.

    To avoid having to retype the name after each reboot, you have to do a save_profile.
    Gilles.

  • Do CSS 11500 series allow remote SPAN?

    Hi,
    I found that SPAN (Switch port analyzer) is available on the CSS 11500 series, but could only find that the destination must be local. Is it possible to do remote SPAN and make the destination be on another remote switch?
    And how many local SPAN sessions are allowed?
    Thanks,
    Rgds
    Jorge

    Cisco WebNS Software Version 7.20 delivers support for a new Cisco CSS 11501 model and Cisco WebNS Software 7.20 supports the SPAN features.
    Switched Port Analyzer (SPAN) or port mirroring is useful for network analysis: a copy of the packets received or transmitted by a source port is sent to a designated destination port.
    Kindly go through these links to get detailed information:
    http://www.provantage.com/cisco-systems-css11503-ac~7CSCO288.htm
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_release_note09186a008077c440

  • CSS 11500 Series Query

    Hi
    I have 2 CSS 11500 series units working in a master / slave configuration.
    Both units are identical in regards to hardware, IOS, etc.
    1 unit allows the running config to be saved by the 'copy run start' command, whereas the other goes through the motions of saving, but a 'show startup-config' shows nothing.
    This unit seems to be operational in every other regard. Is this a hardware fault or am I missing a software command somewhere along the way?
    Thanks
    Ian

    You get such problems when the device is running short of memory. Try increasing the DRAM because what is happening is that the device saves the config in the NVRAM but it does not have enough DRAM to display the configuration when the "sh startup-config" command is executed. A temporary solution is to restart the device, if the problem persists then you have to upgrade the memory.

  • CSS 11500 Certificate Signing Request (CSR)

    Would any of you know if and how to configure / generate a wildcard or multi-domain SSL certificate on a CSS 11500 appliance? The "SSL gencsr ..." command doesn't seem to allow me to add more than one domain name during the information gathering.
    Any help or input would be greatly appreciated.
    Thanks,

    WildCard certs are supported on CSS.
    The only thing that makes it a CSR for a wildcard certificate would be that the common name would be something like "*.yourdomain.com".
    Since a wildcard certificate represents multiple domains, it can be re-used on the multiple https content rules of different IPs.
    The CSR procedure for a wildcard certificate on the CSS is not different than the CSR procedure for a regular certificate (You just need to put something like "*.yourdomain.com" in front of common name):
    CSS11506(config)# ssl gencsr app1key
    Country Name (2 letter code) [US]US
    State or Province (full name) [SomeState]CA
    Locality Name (city) [SomeCity]San Jose
    Organization Name (company name) [Acme Inc]Yourdomain Inc.
    Organizational Unit Name (section) [Web Administration]SSL Admin
    Common Name (your domain name) [www.acme.com]*.yourdomain.com
    Syed
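
A check a practitioner may want before reusing the wildcard certificate across several HTTPS content rules, as an added example that is not part of the original post: a common name of `*.yourdomain.com` covers exactly one left-most label, so the bare domain and deeper subdomains need their own certificate. The host names in `RULE_HOSTS` are constructed for illustration, and refusing partial wildcards such as `w*` is a conservative choice made here.

```python
def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.rstrip(".").lower().split(".")


def wildcard_matches(pattern, host):
    """Return True if `host` is covered by certificate name `pattern`.

    Rules applied (the usual client behaviour for wildcard names):
      * comparison is case-insensitive, label by label
      * '*' is only honoured as the complete left-most label
      * '*' stands for exactly one label, never zero and never several
      * the wildcard must sit in front of at least two more labels
    """
    p, h = _labels(pattern), _labels(host)
    if "" in p or "" in h or len(p) != len(h):
        return False
    if any("*" in label for label in p[1:]):
        return False                      # wildcard outside the left-most label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False                      # partial wildcard, refused here
    return p == h


def uncovered_hosts(pattern, hosts):
    """List the host names that would need a different certificate."""
    return [h for h in hosts if not wildcard_matches(pattern, h)]


# Constructed host names for the HTTPS content rules (not from the post).
RULE_HOSTS = [
    "www.yourdomain.com",
    "shop.yourdomain.com",
    "WWW.YourDomain.com.",
    "yourdomain.com",
    "a.b.yourdomain.com",
]

if __name__ == "__main__":
    for name in uncovered_hosts("*.yourdomain.com", RULE_HOSTS):
        print("not covered by *.yourdomain.com:", name)
```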

  • Edge Server send RST packet to Client

    Hi all,
    I'm meeting an issue, please help me!
    I'm setting up a testing LAB. After I deployed the Edge Server, everything seemed fine. But when the Client connects to the Edge server, after the TLS handshake, the server sends an RST packet to the Client. Please refer to the picture below.
    I used a CA built on the Domain Controller server to assign a Cert to the internal and external interfaces of the Edge server. I know I should use a public CA on the Internet to assign a Cert to the external interface, but I'm setting up a LAB for testing, so I used the internal CA. And my internal and external domains are the same (e.g: internal is edge.sip96x2.com and external is access.sip96x2.com). On the Client, I installed the Root CA Cert downloaded from the CA on the Domain Controller. The external Client doesn't have a DNS server and uses the Hosts file instead; the Hosts file includes:
    "100.20.252.12     access.sip96x2.com"
    I don't know what information needs to be shown here; if you require any information, please let me know, thanks so much!

    To work with your Lync Client from External over the edge, the Lync Client has to reach the Access Edge, Audio/Video Edge and Web Edge IP.
    To log in to your Lync Edge you can use the Lync Manual Configuration access.sip96x2.com:443.
    You should use the host FQDN for the internal connection and the three needed external FQDNs for the edge.
    Using a private CA is always possible for a Lab.
    http://ocsguy.com/2010/11/21/deploying-an-edge-server-with-lync/
    regards Holger Technical Specialist UC

  • CSS 11500 Series LOGs

    Hi everyone,
    I need some help about one type of CSS 11500 LOG messages:
    OCT 12 07:47:03 1/1 273 WCC-6: Computing slow start parameters for newly activated service index 4
    OCT 12 10:25:05 1/1 274 WCC-6: Computing slow start parameters for newly activated service index 3
    OCT 12 11:19:49 1/1 275 WCC-6: Computing slow start parameters for newly activated service index 3
    OCT 12 11:26:33 1/1 276 WCC-6: Computing slow start parameters for newly activated service index 3
    OCT 12 12:20:37 1/1 277 WCC-6: Computing slow start parameters for newly activated service index 3
    OCT 12 14:04:32 1/1 278 WCC-6: Computing slow start parameters for newly activated service index 4
    OCT 12 14:04:53 1/1 279 WCC-6: Computing slow start parameters for newly activated service index 5
    OCT 12 14:05:01 1/1 280 WCC-6: Computing slow start parameters for newly activated service index 4
    I was trying to find some explanation about these LOGs, but I didn’t have any success.
    My questions are:
    1. What does this LOG type mean?
    2. Does it signal some issue on the service?
    Thanks a lot for the help!
    Regards,
    Marko

    Hi Marko,
    Please go through the below link:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/ContRule.html#wpmkr1150644
    Just pasting some content. Read the details please.
    Slowly Starting Connections on a Service
    When you configure a content rule with the least connection (leastconn) load-balancing method, a service on the rule with the fewest connections receives the next request. If you activate a service on this rule, the service may become flooded with requests.
    To prevent the flooding of connections on a newly activated or reactivated service, you can enable the slow-start feature on a content rule configured with the leastconn load-balancing method. Through this feature, you can configure:
    • The rate that an activated service receives connections. The slow-start rate is applied globally to all leastconn content rules on the CSS. By default, the rate is enabled with a default value of 3. If you disable the rate by setting it to 0, the slow-start feature is disabled on all leastconn content rules configured on the CSS.
    Note: We recommend that you do not change the slow-start rate default value.
    • The maximum time that the service remains in the slow-start process. The slow-start timer sets the number of seconds that the service on a leastconn content rule is in the slow-start process. The timer is applied to a leastconn content rule. By default, the timer is disabled. If the timer is disabled, the slow-start feature is disabled on the rule.
    When you enable the slow-start feature on the CSS and a leastconn rule, a service on the rule enters the slow-start process when you:
    • Add and activate a service to the rule
    • Reactivate a service after suspending it on the rule
    • Activate the rule
    When you activate a rule, it starts to load balance the connections on its services. The service with the least number of connections is selected to enter the slow-start process.
    When a rule has only two services, only one service can enter the slow-start process. When the rule has more than two services, a newly activated service can enter the slow-start process when one of the services is currently in the slow-start process and the other services are out of the slow-start process.
    A service in the slow-start process slowly continues to receive connections until either the slow-start timer expires or its connections equal the number of connections on the other active services of the rule. Then, the service exits the slow-start process and starts receiving connections as it normally would.
    Regards,
    Kanwal
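
To see how often each service index is being newly activated, the WCC-6 lines from the question can be tallied per index. This is an added example, not part of either post: it parses the eight log lines quoted above and reports the activation count and the shortest interval between two activations of the same index. The year (absent from the log), the 10-minute threshold and the names given to the `1/1` and sequence fields are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the question above.
SAMPLE_LOG = """\
OCT 12 07:47:03 1/1 273 WCC-6: Computing slow start parameters for newly activated service index 4
OCT 12 10:25:05 1/1 274 WCC-6: Computing slow start parameters for newly activated service index 3
OCT 12 11:19:49 1/1 275 WCC-6: Computing slow start parameters for newly activated service index 3
OCT 12 11:26:33 1/1 276 WCC-6: Computing slow start parameters for newly activated service index 3
OCT 12 12:20:37 1/1 277 WCC-6: Computing slow start parameters for newly activated service index 3
OCT 12 14:04:32 1/1 278 WCC-6: Computing slow start parameters for newly activated service index 4
OCT 12 14:04:53 1/1 279 WCC-6: Computing slow start parameters for newly activated service index 5
OCT 12 14:05:01 1/1 280 WCC-6: Computing slow start parameters for newly activated service index 4
"""

# "origin" and "seq" are names assumed here for the "1/1" and counter fields.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z]{3}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<origin>\S+) (?P<seq>\d+) WCC-(?P<level>\d): "
    r"Computing slow start parameters for newly activated service index "
    r"(?P<index>\d+)$"
)


def parse_slow_start(text, year=2000):
    """Return sorted [(timestamp, service_index)]; other lines are skipped.
    The log has no year, so one is supplied by the caller (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp = f"{year} {m['mon'].title()} {m['day']} {m['time']}"
            events.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
                           int(m["index"])))
    return sorted(events)


def summarize(events):
    """Per service index: activation count and shortest gap between two."""
    by_index = defaultdict(list)
    for ts, idx in events:
        by_index[idx].append(ts)
    report = {}
    for idx, stamps in by_index.items():
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        report[idx] = {"activations": len(stamps),
                       "shortest_gap": min(gaps) if gaps else None}
    return report


def frequent_reentry(report, within=timedelta(minutes=10)):
    """Indexes that were newly activated twice within `within`."""
    return sorted(idx for idx, row in report.items()
                  if row["shortest_gap"] is not None
                  and row["shortest_gap"] <= within)


if __name__ == "__main__":
    rep = summarize(parse_slow_start(SAMPLE_LOG))
    for idx in sorted(rep):
        print(idx, rep[idx]["activations"], rep[idx]["shortest_gap"])
    print("re-activated within 10 minutes:", frequent_reentry(rep))
```

The service index is the number printed in the log message; mapping it back to a service name has to be done on the CSS itself.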

  • CSS 11500 booting only to Offline DM mode

    Hello,
    I setup a new CSS 11500 this morning, going through the steps of setting up the administrator password, IP address for the management console etc, but when continuing the CSS went straight to the offline DM menu. Now rebooting the unit it clears all the tests, loads the operational flash but continues to go straight to the DM menu regardless whether you press <y> or not at the prompt.
    I also tried connecting via telnet to the management console but get connection refused.
    Any ideas on why the CSS boots only to the DM menu?
    Thanks in advance,
    - Trevor

    Trevor,
    once in offdm, attach a laptop with an FTP server on it to the management port.
    Then from offdm, you can configure the CSS to boot from the FTP server.
    Once the box is up and running again, make sure you have an image on disk.
    Finally, you don't need a PCMCIA flash, and no, you should not have received one.
    Regards,
    Gilles.
