CSS 11501 and SSL

Hi,
I have a few questions regarding the CSS and SSL certificates.
I have 2 CSS 11501 and 3 web servers, how many SSL certificates do I need?
I want to configure the CSS as active - active, is this supported using the SSL accelleration module? If it is, is it configured the same way as a standalone CSS. The documentation only mentions configurations using single module and 2 modules in the same CSS.
And a clarificacion: Does the term Backend in the CSS SSL config refer to servers on a different subnet (in our case physically separated). Our config is 2 FW -> 2 CSS -> 3 Web servers -> 2 backend FW -> 6 Backend servers (app and DB). Am I correct in assuming that Backend refer to this backend? (This might seem like a silly question but the documentation has me confused)
Any help is much appreciated.
Thanks,
Niels

Niels,
there is currently an ASK THE EXPERT event.
Please join us if you have more questions.
Regarding the certificate, you could just use one.
Get 1 certificate for your VIP and upload it on both SSL module.
However, you might have to get 2, because certificate providers usually say it's one per physical device.
If you plan on doing SSL on the servers as well, you need 3 more certificates. Or you coul use a single certificate if this is allowed by the company that will give it to you.
Backend refers to server behind the CSS.
Like a firewall defines inside and outside interfaces, the CSS define the frontend and the backend.
The frontend is the client side and the backend the server side.
When you say active/active, what do you want to achieve exactly ?
You can indeed have 2 Vip and one is active on CSS1 while the other is active on CSS2.
However, if the CSS shares the same set of servers, you need to be careful that the return traffic from the server to the client goes back to the same server. This may require client nat (group config).
Regards,
Gilles.

Similar Messages

11501s and SSL termination

We have several 11501. Some of them have a module CSS501-SSL-INT listed when a show module is issued. Others don't have this module listed and a search on CCO for "CSS501-SSL-INT" came up blank. Is this module required to terminate SSL on a 501? Can it be added? Is this the only thing required to terminate SSL?

Yes, you need this module to terminate SSL traffic on the CSS.
No, this module can't be added to a CSS11501.
You can buy such module for CSS11503 or CSS11506 but not for the CSS11501.
The 11501 with SSL module is a CSS11501S.
Once you have the module you nede to install at least 1 key and 1 certificate and then configure the module.
Here is the configuration guide should you need it.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080292a11.html
Regards,
Gilles.

CSS 115xx and SSL module.

Good day, I have a general question on the SSL module. Currently we have a pair of CSS's handeling our external site web sites. We are starting to run out of external IP addresses, If we installed the SSL module and terminated the Certificates on the CSS would we be able to read the ssl header and utilize 1 ip for multiple ssl sites?
thx
-Rich

Check the URL: Overview of CSS SSL:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/ssl/guide/overview.html
Examples of CSS SSL Configurations:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html

CSS 11150 and SSL module function

Hi, Pro:
There is any way I could find what ssl module could be used on CSS11150?
Thanks,

there is none.
The css111xx and css110xx are not modular so you can't add or remove anything from it.
You will need a CSS115xx.
Regards,
Gilles.

CSS 11501 and GRE

Greetings:
I have a 3550-48 EMI switch sitting behind a CSS and I need to establish a GRE tunnel to another switch on the other side of the CSS. In the end configuration it will not be possible to bypass the CSS to establish the tunnel.
I have successfully established the GRE tunnel between the two switches around the CSS in my lab environment, so I know the basic configuration is correct.
I have a feeling that the problem lies in the layer-3 translation at the CSS (since GRE uses a different protocol ID than IP).

I actually have been attempting to NAT. Unfortunately, in my configuration the systems on the "unauthorized" side of the CSS don't know about the internal address of the 3550.
Can you send me the configuration you used in your lab?
We currently use the same technique using a PIX as the edge device and it works fine (and I know that the CSS performs a different type of service and is not a firewall by nature).

Cisco CSS 11501 - High-Availabilty

We have a single CSS 11501 and were thinking about just buying a new one and putting it online as the standby with statefull (hopefully) failover, but weren't sure that this would work.
Does anyone know what is needed to create a high-availability Cisco CSS 11501 environment?
Do you only need 2 CSS 11501 and then configure them with one being active and the other being in a standby mode, like a PIX?
Is there a HA Cable that would need to be connected between the 2 CSS's?
Thanks in Advanced.
Joe

Daniel,
There is a new stateful failover mechanism for the Cisco CSS 11500.
This description is a bit "salesy" I know, but it covers the question asked :-)
The Cisco CSS 11500 delivers ASRthe industry's first stateful Layer 5 session redundancy feature that enables failover of important flows while maximizing performance. Some flowssuch as a long-lived File Transfer Protocol (FTP) or a database session may be mission critical, but many are not. Most solutions on the market today require all trafficimportant or notto be backed up from one box to another. If the majority of flows are not critical, then most of system performance is wasted on unnecessary back
ups. With ASR, the Cisco CSS 11500 may be configured so critical flows are marked as replication worthy, whereas others do not need to be so marked. ASR focuses traffic management resources precisely where needed.
Better yet, have a look at the following link focusing on the section on Stateless Redundancy.
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_510/advcfggd/redndncy.htm
Regards
Pete..

CSS 11501 VTP

Hi all,
I have a CSS 11501 and want to make a trunk with it. I believe it can do this but I'm wondering wether it knows vtp
(and I don't want to add a vtp-server to our network)
Can't find anything about vtp-settings in the documentation.
regards,
Radboud

once again, thanks alot Gilles
grtz
Radboud

High CPU utilization on CSS 11501 version sg0750303

Hi everyone,
I have the problem about High CPU utilization on CSS 11501 version sg0750303.
Our customer has used one pair of CSS 11501 (active-standby).
As a matter of convenience, called "Old CSS" after here in this post.
However traffic via Old CSS had been increasing so customer decided to add one more
pair (active-standby) of CSS to separate traffic.
Yesterday we installed new two CSS 11501 version sg0750303 (active-standby).
As a matter of convenience, called "New CSS" after here in this post.
Today, active CSS 11501 and standby CSS 11501 which were installed yesterday (New CSSs)
indicates High CPU utilization.
Active CSS 11501:
Peak CPU utilization: about 85%
Average CPU Utilization: about 60%
Standby CSS 11501:
Peak CPU utilization: about 40%
Average CPU Utilization: unknown
I do not understand why CPU utilization of both New CSSs become high.
The traffic pass through New CSS less than Old CSS, because the traffic is separated into
Old CSS and New CSS.
And CSS's configuration parameters (service, content, access-list) also less than Old CSS,
because real servers are also separated into Old CSS and New CSS.
Old CSS indicated average of CPU utilization about 20% before installing New CSSs yesterday,
in spite of all traffic pass through Old CSS only.
I wrote "New CSS remains High CPU utilization", however end users do not feel the
performance issue (e.g., performance delay, communication failure and so on) and
the traffic pass through New CSS normally.
So I have the question "CSS 11501 sg0750303 remains High CPU utilization on normal situation ?"
And customer uses MTRG to poll SNMP for Old CSSs and New CSSs.
So I have the question "CSS 11501 sg0750303 become High CPU utilization in case of receiving
SNMP polling ?".
Or if this situation is abnormal we need to start investigation.
Would you please let me know how do we investigate this situation.
I found the DDTS CSCek57080 "Performance issue using arrowpoint-cookie with ASR".
Release note of this DDTS says that
A customer was using a CSS pair configuration where arrowpoint-cookie
is being used along with a redundant-index on many content rules. When
the flow rate increased to a few hundred flows/sec, the peer message
queue of the CSS receiving ASR related message began to fill up.
When the peer message queue became over subscribed, the CPU increased
and the CSS became unstable.
New CSSs have configured redunrant-index on two content rules, and end users do not feel the
performance issue (e.g., performance delay, communication failure and so on) and
the traffic pass through New CSS normally.
So I think this DDTS does not related to this case.
Your information would be greatly appreciated.
Best regards,

Gilles,
Thank you very much for your cooperation.
I got the capture you instructed us.
The following are additional information from our customer.
At time user traffic path through the active CSS, active CSS indicates;
CPU utilization always range of 30% - 40%
Peak CPU utilization about 60% - 80%
At time there is no user traffic pass through active CSS, active CSS indicates;
CPU utilization always range of 0% - 5%
Attached files are named "Active CSS.log" and "Standby CSS.log".
"Active CSS.log" is captured on active CSS and "Standby CSS.log" is captured on
standby CSS.
I found the following process is using resource by looking the output of
"shell 1 1 spyReport" command.
On active CSS,
tFlowMgrPktR 8ba24070 50 26% ( 1469) 20% ( 26)
On standby CSS,
fmPeerMsgTas 8a511510 50 16% ( 176) 10% ( 7)
Your comment would be greatly appreciated.
Best regards,

NAT and Servers behind CSS 11501

All,
Please forgive my asking this question again. I was injured shortly after asking the last time and out of work for a long period of time.
My problem stems from needing to allow my web servers to initiate traffic to the outside world from behind our CSS boxes.
The web servers sit behind a pair of CSS 11501 content switches in Active-Passive ASR with fate sharing. We are only interested at this time with load balancing HTTP and HTTPS.
Everything works inbound no problem.
What I need to do is setup some type of NAT for my 3 web servers to initiate HTTP/HTTPS for patches, send SMTP from the web apps, and initiate HTTPS for credit card validation.
I have setup NAT on PIX units and routers no problem, but I seem to be unable to do it on these boxes. :(
In reality something as simple as a PAT translation on the outside of the CSS boxes should be sufficient.
Is this possible with our setup? Does anyone have some code examples?
Thanks in advance.
Addresses changed to protect the innocent:
Load Balancer 1:
!*************************** GLOBAL ***************************
bridge spanning-tree disabled
sntp server 1.1.1.41 version 1
snmp community noway read-only
snmp community noway read-write
app session 1.1.1.252
app
logging subsystem netman level info-6
dns primary 2.2.2.41
dns secondary 2.2.2.42
ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
description "Connect to Primary DMZ 1 3550 Switch"
interface e2
bridge vlan 2
phy 100Mbits-FD
description "Connected to Primary LB Server Switch"
interface e8
description "Inter Switch Communication (ISC) Port"
isc-port-one
!************************** CIRCUIT **************************
circuit VLAN1
description "DMZ 1 Subnet (1.1.1.x/24)"
ip address 1.1.1.251 255.255.255.0
ip virtual-router 1 priority 254 preempt
ip redundant-interface 1 1.1.1.250
ip redundant-vip 1 1.1.1.161
ip redundant-vip 1 1.1.1.162
ip redundant-vip 1 1.1.1.70
ip redundant-vip 1 1.1.1.71
ip redundant-vip 1 1.1.1.72
ip critical-service 1 upstream_downstream
circuit VLAN2
description "Load Balanced Servers Subnet"
ip address 2.2.2.2 255.255.255.0
ip virtual-router 2 priority 254 preempt
ip redundant-interface 2 2.2.2.1
ip critical-service 2 upstream_downstream
Various Services, Owners and Content
Load Balancer 2:
!*************************** GLOBAL ***************************
bridge spanning-tree disabled
sntp server 1.1.1.41 version 1
snmp community noway read-only
snmp community noway read-write
app session 1.1.1.251
app
logging subsystem netman level info-6
dns primary 2.2.2.41
dns secondary 2.2.2.42
ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
description "Connect to Secondary DMZ 1 3550 Switch"
interface e2
bridge vlan 2
phy 100Mbits-FD
description "Connected to Secondary LB Server Switch"
interface e8
description "Inter Switch Communication (ISC) Port"
isc-port-one
!************************** CIRCUIT **************************
circuit VLAN1
description "DMZ 1 Subnet (1.1.1.x/24)"
ip address 1.1.1.252 255.255.255.0
ip virtual-router 1
ip redundant-interface 1 1.1.1.250
ip redundant-vip 1 1.1.1.161
ip redundant-vip 1 1.1.1.162
ip redundant-vip 1 1.1.1.70
ip redundant-vip 1 1.1.1.71
ip redundant-vip 1 1.1.1.72
ip critical-service 1 upstream_downstream
circuit VLAN2
description "Load Balanced Servers Subnet"
ip address 2.2.2.3 255.255.255.0
ip virtual-router 2
ip redundant-interface 2 2.2.2.1
ip critical-service 2 upstream_downstream
Various Services, Owners and Content.

Gilles,
I added the following commands, and things seem to be working.
To circuit VLAN1
ip redundant-vip 1 1.1.1.80
!*************************** GROUP ***************************
group natout
vip address 1.1.1.80
add service nat_web_servers
active
service nat_web_servers
ip address 192.168.1.10 range 3
active
I do have a question about the above service commands.
I have 3 servers behind the CSS. Let's call them 192.168.1.10, 192.168.1.11 and 192.168.1.12. Am I correct in my thinking that adding range 3 then allows a match on all 3 of those servers and the CSS will then PAT these servers from the VIP address assigned to the group?
Otherwise, I think you have resolved this problem for us. Thank you.

CSS 11501 Load Balancing with X-forwarded-for

Hi,
We have a pair of CSS 11501,
Currently it is using source ip for load balancing and 5 servers as backend , however we have users loggin in using http and based on its source IP (ISP PROXY) , it is forwarded to SERVER A.
However, we have a SSL page and when the client switches over to SSL , it is forwarded to SERVER B/C/D/E based on its source IP ( REAL CLIENT IP) .
This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
Is there any way that we can use the X-Forwarded-For address to load balance so that when users loging , they are sent to SERVER A (Based on X-Forwarded-For Header IP which translate to REAL CLIENT IP).
This way we are able to also send it back to the same server when it uses SSL.
I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP
Regards

Hi,
Unfortunately CSS does not support X-Forwarded-For, and even if CSS supports that, this wont work if you are not using SSL termination.
One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
In summary, you will have an SSL content rule that will decrypt the traffic, and this one will use the same content rule that already exist for HTTP, in case that the server is the one doing the redirect to SSL, but this is something that requires testing since depending on the redirect behavior we might have a redirect loop, but without details it is kind of hard to confirm that you will face this with this option.
Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
content HTTP-HTTPS
    vip address 10.198.44.70
    advanced-balance sticky-srcip
    add service server1
    add service server2
    add service server3
    add service server4
    add service server5
    protocol tcp
    active
Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
Thanks,
Rodrigo

CSS restore sticky ssl

Hi everyone,
I am facing a strange issue. I have a SSLv3 service running on two servers behind a pair of(active-standby) CSS 11501, wich do advance-balance ssl. Few days ago I noticed that the CSS stopped the LB and start sending he request to only one server( both alive). I think that is hapening due to the SSL-layer 4 fallback. How do I verify it , and restore stickyness with session ID?
Thanks in advance
David

Further observations:
issueing the commnd ssl-l4-fallback disable, restores the load balance. This means, I think, that the l4-fallback was activated. The questions remaiins, why, if we are using ssl v3? why the l4 sticky table has no entries. Here is a ssldump example:
New TCP connection #2: 172.16.20.1(46311) <-> 172.26.80.1(3034)
2 1 0.0011 (0.0011) C>SV3.0(95) Handshake
ClientHello
Version 3.0
random[32]=
46 8a 31 6f 87 94 35 a8 30 16 42 5e e9 6e 31 c0
d6 17 ac eb 92 9c 53 db 85 92 df 30 0e 67 90 90
cipher suites
Unknown value 0x39
Unknown value 0x38
Unknown value 0x35
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0x33
Unknown value 0x32
Unknown value 0x2f
SSL_DHE_DSS_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_RC2_56_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
SSL_RSA_EXPORT1024_WITH_RC4_56_MD5
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_EXPORT_WITH_RC4_40_MD5
compression methods
NULL
2 2 0.0025 (0.0014) S>CV3.0(74) Handshake
ServerHello
Version 3.0
random[32]=
46 8a 19 d6 a8 f5 88 8e d4 d5 16 06 df 1e 8e e5
0e 7c 1b f2 f8 bb b9 c8 7d c6 e2 f8 fe e6 7f b0
session_id[32]=
db 23 61 fa 35 5a ef 0e da 3d be b0 c2 85 39 9f
4d b1 75 5d 5b ef c8 46 bc 4d db ab 31 23 d6 d4
cipherSuite SSL_RSA_WITH_3DES_EDE_CBC_SHA
compressionMethod NULL
2 3 0.0025 (0.0000) S>CV3.0(1147) Handshake
Certificate
2 4 0.0025 (0.0000) S>CV3.0(4) Handshake
ServerHelloDone
2 5 0.2346 (0.2320) C>SV3.0(260) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[256]=
1b a5 47 46 7b 9a 8b 84 88 d4 54 ba 23 c7 7a 31
db 8a 74 c2 02 3b 8b 50 75 c3 c8 c0 38 4c 18 e8
0a e8 c8 47 39 ff 9b 3c 6a cc d3 21 78 69 e6 50
88 55 e8 b3 d3 b1 2a 04 b3 ba 66 e4 c8 49 f4 8e
a0 bd 74 60 e9 f2 0c a1 25 47 03 4e 6c ed 96 52
de 2a 9a 60 29 c5 f6 21 c8 3e 58 ef af 3f 12 b2
ee 34 c0 70 12 d0 64 30 28 65 ed fb ff 65 f2 de
d0 bf cd e6 26 79 6f 3c 61 5f df da bf ac 4a cf
4c 0e 0c 66 44 e1 b2 a3 34 f2 27 75 f0 e4 e7 a4
48 06 76 93 73 0d 09 75 35 ea a1 91 d9 c8 ad 58
b9 1f 45 bf c6 09 61 cb 2d 75 4a ba ed 45 15 44
0f fc 9e 5b 90 e7 b2 86 15 1c 43 a5 52 0d c7 1e
d8 81 42 db 77 35 99 4d 0d 5b 20 e6 dd c5 a1 7d
64 9a 13 d2 99 b7 1d 94 a7 fe ce b6 67 7d df b9
25 fb 27 d2 6e 90 49 54 b9 c1 10 32 eb 42 df 43
b6 1c 94 4e ee 0b ca 29 27 8a 3d b8 fe 59 00 f4
2 6 0.2346 (0.0000) C>SV3.0(1) ChangeCipherSpec
2 7 0.2346 (0.0000) C>SV3.0(64) Handshake
2 8 0.2708 (0.0362) S>CV3.0(1) ChangeCipherSpec
2 9 0.2708 (0.0000) S>CV3.0(64) Handshake
2 10 0.3074 (0.0365) C>SV3.0(40) application_data
2 11 7.9036 (7.5961) S>CV3.0(24) application_data
2 12 7.9036 (0.0000) S>CV3.0(104) application_data
2 13 7.9036 (0.0000) S>CV3.0(24) Alert
2 7.9036 (0.0000) S>C TCP FIN
2 14 7.9464 (0.0427) C>SV3.0(24) Alert
2 7.9524 (0.0059) C>S TCP FIN
As you can see session ID is sent correctly.
David

CSS 11501 using wildcard certificates

Hello,
I'm about to switch to wildcard certificates in a CSS 11501, however there are some doubts that I would like to clarify:
- When generating the CSR can i use *.mycompany.com for CN ?
- Should the CSR be generated only once or every time i need to create a new content rule i need to generate it?
- If only once can I associate multiple filenames with only one certificate?
ssl associate cert myrsacert1 certificate.pem; ssl associate cert myrsacert2 certificate.pem...
Thanks for your help,
Best regards,
Claudio

Hello Claudio,
- When generating the CSR can i use *.mycompany.com for CN?
Yes that will take care of any subdomain you need... something that you need to consider is that this wilcard will cover site like cars.mycompany.com or shop.mycompany.com but if you have a site that looks like ftp.shop.mycompany.com then you'll need a wildcard that looks like *.*.mycompany.com.
The CSR is generated only once and from there you send it to your CA to have signed off.
Not sure I fully understood your second question, once you received the cert and key whether in PFX or PEM format from your CA, you'll upload these to your CSS using FTP and then associate the file(s) to a name that is only meaningful to the SSL proxy list within your CSS.
HTH
Pablo

Renew certificate CSS 11501

I have a CSS 11501 running 08.10.1.06. Is there a way to renew the existing SSL certificate on the box or must I create a new one? All the doc I've read basically treats renewing the same as creating a new cert. Thanks for your help.

Hi,
In the world of SSL certificates the concept of renewing doesn't exist. You always need to create a new certificate and import it to replace the old one.
To generate this new certificate, you can either use the old private key or create a new one. If you use a new one, then, make sure to also import it along with the new certificate.

How to reset password on Cisco CSS 11501?

Hi,
I have changed the password for the Admin user (which was SuperUser) but when I changed it I forgot to add "SuperUser" at the end, now I don't have SuperUser access to the CSS 11501.
Can anyone shade some light on this problem and explain how can I reset the password for a SuperUser?
Thanks in Advance,
Shai

Hi Shai,
You need to reboot the CSS. When prompt, hit any key to go into the Offline Diagnostic Menu.
When you get in the menu, you will go to Administrative options and create an additional Admin user. When you do this, DO NOT use "admin", use something totally different.
Get out of the Offline DM and reboot the CSS. When the CSS comes up, login as the new user (which will have Superuser rights) and run the "username" cli to change the password of "admin" and add the superuser part this time.
Regards
Pete Knoops
Cisco Systems

CSS 11501 StartUp Problem

Hi all,
After i boot up for the first time, the CSS asked for change User/Pass, wich i perform a well known ones.
After that it's always impossible to login.
Is there any way of return to factory default Settings?
or
Is there any password recovery procedure?
or
What are the default User/Pass of the equipment?
I already done a Power Off/On on it with no results.
Best Regards,
Petr?nio

Hi,
I perform the password recovery, as it was documented and then its always getting the "CSS 11501 Offline Diagnostic Monitor menu (OffDM)" Menu, even if i dont press the Y key in the bootup question "Would you like to access the Offline Diagnostic Monitor? (Y)"
Any ideias?
How can i test the login i changed before?
Here is the bootup logging that appear's.
I'm not pressing any key.
******** Boot UP ********
CSS 11501 Offline Diagnostic Monitor menu (OffDM)
Version: 08.10.1.06
M A I N M E N U
Enter the number of a menu selection:
1* Set Boot Configuration
2. Show Boot Configuration
3* Advanced Options
4. Reboot System
> 4
Are you sure you want to reboot? (y/n) [n] y
Rebooting....
BootRom...booting
Copyright (1998-2002), Cisco Systems, Inc
Locked boot flash.
Validating operational boot flash, please wait...
Operational boot flash valid. Jumping to operational boot flash.
Copyright (1998-2002), Cisco Systems, Inc
Operational boot flash.
Attaching interrupt handlers...Done.
Built Mar 9 2006 @ 17:56:32
Version 08.10.1.06
Press to enter the Diagnostic Monitor
Ran 1 times, 24 tests. Detected 0 errors.
Booting OffDm @ 0xbff00000
SCM:MASTER Other:NOT-PRESENT
Initializing the disk...OK
Reading configuration records...
No Primary or Secondary Boot Record Found
FAILED
MGMT disabled, network port not active
Would you like to access the Offline Diagnostic Monitor? (Y)
Booting(-) ...
Transferring to menu...
Waiting for commands..
CSS 11501 Offline Diagnostic Monitor menu (OffDM)
Version: 08.10.1.06
M A I N M E N U
Enter the number of a menu selection:
1* Set Boot Configuration
2. Show Boot Configuration
3* Advanced Options
4. Reboot System
>

CSS 11501 and SSL

Similar Messages

Maybe you are looking for