CSS 11501 Disable plain HTTP to VIP
Hi,
How does one disable plaintext http access to the VIP of the 11501? In other words, is it possible to have the device listen _only_ on 443 and not on port 80 for incoming requests? We do not want to provide plain http access to the VIP which is handling SSL encryption/decryption for our backend servers.
thanks,
Matt
Matt,
take a look at the config in my post 'Sticky Situation with CSS-11503'
We are set to only take https traffic inbound, which gets routed through the ssl module for decryption; http traffic gets an error msg if it hits the css.
Hope this helps
Mark
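One way to verify the answer to Matt's question on a real config dump, as an added example that is not code from the thread or from Cisco: this Python script parses the `content` rules of a CSS running-config and reports, per VIP, whether any active rule listens on port 80 or has no `port` line at all (a portless rule matches every port, 80 included). The sample config and its addresses are constructed, modelled on the configs quoted further down this page.

```python
"""Audit Cisco CSS content rules for plaintext listeners (added example).

Parses the 'content' blocks of a CSS running-config and reports, per VIP,
which TCP ports the active rules expose, so you can confirm that an SSL VIP
has no port-80 rule and spot portless rules, which match every port.
"""
from collections import defaultdict

# Constructed sample modelled on the configs quoted in this thread; the
# addresses are documentation-range placeholders, not real devices.
SAMPLE_CONFIG = """\
!*************************** OWNER ***************************
owner Example
  content Web-Prod
    vip address 192.0.2.39
    add service s1
    protocol tcp
    port 80
    url "/*"
    active
  content Web-Prod-443
    vip address 192.0.2.39
    protocol tcp port 443
    application ssl
    add service s1-443
    active
  content HTTP-HTTPS
    vip address 192.0.2.70
    advanced-balance sticky-srcip
    add service s2
    protocol tcp
    active
  content Secure-Only
    vip address 192.0.2.46
    protocol tcp
    port 443
    application ssl
    add service s3
    active
  content Web-Old
    vip address 192.0.2.46
    port 80
    add service s3
"""

# Any of these keywords starts a new top-level block and closes an open rule.
TOP_LEVEL = ("content", "service", "group", "owner", "circuit", "interface")


def parse_content_rules(config_text):
    """Return one dict per 'content' block with the fields the audit needs."""
    rules = []
    current = None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue  # blank line or comment banner
        if tokens[0] in TOP_LEVEL:
            current = None
        if tokens[0] == "content" and len(tokens) > 1:
            current = {"name": tokens[1], "vip": None, "port": None, "active": False}
            rules.append(current)
            continue
        if current is None:
            continue  # inside a service/group/owner block, not a content rule
        if tokens[:2] == ["vip", "address"] and len(tokens) > 2:
            current["vip"] = tokens[2]
        elif tokens[0] == "port" and len(tokens) > 1 and tokens[1].isdigit():
            current["port"] = int(tokens[1])
        elif (tokens[0] == "protocol" and len(tokens) > 3
              and tokens[2] == "port" and tokens[3].isdigit()):
            current["port"] = int(tokens[3])  # one-line 'protocol tcp port N' form
        elif tokens == ["active"]:
            current["active"] = True
    return rules


def audit_vips(rules):
    """Group active rules by VIP and flag port-80 and portless exposure."""
    by_vip = defaultdict(list)
    for rule in rules:
        if rule["active"] and rule["vip"]:  # a suspended rule does not listen
            by_vip[rule["vip"]].append(rule)
    findings = {}
    for vip, vip_rules in sorted(by_vip.items()):
        ports = sorted({r["port"] for r in vip_rules if r["port"] is not None})
        portless = [r["name"] for r in vip_rules if r["port"] is None]
        plaintext = [r["name"] for r in vip_rules if r["port"] == 80]
        findings[vip] = {
            "ports": ports,
            "portless_rules": portless,    # match every TCP port, 80 included
            "plaintext_rules": plaintext,  # an explicit HTTP listener
            "https_only": ports == [443] and not portless,
        }
    return findings
```

Feed the output of `show running-config` to `parse_content_rules` and look for any VIP whose `https_only` is false; `Web-Old` in the sample shows that a rule without `active` is correctly ignored.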
Similar Messages
-
CSS 11501 Not Passing HTTPS or 443
When I go directly to the server address I can resolve both 80 and 443.
When I go via vip I get port 80 but can't connect to port 443.
Simple pass-thru config not terminating the Cert on the CSS or using the SCM.
!*************************** GLOBAL ***************************
ip redundancy
bridge spanning-tree disabled
no restrict web-mgmt
idle timeout web-mgmt 15
app
app session 1.1.1.2 14 authChallenge cisco encryptMd5hash rcmdEnable
dns primary xxx.xxx.13.41
dns secondary xxx.xxx.15.248
ip route 0.0.0.0 0.0.0.0 10.1.104.253 1
-INTERFACE-
interface e1
bridge vlan 10
phy 100Mbits-FD
description "Client-Side VLAN"
interface e4
bridge vlan 20
description "Redundancy Protocol Heartbeat"
phy 100Mbits-FD
interface e8
phy 100Mbits-FD
bridge vlan 30
description "Server-Side VLAN"
interface Ethernet-Mgmt
description "Management"
phy 10Mbits-HD
- CIRCUIT -
circuit VLAN10
description "Client-Side VLAN"
redundancy
ip address 10.1.104.3 255.255.255.0
circuit VLAN20
description "Redundancy Protocol Heartbeat"
ip address 1.1.1.1 255.255.255.252
redundancy-protocol
circuit VLAN30
description "Server-Side VLAN"
redundancy
ip address xxx.xxx.14.52 255.255.255.0
no redirects
- SERVICE -
service Mmobile01
ip address xxx.xxx.14.192
port 80
keepalive type tcp
active
service Mmobile01-443
ip address xxx.xxx.14.192
port 443
keepalive type tcp
active
service Mmobile02
ip address xxx.xxx.14.101
port 80
keepalive type tcp
active
service Mmobile02-443
ip address xxx.xxx.14.101
port 443
keepalive type tcp
active
service Mmobile03
ip address xxx.xxx.14.143
port 80
keepalive type tcp
active
service Mmobile03-443
ip address xxx.xxx.14.143
port 443
keepalive type tcp
active
service Mmobile04
ip address xxx.xxx.14.208
port 80
keepalive type tcp
service Mmobile04-443
ip address xxx.xxx.14.208
port 443
keepalive type tcp
keepalive port 443
service Mmobile05
ip address xxx.xxx.14.169
port 80
keepalive type tcp
active
service Mmobile05-443
ip address xxx.xxx.14.169
port 443
keepalive type tcp
keepalive port 443
active
service UpStreamRouter
ip address 10.1.104.253
type redundancy-up
active
- OWNER -
owner XXXX
content Web-NonProd
vip address xxx.xxx.14.46
add service Mmobile04
add service Mmobile05
balance leastconn
advanced-balance sticky-srcip
protocol tcp
port 80
url "/*"
active
content Web-NonProd-443
vip address xxx.xxx.14.46
balance leastconn
advanced-balance sticky-srcip
protocol tcp
port 443
add service Mmobile04-443
add service Mmobile05-443
content Web-Prod
vip address xxx.xxx.14.39
add service Mmobile01
add service Mmobile02
add service Mmobile03
balance leastconn
protocol tcp
port 80
url "/*"
advanced-balance sticky-srcip
active
content Web-Prod-443
vip address xxx.xxx.14.39
balance leastconn
advanced-balance sticky-srcip
protocol tcp
port 443
url "/*"
add service Mmobile01-443
add service Mmobile02-443
add service Mmobile03-443
active
- GROUP -
group XXXX-NonProd
vip address xxx.xxx.14.46
add destination service Mmobile04
add destination service Mmobile04-443
add destination service Mmobile05-443
add destination service Mmobile05
active
group XXXX-Prod
vip address xxx.xxx.14.39
add destination service Mmobile01
add destination service Mmobile01-443
add destination service Mmobile02
add destination service Mmobile02-443
add destination service Mmobile03
add destination service Mmobile03-443
Hi,
During the client's session, the transition is made to SSL port 443 when the client selects a link on the page that redirects to https. This causes a new content rule to be hit, and the client may be load-balanced to another server. As the traffic is now encrypted https (SSL/TLS), the CSS is not able to check above layer 4 (the TCP port number) for cookies, URLs etc., because the requests are encrypted when the information passes the CSS. In order to prevent this issue, configure the redirecting HREF on each server to point back to https at the same server's public address, not the VIP address, as shown here:
<a href="https://servers_own_ip_address/path">secure site</a>
If your servers are in a private address space, configure SSL content rules for each server with an HREF on each server that points to the SSL content rule's VIP.
Below is the configuration example for your reference:
!Generated on 10/10/2001 18:12:17
!Active version: ap0500015s
configure
!************************** SERVICE**************************
service s1
ip address 10.10.1.101
active
service s2
ip address 10.10.1.102
active
!*************************** OWNER***************************
owner cookie-ssl
content layer5cookie
vip address 10.10.1.66
protocol tcp
port 80
url "/*"
advanced-balance arrowpoint-cookie
!--- Specify a port in the content rule to use this option.
!--- Port 80 traffic is used here.
!--- All clients must enable cookies on their browser.
add service s1
add service s2
active
content s1-ssl
vip address 10.10.1.88
protocol tcp
port 443
application ssl
add service s1
active
content s2-ssl
vip address 10.10.1.99
protocol tcp
port 443
application ssl
add service s2
active
!--- Use this HREF on server S1 where switching from http to https:
<a href="https://10.10.1.101/applicationpath1/">secure site s1</a>
!--- Use this HREF on server S2 where switching from http to https:
<a href="https://10.10.1.102/applicationpath2">secure site s2</a>
!--- In the example, the addresses for servers s1 and s2 must be
!--- reachable from the client. If this is not the case, you must add a
!--- content rule for each server with a unique publicly routable VIP
!--- address and one service for each SSL server, as shown here:
content s1-ssl
vip address 10.10.1.88
protocol tcp port 443
application ssl
add service s1
active
content s2-ssl
vip address 10.10.1.99
protocol tcp port 443
application ssl
add service s2
active
!--- Use this HREF on server s1 where the switch from http to https occurs:
<a href="https://10.10.1.88/applicationpath1/">secure site s1</a>
!--- Use this HREF on server s2 where the switch from http to https occurs:
<a href="https://10.10.1.99/applicationpath2">secure site s2</a>
Hope this will help you.
Here are the reference URLs:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a00801de8d6.shtml
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a008009450d.shtml -
Getting logs for DOS Attack:Sync Attack on cisco CSS 11501 frequently.
Hi ,
For a couple of weeks, I have been getting the DOS attack logs below on the Cisco CSS. Can anyone help me out with how we can avoid this and how to deal with it?
04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
Thanks
Manish
Hi Nicolas,
The reason I am asking about the DOS attack is that I am facing some issues for the 2 VIPs configured in the Cisco CSS 11501.
Can you help me troubleshoot the issue?
I have come across some load balancing issues for the 2 VIPs configured on the Cisco CSS 11501.
We have a Cisco CSS 11501. We have 2 VIPs configured on it for FE and BE servers. The client calls the FE VIP and the LB forwards it to a server; then the FE server calls the BE VIP, which goes through the same LB and is forwarded to a BE server under the VIP. When we start a load test, we have observed that after a 2 hour test the application team gets HTTP timeouts. As this application is used by the call center, getting timeouts is bad.
I need to troubleshoot this issue if there is any problem from the LB end.
Please find the attached file for VIP configs. -
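Before deciding whether the SYN Attack messages above need action, it helps to see how often they fire and whether they cluster. This added Python example (not from the thread or from Cisco) parses the log format Manish quotes, totals events and reported detections per day, and lists consecutive events closer together than a chosen window; the sample input is the five lines quoted above plus one constructed non-matching line.

```python
"""Summarise CSS 'DOS Attack' syslog lines per day and flag bursts (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The five lines quoted in the post plus one constructed unrelated line,
# to show that non-matching messages are skipped rather than miscounted.
SAMPLE_LOG = """\
04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
04/24/2011 15:31:00:Enterprise:Link up on e1
"""

# 'MM/DD/YYYY HH:MM:SS:Enterprise:DOS Attack:<kind> -> <count> times'
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}):Enterprise:DOS Attack:"
    r"(?P<kind>.+?) -> (?P<count>\d+) times$"
)


def parse_dos_events(text):
    """Return a list of {'time', 'kind', 'count'} dicts for matching lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # not a DOS Attack message
        events.append({
            "time": datetime.strptime(match.group("ts"), "%m/%d/%Y %H:%M:%S"),
            "kind": match.group("kind"),
            "count": int(match.group("count")),
        })
    return events


def summarise_by_day(events):
    """Per calendar day: number of log events and the sum of their '-> N times' counts."""
    per_day = defaultdict(lambda: {"events": 0, "detections": 0})
    for event in events:
        day = event["time"].date().isoformat()
        per_day[day]["events"] += 1
        per_day[day]["detections"] += event["count"]
    return dict(per_day)


def find_bursts(events, window=timedelta(minutes=5)):
    """Pairs of consecutive events less than `window` apart; repeated bursts
    point to a persistent source rather than a one-off scan."""
    ordered = sorted(events, key=lambda e: e["time"])
    return [(a, b) for a, b in zip(ordered, ordered[1:])
            if b["time"] - a["time"] < window]
```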
NAT and Servers behind CSS 11501
All,
Please forgive my asking this question again. I was injured shortly after asking the last time and out of work for a long period of time.
My problem stems from needing to allow my web servers to initiate traffic to the outside world from behind our CSS boxes.
The web servers sit behind a pair of CSS 11501 content switches in Active-Passive ASR with fate sharing. We are only interested at this time with load balancing HTTP and HTTPS.
Everything works inbound no problem.
What I need to do is setup some type of NAT for my 3 web servers to initiate HTTP/HTTPS for patches, send SMTP from the web apps, and initiate HTTPS for credit card validation.
I have setup NAT on PIX units and routers no problem, but I seem to be unable to do it on these boxes. :(
In reality something as simple as a PAT translation on the outside of the CSS boxes should be sufficient.
Is this possible with our setup? Does anyone have some code examples?
Thanks in advance.
Addresses changed to protect the innocent:
Load Balancer 1:
!*************************** GLOBAL ***************************
bridge spanning-tree disabled
sntp server 1.1.1.41 version 1
snmp community noway read-only
snmp community noway read-write
app session 1.1.1.252
app
logging subsystem netman level info-6
dns primary 2.2.2.41
dns secondary 2.2.2.42
ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
description "Connect to Primary DMZ 1 3550 Switch"
interface e2
bridge vlan 2
phy 100Mbits-FD
description "Connected to Primary LB Server Switch"
interface e8
description "Inter Switch Communication (ISC) Port"
isc-port-one
!************************** CIRCUIT **************************
circuit VLAN1
description "DMZ 1 Subnet (1.1.1.x/24)"
ip address 1.1.1.251 255.255.255.0
ip virtual-router 1 priority 254 preempt
ip redundant-interface 1 1.1.1.250
ip redundant-vip 1 1.1.1.161
ip redundant-vip 1 1.1.1.162
ip redundant-vip 1 1.1.1.70
ip redundant-vip 1 1.1.1.71
ip redundant-vip 1 1.1.1.72
ip critical-service 1 upstream_downstream
circuit VLAN2
description "Load Balanced Servers Subnet"
ip address 2.2.2.2 255.255.255.0
ip virtual-router 2 priority 254 preempt
ip redundant-interface 2 2.2.2.1
ip critical-service 2 upstream_downstream
Various Services, Owners and Content
Load Balancer 2:
!*************************** GLOBAL ***************************
bridge spanning-tree disabled
sntp server 1.1.1.41 version 1
snmp community noway read-only
snmp community noway read-write
app session 1.1.1.251
app
logging subsystem netman level info-6
dns primary 2.2.2.41
dns secondary 2.2.2.42
ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
description "Connect to Secondary DMZ 1 3550 Switch"
interface e2
bridge vlan 2
phy 100Mbits-FD
description "Connected to Secondary LB Server Switch"
interface e8
description "Inter Switch Communication (ISC) Port"
isc-port-one
!************************** CIRCUIT **************************
circuit VLAN1
description "DMZ 1 Subnet (1.1.1.x/24)"
ip address 1.1.1.252 255.255.255.0
ip virtual-router 1
ip redundant-interface 1 1.1.1.250
ip redundant-vip 1 1.1.1.161
ip redundant-vip 1 1.1.1.162
ip redundant-vip 1 1.1.1.70
ip redundant-vip 1 1.1.1.71
ip redundant-vip 1 1.1.1.72
ip critical-service 1 upstream_downstream
circuit VLAN2
description "Load Balanced Servers Subnet"
ip address 2.2.2.3 255.255.255.0
ip virtual-router 2
ip redundant-interface 2 2.2.2.1
ip critical-service 2 upstream_downstream
Various Services, Owners and Content.
Gilles,
I added the following commands, and things seem to be working.
To circuit VLAN1
ip redundant-vip 1 1.1.1.80
!*************************** GROUP ***************************
group natout
vip address 1.1.1.80
add service nat_web_servers
active
service nat_web_servers
ip address 192.168.1.10 range 3
active
I do have a question about the above service commands.
I have 3 servers behind the CSS. Let's call them 192.168.1.10, 192.168.1.11 and 192.168.1.12. Am I correct in my thinking that adding range 3 then allows a match on all 3 of those servers and the CSS will then PAT these servers from the VIP address assigned to the group?
Otherwise, I think you have resolved this problem for us. Thank you. -
CSS 11501 Load Balancing with X-forwarded-for
Hi,
We have a pair of CSS 11501,
Currently it is using source IP for load balancing and 5 servers as backend; however, we have users logging in using http and, based on their source IP (ISP PROXY), they are forwarded to SERVER A.
However, we have a SSL page and when the client switches over to SSL , it is forwarded to SERVER B/C/D/E based on its source IP ( REAL CLIENT IP) .
This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
Is there any way that we can use the X-Forwarded-For address to load balance, so that when users log in they are sent to SERVER A (based on the X-Forwarded-For header IP, which translates to the REAL CLIENT IP)?
This way we are also able to send them back to the same server when they use SSL.
I believe that we should be able to load balance using the X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into the client source IP.
Regards
Hi,
Unfortunately the CSS does not support X-Forwarded-For, and even if the CSS supported that, this won't work if you are not using SSL termination.
One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
In summary, you will have an SSL content rule that decrypts the traffic, and this one will use the same content rule that already exists for HTTP, in case the server is the one doing the redirect to SSL. But this is something that requires testing, since depending on the redirect behaviour we might have a redirect loop; without details it is kind of hard to confirm that you will face this with this option.
Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
content HTTP-HTTPS
vip address 10.198.44.70
advanced-balance sticky-srcip
add service server1
add service server2
add service server3
add service server4
add service server5
protocol tcp
active
Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
Thanks,
Rodrigo -
CSS 11501 Load Balancing Issue
Hi,
We are facing some issues in load balancing on a Cisco CSS 11501, as we are not able to access the application through the virtual IP. Below is the running configuration of the CSS:
CSS11501# sh running-config
!Generated on 10/06/2010 16:51:34
!Active version: sg0810106
configure
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 132.186.199.1 1
!************************** CIRCUIT **************************
circuit VLAN1
ip address 132.186.199.145 255.255.255.0
!************************** SERVICE **************************
service Server1
ip address 132.186.199.243
port 5001
protocol tcp
keepalive port 5001
active
service Server2
ip address 132.186.199.246
protocol tcp
port 5001
keepalive port 5001
active
!*************************** OWNER ***************************
owner L5_Owner
content L3_Rule
vip address 132.186.199.146
protocol tcp
port 5001
add service Server1
add service Server2
active
content L5_Rule
vip address 132.186.199.146
add service Server1
add service Server2
protocol tcp
port 5001
url "//132.186.199.146:5001/emi"
active
CSS11501#
Observation : We are able to telnet on VIP: 132.186.199.146 on port 5001, but not able to access the application.
In the actual scenario the customer accesses the application via the URL http://132.186.199.243:5001/emi, and once he enters this URL in the web browser the request is redirected (by the server itself) to the URL https://132.186.199.44:6002/cas/login?service=http%3A%2F%2F132.186.199.243%3A5001%2Femi%2Findex.jsp&acceptStrength=BASIC on the backend server for user authentication; once the user is authenticated it redirects again to the main URL (http://132.186.199.243:5001/emi) to access the application. But when we try to access the application through the VIP (URL: http://132.186.199.146:5001/emi) we do not get the login page, as the request is not getting redirected to the backend server for user authentication.
Please suggest a solution here.
The problem is that you are in one-armed mode.
So you need to configure client nat.
Without nating the client ip address, the server response goes back directly to the client and bypasses the CSS.
Therefore the client receives a response from an unknown server ip address (not the vip).
So configure a group.
For example
group Client
vip address 132.186.199.146
add destination service Server1
add destination service Server2
active
Also, remove the url command from your content rule.
It is useless in your case and will just make performance worse.
Gilles. -
CSS 11501 - Network reconnection issue
Using a CSS 11501 switch to configure both Load balancing and server hot standby between two servers (of same config). Clients are connecting to the server using tcp/ip sessions.
The configuration used is shown below:
=========================================
configure
ip route 0.0.0.0 0.0.0.0 10.167.50.1 1
!************************* INTERFACE
interface e2
bridge vlan 9
interface e3
bridge vlan 9
!************************** CIRCUIT
circuit VLAN1
ip address 10.167.50.108 255.255.254.0
circuit VLAN9
ip address 10.167.70.1 255.255.254.0
!************************** SERVICE
service abc_service1
ip address 10.167.70.2
protocol tcp
port 6300
keepalive type tcp
active
service abc_service2
ip address 10.167.70.3
protocol tcp
port 6300
keepalive type tcp
active
!*************************** OWNER
owner xxxxx
content abc_crule
vip address 10.167.50.109
add service abc_service1
add service abc_service2
protocol tcp
port 6300
balance aca
active
===============================
We conducted three tests to verify the hot standby while the client was sending data to the server app through tcp/ip:
1) Brought down the service on one server.
2) Restarted the OS (Windows 2003) on one server.
3) Removed the network cable of one of the servers connecting to the CSS.
The client app lost the connection to the service/server, but when it tried reconnecting to the alternate server, it was successful.
The CSS status reflected the actual status of the service/server.
But in the third test (removing the network connection) the service state changed from "Alive" to "Down" and the client app lost the connection to the server. The client app tried reconnecting and was successful connecting to the alternate server.
But when we connected the network cable back, the CSS state continued to be "Down". Also, the network connection between the CSS and the server was not available after reconnection. Also, the status of the alternate server changed to "Down", but the client app was still successfully transmitting to the alternate server. After stopping the client app and trying to reconnect, the connection was not going through.
The connection could be established between the CSS and the server boxes only after restarting the OS (running Windows 2003).
Issues:
1. Service status in CSS continue to be down even after reconnecting the cable with the service running.
2. CSS status of the first service also went down after reconnecting the other server.
3. Client app could not reconnect to any of the servers.
Are we missing any configuration parameter in CSS which will address the above?
regards
Param
Param,
what software version for the CSS ?
Did you see an ARP entry on the server for the CSS ?
Did you see an ARP entry on the CSS for the server ?
Is the server directly connected to the CSS or is there an L2 switch in between?
Could you configure 'bridge spanning-tree disabled' on the CSS and see if this improves the situation.
Regards,
Gilles. -
Do I need a live internet/DNS environment to test this switch? I have bridged vlan2 to e1. My VIP is set to X.X.X.47 and I have two services set to X.X.X.45 and .46. They both say active. The e1 port is up but my vlan2 is down. I am assuming that the circuit is my problem.
When you define a vlan IP address, the manual says that this is the IP address that the CSS will receive traffic from, so that would be the virtual IP .47 that links to either .45 or .46, right?
Am I supposed to configure 1 web server IP per port on the CSS switch? I currently connect the 2 web servers to an 8-port 10/100 switch and I have a straight ethernet cable from that 10/100 switch to port 1 (e1) on the CSS switch.
Are all my port numbers supposed to be configured to 80 since they are being used for HTTP? Am I to use the HTTP keepalive function as well?
I guess any additional info would be great. I guess this isn't a click, click, and go switch like someone said.
Ok. Thanks for the tip on the examples. I have tried to follow them as much as possible and have made progress, but I am still having problems with a few things that I can't seem to find answers for.
CSS 11501 = IP 10.0.0.49 Subnet 255.255.255.0 Gateway 10.0.0.1
Srv01 = IP 10.1.0.45 Subnet 255.255.255.0 Gateway NONE
Srv02 = IP 10.1.0.46 Subnet 255.255.255.0 Gateway NONE
Dell 2708 = IP 10.0.0.13 subnet 255.255.255.0 Gateway 10.0.0.1
Client = IP 10.0.0.113 subnet 255.255.255.0 Gateway 10.0.0.1
I have Srv01 and Srv02 plugged into the CSS 11501 with IP address listed above. They reside in e7 and e8.
I have a cable from e1 to the dell 2708.
I have a laptop with a cable to the dell 2708.
I have configured a vlan (VLAN10) which includes ports e7 and e8 with an IP interface of 10.1.0.1. Status is active (GREEN)
I have configured two services with Srv01 and Srv02 and the status of both are active (Green)
I have created a content rule which includes both srv01 and srv02 with a VIP of 10.1.0.25. Status is active (green)
So I go to one of the web servers that is plugged into e7 or e8 and I can ping 10.1.0.25 successfully on both boxes. But I can only ping each server's IP address on its own box. In other words I can't ping cross server. When I try to access 10.1.0.25 from the servers the page doesn't come up. I know the VIP works because I can ping it.
I have also configured a VLAN (VLAN5) for e1 which goes to the dell 2708 with an IP of 10.0.0.48. But the status is down.
I am doing something wrong and can't seem to figure it out. Any suggestions? I can diagram a picture in Visio if you need a visual aid. I might consider Cisco University after all this. -
Cisco CSS 11501 Capacity Planning
We have a pair of CSS 11501 units which currently have one VIP in front of two servers. Hence they are not being utilised at all.
I've been asked about putting some additional services on these but have no idea what sort of capacity they could take, i.e. max servers, max VIPs, max users/connections.
I've looked around but cannot find any documentation that helps. The following: http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps792/product_data_sheet0900aecd800f851e.html document states it has a '6Gbps Bandwidth Aggregate', which is strange as it doesn't even have that physical capacity?
Any help appreciated.
http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps792/product_data_sheet0900aecd800f851e.html
No limit for VIPs and servers (except you need to keep your config under 10k lines)
Number of concurrent connections is 200k per module and there is only 1 module in the 11501
Gilles. -
Hi all,
After I booted up for the first time, the CSS asked to change the user/pass, which I performed with well-known ones.
After that it's always impossible to login.
Is there any way of return to factory default Settings?
or
Is there any password recovery procedure?
or
What are the default User/Pass of the equipment?
I have already done a power off/on on it with no results.
Best Regards,
Petr?nio
Hi,
I performed the password recovery as it was documented, and then it always gets to the "CSS 11501 Offline Diagnostic Monitor menu (OffDM)" menu, even if I don't press the Y key at the boot-up question "Would you like to access the Offline Diagnostic Monitor? (Y)".
Any ideas?
How can I test the login I changed before?
Here is the boot-up logging that appears.
I'm not pressing any key.
******** Boot UP ********
CSS 11501 Offline Diagnostic Monitor menu (OffDM)
Version: 08.10.1.06
M A I N M E N U
Enter the number of a menu selection:
1* Set Boot Configuration
2. Show Boot Configuration
3* Advanced Options
4. Reboot System
> 4
Are you sure you want to reboot? (y/n) [n] y
Rebooting....
BootRom...booting
Copyright (1998-2002), Cisco Systems, Inc
Locked boot flash.
Validating operational boot flash, please wait...
Operational boot flash valid. Jumping to operational boot flash.
Copyright (1998-2002), Cisco Systems, Inc
Operational boot flash.
Attaching interrupt handlers...Done.
Built Mar 9 2006 @ 17:56:32
Version 08.10.1.06
Press to enter the Diagnostic Monitor
Ran 1 times, 24 tests. Detected 0 errors.
Booting OffDm @ 0xbff00000
SCM:MASTER Other:NOT-PRESENT
Initializing the disk...OK
Reading configuration records...
No Primary or Secondary Boot Record Found
FAILED
MGMT disabled, network port not active
Would you like to access the Offline Diagnostic Monitor? (Y)
Booting(-) ...
Transferring to menu...
Waiting for commands..
CSS 11501 Offline Diagnostic Monitor menu (OffDM)
Version: 08.10.1.06
M A I N M E N U
Enter the number of a menu selection:
1* Set Boot Configuration
2. Show Boot Configuration
3* Advanced Options
4. Reboot System
> -
Cisco CSS 11501 - High-Availability
We have a single CSS 11501 and were thinking about just buying a new one and putting it online as the standby with stateful (hopefully) failover, but weren't sure that this would work.
Does anyone know what is needed to create a high-availability Cisco CSS 11501 environment?
Do you only need 2 CSS 11501 and then configure them with one being active and the other being in a standby mode, like a PIX?
Is there a HA Cable that would need to be connected between the 2 CSS's?
Thanks in advance.
Joe
Daniel,
There is a new stateful failover mechanism for the Cisco CSS 11500.
This description is a bit "salesy" I know, but it covers the question asked :-)
The Cisco CSS 11500 delivers ASR, the industry's first stateful Layer 5 session redundancy feature, which enables failover of important flows while maximizing performance. Some flows, such as a long-lived File Transfer Protocol (FTP) or a database session, may be mission critical, but many are not. Most solutions on the market today require all traffic, important or not, to be backed up from one box to another. If the majority of flows are not critical, then most of system performance is wasted on unnecessary backups. With ASR, the Cisco CSS 11500 may be configured so critical flows are marked as replication worthy, whereas others do not need to be so marked. ASR focuses traffic management resources precisely where needed.
Better yet, have a look at the following link focusing on the section on Stateless Redundancy.
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_510/advcfggd/redndncy.htm
Regards
Pete.. -
Hi,
I have a few questions regarding the CSS and SSL certificates.
I have 2 CSS 11501 and 3 web servers, how many SSL certificates do I need?
I want to configure the CSS as active - active; is this supported using the SSL acceleration module? If it is, is it configured the same way as a standalone CSS? The documentation only mentions configurations using a single module and 2 modules in the same CSS.
And a clarification: does the term Backend in the CSS SSL config refer to servers on a different subnet (in our case physically separated)? Our config is 2 FW -> 2 CSS -> 3 Web servers -> 2 backend FW -> 6 Backend servers (app and DB). Am I correct in assuming that Backend refers to this backend? (This might seem like a silly question but the documentation has me confused.)
Any help is much appreciated.
Thanks,
Niels
Niels,
there is currently an ASK THE EXPERT event.
Please join us if you have more questions.
Regarding the certificate, you could just use one.
Get 1 certificate for your VIP and upload it on both SSL modules.
However, you might have to get 2, because certificate providers usually say it's one per physical device.
If you plan on doing SSL on the servers as well, you need 3 more certificates. Or you could use a single certificate if this is allowed by the company that will give it to you.
Backend refers to servers behind the CSS.
Like a firewall defines inside and outside interfaces, the CSS defines the frontend and the backend.
The frontend is the client side and the backend the server side.
When you say active/active, what do you want to achieve exactly ?
You can indeed have 2 VIPs and one is active on CSS1 while the other is active on CSS2.
However, if the CSS shares the same set of servers, you need to be careful that the return traffic from the server to the client goes back to the same server. This may require client nat (group config).
Regards,
Gilles. -
CSS 11501 Trouble shooting data throughput
I have two groups of servers that talk to each other through the load balancer. It appears that on certain transactions where there is a "get", "head" or "trace" in the actual http data, the transaction is not forwarded through the CSS 11501. This happens maybe once in 11,000 transactions. It appears the word get, head or trace has to be in a certain part of the data payload to cause this problem to occur. Has anybody heard of such an issue? If so, do you have a workaround? If not, any suggestion on how I can further isolate the issue? FYI I have a TAC case open but it does not appear to be going anywhere any time soon.
Is it happening in the middle of a persistent connection or with the first request?
There are 2 possibilities I can think of.
The first one would be a flow timeout, and the next request is just dropped because the CSS reclaims the FCB.
The 2nd option is that by default the CSS does not support the "TRACE" http method.
It must be enabled.
See info at :
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_command_reference_chapter09186a008040c3cf.html
So, configure a flow-timeout-multiplier and enable parsing of rfc2518 methods.
Gilles. -
CSS 11501: NAT all ports?
Hi, I have just a little experience with a CSS 11501, so this may be a dumb question.
I created a service and content rule for a FTP server behind the CSS.
This works fine, the public address is translated to the private address etc.
But what I really would like is to NAT ALL requests for this public address to the private address, so not just FTP but also Remote Desktop (port 3389) etc.
How can I accomplish this?
Be careful that ftp uses data connections.
By specifying the protocol and port you helped the CSS understand it was ftp traffic and therefore monitor the control session to find data sessions and do NAT accordingly.
So, instead of removing protocol and port, I would recommend to create a 2nd content rule with the same vip and the same service but no protocol or port.
The first rule will handle ftp.
The 2nd rule will handle the rest.
Regards,
Gilles. -
I was wondering if someone can tell me if it is possible to utilize X-Forwarded-For on a CSS 11501. We have a pair that is configured in a one-armed mode which prevents us from seeing the client's IP address. I've done it on an F5, but can't find anything for the CSS.
Has anyone done this?
Thanks!
The CSS can check for the X-Forwarded-For field and its contents but cannot inject it. It means that if you are using source groups (source NAT) then it's not possible for the CSS to insert the client IP in the HTTP header.
Syed