CSS 11503 adv-bal-stcky-srcip and failover question

From the documentation I have read about failover (when a service fails) it lists several load balancing types, but the advanced-balance-sticky-srcip is not one of them. Is it possible to configure failover linear or failover next when using adv-bal-stcky-srcip? The CSS is configured for a kal (type=tcp / port=8080), but does not do anything when the service does not respond to the kal.

Let me add some clarity then. :) I am running PeopleSoft through the CSS (which is the reason for adv-bal sticky-srcip). I have two services in my content rule:
service pplsft-web1
ip 172.27.144.63
port 8080
kal tcp / 8080
service pplsft-web2
ip 172.27.144.63
port 8080
kal tcp / 8080
When the KAL fails and the service is marked down, what is the CSS supposed to do? You can configure the failover of a service (ie: failover linear or failover next). In all the docs I have read, I read that 'failover linear' and 'failover next' were for regular load balancing techniques (ie: domain, url, srcip, destip, domainhash and urlhash). Can I use it if I have the advanced-balance sticky-srcip load balancing command on the content?
Does that clarify any?

I did get an answer from TAC: by default, 'failover linear' is enabled. But what may be happening is that because of the sticky config, the user IP is still in the sticky table, which overrides load balancing. I have to define the settings for "sticky server down failover" to either 'balance' or 'reject' entries in the sticky table and any requests that come in.

Similar Messages

  • Two Wireless controllers load balance and failover question

    I have two 4404 controllers and each can take 100 APs. I have 140 APs in total. With the default settings (no master controller, no configuration of Prime, secondary controller on APs), each controller will take 70 APs, right?
    Then I will need to configure each AP with an IP address, name ...etc. My question is, when one Controller failed, these 70 APs will try to associate with another controller, right? However only 30 APs can because another controller can maximum manage 100 APs. Then in this case, will these 30 APs lose their static IP addresses and names? When the failed controller came back online, will the 70 APs automatically go back to this controller and have their IP, name configuration back?
    Thanks!

    With the default settings you have no control over how many ap's go to which wlc. It doesn't matter, because you will need to specify the primary and secondary. You might as well stage all the ap's you want on one wlc first and set that wlc to master, then when you have finished that, set the other wlc to master and have the ap's join that wlc, which will be the primary for those ap's.
    You can only support 100 ap's, so depending on what code you use, the 30 ap's that are not able to join will just keep trying. If you run 5.2 (I think it is buggy) you can set the priority on the ap's so that ap's that you set up with a higher priority will be able to join and the others will again sit there until the other wlc comes back up. Static IP addresses will not disappear because the wlc doesn't accept any more connections. Once both wlc are up, the ap's will go back to their primary wlc as long as ap fallback is enabled and mobility is configured right.

  • Routing issue with CSS 11503

    The scenario contains a PIX 515 E firewall, a 4507R chassis switch and a CSS 11503. The servers in the inside zone of the PIX are load balanced using a vip, and the default route specified in the CSS is the inside zone interface IP of the PIX.
    Now I would like to load balance the servers in the DMZ zone of the PIX with a separate vip (from the DMZ zone) in the same CSS. Since the default route in the CSS is towards the inside zone of the PIX, I am unable to see the load balanced pages from the dmz. Is there any solution to load balance the servers of the 2 zones with 2 different vip's using a single css?

    The default behavior is to use the calling device's CSS for the redirected calls. In your case it sounds like you want to use the redirecting device's CSS. I haven't tried this myself but I believe you will need to change the following registry entry on your PGs. You will want to use option 2 (ROUTEADDRESS_SEARCH_SPACE).
    HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems,Inc.\ICM\IPCCL\PG1B\PG\CurrentVersion\JGWS\jgw1\JGWData\Dynamic
    "UseRouteAddressSearchSpace"=dword:00000000
    - Used to control behavior on CTI Route Points for Route Selects.
    UseRouteAddressSearchSpace can be set to 0, 1, or 2 where:
    DEFAULT_SEARCH_SPACE = 0
    CALLINGADDRESS_SEARCH_SPACE = 1
    ROUTEADDRESS_SEARCH_SPACE = 2

  • CSS 11503 load-balancing with MS Print Servers

    We are trying to load-balance print server connections between 2 MS print servers. When we try to connect to the print servers name, (\\PS01) or even the VIP address, we get a Path not found error. However, if we direct the path to the actual name or ip address of the print servers (not the VIP), we can view all the queues and connect/print to them. Is this possible to do on the CSS 11503? Thanks.

    Pete- Here is our config. See any problems?
    configure
    !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 1.100.100.100 1
    !************************* INTERFACE *************************
    interface 1/2
    bridge vlan 2
    !************************** CIRCUIT **************************
    circuit VLAN1
    ip address 1.100.101.110 255.0.0.0
    circuit VLAN2
    ip address 10.100.249.1 255.255.255.0
    !************************** SERVICE **************************
    service ps01
    ip address 10.100.249.5
    active
    service ps02
    ip address 10.100.249.6
    active
    !*************************** OWNER ***************************
    owner printserver
    content L3_Basic
    add service ps01
    add service ps02
    vip address 1.100.100.35

  • CSS 11503 - question on version

    We're about to do an annual OS update to our CSS 11503, and I noticed that there are two current versions of WebNS, both released in the same month: 8.10.4.01 and 8.20.2.01. Could anyone outline for me the differences between the two (or point me to the right release notes)? I usually upgrade to the latest release, but having two at the same time is awfully confusing.
    Thank you!

    They are essentially the same.
    We always port all fixes to both of them.
    Release notes are here :
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/release/note/RN810_X.html
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/release/note/RN820_X.html
    Gilles.

  • CSS 11503 stickiness weightedrr problem

    Hello,
    I have a small problem with three web servers balanced by CSS.
    The servers are weighted and source IP stickiness is enabled. But as soon as I activate "balance weightedrr" in the content rule, I receive no answers from the CSS, although the servers are alive.
    When I switch back to "no balance" in the content rule, everything works fine.
    I am not sure if I really need the "balance weightedrr" command
    to activate the weighted round robin, because I have no equipment to test it.
    config:
    service www1
    ip address 10.160.1.176
    port 9090
    keepalive type http
    weight 2
    active
    service www2
    ip address 10.160.1.186
    port 9090
    keepalive type http
    weight 4
    active
    service www3
    ip address 10.160.1.182
    port 9090
    keepalive type http
    weight 4
    active
    content WWW
    vip address 10.160.1.121
    add service www1
    add service www2
    add service www3
    advanced-balance sticky-srcip
    sticky-inact-timeout 1440
    balance weightedrr
    port 80
    protocol tcp
    active
    Software version is sg0750103
    thank you
    juergen

    Hi Juergen,
    If using the balance weightedrr, you actually need to specify the weight when adding the services to the content rule itself.
    So in your case, when in config mode on the "content WWW" you would then type in "add service www1 weight 4" instead of using it in the service itself. You would remove it from the service.
    The reason it is done this way is because you can then use that same service in a different content rule and actually specify a different weight, or no weight at all. There is more flexibility with this option.
    Regards
    Pete..

  • CSS 11503 in Active Active mode

    Can we configure the CSS 11503 in Active/Active mode, meaning can multiple contexts be configured?
    Thanks & Regards,
    Shahzad.

    Here you go
    Assumptions:
    VIP 10.10.10.100 is Master on the CSS 2 and backup on the CSS1
    VIP 10.10.10.101 is Master on the CSS1 and backup on the CSS1
    Vlan 10 is the Server Vlan (Redundant Interfaces here)
    Vlan 20 is the Client vlan (Redundant Vips here)
    Services for VIP 10.10.10.100 (real server) have default gateway pointing to redundant interface 172.20.40.253
    Services for VIP 10.10.10.101 (real server) have default gateway pointing to redundant interface 172.20.40.254
    CSS #1
    circuit VLAN10
    ip address 172.20.40.1 255.255.255.0
    ip virtual-router 1 priority 101 preempt
    ip virtual-router 2
    ip-redundant-interface 1 172.20.40.253
    ip-redundant-interface 2 172.20.40.254
    Circuit VLAN20
    ip address 10.10.10.1 255.255.255.0
    ip virtual-router 3 priority 101 preempt
    ip virtual-router 4
    ip redundant-vip 3 10.10.10.101
    ip redundant-vip 4 10.10.10.100
    CSS #2
    circuit VLAN10
    ip address 172.20.40.2 255.255.255.0
    ip virtual-router 1
    ip virtual-router 2 priority 101 preempt
    ip-redundant-interface 1 172.20.40.253
    ip-redundant-interface 2 172.20.40.254
    Circuit VLAN20
    ip address 10.10.10.2 255.255.255.0
    ip virtual-router 3
    ip virtual-router 4 priority 101 preempt
    ip redundant-vip 3 10.10.10.101
    ip redundant-vip 4 10.10.10.100
    More details at
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/VIPRedun.html#wp1112245
    Syed Iftekhar Ahmed

  • CSS 11503 Users using a proxy

    I currently have a CSS 11503 LB that I am using to balance 443 and 80 traffic and I have it working, but my question is: if users are coming from a proxy, should I continue to use the Layer 3 LB technique? Also, is it possible to see the real IP address instead of the IP of the proxy server?

    The problem with a proxy is if you use some form of stickiness like sticky src ip.
    Since the src ip is always the proxy, you end up with all your traffic going to a single server.
    If you are doing sticky src ip, I would suggest using arrowpoint-cookie instead.
    To see the real IP you need your proxy to insert in the http header an 'x-forwarded-for' line with the client ip.
    Your servers can then extract this value to determine the client ip.
    On the CSS you won't be able to see the client ip.
    Gilles.
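
As an added example (not part of the original thread, and not Cisco code), this is one way a server behind the VIP could extract the client IP from X-Forwarded-For while honouring the header only when the TCP peer is the known proxy, since any client can send the header itself. The proxy addresses and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: addresses of the forward proxies allowed to set X-Forwarded-For
# (constructed documentation-range values, not taken from the thread).
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.10/32"),
    ipaddress.ip_network("10.100.0.0/24"),
]


def parse_hop(token):
    """Parse one X-Forwarded-For element; return an ip_address or None."""
    token = token.strip()
    if token.startswith("["):            # "[2001:db8::1]:443"
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:          # "203.0.113.7:51234"
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def client_ip(peer_ip, xff_values, trusted=TRUSTED_PROXIES):
    """Return the address to treat as the client.

    peer_ip    -- source address of the TCP connection the server accepted
    xff_values -- every X-Forwarded-For header value, in the order received
    """
    current = ipaddress.ip_address(peer_ip)
    if not is_trusted(current, trusted):
        # Connection did not come from our proxy: the header is attacker
        # controlled, so ignore it entirely.
        return str(current)
    hops = [h for value in xff_values for h in value.split(",")]
    # Walk right to left: the rightmost entries were appended by the proxies
    # closest to us; stop at the first address we do not operate.
    for token in reversed(hops):
        hop = parse_hop(token)
        if hop is None:
            break                        # malformed entry: keep last verified hop
        current = hop
        if not is_trusted(hop, trusted):
            break
    return str(current)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For values)
    samples = [
        ("192.0.2.10", ["203.0.113.7"]),           # normal proxied request
        ("192.0.2.10", ["1.2.3.4, 203.0.113.7"]),  # client pre-seeded a fake hop
        ("198.51.100.99", ["10.1.1.1"]),           # direct client forging header
    ]
    for peer, xff in samples:
        print(peer, xff, "->", client_ip(peer, xff))
```

Logging or applying access decisions on the leftmost header value instead would let a client choose its own apparent address.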

  • Global Certificate on CSS 11503

    Hi
    I am planning to enable https for a few web servers behind a CSS 11503. I have tested the functionality with the trial cert and everything works as desired.
    Now I need to buy a certificate from Verisign to make it work in production.
    At Verisign they offer two different certs (Secure Site --40 bits encryption) and (Secure Site Pro -- 128 bit encryption).
    1. Is this 128 bit cert a "global cert"? and I need to concatenate the "intermediate cert" and "server cert" to make it work?
    2. If all my users are in USA then does it make sense to buy this 128 bit certificate?
    3. Verisign website also asks for "server Platform" and cisco is not mentioned as an option (I can see other LB as F5 in the list). What should I select for the server Platform when I am requesting it for CSS 11503 (I have generated the CSR on CSS 11503).
    Thanks in advance
    Glenn

    1. The guy who picked up the phone at Verisign had no clue. The Verisign website says the following:
    Secure Site Certificate (40bit minimum)- SSL Certificates without SGC
    To install your SSL Certificate, go to the instructions below for your server software. If your server is not listed or you need additional information, refer to your server documentation or contact your server vendor
    Secure Site Pro Certificate(128bit minimum) - SSL Certificates with SGC
    If you are installing an SSL Certificate with SGC, you need to copy an Intermediate CA Certificate before proceeding to the installation instructions for your server software.
    2. My understanding was that 40 bit is the minimum encryption level and only old browsers (exported ones) will use 40/56 bit ciphers. Otherwise, even with a 40 bit certificate, the new browsers will establish a 128 bit session.
    Verisign says about their 40 bit certificate
    "40-Bit to 256-Bit SSL Encryption Non-SGC SSL Certificates provide a minimum of 40-bit and up to 256-bit SSL encryption. Site visitors using certain older browsers and many Windows 2000 users will only receive 40- or 56-bit encryption unless they’re connecting to an SGC-enabled SSL Certificate"
    I found a document on the net in favor of buying 40 bit certs.
    http://www.whichssl.com/myths_about_sgc.html
    Gilles, I am a bit confused here. Need HELP :)

  • Routing non-TCP/UDP traffic while using FWLB on CSS 11503s

    Hello all,
    I've been tasked to set up FWLB with CSS 11503's as shown below. The issue is that intranet workstations use VPN client software when connecting to certain sites through the Internet and other times they use http or https (for connection to different sites). Because no flow is set up for ipsec and ECMP uses per packet routing for non TCP/UDP traffic, I'm concerned that load balancing through the firewalls will occur on a per packet basis. If that is true, stateful inspection in the firewalls will block asymmetrical traffic flows.
    Is my understanding correct? And, if so, is there a way to configure the CSS units to deal with this?
    Thanks in advance.
    (sorry for the dots in the drawing but the spaces kept getting deleted)
    .| Internet |
    ..........|
    .| CSS-outside |
    .............|
    ........|...............|
    .| FW1 |.....| FW2 |
    .......|................|
    ............|
    .| CSS-inside |
    ............|
    .| Intranet |

    for non-flowy traffic like IPSEC, we use a hash algorithm to decide where to send the traffic.
    So, it's not per packet loadbalancing.
    The same source/destination ip/port will always go to the same firewall.
    Gilles.

  • Installing an SSL certificate for a CSS 11503

    I'm having the hardest time searching for clear instructions on how to request and install an SSL certificate for a CSS 11503 Content Switch. Can anyone help or point me in the right direction?
    I'm also looking for instructions on how to replace an SSL certificate once it's been installed. Thanks!

    Allen,
    The portion of the configuration guide related to SSL certificates and keys can be found here:
    http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801eea82.html#1422544
    To replace an SSL certificate, you'll need to remove the current certificate and re-import/create the new one.
    ~Zach

  • CSS 11503 does not ask confirmation

    Hi,
    Our CSS 11503 does not ask for confirmation when I want to delete or add a service, owner or group.
    Here is the log of some deletion and addition a service:
    11503_Master(config)# sh run ser mtsopa01-9700
    service mtsopa01-9700
    ip address A.B.C.D
    protocol tcp
    port 9700
    keepalive type http
    keepalive port 9700
    active
    11503_Master(config)# no service mtsopa01-9700
    11503_Master(config)# (As you see there is no confirmation)
    11503_Master(config)# service mtsopa01-9700
    11503_Master(config-service[mtsopa01-9700])# (As you see there is no confirmation)
    11503_Master(config-service[mtsopa01-9700])# ip address A.B.C.D
    11503_Master(config-service[mtsopa01-9700])# protocol tcp
    11503_Master(config-service[mtsopa01-9700])# port 9700
    11503_Master(config-service[mtsopa01-9700])# keepalive type http
    11503_Master(config-service[mtsopa01-9700])# keepalive port 9700
    11503_Master(config-service[mtsopa01-9700])# active
    Have you any idea?
    PS:
    Version: sg0750103 (07.50.1.03)
    Product Name: CSS11503-AC J0

    do a 'show profile'
    You are probably in expert mode.
    CSS11503-2# sho prof
    @no terminal more
    @prompt CSS11503-2
    @expert <=====
    do 'no expert' to revert to normal mode and don't forget to do a save profile.
    Gilles.

  • RE: Hard Failures, KeepAlive, and Failover --Follow-up

    Hi,
    It's a really challenging question. However, what do you want to do after
    the network crash? Failover or just stop the service? Should we assume
    that when the network is down, so is your name service?
    One idea is to use externalconnection to "listen" to your external non-forte
    alarm, so do "whatever" after you receive the alarm instead of letting the
    "logical connection" to time out or hang.
    Regards,
    Peter Sham.
    -----Original Message-----
    From: Michael Lee [SMTP:[email protected]]
    Sent: Wednesday, June 16, 1999 12:44 AM
    To: [email protected]
    Subject: Hard Failures, KeepAlive, and Failover -- Follow-up
    I've gotten a handful of responses to my original post, and the suggested
    solutions are all variations on the same theme -- periodically ping remote
    nodes/partitions and then react when the node/partition goes down. In
    other circumstance this would work, but unless I'm missing something this
    solution doesn't solve the problem I'm running into.
    Some background...
    When a connection is set up between partitions on two different nodes,
    Forte is effectively establishing two connections: a "physical connection"
    over TCP/IP between two ports and a "logical connection" between the two
    partitions (running on top of the physical connection). Once a connection
    is established between two partitions Forte assumes the logical connection
    is valid until one of two things happen:
    1) The logical connection is broken (by shutting down a partition from
    Econsole/Escript, by killing a node manager, by terminating the ftexec,
    etc.)
    2) Forte detects that the physical connection is broken (via its KeepAlive
    functionality).
    If a physical connection is broken (via a cut cable or power-off
    condition), and Forte has not yet detected the situation (via a KeepAlive
    failure), the logical connection is still valid and Forte will still allow
    method calls on the remote partition. In effect, Forte thinks the remote
    partition is still up and running. In this situation, any method calls
    made after the physical connection has been broken will simply hang. No
    exceptions are generated and failover does not occur.
    However, once a KeepAlive failure is detected all is made right.
    Unfortunately, the lowest-bound latency of KeepAlive is greater than one
    second, and we need to detect and react to hard failures in the 250-500ms
    range. Using technology outside of Forte we are able to detect the hard
    failures within the required times, but we haven't been able to get Forte
    to react to this "outside" knowledge. Here's why:
    Since Forte has not yet detected a KeepAlive failure, the logical
    connection to the remote partition is still "valid". Although there are a
    number of mechanisms that would allow a logical connection to be broken,
    they all assume a valid physical connection -- which, of course, we don't
    have!
    It appears I'm in a "Catch-22" situation: In order to break a logical
    connection between partitions, I need a valid physical connection. But the
    reason I'm trying to break the logical connection in the first place is
    that I know (but Forte doesn't yet know) that the physical connection has
    been broken.
    If anyone knows a way around this Catch-22, please let me know.
    Mike
    To unsubscribe, email '[email protected]' with
    'unsubscribe forte-users' as the body of the message.
    Searchable thread archive <URL:http://pinehurst.sageit.com/listarchive/>

    Make sure you chose the right format, and as far as partitioning is concerned, you have to select at least one partition, which will be the entire drive.

  • How to find out the primary and failover DNS name

    Hi;
    This sounds very stupid, but could someone please tell me how to find out the name/dns name of the primary and failover server without using the CDS console?
    any help is appreciated

    Is this what you want?
    $ /usr/lib/ldap/ldap_cachemgr -g
    cachemgr configuration:
    server debug level 0
    server log file "/var/ldap/cachemgr.log"
    number of calls to ldapcachemgr 12729
    cachemgr cache data statistics:
    Configuration refresh information:
    Previous refresh time: 2005/08/07 23:54:59
    Next refresh time: 2005/08/08 00:55:00
    Server information:
    Previous refresh time: 2005/08/14 15:15:00
    Next refresh time: 2005/08/15 03:15:00
    server: ldap1.example.com, status: UP
    server: ldap2.example.com, status: UP
    server: ldap3.example.com, status: UP
    Cache data information:
    Maximum cache entries: 256
    Number of cache entries: 0
    Gary

  • Failover clustering... How similar do the primary and failover instance need to be in a failover cluster?

    How similar do the primary and failover instance need to be in a failover cluster?
    Does the number of database have to match, naming, general config etc...
    Mr Shaw

    In failover clustering, you use shared storage so the number of databases is irrelevant since only one node can see/access the shared storage at any given point in time. Ideally, the server configuration should be the same on all of the nodes to minimize potential issues that may impact downtime. However, you need to consider licensing/# of CPU-cores and implementation cost, especially if you are only using the other nodes as standby. As far as licensing is concerned, the standby has to have the same or fewer number of CPU-cores as the primary node to be covered by licensing. Besides, you don't want your standby node to be more powerful than your primary node. This is why the option to have a hybrid deployment of having a physical server as the primary node and virtual machine for standby nodes is now supported.
    Edwin Sarmiento SQL Server MVP | Microsoft Certified Master
