CSS 11503 persistence
We have a web app that still uses frames. The web URL is HTTPS, but one of the frames uses HTTP. I need the user to stick to the same server for both frames or it screws up the application.
I am load balancing to 2 servers over HTTP and HTTPS using a group for client NATing. I have tried advanced-loadbalancing ssl on both the HTTP and HTTPS services, and I tried advanced-loadbalancing arrowpoint-cookie on both. Neither way worked.
How do I get the CSS to stick to one server for both frames?
If you have 2 rules, this is not going to be possible unless you terminate SSL traffic on the CSS SSL module.
If you do not terminate SSL traffic on the CSS, I would suggest combining your HTTPS and HTTP rules into a single one.
Simply remove one of the rules and, in the remaining one, remove the port command.
All traffic will be handled by that single rule.
You can then implement 'advanced-balance srcip'.
Gilles.
Similar Messages
-
The scenario contains a PIX 515E firewall, a 4507R chassis switch and a CSS 11503. The servers in the inside zone of the PIX are load balanced using a VIP; the default route specified in the CSS is the inside zone interface IP of the PIX.
Now I would like to load balance the servers in the DMZ zone of the PIX with a separate VIP (from the DMZ zone) in the same CSS. Since the default route in the CSS is towards the inside zone of the PIX, I am unable to see the load balanced pages from the DMZ. Is there any solution to load balance the servers of the 2 zones with 2 different VIPs using a single CSS?
The default behavior is to use the calling device's CSS for the redirected calls. In your case it sounds like you want to use the redirecting device's CSS. I haven't tried this myself but I believe you will need to change the following registry entry on your PGs. You will want to use option 2 (ROUTEADDRESS_SEARCH_SPACE).
HKEY_LOCAL_MACHINE\SOFTWARE\Cisco
Systems,Inc.\ICM\IPCCL\PG1B\PG\CurrentVersion\JGWS\jgw1\JGWData\Dynamic
"UseRouteAddressSearchSpace"=dword:00000000
- Used to control behavior on CTI Route Points for Route Selects.
UseRouteAddressSearchSpace can be set to 0, 1, or 2, where:
DEFAULT_SEARCH_SPACE = 0
CALLINGADDRESS_SEARCH_SPACE = 1
ROUTEADDRESS_SEARCH_SPACE = 2 -
CSS 11503 load-balancing with MS Print Servers
We are trying to load-balance print server connections between 2 MS print servers. When we try to connect to the print server's name (\\PS01) or even the VIP address, we get a "Path not found" error. However, if we direct the path to the actual name or IP address of the print servers (not the VIP), we can view all the queues and connect/print to them. Is this possible to do on the CSS 11503? Thanks.
Pete- Here is our config. See any problems?
configure
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 1.100.100.100 1
!************************* INTERFACE *************************
interface 1/2
bridge vlan 2
!************************** CIRCUIT **************************
circuit VLAN1
ip address 1.100.101.110 255.0.0.0
circuit VLAN2
ip address 10.100.249.1 255.255.255.0
!************************** SERVICE **************************
service ps01
ip address 10.100.249.5
active
service ps02
ip address 10.100.249.6
active
!*************************** OWNER ***************************
owner printserver
content L3_Basic
add service ps01
add service ps02
vip address 1.100.100.35 -
CSS 11503 - question on version
We're about to do an annual OS update to our CSS 11503, and I noticed that there are two current versions of WebNS, both released in the same month: 8.10.4.01 and 8.20.2.01. Could anyone outline for me the differences between the two (or point me to the right release notes)? I usually upgrade to the latest release, but having two at the same time is awfully confusing.
Thank you!
They are essentially the same.
We always port all fixes to both of them.
Release notes are here :
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/release/note/RN810_X.html
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/release/note/RN820_X.html
Gilles. -
CSS 11503 in Active Active mode
Can we configure the CSS 11503 in Active/Active mode, meaning can multiple contexts be configured?
Thanks & Regards,
Shahzad.
Here you go.
Assumptions:
VIP 10.10.10.100 is Master on the CSS 2 and backup on the CSS1
VIP 10.10.10.101 is Master on the CSS1 and backup on the CSS1
Vlan 10 is the Server Vlan (Redundant Interfaces here)
Vlan 20 is the Client vlan (Redundant Vips here)
Services for VIP 10.10.10.100 (real server) have default gateway pointing to redundant interface 172.20.40.253
Services for VIP 10.10.10.101 (real server) have default gateway pointing to redundant interface 172.20.40.254
CSS #1
circuit VLAN10
ip address 172.20.40.1 255.255.255.0
ip virtual-router 1 priority 101 preempt
ip virtual-router 2
ip-redundant-interface 1 172.20.40.253
ip-redundant-interface 2 172.20.40.254
Circuit VLAN20
ip address 10.10.10.1 255.255.255.0
ip virtual-router 3 priority 101 preempt
ip virtual-router 4
ip redundant-vip 3 10.10.10.101
ip redundant-vip 4 10.10.10.100
CSS #2
circuit VLAN10
ip address 172.20.40.2 255.255.255.0
ip virtual-router 1
ip virtual-router 2 priority 101 preempt
ip-redundant-interface 1 172.20.40.253
ip-redundant-interface 2 172.20.40.254
Circuit VLAN20
ip address 10.10.10.2 255.255.255.0
ip virtual-router 3
ip virtual-router 4 priority 101 preempt
ip redundant-vip 3 10.10.10.101
ip redundant-vip 4 10.10.10.100
More details at
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/VIPRedun.html#wp1112245
Syed Iftekhar Ahmed -
I currently have a CSS 11503 LB that I am using to balance 443 and 80 traffic and I have it working, but my question is: if users are coming from a proxy, should I continue to use the Layer 3 LB technique? Also, is it possible to see the real IP address instead of the IP of the proxy server?
The problem with a proxy is if you use some form of stickiness like sticky src ip.
Since the src ip is always the proxy, you end up with all your traffic going to a single server.
If you are doing sticky src ip, I would suggest using arrowpoint-cookie instead.
To see the real-ip you need your proxy to insert in the http header a 'x-forwarded-for' line with the client ip.
Your servers can then extract this value to determine the client ip.
On the CSS you won't be able to see the client-ip.
Gilles. -
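Gilles' point that the servers, not the CSS, have to extract the client address from X-Forwarded-For is where the trust decision lives: the header is just text the upstream hop wrote. The following is an added example, not code from the thread or from Cisco; the proxy address and the CSS client-NAT range it trusts are constructed, and it only believes the header on connections that actually arrived through one of those hops.

```python
import ipaddress

# Assumed: the hops we trust to append honest X-Forwarded-For entries. On the
# CSS setup in the thread the servers see the proxy's address (or the CSS
# client-NAT address when a NAT group is used), so both belong here.
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.10/32"),    # constructed: the forward proxy
    ipaddress.ip_network("10.100.249.0/24"),  # constructed: CSS client-NAT range
]


def parse_ip(text):
    """Return an ip_address for text, or None if it is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(addr):
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header=None):
    """Best-effort real client address for one request.

    remote_addr: the TCP peer the server accepted the connection from.
    xff_header:  the X-Forwarded-For value the proxy inserted, or None.

    Only a connection that arrived from a trusted hop may use the header at
    all. The list is then read from the right: trusted proxies are skipped and
    the first other address is the client. Anything further left was written
    by a party we do not trust, so it is ignored; a header that consists only
    of trusted hops or junk falls back to the peer address.
    """
    if not is_trusted(remote_addr) or not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        parsed = parse_ip(hop)
        return str(parsed) if parsed else remote_addr
    return remote_addr


def client_ips(log_lines):
    """Run client_ip over constructed 'peer|xff' sample lines and return the
    resolved client address for each line, in order."""
    out = []
    for line in log_lines:
        peer, _, xff = line.partition("|")
        out.append(client_ip(peer, xff or None))
    return out


# Constructed sample requests as the server would see them, 'peer|xff'.
SAMPLE = [
    "192.0.2.10|203.0.113.5",                # normal proxied client
    "192.0.2.10|198.51.100.9, 203.0.113.5",  # client sent a fake entry, proxy appended the truth
    "10.100.249.7|203.0.113.5, 192.0.2.10",  # proxy then CSS NAT: two trusted hops
    "203.0.113.77|10.100.249.7",             # direct connection, header not trustworthy
    "192.0.2.10|not-an-ip",                  # junk on the proxy path
]

if __name__ == "__main__":
    for line, ip in zip(SAMPLE, client_ips(SAMPLE)):
        print(f"{line:42} -> {ip}")
```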
Global Certificate on CSS 11503
Hi
I am planning to enable HTTPS for a few web servers behind a CSS 11503. I have tested the functionality with the trial cert and everything works as desired.
Now I need to buy a certificate from Verisign to make it work in production.
At Verisign they offer two different certs: Secure Site (40-bit encryption) and Secure Site Pro (128-bit encryption).
1. Is this 128 bit cert a "global cert"? and I need to concatenate the "intermediate cert" and "server cert" to make it work?
2. If all my users are in USA then does it make sense to buy this 128 bit certificate?
3. Verisign website also asks for "server Platform" and cisco is not mentioned as an option (I can see other LB as F5 in the list). What should I select for the server Platform when I am requesting it for CSS 11503 (I have generated the CSR on CSS 11503).
Thanks in advance
Glenn
1. The guy who picked up the phone at Verisign had no clue. The Verisign website says the following:
Secure Site Certificate (40bit minimum)- SSL Certificates without SGC
To install your SSL Certificate, go to the instructions below for your server software. If your server is not listed or you need additional information, refer to your server documentation or contact your server vendor
Secure Site Pro Certificate(128bit minimum) - SSL Certificates with SGC
If you are installing an SSL Certificate with SGC, you need to copy an Intermediate CA Certificate before proceeding to the installation instructions for your server software.
2. My understanding was that 40 bit is the minimum encryption level and only old browsers (export versions) will use 40/56 bit ciphers. Otherwise, even with a 40 bit certificate, the new browsers will establish a 128 bit session.
Verisign says about their 40 bit certificate
"40-Bit to 256-Bit SSL Encryption Non-SGC SSL Certificates provide a minimum of 40-bit and up to 256-bit SSL encryption. Site visitors using certain older browsers and many Windows 2000 users will only receive 40- or 56-bit encryption unless they’re connecting to an SGC-enabled SSL Certificate"
I found a document on the net in favor of buying 40 bit certs.
http://www.whichssl.com/myths_about_sgc.html
Gilles, I am a bit confused here. Need HELP :) -
Routing non-TCP/UDP traffic while using FWLB on CSS 11503s
Hello all,
I've been tasked to set up FWLB with CSS 11503s as shown below. The issue is that intranet workstations use VPN client software when connecting to certain sites through the Internet, and at other times they use HTTP or HTTPS (for connections to different sites). Because no flow is set up for IPsec and ECMP uses per-packet routing for non-TCP/UDP traffic, I'm concerned that load balancing through the firewalls will occur on a per-packet basis. If that is true, stateful inspection in the firewalls will block asymmetrical traffic flows.
Is my understanding correct? And, if so, is there a way to configure the CSS units to deal with this?
Thanks in advance.
(sorry for the dots in the drawing but the spaces kept getting deleted)
.| Internet |
..........|
.| CSS-outside |
.............|
........|...............|
.| FW1 |.....| FW2 |
.......|................|
............|
.| CSS-inside |
............|
.| Intranet |
For non-flowy traffic like IPsec, we use a hash algorithm to decide where to send the traffic.
So, it's not per packet loadbalancing.
The same source/destination ip/port will always go to the same firewall.
Gilles. -
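Two answers in this thread rest on the same mechanism: a flow is assigned to one target by hashing a key taken from its headers, so the choice of key decides both consistency (the FWLB case above, where the same source/destination ip/port always takes the same firewall) and spread (the earlier proxy case, where a source-IP-only key puts every flow on one server). The block below is an added illustration, not the CSS's own algorithm, which the thread does not show; the server names and proxy address are constructed, and the symmetric key (endpoints ordered canonically so a reply hashes like its request) is an assumption about what a stateful firewall pair needs, not a documented CSS behaviour.

```python
import hashlib
from collections import Counter

FIREWALLS = ["FW1", "FW2"]          # the two firewalls in the drawing above
SERVERS = ["server-1", "server-2"]  # assumed names for the two real servers
PROXY_IP = "192.0.2.10"             # constructed: the proxy every client sits behind
VIP = "10.10.10.100"                # a VIP used elsewhere in this thread, reused as destination

FIVE_TUPLE = ("proto", "src", "sport", "dst", "dport")
SRC_ONLY = ("src",)


def flow_key(flow, fields, symmetric=False):
    """Build the hash input from the chosen fields of a flow.

    symmetric=True orders the two endpoints canonically so that A->B and its
    reply B->A yield the same key; a stateful firewall pair needs exactly that
    so both directions cross the same box. This is an assumed stand-in for the
    CSS hash, reproducing only the property described in the answer above.
    """
    if symmetric:
        ends = sorted([(flow["src"], flow["sport"]), (flow["dst"], flow["dport"])])
        return f"{flow['proto']}|{ends[0]}|{ends[1]}"
    return "|".join(str(flow[f]) for f in fields)


def pick_target(flow, targets, fields=FIVE_TUPLE, symmetric=False):
    """Deterministically map a flow onto one target (never a per-packet choice)."""
    digest = hashlib.sha256(flow_key(flow, fields, symmetric).encode()).digest()
    return targets[int.from_bytes(digest[:8], "big") % len(targets)]


def reverse(flow):
    """The reply direction of a flow: endpoints and ports swapped."""
    return dict(flow, src=flow["dst"], dst=flow["src"],
                sport=flow["dport"], dport=flow["sport"])


def distribution(flows, targets, fields, symmetric=False):
    """How many flows each target receives under a given key choice."""
    return Counter(pick_target(f, targets, fields, symmetric) for f in flows)


def proxied_flows(n):
    """n HTTP connections to the VIP that all come from the proxy address;
    only the ephemeral source port differs, as the proxy answer describes."""
    return [dict(proto="tcp", src=PROXY_IP, sport=40000 + i, dst=VIP, dport=80)
            for i in range(n)]


if __name__ == "__main__":
    flows = proxied_flows(200)
    # Source-IP stickiness behind a proxy: every flow lands on one server.
    print("srcip key :", dict(distribution(flows, SERVERS, SRC_ONLY)))
    # Full tuple: each flow still maps to one fixed server, but flows spread.
    print("5-tuple   :", dict(distribution(flows, SERVERS, FIVE_TUPLE)))
    # Non-flow traffic (IPsec ESP carries no ports): both directions hit one FW.
    esp = dict(proto="esp", src="10.1.1.5", sport=0, dst="198.51.100.20", dport=0)
    print("ESP out   :", pick_target(esp, FIREWALLS, symmetric=True))
    print("ESP reply :", pick_target(reverse(esp), FIREWALLS, symmetric=True))
```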
Remove Health Care (keepalives) CSS 11503
Hi,
We normally distribute the load between two servers by checking if the server is active (using TCP 80). Yesterday we wanted to remove the Health Check (keepalives) due to a maintenance test, to send the traffic directly to the server, but the service stopped working.
We think we didn't remove the health check properly; could anybody please help me to know how to remove it?
We are using a CSS 11503; I'm adding the config.
Thanks
CSS11503-2(config)# service Linux2
CSS11503-2(config-service[Linux2])# ip add 192.168.20.41
CSS11503-2(config-service[Linux2])# active
CSS11503-2(config-service[Linux2])# show service Linux2
Name: Linux2 Index: 33
Type: Local State: Alive
Rule ( 192.168.20.41 ANY ANY )
Session Redundancy: Disabled
Redirect Domain:
Redirect String:
Keepalive: (ICMP 5 3 5 )
Keepalive Encryption: Disabled
Last Clearing of Stats Counters: 08/12/2009 05:29:24
Mtu: 1500 State Transitions: 0
Total Local Connections: 0 Total Backup Connections: 0
Current Local Connections: 0 Current Backup Connections: 0
Total Connections: 0 Max Connections: 65534
Total Reused Conns: 0
Weight: 1 Load: 2
Weight Reporting: None
CSS11503-2(config-service[Linux2])# keepalive type none
CSS11503-2(config-service[Linux2])# show service Linux2
Name: Linux2 Index: 33
Type: Local State: Alive
Rule ( 192.168.20.41 ANY ANY )
Session Redundancy: Disabled
Redirect Domain:
Redirect String:
Keepalive: (NONE 5 3 5 )
Keepalive Encryption: Disabled
Last Clearing of Stats Counters: 08/12/2009 05:29:24
Mtu: 1500 State Transitions: 1
Total Local Connections: 0 Total Backup Connections: 0
Current Local Connections: 0 Current Backup Connections: 0
Total Connections: 0 Max Connections: 65534
Total Reused Conns: 0
Weight: 1 Load: 2
Weight Reporting: None
CSS11503-2(config-service[Linux2])#
Same if the service is down before disabling the keepalive.
CSS11503-2(config-service[Linux2])# keepalive type icmp
CSS11503-2(config-service[Linux2])# show service Linux2
Name: Linux2 Index: 33
Type: Local State: Down
Rule ( 192.168.20.41 ANY ANY )
Session Redundancy: Disabled
Redirect Domain:
Redirect String:
Keepalive: (ICMP 5 3 5 )
Keepalive Encryption: Disabled
Last Clearing of Stats Counters: 08/12/2009 05:31:42
Mtu: 1500 State Transitions: 4
Total Local Connections: 0 Total Backup Connections: 0
Current Local Connections: 0 Current Backup Connections: 0
Total Connections: 0 Max Connections: 65534
Total Reused Conns: 0
Weight: 1 Load: 255
Weight Reporting: None
CSS11503-2(config-service[Linux2])# keepalive type none
CSS11503-2(config-service[Linux2])# show service Linux2
Name: Linux2 Index: 33
Type: Local State: Alive
Rule ( 192.168.20.41 ANY ANY )
Session Redundancy: Disabled
Redirect Domain:
Redirect String:
Keepalive: (NONE 5 3 5 )
Keepalive Encryption: Disabled
Last Clearing of Stats Counters: 08/12/2009 05:36:08
Mtu: 1500 State Transitions: 5
Total Local Connections: 0 Total Backup Connections: 0
Current Local Connections: 0 Current Backup Connections: 0
Total Connections: 0 Max Connections: 65534
Total Reused Conns: 0
Weight: 1 Load: 2
Weight Reporting: None
Gilles. -
Installing an SSL certificate for a CSS 11503
I'm having the hardest time searching for clear instructions on how to request and install an SSL certificate for a CSS 11503 Content Switch. Can anyone help or point me in the right direction?
I'm also looking for instructions on how to replace an SSL certificate once it's been installed. Thanks!
Allen,
The portion of the configuration guide related to SSL certificates and keys can be found here:
http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801eea82.html#1422544
To replace an SSL certificate, you'll need to remove the current certificate and re-import/create the new one.
~Zach -
To set enable password for CSS 11503
We need to set enable password on CSS 11503.
Can we do this? If yes, how can we do this?
There is no enable password on the CSS.
A user is either a privileged user or not.
If you login as a privilege user, you get full access. No need to enable anything.
CSS11503-2> en
enable Authenticate for SuperUser mode
endbranch End a branching command
CSS11503-2> enable
Username:
As you can see above, if you type enable you have to re-login with a superuser account.
Gilles. -
CSS 11503 does not ask confirmation
Hi,
Our CSS 11503 does not ask for confirmation when I want to delete or add a service, owner or group.
Here is the log of a deletion and addition of a service:
11503_Master(config)# sh run ser mtsopa01-9700
service mtsopa01-9700
ip address A.B.C.D
protocol tcp
port 9700
keepalive type http
keepalive port 9700
active
11503_Master(config)# no service mtsopa01-9700
11503_Master(config)# (As you see there is no confirmation)
11503_Master(config)# service mtsopa01-9700
11503_Master(config-service[mtsopa01-9700])# (As you see there is no confirmation)
11503_Master(config-service[mtsopa01-9700])# ip address A.B.C.D
11503_Master(config-service[mtsopa01-9700])# protocol tcp
11503_Master(config-service[mtsopa01-9700])# port 9700
11503_Master(config-service[mtsopa01-9700])# keepalive type http
11503_Master(config-service[mtsopa01-9700])# keepalive port 9700
11503_Master(config-service[mtsopa01-9700])# active
Have you any idea?
PS:
Version: sg0750103 (07.50.1.03)
Product Name: CSS11503-AC J0
Do a 'show profile'.
You are probably in expert mode.
CSS11503-2# sho prof
@no terminal more
@prompt CSS11503-2
@expert <=====
do 'no expert' to revert to normal mode and don't forget to do a save profile.
Gilles. -
Cisco CSS 11503 Arrowpoint/Load Balance question
I am troubleshooting an issue with my 11503. I am running version 07.40.0.04. I have it configured as follows:
content upcadtoa-rule
add service cadtoa-wls1-e0
add service cadtoa-wls1-e1
add service cadtoa-wls2-e0
add service cadtoa-wls2-e1
add service cadtoa-wls3-e0
add service cadtoa-wls3-e1
add service cadtoa-wls4-e0
add service cadtoa-wls4-e1
add service cadtoa-wls5-e0
add service cadtoa-wls5-e1
add service cadtoa-wls6-e0
add service cadtoa-wls6-e1
arrowpoint-cookie expiration 00:00:15:00
protocol tcp
port 8001
advanced-balance arrowpoint-cookie
redundant-index 2
vip address 172.30.194.195 range 2
arrowpoint-cookie name TOA
active
However, the load-balancing across the servers does not seem to be doing much balancing. One of those servers is getting hit with 5 times as much traffic as another and another server is lucky to get a connection at all. With the cookie expiration set, one would think that this would all balance out over time.
I just came across this information from Cisco and I am wondering if it is relevant:
If you configure a balance or advanced-balance method on a content rule that requires the TCP protocol for Layer 5 (L5) spoofing, you should configure a default URL string, such as url "/*". The addition of the URL string forces the content rule to become an L5 rule and ensures L5 load balancing or stickiness. If you do not configure a default URL string, unexpected results can occur.
In the following configuration example, if you configure a Layer 3 (L3) content rule with an L5 balance method, the CSS performs L5 load balancing, but will reject UDP packets.
content testing
vip address 192.168.128.131
add service s1
balance url
active
The balance url method is an L5 load-balancing method in which the CSS must spoof the connection and examine the HTTP GET content request to perform load balancing. The CSS rejects the UDP packet sent to this rule because a UDP connection cannot be L5. Though the CSS allows this rule configuration, its expected behavior would be more clear if you promote the rule to L5 by configuring the url "/*" command.
In the next example, if you configure an L3 content rule with an L5 advanced-balance method, L5 stickiness will not work as expected.
content testing
vip address 192.168.128.131
add service s1
advanced-balance arrowpoint-cookie
active
The advanced-balance arrowpoint-cookie method causes the CSS to spoof the connection, however, the CSS still marks it as an L3 rule. Thus, the CSS does not insert the generated cookie and the rule defaults to L3 stickiness (sticky-srcip). You must configure a URL like url "/*" to promote this rule to L5, ensuring that L5 stickiness works as expected.
Thanks in advance for any help you can give. The thing is not down, it is just balancing strangely causing application performance issues.
James
Hey James,
You will need to suspend the content rule in order to add the url statement. This will cause a quick downtime until the content rule is activated again. I have shown below the commands to add the statement. Perhaps you can create your commands in a Notepad file, then paste them all in so they execute quickly to minimize your downtime:
content MY-SITE
vip address 10.201.130.140
port 80
protocol tcp
add service MY-SERVER
active
CSS11503# config t
CSS11503(config)# owner TEST
CSS11503(config-owner[TEST])# content MY-SITE
CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
%% Attribute may not be modified on active rule
CSS11503(config-owner-content[TEST-MY-SITE])# suspend
CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
CSS11503(config-owner-content[TEST-MY-SITE])# active
CSS11503(config-owner-content[TEST-MY-SITE])# exit
CSS11503(config-owner[TEST])# exit
CSS11503(config)# exit
CSS11503# show run
content MY-SITE
vip address 10.201.130.140
add service MY-SERVER
port 80
protocol tcp
url "/*" <--------
active
Hope this helps,
Sean -
CSS 11503 Load Balancing Verification
Alright, so I have toiled long and hard to get this right. I think I have the config down but I am unsure on how to verify how this load balancing is working.
Here is the Content Config that I am speaking of:
content cad-rule
add service wls1-e0
add service wls1-e1
add service wls2-e0
add service wls2-e1
add service wls3-e0
add service wls3-e1
add service wls4-e0
add service wls4-e1
add service wls5-e0
add service wls5-e1
add service wls6-e0
add service wls6-e1
arrowpoint-cookie expiration 00:00:15:00
advanced-balance arrowpoint-cookie
redundant-index 2
vip address 172.30.194.195 range 2
arrowpoint-cookie name TOQ
protocol tcp
port 8001
url "/*"
active
Each service in the rule above is configured as follows:
service wls1-e1
port 8001
protocol tcp
string ags001-e1
ip address 172.30.193.81
keepalive type http
keepalive uri "/cad/index.html"
redundant-index 12
keepalive frequency 20
keepalive maxfailure 10
keepalive retryperiod 2
active
I am using the advanced arrowpoint cookies because I need some stickiness here. Straight round-robin would not have done what I needed it to do.
Now, when I go to my show summary, this is what I see for this rule:
cad-rule Master wls1-e0 84274
wls1-e1 13144
wls2-e0 96884
wls2-e1 26374
wls3-e0 71145
wls3-e1 16592
wls4-e0 76403
wls4-e1 8657
wls5-e0 118623
wls5-e1 22760
wls6-e0 30836
wls6-e1 20464
The far right column indicates the services hits. I originally had the E1's suspended and activated them later on. So if this was true round robin, all the E0's should have the same number of service hits and all the E1's should have the same number of service hits. But as you can see, the wls5 server is getting hit the most while the wls6 server is sitting there twiddling its thumbs.
Now, understanding how the arrowpoint cookies do their load balancing (inserting a cookie into the flow and then timing out after 15 mins as configured above), I would not expect a 1:1 ratio of load balancing between servers. But the distribution above seems rather extreme.
Does anyone have any suggestions on how to both A) verify that this is the right config and B) suggest to my boss that this is working the way it should be working?
Thanks!
James
Hi James,
There are several reasons for the uneven load balancing that you are seeing (based on the show summary). First of all, the CSS is configured to do stickiness (advanced-balance).
With the arrowpoint-cookie method for stickiness (HTTP only), only requests coming with the same cookie are going to get stuck to the same server. Since the cookie is lost when the browser is closed (or based on the expiration), the stickiness is going to be session based, and if the same client opens a new session it is going to be load balanced.
It is important to understand that when using stickiness, no really even load balancing is going to happen, since we are sticking new flows to the same server; even so, layer 5 stickiness permits more even balancing than layer 3 stickiness (source IP based).
Also consider that "show summary" is a command to see the hits (requests) being balanced to a specific server. This is a good command to see the load balancing; anyway, since the CSS balances connections (flows), a persistent connection could have a lot of requests, so all those requests always go to the same server (incrementing the amount of hits in the counter), while a non-persistent connection would be just one request (refer to HTTP persistence).
Also keep in mind that if a service is taken out for maintenance, or is added to the load balancing later than another, or goes down for a period of time, then the CSS will be balancing among the remaining alive servers. When you add the server again, the other servers are going to have connections already established, so since the CSS is doing round robin, the server last added will never have the same amount of connections (nor hits) as the other ones: while one could have 55, for example, the new one will have its first connection, and when the first one gets its 56th, the other will get its second, and so on.
Please let me know if this makes any sense.
Diego M -
CSS 11503 - SSL - Unable to clear/delete rsakey
Hi,
We have recently configured an ssl redirect service on the CSS11503. This works great.
The CSS was then cleared of all configuration, including all SSL cert/key associations, in order to test recovery.
The problem we are experiencing is that there is an rsakey file that is shown as existing but cannot be used or deleted.
Can anyone explain this?
Also, once the generated digital certificates have been authenticated by Verisign, when trying to download them for Cisco a vendor code is required, which we do not have.
Has anyone had similar problems?
Ravi,
There are multiple types supported by the CSS SSL Module and WebNS.
If you select apache, you will get a PEM certificate.
WIN2000 IIS 5 uses PKCS12, and NT IIS4 uses DER
PEM, DER, and PKCS12 are supported by the CSS.
This info can be found at
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080157875.html#1063169
I generally tell people to select apache, but the others should work. I agree, Cisco should be listed at the Apache website.