CSS 11506 running 08.20.2.01

Can you tell me if this will work?
keepalive type encrypt
keepalive method get
keepalive port xxxx
Specifically, what can I do for a layer 5 KAL for HTTPS in a service? I hate to compare these things but I know on an F5 I can do an https get.
These are 11506 running 08.20.2.01
Thanks for anything you can advise,

You can definitely set up the CSS to perform a URI keep-alive over HTTPS.
keepalive type http encrypt
However, in order for this configuration to work properly, your CSS must contain the SSL module, as the service will need to be set up as a "type ssl-accel-backend". This will allow the CSS to encrypt the keep-alive request and decrypt the server's response using the cert/keys defined within the backend-server configuration within the ssl-proxy-list.
Does your CSS contain an SSL module?
- Jason

Similar Messages

  • CSS 11506 / install Disclaimer page

    We have a CSS 11506. Our public portal web servers are behind that CSS 11506. How do we configure the CSS so that when people click on some external website URLs on the public portal, a disclaimer / exit page shows up first?

    The CSS is only load balancing the HTTP traffic to the public portal web servers and does not run an HTTP stack itself. As such the CSS is incapable of presenting any HTTP content to the client. Any disclaimer / exit pages would need to be programmed into the content of the page the public portal server presents to the client. There is not a way to accomplish this on the CSS.

  • Trying to understand SSL sticky with CSS 11506 / ssl-l4-fallback behavior

    Dear experts
    I have a CSS 11506 (v7.50) which is used to load balance several SSL-based sites. We use the following textbook content rule:
    content mysite-SSL
    vip address 10.0.0.1
    add service s01
    add service s02
    add service s03
    port 443
    protocol tcp
    advanced-balance ssl
    application ssl
    flow-timeout-multiplier 225
    active
    If I read the manual correctly, SSL L3 session IDs are going to be used till a flow is set up. Then the ssl-l4-fallback (it is enabled) directive kicks in and load balancing is done based on the source IP, destination port.
    However, my stats show:
    Sticky Statistics - SFM Slot 1, Subslot 1:
    Total number of new sticky entries is 4937735
    Total number of sticky table hits is 33476045
    Total number of sticky rejects (no entry) is 0
    Total number of sticky collision is 0
    Total number of available sticky entries is 0
    Total number of used sticky entries is 131071
    Total L3 sticky entries are 131
    Total L4 sticky entries are 0
    Total SSL sticky entries are 130940
    Total WAP sticky entries are 0
    Total number of SIPCID sticky entries is 0
    So, why don't I see anything in the L4 sticky entries?
    Also, I would expect that once the ssl-l4-fallback kicks in, a client will be always directed to the same server (since the CSS uses now source IP, dest port for load balancing). However, if I close and start again my browser I hit a different server.
    Your thoughts and suggestions are highly appreciated.
    John.

    Hi Gilles
    Thank you for your response. If I may ask the group for a final further clarification, so as to put this matter to rest. Since there are a lot of frames transmitted in either direction, I would expect the following to be happening and overriding the use of SSLv3 session IDs. Following is the section of the manual that seems to contradict what you say (and I see on the stats). Am I reading the manual wrong?
    "Cisco Content Services Switch
    Content Load-Balancing
    Configuration Guide
    Software Version 8.20
    November 2006
    page 11-14
    Configuring SSL-Layer 4 Fallback
    Insertion of the Layer 4 hash value into the sticky table occurs when more than
    three frames are transmitted in either direction (client-to-server, server-to-client)
    or if SSL version 2 is in use on the network. If either condition occurs, the CSS
    inserts the Layer 4 hash value into the sticky table, overriding the further use of
    the SSL version 3 session ID."

  • CSS 11506 page requests not directed properly

    CSS 11506 sitting in front of mainframe and
    two Windows 2003 servers
    content rule3056gif
    add service web1
    add service web2
    vip address 10.10.200.252
    balance aca
    url "/IMAGE_DIRECTORY_NAME/*.gif"
    port 3056
    active
    A small number of page requests, that do not match the above pattern, are passing to the content servers web1 or web2 instead of the mainframe.
    Any ideas appreciated.

    When a connection comes in and matches the rule above, a flow is created to switch all traffic between client and server.
    If inside this same flow a new request comes in for a different content rule, the flow needs to be remapped to the new server.
    This works fine except when the flow stays idle.
    A flow that was idle can't be remapped.
    All new requests will be sent to the current/last server even if the request does not match the rule.
    The solution is to increase the idle timeout.
    You can do this with a 'flow-timeout-multiplier'.
    A large value will reduce a lot the chance to see the problem but it also means the amount of resources being used will increase as each flow will remain longer in memory.
    It's up to you to find the right balance.
    You can do a 'flow stat' from llama mode to see number of free flows and active flows.
    I would say you start with a flow-timeout-multiplier of 100 and reduce or increase it if necessary.
    Regards,
    Gilles.
    - please take a moment of your time to rate this answer.

  • Etherchannel to CSS 11506

    I'm looking at doing an etherchannel/channel group to CSS 11506 for greater bandwidth on the front of the CSS: clients>chan-group>vip>CSS>servers.
    Has anyone else done this?
    The reason I ask if this can be done is that the backup (ASR) CSS vir-peer shows as master (backup router) state. I didn't see any commands on the CSS for etherchannel, PAgP or LACP.

    Hi,
    Etherchannel is not supported on the CSS from my knowledge. Furthermore you should avoid any spanning-tree issue on the CSS. If you need more throughput than 1 GIG think about splitting the VIPs so that one CSS is active for the first half of the VIPs and the other one for the 2nd part. Be aware that the Gateway on both VIP-pars need to be active on the correct box.
    Kind Regards,
    Joerg

  • CSS 11506 - Locked up but cannot find why

    I have had a CSS 11506 lock up with no access or activity. From the syslog logs I cannot see any error messages reporting a failure, just a hole. During the lockup I had no access to the equipment.
    Any suggestions on how to investigate the lock up ?
    Thank you in advance.
    Roger.

    Hi Roger,
    Based on the symptoms I guess the CSS did not save any core; can you double check?
    I would say that we do not have enough evidence to say what caused the outage. Actually I would need to see the showtech and look for some evidence, but I can tell you for sure that your code needs to be upgraded.
    The 7.50 train is not getting new releases since the new trains are 8.10 and 8.20, and also 7.50.103 is an early release on that train and many defects were addressed in newer code, some of them related to crash and hang issues.
    Hope it helps!!

  • CSS 11506

    I configured a VIP on my CSS 11506. I created a content rule and a service, which will be used by the content rule. Both have been activated. However, when I do "show service summary", the new service created is not coming up, it's showing down. I removed the service and re-created it and it is still down. My VIP won't work if the service remains down. Please help if you have experienced this before. Thanks so much !!

    Collin,
    You are the man! I removed the keepalive by typing "keepalive type none" (initially it was "keepalive type tcp") and now the service is up and I can get to my VIP. Thanks so much! I appreciate it. How should I give you credit?

  • CSS divs running into each other 4x3 screens but not widescreen

    I am trying to develop a site: http://www.poweredupgamers.com. Everything looks great on a widescreen monitor, but when I view it on older 4x3 monitors the divs run into each other and the spacing gets all messed up. This occurs regardless of the resolution the monitors are using.
    I thought by setting up margins with % (5% left margin for left div, etc.) that the divs would change in size to fill the pages regardless of the resolution the monitor is set at. The divs do seem to adjust for the resolution, but the monitor format appears to be a different issue. Do I need to set fixed div positions or widths to fix this issue? If so, how do I set them to ensure the page is filled properly (as little blank space as possible) regardless of the monitor's resolution?
    Does it have anything to do with fixed sizes for certain images inside divs sizes based on % margins?
    Thanks very much for any help!

    Resolution is not the critical issue. Browser viewport width is. To make your decision you need to have some ideas about the following issues -
    1. What is the primary target demographic for this site?
    2. What are the browsing habits of that demographic? Do they normally have their browser window maximized on the screen?
    3. If they usually have their browser maximized, what is the typical screen width?
    4. If they usually do NOT have their browser maximized, what is the MINIMUM screen width in that demographic.
    5. How do I want to build the page?
       a. Fixed width and left aligned?
       b. Fixed width and centering?
       c. Flexible to fill whatever width from left to right?
       d. Flexible (within limits) and left aligned?
       e. Flexible (within limits) and centering?
    As you can see, this decision is probably much more complex than you thought, and will require that you know quite a bit about your intended target visitor and their browsing habits.
    If you elect to go with 5a, or 5b, then your decision would be - 'what is the minimum browser width I want to support without horizontal scrolling?'. Once you have determined that minimum supported width, all of your decisions are made. That's how wide you want your page to be.
    If you elect to go with 5c, then you just build your page within a flexible container (the simplest example - although an obsolete one - would be to use a 100% width table to hold the entire page). Be aware that pages with limited text content can look VERY sparse and empty on wide viewports when built in this way.
    If you elect to go with 5d, or 5e, then you would add this sophistication to your decision matrix - 'what is the greatest width I want to allow the page and its contents to become?'
    In this case, you would use the CSS styles - 'min-width' and 'max-width' on the primary page container. Just so you'll know, although these styles are well supported *now*, earlier versions of IE (and some other browsers) will not support them so reliably.
    So - which is it? 8)
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    ==================
    http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    ==================

  • CSS - 11506 - Adding New SSL Services on Single SSL Modules

    Hi,
    We have one pair of CSS 11506. Currently SSL services are running on slot 4 with a single SSL module. Now we are planning to add one more SSL application with different certificates & keys on a different VIP.
    Can we use the same slot 4 for the new application, using different certificates & keys on the same SSL module? Your response is appreciated.

    Hi Sean,
    Thanks for replying back. I just want a few clarifications on the configuration part.
    1. If a new VLAN is given for the new application, then how do we point routes to the new VLAN, as default routes to the existing VLAN are already present?
    2. I've prepared a sample config template with detailed steps. Let us know whether it will work, and if changes are required kindly let us know.
    1.# ftp-record ssl_record 192.168.19.21 johndoe "abc123"
    /home/johndoe
    2.# copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
    Connecting
    Completed successfully
    3.# copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
    Connecting
    Completed successfully
    4.Enter configuration mode.
    # config
    (config) #
    4. To use RSA public key exchange and authentication:
    a. Associate the imported RSA certificate with a file.
    (config) # ssl associate cert myrsacert1 rsacert.pem
    b. Associate the imported RSA key pair with a file.
    (config) # ssl associate rsakey myrsakey1 rsakey.pem
    5. Compare the public key in the associated certificate with the public key
    stored with the associated private key and verify that they are identical.
    (config) # ssl verify myrsacert1 myrsakey1
    Certificate mycert1 matches key mykey1
    ssl associate rsakey NEWKEY newkey.pem
    ssl associate cert NEWCERT newcert.pem
    !************************* INTERFACE *************************
    interface 3/3
    description "****WEB SIDE****"
    bridge vlan _ID_X.X.X.X
    bridge port-fast enable
    interface 3/4
    bridge vlan_ID_Y.Y.Y.Y
    bridge port-fast enable
    description "****PIX SIDE****"
    !************************** CIRCUIT **************************
    circuit VLAN_ID_X
    ip address A.A.A.A B.B.B.0
    ip virtual-router 2 priority 101 preempt
    ip redundant-interface 3 C.C.C.C
    ip critical-service 3 chk-con-pix_Y.Y.Y.Y
    ip critical-service 3 chk-con-web_X.X.X.X
    circuit VLAN_ID_Y
    ip address D.D.D.D E.E.E.0
    ip virtual-router 4 priority 101 preempt
    ip redundant-vip 4 F.F.F.F
    ip critical-service 4 chk-con-pix_Y.Y.Y.Y
    ip critical-service 4 chk-con-web_X.X.X.X
    !*********************** SSL PROXY LIST ***********************
    ssl-proxy-list NEW
    ssl-server 20
    ssl-server 20 vip address F.F.F.F
    ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
    ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
    ssl-server 20 rsacert NEWCERT
    ssl-server 20 rsakey NEWKEY
    active
    !************************** SERVICE **************************
    service FRONT_SSL
    type ssl-accel
    slot 4
    keepalive type none
    add ssl-proxy-list NEW
    active
    service WEBSERVER-03
    ip address G.G.G.G
    redundant-index 3
    protocol tcp
    port 80
    active
    service WEBSERVER-04
    ip address H.H.H.H
    redundant-index 4
    protocol tcp
    port 80
    active
    service chk-con-pix_Y.Y.Y.Y
    keepalive type script ap-kal-pinglist "N.N.N.N"
    ip address J.J.J.J
    keepalive frequency 2
    keepalive maxfailure 2
    keepalive retryperiod 2
    active
    service chk-con-web_X
    ip address K.K.K.K
    keepalive type script ap-kal-pinglist "P.P.P.P"
    keepalive frequency 2
    keepalive maxfailure 2
    keepalive retryperiod 2
    active
    !*************************** OWNER ***************************
    owner NEW
    content BACKNEW_HTTP
    vip address F.F.F.F
    add service WEBSERVER-03
    add service WEBSERVER-04
    protocol tcp
    port 81
    url "/*"
    redundant-index 5
    no persistent
    active
    content FRONTENDNEW_SSL
    vip address F.F.F.F
    protocol tcp
    port 443
    application ssl
    add service FRONT_SSL
    active
    content NEW
    url "//www.ABC.com/*"
    vip address F.F.F.F
    protocol tcp
    port 80
    redundant-index 4
    redirect "https://ABC.com"
    active
    Your reply on this would be highly appreciated.
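
The `ssl-proxy-list NEW` stanza in the template above offers only RC4-based suites, and each cipher line names a backend address and port. The following is an added example, not part of the original post or of any Cisco tooling: a small audit of `ssl-server ... cipher` lines in a CSS configuration. The function name, the substring heuristics, and the 192.0.2.x addresses (substituted for the masked F.F.F.F) are assumptions, as is reading the trailing IP and port as the destination of the decrypted traffic.

```python
import re

# Substring heuristics for weak suites (assumption: applied to the cipher
# token as written in the config; not an official Cisco list).
WEAK_MARKERS = {
    "rc4": "RC4 stream cipher (prohibited in TLS by RFC 7465)",
    "md5": "MD5-based message authentication",
    "export": "export-grade key length",
    "null": "no encryption",
}

# Keywords that open a different top-level stanza and so close an ssl-proxy-list.
STANZA_STARTS = {"service", "owner", "content", "circuit", "interface", "group"}

CIPHER_RE = re.compile(
    r"^ssl-server\s+(\d+)\s+cipher\s+(\S+)(?:\s+(\S+)\s+(\d+))?$"
)

# Constructed sample: the proxy list and front-end service from the post,
# with documentation addresses in place of the masked values.
SAMPLE_CONFIG = """\
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list NEW
ssl-server 20
ssl-server 20 vip address 192.0.2.10
ssl-server 20 cipher rsa-with-rc4-128-sha 192.0.2.10 81
ssl-server 20 cipher rsa-with-rc4-128-md5 192.0.2.10 81
ssl-server 20 rsacert NEWCERT
ssl-server 20 rsakey NEWKEY
active
!************************** SERVICE **************************
service FRONT_SSL
type ssl-accel
slot 4
keepalive type none
add ssl-proxy-list NEW
active
"""


def audit_ssl_proxy_lists(config_text):
    """Return one finding per cipher line found inside an ssl-proxy-list."""
    findings = []
    current = None  # name of the ssl-proxy-list being read, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or banner comment
        words = line.split()
        if words[0] == "ssl-proxy-list" and len(words) > 1:
            current = words[1]
            continue
        if words[0] in STANZA_STARTS:
            current = None
            continue
        match = CIPHER_RE.match(line) if current else None
        if not match:
            continue
        server, cipher, ip, port = match.groups()
        weak = [why for marker, why in WEAK_MARKERS.items()
                if marker in cipher.lower()]
        findings.append({
            "proxy_list": current,
            "ssl_server": int(server),
            "cipher": cipher,
            "weak": weak,
            # Assumed meaning: where the decrypted stream is sent.
            "backend": f"{ip}:{port}" if ip else None,
        })
    return findings


if __name__ == "__main__":
    for f in audit_ssl_proxy_lists(SAMPLE_CONFIG):
        status = "; ".join(f["weak"]) or "no weak marker matched"
        print(f'{f["proxy_list"]}/ssl-server {f["ssl_server"]}: '
              f'{f["cipher"]} -> {f["backend"]}: {status}')
```

A proxy list in which every cipher line carries a non-empty `weak` entry, as here, leaves clients no stronger suite to negotiate.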

  • CSS 11506 Help

    We just bought a 11506. I have a few questions
    - One requirement we have is that I need to direct https web requests to the CSS public IP and then have it redirect that web request over tcp 80 to one of our internal web servers.
    Do I need to purchase an SSL module for this?
    Can someone direct me to the support link for the 11506. Looking for setup and support docs.
    Cheers
    Dave

    In order to do SSL offloading you need to buy SSL module CSS5-SSL-K9.
    You can find lots of CSS config examples
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_configuration_examples_list.html
    & Supporting documents at
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/tsd_products_support_series_home.html
    Syed Iftekhar Ahmed

  • CSS not running in windows 7

    Hello, I have a friend who just got a new Windows 7 laptop and he installed Counter-Strike: Source on it. Whenever he tries to run it, it crashes with the message "hl2.exe has stoppped working". I know hl2 is a reference to the game engine and this has happened to me, but only when it fails to load some content and then tries to run through the game. Any idea on how to fix this? Or maybe what's causing this?

    This is the wrong forum for this type of issue.
    Try using the steam forums -
    http://store.steampowered.com/forums/

  • CSS 11506 problem

    Hi All,
    I have two portals which are located behind the load balancer (client side), the configuration is basic.
    I have faced a problem accessing these portals via the SSL port (HTTPS) using the virtual IP address which represents them, knowing that the SSL sessions are terminated on the portals, not on the CSS.
    Any help please.
    Thanks a lot.
    Mo

    what kind of problem ???
    Get a sniffer trace on client and server and see what is going on.
    We'll also want to see the config even if basic.
    Gilles.

  • Capture Traffic on Css 11506

    Hello,
    I am trying to troubleshoot all traffic related to backend servers (behind the CSS) from the input and output interfaces of the CSS. Could anybody help me in capturing this kind of traffic, with a support guide or commands?
    Thanks,
    Mo

    You can use a CSS port as Span port. Connect a sniffer at that port and you will get the packets.
    Command to use
    setspan src_port number dest_port number copyBoth|copyTxOnly|copyRxOnly
    More details at
    http://cco.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.20/configuration/administration/guide/Intface.html#wp1099686
    Syed Iftekhar Ahmed

  • HTTP and terminal services connection intermittently for CSS 11506

    I am configuring a client/server CSS configuration. I am facing an intermittent HTTP connection. The browser needs to be refreshed 3 times before the web page is seen. I am also facing problems connecting to the real server behind the CSS using Terminal Services in Windows Server 2003. I am using ML330 to connect to the real server through their VIP address. The connection is sometimes successful but most of the time it is not. I have attached the network diagram and the config for reference. Please advise!

    This is the kind of thing that you need a sniffer trace on both sides of the CSS to determine what the problem is.

  • CSS 11506 Default "Site is down" Page

    The Company that I work for needs to bring down our servers for some hardware upgrades for a period of time. Is it possible to configure the CSS so that it will display an HTML page any time that it cannot find one of the servers that it should be looking for? If it is possible, how would I go about doing that,or where would I look for directions on setting that up? Thank you very much for any help provided.

    Another question: we've brought down our content servers and the sorry server is sending out the sorry page that we have set up. I added all the settings indicated in the link above that you gave me, and based on some of the other articles that I have seen while troubleshooting I have changed some of the persistence settings. Here are my configurations, any ideas?
    !*************************** GLOBAL ***************************
    no restrict web-mgmt
    no restrict xml
    dns primary 10.20.1.2
    ip route 0.0.0.0 0.0.0.0 10.20.1.1 1
    !************************* INTERFACE *************************
    interface 1/1
    phy 1Gbits-FD-sym
    !************************** CIRCUIT **************************
    circuit VLAN1
    router-discovery lifetime 1000
    ip address 10.20.1.4 255.255.255.0
    router-discovery
    !************************** SERVICE **************************
    service Blade01
    ip address 10.20.1.60
    active
    service Blade02
    ip address 10.20.1.61
    active
    service Blade03
    ip address 10.20.1.62
    active
    service Blade04
    ip address 10.20.1.63
    active
    service sorry
    ip address 10.20.1.41
    active
    !*************************** OWNER ***************************
    owner OWNER
    email-address
    content server1
    vip address 10.20.1.80
    balance aca
    add service Blade01
    add service Blade02
    primarySorryServer sorry
    no persistent
    active
    content server2
    vip address 10.20.1.81
    add service Blade03
    add service Blade04
    balance aca
    active
    !*************************** GROUP ***************************
    group server1
    vip address 10.20.1.80
    add destination service Blade01
    add destination service Blade02
    add destination service sorry
    group server2
    add destination service Blade03
    add destination service Blade04
    vip address 10.20.1.81
