CSS excessive ARP requests

Hello all,
my CSS 11150 with WebNS 5.00 does excessive arp requests on its interfaces (up to 100 arps per second). The box seems to arp EVERYTHING especially in the 10.147.0.0 /16 subnet even if it is not used at all. My config is as follows:
ip no-implicit-service
ip opportunistic disable
ip route 0.0.0.0 0.0.0.0 10.147.1.1 1
circuit VLAN1
  ip address 10.147.248.10 255.255.0.0
circuit VLAN2
  ip address 10.145.45.254 255.255.255.128
service sunbl3s6-443
  ip address 10.145.45.136
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active
service sunbl3s6-80
  ip address 10.145.45.136
  protocol tcp
  port 80
  keepalive type tcp
  keepalive port 80
  active
service sunbl3s7-443
  ip address 10.145.45.137
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active
service sunbl3s7-80
  ip address 10.145.45.137
  protocol tcp
  port 80
  keepalive type tcp
  keepalive port 80
  active
owner unix-systems
  content vrp-test-443
    vip address 10.145.45.253
    protocol tcp
    port 443
    balance aca
    add service sunbl3s6-443
    add service sunbl3s7-443
    active
  content vrp-test-80
    vip address 10.145.45.253
    protocol tcp
    port 80
    balance aca
    add service sunbl3s6-80
    add service sunbl3s7-80
    active
group vrp-test
  vip address 10.145.45.253
  add destination service sunbl3s6-80
  add destination service sunbl3s6-443
  add destination service sunbl3s7-80
  add destination service sunbl3s7-443
  active
Does anybody have any hints?
Many thanks in advance
Uli

Hi,
I did a software upgrade yesterday and put ap0610405.adi.gz on the box. But the behaviour didn't change. We also checked the cabling for loops, that's also fine.
We have observed some further things:
The broadcasts are only on the 10.147.0.0 /16 subnet. As this is our local lan backbone we can't change it, I could only shift the frontend into another subnet and route it towards the backbone.
We have another two boxes (CSS11503 with 7.4) with a similar configuration - they also do excessive arp requests in the same subnet, the primary as well as the secondary. But the addresses being arped for are not necessarily the same.
I took some packet traces looking for broadcasts and multicasts that could inspire the boxes to arp for every address they see - nothing, the addresses being arped for are not seen in the seconds before the CSS arp request.
What could trigger arp requests for machines which never accessed or used the CSS services / rules??? I've never seen such a behaviour before...
Best Regards
Uli
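
One way to quantify the pattern described in this thread from a packet trace, as an added example (not code from the posters or from Cisco): it reports each sender's ARP request rate and the share of requests whose target sent no IPv4 or ARP frame in the preceding seconds. The frames are constructed sample data; the thresholds, the 10.147.1.50 and 10.147.1.60 hosts and all MAC addresses are assumptions.

```python
import socket
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"      # htype ptype hlen plen op sha spa tha tpa


def decode(frame: bytes):
    """Return (source_ip, arp_target_ip) for IPv4 and ARP frames, else None.

    arp_target_ip is set only for ARP requests (opcode 1).
    """
    if len(frame) < 14:
        return None
    off, ethertype = 14, frame[12:14]
    if ethertype == b"\x81\x00" and len(frame) >= 18:    # skip one 802.1Q tag
        off, ethertype = 18, frame[16:18]
    body = frame[off:]
    if ethertype == b"\x08\x00" and len(body) >= 20:     # IPv4: source at 12..16
        return socket.inet_ntoa(body[12:16]), None
    if ethertype == b"\x08\x06" and len(body) >= 28:     # ARP
        htype, ptype, hlen, plen, op, _sha, spa, _tha, tpa = struct.unpack(
            ARP_FMT, body[:28])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return None                                  # not Ethernet/IPv4 ARP
        return socket.inet_ntoa(spa), (socket.inet_ntoa(tpa) if op == 1 else None)
    return None


def arp_report(capture, lookback=5.0):
    """Summarise ARP requests per sender from (timestamp, frame) pairs.

    A request counts as "unprompted" when its target sourced no IPv4 or ARP
    frame during the preceding `lookback` seconds (assumed window).
    """
    last_seen = {}               # ip -> last time it sourced a frame
    acc = defaultdict(lambda: {"n": 0, "targets": set(), "unprompted": 0,
                               "first": None, "last": None})
    for ts, frame in sorted(capture, key=lambda rec: rec[0]):
        decoded = decode(frame)
        if decoded is None:
            continue
        src, target = decoded
        if target is not None:
            s = acc[src]
            s["n"] += 1
            s["targets"].add(target)
            s["first"] = ts if s["first"] is None else s["first"]
            s["last"] = ts
            seen = last_seen.get(target)
            if seen is None or ts - seen > lookback:
                s["unprompted"] += 1
        last_seen[src] = ts
    report = {}
    for src, s in acc.items():
        span = max(s["last"] - s["first"], 1.0)   # 1 s floor: short bursts do not inflate the rate
        report[src] = {"requests": s["n"],
                       "rate_per_s": s["n"] / span,
                       "distinct_targets": len(s["targets"]),
                       "unprompted_ratio": s["unprompted"] / s["n"]}
    return report


def sweeping_senders(report, min_rate=50.0, min_unprompted=0.8):
    """Senders that ARP fast and mostly for silent addresses (assumed thresholds)."""
    return sorted(ip for ip, r in report.items()
                  if r["rate_per_s"] >= min_rate
                  and r["unprompted_ratio"] >= min_unprompted)


# --- constructed sample data below, not a real trace ---
def make_arp_request(mac, src_ip, dst_ip):
    eth = b"\xff" * 6 + mac + b"\x08\x06"
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, mac,
                             socket.inet_aton(src_ip), b"\x00" * 6,
                             socket.inet_aton(dst_ip))


def make_ipv4(mac, src_ip, dst_ip):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\xff" * 6 + mac + b"\x08\x00" + hdr


def sample_capture():
    css, gw, host = (bytes([2, 0, 0, 0, 0, n]) for n in (1, 2, 3))
    cap = [
        (0.0, make_arp_request(gw, "10.147.1.1", "10.147.1.50")),   # target silent
        (0.2, make_ipv4(host, "10.147.1.60", "10.147.255.255")),    # .60 is heard
        (0.4, make_arp_request(gw, "10.147.1.1", "10.147.1.60")),   # target heard
    ]
    for i in range(200):                   # 100 requests/s from the CSS address
        target = f"10.147.{100 + i // 50}.{1 + i % 50}"
        cap.append((1.0 + i * 0.01,
                    make_arp_request(css, "10.147.248.10", target)))
    return cap


if __name__ == "__main__":
    rep = arp_report(sample_capture())
    for ip in sweeping_senders(rep):
        print(ip, rep[ip])
```

On a real trace, feed `arp_report` the (timestamp, frame) pairs from whatever capture reader is in use; a high rate combined with an unprompted ratio near 1.0 matches what the poster observed by eye.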

Similar Messages

  • Solaris 9 and ARP request

    Hello
    my server is sending a lot of ARP requests "who is ...". At first sight it looks quite OK, but the TTL in the ARP cache is set to 20 min, and my server doesn't care: after getting an answer "...ip.ip.ip.ip is et.et.et.et.et.et..." it is still asking "who is....".
    Is it OK?
    And another weird thing: maybe I am not smart enough, but shouldn't these two commands give the same (+-) answers:
    # arp -a
    # ndd -get /dev/arp arp_cache_report
    Thanks for help
    Agie

    Solaris 9 - 9/05 HW (Update 9) is supported on SunFire V215; if you have a support contract you might be able to download it from www.sun.com/OSC .
    .7/M.

  • STB Sending ARP requests every 9 minutes

    IS there a particular reason that I keep getting ARP requests from the STB even though it has been assigned an IP?

    So there is no way to route that correctly?
    I mean, I haven't blocked any of that traffic.
    I used to use a different router with my old service and well you guys supply one.
    Since I have a new router now, I wanted to check how well the firewall was set up and if there was any automatic anti-spoofing on the router or if I had to set it up myself.
    So, feeling insecure, I turned my personal Outpost firewall back on on my computer.
    Which is catching that as a spoofing attack of course.
    But now my question is, couldn't that traffic be routed appropriately?
    It doesn't seem like a big deal, just a little messy.
    And this thread is easily applying to FIOS INTERNET more and more as we talk.
    From what I get it's the STBs looking for the DVR.
    What would happen if you blocked that info coming across the bridge or routed the info appropriately vs blocking it?
    Does it have to come across the bridge and if so why?
    From the looks of things I could definitely keep that on the coax side of things vs having it run across the bridge.
    My comp recognizes it as spoofing but the router doesn't of course because it's all behind the router.
    Maybe you could help me further or someone else in defining the design of that communication.
    Again it's harmless and not a big deal, it's more curiosity than anything else at this point.

  • 6500 IOS HSRP Gateway not responding to ARP requests

    WS-C6509, running Native IOS version 12.2(33)SXH4. Pair of 6500 configured with HSRP serving as Gateway to down stream clients
    Ping requests from clients not having a Default Gateway (AIX Server Team recommendation) failing.
    Packet capture shows ARP requests being received by Gateway 6500, but Gateway will not respond for up to 30 seconds, at which point ping requests will start working. But after a period of inactivity, the cycle starts over again - 30 second delay before traffic starts flowing.
    Having a Default Gateway is a separate discussion. I'm just interested in being able to provide technical reason why this is occurring.
    Anyone experience this?
    Any suggestions for additional troubleshooting measures?
    Thanks in advance.

    Looks to me like a timer problem - maybe a ARP timer on the clients? Check the ARP tables of your clients during your tests.
    HTH

  • Why does debug arp output the following information "IP ARP throttled out the ARP Request for 10.170.254.13"

    In the network, sometimes I can't ping some servers. The gateway is on the 4507 switch. If I connect my computer to the VLAN that the servers are in, I cannot ping the gateway successfully, and the computer can't learn the gateway's MAC. At the same time I ran debug arp on the 4507; the output is:
    "Jun 20 07:36:21.225: IP ARP throttled out the ARP Request for 10.170.254.46
    Jun 20 07:36:21.225: IP ARP throttled out the ARP Request for 10.170.254.13
    Jun 20 07:36:21.227: IP ARP: sent req src 10.170.252.30 b838.6168.3c7f,
                     dst 10.170.252.82 0000.0000.0000 Vlan252"
    If I reload the 4507, I can ping the gateway and the servers.
    I think it's an ARP attack: the machine in question is sending a lot of ARP requests, which fills the 4507's ARP cache until it overflows. My computer wants to request the gateway's MAC, but the message is discarded, so my computer can't ping the gateway.
    Can someone tell me, am I right? It's very important for me.
    And tell me, what can I do? I'll wait online.
    Thank you very very much.

    Have a look at this document for troubleshooting ARP throttled issues
    http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/17812-cef-incomp.html
    HTH

  • CSM reporting failed ARP request

    Hi!!
    We have a CSM on Catalyst 6509 SUP720, the IOS is 12.2(18)SXD7b.
    We have a problem with load-balanced portal servers with the CSM. Checking Catalyst log we see the following messages:
    Jun 7 06:17:42.145 UTC: %CSM_SLB-6-RSERVERSTATE: Module 4 server state changed: SLB-NETMGT: Server [ip address] failed ARP request
    Jun 7 06:17:43.505 UTC: %CSM_SLB-6-RSERVERSTATE: Module 4 server state changed: SLB-NETMGT: Server [ip address]now responding to ARP requests
    Jun 7 06:19:23.445 UTC: %CSM_SLB-6-GATEWAYSTATE: Module 4 gateway state changed: SLB-NETMGT: Gateway [ip address]failed ARP request
    Jun 7 06:24:12.241 UTC: %CSM_SLB-6-GATEWAYSTATE: Module 4 gateway state changed: SLB-NETMGT: Gateway [ip address]now responding to ARP requests
    At the beginning, the messages referred to failed ARP for the real servers, but now the CSM reports failed ARP requests on the Gateways (Vlan Interfaces) too.
    Any idea?? We don't know if the problem is the network, or is the CSM Card or the IOS version.
    The Catalyst 6500 is on the Distribution Layer, connecting 4 Access switches (Enterasys) and 2 Core Cat6500 switches. The balanced servers are on an Access Enterasys N7 Switch.
    Thanks in advance...
    Pedro

    Hi Gilles, thanks for your quick response.
    But, as well as the problem with missing ARPs, we have very slow responses and site pages are shown with missing objects every time we point to the CSM virtual address with 2 internet proxy servers on a CSM Serverfarm, while if we point to the Real IP Address of any proxy server, all is fine and fast.
    Now we are pointing directly to real servers (not to the CSM virtual), and all is fine, but it is not the final idea.
    It sounds like a problem with the Channel between the CSM and the Switch.
    We made traces monitoring the PortChannel 260, and we saw very many ARP requests but just a few replies.
    It is very strange that the CSM is also reporting missing ARPs on Gateways, because this gateway is an interface Vlan into the MSFC!! The only way to make the missing ARP log messages disappear is configuring static ARP on the CSM.
    What do you think about it?
    The version on CSM is 4.2(2)
    Thanks!!
    Pedro.

  • A question about ARP request?

    Does a device refer to its ARP table to send ARP reply when it get ARP request?

    Thanks for all the replies.
    However, actually I wanted to know, when an ARP request/reply packet is encapsulated, how it happens and what is referred to.
    For an IP packet, the ARP table is referred to, to look up the IP packet's destination MAC address to encapsulate the IP packet into an Ethernet frame.
    I know ARP is a protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks, but I am just wondering if the ARP request/reply itself also refers to its ARP table, as ARP looks like a protocol for Layer 3, the network layer.
    Say, there are Host A, Host B and SW1 on the same local network, and let me explain the ARP process until Host B sends the ARP reply to Host A.
    Host A
    1. Host A ping Host B
    2. Ping process creates an ICMP Echo Request and IP packet is made by the Echo Request.
    3. Destination IP of the IP packet is in the same subnet, and is a unicast IP packet.
    4. ARP process on the Host A looks up the IP packet's destination MAC address from its ARP table to encapsulate the IP packet into Ethernet frame, but it is not in the ARP table. So the ARP process tries to send an ARP request after buffering the IP packet.
    5. ARP process creates ARP request.
    6. The host A encapsulates the ARP request packet into Ethernet frame with FFFF.FFFF.FFFF for its destination MAC address.
    7. The Host A sends out the Ethernet frame.
    SW1
    8. The SW1 receives the ethernet frame.
    9. The frame's source MAC address does not exist in the SW1's MAC table, so the SW1 adds the MAC address to its MAC table.
    10. The SW1 sends out the frame to all ports in the same VLAN except the receiving port as the frame's MAC address is FFFF.FFFF.FFFF.
    Host B
    11. The host 2 receives the frame and decapsulates it.
    12. The decapsulated frame is ARP request packet, so the ARP process on Host B processes it.
    13. The Host B determines that the destination IP address in the ARP request packet matches its own IP address, and adds the IP to its own ARP table.
    14. The Host B creates ARP reply packet.
    15. The Host B encapsulates the ARP reply packet into Ethernet frame.
    16. The Host B sends out the Ethernet frame.
    So again, what I want to know are between item number 5 and 6, 15 and 16.
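
The steps listed in the post above, carried through as an added example that is not part of the original thread: it follows the packet reception algorithm of RFC 826, in which neither the request nor the reply is addressed by an ARP table lookup. Host IP and MAC addresses are constructed, and the switch (steps 8 to 10) is not modelled.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"      # htype ptype hlen plen op sha spa tha tpa
BROADCAST = b"\xff" * 6
REQUEST, REPLY = 1, 2


class Host:
    def __init__(self, mac: bytes, ip: str):
        self.mac, self.ip = mac, socket.inet_aton(ip)
        self.arp_table = {}      # protocol address -> hardware address

    def build_request(self, target_ip: str) -> bytes:
        # Steps 5-6: nothing is looked up. The Ethernet destination is the
        # broadcast address and the ARP target hardware field is left zeroed.
        arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, REQUEST,
                          self.mac, self.ip,
                          b"\x00" * 6, socket.inet_aton(target_ip))
        return BROADCAST + self.mac + b"\x08\x06" + arp

    def receive(self, frame: bytes):
        """Apply the RFC 826 reception steps; return a reply frame or None."""
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            return None
        htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
            ARP_FMT, frame[14:42])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return None
        known = spa in self.arp_table
        if known:
            self.arp_table[spa] = sha      # refresh an existing entry
        if tpa != self.ip:
            return None                    # not the target: no new entry, no reply
        if not known:
            # Step 13: the mapping is taken from the packet itself. Nothing
            # authenticates it, which is why switches offer ARP inspection.
            self.arp_table[spa] = sha
        if op != REQUEST:
            return None
        # Steps 14-15: swap the fields. The reply's target (and its Ethernet
        # destination) is the sender found in the request, not a table lookup.
        arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, REPLY,
                          self.mac, self.ip, sha, spa)
        return sha + self.mac + b"\x08\x06" + arp


def run_exchange():
    """Host A resolves Host B while a third host C hears the broadcast."""
    a = Host(bytes.fromhex("02000000000a"), "192.0.2.10")   # constructed
    b = Host(bytes.fromhex("02000000000b"), "192.0.2.20")   # constructed
    c = Host(bytes.fromhex("02000000000c"), "192.0.2.30")   # constructed
    request = a.build_request("192.0.2.20")
    reply = b.receive(request)       # B is the target: learns A, answers
    ignored = c.receive(request)     # C is not the target: learns nothing
    a.receive(reply)                 # A learns B from the reply's sender fields
    return a, b, c, request, reply, ignored


if __name__ == "__main__":
    a, b, c, request, reply, ignored = run_exchange()
    print("request dst:", request[:6].hex(), "reply dst:", reply[:6].hex())
    print("A table:", {socket.inet_ntoa(k): v.hex() for k, v in a.arp_table.items()})
```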

  • Nexus-switches issues no arp-requests.

    Hallo all,
    I see a very strange behavior on my two nexus switches.
    Both are Nexus 5548 with L3-daughter-cards. Both do l2 and l3-switching, ACL-filtering and other things. Furthermore I have a set of servers connected to both switches in a vPC-setup. All in all I do nothing special.
    After reloading the primary switch (vpc-primary, root-bridge for all vlans and hsrp-active with preemption for all SVIs) the switch comes back online and after getting up all links and reconverging everything the network breaks. After a lot of debugging and curses and connection tries and a few additional gray hairs later I have got it to work by pinging all ip-addresses from the switch that I have previously rebooted.
    Later I do some tests to find out what was going wrong. I found out that if I clear the arp-cache I will get the same issue. Pinging from server A in one subnet to server B in another subnet doesn't lead to success, because the switch issues no arp-requests. To make it work just ping server B from the switch and all works fine. The switch does arp, the arp-table is updated and the pings from the server A will reach the server B.
    Any ideas?
    Regards
    Thomas
    ^^°-°^^

    I can post an extract of the relevant config items.
       - --[ vpc-primary
    cfs01# sh run
    !Command: show running-config
    !Time: Wed Nov 13 08:46:18 2013
    version 5.2(1)N1(1b)
    cfs eth distribute
    vrf context CEPH
    vrf context management
      ip route 172.31.0.0/20 172.31.8.190
    vlan 14
      name 172.31.50.0/26_CN/NN/OSDs@DMZ
    vlan 4080
      name 172.31.48.64/26_NAS.Infrastr@DMZ
    spanning-tree vlan 1-129,131-3967,4048-4093 priority 0
    udld aggressive
    vpc domain 1
      role priority 1
      peer-keepalive destination 172.31.8.179 source 172.31.8.178
      peer-config-check-bypass
      delay restore 150
      peer-gateway
      auto-recovery
      ip arp synchronize
    interface Vlan14
      no shutdown
      mtu 9216
      description CN/NN/OSDs@DMZ
      ip access-group acl-vl14-in in
      vrf member CEPH
      no ip redirects
      ip address 172.31.50.61/26
      no ip port-unreachable
      hsrp version 2
      hsrp 3
        authentication md5 key-string 3-14
        preempt delay minimum 30 reload 60
        priority 255
        ip 172.31.50.62
    interface Vlan4080
      no shutdown
      mtu 9216
      description NAS.Infrastr@DMZ
      ip access-group acl-vl4080-in in
      vrf member CEPH
      no ip redirects
      ip address 172.31.48.125/26
      no ip port-unreachable
      hsrp version 2
      hsrp 3
        authentication md5 key-string 3-4080
        preempt delay minimum 30 reload 60
        priority 255
        ip 172.31.48.126
    interface port-channel7
      switchport mode trunk
      switchport trunk native vlan 991
      spanning-tree port type network
      speed 10000
      vpc peer-link
    interface port-channel100
      switchport mode trunk
      switchport trunk native vlan 991
      switchport trunk allowed vlan 2,14-19,991,4078-4080
      speed 10000
      vpc 100
    interface port-channel102
      switchport mode trunk
      switchport trunk native vlan 991
      switchport trunk allowed vlan 2,14,18,991,1299-1400
      speed 10000
      vpc 102
    interface Ethernet1/1
      no cdp enable
      switchport mode trunk
      switchport trunk native vlan 991
      switchport trunk allowed vlan 2,14-19,991,4078-4080
      channel-group 100 mode active
    interface Ethernet1/3
      no cdp enable
      switchport mode trunk
      switchport trunk native vlan 991
      switchport trunk allowed vlan 2,14,18,991,1299-1400
      channel-group 102 mode active
    interface Ethernet1/29
      description cfs02_Eth29
      switchport mode trunk
      switchport trunk native vlan 991
      channel-group 7 mode active
    interface Ethernet1/30
      description cfs02_Eth30
      switchport mode trunk
      switchport trunk native vlan 991
      channel-group 7 mode active
    interface Ethernet1/31
      description cfs02_Eth31
      switchport mode trunk
      switchport trunk native vlan 991
      channel-group 7 mode active
    interface Ethernet1/32
      description cfs02_Eth32
      switchport mode trunk
      switchport trunk native vlan 991
      channel-group 7 mode active
    interface mgmt0
      description oam01_Gi0/19
      ip address 172.31.8.178/26
    cfs01#
       - --[ vpc-secondary
    cfs02# sh run
    !Command: show running-config
    !Time: Wed Nov 13 08:46:05 2013
    version 5.2(1)N1(1b)
    cfs eth distribute
    vrf context CEPH
    vrf context management
      ip route 172.31.0.0/20 172.31.8.190
    vlan 14
      name 172.31.50.0/26_CN/NN/OSDs@DMZ
    vlan 4080
      name 172.31.48.64/26_NAS.Infrastr@DMZ
    spanning-tree vlan 1-129,131-3967,4048-4093 priority 4096
    udld aggressive
    vpc domain 1
      role priority 2
      peer-keepalive destination 172.31.8.178 source 172.31.8.179
      peer-config-check-bypass
      delay restore 150
      peer-gateway
      auto-recovery
      ip arp synchronize
    interface Vlan14
      no shutdown
      mtu 9216
      description CN/NN/OSDs@DMZ
      ip access-group acl-vl14-in in
      vrf member CEPH
      no ip redirects
      ip address 172.31.50.60/26
      no ip port-unreachable
      hsrp version 2
      hsrp 3
        authentication md5 key-string 3-14
        priority 254
        ip 172.31.50.62
    interface Vlan4080
      no shutdown
      mtu 9216
      description NAS.Infrastr@DMZ
      ip access-group acl-vl4080-in in
      vrf member CEPH
      no ip redirects
      ip address 172.31.48.124/26
      no ip port-unreachable
      hsrp version 2
      hsrp 3
        authentication md5 key-string 3-4080
        priority 254
        ip 172.31.48.126
    interface port-channel7
      switchport mode trunk
      switchport trunk native vlan 991
      spanning-tree port type network
      speed 10000
      vpc peer-link
    interface port-channel100
      switchport mode trunk
      switchport trunk native vlan 991
      switchport trunk allowed vlan 2,14-19,991,4078-4080
      speed 10000
      vpc 100
    interface port-channel102
      switchport mode trunk
      switchport trunk native vlan 991
      switchport trunk allowed vlan 2,14,18,991,1299-1400
      speed 10000
      vpc 102
    interface Ethernet1/1
      no cdp enable
      switchport mode trunk
      switchport trunk native vlan 991
      switchport trunk allowed vlan 2,14-19,991,4078-4080
      channel-group 100 mode active
    interface Ethernet1/3
      no cdp enable
      switchport mode trunk
      switchport trunk native vlan 991
      switchport trunk allowed vlan 2,14,18,991,1299-1400
      channel-group 102 mode active
    interface Ethernet1/29
      description cfs01_Eth29
      switchport mode trunk
      switchport trunk native vlan 991
      channel-group 7 mode active
    interface Ethernet1/30
      description cfs01_Eth30
      switchport mode trunk
      switchport trunk native vlan 991
      channel-group 7 mode active
    interface Ethernet1/31
      description cfs01_Eth31
      switchport mode trunk
      switchport trunk native vlan 991
      channel-group 7 mode active
    interface Ethernet1/32
      description cfs01_Eth32
      switchport mode trunk
      switchport trunk native vlan 991
      channel-group 7 mode active
    interface mgmt0
      description oam02_Gi0/19
      ip address 172.31.8.179/26
    cfs02#

  • Default CSS classes (feature request)

    Hi, there is one feature request I would like to ask for,
    When working with templates/themes. The default template is CSS based on classes. Could it be possible to have default classes defined?
    It's just that when working with PL/SQL Regions and HTP/HTF packages, the output is very far from the theme default look. Which leads to a lot of going into theme definitions, copying the CLASS="tXXxxxx" string and using it in the code.
    But if default HTML tags were overloaded (H1, H2... [table], TH, TD, TR.. and so on), it would make the owa code much prettier right out of the box.
    Regards
    Oli

    Hello,
    That is not going to happen for most themes.
    What you're asking is for us to arbitrarily say what a certain tag is going to look like. Let's take <th> for instance, but how and where you or I might use a <th> might be totally different from how someone else uses a <th>.
    Someone might be depending on having the default styles applied and would just have to reoverride the style. We try to be very specific with how classes are applied so as to give people the most options and control over the final look and feel.
    Carl

  • CSS 11506 page requests not directed properly

    CSS 11506 sitting in front of mainframe and
    two Windows 2003 servers
    content rule3056gif
      add service web1
      add service web2
      vip address 10.10.200.252
      balance aca
      url "/IMAGE_DIRECTORY_NAME/*.gif"
      port 3056
      active
    A small number of page requests, that do not match the above pattern, are passing to the content servers web1 or web2 instead of the mainframe.
    Any ideas appreciated.

    when a connection comes in and matches the rule above, a flow is created to switch all traffic between client and server.
    If inside this same flow a new request comes in for a different content rule, the flow needs to be remapped to the new server.
    This works fine except when the flow stays idle.
    A flow that was idle can't be remapped.
    All new requests will be sent to the current/last server even if the request does not match the rule.
    The solution is to increase the idle timeout.
    You can do this with a 'flow-timeout-multiplier'.
    A large value will reduce a lot the chance to see the problem but it also means the amount of resources being used will increase as each flow will remain longer in memory.
    It's up to you to find the right balance.
    You can do a 'flow stat' from llama mode to see number of free flows and active flows.
    I would say you start with a flow-timeout-multiplier of 100 and reduce or increase it if necessary.
    Regards,
    Gilles.
    - please take a moment of your time to rate this answer.

  • CSS - Inbound (WebServer) request to Outbound content

    Hi all,
    Is there any simple way of using the Load Balancer (CSS) to accept inbound requests to a Content Rule from a server used by another Content Rule?
    For example:
    I have Content Rule "WebServer", with Server1, Server2, and Server3.
    Each one of this servers is getting information from one other server (ServerX). This information is taken inside the ServerLan.
    Beside this ServerX has a Content Rule "XXX" for outside Requests, now that we want to add another Service (ServerY) for this content, we had thought that Server1, Server2 and Server3, should get the information by the Content Rule "XXX", instead the ServerX directly.
    Is this achieved with Groups?
    Any simple example?
    Best Regards,
    Petrónio

    Hi,
    There should be no limitations regarding this. Server initiating a connection should be seen as any other client for that XXX content rule.
    As a first step, you should redirect Server1, Server2 and Server3 to access the VIP address of the Content Rule "XXX", instead of ServerX directly.
    I think source groups are not necessary, unless, for example, all servers reside in the same subnet. In that case you would have the problem of forcing the return direction of the traffic from serverX to server1 to go through the CSS. (The CSS should see both traffic directions to work regularly.)
    I believe you can use source groups to perform source NAT of the Server1 address in that case. (The goal is to make ServerX return traffic to some address which is routed over the CSS.)
    If servers 1,2,3 and servers X,Y are by default in different subnets, routed over CSS, you should have no problem for server-to-server load-balancing, and do not need source groups (ServerX can safely see Server1 real address in that case).
    Most simple example is:
    group
    vip address
    add service server1
    add service server2
    add service server3
    active
    Details can be found in the documentation:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/SGrp.html
    Regards,
    Jasmina

  • HSRP : routers respond with virtual mac AND physical mac to ARP requests

    Hello.
    I've noticed a very strange behaviour on my two Cisco's 2621 with HSRP configured.
    But first, this is a simplified schema of my current network.
    1. Summary
    - IOS version : 12.2(37)
    - File image : c2600-ik9o3s-mz.122-37.bin
    - R1 is the active router.
    - Both have tagged virtual interfaces : f0/0.10 & f0/0.60
    - NAT functionality is enabled.
         - f0/0.10 is configured as outside.
         - f0/0.60 is configured as inside.
    2. Configuration samples
    R1
    interface FastEthernet0/0.10
     encapsulation dot1Q 10
     ip address 192.168.0.254 255.255.255.0
     ip nat outside
     service-policy output parent_out_internet
     no ip mroute-cache
     standby 10 ip 192.168.0.2
     standby 10 priority 120
     standby 10 preempt
    interface FastEthernet0/0.60
     encapsulation dot1Q 60
     ip address 192.168.1.254 255.255.255.0
     ip nat inside
     no ip mroute-cache
     no cdp enable
     standby 60 ip 192.168.1.1
     standby 60 priority 120
     standby 60 preempt
    ip nat pool ovrld 192.168.0.2 192.168.0.2 prefix-length 24
    ip nat inside source list internet pool ovrld overload
    R2
    interface FastEthernet0/0.10
     encapsulation dot1Q 10
     ip address 192.168.0.253 255.255.255.0
     ip nat outside
     service-policy output parent_out_internet
     no ip mroute-cache
     standby 10 ip 192.168.0.2
     standby 10 preempt
    interface FastEthernet0/0.60
     encapsulation dot1Q 60
     ip address 192.168.1.253 255.255.255.0
     ip nat inside
     no ip mroute-cache
     no cdp enable
     standby 60 ip 192.168.1.1
     standby 60 preempt
    ip nat pool ovrld 192.168.0.2 192.168.0.2 prefix-length 24
    ip nat inside source list internet pool ovrld overload
    3. Events.
    - When HSRP first runs or when there is a topology change, the active router sends correct ARP gratuitous reply packets (with the virtual MAC address)
    - ARP table is filled in on the Internet router.
    - When the ARP entry in the table expires it asks for the virtual IP mac address (192.168.0.2).
    - R1 responds with the virtual MAC address ---- BUT ---- R2 also responds with its physical mac address !
    - So packets are sent to the wrong router (R2) which can't route any packets because the NAT table is not up to date. I don't even have a NAT command to synchronize NAT sessions between routers. But anyway, it should not solve my issue.
    It occurs only on the NAT (outside) interface. On the other virtual interfaces it behaves as expected.
    I don't have any explanations to this behaviour.
    For the moment, I have to keep R2 offline and bring it back online in case of failure.
    I tried several workarounds but I can neither filter ARP packets (no such function) on my router nor on my switch (too restrictive).
    If I forgot any information please ask me.
    Any help would be very much appreciated.


  • CSS-Directing request to particular file on webserver

    Hi ,
    I am trying to direct user request to particular file on webserver.
    We have many customer using same portal through different url(DNS Alias).
    Is it possible that CSS can direct request to a file (e.g xxx.html) on webserver instead of direction on specified port?
    Thanks in Advance
    Aniruddha

    you can have the CSS intercept the HTTP traffic and have a redirect generated.
    The redirect could point to your specific file.
    redirect configuration are explained @
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a0080093ff6.shtml
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a00801c65b5.shtml
    Gilles.

  • CSS 11051: Sorry Server receives request although the normal server is up

    Hello,
    my customer has configured a sorry for his server. If the normal server is down the Sorry Server receives the requests. That works fine. But if the normal server comes back the Sorry Server still receives some requests( 2 hours and more). Has anybody an idea what might be the reason for that ?
    regards
    Dietrich Schleyer
    content webserver
      add service server12
      vip address 10.40.52.20
      primarySorryServer server13
      protocol tcp
      port 80
      url "/*"
      no persistent
      active
    service server12
      ip address 10.40.52.12
      port 80
      protocol tcp
      keepalive type named applicationwww01
      active
    service server13
      ip address 10.40.52.13
      protocol tcp
      port 80
      keepalive type named applicationwww02
      active
    keepalive applicationwww01
      ip address 10.40.52.12
      port 80
      type http non-persistent
      uri "/test.html"
      frequency 10
      method get
      active
    keepalive applicationwww02
      ip address 10.40.52.13
      port 80
      uri "/test.html"
      frequency 10
      method get
      type http non-persistent
      active

    According to: http://www.cisco.com/warp/public/117/css_sorry_server.html “After the CSS 11000 directs requests to a primary sorry server, the switch will continue to use the primary sorry server even when the original server becomes functional. To force the connection back to the original server, you must suspend the primary sorry server or wait until the connection is dropped or times out. When a new session is initiated by the CSS 11000, the connection should go back to the original server.”

  • Cisco css http keepalive is not working with GET command

    Dear all,
    I have a Cisco CSS connected to a Dell server (via a switch).
    Cisco CSS - 192.168.1.3 and Dell Server - 192.168.1.5
    The Dell server is set up with Windows 2009R2 and Apache HTTPD version 2.2.
    This server is dedicated to hosting multiple domains with Apache, like
    www.abc.co.uk
    www.xyz.co.uk
    Now the client wants to set up the HTTP keepalive with a specific web page like /testpage.html for all these domains. I have tested with a single URI. It is working; the commands are
    (config)# service serv1
    (config-service[serv1])# ip address 192.168.1.5
    (config-service[serv1])# keepalive type http
    (config-service[serv1])# keepalive method head    (I have not used GET due to a hash mismatch with the Apache server; if I use GET it is not working)
    (config-service[serv1])# keepalive uri "/testpage.html"
    (config-service[serv1])# active
    It is working with a single URI, but how can I do the same thing for multiple domains?
    For multiple domains, do I need to use a script, or can I do it with commands?
    If I need to use a script, the script is
    !no echo
    ! Filename: httptag-test
    ! Parameters: HostName WebPage HostTag
    ! Description:
    !       This script will connect to the remote host and do an HTTP
    !   GET method upon the web page that the user has asked for.
    !   This script also adds a host tag to the GET request.
    ! Failure Upon:
    !   1. Not establishing a connection with the host.
    !       2. Not receiving an HTTP status "200 OK"
    if ${ARGS}[#] "NEQ" "3"
            echo "Usage: httptag-test \'Hostname WebPage HostTag\'"
            exit script 1
    endbranch
    ! Defines:
    set HostName "${ARGS}[1]"
    set WebPage "${ARGS}[2]"
    set HostTag "${ARGS}[3]"
    ! Connect to the remote Host
    set EXIT_MSG "Connection Failure"
    socket connect host ${HostName} port 80 tcp
    ! Send the GET request for the web page
    set EXIT_MSG "Send: Failed"
    socket send ${SOCKET} "GET ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
    ! Send the HEAD request for the web page
    set EXIT_MSG "Send: Failed"
    socket send ${SOCKET} "HEAD ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
    ! Wait for a good status code
    set EXIT_MSG "Waitfor: Failed"
    socket waitfor ${SOCKET} "200 OK"
    no set EXIT_MSG
    socket disconnect ${SOCKET}sh w
    exit script 0
    In the script I have not used GET because, when the CSS sends a GET request to Apache it uses a hash, but Apache is not able to respond with the same hash and it shows that the website is down. For more information, click the URL below:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdKeepC.html#wp1139668
    (config-keepalive) method
    I have uploaded the httptag-test file to the CSS and applied these commands
    service comp.brit.co.uk-80
      keepalive port 80
      ip address 192.168.1.5
      keepalive frequency 10
    keepalive maxfailure 2
    keepalive retryperiod 10
    keepalive type script httptag-test "192.168.1.5 /testpage.html  www.abc.co.uk
    keepalive type script httptag-test "192.168.1.5 /testpage.html  www.xyz.co.uk
    but this script is not working.
    My question is:
    1. Do I need to use a script only to set up the HTTP keepalive with a web page for multiple domains?
    2. Without using a script, is there any solution like Cisco CSS commands to set up the HTTP URL for multiple domains which are on one single server?
    Please help me ASAP

    Hello Muhammad,
    If you wish to use multiple domains for a URI keep-alive check, and perform a HEAD request, what Daniel mentioned is correct. You have to use a scripted keep-alive check on the service. However, you should not use the default "ap-kal-httptag" script to do so as it's limited to only 1 website (unless you modify the script). Your best bet would be using the "ap-kal-httplist" script on the CSS as it allows the checking of 2 different websites along with a webpage to check for each site using HTTP HEAD method.
    !no echo
    ! Filename: ap-kal-httplist
    ! Parameters: Site1 WebPage1 Site2 WebPage2 [...]
    ! Description:
    !    This script will connect a list of sites/webpage pairs.  The
    !   user must simply supply the site, and then the webpage and
    !   we'll attempt to do an HTTP HEAD on that page.
    ! Failure Upon:
    !   1. Not establishing a connection with the host.
    !   2. Not receiving a status code 200 on the HEAD request on any
    !      one site.  If one fails, the script fails.
    ! Make sure the user has a qualified number of arguments
    if ${ARGS}[#] "LT" "2"
            echo "Usage: ap-kal-httplist \'WebSite1 WebPage1 WebSite2 WebPage2 ...'"
            exit script 1
    endbranch
    while ${ARGS}[#] "GT" "0"
            set Site "${ARGS}[1]"
        var-shift ARGS
        if ${ARGS}[#] "==" "0"
            set EXIT_MSG "Parameter mismatch: hostname present but webpage was not"
            exit script 1
        endbranch
        set Page "${ARGS}[1]"
        var-shift ARGS
        no set EXIT_MSG
        function HeadUrl call "${Site} ${Page}"
    endbranch
    exit script 0
    function HeadUrl begin
    ! Connect to the remote Host
    set EXIT_MSG "Connect: Failed to connect to ${ARGS}[1]"
    socket connect host ${ARGS}[1] port 80 tcp 2000
    ! Send the head request
    set EXIT_MSG "Send: Failed to send to ${ARGS}[1]"
    socket send ${SOCKET} "HEAD ${ARGS}[2] HTTP/1.0\n\n"
    ! Wait for the status code 200 to be given to us
    set EXIT_MSG "Waitfor: Failed to wait for '200' on ${ARGS}[1]"
    socket waitfor ${SOCKET} " 200 " 2000
    no set EXIT_MSG
    socket disconnect ${SOCKET}
    function HeadUrl end
    Rather than modify the default "ap-kal-httplist" script on the CSS I would simply define the arguments within the service configuration itself. Something like the following (using your service example):
    service dell-192.168.1.5
    ip address 192.168.1.5
    keepalive type script ap-kal-httplist "www.abc.co.uk /testpage.html www.xyz.co.uk /testpage.html"
    active
    As long as the server is configured to reply to host headers, and the page is configured to return a "200 OK", the above service configuration should work. If there are any errors simply run "show service  " to view why there was a failure. If there is a failure, and the output from the command specified shows a line number, run the following command against the script to view at what point (line) the failure occurred:
    show script ap-kal-httplist line-numbers
    Hope this helps!
    - Jason Espino
