CSS Sorry server requirements

Folks,
The documentation says that the sorry server concept will only work if the load balancing is done at layer 7. My question is why: why can't I see the sorry server redirect if all services are down when doing load balancing at Layer 3 or Layer 4?

Hi,
Can you point me to those docs? I believe sorry server should work regardless of which layer the content rule is configured to check.
Actually this doc's example is layer 3:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093de8.shtml
I will build a working config at layer 3 for you soon.

Similar Messages

  • CSS Sorry Server for HTTPS

    How to configure Sorry server for HTTPS (443) port. Sorry server works fine with HTTP, but not with 443.
    In the following config, if server1 and server2 are down, the HTTP requests go to the Sorry Server, but for HTTPS nothing is displayed. I am running the sorry server on port 81.
    Please suggest.
    !************************** SERVICE **************************
    service prisorry
    ip address 10.100.11.11
    keepalive type http
    keepalive port 81
    port 81
    active
    service secsorry
    ip address 10.100.11.12
    keepalive port 81
    keepalive type http
    port 81
    active
    service server1
    ip address 10.100.11.11
    keepalive type http
    keepalive port 80
    active
    service server2
    ip address 10.100.11.12
    keepalive type http
    keepalive port 80
    active
    !*************************** OWNER ***************************
    owner Loadbalancing
    content L4Rule1
    protocol tcp
    add service server2
    add service server1
    port 80
    url "/*"
    vip address 10.100.11.4
    advanced-balance sticky-srcip-dstport
    primarySorryServer prisorry
    secondarySorryServer secsorry
    active
    content L4Rule2
    protocol tcp
    add service server2
    port 443
    add service server1
    vip address 10.100.11.4
    advanced-balance sticky-srcip-dstport
    primarySorryServer prisorry
    secondarySorryServer secsorry
    application ssl
    active
    content L4Rule3
    add service server2
    protocol tcp
    port 1443
    add service server1
    vip address 10.100.11.4
    advanced-balance sticky-srcip-dstport
    primarySorryServer prisorry
    secondarySorryServer secsorry
    active
    Thanks

    I just deployed a couple 11050's the other day so my experience is limited, but I'd guess your problem is that, when using the Primary Sorry Server, you end up with clients sending HTTPS requests to an HTTP port. Having HTTPS requests redirected to HTTP ports is one thing because the client then makes an HTTP request to that port, but the way you have it above, it appears to me that the client will be talking HTTPS to port 81 on the Sorry Server, which is listening for HTTP.

  • CSS Sorry Server subdirectory

    Is it possible to define a sorry service with a specific url without service type redirect ?
    I want to specify the url location of the sorry service page.
    Thanks

    you will need a redirect if you want to change the original request from the client.
    Or, if your sorryserver is configured to display the same page, whatever the client request, then you do not need the redirect.
    You just need a normal service.
    Regards,
    Gilles.

  • CSS 11501 - Balancing vs. Sorry Server

    Hi,
    I need a little advice.
    I have configured my test CSS box with two services. I enabled keepalives and load balancing with one server having a weight of 5, while the other is set to the default.
    Testing has proven successful in redirecting requests when the primary server (weight 5) is taken offline. However, when it comes back online, not all requests are sent to it, and some requests still go to the secondary server.
    My question:
    If I want all requests to go to the primary server except in the event it is unavailable, should I configure the secondary server as a Sorry server, and not as a load balanced peer? I would effectively be using the Sorry server as a secondary content server.
    Is this workable? Am I missing something?
    Thanks,
    JM

    JM,
    yes you need the sorryserver option if you don't want traffic to go to your backup.
    Whatever weight option you configure, there will always be a fraction of the traffic going to the backup.
    Gilles.

  • Sorry Server for CSS 11500

    Hi,
    I have a question regarding sorry server configuration on the CSS 11500 series.
    Is there a way for the sorry server to ignore the URL path and always send the user traffic to the "root" page (e.g. index.html) of the sorry server web server?
    The problem I have is the redirection of the "root" page (url "/") that is configured for the normal traffic is causing the sorry page not to work since the URL path ("/psp/CUSTOMER1/?cmd=login") does not exist on the sorry page web server:
    service Sorry-Server
      protocol tcp
      port 8000
      keepalive type tcp
      ip address 192.168.2.254
      active
    service server1
      ip address 192.168.2.101
      protocol tcp
      keepalive type tcp
      port 8080
      active
    service server2
      ip address 192.168.2.102
      protocol tcp
      keepalive type tcp
      port 8080
      active
    owner Customer1
      content Content1
        vip address 192.168.1.101
        port 80
        protocol tcp
        url "/*"
        balance aca
        advanced-balance arrowpoint-cookie
        flow-timeout-multiplier 6
        add service server1
        add service server2
        primarySorryServer Sorry-Server
        active
      content Content1-Redirect
        redirect "/psp/CUSTOMER1/?cmd=login"
        vip address 192.168.1.101
        port 80
        protocol tcp
        url "/"
        active
    Thanks in advance for your help!
    Best regards,
    Harry

    Hi again,
    During a maintenance window I made the following change and that made things a bit better:
    service Sorry-Server
      type redirect
      keepalive type none
      redirect-string "192.168.2.254:8000"
      active
    However, since the redirect string points to a private address, Internet users are not able to access the URL.
    As a work-around I sent the redirect to a new content rule with a public address and then configured a second sorry page server:
    service Sorry-Server
      type redirect
      keepalive type none
      redirect-string "sorry.example.com:8000"
      active
    service Sorry-Server-2
      ip address 192.168.2.254
      protocol tcp
      port 8000
      keepalive type tcp
      active
    owner Customer1
      content Content2
        vip address x.x.x.x
        add service Sorry-Server-2
        port 8000
        protocol tcp
        active
    Is there a better way to do this?
    Best regards,
    Harry

  • CSS and a Sorry Server

    I have been trying to get my CSS 11506 to redirect to a Sorry Server when our content servers go offline. We thought that we had it working, but after some downtime it turned out that our configuration did not work.
    After extensive reading I can't figure out what is wrong with my config, or if the problem lies elsewhere. I am attaching my config below; can anyone tell me if they see any problems with what I have or if there is something that I need to do in addition to what I have? Thank you for your help, here is the config:
    *************************** GLOBAL ***************************
    no restrict web-mgmt
    no restrict xml
    bypass persistence disable
    snmp community ******read-write
    snmp name "******"
    snmp contact "*******r"
    snmp location "CSS11056"
    snmp trap-host 10.20.1.4 ******
    dns primary 10.20.1.2
    ftp-record ******10.20.1.17 *** des-password
    ibfebcgg6aheuc4h1hfcqhpcubwdxcjb cssgui
    ip route 0.0.0.0 0.0.0.0 10.20.1.1 1 !
    *************************INTERFACE*************************
    interface 1/1
    phy 1Gbits-FD-sym !
    **************************CIRCUIT**************************
    circuit VLAN1
    router-discovery lifetime 1000
    ip address 10.20.1.4 255.255.255.0
    router-discovery
    **************************SERVICE**************************
    service Blade01
    ip address 10.20.1.60
    active
    service Blade02
    ip address 10.20.1.61
    active
    service Blade03
    ip address 10.20.1.62
    active
    service Blade04
    ip address 10.20.1.63
    active
    service sorry
    ip address 10.20.1.41
    active
    !*************************** OWNER***************************
    owner ***
    email-address ******
    content Content1
    vip address 10.20.1.80
    balance aca
    add service Blade01
    add service Blade02
    no persistent
    primarySorryServer sorry
    active
    content Content2
    vip address 10.20.1.81
    add service Blade03
    add service Blade04
    balance aca
    active
    !*************************** GROUP***************************
    group content1nat
    vip address 10.20.1.80
    add destination service Blade01
    add destination service Blade02
    add destination service sorry
    group content2nat
    add destination service Blade03
    add destination service Blade04
    vip address 10.20.1.81
    !**************************** ACL ****************************
    acl 10
    clause 5 permit any 10.20.1.60 destination content ****
    sourcegroup ****
    clause 6 permit any 10.20.1.61 destination content ICC/flippid
    sourcegroup Content1
    clause 99 permit any any destination any
    clause 2 permit any 10.0.0.0 destination content ****
    sourcegroup ****
    apply circuit-(VLAN1)
    clause 7 permit any 10.20.1.41 destination content ****
    sourcegroup Content1

    One problem I can see is that you don't have any keepalives configured under the services, so they will default to a Ping. As long as they respond to ping, it will keep traffic going to those servers.
    What services run on these servers? We generally recommend you use as high a layer keepalive as possible, so if it is a web server, for example, use an HTTP keepalive.
    Have a look here for more info:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/content_lb/guide/KAL.html
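
    An offline audit of two configuration problems raised in replies on this page: services with no `keepalive type` (which, per the reply above, default to a ping) and an HTTPS content rule whose sorry service is checked as plain HTTP (the guess offered in the HTTPS thread). This is an added example, not code from Cisco or from any poster; the sample config, names and addresses are constructed, and the parser assumes the flattened running-config layout quoted in these threads and handles only the commands shown.

```python
# Constructed sample, modeled on the flattened running-config output quoted above.
SAMPLE_CONFIG = """\
!************************** SERVICE **************************
service web1
ip address 192.0.2.11
active
service web2
ip address 192.0.2.12
keepalive type http
active
service sorry
ip address 192.0.2.21
keepalive type http
keepalive port 81
port 81
active
!*************************** OWNER ***************************
owner example
content http-rule
vip address 192.0.2.4
port 80
add service web1
add service web2
primarySorryServer sorry
active
content https-rule
vip address 192.0.2.4
port 443
application ssl
add service web1
primarySorryServer sorry
secondarySorryServer sorry2
active
"""

# Top-level commands that close any open service/content block.
BLOCK_ENDERS = {"owner", "group", "acl", "circuit", "interface"}


def parse(config):
    """Return (services, contents) dicts keyed by name."""
    services, contents, cur = {}, {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        key = tok[0].lower()
        # Section banners, other block types and global "keepalive NAME" blocks
        # end the current block so their sub-commands are not misattributed.
        if key[0] in "!*" or key in BLOCK_ENDERS or (key == "keepalive" and len(tok) == 2):
            cur = None
        elif key in ("service", "content") and len(tok) == 2:
            table = services if key == "service" else contents
            cur = table.setdefault(tok[1], {"services": [], "sorry": []})
        elif cur is None:
            continue
        elif key == "keepalive" and len(tok) >= 3 and tok[1].lower() == "type":
            cur["keepalive"] = tok[2].lower()
        elif key == "type" and len(tok) > 1:
            cur["type"] = tok[1].lower()
        elif key == "port" and len(tok) > 1 and tok[1].isdigit():
            cur["port"] = int(tok[1])
        elif key == "application" and len(tok) > 1:
            cur["application"] = tok[1].lower()
        elif key in ("primarysorryserver", "secondarysorryserver") and len(tok) > 1:
            cur["sorry"].append(tok[1])
        elif key == "add" and len(tok) == 3 and tok[1].lower() == "service":
            cur["services"].append(tok[2])
    return services, contents


def audit(config):
    """List findings for missing keepalives and unusable sorry servers."""
    services, contents = parse(config)
    findings = []
    for name, svc in services.items():
        # Redirect services are skipped: the page configures them with "keepalive type none".
        if "keepalive" not in svc and svc.get("type") != "redirect":
            findings.append(f"service {name}: no keepalive type configured, defaults to ICMP ping")
    for name, rule in contents.items():
        is_tls = rule.get("port") == 443 or rule.get("application") == "ssl"
        for sorry in rule["sorry"]:
            svc = services.get(sorry)
            if svc is None:
                findings.append(f"content {name}: sorry server {sorry} is not a defined service")
            elif is_tls and svc.get("keepalive") == "http":
                findings.append(f"content {name}: HTTPS rule falls back to {sorry}, "
                                "which is checked with an HTTP keepalive")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```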

  • CSS 11051: Sorry Server receives request although the normal server is up

    Hello,
    My customer has configured a sorry for his server. If the normal server is down, the Sorry Server receives the requests. That works fine. But if the normal server comes back, the Sorry Server still receives some requests (2 hours and more). Has anybody an idea what might be the reason for that?
    regards
    Dietrich Schleyer
    content webserver
    add service server12
    vip address 10.40.52.20
    primarySorryServer server13
    protocol tcp
    port 80
    url "/*"
    no persistent
    active
    service server12
    ip address 10.40.52.12
    port 80
    protocol tcp
    keepalive type named applicationwww01
    active
    service server13
    ip address 10.40.52.13
    protocol tcp
    port 80
    keepalive type named applicationwww02
    active
    keepalive applicationwww01
    ip address 10.40.52.12
    port 80
    type http non-persistent
    uri "/test.html"
    frequency 10
    method get
    active
    keepalive applicationwww02
    ip address 10.40.52.13
    port 80
    uri "/test.html"
    frequency 10
    method get
    type http non-persistent
    active

    According to: http://www.cisco.com/warp/public/117/css_sorry_server.html “After the CSS 11000 directs requests to a primary sorry server, the switch will continue to use the primary sorry server even when the original server becomes functional. To force the connection back to the original server, you must suspend the primary sorry server or wait until the connection is dropped or times out. When a new session is initiated by the CSS 11000, the connection should go back to the original server.”

  • Sorry server - different replies

    We have a CSS 11000 that provides load balancing between several servers with configured max-session.
    How to configure the sorry server so that it sends different replies:
    1) if all servers are down, it has to redirect to page "sorry, server is down"
    2) in case of overload, it has to redirect to page "sorry, server is busy, try later"
    Can you advise how it is possible to configure this?
    thanks in advance,
    Natalia

    there is no direct way of doing this.
    However, my solution is to do this :
    service sorry_down
    service sorry_overloaded
    keepalive type script check_service_down use-output
    owner mycompany
    content www
    vip ...
    add service ...
    primarysorryserver sorry_overloaded
    secondarysorryserver sorry_down
    active
    The script check_service_down, will do a 'show service ' grep -u Alive to detect if a service is alive or just not used because down.
    Or you could also simply do ap-kal-pinglist and ping the services.
    Anyway, the idea for the kal for the service sorry_overloaded is to check the status of the other services and detect if they are down or just overloaded.
    Gilles.

  • Sorry server request

    Hi,
    We have two CSS11503 to load balance HTTP and HTTPS traffic. We have to know the source IP of the request packet to a Sorry Server when all the services on the content are down.
    I mean, when all services in the content are down, a request from a client is forwarded to the primary sorry server; is the source IP of the request the load balancer IP address, or is it the client IP address from which the request starts?!
    Thanks
    Cinzia

    By default we do not source nat the client ip address.
    But if the sorry server is at a remote location, you will NEED to do source nat for the connection to work, otherwise the sorry server will respond directly to the client bypassing the CSS and the client will not appreciate seeing a response from a different ip than the vip.
    You could use a redirect sorry server, so that a redirect response is sent to the client which does open a new connection directly with the sorry server.
    Gilles.

  • ACE and secondary sorry server?

    Hi,
    I need to transfer the CSS' concept of the "secondary sorry server" to the ACE.
    My (so far untested) idea is: attaching a backup server-farm to the primary server-farm to get the "sorry server" function; attaching a backup rserver to the rserver used in the backup server-farm to get a backup for the backup.
    Will it work this way?
    Arno

    Cascading serverfarms is restricted to one backup level but you can cascade backup for individual servers.

  • Sorry server redirect

    Is it possible to configure the CSS so that if one of the servers goes down it will redirect the request to the sorry server? As per the documentation all servers have to be down; I want it to go to the sorry server if one of the servers goes down. Any ideas?

    So, you have multiple servers assigned to a content rule, and if one of them goes down, you want the traffic to be redirected to a sorryserver. Is that correct?
    The only solution would be to create a probe that would bring all servers down at the same time. You can create a global keepalive that uses a script probe that checks each server, and assign this same global keepalive to all servers. Like this, they will all go down at the same time and your sorryserver will be used.
    Gilles.

  • The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required.

    try
    {
        MailMessage mail = new MailMessage();
        SmtpClient SmtpServer = new SmtpClient("smtp.gmail.com");
        mail.From = new MailAddress("[email protected]");
        mail.To.Add("[email protected]");
        mail.Subject = "Test Mail..!!!!";
        mail.Body = "mail with attachment";
        System.Net.Mail.Attachment attachment;
        attachment = new System.Net.Mail.Attachment(@"C:\Attachment.txt");
        mail.Attachments.Add(attachment);
        SmtpServer.Port = 587;
        SmtpServer.UseDefaultCredentials = true;
        SmtpServer.Credentials = new System.Net.NetworkCredential("userid", "Password");
        SmtpServer.EnableSsl = true;
        SmtpServer.Send(mail);
    }
    catch (Exception exception)
    When I run this part of the code it throws an exception.
    Given below is the error:
    The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required.
    Bikky Kumar

    try
    {
        MailMessage mail = new MailMessage();
        SmtpClient SmtpServer = new SmtpClient("smtp.gmail.com");
        mail.From = new MailAddress("[email protected]");
        mail.To.Add("[email protected]");
        mail.Subject = "Test Mail..!!!!";
        mail.Body = "mail with attachment";
        System.Net.Mail.Attachment attachment;
        attachment = new System.Net.Mail.Attachment(@"C:\Attachment.txt");
        mail.Attachments.Add(attachment);
        SmtpServer.Port = 587;
        SmtpServer.UseDefaultCredentials = true;    // Set it to false, or remove this line
        SmtpServer.Credentials = new System.Net.NetworkCredential("userid", "Password");
        SmtpServer.EnableSsl = true;
        SmtpServer.Send(mail);
    }
    catch (Exception exception)
    Given below is the error: The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required.
    Solution:
    The error might occur due to the following cases.
    Case 1: when the password is wrong
    Case 2: when you try to log in from some app
    Case 3: when you try to log in from a domain other than your time zone/domain/computer (this is the case in most scenarios when sending mail from code)
    There is a solution for each.
    Solution for case 1: Enter the correct password.
    Recommended: solution for case 2: go to security settings at the following link https://www.google.com/settings/security/lesssecureapps and enable less secure apps, so that you will be able to log in from all apps.
    Solution 1 for case 3: (This might be helpful) you need to review the activity. But reviewing the activity will not be helpful; due to the latest security standards the link will not be useful. So try the case below.
    Solution 2 for case 3: If you have hosted your code somewhere on a production server and you have access to the production server, then take a remote desktop connection to the production server and try to log in once from the browser of the production server. This will add an exception for login to Google and you will be allowed to log in from code.
    But what if you don't have access to the production server? Try solution 3.
    Solution 3 for case 3: You have to enable login from other time zones / IPs for your Google account. To do this, follow the link https://g.co/allowaccess and allow access by clicking the continue button.
    And that's it. Here you go. Now you will be able to log in from any computer and by means of any app to your Google account.
    Regards,
    Nabeel Arif

  • Server requires authentication - How do I program for this?

    Hello,
    I'm testing out a webpage I have created that will be used to send email. I have DSL service...just recently subscribed. Previously I had Dial up. The server at that time didn't require authentication, but now that I have DSL it does. I'm a bit lost as to how to update my program (I've included the snippet in the post), so that it will run correctly. I am having some difficulty.
    My program looked like this :
    String POP3 = "pop.windstream.net";
    String SMTP = "smtp.windstream.net";
    // Specify the SMTP host
    Properties props = new Properties();                                           
    props.put(POP3, SMTP);
    // Create a mail session
    Session ssn = Session.getInstance(props, null);
    ssn.setDebug(true);                  
    //...html to make up the body of the message
    // set the from information
    InternetAddress from = new InternetAddress(emailaddress, fromName);
    // Set the to information
    InternetAddress to = new InternetAddress(EmailAddress2, toName);
    // Create the message
    Message msg = new MimeMessage(ssn);
    msg.setFrom(from);
    msg.addRecipient(Message.RecipientType.TO, to);
    msg.setSubject(emailsubject);
    msg.setContent(body, "text/html");                      
    Transport.send(msg);     
    //....
    I did some research already, and have looked at some other forum posts. The one thing I have noted when I run my program is that the DOS prompt for Tomcat is showing this:
    *DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smpt,com.sun.mail.smtp.SMTPTransport,Sun Microsystem, Inc]*
    DEBUG SMTP: useEhlo true, useAuth false
    DEBUG: SMTPTransport trying to connect to hose "localhost", port 25
    My ISP provider, Windstream, assures me that port 25 is NOT blocked. Also, I've noticed that useAuth is set to false, whereas the posts I have been looking at say true. It would make sense to me for it to be set to true in my case, since my server requires authentication. But how do I do that?
    I found this bit of information from another person's post :
    props.setProperty("mail.smtp.auth", "true");
    you also need an Authenticator like this
    Authenticator auth = new Authenticator() {
    private PasswordAuthentication pwdAuth = new PasswordAuthentication("myaccount", "mypassword");
    protected PasswordAuthentication getPasswordAuthentication() {
    pwdAuth;
    Session session = Session.getDefaultInstance(props, auth);*
    Post located at http://forums.sun.com/thread.jspa?forumID=43&threadID=537461
    From the FAQ section of JavaMail
    Q: When I try to send a message I get an error like SMTPSendFailedException: 530, Address requires authentication.
    A: You need to authenticate to your SMTP server. The package javadocs for the com.sun.mail.smtp package describe several methods to do this. The easiest is often to replace the call Transport.send(msg); with
    String protocol = "smtp";
    props.put("mail." + protocol + ".auth", "true");
    Transport t = session.getTransport(protocol);
    try {
    t.connect(username, password);
    t.sendMessage(msg, msg.getAllRecipients());
    } finally {
    t.close();
    }
    You'll have to supply the appropriate username and password needed by your mail server. Note that you can change the protocol to "smtps" to make a secure connection over SSL.
    One thing I have noticed in the majority of the posts is that useAuth in the tomcat dos prompt should be set to true, and not false. Mine is coming up as false. Also, I think it should be set to true because the ISP's server requires authentication for sending and receiving email.
    Can you please provide me with some input on how to update my program so it will run?
    Thank you in advance:)

    Thank you for replying.
    Per your advice, I made these changes to my code:
    Properties props = new Properties();                                           
    props.setProperty("mail.smtp.auth", "true");               
    props.put("mail.pop3.host", POP3);
    props.put("mail.smtp.host", SMTP);
    Session ssn = Session.getInstance(props, null);
    The props.setProperty("mail.smtp.auth","true"); is something I found previously to posting my question. I'm assuming this is the line of code that has changed useAuth from false to true...is that correct?
    I'm most pleased to report that with the changes made above, my program works! But is my code good? As soon as I start taking on clients, I will need my code to be reliable, and it needs to work with Dial Up and DSL connections.
    With regards to your question about how I had found the authentication code but hadn't used it. Well, I did try it, again, this was previous to posting my question, and the compiler couldn't compile the program because of this statement - pwdAuth;
    I also tried this code I had found in the JavaMail FAQ section -
    String protocol = "smtp";
    props.put("mail." + protocol + ".auth", "true");
    Transport t = session.getTransport(protocol);
    try {
    t.connect(username, password);
    t.sendMessage(msg, msg.getAllRecipients());
    } finally {
    t.close();
    }
    But according to the compiler, t.connect(username,password); was not an available method. I checked the documentation and found that to be true. Do you have any suggestions? Looking into the documentation I find that there are 3 methods called connect that are inherited by the Transport class from javax.mail.Service.
    connect()
    connect(java.lang.String host, int port, java.lang.String user, java.lang.String password)
    connect(java.lang.String host, java.lang.String user, java.lang.String password)
    I would opt to try the third connect method, but what would I put for host?
    Thank you for helping me with this issue, I'm not an expert on using the JavaMail package, at least not yet, and I appreciate the help you have provided.

  • The specified forest functional level is invalid. "Lync Server" requires forests running in Windows 2003 mode or higher.

    Dear Support Team,
    I am having the error ''The specified forest functional level is invalid. "Lync Server" requires forests running in Windows 2003 mode or higher'' from Lync 2013 during the schema master prepare on Windows Server 2008 R2, and my forest functional level is 2008 R2. So can you help me please?

    Dear Support Team,
    In my network there is one forest and two domain controllers (primary and secondary). My domain functional level is Windows Server 2008 R2, but I am still receiving the error. When I hit the run button for schema prepare it says:
    ServerSchemaPrepareTask execution failed on an unrecoverable error.
    And when I open the log it says:
    Error: The specified forest functional level is invalid. "Lync Server" requires forests running in Windows 2003 mode or higher.
    Kindly help me.

  • Sorry Server Config for 11503

    I have added a service for the sorry server and I have added the name of the server SorryServer1 to the content rule. However, when I suspend the content rule I get a Page Not Displayed instead of the redirect to the Sorry Server.
    The config has multiple content rules; I am currently only testing on one.
    Thanks

    Hi,
    If you suspend the whole content rule, the sorry server cannot do its action as the rule is "down". You need to suspend all services except the sorry server.
    Kind Regards,
    Joerg
    PS
    For a HowTo and recommendations refer to http://www.cisco.com/en/US/partner/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801579f2.html#1038009
