CSS SSL Scripted Keepalive

Hi Guys,
Is it possible to write a custom script to open an ssl socket and then check a url??
Thanks
Scott

Scott,
This is not possible.
The scripting language does not have encryption/decryption capabilities.
Gilles.

Similar Messages

  • CSS: How does DNS Scripted Keepalive (ap-kal-dns) work?

    Hello everyone,
    I have a question about how does DNS Scripted Keepalive (ap-kal-dns) work on CSS 11503.
    According to the "Using the CSS Scripting Language",
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/configuration/administration/guide/Scripts.html
    it says
    Since we just want to see if the DNS server is alive we will send a simple DNS Query.  This query is hard coded in hexadecimal and sent raw to the DNS server.
    and
    Receive some unexplained response. We don't care what it is because an unstable DNS server or a non-existent one would probably not send us any data back at all.
    but it also says
    Failure Upon: 1. Not resolving the host's IP from the domain name
    And according to the "How to Configure the CSS to Load Balance DNS Servers and Use the DNS Scripted Keepalives",
    http://www.cisco.com/en/US/partner/products/hw/contnetw/ps789/products_configuration_example09186a00801d015a.shtml
    it says
    The script is hard-coded to resolve www.cisco.com.  It does not matter if the DNS server can resolve this address or not, as long as a DNS response comes back that the service is alive. This keepalive is only testing if a DNS server can respond to a query, not if it can resolve a specific name. The script queries from the CSS to DNS internal servers keep track of the availability of the DNS servers.
    but it also says
    Access to Internet Domain Name System Root Servers is required for successful implementation of DNS scripted keepalives.
    So I am confused whether the DNS server has to resolve the host's IP address correctly for the DNS query received from the CSS, or just needs to reply with any response without resolving it.
    I would like to recap my question.
    Q1: Does DNS Scripted Keepalive (ap-kal-dns) send a DNS query with cisco.com as the DNS name by default?
    Q2: Does the DNS server have to resolve the IP address of cisco.com, or does it just need to respond to the DNS query with any response without resolving the IP address of cisco.com?
    I understand I should get capture data and see how DNS scripted keepalive works, but I can not prepare lab environment to do it at the present.
    Your information would be appreciated.
    Best regards,
    Shinichi

    Yes, the query is for www.cisco.com and the script expects a response that contains the word cisco.
    Gilles.
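
    Added illustration, not part of the thread and not Cisco's ap-kal-dns script: a Python model of the exchange Gilles describes. The query is a raw DNS A query for www.cisco.com built by hand, and the two server replies (one NXDOMAIN, one with an answer) are constructed inline. Because every well-formed DNS reply echoes the question section, a "response contains cisco" check passes even when the name is not resolved, which is what the documentation quoted above is saying; the stricter check next to it shows what would have to be tested if resolution itself were the requirement. The function names, the transaction ID and the 192.0.2.10 answer are assumptions of the example.

```python
import struct


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Raw DNS query for `name`: type A unless given, class IN, RD set, one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def parse_dns_response(data: bytes) -> dict:
    """Decode the header and the question name of a DNS message."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    pos, labels = 12, []
    while True:
        ln = data[pos]
        pos += 1
        if ln == 0:
            break
        labels.append(data[pos:pos + ln].decode("ascii"))
        pos += ln
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "qdcount": qdcount, "ancount": ancount,
            "qname": ".".join(labels)}


def keepalive_substring_check(reply: bytes, needle: bytes = b"cisco") -> bool:
    """Verdict as described in the thread: any reply containing 'cisco' is a pass.
    The echoed question section satisfies this even for NXDOMAIN or SERVFAIL."""
    return needle in reply


def keepalive_strict_check(reply: bytes, txid: int) -> bool:
    """Verdict if resolution is the requirement: matching ID, NOERROR, at least one answer."""
    try:
        r = parse_dns_response(reply)
    except (struct.error, IndexError, UnicodeDecodeError):
        return False
    return r["is_response"] and r["txid"] == txid and r["rcode"] == 0 and r["ancount"] > 0


def make_response(query: bytes, rcode: int, answer_ip=None) -> bytes:
    """Constructed server reply for the example: echoes the question, optionally adds one A record."""
    ancount = 1 if answer_ip else 0
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, plus the rcode
    header = query[:2] + struct.pack(">HHHHH", flags, 1, ancount, 0, 0)
    rr = b""
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        # name is a pointer to the question name at offset 12, type A, class IN, TTL 300
        rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_dns_query("www.cisco.com")
    nxdomain = make_response(q, 3)               # server is up but cannot resolve the name
    resolved = make_response(q, 0, "192.0.2.10")
    for label, reply in (("NXDOMAIN", nxdomain), ("resolved", resolved)):
        print(label, "substring:", keepalive_substring_check(reply),
              "strict:", keepalive_strict_check(reply, 0x1234))
```

    The substring verdict is true for both replies, the strict verdict only for the resolved one; that is the difference between "the DNS server responds" and "the DNS server resolves", which is what the two documents are describing from different angles.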

  • Script keepalive limitation with use-output option

    Hi there,
    The optional use-output keyword on CSS script keepalive allows the script to parse the output for each executed command. This optional keyword allows the use of grep and file direction within a script. You can configure a maximum of 16 script keepalives (out of a maximum of 255 script keepalives) to use script output.
    I have one application which the CSS will consider alive only when the two keepalives (one is the TCP on port 20100, the other is the HTTP page) are both alive. I am running out of the "16" quota when I use a script to show both individual services alive by using grep -u Alive.
    How can I circumvent this "16" limitation.
    Appreciate your thoughts and help.
    Richard

    Why don't you create a single script that checks TCP port 20100 and the HTTP page, instead of creating 2 separate kals and another one to check the status of the other 2.
    Gilles.

  • Script Keepalive with Passive UDP Services

    When sending a script keepalive (socket connect) to a passive UDP service (snmp, syslog, etc.), it doesn't appear that the CSS will recognize an ICMP Port Unreachable response as being associated with the socket. Is this correct, or am I missing something?
    ~Zach

    The scripting function is pretty basic.
    So, I don't know if this is *correct* but it sounds normal.
    Gilles.

  • Scripted Keepalive Problem

    I've run into an issue with a new scripted keepalive. I've created the script and copied it to a CSS11000. I can run the script manually and it works as expected, however when I add it to a service, it is not run. After the service is activated, the service shows down, and the following information is shown for the script:
    Script Error: None (suspended)
    Script Run Time: Did not finish
    I know I've run into similar issues when upgrading the CSS code. After restoring archived scripts within the new version, I'd have to reboot the CSS before I could use them in keepalives.
    I'd prefer not to have to reboot my production switches if there is another way to get this to work.

    Thanks Gilles,
    I am quite backlevel on this particular pair of CSS's. I loaded the newest code on a CSS in the lab and did not have this problem.
    Looks like I need to schedule an upgrade for the production boxes.
    -Dominic

  • Scripted Keepalive Library

    Does anyone know if a library exists for scripted keepalives? I know that the css comes with 15 scripted keepalives pre-loaded and with the new 5.0 version of software there is a capability for up to 255 keepalives. What I am looking for specifically is a place where css users can post scripted keepalives that they use, that can be used by others in the css community.
    Thanks,
    Jim

    I'm not aware of anything like this. The only problem I see with this is that many scripts will be custom and, as you may know, the TAC does not support custom scripts. In the scenario where a shared script fails to work, TAC will not be able to help.
    Also, the 255 keepalives that you are referring to is how many scripted keepalives you can run at any given moment. On version 4.0 you can run up to 16 scripted keepalives at any given moment. The limit on how many you can have installed is based on the disk space of your box.
    I hope this helps,
    Gonzalo

  • CSS/SSL termination - cypher negotiation Q

    Hi everyone
    question regarding SSL termination on CSS/SSL module.
    I have several cyphers in my ssl-proxy list.
    What is the algorithm to choose the cypher?
    I may assume that the CSS and browser negotiate it during SSL session establishment.
    The testing shows that same browser gets different cyphers when it hits
    different CSSs (cyphers are in the same order in proxy-lists on CSSs)
    Thanks
    Alex

    Alex,
    It's not really an algorithm.
    The browser selects the first cipher that matches its requirements in the list presented by the server/CSS.
    The CSS builds a list in the order of weight.
    If you did not specify any weight, the list can be random depending on which order you entered the commands.
    I would say, if you want a specific cipher to be selected, use the highest weight for this cipher.
    Gilles.

  • How many CSS SSL certificates needed?

    From reading the CSS SSL Configuration Guide, it seems that one certificate is needed for each virtual SSL server (or VIP), regardless of how many servers are being load-balanced behind that VIP, but that is not made very clear. Also, it appears that a separate certificate is required for each virtual SSL server. Can someone please confirm or correct this for me? Thank You.

    A quick (I hope) follow-up question on this...
    Given multiple domain names being load-balanced by a CSS with a single SSL module, would I need different key and cert associations? I am thinking of something like this:
    ssl associate rsakey prodkey prodkey.pem
    ssl associate cert prodcert prodcert.pem
    ssl associate dhparam proddh proddh.pem
    ssl associate rsakey intkey intkey.pem
    ssl associate cert intcert intcert.pem
    ssl associate dhparam intdh intdh.pem

  • Cisco CSS 11503 ntp keepalive script

    Have set up a new Owner/Service/Group for load balancing NTP traffic to 2 NTP servers. It all appears to work fine apart from failure of one of the servers' NTP service. I've currently set up a simple ping keepalive which works fine if one of the servers fails, but this keepalive won't detect if the server's NTP service fails. I'm running 8.20 code. My question is, has anybody created a working keepalive script for NTP traffic for the CSS?

    Hi Daniel,
    I had looked at that script but it doesn't suit my needs. The script uses TCP port 37 for its keepalives whereas our NTP servers use UDP port 123.
    Regards
    Noel
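
    Added example, not from the thread: the check a UDP/123 NTP keepalive has to make, written in Python because the CSS scripting language itself is not shown on this page. build_ntp_request() produces an NTPv4 client-mode packet; ntp_service_alive() accepts only a server-mode reply from a synchronised clock (leap indicator not 3, stratum 1 to 15). A ping sees none of this, and a kiss-o'-death reply (stratum 0, reference ID such as RATE) or an unsynchronised server should count as down for load-balancing purposes. The replies are constructed inline; the function names and timestamps are assumptions of the example.

```python
import struct
import time

NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def build_ntp_request() -> bytes:
    """NTPv4 client packet: LI=0, VN=4, mode=3; only the transmit timestamp is filled in."""
    first = (0 << 6) | (4 << 3) | 3
    tx_seconds = int(time.time()) + NTP_EPOCH_OFFSET
    return struct.pack(">B", first) + b"\x00" * 39 + struct.pack(">II", tx_seconds, 0)


def parse_ntp(pkt: bytes) -> dict:
    """Decode the fields a keepalive cares about from a 48-byte NTP packet."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    first, stratum, _poll, _precision = struct.unpack(">BBbb", pkt[:4])
    refid = pkt[12:16]
    tx_seconds, _tx_fraction = struct.unpack(">II", pkt[40:48])
    return {"li": first >> 6, "vn": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "refid": refid, "tx": tx_seconds - NTP_EPOCH_OFFSET}


def ntp_service_alive(reply: bytes) -> bool:
    """Verdict for the service: a server-mode answer from a synchronised clock."""
    try:
        r = parse_ntp(reply)
    except ValueError:
        return False
    if r["mode"] != 4:            # must be a server reply, not a broadcast or a bounced client packet
        return False
    if r["li"] == 3:              # leap indicator 3 = clock not synchronised
        return False
    if r["stratum"] == 0:         # kiss-o'-death / unspecified; refid (e.g. b"RATE") says why
        return False
    if r["stratum"] >= 16:        # 16 = unsynchronised, above that is reserved
        return False
    if r["tx"] == -NTP_EPOCH_OFFSET:   # zero transmit timestamp: nothing useful was answered
        return False
    return True


def make_reply(li: int, stratum: int, refid: bytes, tx_unix: int) -> bytes:
    """Constructed server reply (mode 4) for the example; reference/origin/receive timestamps left zero."""
    first = (li << 6) | (4 << 3) | 4
    return (struct.pack(">BBbb", first, stratum, 6, -20)
            + struct.pack(">II", 0, 0)                 # root delay, root dispersion
            + refid
            + b"\x00" * 24                             # reference, origin, receive timestamps
            + struct.pack(">II", tx_unix + NTP_EPOCH_OFFSET, 0))


if __name__ == "__main__":
    healthy = make_reply(0, 2, b"\x0a\x00\x00\x01", 1700000000)
    kod = make_reply(0, 0, b"RATE", 1700000000)
    unsynced = make_reply(3, 16, b"INIT", 0)
    for name, pkt in (("healthy", healthy), ("kiss-o'-death", kod), ("unsynced", unsynced)):
        print(name, "alive:", ntp_service_alive(pkt), parse_ntp(pkt))
```

    On a live probe the request would be sent with a UDP socket to port 123 and the reply handed to ntp_service_alive(); a timeout is simply treated as down.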

  • CSS - Executing a Keepalive Script

    Hi,
    I am trying to execute the following script, this script is testing connectivity on multiple hosts and TCP ports to define a service as 'up'
    #!name = CHECKPORT_STD_SCRIPT
    # Scriptname : CheckPortsTask.tcl
    # Parameters : <list of hosts ip >
    # <list of ports >
    # [verbose] optional verbose debug flag.
    # Description :
    # This is an example of standalone script. The script is given a list of hosts
    # and a list of ports for each host. The script then checks to see if the host:port
    # is available and listening.
    # Example execution:
    # script task 1 "10.2.0.12 10.2.0.14 10.5.0.15" " 21 23 80 2048"
    proc ck_puts { msg } {
        puts "[ info script ] : $msg"
    }
    # main
    # parse cmd line args and setup ip , port
    if { $argc != 2 } {
        ck_puts "parameters: script task <id> [ info script ] <hostList> <portList>"
        exit -1
    }
    set hostList [ lindex $argv 0 ]
    set portList [ lindex $argv 1 ]
    ck_puts "================= test start========================="
    foreach ip $hostList {
        ck_puts "----------------- host $ip-------------------------"
        foreach port $portList {
            ck_puts "testing $ip:$port"
            if { [catch { socket $ip $port } sock ] } {
                ck_puts "\t$ip:$port ERR : $sock"
                if { [ regexp "connection timed out" $sock ] } {
                    ## error due to connection timeout, skip to next ip
                    break
                }
                ## other error, don't break, keep testing the next port for the same ip
            } else {
                ck_puts "\t$ip:$port OK"
                close $sock
            }
        }
    }
    ck_puts "================= test end========================="
    My issue is that the comments suggest the arguments are put into 2 sections of quotations, but the CSS will not allow this input....
    CSS11503(config-service[TEST-SERVICE])# keepalive type script checkportstask ?
    <cr> Execute command
    use-output Allow tools such as grep to parse script output
    <Quoted text> Script Arguments (Len: 0-128)
    CSS11503(config-service[TEST-SERVICE])# keepalive type script checkportstask
    CSS11503(config-service[TEST-SERVICE])# keepalive type script checkportstask "10.1.1.1 10.2.2.2" "80 443"
    ^
    %% Invalid input detected at '^' marker.
    CSS11503(config-service[TEST-SERVICE])#
    Can anyone shed some light on how this script is executed.
    Thanks,
    Brian

    What you show is a CSM/ACE TCL script.
    The CSS uses its own scripting language.
    More info @
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080327ff9.html
    BTW, what you need already exists.
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a00801e1e14.shtml
    Gilles.

  • CSS SSL Keepalives

    Is it possible to use SSL keepalives with a uri string? The config guide seems to say just SSL Hellos, but I would like confirmation.
    Today we have this:
    service WWW-Test
    keepalive type http
    keepalive uri "http://XXX.XXX.197.28/efs/servlet/efs/whoami.jsp"
    ip address XXX.XXX.197.28
    But would like something like this:
    service WWW-Test
    keepalive type ssl
    keepalive uri "https://XXX.XXX.197.28/efs/servlet/efs/whoami.jsp"
    ip address XXX.XXX.197.28
    Thanks!

    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/command/reference/CmdSrvC.html#wp1139992
    This keepalive only sends a client HELLO and expect a server HELLO.
    No data is actually encrypted or sent.
    So, to answer your question, no, you can't specify a URI.
    You could with the ACE module.
    Gilles.
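
    Added illustration, not part of the thread and not CSS code: what a hello-only SSL keepalive actually verifies, written out in Python. build_client_hello() produces a minimal TLS 1.0 ClientHello with no extensions; server_hello_ok() accepts a reply only if its first record is a handshake ServerHello that selects one of the offered suites. No application data is ever sent, which is why a URI cannot be part of the check: a listener that presents a certificate for the wrong site, or whose web application is broken behind a healthy TLS stack, still passes. The replies are constructed in the block; the cipher-suite values and function names are assumptions of the example.

```python
import os
import struct

HANDSHAKE = 22
ALERT = 21
TLS1_0 = b"\x03\x01"
OFFERED = (0x000A, 0x0005, 0x0004)   # 3DES-EDE-CBC-SHA, RC4-128-SHA, RC4-128-MD5


def tls_record(ctype: int, body: bytes) -> bytes:
    """Wrap `body` in a TLS record header (type, version 3.1, length)."""
    return bytes([ctype]) + TLS1_0 + struct.pack(">H", len(body)) + body


def build_client_hello(suites=OFFERED) -> bytes:
    """Minimal ClientHello: version, 32-byte random, empty session id, suites, null compression."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (TLS1_0 + os.urandom(32) + b"\x00"
            + struct.pack(">H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")
    return tls_record(HANDSHAKE, b"\x01" + len(body).to_bytes(3, "big") + body)


def server_hello_ok(reply: bytes, offered=OFFERED) -> bool:
    """Hello-only verdict: first record must be a handshake ServerHello choosing an offered suite.
    The certificate, the rest of the handshake and any application data are never examined."""
    if len(reply) < 5:
        return False
    ctype, major, minor, rlen = struct.unpack(">BBBH", reply[:5])
    if ctype != HANDSHAKE or (major, minor) != (3, 1) or len(reply) < 5 + rlen:
        return False
    hs = reply[5:5 + rlen]
    if len(hs) < 4 or hs[0] != 2:                    # handshake type 2 = ServerHello
        return False
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:                               # version(2) + random(32) + sid_len(1)
        return False
    sid_len = body[34]
    if len(body) < 35 + sid_len + 3:                 # + session id + suite(2) + compression(1)
        return False
    suite = struct.unpack(">H", body[35 + sid_len:37 + sid_len])[0]
    return suite in offered


def make_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed reply for the example: a ServerHello selecting `suite`."""
    body = (TLS1_0 + os.urandom(32) + bytes([len(session_id)]) + session_id
            + struct.pack(">H", suite) + b"\x00")
    return tls_record(HANDSHAKE, b"\x02" + len(body).to_bytes(3, "big") + body)


# Constructed: a plain HTTP listener on the probed port answering the hello with an error page.
PLAINTEXT_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"
# Constructed: a fatal handshake_failure alert instead of a ServerHello.
ALERT_REPLY = tls_record(ALERT, b"\x02\x28")


if __name__ == "__main__":
    print(len(build_client_hello()), "byte ClientHello")
    print("ServerHello RC4-128-SHA:", server_hello_ok(make_server_hello(0x0005)))
    print("ServerHello with unoffered suite:", server_hello_ok(make_server_hello(0x002F)))
    print("plain HTTP listener:", server_hello_ok(PLAINTEXT_HTTP_REPLY))
    print("alert:", server_hello_ok(ALERT_REPLY))
```

    Sending the ClientHello over a TCP socket and reading the first record is all the keepalive does; an alert, a non-TLS banner or a timeout all count as down, while anything at the HTTP layer is invisible to it.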

  • CSS best practice / keepalives

    We have a Cisco 11503 running 7.40.1.03 (standard feature set) that we are setting up as a load balancer for a new e-mail system. I had two previous threads - thanks to Gilles and the others who responded. The box is now more or less configured to do what we want it to do, but I'm curious about "best practice" suggestions for keepalives.
    As I understand it, keepalives are per service. As an example, we have two webmail servers. They are only running SSL, so each server is a service with keepalive type ssl. If webmail1 loses its apache or just dies entirely, the keepalive will not respond, and the CSS will send all traffic to webmail2, which still has its keepalives active.
    This is all well and good. But, our IMAP servers are running multiple protocols - 7 of them. I have two services configured; one for each server, with no protocol specification. Then I have a content rule for each separate protocol, where the port #s are configured.
    I am thinking that if I want the most out of the CSS, I need to configure a separate SERVICE for each protocol for the e-mail servers, with a specific keepalive for each individual protocol. That way if SSH goes away, the CSS will close SSH to email1 and only send that traffic to email2, but will still send IMAP or SIMAP to email1, since those protocols didn't go down.
    For me this seems like a configuration disaster. I'd need a separate service for each server and each protocol, and then a separate content rule as well for every service and every protocol.
    Is this correct? Or is there some way of streamlining the configuration to reduce the number of services and/or content rules?
    Thank you! And let me know if the configuration would be helpful.
    Cheers...

    The best is to indeed split each protocol and create a separate service and rule for each of them.
    2 servers and 7 protocols is not a big config [some customer have 300 servers and 2 or 3 protocols which makes it more problematic to configure].
    If you really think this is too much, simply create 1 ip service per server and 1 ip content rule.
    You don't monitor the protocols but just ip connectivity.
    Easy config, it works but you don't have the granularity to detect specific protocols going down.
    Regards,
    Gilles.

  • Newly Occuring CSS SSL Issue in Chrome, FF10, IE9 with L5 rules; 3 second delay, loss of L5 stickyness

    We recently started suffering an issue with our CSS11501S-K9 units not performing URL stickiness on our SSL wrapped L5 rules.  I've spent dozens of manhours working on the problem, and have quite a bit of information to report, including a solution.  There is a high probability that anybody who uses SSL to an L5 rule on a CSS unit will become affected by this problem over the next few weeks/months as users update their browsers with new SSL patches.  
    We hadn't made any changes to our config in months, and eliminated hardware problems by testing a second unit. 
    Here are the exact symptoms we saw:
      Browsers affected: Firefox 10, Chrome, IE9, others (and some earlier versions of IE depending on patch levels)
      Browsers not affected: FireFox 3.5, w3m 0.5.2, curl7.19.7
      Impact 1: For SSL Rules backed by L5 rules, the initial response to the first request would be 3 seconds.  Further requests on the same TCP connection would not be delayed
      Impact 2: L5 rules being accessed via SSL would no longer perform any URL based stickiness.  Accessing the same rule skipping SSL would work fine
    I focused on the 3 second delay, since that was a new issue and was easier to debug than monitoring multiple servers to see if stickiness was broken.  This is what I found when a client tries to connect to an SSL rule that ultimately is routed to a L5 HTTP rule:
    1. Client/CSS perform initial TLS handshake, crypto cyphers determined (nearly instantly)
    2. Client sends HTTP 1.1 request for resource (nearly instantly)
    3. 3 seconds of no traffic in or out of the CSS related to this request
    4. CSS opens an HTTP connection to backend webserver, backend webserver responds (nearly instantly)
    5. The CSS seems to route to the backend server using the balance method (round-robin) instead of the advanced-balance method (url)
    6. Response is sent to the client with the resource (nearly instantly)
    7. Future requests sent from the browser on the same TCP connection have no delay, but the advanced-balance continues to be ignored
    The 3 seconds is quite an exact figure (within a few milliseconds) and appears to be entirely happening inside of the CSS unit itself, since it does not connect to the backend server until after the 3 seconds elapse.  3 seconds smelled like some sort of internal timeout set in the CSS unit after it gives up waiting for something.
    Looking at the packets from affected browsers I discovered that the GET /foobar HTTP/1.1 request was being broken into two separate TLSv1 application messages, the first was 24 bytes and the second was 400 bytes.  Decrypting these messages I found the first message was a
    G
    and the second message was:
    ET /foobar HTTP/1.1
    This essentially splits the initial request the client is sending into two pieces.  This confuses wireshark so much, it doesn't decode this as a HTTP request, and just decodes it as "continuation or non-HTTP traffic".
    On the working browsers I saw only one TLSv1 application message, decrypting it I saw:
    GET /foobar HTTP/1.1
    (obviously I'm simplifying the contents of the request, there were lots of headers and stuff)
    I am aware that the CSS can't handle L5 rules appropriately if they get fragmented, so I suspected this was the problem.  I pulled a packet trace from a few years ago, and at that time confirmed we never saw double TLSv1 application messages before. 
    A number of openssl vulnerabilities were recently fixed: http://www.ubuntu.com/usn/usn-1357-1
    and browsers may have been recently updated to fix some of these issues, changing the way they encode their traffic. 
    Solution:
    Our ssl config looked something like this:
    ssl-proxy-list SSL_ACCEL
      ssl-server 10 vip address XX.XX.XX.XX
      ssl-server 10 rsakey XXXX
      ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
      ssl-server 10 cipher rsa-with-rc4-128-sha XX.XX.XX.XX 80
      ssl-server 10 cipher rsa-with-rc4-128-md5 XX.XX.XX.XX 80
      ssl-server 10 unclean-shutdown
      ssl-server 10 rsacert XXXXXX
    Removing:
      ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
    Solves the problem.  After that's removed, the browsers will no longer fragment the first character of their request into a separate TLSv1 message.  The 3 second delay goes away, and L5 stickiness is fixed.  The "CBC" in the cipher name refers to Cipher Block Chaining (a great article here:
    http://en.wikipedia.org/wiki/Cipher-block_chaining), and breaking the payload into multiple packages may have been an attempt to initialize the IV for encryption -- although I'm really just guessing, I stopped researching once I verified this solution was acceptable.
    This issue became serious enough for us to notice first on Monday Feb 13th 2012. We believe a number of our large customers distributed workstation updates over the weekend.  The customers affected were using IE7, although my personal IE7 test workstation did not appear to be affected.  It's quite possible our customers were going through an SSL proxy.  I suspect as more people upgrade their browsers, this will become a more serious issue for CSS users, and I hope this saves somebody a huge headache and problems with their production environment.
    -Joe

    Hi Joe,
    That's a very good analysis you did.
    As you already suspected, the issue comes from the TLS record fragmentation feature that was introduced in the latest browser versions to overcome a SSL vulnerability (http://www.kb.cert.org/vuls/id/864643). Unfortunately, similar issues are happening with multiple products.
    For CSS, the bug tracking this issue is CSCtx68270. The development team is actively working on a fix for it, which should be available (in an interim software release, so to get it you will have to go through TAC) in the next couple of weeks.
    In the meantime, as workaround, you can configure the CSS to use only RC4 cyphers (which is what you were suggesting also). These are not affected by the vulnerability, so, browsers don't apply the record fragmentation when they are in use. This workaround has been tested by several customers already, and the results seem to be very positive.
    Regards
    Daniel
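
    Added example, not from Joe's or Daniel's posts: a Python model of the record split Joe decrypted and of the two ways a proxy can treat it. client_send() reproduces the 1/n-1 split that patched browsers apply to CBC suites (the first application-data byte goes out in its own TLS record, the rest in a second one); naive_l5_classify() looks only at the first record, as the CSS appears to, and cannot match a request line from the single byte "G"; reassembling_l5_classify() buffers application-data records until the request head is complete before matching the URL. The record payloads are plaintext stand-ins for the decrypted data, and the request, host name and function names are constructed for the example.

```python
import re
import struct

APPLICATION_DATA = 23
TLS1_0 = b"\x03\x01"
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def tls_record(ctype: int, payload: bytes) -> bytes:
    """Wrap `payload` in a TLS record header (type, version 3.1, length)."""
    return bytes([ctype]) + TLS1_0 + struct.pack(">H", len(payload)) + payload


def split_records(stream: bytes) -> list:
    """Parse a byte stream into (content_type, payload) pairs; raises on a truncated record."""
    records, pos = [], 0
    while pos < len(stream):
        ctype, _major, _minor, length = struct.unpack(">BBBH", stream[pos:pos + 5])
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, payload))
        pos += 5 + length
    return records


def client_send(request: bytes, cbc_suite: bool) -> bytes:
    """Client side.  With a CBC suite a patched browser emits the first byte as its own
    record (the 1/n-1 split); with an RC4 suite the request goes out in one record."""
    if cbc_suite and len(request) > 1:
        return tls_record(APPLICATION_DATA, request[:1]) + tls_record(APPLICATION_DATA, request[1:])
    return tls_record(APPLICATION_DATA, request)


def naive_l5_classify(stream: bytes):
    """Per-record matching (the failing behaviour): the request line must sit in the first record."""
    first_payload = split_records(stream)[0][1]
    m = REQUEST_LINE.match(first_payload)
    return m.group(2).decode("ascii") if m else None


def reassembling_l5_classify(stream: bytes):
    """Buffer application-data records until the request head is complete, then match the URL."""
    buf = b""
    for ctype, payload in split_records(stream):
        if ctype != APPLICATION_DATA:
            continue
        buf += payload
        if b"\r\n\r\n" in buf:
            m = REQUEST_LINE.match(buf)
            return m.group(2).decode("ascii") if m else None
    return None   # head not complete yet: keep waiting rather than fall back to round-robin


# Constructed request, standing in for the decrypted bytes Joe saw.
REQUEST = b"GET /foobar HTTP/1.1\r\nHost: www.example.test\r\n\r\n"


if __name__ == "__main__":
    for name, stream in (("CBC, split", client_send(REQUEST, True)),
                         ("RC4, whole", client_send(REQUEST, False))):
        sizes = [len(p) for _, p in split_records(stream)]
        print(name, "record sizes:", sizes,
              "naive:", naive_l5_classify(stream),
              "reassembled:", reassembling_l5_classify(stream))
```

    The split stream parses as records of 1 and 46 bytes; the naive classifier returns nothing for it, which is the "balance method instead of advanced-balance" behaviour Joe observed, while the reassembling one returns /foobar for both streams. Removing the CBC suite, as in the thread, makes the client take the single-record path; it does not make the per-record parser correct.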

  • CSS SSL Proxy - how can I write the original source address in http header

    I'm replacing some BigIP's with CSS11500's that are configured to do front/backend ssl proxying in a one-armed configuration. The BigIP's write the original source IP address as a http header value when the traffic is sent to the application, and the application uses the IP to match against an application ACL. How can I do the same in the CSS.
    thanks,
    Brian

    here is what you can insert with the SSL module :
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080292a76.html#wp1027619
    Gilles.

  • CSS SSL renewal problem

    While renewing the SSL certificate on the CSS everything went fine during installation, but after that when I checked with the following command
    sh ssl associate rsakey | grep url (don't want to mention the name)
    I can see the previous as well as the new key both as associated, and it says yes,
    while the new should show yes and the old should show no.
    It is showing the same for the cert.
    Can anyone help me sort out what this problem could be?
    Thanks in advance

    Sagar,
    Have you performed the "no ssl associate rsakey" and the "no ssl associate cert"?
    After that, perform the "clear ssl file " and "clear ssl file rsakey "
    HTH
    Dave
