CSS VIP Issues (Source Group with 'add destination service')

I have a pair of Cisco CSS 11503 boxes with a ap-kal-pinglist applied to both virtual routers, as a Critical Service, on the Primary CSS.  When a link goes down, the VRRP fails over all traffic to the Secondary, as expected, but there is an issue with two particular VIPs.  These VIPs have Source Groups configured, like below:
group WEBSITE_ABC
  add destination service XYZ_Server_1
  add destination service XYZ_Server_2
  vip address 10.10.3.25
  active
group WEBSITE_XYZ
  add destination service ABC_Server_1
  add destination service ABC_Server_2
  vip address 10.10.3.24
  active
Once a failover occurs, the VIPs are unreachable via a browser.  I have also seen 1 VIP OK and 1 VIP not, but never both working.  At times, when I failback to the Primary, the VIPs are OK again.  The services are reachable via a browser during this issue.
Any ideas?

You need to check whether, during the failover, the CSS sends a G-ARP to inform the network that the ARP entry associated with the NAT IP address now belongs to the secondary CSS.
Get a sniffer trace during failover and check whether this G-ARP is sent.
If not, this is a bug and you need to report it.
If yes, then the problem is not the CSS but another device on the path...did the switch correctly learn the new path? Does the server have the correct ARP table?
Gilles.
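As an added check, not code from the thread: a small standard-library parser that scans raw Ethernet frames from a failover capture for the gratuitous ARP Gilles describes, and reports which MAC claimed a given VIP. The MAC addresses and the sample trace are constructed; the VIPs are the ones from the post.

```python
"""Check a sniffer trace for the gratuitous ARP that the new VRRP master should
send for a source-group VIP after failover.

Standard library only: Ethernet/ARP headers are parsed by hand, so the
functions can be pointed at frames read from any capture tool."""
import struct
from typing import Iterable, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the fields of an IPv4-over-Ethernet ARP frame, or None for
    anything else (non-ARP ethertype, truncated frame, other hw/proto types)."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": frame[22:28].hex(":"),
        "sender_ip": _ip(frame[28:32]),
        "target_mac": frame[32:38].hex(":"),
        "target_ip": _ip(frame[38:42]),
    }


def is_gratuitous(arp: dict) -> bool:
    """Gratuitous ARP carries the sender's own IP as the target IP; it may be
    framed as a request or as a reply, and both forms update neighbour caches."""
    return arp["op"] in (ARP_REQUEST, ARP_REPLY) and arp["sender_ip"] == arp["target_ip"]


def garp_owners(frames: Iterable[bytes], vip: str) -> List[str]:
    """MAC addresses that announced `vip` via gratuitous ARP, in trace order.
    An empty list after a failover means the new master never told the
    segment that the VIP moved, which is the case Gilles says to report."""
    return [arp["sender_mac"] for arp in map(parse_arp, frames)
            if arp and is_gratuitous(arp) and arp["sender_ip"] == vip]


def _frame(*hex_parts: str) -> bytes:
    return bytes.fromhex("".join(hex_parts))


# Constructed sample trace (hypothetical MACs; VIPs taken from the post).
SECONDARY_MAC = "001122bbbbbb"
ROUTER_MAC = "001122cccccc"
SAMPLE_TRACE = [
    # Ordinary ARP request from the router for 10.10.3.25: not gratuitous.
    _frame("ffffffffffff", ROUTER_MAC, "0806", "0001", "0800", "06", "04", "0001",
           ROUTER_MAC, "0a0a0301", "000000000000", "0a0a0319"),
    # Gratuitous ARP reply from the secondary CSS claiming 10.10.3.25.
    _frame("ffffffffffff", SECONDARY_MAC, "0806", "0001", "0800", "06", "04", "0002",
           SECONDARY_MAC, "0a0a0319", SECONDARY_MAC, "0a0a0319"),
    # Gratuitous ARP request from the secondary CSS claiming 10.10.3.24.
    _frame("ffffffffffff", SECONDARY_MAC, "0806", "0001", "0800", "06", "04", "0001",
           SECONDARY_MAC, "0a0a0318", "000000000000", "0a0a0318"),
    # An IPv4 frame (ethertype 0x0800) that the parser must ignore.
    _frame("ffffffffffff", ROUTER_MAC, "0800") + b"\x00" * 28,
]

if __name__ == "__main__":
    for vip in ("10.10.3.25", "10.10.3.24", "10.10.3.99"):
        print(vip, "announced by", garp_owners(SAMPLE_TRACE, vip) or "nobody")
```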

Similar Messages

  • Limitation on source group with services using ip address range

    Hello,
    I have an interface on CSS which I regard as public and another interface I regard as private. On the private interface is a server farm with private ip addresses. Since the server admin guys insisted the servers need to access internet just for Windows Update, I made a source group to NAT the private addresses to public addresses to allow the servers to access internet.
    I defined services for use by the source group. Since keepalive is not important in this case, I set keepalive none to, I hope, save system resources.
    I have server 192.168.1.1-5 (5 servers) and 192.168.1.11-14 (4 servers), so I made a service with ip address 192.168.1.1 range 5 and another service 192.168.1.11 range 4.
    But then I found that the two services cannot be put in the same source group. It is because of the different range in the service definition.
    I can get it to work if I define services with single IP addresses, but then I will have a long configuration with repetitive information. And I think this may be using more system resources.
    I can also get it work if I include 192.168.11.15 and define two services both with a range of 5 ip addresses. But 192.168.11.15 is not actually there.
    Why is there such a limitation on source group, or services with ip address range? Is there the same limitation for content rules? Or am I getting it all wrong and should do the configuration in other ways?
    Advice will be welcomed.
    CT Yau
    Hong Kong

    Yes you are correct. There is a limitation while adding services into source groups.
    You can create as many services as you like that share an IP range (e.g. a /24 subnet range). But the trouble starts when you add them into source groups. You can not add them into a source group, nor can you add them under different source groups.
    You mentioned that you can use a single IP address instead of a range for the services...but it is not true, as you will be stuck when you add them into source groups.
    I can think of these following options in your case.
    Option 1
    Change the IP range on the servers. Use 2 different IP ranges, one for those 5 servers and another for those 4 servers.
    Create 2 services for each range.
    Create 2 groups and add the services.
    service server-out-192.168.1.1-5
      ip address 192.168.1.1 range 5
      active
    service server-out-172.168.1.11-14
      ip address 172.168.1.11 range 4
      active
    group server-out-192.168.1.1-5
      vip address x.x.x.1
      add service server-out-192.168.1.1-5
      active
    group server-out-172.168.1.11-14
      vip address x.x.x.2
      add service server-out-172.168.1.11-14
      active
    Option 2
    Create a service that includes all the ip addresses starting from 192.168.1.1 through .14 using the range keyword.
    Now you need to create one source group with a VIP. Add the service to the source group.
    If you do not want to cover the unassigned ip addresses just move them up and use consecutive ones.
    service server-out-192.168.1.1-14
      ip address 192.168.1.1 range 14
      active
    group server-out-192.168.1.1-14
      vip address x.x.x.x
      add service server-out-192.168.1.1-14
      active
    thanks

  • Issue of invoice with reference to service frame work order

    Hi Gurus,
    I am creating a service framework purchase order for a service material. In the item detail of the service framework PO, in the condition tab, I maintain a VAT % condition. Then I create a service entry sheet with reference to that PO and post the entry. When I go to maintain the invoice for that material with reference to the PO, the system shows two line items: the first line item shows the amount and quantity to be invoiced, and the second line item shows no amount or quantity but shows the PO number and PO text, which mentions VAT %.
    Please tell me what customizing mistake has taken place.
    regards

    Hi Suresh
    go to OLMSRV > taxes at individual service level
    then check box against country code.
    Best Regards
    Nishant Shende

  • Css is it possible to use two VIPs with one source group?

    I have separate VIPs defined for balancing dns and radius. Both services are being balanced behind the CSS between two servers running both services. Is there a way, using source groups, to have the outbound dns udp lookups go out the associated dns VIP and a client's returning radius udp traffic sourced from the associated radius VIP?
    Just a note for clarity: both services defined for dns and radius have the same ip addresses. I can only define one of the services(i.e. dns) in a single source group which automatically associates the other service (i.e. radius) to that group.

    If I understand your question correctly, you want to have the same real server respond with a different source address based on which VIP was used to get to it.
    You can only put one instance of the server's IP address into a source group. That is, you can't add the service name used for one rule into one group and the service used in the other rule into another group, since the CSS only looks at the source address when it is determining whether to use the source group, based on the service named in it. In order to have the same server use two different source groups, you would need an ACL clause with the sourcegroup option, like
    permit any 10.0.0.1 eq 53 dest any sourcegroup
    permit any 10.0.0.1 dest any sourcegroup
    Michael

  • Source groups on css

    Is it possible to load balance to non-directly-attached servers using source groups?
    I have an application that needs port 80 balanced to servers behind the css. The same app needs ports 7003 and 7004 balanced on the same vip to app servers many hops below the css.
    Thanks

    My config is a CSS interface on a network facing the internet (external VIPs), one interface facing internal users (internal VIPs), and one interface to backend servers.
    Routing sends internal IPs to and back from the internal VIPs interface, and 0.0.0.0 is out to the internet.
    What would a config look like?
    Define services of servers a few hops away with keepalive ping?
    Create 2 source groups with the same IP as the internal VIP and a group with the outside VIP? Add destination servers of the hops-away servers to the group?
    Create content rules that point ports 7003 and 7004 to the services of the servers several hops away?
    Thanks
    Steve

  • Data Source Groups in Query not reflecting changes in Admin

    Version of US used: 1.0.3
    I removed some data source groups and added new ones in the Admin Application. But the default Query Application does not reflect these changes. That is, when I go to Advanced Search in the Query Application, the list of Data Source Groups displayed (i.e. the checkboxes) does not include the new ones I added, and it still shows the ones I already deleted.
    My question: how do I update the data groups in the Advanced Query screen? Do I have to execute all the schedules again before the updates are reflected?
    Thanks!

    Hi,
    The caching Cindy was referring to is NOT in the browser. It is in the JSP middle-tier. The JSP caches the data groups information to avoid fetching from the database every time, since data groups change infrequently.
    In addition, in the 1.0.3 version, this cache does not have any invalidation logic. So once the search application has started (after first use), the data groups will never change unless the application server (apache+jserv) is restarted.
    Please restart the application server to see your changes take place. If you wish, you can change the caching logic in the JSP itself. You may implement some trivial invalidation based on time, or disable it if your server can handle the load.
    Note: Ultra Search samples in 9.0.2 or later releases have invalidation of cache every 15 mins or so.
    David

  • How can I update an already saved "bookmark all tabs" group with a current group of tabs? Or add only the changes??

    Example of problem:
    I have already saved a group of tabs using the "bookmark all tabs" feature.
    I open that group of tabs in a new browser window.
    Then I modify that group of tabs that I have open, adding new ones, removing old ones.
    How can I replace the existing tab group with the new tabs?
    Is there an option to just add the new ones that I have opened and keep all the others even if I have removed some of the old ones from the currently opened group?
    ...another issue: can I share bookmarks online? What are the options for this?

    You can't do that.
    Each time you use "Bookmark All Tabs" a new folder is created, even if you give the folder the same name, so you will have to do any merging yourself in the Bookmarks Manager or just create a new group and discard (delete) the previous group.
    If you want to share bookmarks online then you need to use a web based service that offers such a feature like Delicious.
    http://en.wikipedia.org/wiki/Social_bookmarking

  • Newly Occurring CSS SSL Issue in Chrome, FF10, IE9 with L5 rules; 3 second delay, loss of L5 stickiness

    We recently started suffering an issue with our CSS11501S-K9 units not performing URL stickiness on our SSL wrapped L5 rules.  I've spent dozens of man-hours working on the problem, and have quite a bit of information to report, including a solution.  There is a high probability that anybody who uses SSL to an L5 rule on a CSS unit will become affected by this problem over the next few weeks/months as users update their browsers with new SSL patches.
    We hadn't made any changes to our config in months, and eliminated hardware problems by testing a second unit.
    Here are the exact symptoms we saw:
      Browsers affected: Firefox 10, Chrome, IE9, others (and some earlier versions of IE depending on patch levels)
      Browsers not affected: Firefox 3.5, w3m 0.5.2, curl 7.19.7
      Impact 1: For SSL rules backed by L5 rules, the initial response to the first request would take 3 seconds.  Further requests on the same TCP connection would not be delayed
      Impact 2: L5 rules being accessed via SSL would no longer perform any URL-based stickiness.  Accessing the same rule, skipping SSL, would work fine
    I focused on the 3 second delay, since that was a new issue and was easier to debug than monitoring multiple servers to see if stickiness was broken.  This is what I found when a client tries to connect to an SSL rule that ultimately is routed to a L5 HTTP rule:
    1. Client/CSS perform initial TLS handshake, crypto ciphers determined (nearly instantly)
    2. Client sends HTTP 1.1 request for resource (nearly instantly)
    3. 3 seconds of no traffic in or out of the CSS related to this request
    4. CSS opens an HTTP connection to backend webserver, backend webserver responds (nearly instantly)
    5. The CSS seems to route to the backend server using the balance method (round-robin) instead of the advanced-balance method (url)
    6. Response is sent to the client with the resource (nearly instantly)
    7. Future requests sent from the browser on the same TCP connection have no delay, but the advanced-balance continues to be ignored
    The 3 seconds is quite an exact figure (within a few milliseconds) and appears to be entirely happening inside of the CSS unit itself, since it does not connect to the backend server until after the 3 seconds elapse.  3 seconds smelled like some sort of internal timeout set in the CSS unit after it gives up waiting for something.
    Looking at the packets from affected browsers I discovered that the GET /foobar HTTP/1.1 request was being broken into two separate TLSv1 application messages, the first was 24 bytes and the second was 400 bytes.  Decrypting these messages I found the first message was a
    G
    and the second message was:
    ET /foobar HTTP/1.1
    This essentially splits the initial request the client is sending into two pieces.  This confuses wireshark so much, it doesn't decode this as a HTTP request, and just decodes it as "continuation or non-HTTP traffic".
    On the working browsers I saw only one TLSv1 application message, decrypting it I saw:
    GET /foobar HTTP/1.1
    (obviously I'm simplifying the contents of the request, there were lots of headers and stuff)
    I am aware that the CSS can't handle L5 rules appropriately if they get fragmented, so I suspected this was the problem.  I pulled a packet trace from a few years ago, and at that time confirmed we had never seen double TLSv1 application messages before.
    A number of openssl vulnerabilities were recently fixed: http://www.ubuntu.com/usn/usn-1357-1
    and browsers may have been recently updated to fix some of these issues, changing the way they encode their traffic. 
    Solution:
    Our ssl config looked something like this:
    ssl-proxy-list SSL_ACCEL
      ssl-server 10 vip address XX.XX.XX.XX
      ssl-server 10 rsakey XXXX
      ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
      ssl-server 10 cipher rsa-with-rc4-128-sha XX.XX.XX.XX 80
      ssl-server 10 cipher rsa-with-rc4-128-md5 XX.XX.XX.XX 80
      ssl-server 10 unclean-shutdown
      ssl-server 10 rsacert XXXXXX
    Removing:
      ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
    Solves the problem.  After that's removed, the browsers will no longer fragment the first character of their request into a separate TLSv1 message.  The 3 second delay goes away, and L5 stickiness is fixed.  The "CBC" in the cipher refers to Cipher-Block-Chaining (a great article here:
    http://en.wikipedia.org/wiki/Cipher-block_chaining), and breaking the payload into multiple packages may have been an attempt to initialize the IV for encryption -- although I'm really just guessing, I stopped researching once I verified this solution was acceptable.
    This issue became serious enough for us to notice first on Monday Feb 13th 2012. We believe a number of our large customers distributed workstation updates over the weekend.  The customers affected were using IE7, although my personal IE7 test workstation did not appear to be affected.  It's quite possible our customers were going through an SSL proxy.  I suspect as more people upgrade their browsers, this will become a more serious issue for CSS users, and I hope this saves somebody a huge headache and problems with their production environment.
    -Joe

    Hi Joe,
    That's a very good analysis you did.
    As you already suspected, the issue comes from the TLS record fragmentation feature that was introduced in the latest browser versions to overcome a SSL vulnerability (http://www.kb.cert.org/vuls/id/864643). Unfortunately, similar issues are happening with multiple products.
    For CSS, the bug tracking this issue is CSCtx68270. The development team is actively working on a fix for it, which should be available (in an interim software release, so to get it you will have to go through TAC) in the next couple of weeks.
    In the meantime, as a workaround, you can configure the CSS to use only RC4 ciphers (which is what you were suggesting also). These are not affected by the vulnerability, so browsers don't apply the record fragmentation when they are in use. This workaround has been tested by several customers already, and the results seem to be very positive.
    Regards
    Daniel
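    As an added illustration, not code from either post: a small Python model of the record split Joe captured and Daniel explains, contrasting a parser that inspects only the first TLS application-data record with one that buffers records until the request line is complete. The records are constructed plaintext, as they would look after decryption; the buffer cap is a hypothetical value.

```python
"""Model of an HTTP request line split across TLS application-data records
(the 1/n-1 split: a 1-byte record followed by the rest of the request).

Each element of `records` is the decrypted payload of one TLS
application-data record, in arrival order."""
from typing import List, Optional

MAX_BUFFER = 8192  # hypothetical cap: stop buffering rather than wait forever


def _parse_request_line(data: bytes) -> Optional[str]:
    """Return the request-target from 'METHOD target HTTP/x.y\\r\\n', or
    None while the line is still incomplete or malformed."""
    end = data.find(b"\r\n")
    if end < 0:
        return None
    parts = data[:end].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1].decode("ascii", errors="replace")


def first_record_only(records: List[bytes]) -> Optional[str]:
    """Inspect only the first record, the way a device that assumes the whole
    request line arrives in one record would.  On a split request it sees
    just 'G', finds no request line, and has nothing to match an L5 rule on."""
    if not records:
        return None
    return _parse_request_line(records[0])


def reassembled(records: List[bytes]) -> Optional[str]:
    """Concatenate consecutive records until a complete request line is seen,
    which is what a device in this path has to do to keep URL-based rules
    working against clients that split records."""
    buf = b""
    for rec in records:
        buf += rec
        if len(buf) > MAX_BUFFER:
            return None
        url = _parse_request_line(buf)
        if url is not None:
            return url
    return None


def is_one_n_minus_one_split(records: List[bytes]) -> bool:
    """True when the first record carries exactly one payload byte and the
    next record carries more: the pattern seen from the affected browsers."""
    return len(records) >= 2 and len(records[0]) == 1 and len(records[1]) > 1


# Constructed sample input: decrypted records as the post describes them
# (the 24-byte and 400-byte ciphertext records carried 'G' and the rest).
SPLIT_REQUEST = [b"G", b"ET /foobar HTTP/1.1\r\nHost: www.example.com\r\n\r\n"]
WHOLE_REQUEST = [b"GET /foobar HTTP/1.1\r\nHost: www.example.com\r\n\r\n"]

if __name__ == "__main__":
    for name, recs in (("split", SPLIT_REQUEST), ("whole", WHOLE_REQUEST)):
        print(name, "first-record-only:", first_record_only(recs),
              "reassembled:", reassembled(recs),
              "1/n-1 split:", is_one_n_minus_one_split(recs))
```

RC4 cipher suites have since been prohibited for TLS (RFC 7465) and current browsers no longer offer them, so the cipher-only workaround is not available today and a device in this path has to accept the split records.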

  • SSIS 2012 is intermittently failing with below "Invalid date format" while importing data from a source table into a Destination table with same exact schema.

    We migrated Packages from SSIS 2008 to 2012. The Package is working fine in all the environments except in one of our environment.
    SSIS 2012 is intermittently failing with below error while importing data from a source table into a Destination table with same exact schema.
    Error: 2014-01-28 15:52:05.19
       Code: 0x80004005
       Source: xxxxxxxx SSIS.Pipeline
       Description: Unspecified error
    End Error
    Error: 2014-01-28 15:52:05.19
       Code: 0xC0202009
       Source: Process xxxxxx Load TableName [48]
       Description: SSIS Error Code DTS_E_OLEDBERROR.  An OLE DB error has occurred. Error code: 0x80004005.
    An OLE DB record is available.  Source: "Microsoft SQL Server Native Client 11.0"  Hresult: 0x80004005  Description: "Invalid date format".
    End Error
    Error: 2014-01-28 15:52:05.19
       Code: 0xC020901C
       Source: Process xxxxxxxx Load TableName [48]
       Description: There was an error with Load TableName.Inputs[OLE DB Destination Input].Columns[Updated] on Load TableName.Inputs[OLE DB Destination Input]. The column status returned was: "Conversion failed because the data value overflowed
    the specified type.".
    End Error
    But when we reorder the column in "Updated" in Destination table, the package is importing data successfully.
    This looks like a bug to me. Any suggestions?

    Hi Mohideen,
    Based on my research, the issue might be related to one of the following factors:
    Memory pressure. Check there is a memory challenge when the issue occurs. In addition, if the package runs in 32-bit runtime on the specific server, use the 64-bit runtime instead.
    A known issue with SQL Native Client. As a workaround, use .NET data provider instead of SNAC.
    Hope this helps.
    Regards,
    Mike Yin

  • Known issues for OBIEE Office Add in with Excel 2007?

    Hi,
    Does anybody know if there are issues for the office add-in with Office 2007?
    I'm playing around a little bit to see how it works, but it seems that Excel interferes with the layout.
    I do get different graphs, and also I tried the tutorial with the Excel template and my changes only partly come through.
    Thanks
    Sandra

    Hi Sandra,
    Were you able to use the OBIEE Office Add-in with Excel 2007? I am planning to look at this compatibility. I am looking here to see if anyone found issues with this setup.
    Thanks,
    Bharat

  • Regarding : How to add a user to portal group with the help of webdynpro .

    Hi,
    I am working on an application in which, with the help of an action (button), we are adding a user in a Ztable in R/3, as well as to a group in the portal.
    The user is successfully created in the Ztable, but on the portal side no user is assigned to the portal group.
    I need a coding solution for "How to add a user to portal group with help of webdynpro".
    Any useful link will also do.
    Please, does anyone have any solution?
    Thanks in advance.
    Rewards are waiting for you.

    Hi,
    Use UME api to add user to portal group.
    Using UME API:
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40d562b7-1405-2a10-dfa3-b03148a9bd19
    Regards,
    Naga

  • OVM 3.0.3 - cannot add new server to VLAN group with bonded VLANs

    I have a new OVS 3.0.3 server built with 2 bonded interfaces and a single VLAN running on top for the management interface. It gets discovered fine by OVM Manager (I'm running Version: 3.0.3.126, Build: 20111214_126)
    I am trying to add it to a VLAN group with two VLANs -- the existing management VLAN (ID=300) plus one other (ID=301). (I already have one identical server assigned to the VLAN group, with both VLAN interfaces configured and running fine.) This works OK, and I can see VLAN 301 for the new server in Oracle VM Manager with no IP address assigned to it.
    However, when I try to apply an IP address to the VLAN (via Hardware / Resources / VLAN Groups / Edit VLAN Group / Configure IP Addresses / VLAN Interfaces) it fails with this error:
    Job Internal Error (Operation)com.oracle.ovm.mgr.api.exception.FailedOperationException: com.oracle.ovm.mgr.api.exception.FailedOperationException: OVMAPI_4010E Attempt to send command: dispatch to server: whyovmprd02 failed. OVMAPI_4004E Server Failed Command: dispatch https://?uname?:[email protected]:8899/api/1 ovs_br_config start 0004fb0010be2df bond0.301, Status: org.apache.xmlrpc.XmlRpcException: exceptions.RuntimeError:Command ['/etc/xen/scripts/ovs-network-bridge', 'start', 'bridge=0004fb0010be2df', 'netdev=bond0.301'] failed (1): stderr: ovs-network-bridge Start: No such device bond0.301
    Oracle VM Manager seems to be expecting the subinterface for VLAN 301 to exist on the server already - which it doesn't of course, because the server has just been built, so it only has its management interface VLAN in place (VLAN ID 300)
    I have managed to work around this by removing VLAN segment 301 from the VLAN group completely, then adding it back in with the IP addresses for both servers in place. This seems to convince Oracle VM Manager that it needs to create the bond0.301 subinterface before it configures it. However, I obviously had to shut down all VMs to do this, and it was really messy as VLAN 301 is the storage network, so my original server lost contact with the NFS storage for a while which caused it to fence etc.
    There must be another way??! Any pointers would be very much appreciated.

    Avi Miller wrote:
    It's fixed in 3.1. In the meantime, if you can remove and reapply the Virtual Machine role on that network, it'll recreate the bridges for you.
    Thanks for replying Avi. (I won't ask you for a release date for 3.1 :))
    I did try that initially, but it didn't seem to help - I got this error back:
    Job Internal Error (Operation)com.oracle.ovm.mgr.api.exception.FailedOperationException: OVMAPI_4010E Attempt to send command: dispatch to server: whyovmprd02 failed. OVMAPI_4004E Server Failed Command: dispatch https://?uname?:[email protected]:8899/api/1 ovs_if_meta bond0.301 ethernet:0004fb00100a35f{why-be-301}:STORAGE, Status: org.apache.xmlrpc.XmlRpcException: exceptions.Exception:ovs_set_metadata: interface /sys/class/net/bond0.301 does not exists
    This appears to be from ovs_if_meta in /opt/ovs-agent-3.0/OVSVMNetConfig.py, which looks to be where the agent tries to write out the new roles for the network into the metadata file - it seems to be expecting the VLAN to exist already, and specifically checks in /sys to make sure that it is there.
    Should / could I add a step to my kickstart build to force the 301 VLAN to be created maybe? This would bring it into line with the other VLAN that is used for management, which is of course sitting there ready and waiting as soon as the server is built.

  • Replace source code with destination code

    Hi,
    How to replace a program in source system with the program in production system technically?
    Thanks in advance...

    hi,
    Using Version Management you can do that.
    Use menu path...
    Utilities->Version->Version Management.
    Check the latest request which exists in the Production system using the Remote Comparison button.
    After knowing the request number, select the request number in the source system and press retrieve.

  • Use of content rule vs source group for NATing

    To NAT outgoing flows out of two servers, is it necessary to define a content rule and source group (or is just a source group sufficient?).
    Having trouble with Option 2.
    Also does CSS do NAPT, i.e. alter the source port number for outgoing packets from source groups?
    Option 1:
    service svr1
      ip address 192.168.10.1
      no port
      protocol tcp
      active
    service svr2
      ip address 192.168.10.2
      no port
      protocol tcp
      active
    content outflows
      protocol tcp
      add service svr1
      add service svr2
      vip address <externalip>
      active
    group outgrp
      vip address <external ip>
      add service svr1
      add service svr2
      active
    <add appropriate acl>
    Option 2:
    service svr1
      ip address 192.168.10.1
      no port
      protocol tcp
      active
    service svr2
      ip address 192.168.10.2
      no port
      protocol tcp
      active
    group outgrp
      vip address <external ip>
      add service svr1
      add service svr2
      active
    <add appropriate acl>

    to nat connections initiated by the server, you only need a source group.
    No need for a content rule.
    The CSS will port nat.
    Gilles.

  • Source Groups & IP Logging

    Our server administrators would like to start logging connections to the web servers and tried to do so but keep seeing the IP addresses of the load balancers in their logs.
    We are using source groups on the CSSes since they are sitting behind a set of firewalls; and, we found that the servers would be blocked when removing the source groupings. I have attached a rough diagram of how we are configured.
    How do we transmit the remote clients' IP address to the web servers?

    We were able to successfully connect to the VIP from the Internet with the removal of source groups and pointing the servers to the CSS as the def gateway.
    We ran into an issue where the clients on the LAN would connect to the VIP and then get no response back. I believe this to be due to the fact we are crossing the firewall on a higher security interface and trying to come back over on a lower security interface. The source of the IP from the LAN is NATed to an address that is on the local network for the CSS, therefore the servers respond back directly to our NAT address instead of going to the CSS and back out, as in the case of the Internet connection.
    Keep in mind that we are one-arming this configuration and using a firewall sandwich, as indicated in the diagram. The firewalls have their higher security interfaces point back toward the LAN.
    Would I still need to bridge? Do you have an example I may look at to verify it would work? (We would like to be able to track IP addresses on the servers.)
