CSS11503 LOAD BALANCING

Hello all,
I just want to have your solution on the below issue we are facing with CSS11503.
The load balancer should detect whenever the service running on a server is down; the server will be suspended from the load-balancing mechanism and traffic should be forwarded only to the one active.
Please let me have your update.

I checked the connectivity to the servers from the CSS and it was good. I was able to ping, and the connection status in sh service summary incremented by 1 each time I tried to connect. From the server, I was able to ping back to the IP of the CSS and the VIP address as well. I have tried using only 1 server for 1 VIP. I have tried changing the default gateway on the server to the IP of the CSS and the VIP IP as well. It still doesn't seem to help. Any more suggestions for me to try?
Thanks
Mike

Similar Messages

  • CSS11503 load balancing virtual server IP's

    Hi CSS experts,
    We have a Cisco Content Services Switch 11503 Load Balancer which seems to require Real Server NICs to be plugged in. When I plug a cable from our Cisco 3560 switch into the Cisco Load Balancer, it can't see the 2 web server IPs that I'm trying to load balance for HTTP/HTTPS. The virtual IP does not display the webpage of either web server.
    On the other hand, when I use two physically separate 1U web servers and physically plug 2 cables (1 for each server) into the CSS 8 port switch, the virtual IP is able to redirect the traffic to both web servers.
    How do I configure the CSS to load balance and actually see 2 IPs on the network which aren't plugged in physically per server into the CSS 8 port switch?
    Internet->CSS->1 cable plugged into Cisco switch which host 2 web servers.
    Thanks,
    Mike
    Configuration:
    circuit VLAN1
    ip address 192.168.1.10 255.255.255.0
    service Websrv1
    ip address 192.168.1.104
    protocol tcp
    port 80
    keepalive type http non-persistent
    active
    service Websrv1SSL
    ip address 192.168.1.104
    protocol tcp
    port 443
    keepalive type ssl
    active
    service Websrv2
    ip address 192.168.1.101
    protocol tcp
    port 80
    keepalive type http non-persistent
    active
    service Websrv2SSL
    ip address 192.168.1.101
    protocol tcp
    port 443
    keepalive type ssl
    active
    owner Web
    content NG
    add service Websrv1
    add service Websrv2
    vip address 192.168.1.7
    port 80
    protocol tcp
    advanced-balance arrowpoint-cookie
    url "/*"
    active
    content NGSSL
    add service Websrv1SSL
    add service Websrv2SSL
    vip address 192.168.1.7
    port 443
    protocol tcp
    advanced-balance sticky-srcip
    sticky-inact-timeout 60
    active

    I checked the connectivity to the servers from the CSS and it was good. I was able to ping, and the connection status in sh service summary incremented by 1 each time I tried to connect. From the server, I was able to ping back to the IP of the CSS and the VIP address as well. I have tried using only 1 server for 1 VIP. I have tried changing the default gateway on the server to the IP of the CSS and the VIP IP as well. It still doesn't seem to help. Any more suggestions for me to try?
    Thanks
    Mike

  • Configuring 2 css11503s for multiple service load-balancing

    first here's my present config on one of my CSS11503:
    !************************** CIRCUIT **************************
    circuit VLAN33
    ip address 19.10.28.211 255.255.255.0
    ip virtual-router 2 priority 110 preempt
    ip redundant-vip 2 19.10.28.210
    ip critical-service 2 UpstreamRouter
    circuit VLAN200
    ip address 10.15.15.251 255.255.255.0
    ip virtual-router 1 priority 110 preempt
    ip redundant-interface 1 10.15.15.1
    ip critical-service 1 UpstreamRouter
    !************************** SERVICE **************************
    service BrowServ-1
    ip address 10.15.15.21
    redundant-index 1
    protocol tcp
    port 80
    active
    service BrowServ-2
    ip address 10.15.15.22
    redundant-index 2
    protocol tcp
    port 80
    active
    service UpstreamRouter
    ip address 19.10.28.1
    active
    !*************************** OWNER ***************************
    owner BrowServ_Owner
    content BrowServ_Rule
    add service BrowServ-1
    add service BrowServ-2
    vip address 19.10.28.210
    redundant-index 1
    active
    !*************************** GROUP ***************************
    group BrowServ_Group
    vip address 19.10.28.210
    add service BrowServ-1
    add service BrowServ-2
    redundant-index 1
    active
    here are my questions:
    1) how do I configure an additional vip address? e.g. I'd like to configure a vip - 19.10.28.215 to load-balance http traffic to 10.15.15.25 and 10.15.15.26?
    2) I presently have a static route in my core router "ip route 10.15.15.0 255.255.255.0 19.10.28.210". (this enables the load-balanced servers to connect to Oracle servers on the Core network). do I need to configure a new route on my core router when I add the additional vip 19.10.28.215?
    relevant references and/or examples will be much appreciated.
    dayo

    1/ configure the following :
    service web1
    ip address 10.15.15.25
    active
    service web2
    ip address 10.15.15.26
    active
    content WEB
    vip address 19.10.28.215
    proto tcp
    port 80
    add service web1
    add service web2
    active
    2/ I would create a redundant-interface and point your static route to this redundant IP address.
    You should not use a VIP address in a static route.
    A VIP address should only be used when you want to reach the VIP address, not when you want a direct connection to the real server.
    Gilles.

  • Load balancing problem with CSS11503

    Hello all,
    We have two web servers that are being load balanced with this configuration on two CSS11503 with IOS version 7.20 Build 206;
    content Web
    add service web1
    add service web2
    vip address 10.1.4.4
    protocol tcp
    port 80
    url "/*"
    advanced-balance sticky-srcip-dstport
    active
    When we try and access the web servers from client workstation using the URL on Internet explorer 6.0 and get authenticated through the login window; we get error 12031. Error 12031 means " ERROR_INTERNET_CONNECTION_RESET The connection with the server has been reset. "
    On refresh the error goes away.
    If we bypass the content switches by accessing any of the servers using server name; the error does not appear. The problem seems to be related to the load balancing.
    Any suggestions?

    The problem is probably due to the CSS sending an HTTP redirect with the RESET flag when you send multiple requests inside the same connection.
    To avoid the problem, do a 'no url' under your content rule.
    There is absolutely no need to specify the url since you do stickiness based on source IP address.
    Regards,
    Gilles.

  • Load Balancing of Chat connections on CSS11503

    I need to load balance between two servers namely " A " and " B " on TCP port 8057 for example with the help of CSS 11150. Let's assume I have a single user by name " Z " that wants to access the servers. " Z " hits the VIP of the Load Balancer to initiate a connection. I want the number of connections to be load balanced equally and at the same time the stickiness of the connection should be maintained. For example, when Z initiates the first connection, assuming his connection goes to server " A ", he should be connected to the same server until he disconnects the connection. And the second connection should go to server " B " and the connection should be maintained with the same until he disconnects. Please keep in mind that the user " Z " initiates a connection not via a browser but instead he uses a chat application to connect to the servers.
    What algorithm can we use on CSS for this type of load balancing?
    Are we able to load balance on the basis of src ip & port on CSS or ACE Appliance?
    Kindly help me out in resolving above issue.

    Any application that uses standard Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) protocols can also be load-balanced including firewalls, mail, news, chat, and lightweight directory access protocol (LDAP).
    What port are you using for this? Is this 8057?

  • Load balancing sftp servers on css11503

    I have an 11503 and I am trying to load balance sftp servers behind it. not sure why it's not working.
    here is the content rule:
    content test_sftp
    add service www1_sftp
    add service www2_sftp
    port 22
    protocol tcp
    balance aca
    advanced-balance sticky-srcip
    vip address 172.17.0.248
    active
    here are the service rules:
    service www1_sftp
    ip address 172.17.0.27
    protocol tcp
    keepalive port 22
    keepalive type tcp
    active
    service www2_sftp
    ip address 172.17.0.25
    protocol tcp
    keepalive port 22
    keepalive type tcp
    active
    couple of questions:
    1) do I need to set up a source group like I would have to for ftp? Does the return traffic from the servers need to be NAT'd back out as the VIP?
    2) the content rule and service rules are all set for port 22 only....is that enough ports open for the control and data channels? I think sftp uses port 22 for both.
    Any assistance would be greatly appreciated.
    Thanks!
    Sandeep

    You definitely need a group to nat the data-channel.
    But I'm not even sure that will make it work.
    You can give it a try so.
    Gilles.

  • CSS on multiple subnets and separate load balancing

    Hello,
    I've a situation where I need to load balance incoming clients on subnet A to 3 real servers on subnet B - no problems there.
    But I also need to load balance different clients on subnet C to 3 other servers on subnet D and clients on subnet E to 2 servers on subnet F.
    Basically I want to use the CSS for 3 different load balancing operations.
    Rather than using 3 separate CSS11503s can I do all this with multiple VLANs on the LAN switches and 1 CSS?
    Any help appreciated
    Regards Tony

    You can have as many VLANs as you want.
    So yes you can do what you want.
    Just be aware that the CSS can route as well between those VLANs, so if you need separation between them you may have to use ACL.
    Gilles.

  • Load Balancing across Multiple DMZ's

    Can you split one CSS11503 across two separate DMZs securely? I have a group of servers that are currently being load balanced in one DMZ. I now have a requirement to load balance another set of servers in another DMZ. Is it possible to split the CSS across two DMZs and still maintain a high level of security?

    You need a separate CSS for each interface of the firewall.
    If you use the same CSS for 2 DMZ, traffic inter DMZ will be routed by CSS and will bypass the firewall.
    Gilles.

  • Cisco CSS 11503 Arrowpoint/Load Balance question

    I am troubleshooting an issue with my 11503.  I am running version 07.40.0.04. I have it configured as follows:
      content upcadtoa-rule
        add service cadtoa-wls1-e0
        add service cadtoa-wls1-e1
        add service cadtoa-wls2-e0
        add service cadtoa-wls2-e1
        add service cadtoa-wls3-e0
        add service cadtoa-wls3-e1
        add service cadtoa-wls4-e0
        add service cadtoa-wls4-e1
        add service cadtoa-wls5-e0
        add service cadtoa-wls5-e1
        add service cadtoa-wls6-e0
        add service cadtoa-wls6-e1
        arrowpoint-cookie expiration 00:00:15:00
        protocol tcp
        port 8001
        advanced-balance arrowpoint-cookie
        redundant-index 2
        vip address 172.30.194.195 range 2
        arrowpoint-cookie name TOA
        active
    However, the load-balancing across the servers does not seem to be doing much balancing.  One of those servers is getting hit with 5 times as much traffic as another and another server is lucky to get a connection at all.  With the cookie expiration set, one would think that this would all balance out over time.
    I just came across this information from Cisco and I am wondering if it is relevant:
    If you configure a balance or advanced-balance method on a content rule that requires the TCP protocol for Layer 5 (L5) spoofing, you should configure a default URL string, such as url "/*". The addition of the URL string forces the content rule to become an L5 rule and ensures L5 load balancing or stickiness. If you do not configure a default URL string, unexpected results can occur.
    In the following configuration example, if you configure a Layer 3 (L3) content rule with an L5 balance method, the CSS performs L5 load balancing, but will reject UDP packets.
    content testing
    vip address 192.168.128.131
    add service s1
    balance url
    active
    The balance url method is an L5 load-balancing method in which the CSS must spoof the connection and examine the HTTP GET content request to perform load balancing. The CSS rejects the UDP packet sent to this rule because a UDP connection cannot be L5. Though the CSS allows this rule configuration, its expected behavior would be more clear if you promote the rule to L5 by configuring the url "/*" command.
    In the next example, if you configure an L3 content rule with an L5 advanced-balance method, L5 stickiness will not work as expected.
    content testing
    vip address 192.168.128.131
    add service s1
    advanced-balance arrowpoint-cookie
    active
    The advanced-balance arrowpoint-cookie method causes the CSS to spoof the connection, however, the CSS still marks it as an L3 rule. Thus, the CSS does not insert the generated cookie and the rule defaults to L3 stickiness (sticky-srcip). You must configure a URL like url "/*" to promote this rule to L5, ensuring that L5 stickiness works as expected.
    Thanks in advance for any help you can give.  The thing is not down, it is just balancing strangely causing application performance issues.
    James

    Hey James,
    You will need to suspend the content rule in order to add the url statement.  This will cause a quick downtime until the content rule is activated again.  I have shown below the commands to add the statement.  Perhaps you can create your commands in a Notepad file, then paste them all in so they execute quickly to minimize your downtime:
      content MY-SITE
        vip address 10.201.130.140
        port 80
        protocol tcp
        add service MY-SERVER
        active
    CSS11503# config t
    CSS11503(config)# owner TEST
    CSS11503(config-owner[TEST])# content MY-SITE
    CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
    %% Attribute may not be modified on active rule
    CSS11503(config-owner-content[TEST-MY-SITE])# suspend
    CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
    CSS11503(config-owner-content[TEST-MY-SITE])# active
    CSS11503(config-owner-content[TEST-MY-SITE])# exit
    CSS11503(config-owner[TEST])# exit
    CSS11503(config)# exit
    CSS11503# show run
      content MY-SITE
        vip address 10.201.130.140
        add service MY-SERVER
        port 80
        protocol tcp
       url "/*"       <--------
        active
    Hope this helps,
    Sean
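
The Cisco text quoted in this thread says that a content rule with an L5 method and no `url` statement is still treated as an L3 rule. As an added example (not from any poster or from Cisco), this Python sketch scans a pasted running-config for that condition and for `add service` lines that name a service the config never defines; the block keywords, finding labels and sample config are assumptions constructed for illustration.

```python
import re

# L5 methods named in the Cisco text quoted above (assumption: a real CSS has more).
L5_METHODS = {("balance", "url"), ("advanced-balance", "arrowpoint-cookie")}
# Keywords assumed to open a new block in a pasted running-config.
BLOCK_START = re.compile(r"^(service|owner|content|group|circuit)\s+(\S+)")


def parse_config(text):
    """Return (set of defined service names, list of content-rule dicts)."""
    services, rules, current = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or '!****' banner
        m = BLOCK_START.match(line)
        if m:
            kind, name = m.groups()
            current = None  # any new block closes the open content rule
            if kind == "service":
                services.add(name)
            elif kind == "content":
                current = {"name": name, "lines": []}
                rules.append(current)
            continue
        if current is not None:
            current["lines"].append(line.split())
    return services, rules


def audit(text):
    """Return (rule, finding, detail) tuples for the two checks."""
    services, rules = parse_config(text)
    findings = []
    for rule in rules:
        words = rule["lines"]
        # 'url "/*"' is what promotes the rule to L5; 'balance url' does not count.
        has_url = any(w[0] == "url" for w in words)
        for w in words:
            if tuple(w[:2]) in L5_METHODS and not has_url:
                findings.append((rule["name"], "l5-method-without-url", " ".join(w[:2])))
            if w[:2] == ["add", "service"] and len(w) == 3 and w[2] not in services:
                findings.append((rule["name"], "undefined-service", w[2]))
    return findings


# Constructed sample config, not taken from any device.
SAMPLE = """
service s1
  ip address 192.168.128.11
  active
service web1
  ip address 192.168.128.12
  active
owner demo
  content cookie-l3
    vip address 192.168.128.131
    add service s1
    advanced-balance arrowpoint-cookie
    active
  content cookie-l5
    vip address 192.168.128.132
    add service s1
    advanced-balance arrowpoint-cookie
    url "/*"
    active
  content web
    vip address 192.168.128.133
    add service web1
    add service web2
    advanced-balance sticky-srcip
    active
"""

if __name__ == "__main__":
    for rule, finding, detail in audit(SAMPLE):
        print(f"{rule}: {finding} ({detail})")
```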

  • Error while selecting Load Balancing in JCO creation

    While creating JCO I am facing this error. It is working fine with a single server connection, but when I choose load balancing an error comes out. Please tell me the solution.
    I have read in a couple of forums that you need to start both Portal and ECC.
    For your information, my Portal and Java are both on different boxes.
    com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to message server host failed Connect_PM  TYPE=B MSHOST=olameccpdvr GROUP=PUBLIC R3NAME=DVR MSSERV=sapmsDVR PCS=1 LOCATION    CPIC (TCP/IP) on local host with Unicode ERROR       service 'sapmsDVR' unknown TIME        Thu Feb 24 12:19:54 201 RELEASE     701 COMPONENT   NI (network interface) VERSION     38 RC          -3 MODULE      nixxhsl.cpp LINE        776 DETAIL      NiHsLGetServNo: service name cached as unknown COUNTER     5

    Is your backend system configured correctly in your SLD ?
    Go to transaction SMMS on the backend system that you are connecting to. Click on Goto=>Parameters=>Display. Look for "server port" value.
    This should give you the TCP/IP port for your message server. It could be 3600 or 3601 (36NN - where NN is the instance number).
    In your services file, if you made the entry at the end of the file, press Enter (Return) after your entry.
    Try restarting your server after making the above changes.
    - Shanti

  • Error in creation of JCO with Load balancing server

    Hi,
    We are using an ABAP user base for our WEBAS server 6.40 (with ABAP+JAVA). I have created a Public group in the concerned ECC 5.0 system. I have already configured SLD, and then I maintained the data supplier bridge in SLD and ran RZ70 in the ECC 5.0 system to load system information. I can see details in SLD.
    Now I am trying to create JCO connections. Here I am unable to create JCO with the load balancing option. I get
    com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to message server host failed Connect_PM  TYPE=B MSHOST=<servername> GROUP=PUBLIC R3NAME=SID MSSERV=sapms<SID> PCS=1 ERROR       service 'sapms<SID>' unknown TIME        Fri Jun 16 12:41:20 2006 RELEASE     640 COMPONENT   NI (network interface) VERSION     37 RC          -3 MODULE      ninti.c LINE        505 DETAIL      NiPGetServByName2: service 'sapms<SID>' not found SYSTEM CALL getservbyname_r COUNTER     1
    I am able to create single server JCO, but it fails in load balancing. Is there anything I have missed out in settings?
    Thanks and regards,
    Sudhir

    Thanks, Bogdan Rokosa
    I have the same problem,and solved it following the steps provided by Bogdan Rokosa  :
    you must insert an entry for your R3 system
    (like: sapms<SID> 3600/tcp)
    in services file
    (C:\WINDOWS\system32\drivers\etc\services) on Java WAS.
    I tested the JCo successfully without restarting the J2EE Engine.

  • ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

    Hello guys
    Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest user at the moment. I've got 2 points I would like to get some guidance on:
    Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
    I intend to use the DHCP probe as part of device profiling and would ideally like to have just an additional ip helper to add to our switch SVI config. Also, it would appear that WLCs can only be configured for 2 DHCP servers for a given network, so that is another consideration for when we bring our WLAN in scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
    Thanks in advance
    Sayre

    Hello Sayre-
    For Question #1:
    Management is restricted to GigabitEthernet 0 and that cannot be changed, so you should be good there.
    You can configure Radius and Profiling to be enabled on other interfaces.
    Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network.
    Take a look at this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
    For Question #2
    If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 
    The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
    –Option 12—HostName of the client
    –Option 60—The Vendor Class Identifier
    After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
    Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC.
    On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years ago (there are more recent ones that are available as well):
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    I hope this helps!
    Thank you for rating helpful posts!

  • SAP GLM Print Request - Load Balancing of WWI server

    Hi GLM Experts,
    I am using new GLM + module that generates labels based on Print Requests. I am unable to understand how I can load balance the WWI services when there are multiple label printing requests.
    In GLM + we associate a WWI to a Print Station, which can then be associated with a printer. So in the configuration we are tying a printer to a WWI.
    Also during label printing, if the scenario uses the print request module, then the user needs to select a print station and printer. What happens if the WWI related to the print station is down?
    For example I have two services in WWI server GENPC1 and GENPC2. I created WWII and WWI2 as two print stations. I will associate my printer PRNWWI to both the print stations WWI1 and WWI2.
    During label printing if the user picks WWI1 and Printer PDNWWI and if the GENPC1 WWI server associated with print status WWI1 is busy and down I want WWI GENPC2 to generate the label?
    How to setup the above load balancing or fall back? Please let me know.
    Thanks
    Pugal

    Dear Pugal
    We are not using GLM + and I am not sure about the technique used there to handle load balancing. Regarding general WWI setup I assume you know this Note: EH&S: Availability and performance of WWI and Expert servers
    On the top there is a further SAP Note available which might be of interest. This is referenced here:
    http://de.scribd.com/doc/191576739/011000358700000861002013-e
    Maybe check OSS note: 1958655; OSS Note 1155294 is more related to normal WWI stuff; but maybe check it as well. Maybe 1934253 might help better.
    Maybe this might help.
    C.B.
    PS: maybe check as well: consolut - EHS_MD_140_01 - EH&S-Management-Server einrichten
    The load balancing of synchronous WWI servers is done in the "RFC" layer, therefore you have no influence here; for asynchronous WWI servers you can do a lot to manage the WWI load balancing by using "exits" etc.

  • APEX SSO and Load balancing: Could not determine workspace for application

    We had a single HTTP Server serving APEX in a 10.2.0.2 database configured with SSO to be used by the developers. APEX has been registered as a partner application and the login url has been CA Siteminder protected so that the SM_USER details are forwarded in the header for the application to use for authorization. Everything is fine so far.
    Now we have added a HTTP Server on another host and have it all set up for APEX and its pointing to the same database. APEX_ADMIN access works as normal, but applications previously using SSO now get the following error after entering the URL.
    Expecting p_company or wwv_flow_company cookie to contain security group id of application owner.
    Error ERR-7620 Could not determine workspace for application ().
    Using HTTP Watch I find that the application is not even trying to redirect to the login page.
    What is wrong here?

    APEX has been registered as a partner application as described in
    http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
    In the meantime I found metalink document 368746.1 which describes the cause of this problem. Please read carefully what I wrote: it all works when the new APEX web server is turned off in the server farm on the load balancer and directed through the original web server. When running regapp.sql the hostname in the listener token was using the virtual hostname. This works fine if the request comes from the original APEX server, which proves that there is nothing wrong with the installation and set up of SSO. When directing the request to the new APEX web server the APEX_ADMIN page still works; only existing work spaces using SSO don't seem to work anymore, resulting in an error as described in the subject.
    As for metalink document 368746.1 naming the causes of this error:
    - there are no duplicate entries in WWSEC_ENABLER_CONFIG_INFO$
    -LISTENER_TOKEN clearly works for requests coming from the first web server
    -theoretically the web server listener port could be changed from 7777, but port 80 needs to be maintained here as production is mimicked as far down as possible.
    Is there some cache table which can be cleared? How is it that the flows schema (apex engine) cannot find the work space when the request comes from a new web server which can however access the APEX_ADMIN pages?
    Anyone?

  • SSO with SAP R/3 with load balancing as backend over the Web AS

    Hi,
    we have Netweaver 2004 at this time and we have to connect the portal to a BSP application in a load balancing environment.
    We set user mapping for the user and set the connection type from SAPLOGONTICKET to UIDPW. This is running for a test environment with only one R/3 system without load balancing.
    Does anyone know the setting parameters for a load balancing environment (ok, the message server and...?).
    Thank you.
    Best regards
    Patrizia

    Hi all,
    Ran into the same problem. Setting up a mapping with UIDPW in a non load balanced WEB-AS environment for BSP or Webdynpro for ABAP works fine. But if I go to set it up in a balanced system I can see the following behavior. The HTTP request is sent to the messageserver. This request enclosed my mapped user and password. The messageserver responds with an HTTP 301 which contains one of my applicationservers, so far so good. The client sends a new request to the mentioned applicationserver but this time without the UIDPW. So the user will not be logged in.
    I was wondering if my backend has to issue a logon ticket too, because today it only accepts tickets from the portal.
    Is this a bug or a feature?
    Regards,
    Bernd
