Denial of Service Feature on CSS 11501

New to the CSS world, just wondering if the DoS feature on 7.30 is just a counter or if it will actually shut down services?
Can this feature be disabled?
Thanks...

This feature is not configurable and can't be disabled.
It is also not just a counter.
Each time the counter increases by 1, a reset is being sent to source and destination.
Gilles.

Similar Messages

  • Defeat denial of service attacks: New feature in WLS 5.1 SP9

    Hi all,
    SP 9 for WLS 5.1 provides 2 new properties to prevent denial of service attacks
    (ISSUE 31269).
    The properties are weblogic.httpd.maxPostSize and weblogic.httpd.maxPostTimeSecs.
    However I miss more detailed information about the use of the properties, for
    example: Are there default values
    which are used when I don't set the properties? Is there a general recommendation
    for values to which the properties could be set?
    What is the unit for the properties (bytes or kbytes for maxPostSize)?
    Has anybody used the new feature already?
    Thanks in advance
    Dieter

    in WLS 6.0 I believe the default is -1, which means infinite post size and
    secs. I don't think there's any recommended values for these. It all depends
    on how large your post size may be.
    "Dieter Arnold" <[email protected]> wrote in message
    news:3afa4fcb$[email protected]..
    > Hi all,
    > SP 9 for WLS 5.1 provides 2 new properties to prevent denial
    > of service attacks (ISSUE 31269). The properties are
    > weblogic.httpd.maxPostSize and
    > weblogic.httpd.maxPostTimeSecs.
    > However I miss more detailed information about the use of the
    > properties, for example: Are there default values which are
    > used when I don't set the properties? Is there a general
    > recommendation for values to which the properties could be
    > set? What is the unit for the properties (bytes or kbytes for
    > maxPostSize)?
    > Has anybody used the new feature already?
    > Thanks in advance
    > Dieter

  • Denial of Service Vulnerability

    Jdeveloper 11.1.1.4
    We had a security audit on our ADF application and one of the vulnerabilities found was an XML recursive Entity Expansion vulnerability from the login button, AKA the Billion Laughs DoS attack.
    The parser used is
    weblogic.xml.jaxp.RegistryDocumentBuilder
    The WebLogic JVM is configured with these parameters:
    org.xml.sax.driver=weblogic.xml.jaxp.RegistryXMLReader
    org.xml.sax.parser=weblogic.xml.jaxp.RegistryParser
    Is there a weblogic configuration parameter that can be set to limit entity expansion?
    weblogic.xml.jaxp.RegistryDocumentBuilder parse method is called from DefaultMarshalingService
    which expands this DOCTYPE entity to 300,000 characters:
    <!DOCTYPE foo [<!ENTITY lol "lol"><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">]><m xmlns="http://oracle.com/richClient/comm"><k v="type"><s>&lol5;</s></k></m>
    Details of the vulnerability
    1 Unrestricted XML Entity Expansion
    CVSS: 7.1
    Risk: High
    The XML parser used by the application to process input fields allows user-supplied
    document type declarations (DTDs). Consequently, an attacker can abuse this feature
    to cause a denial of service condition on the web server through the use of XML entity
    expansion attacks.
    An example modified request with the exploit inserted in red.
    The following screenshot demonstrates that the above login request takes
    approximately 20 times longer to process than a normal login request. With
    additional entity expansions, an attacker could bring down the web server
    completely.
    Best Practice
    Configure the XML parser to not process DTDs in the <!DOCTYPE> declaration. In addition, URI
    resolution should be disabled to prevent against external entity attacks and denial of service
    conditions caused by hanged requests.
    This issue appears to be a vulnerability in Oracle’s Application Development Framework (ADF). If
    that is the case, consider using a web application firewall to block malicious requests until Oracle
    issues a patch.

    Don, I'm not sure that there is a parameter to do this. However you can do it in Java like outlined here https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing or https://gist.github.com/Prandium/dee14ea650ff7900f2c0
    One other way is to implement a servlet filter which scans all parameters and rejects all XXE-type parameters.
    Timo
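    As an added illustration of the two defences discussed in this thread (the audit's "do not process DTDs" best practice and Timo's servlet-filter idea), here is a Python version; it is not WebLogic's, ADF's or the thread's code, and MAX_EXPANSION is an assumed policy value. It also estimates the expansion an internal DTD would produce without expanding it, which reproduces the 300,000 characters the audit reports for the lol5 entity.

```python
"""Screening form parameters for XML entity-expansion ("billion laughs")
payloads before they reach a DTD-processing parser. Added example; it is
not WebLogic's or ADF's code. MAX_EXPANSION is an assumed policy value."""
import re
import xml.parsers.expat
from urllib.parse import unquote_plus

# Internal-subset entity declarations such as <!ENTITY lol1 "&lol;&lol;">
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

# Largest fully expanded entity tolerated when DTDs must be allowed at all
# (assumed value; pick one that fits the documents you legitimately accept).
MAX_EXPANSION = 10_000


def expansion_sizes(doc: str) -> dict:
    """Return {entity name: expanded character count} for every internal
    entity in doc, computed from the declarations without expanding anything.
    Entities that reach themselves are reported as float('inf')."""
    defs = dict(ENTITY_DECL.findall(doc))
    sizes = {}
    visiting = set()

    def size_of(name):
        if name in sizes:
            return sizes[name]
        if name in visiting:            # recursive entity: never terminates
            return float("inf")
        visiting.add(name)
        value = defs[name]
        # literal text, plus the expanded size of each reference it contains
        total = len(ENTITY_REF.sub("", value))
        for ref in ENTITY_REF.findall(value):
            # predefined/undeclared references (&amp; etc.) are counted as written
            total += size_of(ref) if ref in defs else len(ref) + 2
        visiting.discard(name)
        sizes[name] = total
        return total

    for name in defs:
        size_of(name)
    return sizes


def screen_parameter(raw_value: str, allow_dtd: bool = False) -> tuple:
    """Servlet-filter style check for one form parameter. The value is
    form-decoded first ('+' and %xx), as in the audit's modified request.
    Returns (accepted, reason)."""
    value = unquote_plus(raw_value)
    if "<!DOCTYPE" not in value.upper():
        return True, "no DTD present"
    if not allow_dtd:
        return False, "DOCTYPE declarations are rejected"
    worst = max(expansion_sizes(value).values(), default=0)
    if worst > MAX_EXPANSION:
        return False, "entity expansion of %s characters exceeds %d" % (worst, MAX_EXPANSION)
    return True, "DTD within expansion budget"


def parse_without_dtd(xml_text: str) -> tuple:
    """Parser-side equivalent of 'do not process DTDs': expat aborts on the
    DOCTYPE itself, before any entity is declared or expanded.
    Returns (ok, root element name or error text)."""
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE '%s' rejected" % name)

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(xml_text, True)
    except (ValueError, xml.parsers.expat.ExpatError) as exc:
        return False, str(exc)
    return True, root[0] if root else ""


# The DOCTYPE from the audit report above (five levels of ten references each).
LOL_PAYLOAD = ('<!DOCTYPE foo [<!ENTITY lol "lol">'
               '<!ENTITY lol1 "' + "&lol;" * 10 + '">'
               '<!ENTITY lol2 "' + "&lol1;" * 10 + '">'
               '<!ENTITY lol3 "' + "&lol2;" * 10 + '">'
               '<!ENTITY lol4 "' + "&lol3;" * 10 + '">'
               '<!ENTITY lol5 "' + "&lol4;" * 10 + '">]>'
               '<m xmlns="http://oracle.com/richClient/comm"><k v="type"><s>&lol5;</s></k></m>')

if __name__ == "__main__":
    print(expansion_sizes(LOL_PAYLOAD)["lol5"])      # 300000, as the audit states
    print(screen_parameter(LOL_PAYLOAD))
    print(screen_parameter(LOL_PAYLOAD, allow_dtd=True))
    print(parse_without_dtd(LOL_PAYLOAD))
```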

  • NAT and Servers behind CSS 11501

    All,
    Please forgive my asking this question again. I was injured shortly after asking the last time and out of work for a long period of time.
    My problem stems from needing to allow my web servers to initiate traffic to the outside world from behind our CSS boxes.
    The web servers sit behind a pair of CSS 11501 content switches in Active-Passive ASR with fate sharing. We are only interested at this time with load balancing HTTP and HTTPS.
    Everything works inbound no problem.
    What I need to do is setup some type of NAT for my 3 web servers to initiate HTTP/HTTPS for patches, send SMTP from the web apps, and initiate HTTPS for credit card validation.
    I have setup NAT on PIX units and routers no problem, but I seem to be unable to do it on these boxes. :(
    In reality something as simple as a PAT translation on the outside of the CSS boxes should be sufficient.
    Is this possible with our setup? Does anyone have some code examples?
    Thanks in advance.
    Addresses changed to protect the innocent:
    Load Balancer 1:
    !*************************** GLOBAL ***************************
    bridge spanning-tree disabled
    sntp server 1.1.1.41 version 1
    snmp community noway read-only
    snmp community noway read-write
    app session 1.1.1.252
    app
    logging subsystem netman level info-6
    dns primary 2.2.2.41
    dns secondary 2.2.2.42
    ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    description "Connect to Primary DMZ 1 3550 Switch"
    interface e2
    bridge vlan 2
    phy 100Mbits-FD
    description "Connected to Primary LB Server Switch"
    interface e8
    description "Inter Switch Communication (ISC) Port"
    isc-port-one
    !************************** CIRCUIT **************************
    circuit VLAN1
    description "DMZ 1 Subnet (1.1.1.x/24)"
    ip address 1.1.1.251 255.255.255.0
    ip virtual-router 1 priority 254 preempt
    ip redundant-interface 1 1.1.1.250
    ip redundant-vip 1 1.1.1.161
    ip redundant-vip 1 1.1.1.162
    ip redundant-vip 1 1.1.1.70
    ip redundant-vip 1 1.1.1.71
    ip redundant-vip 1 1.1.1.72
    ip critical-service 1 upstream_downstream
    circuit VLAN2
    description "Load Balanced Servers Subnet"
    ip address 2.2.2.2 255.255.255.0
    ip virtual-router 2 priority 254 preempt
    ip redundant-interface 2 2.2.2.1
    ip critical-service 2 upstream_downstream
    Various Services, Owners and Content
    Load Balancer 2:
    !*************************** GLOBAL ***************************
    bridge spanning-tree disabled
    sntp server 1.1.1.41 version 1
    snmp community noway read-only
    snmp community noway read-write
    app session 1.1.1.251
    app
    logging subsystem netman level info-6
    dns primary 2.2.2.41
    dns secondary 2.2.2.42
    ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    description "Connect to Secondary DMZ 1 3550 Switch"
    interface e2
    bridge vlan 2
    phy 100Mbits-FD
    description "Connected to Secondary LB Server Switch"
    interface e8
    description "Inter Switch Communication (ISC) Port"
    isc-port-one
    !************************** CIRCUIT **************************
    circuit VLAN1
    description "DMZ 1 Subnet (1.1.1.x/24)"
    ip address 1.1.1.252 255.255.255.0
    ip virtual-router 1
    ip redundant-interface 1 1.1.1.250
    ip redundant-vip 1 1.1.1.161
    ip redundant-vip 1 1.1.1.162
    ip redundant-vip 1 1.1.1.70
    ip redundant-vip 1 1.1.1.71
    ip redundant-vip 1 1.1.1.72
    ip critical-service 1 upstream_downstream
    circuit VLAN2
    description "Load Balanced Servers Subnet"
    ip address 2.2.2.3 255.255.255.0
    ip virtual-router 2
    ip redundant-interface 2 2.2.2.1
    ip critical-service 2 upstream_downstream
    Various Services, Owners and Content.

    Gilles,
    I added the following commands, and things seem to be working.
    To circuit VLAN1
    ip redundant-vip 1 1.1.1.80
    !*************************** GROUP ***************************
    group natout
    vip address 1.1.1.80
    add service nat_web_servers
    active
    service nat_web_servers
    ip address 192.168.1.10 range 3
    active
    I do have a question about the above service commands.
    I have 3 servers behind the CSS. Let's call them 192.168.1.10, 192.168.1.11 and 192.168.1.12. Am I correct in my thinking that adding range 3 then allows a match on all 3 of those servers and the CSS will then PAT these servers from the VIP address assigned to the group?
    Otherwise, I think you have resolved this problem for us. Thank you.

  • CSS 11501 Load Balancing with X-forwarded-for

    Hi,
    We have a pair of CSS 11501,
    Currently it is using source IP for load balancing and 5 servers as backend; however, we have users logging in using HTTP and, based on its source IP (ISP PROXY), it is forwarded to SERVER A.
    However, we have an SSL page and when the client switches over to SSL, it is forwarded to SERVER B/C/D/E based on its source IP (REAL CLIENT IP).
    This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
    Is there any way that we can use the X-Forwarded-For address to load balance so that when users log in, they are sent to SERVER A (based on the X-Forwarded-For header IP, which translates to the REAL CLIENT IP)?
    This way we are able to also send it back to the same server when it uses SSL.
    I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP
    Regards

    Hi,
    Unfortunately CSS does not support X-Forwarded-For, and even if CSS supported that, this won't work if you are not using SSL termination.
    One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
    In summary, you will have an SSL content rule that will decrypt the traffic, and this one will use the same content rule that already exist for HTTP, in case that the server is the one doing the redirect to SSL, but this is something that requires testing since depending on the redirect behavior we might have a redirect loop, but without details it is kind of hard to confirm that you will face this with this option.
    Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
      content HTTP-HTTPS
        vip address 10.198.44.70
        advanced-balance sticky-srcip
        add service server1
        add service server2
        add service server3
        add service server4
        add service server5
        protocol tcp
        active
    Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
    Thanks,
    Rodrigo

  • CSS 11501 Load Balancing Issue

    Hi,
    We are facing some issue in load balancing in Cisco CSS 11501 as we are not able to access the application through the virtual IP. Below is the running configuration of the CSS:
    CSS11501# sh running-config
    !Generated on 10/06/2010 16:51:34
    !Active version: sg0810106
    configure
    !*************************** GLOBAL ***************************
      ip route 0.0.0.0 0.0.0.0 132.186.199.1 1
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 132.186.199.145 255.255.255.0
    !************************** SERVICE **************************
    service Server1
      ip address 132.186.199.243
      port 5001
      protocol tcp
      keepalive port 5001
      active
    service Server2
      ip address 132.186.199.246
      protocol tcp
      port 5001
      keepalive port 5001
      active
    !*************************** OWNER ***************************
    owner L5_Owner
      content L3_Rule
        vip address 132.186.199.146
        protocol tcp
        port 5001
        add service Server1
        add service Server2
        active
      content L5_Rule
        vip address 132.186.199.146
        add service Server1
        add service Server2
        protocol tcp
        port 5001
        url "//132.186.199.146:5001/emi"
        active
    CSS11501#
    Observation: We are able to telnet to VIP 132.186.199.146 on port 5001, but not able to access the application.
    In the actual scenario the customer accesses the application by accessing URL: http://132.186.199.243:5001/emi and once he enters this URL in the web browser the request redirects (by the server itself) to URL: https://132.186.199.44:6002/cas/login?service=http%3A%2F%2F132.186.199.243%3A5001%2Femi%2Findex.jsp&acceptStrength=BASIC on the backend server for user authentication, and once the user is authenticated it again redirects to the main URL (http://132.186.199.243:5001/emi) to access the application. But when we are trying to access the application through the VIP (URL: http://132.186.199.146:5001/emi) we are not getting the login page as the request is not getting redirected to the backend server for user authentication.
    Please suggest a solution here.

    The problem is that you are in one-armed mode.
    So you need to configure client nat.
    Without nating the client ip address, the server response goes back directly to the client and bypasses the CSS.
    Therefore the client receives a response from an unknown server ip address (not the vip).
    So configure a group.
    For example
    group Client
        vip address 132.186.199.146
        add destination service Server1
        add destination service Server2
        active
    Also, remove the url command from your content rule.
    It is useless in your case and will just make performance worse.
    Gilles.

  • CSS 11501 - Network reconnection issue

    Using a CSS 11501 switch to configure both Load balancing and server hot standby between two servers (of same config). Clients are connecting to the server using tcp/ip sessions.
    The configuration used is shown below:
    =========================================
    configure
    ip route 0.0.0.0 0.0.0.0 10.167.50.1 1
    !************************* INTERFACE
    interface e2
    bridge vlan 9
    interface e3
    bridge vlan 9
    !************************** CIRCUIT
    circuit VLAN1
    ip address 10.167.50.108 255.255.254.0
    circuit VLAN9
    ip address 10.167.70.1 255.255.254.0
    !************************** SERVICE
    service abc_service1
    ip address 10.167.70.2
    protocol tcp
    port 6300
    keepalive type tcp
    active
    service abc_service2
    ip address 10.167.70.3
    protocol tcp
    port 6300
    keepalive type tcp
    active
    !*************************** OWNER
    owner xxxxx
    content abc_crule
    vip address 10.167.50.109
    add service abc_service1
    add service abc_service2
    protocol tcp
    port 6300
    balance aca
    active
    ===============================
    We conducted three tests to verify the hot standby while the client was sending data to the server app through TCP/IP.
    1) Brought down the service on one server 2) Restarted the OS (Windows 2003) on one server 3) Removed a network cable of one of the servers connecting to the CSS.
    The client app lost the connection to the service/server, but when it tried reconnecting to the alternate server, it was successful.
    CSS status reflected the actual status of the service/server.
    But in the third test (removing the network connection) the service state changed from "Alive" to "Down" and the client app lost the connection to the server. The client app tried reconnecting and it was successful connecting to the alternate server.
    But when we connected the network cable back, the CSS state continued to be "Down". Also, the network connection between the CSS and the server was not available after reconnection. Also, the status of the alternate server changed to "Down", but the client app was still successfully transmitting to the alternate server. After stopping the client app and trying to reconnect,
    the connection was not going through.
    The connection could be established between CSS and server boxes only after restarting the OS(running windows 2003).
    Issues:
    1. Service status in CSS continued to be down even after reconnecting the cable with the service running.
    2. CSS status of the first service also went down after reconnecting the other server.
    3. Client app could not reconnect to any of the servers.
    Are we missing any configuration parameter in CSS which will address the above?
    regards
    Param

    Param,
    what software version for the CSS ?
    Did you see an ARP entry on the server for the CSS ?
    Did you see an ARP entry on the CSS for the server ?
    Is the server directly connected to the CSS or is there an L2 switch in between?
    Could you configure 'bridge spanning-tree disabled' on the CSS and see if this improves the situation.
    Regards,
    Gilles.

  • Cisco CSS 11501 - High-Availability

    We have a single CSS 11501 and were thinking about just buying a new one and putting it online as the standby with stateful (hopefully) failover, but weren't sure that this would work.
    Does anyone know what is needed to create a high-availability Cisco CSS 11501 environment?
    Do you only need 2 CSS 11501 and then configure them with one being active and the other being in a standby mode, like a PIX?
    Is there a HA Cable that would need to be connected between the 2 CSS's?
    Thanks in advance.
    Joe

    Daniel,
    There is a new stateful failover mechanism for the Cisco CSS 11500.
    This description is a bit "salesy" I know, but it covers the question asked :-)
    The Cisco CSS 11500 delivers ASR—the industry's first stateful Layer 5 session redundancy feature that enables failover of important flows while maximizing performance. Some flows—such as a long-lived File Transfer Protocol (FTP) or a database session—may be mission critical, but many are not. Most solutions on the market today require all traffic—important or not—to be backed up from one box to another. If the majority of flows are not critical, then most of system performance is wasted on unnecessary backups. With ASR, the Cisco CSS 11500 may be configured so critical flows are marked as replication worthy, whereas others do not need to be so marked. ASR focuses traffic management resources precisely where needed.
    Better yet, have a look at the following link focusing on the section on Stateless Redundancy.
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_510/advcfggd/redndncy.htm
    Regards
    Pete..

  • CSS 11501 DNS

    Do I need a live internet/DNS environment to test this switch? I have bridged vlan2 to e1. My VIP is set to X.X.X.47 and I have two services set to X.X.X.45 and .46. They both say active. The e1 port is up but my vlan2 is down. I am assuming that the circuit is my problem.
    When you define a VLAN IP address, the manual says that this is the IP address that the CSS will receive traffic from, so that would be the virtual IP .47 that links to either .45 or .46, right?
    Am I supposed to configure 1 web server IP per port on the CSS switch? I currently connect the 2 web servers to an 8-port 10/100 switch and I have a straight ethernet cable from that 10/100 switch to port 1 (e1) on the CSS switch.
    Are all my port numbers supposed to be configured to 80 since they are being used for HTTP? Am I to use the HTTP keepalive function as well?
    I guess any additional info would be great. I guess this isn't a click, click, and go switch like someone said.

    Ok. Thanks for the tip on the examples. I have tried to follow them as much as possible and have made progress, but I am still having problems with a few things that I can't seem to find answers for.
    CSS 11501 = IP 10.0.0.49 Subnet 255.255.255.0 Gateway 10.0.0.1
    Srv01 = IP 10.1.0.45 Subnet 255.255.255.0 Gateway NONE
    Srv02 = IP 10.1.0.46 Subnet 255.255.255.0 Gateway NONE
    Dell 2708 = IP 10.0.0.13 subnet 255.255.255.0 Gateway 10.0.0.1
    Client = IP 10.0.0.113 subnet 255.255.255.0 Gateway 10.0.0.1
    I have Srv01 and Srv02 plugged into the CSS 11501 with IP address listed above. They reside in e7 and e8.
    I have a cable from e1 to the dell 2708.
    I have a laptop with a cable to the dell 2708.
    I have configured a vlan (VLAN10) which includes ports e7 and e8 with an IP interface of 10.1.0.1. Status is active (GREEN)
    I have configured two services with Srv01 and Srv02 and the status of both are active (Green)
    I have created a content rule which includes both srv01 and srv02 with a VIP of 10.1.0.25. Status is active (green)
    So I go to one of the web servers that is plugged into e7 or e8 and I can ping 10.1.0.25 successfully on both boxes. But I can only ping each server's IP address on its own box. In other words I can't ping cross server. When I try to access 10.1.0.25 from the servers the page doesn't come up. I know the VIP works because I can ping it.
    I have also configured a VLAN (VLAN5) for e1 which goes to the dell 2708 with an IP of 10.0.0.48. But the status is down.
    I am doing something wrong and can't seem to figure it out. any suggestions? I can diagram a picture in visio if you need a visual aid. I might consider Cisco University after all this.

  • CSS 11501: NAT all ports?

    Hi, I have just a little experience with a CSS 11501, so this may be a dumb question.
    I created a service and content rule for a FTP server behind the CSS.
    This works fine, the public address is translated to the private address etc.
    But what I really would like is to NAT ALL requests for this public address to the private address, so not just FTP but also Remote Desktop (port 3389) etc.
    How can I accomplish this?

    Be careful that FTP uses data connections.
    By specifying the protocol and port you helped the CSS understand it was FTP traffic and therefore monitor the control session to find data sessions and do NAT accordingly.
    So, instead of removing protocol and port, I would recommend creating a 2nd content rule with the same vip and the same service but no protocol or port.
    The first rule will handle ftp.
    The 2nd rule will handle the rest.
    Regards,
    Gilles.

  • Cisco CSS 11501 Capacity Planning

    We have a pair of CSS 11501 units which currently have one VIP in front of two servers. Hence they are not being utilised at all.
    I've been asked about putting some additional services on these but have no idea what sort of capacity they could take, i.e. max servers, max VIPs, max users/connections.
    I've looked around but cannot find any documentation that helps. The following: http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps792/product_data_sheet0900aecd800f851e.html document states it has a '6Gbps Bandwidth Aggregate', which is strange as it doesn't even have that physical capacity?
    Any help appreciated.

    http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps792/product_data_sheet0900aecd800f851e.html
    No limit for vip and server (except you need to keep your config under 10k lines)
    Number of concurrent connections is 200k per module and there is only 1 module in the 11501
    Gilles.

  • Denial of Service attacks and Java

    I'm in the process of doing my final year project. I'm very interested in internet security and I am proposing to do a project on denial of service attacks and building some sort of software in Java to handle them.
    As I understand it Java has security features but it doesn't have many provisions for denial of service attacks...
    I'm just wanting to hear people's views on this subject and see how I could possibly start this project. I don't have many resources atm, and am currently trying to find information so I can better approach this project.
    Any help/suggestions would be useful!
    Thanx

    You won't be able to block a DoS-attack from Java.
    Some DoS principle examples:
    Just a few machines with high upstreams could generate a huge amount of data with random IP numbers (using simple IP spoofing techniques) and can use different types of packages (e.g. ACK or SYN packages) causing some software programs to crash. Besides, the DoS attacks don't even have to be routed to an open port; it can also be addressed to a closed port, but if there are enough packets coming over the line to the closed port (assuming the closed port drops the packets on arrival) the line will still be filled.
    Java on the other hand does not work on low-level networking, therefore it has no influence on what does make it to the operating system's kernel and the services.
    In short, I can't think of a way that Java will be able to block a DoS attack; even the best hardware firewalls/routers I know have problems blocking big ones (if it is possible at all).
    Sorry to pop your bubble, but I think you should look into another subject.
    Good luck,
    Barre

  • CSS 11501S GSLB DNS

    Hi
    I am in the process of planning for a GSLB failover solution for a web site. I have attached a very basic diagram showing an example of the topology.
    The aim is to have two sites. A primary site and a DR site to be used as a failover solution.
    The main site has two web servers that will need to be load balanced and the failover DR site will only have 1 web server.
    My initial plan was to use 2 Cisco CSS 11501S devices as I believe this would provide the load balancing and GSLB functionality I require.
    To achieve this I was going to use the CSS's as the primary and secondary name servers for the domain. This has raised a few question marks….
    Both of our sites are connected to a private WAN (with private IP ranges). See attached diagram. Our internet access is provided through a third party "Firewall Port" directly off the WAN. We don't manage the firewall that connects to the internet. This third party firewall provides the NAT for our public facing services (web servers, mail servers, ftp servers etc).
    So my questions are…
    * Because the CSS's and web servers are located on a private network, will the CSS's be able to respond to the DNS requests with the PUBLIC IP address (as seen from the internet) of the servers as opposed to the private IP address of the servers? If the firewall in front of the CSS's was connected to the internet this could be done via DNS doctoring, but our firewall is on a private subnet!
    * Is it possible to get the CSS's to respond to DNS requests for other domain devices that do not reside behind the CSS - E.g. a MX record for a mail server that resides on another 'private' network?
    *Is there a better way to achieve this?
    Any assistance would be much appreciated!!

    Thanks for the response Gilles. When you say
    "If you configure the css to answer with the public ip address, you can't access your vip from the internal network anymore."
    Do you mean that you will only get the public ip address from a DNS query and therefore this won't work locally?
    If I have a host file entry providing the private address resolution for my internal hosts will this work?
    "Also, be aware we do not support GSLB on the CSS anymore.
    So, if this is a new install, it is better to start with a solution that we support - GSS"
    Why is this no longer supported? Are there a lot of problems with GSLB on the CSS? It is pretty hard to justify the cost of a solution including 2 GSS's for GSLB and 1 CSS for server load balancing when compared to the price of 2 CSS's with the enhanced license for both GSLB and server load balancing.
    I have one client that wants to use their existing CSS's for a solution like this and another that is starting from scratch.
    Thanks

  • Cabling the CSS 11501

    I have never worked with Content Services Switches so here's my question: Are my 2 web servers that I am trying to load balance supposed to be plugged into the CSS 11501?
    The way I have it now is the servers are both plugged into a switch and the switch has a cable to the CSS. Plus I have the cable from the ethernet management port in the switch for web interface access. Is this correct?

    The servers can be connected the way you did.
    Just make sure you have ip connectivity between css and servers.
    You'll also want another cable between the CSS and your switch for client vlan (or internet side vlan).
    I personally avoid the use of the management vlan. Too many restrictions there.
    Gilles.

  • High CPU utilization on CSS 11501 version sg0750303

    Hi everyone,
    I have a problem with high CPU utilization on CSS 11501 version sg0750303.
    Our customer has used one pair of CSS 11501 (active-standby),
    referred to as "Old CSS" hereafter in this post.
    However, traffic via Old CSS had been increasing, so the customer decided to add one more
    pair (active-standby) of CSS to separate traffic.
    Yesterday we installed two new CSS 11501 version sg0750303 (active-standby),
    referred to as "New CSS" hereafter in this post.
    Today, the active CSS 11501 and standby CSS 11501 which were installed yesterday (New CSSs)
    indicate high CPU utilization.
    Active CSS 11501:
    Peak CPU utilization: about 85%
    Average CPU Utilization: about 60%
    Standby CSS 11501:
    Peak CPU utilization: about 40%
    Average CPU Utilization: unknown
    I do not understand why the CPU utilization of both New CSSs became high.
    The traffic passing through New CSS is less than through Old CSS, because the traffic is split between
    Old CSS and New CSS.
    And the CSS's configuration parameters (service, content, access-list) are also fewer than on Old CSS,
    because the real servers are also split between Old CSS and New CSS.
    Old CSS indicated an average CPU utilization of about 20% before installing the New CSSs yesterday,
    even though all traffic passed through Old CSS only.
    I wrote "New CSS remains at high CPU utilization", however end users do not feel any
    performance issue (e.g., performance delay, communication failure and so on) and
    the traffic passes through New CSS normally.
    So I have the question: "Does CSS 11501 sg0750303 remain at high CPU utilization in a normal situation?"
    And the customer uses MRTG to poll SNMP for Old CSSs and New CSSs.
    So I have the question: "Does CSS 11501 sg0750303 go to high CPU utilization when receiving
    SNMP polling?"
    Or, if this situation is abnormal, we need to start an investigation.
    Would you please let me know how we should investigate this situation.
    I found the DDTS CSCek57080 "Performance issue using arrowpoint-cookie with ASR".
    Release note of this DDTS says that
    A customer was using a CSS pair configuration where arrowpoint-cookie
    is being used along with a redundant-index on many content rules. When
    the flow rate increased to a few hundred flows/sec, the peer message
    queue of the CSS receiving ASR related message began to fill up.
    When the peer message queue became over subscribed, the CPU increased
    and the CSS became unstable.
    New CSSs have redundant-index configured on two content rules, and end users do not feel any
    performance issue (e.g., performance delay, communication failure and so on) and
    the traffic passes through New CSS normally.
    So I think this DDTS is not related to this case.
    Your information would be greatly appreciated.
    Best regards,

    Gilles,
    Thank you very much for your cooperation.
    I got the capture you instructed us.
    The following are additional information from our customer.
    When user traffic passes through the active CSS, the active CSS indicates:
    CPU utilization always in the range of 30% - 40%
    Peak CPU utilization about 60% - 80%
    When there is no user traffic passing through the active CSS, the active CSS indicates:
    CPU utilization always in the range of 0% - 5%
    Attached files are named "Active CSS.log" and "Standby CSS.log".
    "Active CSS.log" is captured on active CSS and "Standby CSS.log" is captured on
    standby CSS.
    I found the following process is using resources by looking at the output of the
    "shell 1 1 spyReport" command.
    On active CSS,
    tFlowMgrPktR 8ba24070 50 26% ( 1469) 20% ( 26)
    On standby CSS,
    fmPeerMsgTas 8a511510 50 16% ( 176) 10% ( 7)
    Your comment would be greatly appreciated.
    Best regards,
