Etherchannel to CSS 11506

I'm looking at doing an EtherChannel/channel group to a CSS 11506 for greater bandwidth on the front of the CSS: clients > chan-group > VIP > CSS > servers.
Has anyone else done this?
The reason I ask if this can be done is that the backup (ASR) CSS vir-peer shows as master (backup router) state. I didn't see any commands on the CSS for EtherChannel, PAgP or LACP.

Hi,
EtherChannel is not supported on the CSS, from my knowledge. Furthermore, you should avoid any spanning-tree issue on the CSS. If you need more throughput than 1 GIG, think about splitting the VIPs so that one CSS is active for the first half of the VIPs and the other one for the 2nd part. Be aware that the gateway on both VIP parts needs to be active on the correct box.
Kind Regards,
Joerg

Similar Messages

  • Trying to understand SSL sticky with CSS 11506 / ssl-l4-fallback behavior

    Dear experts
    I have a CSS 11506 (v7.50) which is used to load balance several SSL-based sites. We use the following textbook content rule:
    content mysite-SSL
    vip address 10.0.0.1
    add service s01
    add service s02
    add service s03
    port 443
    protocol tcp
    advanced-balance ssl
    application ssl
    flow-timeout-multiplier 225
    active
    If I read the manual correctly, SSL L3 session IDs are going to be used till a flow is set up. Then the ssl-l4-fallback (it is enabled) directive kicks in and load balancing is done based on the source IP, destination port.
    However, my stats show:
    Sticky Statistics - SFM Slot 1, Subslot 1:
    Total number of new sticky entries is 4937735
    Total number of sticky table hits is 33476045
    Total number of sticky rejects (no entry) is 0
    Total number of sticky collision is 0
    Total number of available sticky entries is 0
    Total number of used sticky entries is 131071
    Total L3 sticky entries are 131
    Total L4 sticky entries are 0
    Total SSL sticky entries are 130940
    Total WAP sticky entries are 0
    Total number of SIPCID sticky entries is 0
    So, why don't I see anything in the L4 sticky entries?
    Also, I would expect that once the ssl-l4-fallback kicks in, a client will be always directed to the same server (since the CSS uses now source IP, dest port for load balancing). However, if I close and start again my browser I hit a different server.
    Your thoughts and suggestions are highly appreciated.
    John.

    Hi Gilles
    Thank you for your response. If I may ask the group for a final further clarification, so as to put this matter to rest. Since there are a lot of frames transmitted in either direction, I would expect the following to be happening and overriding the use of SSLv3 session IDs. Following is the section of the manual that seems to contradict what you say (and I see on the stats). Am I reading the manual wrong?
    "Cisco Content Services Switch
    Content Load-Balancing
    Configuration Guide
    Software Version 8.20
    November 2006
    page 11-14
    Configuring SSL-Layer 4 Fallback
    Insertion of the Layer 4 hash value into the sticky table occurs when more than
    three frames are transmitted in either direction (client-to-server, server-to-client)
    or if SSL version 2 is in use on the network. If either condition occurs, the CSS
    inserts the Layer 4 hash value into the sticky table, overriding the further use of
    the SSL version 3 session ID."

  • CSS 11506 page requests not directed properly

    CSS 11506 sitting in front of mainframe and
    two Windows 2003 servers
    content rule3056gif
    add service web1
    add service web2
    vip address 10.10.200.252
    balance aca
    url "/IMAGE_DIRECTORY_NAME/*.gif"
    port 3056
    active
    A small number of page requests, that do not match the above pattern, are passing to the content servers web1 or web2 instead of the mainframe.
    Any ideas appreciated.

    When a connection comes in and matches the rule above, a flow is created to switch all traffic between client and server.
    If inside this same flow a new request comes in for a different content rule, the flow needs to be remapped to the new server.
    This works fine except when the flow stays idle.
    A flow that was idle can't be remapped.
    All new requests will be sent to the current/last server even if the request does not match the rule.
    The solution is to increase the idle timeout.
    You can do this with a 'flow-timeout-multiplier'.
    A large value will greatly reduce the chance of seeing the problem, but it also means the amount of resources being used will increase, as each flow will remain longer in memory.
    It's up to you to find the right balance.
    You can do a 'flow stat' from llama mode to see number of free flows and active flows.
    I would say you start with a flow-timeout-multiplier of 100 and reduce or increase it if necessary.
    Regards,
    Gilles.
    - please take a moment of your time to rate this answer.

  • CSS 11506 / install Disclaimer page

    We have a CSS 11506. Our public portal web servers are behind that CSS 11506. How can we configure the CSS so that when people click on some external website URLs on the public portal, a disclaimer / exit page shows up first?

    The CSS is only load balancing the HTTP traffic to the public portal web servers and does not run an HTTP stack itself. As such, the CSS is incapable of presenting any HTTP content to the client. Any disclaimer / exit pages would need to be programmed into the content of the page the public portal server presents to the client. There is not a way to accomplish this on the CSS.

  • CSS 11506 - Locked up but cannot find why

    I have had a CSS 11506 lock up with no access or activity. From the syslog logs I cannot see any error messages reporting a failure, just a hole. During the lockup I had no access to the equipment.
    Any suggestions on how to investigate the lock up ?
    Thank you in advance.
    Roger.

    Hi Roger,
    Based on the symptoms, I guess the CSS did not save any core; can you double check?
    I would say that we do not have enough evidence to say what caused the outage. Actually, I would need to see the showtech and look for some evidence, but I can tell you for sure that your code needs to be upgraded.
    The 7.50 train is not getting new releases, since the new trains are 8.10 and 8.20. Also, 7.50.103 is an early release on that train, and many defects were addressed in newer code, some of them related to crash and hang issues.
    Hope it helps!!

  • CSS 11506

    I configured a VIP on my CSS 11506. I created a content rule and a service, which will be used by the content rule. Both have been activated. However, when I do "show service summary", the new service is not coming up; it's showing down. I removed the service and re-created it, and it is still down. My VIP won't work if the service remains down. Please help if you have experienced this before. Thanks so much!!

    Collin,
    You are the man! I removed the keepalive by typing "keepalive type none" (initially it was "keepalive type tcp"), and now the service is up and I can get to my VIP. Thanks so much! I appreciate it. How should I give you credit?

  • Etherchannel on CSS?

    Brief question..:
    Can I configure Etherchannel on the css 11501?

    Could that be a trick question though? What if you didn't do etherchannel on the CSS box because it doesn't support it, but you do it on a switch after the CSS box? Don't they have a CSS card out for the 6500 series switches? If so, you could do etherchannel with that, you just do it on the switch ports. What if you set up the network like this?...
    WAN---->Firewall--->CSS---->Catalyst 6509 --[etherchannel]---> Webservers
    or
    WAN--->Firewall----Catalyst 6509 w/CSS module ---> Webservers
    V/R
    Brandon

  • CSS 11506 Help

    We just bought a 11506. I have a few questions
    - One requirement we have is that I need to direct https web requests to the CSS public IP and then have it redirect that web request over tcp 80 to one of our internal web servers.
    Do I need to purchase an SSL module for this?
    Can someone direct me to the support link for the 11506. Looking for setup and support docs.
    Cheers
    Dave

    In order to do SSL offloading you need to buy SSL module CSS5-SSL-K9.
    You can find lots of CSS config examples
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_configuration_examples_list.html
    & Supporting documents at
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/tsd_products_support_series_home.html
    Syed Iftekhar Ahmed

  • CSS 11506 running 08.20.2.01

    Can you tell me if this will work?
    keepalive type encrypt
    keepalive method get
    keepalive port xxxx
    Specifically, what can I do for a layer 5 KAL for HTTPS in a service? I hate to compare these things but I know on an F5 I can do an https get.
    These are 11506 running 08.20.2.01
    Thanks for anything you can advise,

    You can definitely setup the CSS to perform a URI keep-alive over HTTPS.
    keepalive type http encrypt
    However, in order for this configuration to work properly, your CSS must contain the SSL module, as the service will need to be set up as a "type ssl-accel-backend". This will allow the CSS to encrypt the keep-alive request and decrypt the server's response using the cert/keys defined within the backend-server configuration within the ssl-proxy-list.
    Does your CSS contain an SSL module?
    - Jason

  • CSS 11506 problem

    Hi All,
    I have two portals which are located behind the load balancer (client side), the configuration is basic.
    I have faced a problem accessing these portals via the SSL port (HTTPS) using the virtual IP address which represents them, knowing that the SSL sessions are terminated on the portals, not on the CSS.
    Any help, please.
    Thanks a lot.
    Mo

    What kind of problem?
    Get a sniffer trace on client and server and see what is going on.
    We'll also want to see the config even if basic.
    Gilles.

  • CSS - 11506 - Adding New SSL Services on Single SSL Modules

    Hi,
    We have one pair of CSS 11506s; currently SSL services are running on slot 4 with a single SSL module. Now we are planning to add one more SSL application with different certificates and keys on a different VIP.
    Can we use the same slot 4 for the new application, using different certificates and keys on the same SSL module? Your response is appreciated.

    Hi Sean,
    Thanks for replying back. I just want a few clarifications on the configuration part.
    1. If a new VLAN is given for the new application, then how do we point routes to the new VLAN, as default routes to the existing VLAN are already present?
    2. I've prepared a sample config template with detailed steps; let us know whether it will work, and if changes are required kindly let us know.
    1.# ftp-record ssl_record 192.168.19.21 johndoe "abc123"
    /home/johndoe
    2.# copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
    Connecting
    Completed successfully
    3.# copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
    Connecting
    Completed successfully
    4.Enter configuration mode.
    # config
    (config) #
    4. To use RSA public key exchange and authentication:
    a. Associate the imported RSA certificate with a file.
    (config) # ssl associate cert myrsacert1 rsacert.pem
    b. Associate the imported RSA key pair with a file.
    (config) # ssl associate rsakey myrsakey1 rsakey.pem
    5. Compare the public key in the associated certificate with the public key
    stored with the associated private key and verify that they are identical.
    (config) # ssl verify myrsacert1 myrsakey1
    Certificate mycert1 matches key mykey1
    ssl associate rsakey NEWKEY newkey.pem
    ssl associate cert NEWCERT newcert.pem
    !************************* INTERFACE *************************
    interface 3/3
    description "****WEB SIDE****"
    bridge vlan _ID_X.X.X.X
    bridge port-fast enable
    interface 3/4
    bridge vlan_ID_Y.Y.Y.Y
    bridge port-fast enable
    description "****PIX SIDE****"
    !************************** CIRCUIT **************************
    circuit VLAN_ID_X
    ip address A.A.A.A B.B.B.0
    ip virtual-router 2 priority 101 preempt
    ip redundant-interface 3 C.C.C.C
    ip critical-service 3 chk-con-pix_Y.Y.Y.Y
    ip critical-service 3 chk-con-web_X.X.X.X
    circuit VLAN_ID_Y
    ip address D.D.D.D E.E.E.0
    ip virtual-router 4 priority 101 preempt
    ip redundant-vip 4 F.F.F.F
    ip critical-service 4 chk-con-pix_Y.Y.Y.Y
    ip critical-service 4 chk-con-web_X.X.X.X
    !*********************** SSL PROXY LIST ***********************
    ssl-proxy-list NEW
    ssl-server 20
    ssl-server 20 vip address F.F.F.F
    ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
    ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
    ssl-server 20 rsacert NEWCERT
    ssl-server 20 rsakey NEWKEY
    active
    !************************** SERVICE **************************
    service FRONT_SSL
    type ssl-accel
    slot 4
    keepalive type none
    add ssl-proxy-list NEW
    active
    service WEBSERVER-03
    ip address G.G.G.G
    redundant-index 3
    protocol tcp
    port 80
    active
    service WEBSERVER-04
    ip address H.H.H.H
    redundant-index 4
    protocol tcp
    port 80
    active
    service chk-con-pix_Y.Y.Y.Y
    keepalive type script ap-kal-pinglist "N.N.N.N"
    ip address J.J.J.J
    keepalive frequency 2
    keepalive maxfailure 2
    keepalive retryperiod 2
    active
    service chk-con-web_X
    ip address K.K.K.K
    keepalive type script ap-kal-pinglist "P.P.P.P"
    keepalive frequency 2
    keepalive maxfailure 2
    keepalive retryperiod 2
    active
    !*************************** OWNER ***************************
    owner NEW
    content BACKNEW_HTTP
    vip address F.F.F.F
    add service WEBSERVER-03
    add service WEBSERVER-04
    protocol tcp
    port 81
    url "/*"
    redundant-index 5
    no persistent
    active
    content FRONTENDNEW_SSL
    vip address F.F.F.F
    protocol tcp
    port 443
    application ssl
    add service FRONT_SSL
    active
    content NEW
    url "//www.ABC.com/*"
    vip address F.F.F.F
    protocol tcp
    port 80
    redundant-index 4
    redirect "https://ABC.com"
    active
    Your reply on this would be highly appreciated.
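
A template like the one in this post can be reviewed automatically before it is applied or shared. The following is an added example, not part of the original post or of any Cisco tooling: it flags `ssl-server` cipher lines whose suite name contains a weak component, reports an `ssl-server` that offers only such suites, and masks quoted secrets on `ftp-record` and `copy ssl` lines. The weak-component list is this example's own policy and an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the template in the post above
# (the wrapped ftp-record line is joined onto one line).
CONFIG = """\
ftp-record ssl_record 192.168.19.21 johndoe "abc123" /home/johndoe
copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
ssl-proxy-list NEW
ssl-server 20
ssl-server 20 vip address F.F.F.F
ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
ssl-server 20 rsacert NEWCERT
ssl-server 20 rsakey NEWKEY
active
"""

# Assumption of this example: suite-name components treated as weak.
WEAK = {"rc4": "RC4 is prohibited in TLS by RFC 7465",
        "md5": "MD5-based MAC",
        "des": "single DES",
        "null": "no encryption",
        "export": "export-grade key length"}
CIPHER = re.compile(r"^ssl-server\s+(\d+)\s+cipher\s+(\S+)")
SECRET = re.compile(r'^(ftp-record|copy\s+ssl)\b.*"[^"]+"')


def audit(config):
    """Return (line_no, kind, detail) findings for a CSS config text."""
    findings, proxy = [], None
    suites = defaultdict(list)  # (proxy-list, server) -> [is_weak, ...]
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith("ssl-proxy-list "):
            proxy = line.split()[1]
        m = CIPHER.match(line)
        if m:
            server, suite = m.groups()
            why = [WEAK[t] for t in suite.lower().split("-") if t in WEAK]
            suites[(proxy, server)].append(bool(why))
            if why:
                findings.append((no, "weak-cipher", f"{suite}: " + "; ".join(why)))
        elif SECRET.match(line):
            findings.append((no, "inline-secret",
                             line.split()[0] + " line carries a quoted secret"))
    for (plist, server), flags in suites.items():
        if all(flags):  # every configured suite for this server is weak
            findings.append((0, "only-weak-suites",
                             f"ssl-proxy-list {plist} ssl-server {server}"))
    return findings


def redact(config):
    """Mask quoted secrets on ftp-record / copy ssl lines before sharing."""
    out = []
    for raw in config.splitlines():
        if SECRET.match(raw.strip()):
            raw = re.sub(r'"[^"]*"', '"<redacted>"', raw)
        out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```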

  • Capture Traffic on Css 11506

    Hello,
    I am trying to troubleshoot all traffic related to backend servers (behind the CSS) from the input and output interfaces of the CSS. Could anybody help me in capturing this kind of traffic, with a support guide or commands?
    Thanks,
    Mo

    You can use a CSS port as Span port. Connect a sniffer at that port and you will get the packets.
    Command to use
    setspan src_port number dest_port number copyBoth|copyTxOnly|copyRxOnly
    More details at
    http://cco.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.20/configuration/administration/guide/Intface.html#wp1099686
    Syed Iftekhar Ahmed

  • HTTP and terminal services connection intermittently for CSS 11506

    I am configuring a client/server CSS configuration. I am facing intermittent HTTP connections. The browser requires 3 refreshes before the web page is seen. I am also facing a problem with the connection to the real server behind the CSS using Terminal Services in Windows Server 2003. I am using an ML330 to connect to the real server through its VIP address. The connection is sometimes successful, but most of the time it is not. I have attached the network diagram and the config for reference. Please advise!

    This is the kind of thing that you need a sniffer trace on both sides of the CSS to determine what the problem is.

  • CSS 11506 Default "Site is down" Page

    The Company that I work for needs to bring down our servers for some hardware upgrades for a period of time. Is it possible to configure the CSS so that it will display an HTML page any time that it cannot find one of the servers that it should be looking for? If it is possible, how would I go about doing that,or where would I look for directions on setting that up? Thank you very much for any help provided.

    Another question: we've brought down our content servers and the sorry server is sending out the sorry page that we have set up. I added all the settings indicated in the link above you gave me, and based on some of the other articles that I have seen while troubleshooting I have changed some of the persistence settings. Here are my configurations; any ideas?
    !*************************** GLOBAL ***************************
    no restrict web-mgmt
    no restrict xml
    dns primary 10.20.1.2
    ip route 0.0.0.0 0.0.0.0 10.20.1.1 1
    !************************* INTERFACE *************************
    interface 1/1
    phy 1Gbits-FD-sym
    !************************** CIRCUIT **************************
    circuit VLAN1
    router-discovery lifetime 1000
    ip address 10.20.1.4 255.255.255.0
    router-discovery
    !************************** SERVICE **************************
    service Blade01
    ip address 10.20.1.60
    active
    service Blade02
    ip address 10.20.1.61
    active
    service Blade03
    ip address 10.20.1.62
    active
    service Blade04
    ip address 10.20.1.63
    active
    service sorry
    ip address 10.20.1.41
    active
    !*************************** OWNER ***************************
    owner OWNER
    email-address
    content server1
    vip address 10.20.1.80
    balance aca
    add service Blade01
    add service Blade02
    primarySorryServer sorry
    no persistent
    active
    content server2
    vip address 10.20.1.81
    add service Blade03
    add service Blade04
    balance aca
    active
    !*************************** GROUP ***************************
    group server1
    vip address 10.20.1.80
    add destination service Blade01
    add destination service Blade02
    add destination service sorry
    group server2
    add destination service Blade03
    add destination service Blade04
    vip address 10.20.1.81

  • Css 11506 snmp trap for defective modules

    Is it possible for the CSS to send a trap or mail if a module like the SSL module changes its status to bad or powered-off? Are there scripts available for module monitoring?
    andre

    Try this
    snmp trap-host x.x.x.x community
    snmp trap-type enterprise
    snmp trap-type enterprise chmgr-module-transition
    Syed
