Exploring CSS 11503 sticky table / sticky mask

Hi All
I am currently undergoing some testing with a client.
We have a VIP load balancing 8 instances. We are testing with the following configs
content test-test
    add service a
    add service b
    add service c
    add service d
    add service e
    add service f
    add service g
    add service h
    vip address 10.10.10.1
    flow-timeout-multiplier 225
    sticky-mask 255.255.255.252
    redundant-index 1000
    port 443
    protocol tcp
    advanced-balance sticky-srcip-dstport
    sticky-inact-timeout 360
    balance leastconn
active
We have traffic being sourced from 32 IP addresses and want all 8 instances to be used/hit, but this is not happening in all instances.
(from the above config, 4 consecutive IPs will be stuck to the same instance based on the sticky mask -- yes?)
For instance I would expect the following: with the Test IP addresses used based on the sticky mask:
10.120.1.168
10.120.1.169
10.120.1.170
10.120.1.171 
(to be stuck to maybe instance a)
10.120.1.176
10.120.1.177
10.120.1.178
10.120.1.179
(to be stuck to maybe instance b)
I have tried the following command during tests:
show sticky-table l4-sticky ipaddress 10.10.10.1  255.255.255.252  443
and get an empty table back.
L4 Sticky List on Slot 1, subslot 1:
Entries for page 1.
Entry   Hash    Rule Rule  Srv  Srv      Time(Sec)     Hit Col  Elem Inact
Number  Value   Indx State Indx State    Elapsed       Cnt Cnt  Type Cfg(Min)
Total number of entries found is 0.
L4 Sticky List on Slot 2, subslot 1:
Entries for page 1.
Entry   Hash    Rule Rule  Srv  Srv      Time(Sec)     Hit Col  Elem Inact
Number  Value   Indx State Indx State    Elapsed       Cnt Cnt  Type Cfg(Min)
Total number of entries found is 0.
I would like to ascertain what source IP address is being stuck to what load balanced instance at any one time.
I have tried looking at the flow table, but that clears out quite quickly, so it is not really an accurate method.
Thanks!
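
The grouping asked about in the post above can be checked offline. The following is an added example, not part of the original post or of Cisco's software: it applies the posted `sticky-mask` to the posted test addresses and to a constructed set of 32 contiguous sources (`SAMPLE_32` is an assumption), and reports how many distinct sticky keys result. It models only the mask arithmetic, not how the CSS picks a service for a new key.

```python
# Added example: source-IP grouping under a sticky mask (mask arithmetic only).
import ipaddress
from collections import defaultdict

STICKY_MASK = "255.255.255.252"   # sticky-mask from the content rule in the post


def sticky_key(src_ip, mask=STICKY_MASK):
    """Source address after the sticky mask is applied (bitwise AND)."""
    ip = int(ipaddress.IPv4Address(src_ip))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip & m))


def group_sources(src_ips, mask=STICKY_MASK):
    """Map each masked key to the source IPs that collapse onto it."""
    groups = defaultdict(list)
    for ip in src_ips:
        groups[sticky_key(ip, mask)].append(ip)
    return dict(groups)


def max_services_reachable(src_ips, n_services, mask=STICKY_MASK):
    """Upper bound on services that can receive traffic: each sticky key
    is pinned to one service, so the bound is min(services, keys)."""
    return min(n_services, len(group_sources(src_ips, mask)))


# The eight test addresses listed in the post.
POSTED_IPS = [f"10.120.1.{h}" for h in (168, 169, 170, 171, 176, 177, 178, 179)]
# Constructed sample: 32 contiguous sources, not taken from the post.
SAMPLE_32 = [f"10.120.1.{h}" for h in range(160, 192)]

if __name__ == "__main__":
    for key, members in group_sources(POSTED_IPS).items():
        print(key, "<-", ", ".join(members))
    for mask in ("255.255.255.252", "255.255.255.224"):
        bound = max_services_reachable(SAMPLE_32, 8, mask)
        print(mask, "->", bound, "of 8 services reachable at most")
```

The key count is only an upper bound: which service each key lands on is decided by the balance method when that key's first connection arrives, so two keys can still share a service.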

Similar Messages

  • Stickymask Problem with sticky-mask 255.255.255.0

    We have a problem when we use sticky-mask 255.255.255.0. We saw that the CSS sends requests from one host to different servers.
    We use:
    CSS 11150
    SW Version: 5.03 Build 15
    Does anybody know if this is a bug? Did someone have a similar experience?

    most probably a bug.
    build 15 is the first one for 5.03
    Also 5.03 will be discontinued.
    I would suggest to use 5.0 latest build or 6.10 if you need a specific feature of 5.03 (will be present in 6.10)
    Gilles.

  • Question on CSS cookie sticky

    Hi everyone,
    I have a question about CSS cookie sticky.
    - Server issues the following cookie string to the client and it is fixed to 18 bytes.
    Set-Cookie: JSESSIONID=aaabbbcccdddeeefff; path=/
    - Client embedded the following cookie string in the subsequent HTTP header.
    Cookie: xx_user_id=ZZZZ03; com.dummy.xyz.session.cookie=|user|pc|ja|Shift_JIS|default||yellow|/oooo/default.portal|; JSESSIONID=aaabbbcccdddeeefff
    * Note that I made cookie information suitable as example.
    There is the cookie string (JSESSIONID=aaabbbcccdddeeefff) issued by Server in the HTTP header from client but that cookie string (JSESSIONID=aaabbbcccdddeeefff) is located following the cookie string that the client made by oneself at the end of cookie string. And the cookie string and the length of cookie string that client made by oneself might change so the total length of cookie string also might change. It means I can not clarify the total length of the cookie string.
    In this situation, I want CSS to stick with cookie string "JSESSIONID=aaabbbcccdddeeefff".
    The characters of string located following the "JSESSIONID=" (in this case, "aaabbbcccdddeeefff") might change but it is fixed to 18 bytes. The total length of cookie string is 141 bytes in above mentioned example.
    So I informed customer to configure the following parameters to get CSS done cookie sticky for above mentioned cookie string. CSS software version is sg0750303.
    owner test
    content testsv-tcp80
    add service testsv1-tcp80
    add service testsv2-tcp80
    advanced-balance cookie
     string range 1 to 200
    string process-length 18
    url "/*"
    redundant-index 1001
    protocol tcp
    port 80
    vip address xxx.xxx.xxx.xxx
    active
    However CSS was not able to treat the above mentioned cookie correctly which means the subsequent HTTP request was not stuck (persisted) to same server.
    I do not understand why CSS cookie sticky did not work correctly with this configuration.
    Then customer configured CSS with the following parameters to get CSS inserted cookie string and, of course, the result is OK that is CSS could stick the connection to same server.
    owner test
    content testsv-tcp80
    add service testsv1-tcp80
    add service testsv2-tcp80
    advanced-balance arrowpoint-cookie
    url "/*"
    redundant-index 1001
    protocol tcp
    port 80
    vip address xxx.xxx.xxx.xxx
    active
    Has anybody experienced a similar thing?
    Could you please let me know if you have any comment or information?
    Your information would be appreciated.
    Best regards,

    the CSS does not learn dynamic cookie.
    You can match a fixed string inside a cookie and pre-define which server to use with that specific string.
    That's why your solution did not work.
    Arrowpoint-cookie is a better solution and easier to implement.
    Gilles.

  • CSS 11503 Users using a proxy

    I currently have a CSS 11503 LB that I am using to balance 443 and 80 traffic and I have it working, but my question is: if users are coming from a proxy, should I continue to use the Layer 3 LB technique? Also, is it possible to see the real IP address instead of the IP of the proxy server?

    the problem with proxy is if you use some form of stickiness like sticky src ip.
    Since the src ip is always the proxy, you end up with all your traffic going to a single server.
    If you are doing sticky src ip, I would suggest to use arrowpoint-cookie instead.
    To see the real-ip you need your proxy to insert in the http header a 'x-forwarded-for' line with the client ip.
    Your servers can then extract this value to determine the client ip.
    On the CSS you won't be able to see the client-ip.
    Gilles.

  • Routing issue with CSS 11503

    The scenario contains a PIX 515 E firewall, a 4507R Chassis switch and a CSS 11503. The servers in the inside zone of the PIX are load balanced using a VIP, with the default route specified in the CSS being the inside zone interface IP of the PIX.
    Now I would like to load balance the servers in the DMZ zone of the PIX with a separate VIP (from the DMZ zone) in the same CSS. Since the default route in the CSS is towards the inside zone of the PIX, I am unable to see the load balanced pages from the DMZ. Is there any solution to load balance the servers of the 2 zones with 2 different VIPs using a single CSS?

    The default behavior is to use the calling device's CSS for the redirected calls. In your case it sounds like you want to use the redirecting device's CSS. I haven't tried this myself but I believe you will need to change the following registry entry on your PGs. You will want to use option 2 (ROUTEADDRESS_SEARCH_SPACE).
    HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems,Inc.\ICM\IPCCL\PG1B\PG\CurrentVersion\JGWS\jgw1\JGWData\Dynamic
    "UseRouteAddressSearchSpace"=dword:00000000
    - Used to control behavior on CTI Route Points for Route Selects.
    UseRouteAddressSearchSpace can be set to 0, 1, or 2 where:
    DEFAULT_SEARCH_SPACE = 0
    CALLINGADDRESS_SEARCH_SPACE = 1
    ROUTEADDRESS_SEARCH_SPACE = 2

  • How can I convert my css code into table format?

    Wasn't sure how to word the title, but what I am trying to do is post my html code generated with Dreamweaver CS4 into craigslist for an advertisement I designed. Craigslist seems to only accept "TABLE FORMAT".  I just learned enough to design this AD using css, now do I have to go back and learn table cell coding? Is there something I am not aware of like a conversion or something that will work?
    Thank you very much for any help, I am very anxious to get my ad placed.

    Example of the accepted code:
    <table border="0" cellpadding="5" cellspacing="0" width="100%" id="table4" align="center">
    <tr><td width="125"><b><font size="2" face="Verdana">Contact Name:</font></b></td><td><font face="Verdana" size="2">Patrick</font></td></tr>
    You must have an old HTML editor because that isn't INLINE CSS CODE.  It's deprecated HTML code.  It might work OK on Craig's List... but <font> tags won't pass W3C validation in XHTML doc types.
    To express what you have above using inline CSS styles without tables would like this:
    <p style="font:16px Verdana, Arial, Helvetica, Sans-serif; text-align:center"><strong>Contact Name:</strong> Patrick</p>
    http://www.w3schools.com/CSS/css_howto.asp
    Nancy O.
    Alt-Web Design & Publishing
    Web | Graphics | Print | Media  Specialists
    www.alt-web.com/
    www.twitter.com/altweb
    www.alt-web.blogspot.com

  • CSS 11503 load-balancing with MS Print Servers

    We are trying to load-balance print server connections between 2 MS print servers. When we try to connect to the print servers name, (\\PS01) or even the VIP address, we get a Path not found error. However, if we direct the path to the actual name or ip address of the print servers (not the VIP), we can view all the queues and connect/print to them. Is this possible to do on the CSS 11503? Thanks.

    Pete- Here is our config. See any problems?
    configure
    !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 1.100.100.100 1
    !************************* INTERFACE *************************
    interface 1/2
    bridge vlan 2
    !************************** CIRCUIT **************************
    circuit VLAN1
    ip address 1.100.101.110 255.0.0.0
    circuit VLAN2
    ip address 10.100.249.1 255.255.255.0
    !************************** SERVICE **************************
    service ps01
    ip address 10.100.249.5
    active
    service ps02
    ip address 10.100.249.6
    active
    !*************************** OWNER ***************************
    owner printserver
    content L3_Basic
    add service ps01
    add service ps02
    vip address 1.100.100.35

  • CSS 11503 - question on version

    We're about to do an annual OS update to our CSS 11503, and I noticed that there are two current versions of WebNS, both released in the same month: 8.10.4.01 and 8.20.2.01. Could anyone outline for me the differences between the two (or point me to the right release notes)? I usually upgrade to the latest release, but having two at the same time is awfully confusing.
    Thank you!

    They are essentially the same.
    We always port all fix to both of them.
    Release notes are here :
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/release/note/RN810_X.html
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/release/note/RN820_X.html
    Gilles.

  • CSS 11503 in Active Active mode

    Can we configure the CSS 11503 in Active/Active mode, meaning can multiple contexts be configured?
    Thanks & Regards,
    Shahzad.

    Here you go
    Assumptions:
    VIP 10.10.10.100 is Master on the CSS 2 and backup on the CSS1
    VIP 10.10.10.101 is Master on the CSS1 and backup on the CSS1
    Vlan 10 is the Server Vlan (Redundant Interfaces here)
    Vlan 20 is the Client vlan (Redundant Vips here)
    Services for VIP 10.10.10.100 (real server) have default gateway pointing to redundant interface 172.20.40.253
    Services for VIP 10.10.10.101 (real server) have default gateway pointing to redundant interface 172.20.40.254
    CSS #1
    circuit VLAN10
    ip address 172.20.40.1 255.255.255.0
    ip virtual-router 1 priority 101 preempt
    ip virtual-router 2
    ip-redundant-interface 1 172.20.40.253
    ip-redundant-interface 2 172.20.40.254
    Circuit VLAN20
    ip address 10.10.10.1 255.255.255.0
    ip virtual-router 3 priority 101 preempt
    ip virtual-router 4
    ip redundant-vip 3 10.10.10.101
    ip redundant-vip 4 10.10.10.100
    CSS #2
    circuit VLAN10
    ip address 172.20.40.2 255.255.255.0
    ip virtual-router 1
    ip virtual-router 2 priority 101 preempt
    ip-redundant-interface 1 172.20.40.253
    ip-redundant-interface 2 172.20.40.254
    Circuit VLAN20
    ip address 10.10.10.2 255.255.255.0
    ip virtual-router 3
    ip virtual-router 4 priority 101 preempt
    ip redundant-vip 3 10.10.10.101
    ip redundant-vip 4 10.10.10.100
    More details at
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/VIPRedun.html#wp1112245
    Syed Iftekhar Ahmed

  • CSS positioning within table cells

    Maybe I've just been staring at this too long but I'm stumped. I want to  position a table (could be a list) within a table by setting the parent  element to relative and the position of the child element to absolute.  The only problem is that I can't get my table cells to act as parent  elements so the smaller table (or list) positions itself relative to the  wrapper div which is also set to relative. Do I have to create divs  within the table cells? If so it sort of defeats the purpose of the  table. How can I do this using appropriate markup?
    Hope this makes sense. I think my brain has gone numb.
    Here's the page I'm trying to fix:
    http://www.kirstencassidy.com/_miniprints2.html
    Thanks in advance for your help.

    Lon Winters wrote:
    What I see is a table with red borders that contain images left justified. What do you want to position - the images? I think you could do all this in CSS without any tables.
    I think what the OP is trying to do is position some text to the right of the images?
    Obvious answer as the OP has used tables is to insert another 2 column table into each existing table cell, one for the image and one for the text.
    Alternative is to use css to float the images left, give the image a right margin and then the text will appear to the right of it in the table cell. Then just style the text with some css?

  • Global Certificate on CSS 11503

    Hi
    I am planning to enable https for a few web servers behind a CSS 11503. I have tested the functionality with the trial cert and everything works as desired.
    Now I need to buy a certificate from Verisign to make it work in production.
    At verisign they offer two different certs (Secure Site --40 bits encryption) and (Secure Site Pro -- 128 bit encryption).
    1. Is this 128 bit cert a "global cert"? and I need to concatenate the "intermediate cert" and "server cert" to make it work?
    2. If all my users are in USA then does it make sense to buy this 128 bit certificate?
    3. Verisign website also asks for "server Platform" and cisco is not mentioned as an option (I can see other LB as F5 in the list). What should I select for the server Platform when I am requesting it for CSS 11503 (I have generated the CSR on CSS 11503).
    Thanks in advance
    Glenn

    1.The guy who picked the phone at verisign had no clue.Verisign website says the following
    Secure Site Certificate (40bit minimum)- SSL Certificates without SGC
    To install your SSL Certificate, go to the instructions below for your server software. If your server is not listed or you need additional information, refer to your server documentation or contact your server vendor
    Secure Site Pro Certificate(128bit minimum) - SSL Certificates with SGC
    If you are installing an SSL Certificate with SGC, you need to copy an Intermediate CA Certificate before proceeding to the installation instructions for your server software.
    2. My understanding was that 40 bit is the minimum encryption level and only old browsers (exported ones) will use 40/56 bit ciphers. Otherwise, even with a 40 bit certificate, the new browsers will establish a 128 bit session.
    Verisign says about their 40 bit certificate
    "40-Bit to 256-Bit SSL Encryption Non-SGC SSL Certificates provide a minimum of 40-bit and up to 256-bit SSL encryption. Site visitors using certain older browsers and many Windows 2000 users will only receive 40- or 56-bit encryption unless they’re connecting to an SGC-enabled SSL Certificate"
    I found a document on net in favor of buying 40 bit certs.
    http://www.whichssl.com/myths_about_sgc.html
    Gilles, I am a bit confused here. Need HELP :)

  • Routing non-TCP/UDP traffic while using FWLB on CSS 11503s

    Hello all,
    I've been tasked to setup up FWLB with CSS 11503's as shown below. The issue is that intranet workstations use VPN client software when connecting to certain sites through the Internet and other times they use http or https (for connection to different sites). Because no flow is setup for ipsec and ECMP uses per packet routing for non TCP/UDP traffic, I'm concerned that load balancing through the firewalls will occur on a per packet basis. If that is true, stateful inspection in the firewalls will block asymmetrical traffic flows.
    Is my understanding correct? And, if so, is there a way to configure the CSS units to deal with this?
    Thanks in advance.
    (sorry for the dots in the drawing but the spaces kept getting deleted)
    .| Internet |
    ..........|
    .| CSS-outside |
    .............|
    ........|...............|
    .| FW1 |.....| FW2 |
    .......|................|
    ............|
    .| CSS-inside |
    ............|
    .| Intranet |

    for non-flowy traffic like IPSEC, we use a hash algorithm to decide where to send the traffic.
    So, it's not per packet loadbalancing.
    The same source/destination ip/port will always go to the same firewall.
    Gilles.

  • Remove Health Care (keepalives) CSS 11503

    Hi,
    We normally distribute the load between two servers by checking if the server is active (using TCP 80). Yesterday, we wanted to remove the Health Care (keepalives) due to a maintenance test, to send the traffic direct to the server, but the service stopped working.
    We think we didn't remove the health care properly. Could anybody please help me to know how to remove it?
    We are using CSS 11503; I'm adding the config.
    Thanks

    CSS11503-2(config)# service Linux2
    CSS11503-2(config-service[Linux2])# ip add 192.168.20.41
    CSS11503-2(config-service[Linux2])# active
    CSS11503-2(config-service[Linux2])# show service Linux2
    Name: Linux2            Index: 33
      Type: Local            State: Alive
      Rule ( 192.168.20.41  ANY  ANY )
      Session Redundancy: Disabled
      Redirect Domain:
      Redirect String:
      Keepalive: (ICMP   5   3   5 )
      Keepalive Encryption:      Disabled
      Last Clearing of Stats Counters: 08/12/2009 05:29:24
      Mtu:                       1500        State Transitions:            0
      Total Local Connections:   0           Total Backup Connections:     0
      Current Local Connections: 0           Current Backup Connections:   0
      Total Connections:         0           Max Connections:              65534
      Total Reused Conns:        0
      Weight:                    1           Load:                         2
      Weight Reporting:          None
    CSS11503-2(config-service[Linux2])# keepalive type none
    CSS11503-2(config-service[Linux2])# show service Linux2
    Name: Linux2            Index: 33
      Type: Local            State: Alive
      Rule ( 192.168.20.41  ANY  ANY )
      Session Redundancy: Disabled
      Redirect Domain:
      Redirect String:
      Keepalive: (NONE   5   3   5 )
      Keepalive Encryption:      Disabled
      Last Clearing of Stats Counters: 08/12/2009 05:29:24
      Mtu:                       1500        State Transitions:            1
      Total Local Connections:   0           Total Backup Connections:     0
      Current Local Connections: 0           Current Backup Connections:   0
      Total Connections:         0           Max Connections:              65534
      Total Reused Conns:        0
      Weight:                    1           Load:                         2
      Weight Reporting:          None
    CSS11503-2(config-service[Linux2])#
    Same if the service is down before disabling the keepalive.
    CSS11503-2(config-service[Linux2])# keepalive type icmp
    CSS11503-2(config-service[Linux2])# show service Linux2
    Name: Linux2            Index: 33
      Type: Local            State: Down
      Rule ( 192.168.20.41  ANY  ANY )
      Session Redundancy: Disabled
      Redirect Domain:
      Redirect String:
      Keepalive: (ICMP   5   3   5 )
      Keepalive Encryption:      Disabled
      Last Clearing of Stats Counters: 08/12/2009 05:31:42
      Mtu:                       1500        State Transitions:            4
      Total Local Connections:   0           Total Backup Connections:     0
      Current Local Connections: 0           Current Backup Connections:   0
      Total Connections:         0           Max Connections:              65534
      Total Reused Conns:        0
      Weight:                    1           Load:                         255
      Weight Reporting:          None
    CSS11503-2(config-service[Linux2])# keepalive type none
    CSS11503-2(config-service[Linux2])# show service Linux2
    Name: Linux2            Index: 33
      Type: Local            State: Alive
      Rule ( 192.168.20.41  ANY  ANY )
      Session Redundancy: Disabled
      Redirect Domain:
      Redirect String:
      Keepalive: (NONE   5   3   5 )
      Keepalive Encryption:      Disabled
      Last Clearing of Stats Counters: 08/12/2009 05:36:08
      Mtu:                       1500        State Transitions:            5
      Total Local Connections:   0           Total Backup Connections:     0
      Current Local Connections: 0           Current Backup Connections:   0
      Total Connections:         0           Max Connections:              65534
      Total Reused Conns:        0
      Weight:                    1           Load:                         2
      Weight Reporting:          None
    Gilles.

  • Installing an SSL certificate for a CSS 11503

    I'm having the hardest time searching for clear instructions on how to request and install an SSL certificate for a CSS 11503 Content Switch. Can anyone help or point me in the right direction?
    I'm also looking for instructions on how to replace an SSL certificate once it's been installed. Thanks!

    Allen,
    The portion of the configuration guide related to SSL certificates and keys can be found here:
    http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801eea82.html#1422544
    To replace an SSL certificate, you'll need to remove the current certificate and re-import/create the new one.
    ~Zach

  • To set enable password for CSS 11503

    We need to set an enable password on the CSS 11503.
    Can we do this? If yes, how can we do this?

    there is no enable password on the CSS.
    The user is a privileged user or not.
    If you login as a privileged user, you get full access. No need to enable anything.
    CSS11503-2> en
    enable Authenticate for SuperUser mode
    endbranch End a branching command
    CSS11503-2> enable
    Username:
    As you can see above, if you type enable you have to re-login with a superuser account.
    Gilles.
