Implementing two Cisco CSS 11154's in an ISP environment.

Hi All,
My boss has asked me to implement CSS11154's as redundant loadbalancers in our network. We are an ISP that hosts client machines.
My initial plan is as follows:
A quick example:
clientA has 3 webservers
clientB has 2 webservers
Both clients want to loadbalance http traffic on their webservers.
webserverA1 webserverA2 and webserverA3 are connected to switchA
webserverB1 and webserverB2 are connected to switchB
switchA is connected to ethernet port1 on a CSS11154
switchB is connected to ethernet port2 on a CSS11154
The CSS balances traffic addressed to VIP-A over IPADDR-A1, IPADDR-A2 and IPADDR-A3
The CSS balances traffic addressed to VIP-B over IPADDR-B1 and IPADDR-B2
this example is without the second CSS.
Then there is the with / without firewall part:
I can create 2 vlans with the following config:
vlan1 ethernet port 1, 2, 3, 4, 5, 6 and 13
vlan2 ethernet port 7, 8, 9, 10, 11, 12 and 14
port 13 (Gigabit) is connected to our core-switch so clients connected to port 1 through 6 can loadbalance with a direct internet connection
port 14 (Gigabit) is connected to a switch behind a PIX firewall.
This is all possible right?
Then there is the redundancy part.
How do I get the backup CSS to communicate with the active primary? Is it possible through the management interface?
Could anyone tell me if this is a good setup, and if there are caveats in this plan.
Also maybe other things I must look at (software version etc)
Thanks in advance...
Bastiaan
PS: I know I have to read more of the documentation before I start this, but this design plan is for presentation to my boss.

Hi,
Please see my answers inline beginning with >>>>
Please be aware I can only give you conceptual information due to the lack of specifics.
clientA has 3 webservers
clientB has 2 webservers
Both clients want to loadbalance http traffic on their webservers.
webserverA1 webserverA2 and webserverA3 are connected to switchA
webserverB1 and webserverB2 are connected to switchB
switchA is connected to ethernet port1 on a CSS11154
switchB is connected to ethernet port2 on a CSS11154
>>>>No Problem
The CSS balances traffic addressed to VIP-A over IPADDR-A1, IPADDR-A2 and IPADDR-A3
The CSS balances traffic addressed to VIP-B over IPADDR-B1 and IPADDR-B2
this example is without the second CSS.
>>>>No Problem
Then there is the with / without firewall part:
I can create 2 vlans with the following config:
vlan1 ethernet port 1, 2, 3, 4, 5, 6 and 13
vlan2 ethernet port 7, 8, 9, 10, 11, 12 and 14
port 13 (Gigabit) is connected to our core-switch so clients connected to port 1 through 6 can loadbalance with a direct internet connection
port 14 (Gigabit) is connected to a switch behind a PIX firewall.
This is all possible right?
>>>> Can't see any problem
Then there is the redundancy part.
How do I get the backup CSS to communicate with the active primary? Is it possible through the management interface?
>>>>No, not a good idea. From what you have here it is better to use VIP and interface redundancy. This uses a VRRP protocol which runs across the uplinks and downlinks. The 2 CSS need to be on the same layer 2 segment and do not require a dedicated interface. It also gives you the ability to run in an active-active state. Client A can be active on CSS A and Client B can be active on CSS B. If one of the switches fails then the other switch will take over for all services. One downfall of this is that you need to make sure one CSS can handle all the load in case of a failure.
I will send you a doco separately so that you can have a look at the redundancy methods.
Could anyone tell me if this is a good setup, and if there are caveats in this plan.
Also maybe other things I must look at (software version etc)
>>>Latest 5.00 train on CCO is a good choice.
Cheers
Phil
Cisco Systems

Similar Messages

  • Security on the Cisco CSS

    I have a Cisco CSS 11501s attached to a Cisco 6000. I am using the CSS in a one-arm design, which is basically a router on a stick. The Cisco 6000 only provides layer 2 switching. It utilizes 1 Ethernet interface on a single VLAN.
    I configure 3 VIPs for client connection.
    - VIP 1 for SSL
    - VIP 2 is for the clear text traffic from the
    VIP1/proxy list.
    - VIP 3 is for redirecting clear text traffic from
    the client.
    - All VIPs use the same address, but differing
    ports.
    I have a source group for all outbound traffic to the server farm. I tried to block traffic to the clear text interface, but I blocked all traffic. Is there an issue with one security of VIPs in a one-arm design?
    Any design ideas?
    Thank you

    Hi,
    If I understand correctly, you want to block the traffic destined to the VIP which is actually meant for the back-end traffic with the server once it is off the proxy-list. I understand you use VIP2 for this purpose as per your question, and it is the same as the client-side IP range.
    Here is the solution: just use a config known as the "full-proxy" configuration by Cisco on the CSS. To do this you would need two different IP ranges. One would be for your client side (the one resolved by DNS) and the other could be a different IP range, preferably a non-routable private IP range like 192.168.x.x, for the back-end server segment. You will now pick a VIP from the server segment and assign it in the proxy-list with the 'cipher' specs.
    In essence, this way you wouldn't be forced using the same VIP range for the servers and for the clients as well. You can have a private range on the back-end. This prevents traffic being targeted to your server segment from the client segment in the clear http in your case.
    thanks

  • Cisco CSS ICS via DWDM

    We are currently splitting up a campus installation (2 datacenters with < 300m cable distance).
    One datacenter remains on the campus, the other one is moved to another part of the town, approx. 30km away.
    The two datacenters are interconnected using DWDM (don't have the exact specs at the moment, but I think we have got the equivalent of 16 duplexed 4Gb/s connections between the two data centers)
    So far we have been able to move most of the equipment (including several members of Oracle RAC clusters on Linux and OpenVMS, VPN server farms, ESX cluster members and similar services), but we do not seem to be able to get the Cisco CSS ICS link up on the DWDM.
    Is there anything we can ask the DWDM provider to check, or is there no chance to get the ICS link up over DWDM?

    Hi Martin,
    I guess you are referring to ISC port, right?
    As per CSS documentation: You must connect the ISC ports directly to the two CSSs. You cannot use Layer 2 devices on the ISC links between the two CSSs. Also, the ISC links must be dedicated to passing only ISC traffic.
    For that reason I believe you need to reconsider your plan.
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/ASR.html#wp1038263
    Best regards,
    Ahmad

  • Cisco css http keepalive is not working with GET command

    Dear all
    I have a Cisco CSS connected to a Dell server (via switch)
    Cisco CSS - 192.168.1.3 and Dell Server - 192.168.1.5
    Dell server is set up with windows 2009R2 and Apache HTTPD is version 2.2
    This server is dedicated to hosting multiple domains with Apache, like
    www.abc.co.uk
    www.xyz.co.uk
    Now the client wants to set up the HTTP keepalive with a specific web page like /testpage.html for all these domains. I have tested with a single URI. It is working; the commands are
    (config)# service serv1
    (config-service[serv1])# ip address 192.168.1.5
    (config-service[serv1])# keepalive type http
    (config-service[serv1])# keepalive method head    ( GET I have not used due to hash mismatch with the Apache server; if I use GET it is not working)
    (config-service[serv1])# keepalive uri "/testpage.html"
    (config-service[serv1])# active
    It is working with a single URI, but how can I do the same thing for multiple domains?
    For multiple domains do I need to use a script, or can I use commands?
    If I need to use a script, the script is
    !no echo
    ! Filename: httptag-test
    ! Parameters: HostName WebPage HostTag
    ! Description:
    !       This script will connect to the remote host and do an HTTP
    !   GET method upon the web page that the user has asked for.
    !   This script also adds a host tag to the GET request.
    ! Failure Upon:
    !   1. Not establishing a connection with the host.
    !       2. Not receiving an HTTP status "200 OK"
    if ${ARGS}[#] "NEQ" "3"
            echo "Usage: httptag-test \'Hostname WebPage HostTag\'"
            exit script 1
    endbranch
    ! Defines:
    set HostName "${ARGS}[1]"
    set WebPage "${ARGS}[2]"
    set HostTag "${ARGS}[3]"
    ! Connect to the remote Host
    set EXIT_MSG "Connection Failure"
    socket connect host ${HostName} port 80 tcp
    ! Send the GET request for the web page
    set EXIT_MSG "Send: Failed"
    socket send ${SOCKET} "GET ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
    ! Send the HEAD request for the web page
    set EXIT_MSG "Send: Failed"
    socket send ${SOCKET} "HEAD ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
    ! Wait for a good status code
    set EXIT_MSG "Waitfor: Failed"
    socket waitfor ${SOCKET} "200 OK"
    no set EXIT_MSG
    socket disconnect ${SOCKET}sh w
    exit script 0
    In the script I have not used GET because, when the CSS sends a GET request to Apache it uses a hash, but Apache is not able to respond with the same hash and it shows that the website is down. More information: click the URL below
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdKeepC.html#wp1139668
    (config-keepalive) method
    I have uploaded in CSS with httptag-test file and applied these commands
    service comp.brit.co.uk-80
      keepalive port 80
      ip address 192.168.1.5
      keepalive frequency 10
    keepalive maxfailure 2
    keepalive retryperiod 10
    keepalive type script httptag-test "192.168.1.5 /testpage.html  www.abc.co.uk
    keepalive type script httptag-test "192.168.1.5 /testpage.html  www.xyz.co.uk
    but this script is not working
    My question is:
    1. Do I need to use a script to set up the HTTP keepalive with a web page for multiple domains?
    2. Without using a script, is there any solution like Cisco CSS commands to set up an HTTP URI for multiple domains which are on 1 single server?
    Please help me asap

    Hello Muhammad,
    If you wish to use multiple domains for a URI keep-alive check, and perform a HEAD request, what Daniel mentioned is correct. You have to use a scripted keep-alive check on the service. However, you should not use the default "ap-kal-httptag" script to do so as it's limited to only 1 website (unless you modify the script). Your best bet would be using the "ap-kal-httplist" script on the CSS as it allows the checking of 2 different websites along with a webpage to check for each site using the HTTP HEAD method.
    !no echo
    ! Filename: ap-kal-httplist
    ! Parameters: Site1 WebPage1 Site2 WebPage2 [...]
    ! Description:
    !    This script will connect a list of sites/webpage pairs.  The
    !   user must simply supply the site, and then the webpage and
    !   we'll attempt to do an HTTP HEAD on that page.
    ! Failure Upon:
    !   1. Not establishing a connection with the host.
    !   2. Not receiving a status code 200 on the HEAD request on any
    !      one site.  If one fails, the script fails.
    ! Make sure the user has a qualified number of arguments
    if ${ARGS}[#] "LT" "2"
            echo "Usage: ap-kal-httplist \'WebSite1 WebPage1 WebSite2 WebPage2 ...'"
            exit script 1
    endbranch
    while ${ARGS}[#] "GT" "0"
            set Site "${ARGS}[1]"
        var-shift ARGS
        if ${ARGS}[#] "==" "0"
            set EXIT_MSG "Parameter mismatch: hostname present but webpage was not"
            exit script 1
        endbranch
        set Page "${ARGS}[1]"
        var-shift ARGS
        no set EXIT_MSG
        function HeadUrl call "${Site} ${Page}"
    endbranch
    exit script 0
    function HeadUrl begin
    ! Connect to the remote Host
    set EXIT_MSG "Connect: Failed to connect to ${ARGS}[1]"
    socket connect host ${ARGS}[1] port 80 tcp 2000
    ! Send the head request
    set EXIT_MSG "Send: Failed to send to ${ARGS}[1]"
    socket send ${SOCKET} "HEAD ${ARGS}[2] HTTP/1.0\n\n"
    ! Wait for the status code 200 to be given to us
    set EXIT_MSG "Waitfor: Failed to wait for '200' on ${ARGS}[1]"
    socket waitfor ${SOCKET} " 200 " 2000
    no set EXIT_MSG
    socket disconnect ${SOCKET}
    function HeadUrl end
    Rather than modify the default "ap-kal-httplist" script on the CSS I would simply define the arguments within the service configuration itself. Something like the following (using your service example):
    service dell-192.168.1.5
    ip address 192.168.1.5
    keepalive type script ap-kal-httplist "www.abc.co.uk /testpage.html www.xyz.co.uk /testpage.html"
    active
    As long as the server is configured to reply to host headers, and the page is configured to return a "200 OK", the above service configuration should work. If there are any errors simply run "show service  " to view why there was a failure. If there is a failure, and the output from the command specified shows a line number, run the following command against the script to view at what point (line) the failure occurred:
    show script ap-kal-httplist line-numbers
    Hope this helps!
    - Jason Espino
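
The per-domain check discussed in this thread, as a stand-alone Python script (an added example, not code from the thread or from Cisco): it connects to the server's IP address, sends one HEAD request per domain with an explicit Host header, and reports the service down if any domain fails to return 200. The function names and the local demo server are constructed for illustration; the two domains and the page are the ones from the post.

```python
"""Added example: HEAD health check per virtual host; every host must return 200."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def head_status(server_ip, port, host_header, page, timeout=2.0):
    """Send one HEAD request with an explicit Host header and return the status code.

    Returns None when the connection fails or the reply has no valid status line.
    """
    request = (
        f"HEAD {page} HTTP/1.1\r\n"   # CRLF line endings, as HTTP requires
        f"Host: {host_header}\r\n"    # selects the name-based virtual host
        "Connection: close\r\n\r\n"
    ).encode("ascii")
    try:
        with socket.create_connection((server_ip, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            # Read only until the first line is complete; the rest is not needed.
            while b"\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:  # refused, unreachable or timed out
        return None
    # Parse the status line itself rather than searching the reply for " 200 ".
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def check_service(server_ip, port, checks, timeout=2.0):
    """Run every (host_header, page) check; the service is alive only if all pass.

    Returns (alive, failures) where failures lists (host_header, page, status).
    """
    failures = []
    for host_header, page in checks:
        status = head_status(server_ip, port, host_header, page, timeout)
        if status != 200:
            failures.append((host_header, page, status))
    return (not failures, failures)


# --- Constructed demo server standing in for the Apache host in the post ---
KNOWN_VHOSTS = {"www.abc.co.uk", "www.xyz.co.uk"}


class _VhostHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        host = (self.headers.get("Host") or "").split(":")[0]
        ok = host in KNOWN_VHOSTS and self.path == "/testpage.html"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_demo_server():
    """Start the constructed virtual-host server on a free loopback port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _VhostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_demo_server()
    try:
        good = [("www.abc.co.uk", "/testpage.html"), ("www.xyz.co.uk", "/testpage.html")]
        bad = good + [("www.missing.example", "/testpage.html")]
        print("both domains:", check_service("127.0.0.1", port, good))
        print("one unknown :", check_service("127.0.0.1", port, bad))
    finally:
        server.shutdown()
        server.server_close()
```
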

  • Looking for a two-column CSS layout

    I am looking for a two-column CSS layout that is centered with blank space on the sides, so the layout does not expand across the entire screen, but instead uses a portion of it (such as 75%). The left column would be for navigation and I haven't decided if I want it to be liquid or fixed, but the right column for content would be liquid. There would also be a heading div and navigation div across the top and a footer across the bottom.
    While looking for sample sites I keep finding ones that use three columns, and I'm worried that if I remove the third column that the layout will break at some point, even if I don't see it in my test browsers. I'm also discovering that some of the sample pages out there don't respond well when I resize the browser window. The columns don't have a minimum width or they stack on top of each other at some point.
    There are so many different techniques to use when designing a layout with CSS, some better than others, that I thought maybe some people here may already know what's tried and true and what should be avoided. Are any layouts robust enough to allow a third column to be added at a future date if needed? I also like the idea of putting the content div first in the code, to improve search engine indexing and also to aid those who may be using a screen reader, but if that feature makes the coding much more complex then I could see why I might avoid it for now.

    Sorry Nancy, I didn't see your post for some reason. At least we agree (o:
    Jo
    "josie1one" <[email protected]> wrote in message
    news:g4tv32$57f$[email protected]..
    >I have DW8 and am very happy with this:
    >
    http://projectseven.com/products/templates/pagepacks/cssmagic/index.htm
    >
    >
    > --
    > Jo

  • Problem with fax relay between two Cisco 5350

    I have two cisco 5350 with the following setting:
    Originating cisco :
    voice service voip
    fax protocol t38 ls-redundancy 3 hs-redundancy 0 fallback none
    dial-peer voice 1 voip
    huntstop
    destination-pattern 111
    session target ipv4:xxx.xxx.xxx.xxx
    tech-prefix 011
    fax rate 4800
    fax protocol t38 ls-redundancy 3 hs-redundancy 0 fallback none
    no vad
    Terminating cisco :
    dial-peer voice 71 voip
    huntstop
    incoming called-number 111
    fax rate 4800
    fax protocol t38 ls-redundancy 3 hs-redundancy 0 fallback none
    no vad
    voice service voip
    fax protocol t38 ls-redundancy 3 hs-redundancy 0 fallback none
    So using such settings i can not send faxes.
    How can i find the problem ?

    Hi,
    I tried to use ls-redundancy 0 but - no result. When the faxes are trying to connect to each other - I can hear the tones, but it sounds like a short tone and then silence.
    Also I used the following commands to solve the problem:
    -fax nfs 000000 at voip peer, fax interface-type and fax interface-type fax-mail. But no result also.

  • Two Cisco Routers in one class-c network

    Hello,
    i have two cisco routers, which are connected to one switch. On this switch, there are several servers connected as well.
    When i connected the second cisco router, i got messages on the first router, that there is an ip address conflict. After a few minutes it seems as if the vpn tunnel on the first router breaks down because of this conflict. I'm not sure about this, but when i disconnected the second router again, the vpn tunnel could be established again. The vpn tunnel goes to another router via WAN and ends in the local class-c network, where both routers are in.
    Router1
    LAN 192.168.105.254 (255.255.255.0)
    WAN 212.xxx.xxx.xxx
    ||
    ||
    Cisco Switch
    ||
    ||
    Router2
    LAN IP 192.168.105.253 (255.255.255.0)
    WAN IP 217.xxx.xxx.xxx
    Router1
    int fa 0/1
    ip address 192.168.105.254 255.255.255.0
    Router2
    int fa 0/1
    ip address 192.168.105.253 255.255.255.0
    Could the /24 mask on the interfaces cause the conflicts?
    From the servers, none has the ip 192.168.105.253 or 192.168.105.254 and if i disconnect Router2, the IP 192.168.105.253 is not reachable from any system on the switch.
    So how does this ip address conflict occur?

    hello,
    can you check the router 1 log. with error message you should have a mac address
    May 10 05:32:20.489: %IP-4-DUPADDR: Duplicate address 10.10.10.1 on GigabitEthernet0/1.1, sourced by 0003.oc12.a2c3
    This should help you to identify host already with 192.168.105.253.
    Before connecting Router 2, from Router 1 ping 192.168.105.253 and do a sh arp ?
    HTH,
    regards,
    cisand

  • Etherchannel two cisco 3750 stacks for iscsi?

    I have two sites connected by 96 strands of fibre. At each site I have an IBMv7000 replicating to the other one. For iSCSI traffic I have two Cisco 3750 switches, each in a 2 switch stack.
    SAN A                         Fibre Link                          SAN B
            |                                                                        |
    Cisco Stack A =========================Cisco Stack B
            |                                                                        |
            |                                                                        |
    iSCSI Clients                                                       iSCSI Clients
    My question: Is it ok to connect the two stacks with etherchannel using the fibre links? Will it provide the necessary redundancy if one of the interfaces goes down?

    What model numbers of 3750 are you using?
    What is the distance between the stacks as this will dictate your fiber run modules.

  • IPSec with two Cisco RV220W's

    I have two Cisco RV220W's. FTP over my VPN is so slow that I have to slow down the FTP transfer to about 10kbps in order to keep the transfer steady. Trying to move TB's of information at that speed is not reasonable. What will resolve this issue?

    Also, if the IP Helper command is used to relay DHCP request to the root bridge side router.....
    will the VLAN settings (trunks) on non-root bridge side router work ok since I will need to remove the DHCP pools configured there...... Or is it a better idea to keep it there and just exclude addresses that are available to the other side, and vice versa???
    I say this because the non-root bridge is also going to serve for wireless clients as well, and has VLANs set up on it so I'm guessing the non-root bridge side router needs the DHCP pools for both VLANs intact, for VLANs to operate correctly.
    Please give me your insight on this....

  • Bridge with two Cisco AP's

    Hello Everyone,
    So I have a scenario here and I’m wondering if this plan I have will work flawlessly or is there anything I have to lookout for?
    So I'm going to bridge two Cisco AP's 1260 and 3500, which have an 880 router on each side.
    (Currently I have a VPN set-up through the internet for the two locations to communicate)
    (Naturally they are currently in different subnets)
    Will absolutely change this and set up as one subnet.
    There is VLANs setup on each router (same VLANs)
    VLAN 1
    And
    VLAN 10
    Everything is configured on the Routers and AP's for these VLANs (works flawlessly over the VPN).
    So now since I’m going to get rid of the VPN and set-up a bridge with two AP's, will having same VLANs across both routers be a problem?
    Will VLANs work OK through the bridge?
    Besides using (IP helper address DHCP-IP) command on the non-root bridge side router to forward DHCP requests to the root bridge side router,
    Is there anything else I have to consider?
    Also I want to be able to route internet traffic on the non-root bridge side through the WAN port, and only route LAN traffic through the bridge...
    Will I have to use Access list for this?
    Sorry everyone...
    I know this is a lot I'm throwing out there...
    Thanks in Advance
    Regards,
    Ed

    Also, if the IP Helper command is used to relay DHCP request to the root bridge side router.....
    will the VLAN settings (trunks) on non-root bridge side router work ok since I will need to remove the DHCP pools configured there...... Or is it a better idea to keep it there and just exclude addresses that are available to the other side, and vice versa???
    I say this because the non-root bridge is also going to serve for wireless clients as well, and has VLANs set up on it so I'm guessing the non-root bridge side router needs the DHCP pools for both VLANs intact, for VLANs to operate correctly.
    Please give me your insight on this....

  • Implementing two generic interfaces

    I have a generic interface,
    public interface Callback<R> {
       void result(R r);
    }
    Now I want to implement two Callback interfaces, like this
    class X implements Callback<Type1>, Callback<Type2> {
       public void result(Type1 r) {};
       public void result(Type2 r) {};
    }
    But Eclipse tells me "The interface Callback cannot be implemented more than once with different arguments".
    I don't see the reason why really. The two overloaded result methods have different signatures so there shouldn't be any problem in resolving the correct one based on parameter type in principle.
    Does anybody know the reason for this restriction or is it maybe an issue with Eclipse. I'm using Eclipse 3.2M5a and Java 6.0 beta.

    mlk has the correct answer, but here's some more explanation:
    Generics are only used at compile time. The actual bytecode specifies the base object type (aka type erasure), in this case Object. When you implement a generified interface, the compiler will generate a bridge method from the erased type to the specific type.
    Some examples should make this clearer.
    First, your interface. If you run javap on the compiled class, you'll see that it only defines a single method, "void result(Object)".
    Code that invokes the interface, like this:
        Callback<String> foo = \\
        foo.result("bar");
    also gets translated to a call on the base type. As far as the compiled class is concerned, there is no type safety. However, the compiler will complain if you pass something other than a String.
    The implementation class is where things get interesting:
    public class TestCallback implements Callback<String> {
      public void result(String x) {
      }
    }
    If you run javap on this class, you'll see that it contains two implementations of result(): one that takes a String, and one that takes an Object. If you look at the bytecode, the latter performs a cast on the Object and invokes the String variant.

  • Cisco CSS 11501 - High-Availabilty

    We have a single CSS 11501 and were thinking about just buying a new one and putting it online as the standby with stateful (hopefully) failover, but weren't sure that this would work.
    Does anyone know what is needed to create a high-availability Cisco CSS 11501 environment?
    Do you only need 2 CSS 11501 and then configure them with one being active and the other being in a standby mode, like a PIX?
    Is there a HA Cable that would need to be connected between the 2 CSS's?
    Thanks in advance.
    Joe

    Daniel,
    There is a new stateful failover mechanism for the Cisco CSS 11500.
    This description is a bit "salesy" I know, but it covers the question asked :-)
    The Cisco CSS 11500 delivers ASR—the industry's first stateful Layer 5 session redundancy feature that enables failover of important flows while maximizing performance. Some flows—such as a long-lived File Transfer Protocol (FTP) or a database session—may be mission critical, but many are not. Most solutions on the market today require all traffic—important or not—to be backed up from one box to another. If the majority of flows are not critical, then most of system performance is wasted on unnecessary backups. With ASR, the Cisco CSS 11500 may be configured so critical flows are marked as replication worthy, whereas others do not need to be so marked. ASR focuses traffic management resources precisely where needed.
    Better yet, have a look at the following link focusing on the section on Stateless Redundancy.
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_510/advcfggd/redndncy.htm
    Regards
    Pete..

  • Default Gateway on CSS 11154

    Hello,
    I just set up my CSS 11154 and I assigned the IP address to the Mgmt interface. I can ping it if I'm on the same subnet, but if I'm across a routed interface, I cannot. I didn't see anywhere to put in a "default-gateway" parameter like on a regular switch. So, I just put in the
    ip route 0.0.0.0 0.0.0.0 10.1.0.1
    statement, thinking that would do the trick. It doesn't work. Any suggestions. Here's my config:
    CSS11150# show run
    !Generated on 01/01/1981 00:00:34
    !Active version: ap0500033
    configure
    !*************************** GLOBAL ***************************
    bridge spanning-tree disabled
    ip route 0.0.0.0 0.0.0.0 10.1.0.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    interface e2
    phy 100Mbits-FD
    interface e3
    phy 100Mbits-FD
    interface e4
    phy 100Mbits-FD
    interface e5
    phy 100Mbits-FD
    interface e6
    phy 100Mbits-FD
    interface e7
    phy 100Mbits-FD
    interface e8
    phy 100Mbits-FD
    interface e9
    phy 100Mbits-FD
    interface e10
    phy 100Mbits-FD
    interface e11
    phy 100Mbits-FD
    interface e12
    phy 100Mbits-FD
    !************************** CIRCUIT **************************
    circuit VLAN1
    ip address 20.33.33.33 255.255.255.0
    CSS11150#

    Hi Gilles,
    It doesn't appear as though the "ip management route" is a valid command. Here's my version and what I have as options when issuing the "ip" command:
    CSS11150(config)# version
    Version: ap0500033 (5.00 Build 33)
    Flash (Locked): 5.00 Build 33
    Flash (Operational): 5.00 Build 33
    Type: PRIMARY
    Licensed Cmd Set(s): Standard Feature Set
    CSS11150(config)# ip ?
    ecmp Set the equal-cost multipath selection algorithm
    firewall Configure firewall load-balancing route
    no-implicit-service Do not start an implicit service for the next hop of
    static routes
    opportunistic Set the IP opportunistic layer-3 forwarding mode
    record-route Enable processing of frames with a record-route option
    redundancy Enable box-to-box redundancy
    route Configure a static route
    source-route Enable processing of source-routed frames
    subnet-broadcast Enable forwarding of subnet broadcast addressed frames
    uncond-bridging Do not allow routing lookup to override bridging decision
    CSS11150(config)# ip
    Any suggestions?
    Also, your comment regarding "you can't have the same route pointing to a management interface and to a regular interface." What does that mean? I'm treating these things as basically the same as a regular 29xx/35xx switch, but there are definitely differences.
    Thanks,
    Dave

  • Nortel Alteon rules conversion to Cisco CSS

    We currently have some servers that are being load serviced by an Alteon content switch. The rules were not written or are supported by our group. We have a printout of the config but it is a bear to translate. Are there any tools to translate the config to Cisco CSS style?
    Thanks,
    John

    John,
    There are no tools to translate Alteon to Cisco CSS. For long configs, it can be a tedious process.
    I have seen in the past tools to convert configs from one Cisco load balancer to another type, but never for conversion of configs between vendors.
    -Steve

  • Getting logs for DOS Attack:Sync Attack on cisco CSS 11501 frequently.

    Hi ,
    For a couple of weeks, I have been getting the below DOS attack logs on the Cisco CSS. Can anyone help me out with how we can avoid this, and how to deal with it?
    04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
    04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
    04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
    04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
    04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
    Thanks
    Manish

    Hi Nicolas,
    I am asking about the DOS attack because I am facing some issues with the 2 VIPs configured on the Cisco CSS 11501.
    Can you help me troubleshoot the issue?
    I have been coming across some load balancing issues for the 2 VIPs configured on the Cisco CSS 11501.
    We have a Cisco CSS 11501. We have 2 VIPs configured on it for FE and BE servers. Now the client calls the FE VIP and the LB forwards it to the server, and then the FE server calls the BE VIP, which goes through the same LB and is forwarded to the BE server under the VIP. When we start a load test, we have observed that after a 2 hour test the application team is getting HTTP timeouts. As this application is used by a call center, getting timeouts is bad.
    Need to troubleshoot this issue if there is any problem from LB End.
    Please find the attached file for VIP configs.
