Info on CSM 4.4

Hi,
   I am evaluating CSM 4.4 and have some questions, hope someone can answer them.
   I imported the config of my most complicated firewall and have those issue:
1- CSM does not support eigrp
router eigrp 115
no auto-summary
distribute-list eigrpACL_Out out interface inside
distribute-list eigrpACL_In in interface inside
eigrp stub static
network x.x.x.x 255.255.255.192
passive-interface default
no passive-interface inside
2- This is not imported into CSM
access-list TNGCnat3 extended permit ip host x.x.x.x host y.y.y.y
static (inside,outside) z.z.z.z access-list TNGCnat3
3- When importing config those are not supported
Line 6:terminal width 170
Line 2358:ip audit signature 1000 disable
Line 2393:no asdm history enable
Line 2395:no arp permit-nonconnected
Line 2742:timeout tcp-proxy-reassembly 0:01:00
Line 2743:timeout floating-conn 0:00:00
Line 2754:service resetinbound
Line 2828:tls-proxy maximum-session 1000
Line 2830:threat-detection basic-threat
Line 2831:threat-detection statistics access-list
Line 2832:no threat-detection statistics tcp-intercept
Line 2911:prompt hostname context state
Line 2912:no call-home reporting anonymous
4- On my firewall I have site-to-site VPN but they are not imported into CSM.
Thanks.

4.4 is a big improvement over previous versions, but there are still a lot of commands it does not support. What I have had to do is when I do a discovery/import of a device, I save a copy of the report and create a flex-config with the unsupported CLI to be appended to the deployed config. We only use it for non critial ASA config due to that issue. No one trusts it enough to use it for the 5585s we have in the data center core. Multi context ASAs are work, but it seems a little kludgy.
VPNs are a bit tricky too. After discovering the device, you have to do a separate discovery for VPN policies and go through that rigamarole.
On the positive..
Image manager is excellent. You can create deployment packages w/ all the files you need (base code, asdm, anyconnect pkg files) and push them out w/ one click.
The event viewer is what we really bought it for. Being able to see all the traffic in one place is worth the cost of the product, IMO.
Cisco should really take a look at Checkpoints management server if they want to see it done right.

Similar Messages

TCP Probe failure on CSM

I have had a customer raise an issue with me. Unfortunately I am not too hot on the CSM.
Switch Type - Cisco WS-C6513
IOS VSN - 12.2(18)SXF4
CSM Module details
Card Type - SLB Application Processor Module
Model - WS-X6066-SLB-APC
Hardware VSN - 1.8
Software VSN - 4.2(5)
I have spotted bug CSCsc38892, but cannot tell if the catakyst is running VRF - this is all the info I have been given.
We have 6500 chassis each with a CSM module in fault tolerance (ft) mode.
The current standby module (at the time it was the active one) reports as per output below that probes failed:
sh mod csm 1 real sf SAPCCP
real server farm weight state conns/hits
10.xxx.xxx.xxx:8000 SAPCCP 8 PROBE_FAILED 0
10.xxx.xxx.xxx:8000 SAPCCP 8 PROBE_FAILED 0
10.xxx.xxx.xxx:8000 SAPCCP 8 PROBE_FAILED 0
Probe failed could be for a number of reasons however the inconsistency is that the failed probes follow the CSM module and that the other module has working probes.
It is to be noted that the command âping module csm 1 10.xxx.xxx.xxxâ reports to be reachable as a good indicator that there is connectivity from the CSM to the server.
The following is the output from the currently active CSM (which used to be the standby one):
sh mod csm 1 real sf SAPCCP
real server farm weight state conns/hits
10.xxx.xxx.xxx:8000 SAPCCP 8 OPERATIONAL 51
10.xxx.xxx.xxx:8000 SAPCCP 8 OPERATIONAL 41
10.xxx.xxx.xxx:8000 SAPCCP 8 OPERATIONAL 52
For info:
FUNCTIONING CSM
sh mod 1
Mod Ports Card Type Model Serial No.
1 4 SLB Application Processor Complex WS-X6066-SLB-APC SAD094803UC
Mod MAC addresses Hw Fw Sw Status
1 0015.f998.a94a to 0015.f998.a951 1.8 4.2(5) Ok
Mod Online Diag Status
1 Pass
relevant config lines
serverfarm SAPCCP
nat server
no nat client
failaction purge
real 10.xxx.xxx.xxx 8000
inservice
real 10.xxx.xxx.xxx 8000
inservice
real 10.xxx.xxx.xxx 8000
inservice
probe ABAP
vserver SAPCCP-VIP
virtual 10.xxx.xxx.xxx tcp www
vlan xxx
serverfarm SAPCCP
sticky 15 group 117
replicate csrp sticky
replicate csrp connection
no persistent rebalance
parse-length 4000
inservice
probe ABAP tcp
interval 2
retries 2
failed 6
open 3
port 8000

Continued:
NON-FUNCTIONING CSM
sh mod 1
Mod Ports Card Type Model Serial No.
1 4 SLB Application Processor Complex WS-X6066-SLB-APC SAD094609ZZ
Mod MAC addresses Hw Fw Sw Status
1 0015.f998.8386 to 0015.f998.838d 1.8 4.2(5) Ok
Mod Online Diag Status
1 Pass
relevant config lines
serverfarm SAPCCP
nat server
no nat client
failaction purge
real 10.xxx.xxx.xxx 8000
inservice
real 10.xxx.xxx.xxx 8000
inservice
real 10.xxx.xxx.xxx 8000
inservice
probe ABAP-CCP
vserver SAPCCP-VIP
virtual 10xxx.xxx.xxx tcp www
vlan xxx
serverfarm SAPCCP
sticky 15 group 117
replicate csrp sticky
replicate csrp connection
no persistent rebalance
parse-length 4000
inservice
probe ABAP-CCP tcp
recover 2
interval 6
retries 2
failed 6
open 5
port 8000
Thanks for any pointers on where to look,
Paul.

ACS not authorising Security Manager devices

Hi I have a setup ACS 4.1 CS-Manager 3.2.2
I have intergrated the CS-Manager into ACS with no problems.
However when I try to add devices into the CS-Manager I get the message "The Device is not in the Cisco Secure ACS"
I have one wildcard entry encompassing all devices and the CS-Manager (TACACS+ (cisco IOS))
I am wondering if CS-Manager is not liking the wildcards.
Unfortunatley as we have 500 or so production devices already using this entry I am not in a position to remove it to test my theory at present.
Any one know if Wildcards are supported for authorising CS-Manager devices?
Regards
Colin

Colin
Assumption: you have CSM's common services integrated correctly into ACS, first with a admin account in acs with full rights and second with the system identity user and pass in the ACS server with full rights as a user (not admin portal) and during the setup of AAA in CS you used the [tick box] to push out the authorization categories from CS into ACS.
Assumption: you have a super admin group in ACS setup that has full rights to CSM authorization categories that was pushed into ACS from Common Services when you first setup AAA in CS. And you have setup a user that is part of that the ACS super admin group.
Three things to check.
1. Under ACS, click the 'Share Profile Components' buttom, check that Common services has pushed out the Authorization categories into ACS, you should see CSM and auto update modules. Drill down into the CSM and check to see which authorization category gives the most access, should be 'System Administrator', make sure that all the tick boxes in this profile is all ticked with no gray or shaded boxes.
2. The user account your logging into CSM is part of the ACS super user group that you created. Check the ACS super user group is correctly matching the CS-manager authorization categories. i.e make sure that you have matched the group that you checked in my previous point, 'System Administrator' or what ever group you created that gave full rights.
3. Finally, you must have the device listed in your network device groups in ACS. Remembering that CSM will check against the ACS's NDG lists and WILL also matches against a FQDN, so if you added domain information into a device in CSM then the device listed in ACS will need to be the FQDN, if its not, then remove the domain name info from CSM and test. (EDIT: This might have been fixed in 3.2.2 not 100% sure but it broke my network in 3.1). I'm going to take a wild stab in the dark and say that the wild card might be failing you because it doesnt match between CSM host name and domain name sections to the ACS host name.
Dale
Oh one final test you can try, log into the end device manually using telnet or ssh using the system identity user and pass. Just double check that the account gets access to the device via tacacs and that you can perform enable access type functions using this account.

Problem with Syncing configuration to our CSM

Recently we have had problems syncing between our pair of redundant CSM's.
Here is the behavior we observe when we run the command on one of our 6500.
! config 6500-2
module ContentSwitchingModule 2
ft group 1 vlan 4
priority 10 alt 20
! config 6500-1
module ContentSwitchingModule 2
ft group 1 vlan 4
6500-2#hw-module csm 2 standby config-sync
After we run this command on 6500-2 the log shows that the sync happens and the CSM config is deleted on 6500-1 and then nothing happens.
Here is the exact logout on each of the 6500.
6500-2(ACTIVE)
May 28 17:45:11.353 est: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Bulk sync started
May 28 17:45:11.369 est: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configurations to Standby CSM, this may take several minutes!
May 28 17:45:12.749 est: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configuration to Standby CSM
May 28 17:45:14.869 est: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configuration to Standby CSM
May 28 17:45:24.345 est: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Manual bulk sync completed
May 28 17:45:24.349 est: %CSM_SLB-4-REDUNDANCY_WARN: Module 2 FT warning: Config Sync does not save Standby running-config to startup-config
6500-1(STANDBY)
May 28 17:45:17.088 est: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Started clearing configuration
May 28 17:45:17.088 est: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Completed clearing configuration
May 28 17:45:17.096 est: %CSM_SLB-4-REDUNDANCY_WARN: Module 2 FT warning: Standby: Config Sync does not save running-config to startup-config
May 28 17:45:17.100 est: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Previous configuration are being deleted from supervisor
May 28 17:45:17.104 est: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Previous configuration being deleted on Standby CSM
May 28 17:45:17.104 est: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: New configuration are being configured
As you can see the configuration ends up being deleted from the STANDBY and the new configuration never gets configured to 6500-1(STANDBY).
We have tried replacing the SUP engine however this did not help. We will try to replace the CSM next. If anyone can shed some light on why this would happen I would apreciate it.

Hi
pls check for IOS bug CSCtd09117 and CSCsx64648

How to upload data from POS Workbench to BW Info Cubes and then to SAP R/3

Hi,
I have used some sample data as input to BAPI "/POSDW/BAPI_POSTR_CREATE" to create sample transactions in POSDM.
Then I had executed this data to POS Workbench.
Now my requirement is to upload this data further to Info Cubes and then to R/3 in IDocs format.
Can anyone please tell me the method to how to do this?
Thanks in advance.

Hi,
Please see the below links,
http://help.sap.com/saphelp_nw04/helpdata/en/bc/5ef84112f49c39e10000000a155106/frameset.htm
http://help.sap.com/saphelp_erp2005/helpdata/en/0f/7af634b576bc4ee10000009b38f83b/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/b7/b6d59344e93443a7ac8934d2acfb55/frameset.htm
Hope this helps,
Regards
CSM Reddy

How to check the size of an info cube?

Dear all
Is there any t-code which can be used to see the total disk space occupied by a specific cube?
I know ST14 can be used for the TOP 30 cubes and stuff.
but my cube is not in top 30.....so how should i see the total size of my cube in bytes?
please help me...i need it urgently
Please dont recommend the SAP note on Sizing...i have it...the caliculation gave me wrong answer!
Total Points assured!!!!
Edited by: reddy reddy on Jan 27, 2008 9:34 AM

Hi,
we can calculate the size of the info cube.using this information
Each keyfiure occupies 10 Bytes of memory
Each Char occupies 6 Bytes of memory
So in an Infocube the maximum number of fields are 256 out of which 233 keyfigure, 16 Dimesions and 6 special char.
So The maximum capacity of a cube
= 233(Key figure)10 + 16(Characteristics)6 + 6(Sp.Char)*6
In general InfoCube size should not exceed 100 GB of data.
While considering sizing, you must consider factors like years of data rewuired for reporting, acceptable repsonse time, database limitations, archiving options, etc.
pl read this document:
[https://websmp209.sap-ag.de/sizing]
Hope this helps,
regards
CSM Reddy

CSM with Veritas HA geographic redundancy fails over without visible reason

Hello.
Cisco Security Manager shuts down and Veritas fails it over to another site, I have no idea why. It is clean installation without elements.
In Veritas engine log I found this:
2013/02/06 12:52:22 VCS INFO V-16-2-13001 (KV-CSM-01-1) Resource(APP_CSManager): Output of the completed operation (monitor) 60012-202: The following process is not running Process= NameServer State = Administrator has shut down this server Pid = 0 RC = 143 Signo = 0 Start = 2/6/2013 12:35:58 PM Stop = 2/6/2013 12:52:05 PM Core = Not applicable Info = Server started by admin request
Veritas CSM resource log:
2013/02/06 12:52:22 VCS ERROR V-16-2-13067 Thread(3916) Agent is calling clean for resource(APP_CSManager) because the resource became OFFLINE unexpectedly, on its own.
CSM syslog:
Feb 06 12:52:08 127.0.0.1 100: <30> dmgt[9004]: 3021(I):Died method called for process (NameServer, pid=9700).Feb 06 12:52:08 127.0.0.1 100: <30> dmgt[9004]: 3021(I):Died method called for process (EDS, pid=8444).
Eds.log is attached.
NameServer.log is empty.
As we can see from monitor.pl (csm agent script), EDS and NameServer are critical processes to run CSM.
What I should do to prevent such behaviour?

CSM - service ftp not working in dispatch mode

I'm trying to convert my CSM load-balancing environment from directed to dispatch mode. I've had success with normal telnet traffic but run into problems with FTP.
My real servers are layer-2 adjacent to the switch.
My config looks like this:
ip slb vlan 19 client
ip address 176.11.16.11 255.255.240.0
ip slb vlan 9 server
ip address 176.11.48.11 255.255.240.0
serverfarm FTP
no nat server
no nat client
real 176.11.48.104
real 176.11.48.110
vserver FTP
virtual 176.11.16.12 tcp ftp service ftp
no unidirectional
serverfarm FTP
I've put a sniffer on the server side vlan and I can see this pattern:
1) Client SYN pkt goes through CSM, gets
routed to server.
2) Server responds with SYN/ACK, but this packet goes directly back to the client (not through the CSM, because I'm not NATing)
3) Client responds with the final ACK, which goes to the CSM, but the CSM eats the packet. When I turn on debug module csm 11 ftp, I see that each time the final ACK is received by the CSM, it outputs these lines:
May 4 20:48:06.758 UTC: CSM11: called slowpath_ftp_rx
May 4 20:48:06.758 UTC: CSM11: no session for ftp rx
the CSM conn display shows:
prot vlan source destination state
In TCP 19 176.11.16.103:1131 176.11.16.12:21 ESTAB
Why doesn't the ACK get processed and sent to the correct server by the CSM?
One additional note: I also tried this same scenario but without specifying 'service ftp' on the virtual server defintion. In that case, the control connection comes up fine but any attempt to bring up a data connection fails (times out). But then again, that's the whole point of 'service ftp', right?

the problem is your point #2.
If you do service ftp, the CSM expects to terminate the connection from the client and open a new one with the server.
This is how the csm can listen to all the info passed between client and server.
Moreover, the csm will need to see the server response to identify which port the server will be listening on for data connection.
So, definitely not a good idea to do direct server return with this type of config.
You should remove the 'service ftp' command and have anothe vserver to catch all data traffic. You could use a vserver with no tcp port or port 20 if your servers are configured to only use port 20.
You can then use sticky-srcip to make sure the control channel and data channel are sent to the same server.
Gilles.

CSM connection stats missing?

Hi
I have a policy-map to insert an Ip address into the http header. I am also binding this to a sticky group using src ip address(See policy ICHAIN1-INSERT).
When I initiate a connection within the policy, although the connection is successful, when I try to view the connection stats (show mod csm 3 conns) my client is not listed in the connection table.
When I remove the "sticky-group 10" command then show the connection table, I see my client listed.
Is this normal behaviour?
Also when I issue the show sticky command the real ip's are garbled as shown:-
10 ip 143.52.208.19 D^OI^TD^Z^P!KP 65282
10 ip 10.6.1.14 P2^hD^Z^D^B*^X 79985
Config;
module ContentSwitchingModule 2
ft group 1 vlan 107
priority 20 alt 10
preempt
vlan 105 client
ip address 10.14.105.6 255.255.255.0
gateway 10.14.105.1
natpool CSM-PR1-USERS 10.14.105.10 10.14.105.18 netmask 255.255.255.0
probe ICHAIN-HTTP1 tcp
interval 10
failed 60
port 80
probe ZEN-APPS1-PRB tcp
interval 10
failed 60
port 524
probe ZEN-LDAP1-PRB tcp
interval 10
failed 60
port 636
probe ZEN-SERVER1-PRB tcp
interval 10
failed 60
port 524
map ICHAIN1-X-FOR header
insert protocol http header X-Forwarded-For header-value %is
real BONG
address 143.52.2.120
inservice
real HUORN
address 10.11.33.44
inservice
real ICHAIN101
address 10.14.72.21
inservice
real ICHAIN202
address 10.14.72.70
inservice
real JOSHUA
address 143.52.2.121
inservice
real KARAKA
address 143.52.2.42
inservice
real KARO
address 10.11.33.30
inservice
real PATE
address 10.11.33.32
inservice
serverfarm ICHAIN-BB1
nat server
nat client CSM-PR1-USERS
predictor leastconns
real name ICHAIN1
inservice
real name ICHAIN2
inservice
probe ICHAIN-HTTP1
serverfarm ZEN-APPS1
nat server
nat client CSM-PR1-USERS
predictor leastconns
real name BONG
inservice
real name JOSHUA
inservice
real name KARO
inservice
real name PATE
inservice
probe ZEN-APPS1-PRB
serverfarm ZEN-LDAP1
nat server
nat client CSM-PR1-USERS
predictor leastconns
real name HUORN
inservice
real name KARAKA
inservice
probe ZEN-LDAP1-PRB
serverfarm ZEN-SERVER1
nat server
nat client CSM-PR1-USERS
predictor leastconns
real name HUORN
inservice
real name KARAKA
inservice
probe ZEN-SERVER1-PRB
sticky 10 netmask 255.255.255.255 timeout 2880
policy ICHAIN1-INSERT
header-map ICHAIN1-X-FOR
sticky-group 10
serverfarm ICHAIN-BB1
vserver VIP-ICHAIN1
virtual 10.14.105.20 tcp www
serverfarm ICHAIN-BB1
sticky 2880 group 10
replicate csrp sticky
replicate csrp connection
persistent rebalance
slb-policy ICHAIN1-INSERT
inservice
vserver VIP-ICHAIN1-SSL
virtual 10.14.105.20 tcp https
serverfarm ICHAIN-BB1
sticky 1440 group 10
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver ZEN-APPS1-VIP
virtual 10.14.105.21 tcp 0
serverfarm ZEN-APPS1
replicate csrp connection
persistent rebalance
inservice
vserver ZEN-LDAP1-VIP
virtual 10.14.105.22 tcp 0
serverfarm ZEN-LDAP1
replicate csrp connection
persistent rebalance
inservice
vserver ZEN-SERVER1-VIP
virtual 10.14.105.23 tcp 0
serverfarm ZEN-SERVER1
replicate csrp connection
persistent rebalance
inservice
Many Thanks
Scott

Hello, I have the same problem running CSM Ver 4.1(7)
Showing connection stats with any of
show module csm 4 conn
show module csm 4 real
do not show any connections nor does it matter if I specify vserver or client or detail as the options
I am using cookie-based sticky and the show mod csm 4 sticky command seems to give correct info so that is not an issue for me

CSM L7 LOAD BALANCING

I need to load-balance trafic with a persistence based on http header "X-Nokia-MSISDN".
Knowing that I'm using the version 4.1(6), the command "http header sticky" is not available (version 4.2 and more).
I've seen that the following command is available "persistent rebalance" with version 4.1(6) but I'm not sure about what is its action.
According to the definition given in the guide (
"The CSM allows HTTP connections to be switched based on (...) fields contained in the HTTP header."
MY QUESTION :
How can you define that persistence should occurs on the "X-Nokia-MSISDN"
http header ?
Thanks for your help
Francois

the persistent rebalance command tells the CSM to look at every HTTP request to select the best server. So, if you have a persistent connection ( 1 tcp connection for many http requests ), the CSM will look at each request.
Otherwise, it only looks at the first request and assumes all the other requests stick to the same server. Which is normally true, except if you have a proxy connecting to your vserver.
You still need 4.2.x to allow sticky on header info.
Gilles.

How will avoid "duplication records" in to info cube

hi friends
what is tha proccesor to avoid duplication records in to info cube
send me notes ...
i will waiting for urs reply

Hi,
1. Set DSO before cube, because DSO has overwrite functionality.
2..Select the check box "ignore duplicate records at infopackage level", while loading data
Regards
CSM Reddy

CSM sticky timeout value - is this an idle timeout value?

We have sticky groups configured in our CSM, with an timeout value of 60 minutes. My question is does the timeout value reference an 'idle' value, such as a user disconnected from the session, and now that timer is counting down from the 60 minutes to 0, to remove the stale session out of CSM?
Or is this some other kind of value? If so, what does the value actually represent?
Group CurrConns Timeout Type
17     290       60       src-ip netmask 255.255.255.255
Also, from this info below, is "this" timeout value in seconds, or should this show in minutes? Or is this a bug that I need to resolve by updating the CSM version? We're still on v2.2(1).
CSM with SSL WS-X6066-SLB-S-K9
Thanks, Tony
switch#sho mod csm 1 sticky group 17
group   sticky-data              real              timeout
17      ip 10.x.x.x            10.x.x.x            3469
17      ip 10.x.x.x            10.x.x.x            3275
17      ip 10.x.x.x            10.x.x.x            3016
17      ip 10.x.x.x            10.x.x.x            2791
17      ip 10.x.x.x            10.x.x.x            879

Hi Ajay, thank you for the response. From your reply, "It appears that you have configured the sticky timeout value higher then the default value. So the sticky timeout value is in minutes," we set each group to have a 60 minute timeout value. I had read from another string that the timeout values I'm seeing in this table were incorrectly displayed, due to an upgraded needed on the CSM. We're running 2.2(1), and I thought I remember reading 4.2.2 was required to correct this bug?
switch#sho mod csm 1 sticky group 17
group   sticky-data              real              timeout
17      ip 10.x.x.x            10.x.x.x            3469
17      ip 10.x.x.x            10.x.x.x            3275
17      ip 10.x.x.x            10.x.x.x            3016
17      ip 10.x.x.x            10.x.x.x            2791
17      ip 10.x.x.x            10.x.x.x            879

Problem with config sync between two CSM-S modules

Hi everybody,
I have a problem with config sync between two CSM-S modules.
I am using CSM-S software version 2.1(8).
The acitve module is used in a 6509 with WS-SUP720-BASE supervisor running software version 12.2(18)SXF12a.
The standby module is used in a 6509-V with VS-S720-10G supervisor (no VSS setup) running software version 12.2(33)SXI3.
Failover seems to work fine:
switch-active#sh modu csm 2 ft
FT group 1, vlan 398
This box is active
Configuration is out-of-sync
priority 150, heartbeat 3, failover 40, preemption is on
switch-standby# sh modu csm 2 ft
FT group 1, vlan 398
This box is in standby state
Configuration is out-of-sync
priority 80, heartbeat 3, failover 40, preemption is on
The command (on active side) "hw-module contentSwitchingModule 2 standby config-sync" leads to following result:
switch-active:
2010-04-14T16:21:45+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56042: Apr 14 16:21:44.223: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Bulk sync started
2010-04-14T16:21:45+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56043: Apr 14 16:21:44.251: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configurations to Standby CSM, this may take several minutes!
2010-04-14T16:21:46+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56044: Apr 14 16:21:45.995: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configuration to Standby CSM
2010-04-14T16:21:51+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56045: Apr 14 16:21:50.831: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configuration to Standby CSM
2010-04-14T16:21:57+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56046: Apr 14 16:21:56.151: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configuration to Standby CSM
2010-04-14T16:22:59+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56047: Apr 14 16:22:58.791: %CSM_SLB-3-REDUNDANCY: Module 2 FT error: Active: Manual bulk sync timed out
2010-04-14T16:22:59+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56048: Apr 14 16:22:58.803: %CSM_SLB-3-REDUNDANCY: Module 2 FT error:
2010-04-14T16:22:59+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56049: FT CONFIG SYNC: Failed config sync entity send
switch-standby:
2010-04-14T16:21:45+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2475: Apr 14 16:21:44.232: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Bulk sync started
2010-04-14T16:21:45+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2476:
2010-04-14T16:21:45+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2477: Apr 14 16:21:44.240: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: STANDBY:Configuration is being received, This may take several minutes!
2010-04-14T16:21:49+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2478: Apr 14 16:21:48.824: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Receiving configuration from Active CSM
2010-04-14T16:21:54+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2479: Apr 14 16:21:53.964: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Receiving configuration from Active CSM
2010-04-14T16:21:59+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2480: Apr 14 16:21:58.852: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Started clearing configuration
2010-04-14T16:21:59+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2481: Apr 14 16:21:59.400: %CSM_SLB-4-REDUNDANCY_WARN: Module 2 FT warning: Standby: Config Sync does not save running-config to startup-config
2010-04-14T16:22:00+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2482: Apr 14 16:21:59.400: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Previous configuration are being deleted from supervisor
The last log message on standby device seems to be correct - there is no CSM configuration after the attempted config sync.
Our configuration includes about 3500 lines and it is really uncomfortable to keep in sync manually.
Maybe someone has the same problem?
kind regards,
Christoph

Hi Christoph,
I am running into the exact same issue. Upon further investigation I've discovered that this is a known bug, CSCtd09117. You can read more about it here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd09117 . Apparently this is fixed in ver 12.2(32.8.11)SX323 .
I haven't had a chance to upgrade yet, so I can't verify the fix, but if it works for you please let me know.
Regards,
Brandon

CSM HTTP problem

Hello
Just came across a problem we are facing and thought to share it.
wondering about the feasibility on the CSM to forward HTTP requests to a "Service not available" web page (which could be available on a web server located on the same server(s), i.e. front-end web server) when a particular threshold is reached on the Load-Balancer that control access to web services. This way, the user does not start the process of generating myKey then fails due to busy system (congestion of resources), as the clean-up process is pretty heavy.
Thanks for the help!

Hi Aser,
I think you ned to configure backup serverfarm so that in case of primary server unavailable the backup servers can process further requests.
Whenever the primary serverfarm is down (all its vservers have failed or are down), the CSM will start using the sorry serverfarm servers to serve requests to the vserver.
new connection will use the backup serverfarm but existing active connection will try to use the old serverfarm.
You need to configure a 'failaction [purge|reassign]' to change this behavior.
The CSM only allow 1 backup server. When a client is connected to a server, it stays connected to that server even if a new server goes up. Only new connections from the client would be sent to a different server.
Please read my previous matching post for more info:
https://supportforums.cisco.com/thread/2056310?tstart=0
HTH
Sachin Garg

CSCur37347 - CSM 4.6sp1 find usage shows "Unable to display any data"

Is there any solution for this issue at the moment?
The suggested workaround (Recreate the CSM index using CSM Client > Tools > Cisco Security Manger - Administration > Customize Desktop > Recreate Index.) helps for a few minutes.

Hi Ben,
Is there a way I can collect more relevant statistics
about network usage with SunMC, using the "MIB-II
Instrumentation" module, or something else within
SunMC?It sounds like a general problem with PRM: though if the Data Availability tab shows it's pulling Kernel Reader data every hour, then it should show your MIB-II info as well.
Even then octet counts aren't terribly useful: they're just big numbers that get bigger: you really need to see rates over time to get an idea of what your network is doing.
You could try the SystemMonitor module that's part of PlusPack:
http://www.halcyoninc.com/products/PlusPack/help/SystemMonitor/HALSolarisSystemAlert-network-h.html
It shows MB/minute rates for each interface. If that's the type of info you need then you can enable those numbers for PRM or Reporter instead.
Regards,
[email protected]
http://www.HalcyonInc.com

Info on CSM 4.4

Similar Messages

Maybe you are looking for