Layer 5 port 80 content rule breaks realaudio.

I have some layer 5 content rules we are using to filter viruses:
content block_.ida
protocol tcp
port 80
url "/*"
header-field-rule .ida weight 0
add service drop
active
header-field-group .ida
header-field .ida request-line contain ".ida"
This does a great job of filtering what we want; however, realaudio, which uses port 80, fails. If I disable the content rule, the realaudio traffic works.
Any ideas?
Thanks!

Thanks for the response. We only have the one real audio stream. I have not seen any reference to .ida within the stream.
Is there any way to create a content rule stating that all realvideo traffic on port 80 go directly to the original destination with no further processing by the CSS?

Similar Messages

  • Port 443 content rule, can the CSS see inside the cookie ?

    Hi Gilles/everyone,
    With a content rule using port 443, can we use cookie based stickiness or is the cookie also encrypted?
    cheers,
    Mike

    also encrypted.
    No way to see it without an SSL module to decrypt.
    Gilles.

  • Using a content rule for port translation.

    If I set up a content rule to grab traffic on a VIP on port 81, can I then send it to a server that is configured for port 80 ?
    cheers,
    Mike

    If I receive a udp packet with the source port 123, can CSS forward this packet to the server, but replace the source port with something greater than 1023?
    As far as I know, CSS doesn't NAT for udp ports less than 1023.

  • Sticky sessions across multiple content rules

    Hi,
    If a client PC initiates two requests which match different content rules on a CSS (first request http port 80 to CSS VIP downloads a small application. This application then sends a second request to the VIP, on tcp port 8085) can sticky rules be configured on the CSS content rules, so that they hit the same destination server, given that both content rules contain the same services, and hence be considered part of the same session?
    Thanks

    There is no sticky across content rules option on the CSS.
    But there are solutions to this problem.
    First, are you doing anything special with your HTTP content rule ? Like cookies or url inspection ?
    If not, you can group the 2 content rules into a single one. You will have 1 Layer3 rule instead of 2 Layer 4 rules.
    If you have L5-7 rules [http inspection], the previous solution is not possible.
    You will need to maintain 2 rules.
    You could then use a 'balance srcip' balancing method on both rules.
    This algorithm is deterministic.
    The same client will always go to the same server.
    Hope this helps.
    Regards,
    Gilles.
    Thanks for rating.
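
The deterministic behaviour described above for 'balance srcip', as an added example that is not part of the original thread. It uses a simple hash-modulo model (an assumption; the CSS's actual hash function is not given on this page), and the service names and client addresses are constructed.

```python
import hashlib
import ipaddress

# Constructed service lists for the two content rules (port 80 and port 8085).
RULE_HTTP = ["web1", "web2", "web3"]
RULE_APP = ["web1", "web2", "web3"]


def pick_service(client_ip, services):
    """Model of source-IP balancing: hash the client address and index into
    the rule's service list. Assumption: plain hash-modulo, not the CSS's
    actual algorithm."""
    packed = ipaddress.ip_address(client_ip).packed
    digest = hashlib.sha256(packed).digest()
    return services[int.from_bytes(digest[:4], "big") % len(services)]


def sticky_across_rules(client_ip, rule_a, rule_b):
    """True when both rules send this client to the same server."""
    return pick_service(client_ip, rule_a) == pick_service(client_ip, rule_b)


def mismatches(clients, rule_a, rule_b):
    """Clients whose two requests would land on different servers."""
    return [c for c in clients if not sticky_across_rules(c, rule_a, rule_b)]


# Constructed client addresses (documentation range 192.0.2.0/24).
CLIENTS = [f"192.0.2.{i}" for i in range(1, 51)]

if __name__ == "__main__":
    # Same services in the same order: every client is consistent.
    print("identical lists:", mismatches(CLIENTS, RULE_HTTP, RULE_APP))
    # In this model the agreement depends on both rules indexing the same
    # list: a reordered list or a missing member breaks it.
    print("reordered list:",
          len(mismatches(CLIENTS, RULE_HTTP, ["web3", "web1", "web2"])))
    print("one member missing:",
          len(mismatches(CLIENTS, RULE_HTTP, ["web1", "web2"])))
```
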

  • Content rule Content CSS 11 500 question

    I have the following question: is the port number in a content rule the port to which the content switch forwards or the port on which it listens?
    Suppose I have a URL www.myname.org
    When I receive this on the content switch I want to redirect it to the backend on port 8080. How can I do this?

    Frederik,
    Your content rule is what we call a Layer 5 Content Rule since it has a HTTP URL field in its matching criteria.
    This means the CSS will be listening for traffic that is heading towards VIP Address 10.5.1.1 on port 40918 AND that it matches a certain URL. This URL in your case is "//domain.be/*".
    When traffic is initiated to VIP 10.5.1.1, the CSS will use Layer 5 information such as the URL included in the client requests to match the traffic to this content rule.
    When you use a browser to access this desired page, your DNS will probably return 10.5.1.1 for domain.be, telling your browser to make a request to VIP 10.5.1.1 and URL "//domain.be/*".
    Please take a look at this link for more information.
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_820/cntlbgd/contrule.htm#wp1037654
    Hope it helps.

  • I am not able to telnet my content rule VIP address

    I am not able to telnet to my content rule VIP address and port number. But I am able to telnet directly to the service servers, which are added into the content rule set. Can anyone tell me why? I have updated to the latest WEBOS 5.00 Build 69. The content switch model is 11050. Thank you very much.

    Is it possible to have one-armed and in-line in the same content switch?
    Currently I have some content rules using a one-armed solution; there is only one rule where I need to make the server see the original IP. I guess my question is, can I have this rule use the in-line solution only, so I will not have to impact the other rule sets?
    The other question: since this content rule's service server has only one interface, can I have this in-line solution go into the content switch and come out of the content switch in the same server farm switch? Thank you for all the help.

  • Content rules issue - request directed to the wrong content

    Hi,
    We have the following setup;
    Requests to www.oursite.com go to the content rule LB_FD_87. Requests to www.oursite.com/water/* go to the more specific content rule FD/WATER_LB_87. Sometimes, for inexplicable reasons, requests for www.oursite.com/water/* are sent to the content rule LB_FD_87 instead of the more specific rule FD/WATER_LB_87 and the client gets a 404 error. Anyone have a clue?
    our setup:
    dql FD_87
    domain www.oursite.com index 1
    owner FD
    content LB_FD_87
    add service W0_FD_3.71
    add service W1_FD_3.81
    protocol tcp
    vip address XXX.XXX.29.87
    port 80
    balance leastconn
    advanced-balance arrowpoint-cookie
    active
    owner FD_nonbalance
    content FD/WATER_LB_87
    vip address XXX.XXX.29.87
    add service W3_GL_3.160
    protocol tcp
    port 80
    url "/water*" dql FD_87
    active
    Thanks for your help
    Wig

    Hi Gilles,
    I don't understand your suggestion.
    I don't think increasing the flow timeout will help since according to CISCO documentation that will only permit to the flow to stay idle longer.
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801ee806.html#wp1013729
    CISCO DOC: "Configuring Flow Inactivity Timeouts on Content Rules and Source Groups
    Use this feature with a CSS to configure flow inactivity timeout values for TCP and UDP flows on a per content rule and per source group basis. This timeout value is not the frequency with which a CSS reclaims flow resources, but is the time period that must elapse for an idle flow before the CSS marks the flow for cleanup. "
    And I am not sure what you mean by "the CSS it will stop looking into the content to detect if a remapping to a better rule is required". I think you mean that the CSS will look for another content rule if a content rule does not respond to a request. But our understanding is that a CSS looks for the more specific content rule to serve a request, and if all the services of that content rule are dead the packet is dropped, not sent to another content rule.
    We did test that with specific and less specific content rules, and if the more specific content rule has all its services dead the packet is dropped, not sent to the least specific content rule.
    Thanks for your interest in our problem.
    We cannot reproduce this problem but still find the line sporadically in the web server log.

  • CS-150-LAN extra content rule disables all access to website

    We have a CS-150-LAN Content switch with software version 6.10Build203. Yesterday for no apparent reason we lost connectivity to our website through our CSS. To get around this issue we removed all content rules except for the "everything-else" rule.
    owner http://www.acmi.net.au
    content AIC
    add service acmi-web3
    url "//www.acmi.net.au/AIC*"
    protocol tcp
    port 80
    vip address 203.14.59.174
    content everything-else
    add service acmi-web1
    vip address 203.14.59.174
    protocol tcp
    port 80
    active
    owner http://www.vceart.com
    content everything
    add service acmi-web3
    vip address 203.14.59.175
    protocol tcp
    port 80
    active
    What is happening now is that when I create an additional content rule it then times out all connections to our website http://www.acmi.net.au. If I suspend the additional rule "AIC" the website comes back online. We need these additional content rules for accessing subsites. Please help.
    Thanks

    Here are the sho service summary and show summary outputs
    Owner            Content Rules    State      Services   Service Hits
    www.acmi.net.au  AIC              Suspended  acmi-web3  6
                     everything-else  Active     acmi-web1  243
                                                 acmi-web2  340
    www.vceart.com   everything       Active     acmi-web3  23
    sec-css-11150# sh service summary
    Service Name  State  Conn  Weight  Avg Load  State Transitions  Idx
    acmi-web1     Alive  2     1       2         2                  2
    acmi-web2     Alive  9     1       23        2                  3
    acmi-web3     Alive  1     1       17        2                  4
    The content rule AIC is suspended because if I activate it, it then makes the website www.acmi.net.au unreachable and times out.
    This config was working from day one with the AIC content rule and about another 9 content rules under the owner www.acmi.net.au
    If I add the url "/*" command to the content rule "everything-else" this also hangs the site www.acmi.net.au

  • Use of content rule vs source group for NATing

    To NAT outgoing flows out of two servers, is it necessary to define a content rule and source group (or is just a source group sufficient?).
    Having trouble with Option 2.
    Option 1:
    service svr1
    ip address 192.168.10.1
    no port
    protocol tcp
    active
    Also does CSS do NAPT i.e. alter the source port number for outgoing packets from source groups?
    service svr2
    ip address 192.168.10.2
    no port
    protocol tcp
    active
    content outflows
    protocol tcp
    add service svr1
    add service svr2
    vip address <externalip>
    active
    group outgrp
    vip address <external ip>
    add service svr1
    add service svr2
    active
    <add appropriate acl>
    Option 2:
    service svr1
    ip address 192.168.10.1
    no port
    protocol tcp
    active
    service svr2
    ip address 192.168.10.2
    no port
    protocol tcp
    active
    group outgrp
    vip address <external ip>
    add service svr1
    add service svr2
    active
    <add appropriate acl>

    To NAT connections initiated by the server, you only need a source group.
    No need for a content rule.
    The CSS will port nat.
    Gilles.

  • One Arm config Domain Name Content rule

    Hi Guys
    How does a domain name content rule work in a one-arm config?
    What do we put in source groups as the VIP address?
    Does it need host headers in the web server as a requirement?
    How does the client request get completed?
    Any help much appreciated.

    Thanks for your reply Jim,
    This is what I am trying to do in a One arm config topology
    ( As the CSS guide ( cntntgd.pdf ) says under Configuring a Domain Name content rule)
    The CSS allows you to use a domain name in place of, or in conjunction with, a
    VIP address in a content rule. Using a domain name in a content rule enables you
    to:
    Enable service provisioning to be independent of IP-to-domain name mappings
    Provision cache bandwidth as needed based on domain names
    So I am trying to create a content rule with a domain name instead of VIP address. For ex.
    content domainRule3
    protocol tcp
    port 80
    url "//domain.com/*"
    add service Serv1
    active
    group servers
    add destination service Serv1
    VIP address  ???????? ( what should we put in here )
    In this case what do we put as the VIP address in source groups, and how does the traffic flow from the client to the actual server in a one-arm topology? I am trying this topology where we have multiple sites configured with the same IP address with host headers.
    My assumption is that I should configure DNS servers with the VIP address for domain.com and use that as the VIP address in the source group. But how does the actual traffic flow from client to servers?
    Many thanks.

  • Defining virtual servers using content-rules

    Can multiple virtual servers be "bound" to a single real server when all of the virtual servers have the same ip address and port, with the only difference between each virtual server being a unique content rule applied to each? (This is more of a migration issue, than a load-balance issue)

    I assume you are saying Web(HTTP) and the answer is yes.
    1. Your server should have name-based virtual hosting enabled if your server only uses 1 IP address.
    2. In CSS, you can use a single service for this server or use different services with a different keepalive uri for each service.
    3. You can use a number of unique Content rules (same VIP, TCP 80 with different URLs) and add the service to them.
    Remarks: If you want to use unique Content rules, you should make them differ by URL, otherwise all the content rules are the same and you can't activate all of them.
    Another suggestion: If your server already supports Name-VHOST, you can use just a single L4 Content rule and all the traffic would be handled by that server (service).

  • SSL Content rules based on uri

    I don't seem to be able to construct an ssl content rule that allows delineation by uri. The documentation says to set the rule as follows for ssl:
    vip address x.x.x.x
    add service abcd
    add service defg
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    uri "/*"
    active
    This works but if I try to change the uri to:
    uri "/CSO/html/SignOn.html" the rule stops working.
    Is it possible to do this?????

    That's the nature of SSL.
    All traffic is encrypted to avoid people to look at it.
    So, the CSS does not see and has no way to see the URL.
    With 'url "/*"' it works because it means any URL.
    Gilles.

  • Content rule URL matches

    Is there a way to have a user going to http://www.xxx.com/ redirected to http://www.xxx.com/subdir?
    I am trying to match on a domain in a URL statement in a content rule and then have the client redirected to a subdirectory on the same domain. This doesn't appear to work because the redirect string has the same domain and also matches the URL string in the content rule, creating a loop of sorts.

    Thought your suggestion would work, but it didn't. Here is the before and after code.
    service www_elearning_to_https
    ip address 172.20.4.138
    keepalive type none
    type redirect
    no prepend-http
    redirect-string https://www.elearning.xxx.ca/sapportal/
    active
    content www_elearning_to_https
    vip address 214.114.133.112
    add service www_elearning_to_https
    protocol tcp
    port 80
    url "/*"
    active
    content www_elearning
    vip address 214.114.133.112
    add service cwh-ott-nt-019-www_elearning
    active
    The above works, but fails when the following is added. Shouldn't it match on the URL and permit the traffic to flow?
    content www_elearning_sapportal
    vip address 214.114.133.112
    add service cwh-ott-nt-019-www_elearning
    protocol tcp
    port 443
    url "//www.elearning.xxx.ca/sapportal/*"
    active
    Thanks.

  • Porting table contents to other system

    Hi experts,
    We have created custom table ZXXX and table maintenance generator. We have maintained the data in development box. We have ported the transport request to other box. The TR contains function group, table, Table contents (TDDAT, TVDIR) and definition of maintenance and Transport Object.
    But, after porting we can't see the contents of the table.
    My question is, how can we port table contents to other boxes?
    Thanks & Regards,
    Keya

    In the table definition you have to specify "delivery class" = C to have the data written to the transport request.
    You can add the table contents manually to your request as R3TR TABU tablename key values (e.g. client*)

  • LD416 (Ver4.2.5) specification content-rule

    I have a LocalDirector 416 with 4.2.5.
    How do I define the rules for content load balancing
    with https?
    First of all, is it impossible by specification?
    As follows:
    content-rule rule01 depth 1024 "/aaa/"
    content-rule rule02 depth 1024 "/bbb/"
    virtual 10.1.1.1:443:0:tcp1 is
    virtual 10.1.1.1:443:0:tcp:rule01 is
    virtual 10.1.1.1:443:0:tcp:rule02 is
    bind 10.1.1.1:443:0:tcp 10.1.1.2:443:0:tcp
    bind 10.1.1.1:443:0:tcp:rule01 10.1.1.3:443:0:tcp
    bind 10.1.1.1:443:0:tcp:rule02 10.1.1.2:443:0:tcp
    sticky 10.1.1.1:443:0:tcp 10 ssl

    I found the following comments about CSS.
    All traffic is encrypted to avoid people to look at it.
    So, the CSS does not see and has no way to see the URL.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.eea6243
    Does this correspond to Local Director?
