Remove Health Care (keepalives) CSS 11503
Hi,
We normally distribute the load between two servers by checking if the server its active (using TCP 80), yesterday, we want to remove the Health Care (keepalives) due to a maintenance test, to sent the traffic direct to the server, but the service stop working.
We think we didn’t remove the health care properly, could anybody please help me to know hoe to remove it?
We are using CSS 11503, I’m adding the config.
Thanks
CSS11503-2(config)# service Linux2
CSS11503-2(config-service[Linux2])# ip add 192.168.20.41
CSS11503-2(config-service[Linux2])# active
CSS11503-2(config-service[Linux2])# show service Linux2
Name: Linux2 Index: 33
Type: Local State: Alive
Rule ( 192.168.20.41 ANY ANY )
Session Redundancy: Disabled
Redirect Domain:
Redirect String:
Keepalive: (ICMP 5 3 5 )
Keepalive Encryption: Disabled
Last Clearing of Stats Counters: 08/12/2009 05:29:24
Mtu: 1500 State Transitions: 0
Total Local Connections: 0 Total Backup Connections: 0
Current Local Connections: 0 Current Backup Connections: 0
Total Connections: 0 Max Connections: 65534
Total Reused Conns: 0
Weight: 1 Load: 2
Weight Reporting: None
CSS11503-2(config-service[Linux2])# keepalive type none
CSS11503-2(config-service[Linux2])# show service Linux2
Name: Linux2 Index: 33
Type: Local State: Alive
Rule ( 192.168.20.41 ANY ANY )
Session Redundancy: Disabled
Redirect Domain:
Redirect String:
Keepalive: (NONE 5 3 5 )
Keepalive Encryption: Disabled
Last Clearing of Stats Counters: 08/12/2009 05:29:24
Mtu: 1500 State Transitions: 1
Total Local Connections: 0 Total Backup Connections: 0
Current Local Connections: 0 Current Backup Connections: 0
Total Connections: 0 Max Connections: 65534
Total Reused Conns: 0
Weight: 1 Load: 2
Weight Reporting: None
CSS11503-2(config-service[Linux2])#
Same if the service is down before disabling the keepalive.
CSS11503-2(config-service[Linux2])# keepalive type icmp
CSS11503-2(config-service[Linux2])# show service Linux2
Name: Linux2 Index: 33
Type: Local State: Down
Rule ( 192.168.20.41 ANY ANY )
Session Redundancy: Disabled
Redirect Domain:
Redirect String:
Keepalive: (ICMP 5 3 5 )
Keepalive Encryption: Disabled
Last Clearing of Stats Counters: 08/12/2009 05:31:42
Mtu: 1500 State Transitions: 4
Total Local Connections: 0 Total Backup Connections: 0
Current Local Connections: 0 Current Backup Connections: 0
Total Connections: 0 Max Connections: 65534
Total Reused Conns: 0
Weight: 1 Load: 255
Weight Reporting: None
CSS11503-2(config-service[Linux2])# keepalive type none
CSS11503-2(config-service[Linux2])# show service Linux2
Name: Linux2 Index: 33
Type: Local State: Alive
Rule ( 192.168.20.41 ANY ANY )
Session Redundancy: Disabled
Redirect Domain:
Redirect String:
Keepalive: (NONE 5 3 5 )
Keepalive Encryption: Disabled
Last Clearing of Stats Counters: 08/12/2009 05:36:08
Mtu: 1500 State Transitions: 5
Total Local Connections: 0 Total Backup Connections: 0
Current Local Connections: 0 Current Backup Connections: 0
Total Connections: 0 Max Connections: 65534
Total Reused Conns: 0
Weight: 1 Load: 2
Weight Reporting: None
Gilles.
Similar Messages
-
Installing an SSL certificate for a CSS 11503
I'm having the hardest time searching for clear instructions on how to request and install an SSL certificate for a CSS 11503 Content Switch. Can anyone help or point me in the right direction?
I'm also looking for instructions on how to replace an SSL certificate once it's been installed. Thanks!Allen,
The portion of the configuration guide related to SSL certificates and keys can be found here:
http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801eea82.html#1422544
To replace an SSL certificate, you'll need to remove the current certificate and re-import/create the new one.
~Zach -
CSS 11503 does not ask confirmation
Hi,
Our CSS 11503 does not ask confirmation when I want to delete or add a service, owner or group.
Here is the log of some deletion and addition a service:
11503_Master(config)# sh run ser mtsopa01-9700
service mtsopa01-9700
ip address A.B.C.D
protocol tcp
port 9700
keepalive type http
keepalive port 9700
active
11503_Master(config)# no service mtsopa01-9700
11503_Master(config)# (As you see there is no confirmation)
11503_Master(config)# service mtsopa01-9700
11503_Master(config-service[mtsopa01-9700])# (As you see there is no confirmation)
11503_Master(config-service[mtsopa01-9700])# ip address A.B.C.D
11503_Master(config-service[mtsopa01-9700])# protocol tcp
11503_Master(config-service[mtsopa01-9700])# port 9700
11503_Master(config-service[mtsopa01-9700])# keepalive type http
11503_Master(config-service[mtsopa01-9700])# keepalive port 9700
11503_Master(config-service[mtsopa01-9700])# active
Have you any idea?
PS:
Version: sg0750103 (07.50.1.03)
Product Name: CSS11503-AC J0do a 'show profile'
You are probably in expert mode.
CSS11503-2# sho prof
@no terminal more
@prompt CSS11503-2
@expert <=====
do 'no expert' to revert to normal mode and don't forget to do a save profile.
Gilles. -
The senerio contains a PIX 515 E firewall,4507R Chassis switch and a CSS 11503. The servers in inside zone of the PIX is load balanced using a vip with default route specified in the CSS is the inside zone interface IP of the PIX
Now I would like to load balance the servers in the DMZ zone of the PIX with a separate vip(from DMZ zone) in the same CSS. Since the default route in CSS is towards the inside zone of the PIX, I am unable to see the load blanced pages from dmz. Is there any solution to load balance the servers of the 2 zones with 2 different vip's using a single css ?The default behavior is to use the calling device's CSS for the redirected calls. In your case it sounds like you want to use the redirecting device's CSS. I haven't tried this myself but I believe you will need to change the following registry entry on your PGs. You will want to use option 2 (ROUTEADDRESS_SEARCH_SPACE).
HKEY_LOCAL_MACHINE\SOFTWARE\Cisco
Systems,Inc.\ICM\IPCCL\PG1B\PG\CurrentVersion\JGWS\jgw1\JGWData\Dynamic
"UseRouteAddressSearchSpace"=dword:00000000
- Used to control behavior on CTI Route Points for Route Selects.
UseRouteAddressSearchSpace can be to set 0, 1, or 2 where :
DEFAULT_SEARCH_SPACE = 0
CALLINGADDRESS_SEARCH_SPACE = 1
ROUTEADDRESS_SEARCH_SPACE = 2 -
Health Care Adapter Installation Error - SQLException: ORA-00439
Hello,
While attempting to install the SOA Health Care in Windows development environment against an XE database the below error was seen. Any thoughts?
Oracle_SOA1\bin>ant -f ant-soahc-postinstall.xml
replaceSqlScript:
[sql] Executing resource: C:\Oracle\MiddlewareHCA\Oracle_SOA1\soa\thirdpar
ty\healthcare\b2b_mv.sql
[sql] Failed to execute: CREATE MATERIALIZED VIEW LOG ON b2b_business_
message WITH ROWID, SEQUENCE (ext_business_message, channel_name, direction, cre
ated, native_msg_size, doctype_name, doc_protocol_version, doc_protocol_name) IN
CLUDING NEW VALUES
BUILD FAILED
C:\Oracle\MiddlewareHCA\Oracle_SOA1\bin\ant-soahc-postinstall.xml:92: The follow
ing error occurred while executing this line:
C:\Oracle\MiddlewareHCA\Oracle_SOA1\bin\ant-soahc-postinstall.xml:314: java.sql.
SQLException: ORA-00439: feature not enabled: Advanced replicationShreekant,
would you mind sharing the solution.
prakash -
CSS 11503 load-balancing with MS Print Servers
We are trying to load-balance print server connections between 2 MS print servers. When we try to connect to the print servers name, (\\PS01) or even the VIP address, we get a Path not found error. However, if we direct the path to the actual name or ip address of the print servers (not the VIP), we can view all the queues and connect/print to them. Is this possible to do on the CSS 11503? Thanks.
Pete- Here is our config. See any problems?
configure
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 1.100.100.100 1
!************************* INTERFACE *************************
interface 1/2
bridge vlan 2
!************************** CIRCUIT **************************
circuit VLAN1
ip address 1.100.101.110 255.0.0.0
circuit VLAN2
ip address 10.100.249.1 255.255.255.0
!************************** SERVICE **************************
service ps01
ip address 10.100.249.5
active
service ps02
ip address 10.100.249.6
active
!*************************** OWNER ***************************
owner printserver
content L3_Basic
add service ps01
add service ps02
vip address 1.100.100.35 -
CSS 11503 - question on version
We're about to do an annual OS update to our CSS 11503, and I noticed that there are two current versions of WebNS, both released in the same month: 8.10.4.01 and 8.20.2.01. Could anyone outline for me the differences between the two (or point me to the right release notes)? I usually upgrade to the latest release, but having two at the same time is awfully confusing.
Thank you!They are essentially the same.
We always port all fix to both of them.
Release notes are here :
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/release/note/RN810_X.html
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/release/note/RN820_X.html
Gilles. -
CSS 11503 in Active Active mode
Can we configure CSS 11503 in Active/Active mode, means can multiple context would be configured?
Thanks & Regards,
Shahzad.Here you go
Assumptions:
VIP 10.10.10.100 is Master on the CSS 2 and backup on the CSS1
VIP 10.10.10.101 is Master on the CSS1 and backup on the CSS1
Vlan 10 is the Server Vlan (Redundant Interfaces here)
Vlan 20 is the Client vlan (Redundant Vips here)
Services for VIP 10.10.10.100 (real server) have default gateway pointing to redundant interface 172.20.40.253
Services for VIP 10.10.10.101 (real server) have default gateway pointing to redundant interface 172.20.40.254
CSS #1
circuit VLAN10
ip address 172.20.40.1 255.255.255.0
ip virtual-router 1 priority 101 preempt
ip virtual-router 2
ip-redundant-interface 1 172.20.40.253
ip-redundant-interface 2 172.20.40.254
Circuit VLAN20
ip address 10.10.10.1 255.255.255.0
ip virtual-router 3 priority 101 preempt
ip virtual-router 4
ip redundant-vip 3 10.10.10.101
ip redundant-vip 4 10.10.10.100
CSS #2
circuit VLAN10
ip address 172.20.40.2 255.255.255.0
ip virtual-router 1
ip virtual-router 2 priority 101 preempt
ip-redundant-interface 1 172.20.40.253
ip-redundant-interface 2 172.20.40.254
Circuit VLAN20
ip address 10.10.10.2 255.255.255.0
ip virtual-router 3
ip virtual-router 4 priority 101 preempt
ip redundant-vip 3 10.10.10.101
ip redundant-vip 4 10.10.10.100
More details at
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/VIPRedun.html#wp1112245
Syed Iftekhar Ahmed -
I currently have a CSS 11503 LB that I am using to balance 443 and 80 traffic and I have it working but my question is if a users are coming from a proxy should I continue to use Layer 3 LB technique? Also is it possible to see the real IP address instead of the IP of the proxy server?
the problem with proxy is if you use some form of stickyness like sticky src ip.
Since the src ip is always the proxy, you end up with all your traffic going to a single server.
If you are doing sticky src ip, I would suggest to use arrowpoint-cookie instead.
To see the real-ip you need your proxy to insert in the http header a 'x-forwarded-for' line with the client ip.
Your servers can then extract this value to determine the client ip.
On the CSS you won't be able to see the client-ip.
Gilles. -
Health care benefit plan -- Smoker
Hi all ,
While configuring the benefit plans under health care I create cost variants where none of them selected the option Smoker. IN the infotype 376 I marked my employee as smoker. While trying to enroll to benefits from HRBEN0001 my assumption is that none of the plans will be offered since my employee is smoker and none of the cost variants checked smoker. But still I am able to enroll in one of the plans.
How is this cost variant controlling the employee in the enrollment process. can anyone please explain me .
Thanks,
Daniel.Hi,
I believe when specifically checked as smoker, the plans will be only available to employee with smoker checked. Though never tried this.
Regards,
Somar -
Apparently "Canadian Health&Care" hacked my computer and sent out a message to everyone on my address list. I need to have them blocked.
Email may not be the best way to move pictures.
There are lots of ways of moving files.
A simple and popular way to copy files and share files among your devices.
https://www.dropbox.com/
"Box lets you store all of your content online, so you can access, manage and share it from anywhere. Integrate Box with Google Apps and Salesforce and access Box on mobile devices" Rated the most secure cloud storage by SkyHigh Networks.
https://www.box.com/
Using iTunes to transfer files:
http://support.apple.com/kb/HT4094?viewlocale=en_US&locale=en_US
Files Connect -- "Cloud Storage services like Dropbox, MobileMe iDisk, Google Docs/Picasa, Facebook photos, FTP, SFTP, WebDAV ... AFS (Apple File Shares) SMB (Windows shares) protocols"
https://itunes.apple.com/us/app/files-connect/id404324302?mt=8
Windows File server
http://itunes.apple.com/us/app/filebrowser-access-files-on/id364738545?mt=8
"The kiteworks mobile file sharing solution provides secure creation, viewing, and sharing of enterprise content on smartphones and tablets while providing IT and security teams the administrative controls to manage user privileges and access rights necessary to ensure enterprise security and compliance." " Includes choice of private cloud on-premise."
http://www.accellion.com/solutions/mobile-enablement/mobile-file-sharing
"Dukto is a simple application that allows you to share files between devices connected to the same (wireless) LAN network."
http://www.tidal.it/?page_id=309&lang=en
http://www.msec.it/blog/?page_id=11 -
I would like to know how to ask to add a Health Care Provide to Health Vault ? I use Facey Medical Group as my current provider. They have a web site called MyFacey Connect which has all of my medical records. It would be very helpful if they
would be able to sync with Health Vault.Hello,
At this time Facey Medical Group does not sync directly with HealthVault, but you can upload your medical records into HealthVault. To do this contact Facey Medical and request your records in either a CCD (Continuity of Care Document, or CCR Continuity
of Care Record) and then you can upload to your HealthVault account.
To upload
your data as CCD or CCR, please follow these steps:
Download
the CCD or CCR to your local computer
Then go to http://healthvault.com
Once signed in, select Documents and under Documents select either CCD or CCR
then select add
Your medical info will then be added to your HealthVault account
Thanks and please let us know if you have further questions
Tomas
MS HealthVault Support -
Global Cerificate on CSS 11503
Hi
I am planning to enable https for few web servers behind a CSS 11503. I have tested the functionality with the trial cert every thing works as desired.
Now I need to buy a certificate from Verisign to make it work in production.
At verisign they offer two different certs (Secure Site --40 bits encryption) and (Secure Site Pro -- 128 bit encryption).
1. Is this 128 bit cert a "global cert"? and I need to concatenate the "intermediate cert" and "server cert" to make it work?
2. If all my users are in USA then does it make sense to buy this 128 bit certificate?
3. Verisign website also asks for "server Platform" and cisco is not mentioned as an option (I can see other LB as F5 in the list). What should I select for the server Platform when I am requesting it for CSS 11503 (I have generated the CSR on CSS 11503).
Thanks in advance
Glenn1.The guy who picked the phone at verisign had no clue.Verisign website says the following
Secure Site Certificate (40bit minimum)- SSL Certificates without SGC
To install your SSL Certificate, go to the instructions below for your server software. If your server is not listed or you need additional information, refer to your server documentation or contact your server vendor
Secure Site Pro Certificate(128bit minimum) - SSL Certificates with SGC
If you are installing an SSL Certificate with SGC, you need to copy an Intermediate CA Certificate before proceeding to the installation instructions for your server software.
2.My understanding was that 40 bit is minimum encryption level and only old browsers (exported ones) will us 40/56 bit ciphers. Other wise even with 40 bit certificate the new browsers will establish a 128 bit session.
Verisign says about their 40 bit certificate
"40-Bit to 256-Bit SSL Encryption Non-SGC SSL Certificates provide a minimum of 40-bit and up to 256-bit SSL encryption. Site visitors using certain older browsers and many Windows 2000 users will only receive 40- or 56-bit encryption unless they’re connecting to an SGC-enabled SSL Certificate"
I found a document on net in favor of buying 40 bit certs.
http://www.whichssl.com/myths_about_sgc.html
Gilles I am a bit confused here.Need HELP :) -
Health care sends out call for more IT security pros
The only problem I see, and the reason they may be clamoring for help, is they are always posting jobs requiring Health Care industry experience. My wife who is a nurse at several hospitals says most of the I.T. staff are nurses who have transitioned into I.T. If they aren't open to hiring qualified people without clinical experience or background they will continue to have problems hiring qualified I.T. staff.
This is common for many industries in the U.S. They keep saying they can't find qualified I.T. staff, yet they are not willing to bend a little on their requirements.If you're a security pro looking for a mid-career industry switch, you might want to look into the health care industry.With the fast-paced introduction of electronic medical records (EMR), electronic health records (EHR), wearables, health-monitoring devices, and data analytics,CSO reportshealth care industry leaders are "scrambling to catch up with the demand forstaff to manage and support these technological advances." Health care facilities are consequently looking for IT security pros that understand the intricacies of the HIPAA privacy laws.Speaking with CSO, Brad Elster, president of Health care IT Leaders, explains, "EMR installations at U.S. hospitals, fueled by federal incentives, have been a major catalyst for IT job growth in health care. Many of our hospital and health system clients have seen their IT departments grow by...
This topic first appeared in the Spiceworks Community -
Routing non-TCP/UDP traffic while using FWLB on CSS 11503s
Hello all,
I've been tasked to setup up FWLB with CSS 11503's as shown below. The issue is that intranet workstations use VPN client software when connecting to certain sites through the Internet and other times they use http or https (for connection to different sites). Because no flow is setup for ipsec and ECMP uses per packet routing for non TCP/UDP traffic, I'm concerned that load balancing through the firewalls will occur on a per packet basis. If that is true, stateful inspection in the firewalls will block asymmetrical traffic flows.
Is my understanding correct? And, if so, is there a way to configure the CSS units to deal with this?
Thanks in advance.
(sorry for the dots in the drawing but the spaces kept getting deleted)
.| Internet |
..........|
.| CSS-outside |
.............|
........|...............|
.| FW1 |.....| FW2 |
.......|................|
............|
.| CSS-inside |
............|
.| Intranet |for non-flowy traffic like IPSEC, we use a hash algorithm to decide where to send the traffic.
So, it's not per packet loadbalancing.
The same source/destination ip/port will always go to the same firewall.
Gilles.
Maybe you are looking for
-
Hi, May I know whether Tcode J1IIEXCP is not a country specific? Wehn User tries this TCode,it displays dump as 'It needs country Code org. value as * '. User is an specfic country user giving him country code as *, leads to problem. Whether their is
-
Using URL Alias in "main rule" for a new portal desktop.
Hi I am having a scenario : I am having two different business functionality. For accessing them separately i have to create to different portal desktops. Each one will have there own iviews and roles. BUT They can have similar user ids. I.e. same us
-
Why does my computer occasionally/randomly tell me "I need to restart..." - in four languages. Something ain't right.
-
I am trying to quit my safari but it won't do it.. The only response I get is the one of closing the window. I can't shut down my computer or restart it because of this. Can somebody please tell me what to do?
-
Dear All, When we should go for which delta method and is there any specific reason for this. What we use in real time scenerio. Thanks, Saveen Kumar