Sorry Server for CSS 11500
Hi,
I have a question regarding sorry server configuration on the CSS 11500 series.
Is there a way for the sorry server to ignore the URL path and always send the user traffic to the "root" page (e.g. index.html) of the sorry server web server?
The problem I have is the redirection of the "root" page (url "/") that is configured for the normal traffic is causing the sorry page not to work since the URL path ("/psp/CUSTOMER1/?cmd=login") does not exist on the sorry page web server:
service Sorry-Server
protocol tcp
port 8000
keepalive type tcp
ip address 192.168.2.254
active
service server1
ip address 192.168.2.101
protocol tcp
keepalive type tcp
port 8080
active
service server2
ip address 192.168.2.102
protocol tcp
keepalive type tcp
port 8080
active
owner Customer1
content Content1
vip address 192.168.1.101
port 80
protocol tcp
url "/*"
balance aca
advanced-balance arrowpoint-cookie
flow-timeout-multiplier 6
add service server1
add service server2
primarySorryServer Sorry-Server
active
content Content1-Redirect
redirect "/psp/CUSTOMER1/?cmd=login"
vip address 192.168.1.101
port 80
protocol tcp
url "/"
active
Thanks in advance for your help!
Best regards,
Harry
Hi again,
During a maintenance window I made the following change and that made things a bit better:
service Sorry-Server
type redirect
keepalive type none
redirect-string "192.168.2.254:8000"
active
However, since the redirect string points to a private address, Internet users are not able to access the URL.
As a work-around I sent the redirect to a new content rule with a public address and then configured a second sorry page server:
service Sorry-Server
type redirect
keepalive type none
redirect-string "sorry.example.com:8000"
active
service Sorry-Server-2
ip address 192.168.2.254
protocol tcp
port 8000
keepalive type tcp
active
owner Customer1
content Content2
vip address x.x.x.x
add service Sorry-Server-2
port 8000
protocol tcp
active
Is there a better way to do this?
Best regards,
Harry
Similar Messages
-
How to configure Sorry server for HTTPS (443) port. Sorry server works fine with HTTP, But not with 443
In the following config, if server1 and server2 are down, the HTTP requests go to the Sorry Server, but for HTTPS nothing is displayed. I am running the sorry server on port 81.
Please suggest
!************************** SERVICE **************************
service prisorry
ip address 10.100.11.11
keepalive type http
keepalive port 81
port 81
active
service secsorry
ip address 10.100.11.12
keepalive port 81
keepalive type http
port 81
active
service server1
ip address 10.100.11.11
keepalive type http
keepalive port 80
active
service server2
ip address 10.100.11.12
keepalive type http
keepalive port 80
active
!*************************** OWNER ***************************
owner Loadbalancing
content L4Rule1
protocol tcp
add service server2
add service server1
port 80
url "/*"
vip address 10.100.11.4
advanced-balance sticky-srcip-dstport
primarySorryServer prisorry
secondarySorryServer secsorry
active
content L4Rule2
protocol tcp
add service server2
port 443
add service server1
vip address 10.100.11.4
advanced-balance sticky-srcip-dstport
primarySorryServer prisorry
secondarySorryServer secsorry
application ssl
active
content L4Rule3
add service server2
protocol tcp
port 1443
add service server1
vip address 10.100.11.4
advanced-balance sticky-srcip-dstport
primarySorryServer prisorry
secondarySorryServer secsorry
active
Thanks
I just deployed a couple 11050's the other day so my experience is limited, but I'd guess your problem is that, when using the Primary Sorry Server, you end up with clients sending HTTPS requests to an HTTP port. Having HTTPS requests redirected to HTTP ports is one thing because the client then makes an HTTP request to that port, but the way you have it above, it appears to me that the client will be talking HTTPS to port 81 on the Sorry Server, which is listening for HTTP.
-
What is the appropriate product name for CSS 11500 on Bug Toolkit
Today I tried to search DDTs of CSS 11500 on Bug Toolkit (http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl), however I can not find out appropriate product name corresponding to CSS 11500.
Before I had searched DDTs of CSS 11500 on Bug Toolkit many times, at that time, if my memory correct..
I selected "Cisco CSS 11500 Series Content Services Switches" in the list of "Search for bugs in other Cisco software and hardware products" on Bug Toolkit.
But I can not find this product name today.
Do you know what product name appropriate for CSS 11500 on Bug Toolkit ?
Your information would be appreciated.
Best regards,
Hi Gilles,
Thank you for your cooperation.
Today, I can find the CSS at "new Bug Toolkit".
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Select Product Category: Application Networking Services
Select Product: Cisco CSS 11000 Series Content Services
So I understand I should go "new Bug Toolkit" instead of old "Bug Toolkit" to
search any DDTs for CSS 11500.
Many thanks.
Best regards, -
Https serverfarm with http sorry server
Hello all,
I am having difficulty configuring a sorry server for an existing https serverfarm. The sorry (backup) server is failing all connections and I think it's because I can not determine a way to differentiate ssl connections for the production serverfarm and non-ssl connections for the sorry server. Here is the load balance policy:
policy-map type loadbalance http first-match WWW-HTTPS-LBP
class class-default
serverfarm WWW-HTTPS backup WWW-OUTAGE
action https-rewrite
ssl-proxy client CLIENT-SSL-PROXY
The WWW-HTTPS serverfarm is comprised of HTTPS real servers, hence the necessity of the ssl-proxy client; however, when the WWW-HTTPS serverfarm is offline, the ssl-proxy can't connect to the WWW-OUTAGE serverfarm as the real server in that farm is HTTP only.
Has anyone run into this scenario before?
The ssl-proxy client forces the connection on the backend (to the real server) to be https.
You should instead create a redirect serverfarm and use it to redirect the user to an http vserver where you can use your http serverfarm without the ssl-proxy client.
Gilles. -
I have been trying to get my CSS 11506 to redirect to a Sorry Server when our content servers go offline. We thought that we had it working, but after some downtime it turned out that our configuration did not work.
After extensive reading I can't figure out what is wrong with my config, or if the problem lies elsewhere. I am attaching my config below; can anyone tell me if they see any problems with what I have or if there is something that I need to do in addition to what I have? Thank you for your help, here is the config:
*************************** GLOBAL ***************************
no restrict web-mgmt
no restrict xml
bypass persistence disable
snmp community ******read-write
snmp name "******"
snmp contact "*******r"
snmp location "CSS11056"
snmp trap-host 10.20.1.4 ******
dns primary 10.20.1.2
ftp-record ******10.20.1.17 *** des-password
ibfebcgg6aheuc4h1hfcqhpcubwdxcjb cssgui
ip route 0.0.0.0 0.0.0.0 10.20.1.1 1 !
*************************INTERFACE*************************
interface 1/1
phy 1Gbits-FD-sym !
**************************CIRCUIT**************************
circuit VLAN1
router-discovery lifetime 1000
ip address 10.20.1.4 255.255.255.0
router-discovery
**************************SERVICE**************************
service Blade01
ip address 10.20.1.60
active
service Blade02
ip address 10.20.1.61
active
service Blade03
ip address 10.20.1.62
active
service Blade04
ip address 10.20.1.63
active
service sorry
ip address 10.20.1.41
active
!*************************** OWNER***************************
owner ***
email-address ******
content Content1
vip address 10.20.1.80
balance aca
add service Blade01
add service Blade02
no persistent
primarySorryServer sorry
active
content Content2
vip address 10.20.1.81
add service Blade03
add service Blade04
balance aca
active
!*************************** GROUP***************************
group content1nat
vip address 10.20.1.80
add destination service Blade01
add destination service Blade02
add destination service sorry
group content2nat
add destination service Blade03
add destination service Blade04
vip address 10.20.1.81
!**************************** ACL ****************************
acl 10
clause 5 permit any 10.20.1.60 destination content ****
sourcegroup ****
clause 6 permit any 10.20.1.61 destination content ICC/flippid
sourcegroup Content1
clause 99 permit any any destination any
clause 2 permit any 10.0.0.0 destination content ****
sourcegroup ****
apply circuit-(VLAN1)
clause 7 permit any 10.20.1.41 destination content ****
sourcegroup Content1
One problem I can see is that you don't have any keepalives configured under the services, so they will default to a Ping. As long as they respond to ping, it will keep traffic going to those servers.
What services run on these servers? We generally recommend you use as high a layer keepalive as possible, so if it is a web server for example, use an HTTP keepalive.
Have a look here for more info:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/content_lb/guide/KAL.html -
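An added example (not part of the thread and not Cisco tooling): a small Python audit over CSS-style configuration text that flags the two problems raised in the answers above, services with no "keepalive type" line, which fall back to the default ping check, and a plain-HTTP sorry server attached to a port 443 / "application ssl" content rule. The sample config with its names and addresses is constructed, and treating "keepalive type http" as a sign that the service speaks plain HTTP is an assumption of this sketch.

```python
# Constructed sample in CSS running-config style (not a config from the thread).
SAMPLE_CONFIG = """
service web1
  ip address 192.0.2.10
service web2
  ip address 192.0.2.11
  keepalive type http
service sorry
  ip address 192.0.2.20
  port 81
  keepalive type http
owner example
  content plain
    port 80
    add service web1
    add service web2
    primarySorryServer sorry
  content secure
    port 443
    application ssl
    add service web2
    primarySorryServer sorry
"""

OTHER_BLOCKS = ("owner", "group", "acl", "circuit", "interface")
SORRY = ("primarysorryserver", "secondarysorryserver")

def parse(config):
    """Collect services and content rules from flat or indented config text."""
    services, contents, cur = {}, {}, {}
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "service" and len(tok) == 2:
            cur = services.setdefault(tok[1], {"keepalive": None})
        elif tok[0] == "content" and len(tok) == 2:
            cur = contents.setdefault(tok[1], {"services": [], "sorry": [], "ssl": False})
        elif tok[0] in OTHER_BLOCKS or (tok[0] == "keepalive" and len(tok) == 2):
            cur = {}  # block not inspected here (includes a global named keepalive)
        elif tok[:2] == ["keepalive", "type"] and len(tok) > 2 and "keepalive" in cur:
            cur["keepalive"] = tok[2]
        elif tok[:2] == ["add", "service"] and len(tok) > 2 and "services" in cur:
            cur["services"].append(tok[2])
        elif tok[0].lower() in SORRY and len(tok) > 1 and "sorry" in cur:
            cur["sorry"].append(tok[1])
        elif tok in (["port", "443"], ["application", "ssl"]) and "ssl" in cur:
            cur["ssl"] = True
    return services, contents

def audit(config):
    """Return (content rule, service, finding) tuples."""
    services, contents = parse(config)
    findings = []
    for rule, c in sorted(contents.items()):
        for name in c["services"] + c["sorry"]:
            if services.get(name, {}).get("keepalive") is None:
                findings.append((rule, name, "no keepalive type, default ping only"))
        # Assumption: "keepalive type http" means the sorry service speaks plain HTTP.
        for name in (c["sorry"] if c["ssl"] else []):
            if services.get(name, {}).get("keepalive") == "http":
                findings.append((rule, name, "HTTP sorry server on SSL rule"))
    return findings
```

Calling audit() on a saved running-config returns one tuple per finding; an empty list means neither condition was found.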
CSS 11051: Sorry Server receives request although the normal server is up
Hello,
my customer has configured a sorry for his server. If the normal server is down the Sorry Server receives the requests. That works fine. But if the normal server comes back the Sorry Server still receives some requests (2 hours and more). Has anybody an idea what might be the reason for that?
regards
Dietrich Schleyer
content webserver
add service server12
vip address 10.40.52.20
primarySorryServer server13
protocol tcp
port 80
url "/*"
no persistent
active
service server12
ip address 10.40.52.12
port 80
protocol tcp
keepalive type named applicationwww01
active
service server13
ip address 10.40.52.13
protocol tcp
port 80
keepalive type named applicationwww02
active
keepalive applicationwww01
ip address 10.40.52.12
port 80
type http non-persistent
uri "/test.html"
frequency 10
method get
active
keepalive applicationwww02
ip address 10.40.52.13
port 80
uri "/test.html"
frequency 10
method get
type http non-persistent
active
According to: http://www.cisco.com/warp/public/117/css_sorry_server.html
After the CSS 11000 directs requests to a primary sorry server, the switch will continue to use the primary sorry server even when the original server becomes functional. To force the connection back to the original server, you must suspend the primary sorry server or wait until the connection is dropped or times out. When a new session is initiated by the CSS 11000, the connection should go back to the original server.
-
CSS 11500 Responds for any Port
Hopefully this is an easy question but I am having a heck of a time finding an answer.
We have multiple CSS 11500 clusters. We have found that on all of them, if you try to open a session on any port to an IP address on the backend of the CSS, the CSS will complete the SYN-ACK-ACK session with the client. This happens regardless of whether there is something on that IP address or not.
Example:
Front Back
10.1.1.0/24 --- CSS --- 10.2.2.0/24
Coming from any IP, if I try to telnet to ANY IP on the 10.2.2.0 subnet (whether or not there is an actual server on that IP) on any port (whether or not that port is open or not), the CSS will complete the initial connection. I have verified this using telnet to numerous ports and viewing the transaction in a packet capture.
Is there any way to shut this off? This is causing some licensing issues for our security folks that use a vulnerability scanner licensed on number of IP addresses.
Thanks for any input!
Thanks for your reply Marvin.
We actually use ACLs already - primarily for purposes of allowing backend servers to reach load-balanced services on the CSS they sit behind or for reverse proxy services.
I have tried specifically blocking access to backend IP addresses that are not used but oddly enough the CSS still replies and opens the initial TCP session just like any other.
I think I'm going to have to open a TAC case on this one. If they can't answer it, I may be forced to put all of these behind firewalls - which is doable but not ideal. -
CSS 11501 - Balancing vs. Sorry Server
Hi,
I need a little advice.
I have configured my test CSS box with two services. I enabled keepalives and load balancing with one server having a weight of 5, while the other is set to the default.
Testing has proven successful in redirecting requests when the primary server (weight 5) is taken offline. However, when it comes back online, not all requests are sent to it, and some requests still go to the secondary server.
My question:
If I want all requests to go to the primary server except in the event it is unavailable, should I configure the secondary server as a Sorry server, and not as a load balanced peer? I would effectively be using the Sorry server as a secondary content server.
Is this workable? Am I missing something?
Thanks,
JM
JM,
yes you need the sorryserver option if you don't want traffic to go to your backup.
Whatever weight option you configure, there will always be a fraction of the traffic going to the backup.
Gilles. -
I have added a service for the sorry server and I have added the name of the server SorryServer1 to the content rule. However, when I suspend the content rule I get a Page Not Displayed instead of the redirect to the Sorry Server.
The config has multiple content rules; I am currently only testing on one.
Thanks
Hi,
if you suspend the whole content rule the sorry server can not do its action as the rule is "down"; you need to suspend all services except the sorry server.
Kind Regards,
Joerg
PS
For a HowTo and recommendations refer to http://www.cisco.com/en/US/partner/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801579f2.html#1038009 -
CSS 11500:Client ip-address visible to the real server
Is it possible to keep the original ip-address of the client when the CSS is redirecting the traffic to the real server? The customer needs the client ip-address on the real server for reporting.
regards
Dietrich Schleyer
Dietrich,
by default the CSS will keep the original client ip address.
To have the CSS changing the client ip, your customer must have configured a group with 'add destination service'.
Probably because your client is using a one-armed setup which is the easiest to implement but the worst to use.
So, your customer should go to a 2-sides CSS design and have the traffic flow through the CSS without the need to do client nat.
Once the design is correct, you can remove the group and the CSS will keep the client ip address.
Regards,
Gilles.
Thanks for rating. -
Folks,
The documentation says that the sorry server concept will only work if the loadbalancing is done at layer 7. My question is why, why can't I see the sorry server redirect if all services are down when doing load balancing at Layer 3 or Layer 4?
Hi,
Can you point me to those docs. I believe sorry server should work regardless of which layer is the content rule configured to check.
Actually this doc's example is layer 3:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093de8.shtml
I will build a working config at layer 3 for you soon. -
Services with different IP address subnets over CSS 11500 series
Hi all folks!
I have two CSS 11500 series...
In just a few months i will have ready a DRS (Disaster Recovery Site), where i will have 2 more servers to add to the environment.
But these servers will be in a different subnet from the one I have today for the servers that are configured in the current services of my CSS.
So the doubt that arises is:
Is it correct to add two new services with these servers, but using the IP addressing of the DRS site, and including on the CSS a static route to this network (of the DRS) in order to reach them? Is it correct, will it work well?
This would be so....
________________LAN to LAN_____________________
| |
| |
|------SITE A------| |------SITE B------|
[Firewall] ===============IPSEC============= [Firewall]
| |
| |
[CSS-A]-[CSS-B] [SWITCH]
| | | |
[SWITCH] | |
[srvA] [srvB] [srvC] [srvD] [srvE]
So, at [CSS-A] & B, i will put a static route to firewall that know the subnet of site B through the IPSEC tunnel.
So In the CSSs, i will add the new services for the Servers "D" & "E" with the IP address of Site B.
This should be seen as well:
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 [IP FIREWALL]
ip route SITE B [IP FIREWALL]
!************************** SERVICE **************************
service srvA
ip address A.A.A.x
port 8080
service srvB
ip address A.A.A.x+1
port 8080
service srvC
ip address A.A.A.x+2
port 8080
service srvD
ip address B.B.B.y
port 8080
service srvE
ip address B.B.B.y+1
port 8080
I know that this practice is not the most desirable, in fact I should use "Basic Global Server Load Balancing Site Redundancy Using the CSS with DNS", but I don't have much time to change the entire environment today, and in this first stage I have to begin with this poor but quick solution that I thought of, and I wanted to validate whether there is a possibility of this working.
Within their experiences that they say? Will operate?
Thanks in advance!
Regards!
Esteban =)
Daniel!
Sorry for the delay!
Thank you so much for your time to reply.
You have given me a great help with this doubt!
But... about using "source group", let me know...
I can't understand the real difference between NAT with ACLs as you can see at this link: (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml)
and
this other link, using NAT (from point 5), (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml)
where the NAT is configured under a method different from the previous one...
So... for this scenario described above, which would you recommend using? I would think that the second is the most indicated truth? What do you think?
Thanks in advance again!!!
Have nice day!
Regards.
Esteban. -
Multihoming with CSS 11500?
Can I do load balancing between two internet ISP's (multihoming), from Internet to Web Server (inside traffic) and from Internal network to Internet (outside traffic) with a Cisco CSS 11500?
you can connect the CSS to multiple ISP.
With the ECMP feature, the CSS will forward the response back to where the connection came from.
However, for outgoing connection, the CSS can't do loadbalancing over multiple ISP.
Regards,
Gilles. -
Sorry server - different replies
We have a CSS 11000 that provides load balancing between several servers with configured max-session.
How to configure that sorry server sends different reply:
1) if all servers are down, it has to redirect to page "sorry, server is down"
2) in case of overload, it has to redirect to page "sorry, server is busy, try later"
Can you advise how it is possible to configure this?
thanks in advance,
Natalia
there is no direct way of doing this.
However, my solution is to do this :
service sorry_down
service sorry_overloaded
keepalive type script check_service_down use-output
owner mycompany
content www
vip ...
add service ...
primarysorryserver sorry_overloaded
secondarysorryserver sorry_down
active
The script check_service_down, will do a 'show service ' grep -u Alive to detect if a service is alive or just not used because down.
Or you could also simply do ap-kal-pinglist and ping the services.
Anyway, the idea for the kal for the service sorry_overloaded is to check the status of the other services and detect if they are down or just overloaded.
Gilles. -
Hi,
we have two CSS11503 to load balance http and https traffic, we have to know the source IP packet of request to a Sorry Server when all the services on the content are down.
I mean, when all services in the content are down, a request from a client is forwarded to the primary sorry server; is the source IP of the request the load balancer IP address, or is it the client IP address where the request starts from?
Thanks
Cinzia
By default we do not source nat the client ip address.
But if the sorry server is at a remote location, you will NEED to do source nat for the connection to work, otherwise the sorry server will respond directly to the client bypassing the CSS and the client will not appreciate seeing a response from a different ip than the vip.
You could use a redirect sorry server, so that a redirect response is sent to the client which does open a new connection directly with the sorry server.
Gilles.