Sorry Server for CSS 11500

Similar Messages

• CSS Sorry Server for HTTPS

  How to configure Sorry server for HTTPS (443) port. Sorry server works fine with HTTP, But not with 443
  In the following config if server1 and server2 are down, the HTTP requests goes to the Sorry Server, but for HTTPS nothing is displayed. I am running the sorry server on port 81
  Please suggest
  !************************** SERVICE **************************
  service prisorry
  ip address 10.100.11.11
  keepalive type http
  keepalive port 81
  port 81
  active
  service secsorry
  ip address 10.100.11.12
  keepalive port 81
  keepalive type http
  port 81
  active
  service server1
  ip address 10.100.11.11
  keepalive type http
  keepalive port 80
  active
  service server2
  ip address 10.100.11.12
  keepalive type http
  keepalive port 80
  active
  !*************************** OWNER ***************************
  owner Loadbalancing
  content L4Rule1
  protocol tcp
  add service server2
  add service server1
  port 80
  url "/*"
  vip address 10.100.11.4
  advanced-balance sticky-srcip-dstport
  primarySorryServer prisorry
  secondarySorryServer secsorry
  active
  content L4Rule2
  protocol tcp
  add service server2
  port 443
  add service server1
  vip address 10.100.11.4
  advanced-balance sticky-srcip-dstport
  primarySorryServer prisorry
  secondarySorryServer secsorry
  application ssl
  active
  content L4Rule3
  add service server2
  protocol tcp
  port 1443
  add service server1
  vip address 10.100.11.4
  advanced-balance sticky-srcip-dstport
  primarySorryServer prisorry
  secondarySorryServer secsorry
  active
  Thanks

  I just deployed a couple 11050's the other day so my experience is limited, but I'd guess your problem is that, when using the Primary Sorry Server, you end up with clients sending HTTPS requests to an HTTP port. Having HTTPS requests redirected to HTTP ports is one thing because the client then makes an HTTP request to that port, but the way you have it above, it appears to me that the client will be talking HTTPS to port 81 on the Sorry Server, which is listening for HTTP.

• What is the appropriate product name for CSS 11500 on Bug Toolkit

  Today I tried to search DDTs of CSS 11500 on Bug Toolkit (http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl), however I can not find out appropriate product name corresponding to CSS 11500.
  Before I had searched DDTs of CSS 11500 on Bug Toolkit many times, at that time, if my memory correct..
  I selected "Cisco CSS 11500 Series Content Services Switches" in the list of "Search for bugs in other Cisco software and hardware products" on Bug Toolkit.
  But I can not find this product name today.
  Do you know what product name appropriate for CSS 11500 on Bug Toolkit ?
  Your information would be appreciated.
  Best regards,

  Hi Gilles,
  Thank you for your cooperation.
  Today, I can find the CSS at "new Bug Toolkit".
  http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
  Select Product Category: Application Networking Services
  Select Product: Cisco CSS 11000 Series Content Services
  So I understand I should go "new Bug Toolkit" instead of old "Bug Toolkit" to
  search any DDTs for CSS 11500.
  Many thanks.
  Best regards,

• Https serverfarm with http sorry server

  Hello all,
    I am having difficulty configuring a sorry server for an existing https serverfarm.  The sorry (backup) server is failing all connections and I think it's because I can not determine a way to differentiate ssl connections for the production serverfarm and non-ssl connections for the sorry server.  Here is the load balance policy:
    policy-map type loadbalance http first-match WWW-HTTPS-LBP
    class class-default
      serverfarm WWW-HTTPS backup WWW-OUTAGE
      action https-rewrite
      ssl-proxy client CLIENT-SSL-PROXY
    The WWW-HTTPS serverfarm is comprised of HTTPS real servers, hence the necessity of the ssl-proxy client; however, when the WWW-HTTPS serverfarm is offline, the ssl-proxy can't connect to the WWW-OUTAGE serverfarm as the real server in that farm is HTTP only.
    Has anyone run into this scenario before?

  The ssl-proxy client forces the connection on the backend (to the real server to be https).
  You should instead create a redirect serverfarm and use it to redirect the user to an http vserver where you can use your http serverfarm without the ssl-proxy client.
  Gilles.

• CSS and a Sorry Server

  I have been trying to get my CSS 11506 to redirct to a Sorry Server when our content servers go offline. We thought that we had it working, but after some downtime it turned out that our configuration did not work.
  After extensive reading I can't figure out what is wrong with my config, or if the problem lies else where. I am attaching my config below, can anyone tell me if they see any problems with what I have or if there is something that I need to do in addition to what I have. Thank you for you help, here is the config:
  *************************** GLOBAL ***************************
  no restrict web-mgmt
  no restrict xml
  bypass persistence disable
  snmp community ******read-write
  snmp name "******"
  snmp contact "*******r"
  snmp location "CSS11056"
  snmp trap-host 10.20.1.4 ******
  dns primary 10.20.1.2
  ftp-record ******10.20.1.17 *** des-password
  ibfebcgg6aheuc4h1hfcqhpcubwdxcjb cssgui
  ip route 0.0.0.0 0.0.0.0 10.20.1.1 1 !
  *************************INTERFACE*************************
  interface 1/1
  phy 1Gbits-FD-sym !
  **************************CIRCUIT**************************
  circuit VLAN1
  router-discovery lifetime 1000
  ip address 10.20.1.4 255.255.255.0
  router-discovery
  **************************SERVICE**************************
  service Blade01
  ip address 10.20.1.60
  active
  service Blade02
  ip address 10.20.1.61
  active
  service Blade03
  ip address 10.20.1.62
  active
  service Blade04
  ip address 10.20.1.63
  active
  service sorry
  ip address 10.20.1.41
  active
  !*************************** OWNER***************************
  owner ***
  email-address ******
  content Content1
  vip address 10.20.1.80
  balance aca
  add service Blade01
  add service Blade02
  no persistent
  primarySorryServer sorry
  active
  content Content2
  vip address 10.20.1.81
  add service Blade03
  add service Blade04
  balance aca
  active
  !*************************** GROUP***************************
  group content1nat
  vip address 10.20.1.80
  add destination service Blade01
  add destination service Blade02
  add destination service sorry
  group content2nat
  add destination service Blade03
  add destination service Blade04
  vip address 10.20.1.81
  !**************************** ACL ****************************
  acl 10
  clause 5 permit any 10.20.1.60 destination content ****
  sourcegroup ****
  clause 6 permit any 10.20.1.61 destination content ICC/flippid
  sourcegroup Content1
  clause 99 permit any any destination any
  clause 2 permit any 10.0.0.0 destination content ****
  sourcegroup ****
  apply circuit-(VLAN1)
  clause 7 permit any 10.20.1.41 destination content ****
  sourcegroup Content1

  One problem I can see is that you don't have any keepalives configured under the services, so they will default to a Ping. As long as they respond to ping, it will keep traffic going to those servers.
  What services run on these Servers? We generally recommend you use as higher layer keepalive as possible, so if it is a web server for example, use a HTTP keepalive.
  Have a look here for more info:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/content_lb/guide/KAL.html

• CSS 11051: Sorry Server receives request although the normal server is up

  Hello,
  my customer has configured a sorry for his server. If the normal server is down the Sorry Server receives the requests. That works fine. But if the normal server comes back the Sorry Server still receives some requests( 2 hours and more). Has anybody an idea what might be the reason for that ?
  regards
  Dietrich Schleyer
  content webserver
  add service server12
  vip address 10.40.52.20
  primarySorryServer server13
  protocol tcp
  port 80
  url "/*"
  no persistent
  active
  service server12
  ip address 10.40.52.12
  port 80
  protocol tcp
  keepalive type named applicationwww01
  active
  service server13
  ip address 10.40.52.13
  protocol tcp
  port 80
  keepalive type named applicationwww02
  active
  keepalive applicationwww01
  ip address 10.40.52.12
  port 80
  type http non-persistent
  uri "/test.html"
  frequency 10
  method get
  active
  keepalive applicationwww02
  ip address 10.40.52.13
  port 80
  uri "/test.html"
  frequency 10
  method get
  type http non-persistent
  active

  According to: http://www.cisco.com/warp/public/117/css_sorry_server.html “After the CSS 11000 directs requests to a primary sorry server, the switch will continue to use the primary sorry server even when the original server becomes functional. To force the connection back to the original server, you must suspend the primary sorry server or wait until the connection is dropped or times out. When a new session is initiated by the CSS 11000, the connection should go back to the original server.”

• CSS 11500 Responds for any Port

  Hopefully this is an easy question but I am having a heck of a time finding an answer.
  We have multiple CSS 11500 clusters.  We have found that on all of them, if you try to open a session on any port to an IP address on the backend of the CSS, the CSS will complete the SYN-ACK-ACK session with the client.  This happens regardless of whether there is something on that IP address or not.
  Example:
  Front                           Back
  10.1.1.0/24 --- CSS --- 10.2.2.0/24
  Coming from any IP, if I try to telnet to ANY IP on the 10.2.2.0 subnet (whether or not there is an actual server on that IP) on any port (whether or not that port is open or not), the CSS will complete the initial connection.  I have verified this using telnet to numerous ports and viewing the transaction in a packet capture.
  Is there any way to shut this off?  This is causing some licensing issues for our security folks that use a vulnerability scanner licensed on number of IP addresses.
  Thanks for any input!

  Thanks for your reply Marvin.
  We actually use ACLs already - primarily for purposes of allowing backend servers to reach load-balanced services on the CSS they sit behind or for reverse proxy services. 
  I have tried specifically blocking access to backend IP addresses that are not used but oddly enough the CSS still replies and opens the initial TCP session just like any other.
  I think I'm going to have to open a TAC case on this one.  If they can't answer it, I may be forced to put all of these behind firewalls - which is doable but not ideal.

• CSS 11501 - Balancing vs. Sorry Server

  Hi,
  I need a little advice.
  I have configured my test CSS box with two services. I enabled keepalives and load balancing with one server having a weight of 5, while the other is set to the default.
  Testing has proven successfull in redirecting requests when the primary server (weight 5) is taken offline. However, when it comes back online, not all requests are sent to it, and some requests still go to the secondary server.
  My question:
  If I want all requests to go to the primary server except in the event it is unavailable, should I configure the secondary server as a Sorry server, and not as a load balanced peer? I would effectively be using the Sorry server as a secondary content server.
  Is this workable? Am I missing something?
  Thanks,
  JM

  JM,
  yes you need the sorryserver option if you don't want traffic to go to your backup.
  Whatever weight option you configure, there will always be a fraction of the traffic going to the backup.
  Gilles.

• Sorry Server Config for 11503

  I have added a service for the sorr server and I have added the name of the server SorryServer1 to the content rule. However when I suspend the content rule I get a Page Not diplayed instead of the redirect to the Sorry Server.
  The config has mulitple Content rules, I am currently only testing on one.
  Thanks

  Hi,
  if you suspend the whole content rule the sorry server can not do it's action as the rule is "down" you need do suspend all services except the sorry server.
  Kind Regards,
  Joerg
  PS
  For a HowTo and recommendations refer to http://www.cisco.com/en/US/partner/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801579f2.html#1038009

• CSS 11500:Client ip-address visible to the real server

  Is it possible to keep the original ip-address of the client when the the css is redirecting the traffic to the real server. customer needs the client ip-address on the real server for reporting.
  regards
  Dietrich Schleyer

  Dietrich,
  by default the CSS will keep the original client ip address.
  To have the CSS changing the client ip, your customer must have configured a group with 'add destination service'.
  Probably because your client is using a one-armed setup which is the easiest to implement but the worst to use.
  So, your customer should go to a 2-sides CSS design and have the traffic flow through the CSS without the need to do client nat.
  Once the design is correct, you can remove the group and the CSS will keep the client ip address.
  Regards,
  Gilles.
  Thanks for rating.

• CSS Sorry server requirements

  Folks,
  The documentation says that the sorry server concept will only work if the loadbalancing is done at layer 7. My question is why, why can't i see the sorry server redirect if all services are down when doing load balancing at Layer 3 or Layer 4?

  Hi,
  Can you point me to those docs. I believe sorry server should work regardless of which layer is the content rule configured to check.
  Actually this doc's example is layer 3:
  http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093de8.shtml
  I will build a working config at layer 3 for you soon.

• Services with different IP address subnets over CSS 11500 series

  Hi all folks!
  I have two CSS 11500 series...
  In just a few months i will have ready a DRS (Disaster Recovery Site), where i will have 2 more servers to add to the environment.
  But this servers will be in a different subnet from that today i have for the servers who are configured in the current services of my CSS.
  So then the doubt i arises is:
  Is correct to add two new services with these servers, but using the IP addressing of the DRS site???, and including on the CSS a static route to this network, (of the DRS) in order to reach them?? is it correct, it will work well?
  This would be so....
               ________________LAN to LAN_____________________
               |                                                                                |
               |                                                                                |
  |------SITE A------|                                                        |------SITE B------|  
       [Firewall] ===============IPSEC============= [Firewall]               
             |                                                                                |
             |                                                                                |
  [CSS-A]-[CSS-B]                                                            [SWITCH]
         |          |                                                                     |         |         
       [SWITCH]                                                                    |         |                                                                 
  [srvA] [srvB] [srvC]                                                          [srvD] [srvE]
  So, at [CSS-A] & B, i will put a static route to firewall that know the subnet of site B through the IPSEC tunnel.
  So In the CSSs, i will add the new services for the Servers "D" & "E" with the IP address of Site B.
  This should be seen as well:
  !*************************** GLOBAL ***************************
  ip route 0.0.0.0 0.0.0.0 [IP FIREWALL]
  ip route SITE B [IP FIREWALL]
  !************************** SERVICE **************************
  service srvA
    ip address A.A.A.x
    port 8080
  service srvB
    ip address A.A.A.x+1
    port 8080
  service srvC
    ip address A.A.A.x+2
  port 8080
  service srvD
    ip address B.B.B.y
  port 8080
  service srvE
    ip address B.B.B.y+1
  port 8080
  I know that this practice is not the most desirable, in fact should use"Basic Global Server Load Balancing Site Redundancy Using the CSS with DNS", but I don't have much time to change the entire environment today, and in this first stage i have to begin with this poor but quick solution that i thought and i wanted to be validated if there is posibliidades this to work
  Within their experiences that they say? Will operate?
  Thanks in advance!
  Regards!
  Esteban =)

  Daniel!
  Sorry by delay!
  Thank you so much for you time for reply.
  You have given me a great help to this doubt!
  But..using "source group" let me know..
  I can´t undertand the really difference between NAT with ACls as you can see at this link: (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml)
  and
  this other link, using NAT (from the piont 5), (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml)
  where the NAT is configured under a method different from the previous one..
  So.. for this scenario described above, which would you recommend using? I would think that the second is the most indicated truth? What do you think?
  Thanks in advance again!!!
  Have nice day!
  Regards.
  Esteban.

• Multihoming with CSS 11500?

  Can I do load balancing between two internet ISP's (multihoming), from Internet to Web Server (inside traffic) and from Internal network to Internet (outside traffic) with a Cisco CSS 11500?

  you can connect the CSS to multiple ISP.
  With the ECMP feature, the CSS will forward the response back to where the connection came from.
  However, for outgoing connection, the CSS can't do loadbalancing over multiple ISP.
  Regards,
  Gilles.

• Sorry server - different replies

  We have CSS 11000 that provides load balancing between several servers with configured max-session .
  How to configure that sorry server sends different reply:
  1) if all servers are down, it has redirect to page "sorry, server is down"
  2) in case of overload, it it has to redirect to page "sorry, server is bussy, try later"
  Can you advise how it possible to configue this?
  thanks in advance,
  Natalia

  there is no direct way of doing this.
  However, my solution is to do this :
  service sorry_down
  service sorry_overloaded
  keepalive type script check_service_down use-output
  owner mycompany
  content www
  vip ...
  add service ...
  primarysorryserver sorry_overloaded
  secondarysorryserver sorry_down
  active
  The script check_service_down, will do a 'show service ' grep -u Alive to detect if a service is alive or just not used because down.
  Or you could also simply do ap-kal-pinglist and ping the services.
  Anyway, the idea for the kal for the service sorry_overloaded is to check the status of the other services and detect if they are down or just overloaded.
  Gilles.

• Sorry server request

  Hi,
  we have two CSS11503 to load balance http and https traffic, we have to know the source IP packet of request to a Sorry Server when all the services on the content are down.
  I mean, when all services into the content are down a request from a client i forwarded to the primary sorry server, is the source IP of the request the load balancer IP address, or is the client IP address wherefrom the request starts?!
  Thanks
  Cinzia

  By default we do not source nat the client ip address.
  But if the sorry server is at a remote location, you will NEED to do source nat for the connection to work, otherwise the sorry server will respond directly to the client bypassing the CSS and the client will not appreciate seeing a response from a different ip than the vip.
  You could use a redirect sorry server, so that a redirect response is sent to the client which does open a new connection directly with the sorry server.
  Gilles.