Stateful VIP redundancy

Is it possible to do stateful VIP redundancy on 1105x devices? (Storing sticky db on redundant CSS)
I have two of them and am going to configure a VIP for server load balancing. A single CSS is working well, but I have two of them and I don't want to see disconnected sessions when the primary goes down. Does anybody recommend any solution like this?

I have gotten a pseudo-stateful failover to work; no sticky information is used. It is not actually stateful, in that the other box does not have any state information, but it is able to take over the TCP connection without the end points being affected. I don't have the config handy right now. If you need it I can dig it up and send it to you.
One of the keys is to set the persistence command to its default value (persistence reset redirect); also, the load balancing must be by source IP address. This ensures that both boxes will select the same server - assuming that the configs and service states are identical.
The manual can help but I found that it called for more statements than were necessary and that it did not note the persistence requirement. I found that the command disables the PAT on the connections so that if the source port is 3546 coming into the CSS it will keep it as 3546 going to the service. If the port is translated then the backup switch will not know the translation and send it to the wrong socket on the client, resulting in an error.
It worked great but the downside is the global persistence command is inefficient and affects all sessions and that you have to use source IP load balancing for the rule you are protecting. I did not implement this in production.
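
The two conditions described in the reply above (balancing by source IP and no port translation) can be checked with a small model. This is an added example, not part of the original post and not CSS code: the `Balancer` class, the SHA-256 stand-in hash, the server list and the client addresses are all assumptions made for illustration; only port 3546 comes from the post.

```python
import hashlib
from itertools import count

SERVERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]  # constructed addresses


class Balancer:
    """Toy model of one box in a redundant pair; not CSS code."""

    def __init__(self, by_source_ip, translate_ports):
        self.by_source_ip = by_source_ip
        self.translate_ports = translate_ports
        self._rr = count()               # round-robin position (per-box state)
        self._pat = count(20000)         # PAT port allocator (per-box state)
        self.flows = {}                  # (client_ip, client_port) -> (server, port)

    def _pick_server(self, client_ip):
        if self.by_source_ip:
            # Stand-in hash: any function of the source IP alone gives the
            # same answer on both boxes when the server lists are identical.
            digest = hashlib.sha256(client_ip.encode()).digest()
            return SERVERS[digest[0] % len(SERVERS)]
        return SERVERS[next(self._rr) % len(SERVERS)]

    def forward(self, client_ip, client_port):
        """Return (server, source port used towards the server) for a packet."""
        key = (client_ip, client_port)
        if key not in self.flows:
            server = self._pick_server(client_ip)
            port = next(self._pat) if self.translate_ports else client_port
            self.flows[key] = (server, port)
        return self.flows[key]


def survives_failover(by_source_ip, translate_ports):
    """True if the backup rebuilds the same server-side socket as the master."""
    master = Balancer(by_source_ip, translate_ports)
    backup = Balancer(by_source_ip, translate_ports)   # same config, no state
    master.forward("198.51.100.7", 40000)              # earlier, unrelated flow
    before = master.forward("203.0.113.25", 3546)      # flow under test
    after = backup.forward("203.0.113.25", 3546)       # mid-stream packet after failover
    return before == after


if __name__ == "__main__":
    for src_ip in (True, False):
        for pat in (False, True):
            print(f"source-IP balancing={src_ip!s:5} port translation={pat!s:5} "
                  f"-> survives={survives_failover(src_ip, pat)}")
```

Only the combination of source-IP balancing with ports passed through unchanged lets the stateless backup arrive at the same server and the same socket; any per-box state (round-robin position, PAT allocation) breaks the takeover.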

Similar Messages

  • CSS11501 commit vip redundancy script failure

    Hi all,
    Recently, when I ran the commit vip redundancy script, I encountered the following error. This script has never failed in the past. Upon checking the backup CSS, I did notice that my most recent changes were actually synced. The following is the debug I have captured while running the script. Can someone please help to look at it? Thanks!
    active-lb# script play commit_vip_redundancy "local 167.168.165.10 remote 167.168.165.9 -a -d"
    active-lb#
    Checking available disk space on systems ...
    Checking the disk space locally before continuing with the script.
    Verifying that another local session is not running the script.
    Creating script/vipr_config_sync_lock file.
    Verifying app and redundancy configs ...
    Verifying that app session is up with backup switch.
    Making sure app session is up.
    Seconds to wait before calling it quits:    60
    Checking the disk space remotely before continuing with the script.
    Checking local and remote switch versions ...
    Storing the running code versions of the local and remote switch.
    Storing the local switch's version.
    Retrieving the remote switch's version.
    Checking remote version for 4.0
    Checking if switch is BACKUP for any virtual routers and if
    the state is 'No Service'.
    Checking vip redundancy state....
    Checking if backup switch is Master for any VRIDs.
    If it is, either a local interface that once held redundant vips
    has been removed or the Backup is a Master for another vip-redundant
    relationship.
    Checking compatibility of systems......
    LOCAL switch is a  css11501,7
    REMOTE switch is a  css11501,7
    Mode: INTERFACE - Checking to see if interface Ethernet-Mgmt  exists on remote system.
    Mode: INTERFACE - Checking to see if interface e9  exists on remote system.
    Mode: INTERFACE - Checking to see if interface e8  exists on remote system.
    Mode: INTERFACE - Checking to see if interface e7  exists on remote system.
    Mode: INTERFACE - Checking to see if interface e6  exists on remote system.
    Mode: INTERFACE - Checking to see if interface e5  exists on remote system.
    Mode: INTERFACE - Checking to see if interface e4  exists on remote system.
    Mode: INTERFACE - Checking to see if interface e3  exists on remote system.
    Mode: INTERFACE - Checking to see if interface e2  exists on remote system.
    Mode: INTERFACE - Checking to see if interface e1  exists on remote system.
    Working
    Saving Master running-config to startup-config and archiving startup-config.
    Copying running-config to startup-config.
    Archiving startup-config.
    Swapping Master and Backup ip addresses in tmp.cfg for app
    and redundancy interface.
    Checking for multiple APP sessions between redundant peers.
    App Session IP: 167.168.165.9, Local IP address: 167.168.165.10
    Checking IP Address size differences : <167.168.165.9> <167.168.165.10>
    Adding APP session IP length difference to LOCALCONFIG byte size  : 1
    Adding APP session IP length difference to REMOTECONFIG byte size : 0
    Removing CIRCUIT and INTERFACE modes from tmp.cfg.
    Checking for ips with matching subnets for circuit sync.
    Checking IP Address size differences : <167.168.165.10> <167.168.165.9>
    Replacing local system VRID priorities and preempt settings with remote settings.
    Local IP: 167.168.165.10 VRID: 40 PRIORITY: 254 PREEMPT: True
    Remote IP: 167.168.165.9 VRID: 40 PRIORITY: 1 PREEMPT: False
    Checking Number length differences : <254> <1>
    Checking IP Address size differences : <167.168.165.132> <167.168.165.131>
    Replacing local system VRID priorities and preempt settings with remote settings.
    Local IP: 167.168.165.132 VRID: 41 PRIORITY: 254 PREEMPT: True
    Remote IP: 167.168.165.131 VRID: 41 PRIORITY: 1 PREEMPT: False
    Checking Number length differences : <254> <1>
    Checking IP Address size differences : <167.168.166.3> <167.168.166.2>
    Replacing local system VRID priorities and preempt settings with remote settings.
    Local IP: 167.168.166.3 VRID: 42 PRIORITY: 254 PREEMPT: True
    Remote IP: 167.168.166.2 VRID: 42 PRIORITY: 1 PREEMPT: False
    Checking Number length differences : <254> <1>
    IP addr bytes to add to LOCAL BYTE COUNT : 1
    IP addr bytes to add to REMOTE BYTE COUNT : 1
    Checking for SSL configuration ...
    Working
    Using rcmd to copy tmp.cfg to a file on Backup switch.
    Archiving copy to Backup's startup-config.
    Archiving Backup's current startup-config.
    Restoring startup-config (new copy) to startup-config.
    Clearing running-config.
    Script playing the copy script of the Master's running-config.
    Checking to make sure backup App goes down
    Making sure app session is down.
    Seconds to wait before calling it quits:    9168
    Copy success being verified by comparing byte sizes of archived running-
         configs of the Master switch and the Backup switch.
    Making sure app session is up.
    Seconds to wait before calling it quits:    9108
    Waiting for completion signal from remote switch ...
    Verifying running-config copy success ...
    Comparing the byte count now.
    Accounting for preempt configurations.
    Adding 0 bytes to LOCALCONFIG byte count
    Adding 24 bytes to REMOTECONFIG byte count
    Accounting for priority value length differences.
    Adding 0 bytes to LOCALCONFIG byte count
    Adding 6 bytes to REMOTECONFIG byte count
    Accounting for IP address size differences.
    Adding 1 bytes to LOCALCONFIG byte count
    Adding 1 bytes to REMOTECONFIG byte count
    File copy Vipr Config Sync Failed. Commit unsuccessful!
    localconfig: 218346 bytes
    remoteconfig : 218320    bytes

    Hi Daniel,
    According to this output, the synchronization process goes well, but it fails when it has to verify what it synchronized. If you look at the last two lines, you will see that the size of the original local configuration is slightly bigger than the remote one. That's causing the validation to fail.
    The first thing we need to confirm is whether the configuration really got properly replicated (you will have to check line by line to make sure it's the same). If so, we would just need to figure out why the file sizes are different.
    There were some cases in the past in which the hard drive on the secondary device was failing, and as a result, the file was getting corrupted, leading to the size mismatch, so that's a possibility we need to take into account. Anyway, it would probably be better to open a TAC case to have it investigated in more detail.
    Regards
    Daniel
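
The byte-count phase at the end of the debug output above can be tallied mechanically. This is an added example, not part of the original thread and not the CSS script: the function and field names are assumptions, and because the output does not say whether the two printed sizes already include the listed adjustments, the gap is computed under both readings.

```python
import re

# Tail of the debug output posted above (byte-count phase only).
DEBUG_TAIL = """\
Accounting for preempt configurations.
Adding 0 bytes to LOCALCONFIG byte count
Adding 24 bytes to REMOTECONFIG byte count
Accounting for priority value length differences.
Adding 0 bytes to LOCALCONFIG byte count
Adding 6 bytes to REMOTECONFIG byte count
Accounting for IP address size differences.
Adding 1 bytes to LOCALCONFIG byte count
Adding 1 bytes to REMOTECONFIG byte count
File copy Vipr Config Sync Failed. Commit unsuccessful!
localconfig: 218346 bytes
remoteconfig : 218320    bytes
"""

REASON_RE = re.compile(r"Accounting for (.+?)\.?\s*$")
ADJUST_RE = re.compile(r"Adding (\d+) bytes? to (LOCAL|REMOTE)CONFIG byte count")
SIZE_RE = re.compile(r"(local|remote)config\s*:\s*(\d+)\s+bytes")


def summarize_sync(text):
    """Tally per-side adjustments and the final sizes from the debug tail."""
    adjust = {"local": 0, "remote": 0}
    by_reason = {}
    size = {}
    reason = "unlabelled"
    failed = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := REASON_RE.match(line):
            reason = m.group(1)
        elif m := ADJUST_RE.match(line):
            side, n = m.group(2).lower(), int(m.group(1))
            adjust[side] += n
            by_reason.setdefault(reason, {"local": 0, "remote": 0})[side] += n
        elif m := SIZE_RE.match(line):
            size[m.group(1)] = int(m.group(2))
        elif "Commit unsuccessful" in line:
            failed = True
    if set(size) != {"local", "remote"}:
        raise ValueError("final localconfig/remoteconfig sizes not found")
    return {
        "failed": failed,
        "adjust": adjust,
        "by_reason": by_reason,
        "size": size,
        # Reading 1: printed sizes are final (adjustments already applied).
        "gap_as_reported": size["local"] - size["remote"],
        # Reading 2: printed sizes are raw and adjustments still apply.
        "gap_if_unadjusted": (size["local"] + adjust["local"])
                             - (size["remote"] + adjust["remote"]),
    }


if __name__ == "__main__":
    for key, value in summarize_sync(DEBUG_TAIL).items():
        print(f"{key}: {value}")
```

Neither reading brings the two counts to equality, so the listed allowances for preempt, priority and IP address length do not account for the difference; the configurations themselves have to be compared, as the reply says.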

  • CSS 11151 VIP Redundancy - Link State Redundancy/Keepalive

    I have a pair of CSS 11151, each connected to a pair of cross-connected 3550 switches. I've configured VIP & Interface Redundancy; shutting down either the VLAN1 interface or the VLAN2 interface will cause the virtual router switchover. Recently I met some problems with CSS switchover when just one VLAN1 interface was shut down, and I was told that "type redundancy-up" should not work with VIP redundant mode, so I am trying to configure a critical service with a keepalive ap-kal-pinglist and ping all the circuit VLANs' IP addresses on the CSS itself. But I am still confused about some aspects.
    1. Should I configure two separate virtual routers for the two circuit VLANs?
    2. How do I configure the service IP address? The two 3550s have separate VLAN IP addresses, and HSRP is not configured.
    3. The script on my CSS is different from the documentation; can I edit a new ap-kal-pinglist script to replace it?
    Here's my config...
    !************ INTERFACE *********************
    interface 2
    bridge vlan 2
    !**************** CIRCUIT **************************
    circuit VLAN1
    ip address 10.0.2.33 255.255.255.128
    ip virtual-router 1 priority 100
    ip redundant-interface 1 10.0.2.29
    ip critical-service 1 sw1-up-down
    ip critical-service 1 sw2-up-down
    circuit VLAN2
    ip address 10.0.2.133 255.255.255.240
    ip virtual-router 1 priority 100
    ip redundant-interface 1 10.0.2.129
    ip redundant-vip 1 10.0.2.132
    ip critical-service 1 gateway
    !************************** SERVICE
    service gateway
    ip address 10.0.2.130
    type redundancy-up
    active
    service sw1-up-down
    ip address 10.0.2.30
    type redundancy-up
    active
    service sw2-up-down
    ip address 10.0.2.31
    type redundancy-up
    active

    I would recommend an upgrade to version 7.40 in order to get the 'reporter' functionality.
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_command_reference_chapter09186a008028fe6c.html
    A reporter lets you define which ports you want to monitor and when to fail over [all ports down or any port down].
    If you can't use 7.40, here are the answers to your questions:
    1. It does not matter. The vrid is used to differentiate other instances of VRRP that could exist on the same VLAN.
    2. If you plan to use an ap-kal-pinglist, the service IP address really does not matter. The keepalive will use the IP addresses that you pass to the ap-kal-pinglist function.
    3. You can modify the script and upload it back to the CSS. However, I would recommend using a different name in case you need the original script in the future.
    Regards,
    Gilles.

  • What causes the VIP to failover when using VIP redundancy?

    I am trying to set up VIP redundancy and would like to understand what circumstances cause a failover for the VIP. An example of what I would hope it does is if a redundant interface were to fail over, the VIP could be associated with it and fail over as well, or be configured to do so. Thanks in advance.

    The CSS master is responsible for advertising itself on the interface you have VIP redundancy configured on.
    If the backup does not hear the master, it will take over mastership.
    Another reason would be the loss of a critical service.
    You can define a service to be critical, and if it goes down, the active CSS will stop advertising itself as master, forcing failover to the backup.
    Gilles.

  • VIP Redundancy and Management interface

    If two CSSs have been configured as active and standby (VIP redundancy), and one of the interfaces of the active CSS goes down, and say the backup becomes active, I lose total connectivity to the active box via the management interface IP. Once it regains the active status, I can reconnect. Is this a "feature" or a "bug"?

    I think the software version is 6.14 build 107. I will post the configs soon. I don't see anything wrong with the configuration; it's all straightforward configuration. I will post the boot config and the running config soon.

  • VIP and Interface Redundancy

    Yet another question...
    I am running two CSS 11501 using VIP and INT Redundancy. One thing I am a little confused about, based on the sample configs and documentation, is the following statement.
    "Typically, you configure VIP redundancy on the public side of CSS peers that are positioned in front of a server farm. You configure virtual interface redundancy on the private-side interfaces attached to the Layer 2 device in front of the servers"
    This sort of makes sense to me. Except if I only configure VIP redundancy on the public side of the CSS how do I route my packets from my firewall to the CSS for servers behind the CSS that are not VIPed - if I do not use Interface redundancy on the public side as well, then I have to route the packets to the physical interface.
    I guess the question is - can I use interface redundancy on both the public side and the server side of the CSS, as well as VIP Redundancy on the public side?
    Thanks,
    Heath

    Heath,
    that's no problem.
    You can turn on interface redundancy wherever you want.
    The documentation just refers to the most common situation.
    Regards,
    Gilles.

  • Slow stateful failover for mission critical applications

    I have two CSS running VIP redundancy, IP interface redundancy and redundant-index on an ASR active-backup model.
    They are attached to separate 3750 which share vlan info via a port channel.
    When the master fails, we see the VRIR negotiation and mastership of VIPs occurs normally but the script that we run to validate our services fails and the services go to a down state.
    Since the gateway for the reals is a redundant VIP that stays alive always based on a DUMMY service, we believe this could be a mac address table update on the 3750.
    Traffic back from the reals is still sent to the "old" port where the gateway used to live.
    Failover takes several minutes and TCP sessions time out, defeating stateful failover.
    Any ideas???
    Thanks
    MANUEL

    VLAN1 STP State: Disabled
    VLAN1: Root Max Age: 6 Root Hello Time: 1 Root Fwd Delay: 4
    Designated Root: 06-a4-00-11-93-90-61-78
    Bridge ID: 06-a4-00-11-93-90-61-78
    Root Port Desg
    Port State Designated Bridge Designated Root Cost Cost Port
    VLAN11 STP State: Disabled
    VLAN11: Root Max Age: 6 Root Hello Time: 1 Root Fwd Delay: 4
    Designated Root: 06-a4-00-11-93-90-61-79
    Bridge ID: 06-a4-00-11-93-90-61-79
    Root Port Desg
    Port State Designated Bridge Designated Root Cost Cost Port
    e1 Fwd 06-a4-00-11-93-90-61-79 06-a4-00-11-93-90-61-79 0 19 8001
    VLAN211 STP State: Disabled
    VLAN211: Root Max Age: 6 Root Hello Time: 1 Root Fwd Delay: 4
    Designated Root: 06-a4-00-11-93-90-61-7a
    Bridge ID: 06-a4-00-11-93-90-61-7a
    Root Port Desg
    Port State Designated Bridge Designated Root Cost Cost Port
    VLAN222 STP State: Disabled
    VLAN222: Root Max Age: 6 Root Hello Time: 1 Root Fwd Delay: 4
    Designated Root: 06-a4-00-11-93-90-61-7b
    Bridge ID: 06-a4-00-11-93-90-61-7b
    Root Port Desg
    Port State Designated Bridge Designated Root Cost Cost Port
    e3 Fwd 06-a4-00-11-93-90-61-7b 06-a4-00-11-93-90-61-7b 0 19 8003

  • How long do I have to wait for Stateful Failover on CSS 11154?

    Does somebody know when the next WebNS release is expected to implement TCP Stateful Failover on CSS with a VIP redundancy configuration?
    At the beginning of the year, the product manager said that it would be available in WebNS V6.
    For information: Alteon WEBOS v8 released this feature more than one year ago.
    What is Cisco doing?

    Is Adaptive Session Redundancy what you are looking for?
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_510/advcfggd/vipredun.htm#xtocid24

  • Redundancy and load sharing on more than 2 CSS's

    Hello,
    I have configured VIP, virtual interface and ASR on a pair of CSS's before. Currently, I have some VIP on CSS1 and some other VIP on CSS2 for resilience.
    Because of performance issue (actually a fear for performance issue instead of real) I am looking into scaling up to 3 or more CSS's. I think I can have VIP and virtual interface redundancy on 3 or more CSS's but not ASR. Is it true?
    Any advice will be welcomed.
    CT Yau
    Hong Kong

    Normally VIP redundancy and ASR are for a pair of CSS only.
    I think you can do VIP redundancy with more than 2 CSS, but it is officially not supported.
    You can, however, have multiple VRRP groups per interface and therefore combine your CSS by pair [a-b,b-c,a-c].
    ASR is definitely not going to work with more than 2 CSS.
    Regards,
    Gilles

  • VIP failover time

    I have configured a critical service (ap-kal-pinglist) for the VIP redundant failover. The default freq, maxfail and retry freq are 5, 3, 5, so I think the failover time is 5+5*3*2=35s. But the virtual-router's state changed from "master" to "backup" around 5 secs after the connection was lost.
    Can anyone help me to understand it?

    Service sw1-up-down connects to the e2 interface, going down in 15 sec
    Service sw2-up-down connects to the e3 interface, going down in 4 sec?
    JAN 14 02:38:41 5/1 3857 NETMAN-2: Generic:LINK DOWN for e2
    JAN 14 02:39:57 5/1 3858 NETMAN-2: Generic:LINK DOWN for e3
    JAN 14 02:39:57 5/1 3859 VRRP-0: VrrpTx: Failed on Ipv4FindInterface
    JAN 14 02:40:11 5/1 3860 NETMAN-2: Enterprise:Service Transition:sw2-up-down -> down
    JAN 14 02:40:11 5/1 3861 NETMAN-2: Enterprise:Service Transition:sw1-up-down -> down

  • CSS redundancy

    We have configured two CSS in VIP redundant mode. If the active CSS, which has the high priority, is rebooted, traffic flows through the CSS with the low priority. Once the high-priority CSS comes online again, will it take the active mode back? Secondly, if we now reboot the active CSS which has the low priority, will the other CSS take over?
    Pushpak

    Pushpak,
    In VIP redundancy the CSS uses VRID to determine what VIP addresses it will be master and backup for. When CSS-1 comes back online, it will take mastership for any VRID(s) it has a higher priority for.
    Regards
    Kris

  • Quirkiness with box to box redundancy.

    I have several sets of CSS's running in box to box redundancy running version 5.03 Build 15.
    My question is what causes one CSS to, out of the blue, go backup and the other become master? I've had this happen on just about all the ones I have configured for box to box. This one pair has been running for a little over a year without a problem and today failed over to the other CSS twice. Nothing shows up in the logs except the "transition to redundancy backup / master." Another pair did this several times about a year ago, after having run for quite some time. I rebooted both units and they were fine for a period of about 6 months. I find this very strange and am curious if anyone else has had these same problems. I have updated the code on one set; the problem reappeared about 7 months later.
    I'm now deploying all new CSS installs using interface/vip redundancy.
    Thanks!

    The version you are using is a potential explanation.
    I would really not recommend it.
    You should either go to 5.0 or 6.10
    Regarding the problem you got, it could also be related to how you connected the CSS together.
    Do you have a straight connection between the 2 ? or do you use a switch ?
    If a switch, something could have happened there.
    Gilles.

  • CSS 11501 7.40 Monitoring the services on real servers?

    Hi,
    Just want to ask some basic questions. How can I monitor the services (i.e. 80 and 443) of the real servers, so that when the CSS11501 detects that one of the services of one of the real servers is down, it will not forward the traffic to that server? Or is the CSS configured to monitor the services by default?
    We are planning to upgrade one of the webservers (web01) while web02 is running. If we shut down services 80 and 443, does it affect the end user? Will the CSS automatically redirect traffic to web02?
    Regards,
    Marlon

    Here is my sample configuration
    !************************** SERVICE **************************
    service WEB01-79-HTTP
    ip address 172.20.13.4
    keepalive type tcp
    keepalive port 80
    active
    service WEB01-79-HTTPS
    ip address 172.20.13.4
    keepalive type tcp
    keepalive port 443
    active
    service WEB01-80-HTTP
    ip address 172.20.13.5
    keepalive type tcp
    keepalive port 80
    active
    service WEB01-80-HTTPS
    ip address 172.20.13.5
    keepalive type tcp
    keepalive port 443
    active
    service WEB01-82-HTTP
    ip address 172.20.13.6
    keepalive type tcp
    keepalive port 80
    active
    service WEB01-82-HTTPS
    ip address 172.20.13.6
    keepalive type tcp
    keepalive port 443
    active
    service WEB01-83-HTTP
    ip address 172.20.13.7
    keepalive type tcp
    keepalive port 80
    active
    service WEB01-83-HTTPS
    ip address 172.20.13.7
    keepalive type tcp
    keepalive port 443
    active
    service WEB01-79
    ip address 172.20.13.4
    active
    service WEB01-80
    ip address 172.20.13.5
    active
    service WEB02-82
    ip address 172.20.13.6
    active
    service WEB02-83
    ip address 172.20.13.7
    active
    !*************************** OWNER ***************************
    owner VRL
    content VIP
    redundancy-l4-stateless
    content WEB-HTTP1
    vip address 172.20.10.85
    protocol tcp
    port 80
    advanced-balance sticky-srcip
    add service WEB01-79-HTTP
    add service WEB01-82-HTTP
    redundancy-l4-stateless
    active
    content WEB-HTTP2
    vip address 172.20.10.86
    port 80
    protocol tcp
    advanced-balance sticky-srcip
    add service WEB01-80-HTTP
    add service WEB01-83-HTTP
    redundancy-l4-stateless
    active
    content WEB-HTTPS1
    advanced-balance sticky-srcip
    vip address 172.20.10.85
    protocol tcp
    port 443
    add service WEB01-79-HTTPS
    add service WEB01-82-HTTPS
    redundancy-l4-stateless
    application ssl
    sticky-inact-timeout 20
    active
    content WEB-HTTPS2
    advanced-balance sticky-srcip
    vip address 172.20.10.86
    protocol tcp
    port 443
    add service WEB01-80-HTTPS
    add service WEB01-83-HTTPS
    redundancy-l4-stateless
    application ssl
    sticky-inact-timeout 20
    active
    content WEB01-79
    add service WEB01-79
    vip address 172.20.10.79
    redundancy-l4-stateless
    active
    content WEB01-80
    add service WEB01-80
    vip address 172.20.10.80
    redundancy-l4-stateless
    active
    content WEB02-82
    add service WEB02-82
    vip address 172.20.10.82
    redundancy-l4-stateless
    active
    content WEB02-83
    add service WEB02-83
    vip address 172.20.10.83
    redundancy-l4-stateless
    active
    !*************************** GROUP ***************************
    group WEB01-79
    add service WEB01-79
    vip address 172.20.10.79
    redundancy-l4-stateless
    active
    group WEB01-80
    add service WEB01-80
    vip address 172.20.10.80
    redundancy-l4-stateless
    active
    group WEB02-82
    add service WEB02-82
    vip address 172.20.10.82
    redundancy-l4-stateless
    active
    group WEB02-83
    add service WEB02-83
    vip address 172.20.10.83
    redundancy-l4-stateless
    active

  • Critical Services on CSS - All or Any?

    I've configured vip redundancy on a pair of 11506. I would like critical services defined to failover when ALL the services are down or the upstream gateway is down. The documentation isn't very clear on this. There are simple examples and only the one line about an ALL SERVICES option. (see below)
    "Local critical services for any service other than scripted or redundancy
    uplink, such as a Web service. The VR goes down when all associated local
    critical services go down."
    I assume you do the ALL services option by creating multiple critical services under the IP Interface. But the documentation doesn't say. Am I right?

    Hi Gilles,
    Thanks for the weekend reply! I'd read that section on critical services. It lists three options. The first two will fail if ANY of the configured keepalives fail while the third we clarified how to do an ALL option.
    What I really want to do is fail over when the upstream gateway is unreachable OR all services are down (basically a hybrid ANY/ALL option).
    Rather than build a separate service should I use the existing ones? I'm already using port specific keepalives under my services (port 80 and a custom application TCP port).
    Can I add a second keepalive type to each service with the ping script listing the server IP and upstream router IP? That way if the router fails the service is down.
    I'm guessing if it isn't possible to add a second keepalive to a service I will need to write a custom script to accomplish what I'm trying to do. No biggie I'm just looking for the quickest way to do this.
    Thanks in advance.

  • CSS Config Syncing problem 8.10

    When I sync two CSSs running virtual router redundancy with "script play commit_vip_redundancy", I get an error about the remote unit not having the virtual IP configured.
    If I try to add the IP to the circuit (ip redundant-vip) on the backup CSS manually first, I get an error that the content rule does not exist.
    So currently I'm pasting the config into the devices separately, which is time consuming. Only after the config is present on the 2nd unit can I replicate changes using the specified script.
    I am running ver 8.10 software. Any solutions to the problem?
    Related to the above, is there an easy way to switch over to box-box redundancy from VIP, keeping in mind that the configuration is over 4000 lines long with hundreds of services and content rules?

    First, I would not recommend to switch over to box-to-box redundancy.
    You have better failover response time with vip redundancy.
    Regarding your issue, I would suggest to open a service request with the TAC.
    Provide your config and the output of "script play commit_vip_redundancy -d"
    We need to investigate this and submit a bug if necessary.
    Gilles.
