VIP ping no response on a CSS 11050

Our management system pings devices to verify they are active. The VIP often drops pings (mostly in the morning) and then recovers after a few minutes. The web load balancing never stops and the services are always active. The real addresses on the CSS never drop pings.

Both TAC and local Cisco people have told us that VIPs do not reliably respond to ICMP, which is exactly what you describe.
If I were you, I would try to change your test so that it executes a script (Perl maybe) that does a TCP connection rather than relying on ICMP.
Good luck,
Dennis
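
A TCP-based check of the kind suggested in the reply above, written in Python as an added example (not code from the thread). It reports the VIP as down only after several consecutive failed probes, so one missed probe does not raise an alarm; the function names, retry count and interval are assumptions.

```python
import http.client
import socket
import time


def tcp_check(host, port, timeout=3.0):
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out
        return False


def http_check(host, port, path="/", timeout=3.0):
    """True if an HTTP HEAD request is answered with a non-5xx status.

    Stricter than tcp_check: it proves that something behind the VIP
    actually served the request, not only that the port accepted a SYN.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().status < 500
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def vip_state(host, port, attempts=3, interval=2.0, check=tcp_check):
    """Return "up" on the first successful probe, "down" if all fail.

    attempts and interval are assumed values; tune them to the polling
    cycle of the management system.
    """
    for n in range(attempts):
        if check(host, port):
            return "up"
        if n + 1 < attempts:
            time.sleep(interval)
    return "down"


if __name__ == "__main__":
    # 192.0.2.105 is a documentation address standing in for the VIP.
    print(vip_state("192.0.2.105", 80, check=http_check))
```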

Similar Messages

  • Load Balancing Linux servers with CSS 11050 series

    We would like to load balance Linux FTP and Web servers with a CSS 11050 series device. Does the content switch use SNMP to load balance the servers? If so, which MIBs need to be loaded on the servers?

    I don't believe that the CSS supports any SNMP load balancing mechanism.
    There are basically two factors involved in load balancing. One: the state of the servers which can be done via a range of mechanisms including ping, TCP connection, Application request, etc. Two: the way a server is chosen when a request comes in including round-robin, least connections, ACA etc.
    Check out these links:
    http://www.cisco.com/warp/customer/117/basic_css_lb_config.html
    http://www.cisco.com/warp/customer/117/methods_load_bal.html

  • CSS 11050 Load Balancing with Single VLAN (no NAT)

    We have several CSS 11050's in use on our network, chiefly for load-balancing web servers. In a test network I've set up, I've configured our test servers' IP addresses and our load-balanced IP address to be on the same subnet. This way our developers can easily check both single servers as well as the LB configuration. This got me thinking...
    All the config documentation I've seen on the CSS seems to assume that you are putting the VIP for the content rule on a different VLAN than the IPs for the services. Is there any particular need for this? I'm in the process of setting up another network that will have its services NATed behind a PIX. There are some services (WWW) that I want load balanced and some services (passive FTP with one server) where there's really no need. Would I do any harm by putting the content rules' VIPs on the same subnet as the servers themselves? I can still plug the servers into the other ports on the CSS so that I'm not really doing a "one-arm" configuration.
    -Mark Romer

    You shouldn't have any problem doing this. In addition to load balancing web servers we've also balanced terminal servers that are configured to be accessed by remote users through VPN connections. Because we have over 90 remote locations, I didn't want the services and the VIP addresses to be on different VLANs because I'd have to reconfigure the routers in all the remote locations. I was in the same position you're in, all the documentation indicated different VLANs but I thought it would be worth a try. Everything works perfectly...
    Cody Rowland

  • Airport Extreme Slow Ping (Internet) Response

    I am having problems with my dual-band airport extreme.  When connecting to the external internet, I'm seeing high ping responses (>500ms) after about 5-10 minutes of resetting (hard reset) the Extreme and initially seeing 15-30ms response times.
    I've tried:
    1.  Moving the router physically in the house (no improvement)
    2.  Trying different channels on both 2.5 and 5 (some, but inconsistent improvement)
    3.  Multiple hard resets and reconfiguring the Extreme
    4.  Reinstall the firmware (haven't tried going down in firmware)
    5.  There are no cordless phones in the house
    6.  Absolute speed to the internet is strong (above my provider's stated speed)
    7.  If I connect my Macbook pro directly to the cable router, everything (ping + speed) is great.
    8.  Seeing slow ping responses both on my MacBook Pro and a separate PC
    Any suggestions on how to troubleshoot?  Seems like it's a problem with the wireless connection and/or interference.
    Thanks!
    Dale

    Had a 5th gen Extreme that I bought with 7.5 and immediately upgraded to 7.6.  Saw the exact issue you described.  Exchanged it for a 6th gen Extreme, and am experiencing the same behavior again... both with 7.5.2 and 7.6 firmware.
    Everything is hunky dory when plugged directly into my cable modem.
    Third time's a charm, hopefully.

  • CSS 11050 NAT problem

    Hi, I have a problem with the NAT group intercepting connections to a PIX on the local VLAN. VLAN1 on the LB is the outside internet connection, VLAN2 is internal, at 10.0.10.0/24. The PIX IP is 10.0.10.254. If a webserver at 10.0.10.5 tries to connect to a server behind the PIX, the PIX logs a connection not from 10.0.10.5, but from the NAT group, which has an external IP address. Not only does this slow things down, but confuses the ACL config on the PIX. Any way to force devices to directly connect on the local VLAN, as one would normally expect? Thanks!

    What happens is the traffic that will use the group will need to match the source/dest configured in the ACL, but more importantly, the VLAN you apply to the ACL itself will determine what traffic is even looked at in the ACL itself. So if you apply vlan1 to the ACL, then only traffic coming into the CSS via VLAN1 will use the acl (assuming it matches the clause criteria configured).
    By using the ACL approach, you could put those ip addresses you want to NAT in the first clauses, and then leave out the ones you do not want to NAT. If there is no ACL match, then there will be no NAT.
    Instead of specifying all the IP addresses in separate ACLs, you can use the subnet mask to create a range of addresses.
    Hope this helps. I do agree that this can be a bit of a maint challenge having to do this, but I'm not sure any other option exists unless there is something different about the way you have your source groups configured.
    Regards
    Pete..

  • Monitoring services in CSS 11050 using SNMP

    Has anyone implemented SNMP monitoring of services for CSS?
    How do I go about doing it using HP Openview as the SNMP manager?
    I have read the SNMP configuration for CSS but still quite confused about setting the threshold for the RMON alarm. How do you determine what threshold to set to indicate that the service is alive or down??
    You might want to refer to the RMON guide for CSS below:
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/rmon.htm#35012

    Hi Matthew,
    Actually, for monitoring services via SNMP you don't need to configure
    alarms on the CSS. First, there are default traps generated by the CSS
    MIBs. Information can be found here:
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/snmp.htm#xtocid1874327
    There are two traps, "Service Down" and "Service Suspended", sent to
    the preconfigured mgmt station. This can be used to indicate whether
    a service is down or not.
    Second, you can poll the state of the existing services by the mgmt
    station using the CSS MIBs, this is described here:
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/snmp.htm#xtocid1874330
    Use the svcExt.apSvcState variables to get the states.
    If you have any further questions ...
    cheers
    rene

  • CSS 11050 5.03(15) Log Message (?)

    Does anyone know what this log event means? I've tried a few searches on CCO and came up empty.
    MAR 11 13:07:28 5/1 319 NETMAN-1: TRAP:Authentication:Generated by: x.x.x.x
    MAR 11 13:07:29 5/1 320 NETMAN-1: TRAP:Authentication:Generated by: x.x.x.x
    MAR 11 13:07:31 5/1 321 NETMAN-1: TRAP:Authentication:Generated by: x.x.x.x

    NETMAN-1: TRAP:Authentication: is a log statement which states that someone with that IP address is trying to access the SNMP agent on the CSS with an invalid or incorrect community name.
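
The log format quoted in this thread can be parsed to spot repeated failures from one source. This is an added Python example, not part of the original posts: the sample lines are constructed (documentation addresses replace the masked `x.x.x.x`), the log carries no year so the caller supplies one, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MONTHS = {name: i + 1 for i, name in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split())}

# Matches the lines quoted in the thread. The two fields after the time
# ("5/1" and "319" there) are skipped; their meaning is not stated on the page.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z]{3}) +(?P<day>\d{1,2}) "
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}) \S+ \d+ "
    r"NETMAN-\d: TRAP:Authentication:Generated by: (?P<src>\S+)$")

# Constructed sample input.
SAMPLE = """\
MAR 11 13:07:28 5/1 319 NETMAN-1: TRAP:Authentication:Generated by: 192.0.2.10
MAR 11 13:07:29 5/1 320 NETMAN-1: TRAP:Authentication:Generated by: 192.0.2.10
MAR 11 13:07:31 5/1 321 NETMAN-1: TRAP:Authentication:Generated by: 192.0.2.10
MAR 11 13:40:02 5/1 322 NETMAN-1: TRAP:Authentication:Generated by: 198.51.100.7
MAR 11 14:55:10 5/1 323 NETMAN-1: TRAP:Authentication:Generated by: 198.51.100.7
""".splitlines()


def parse_auth_trap(line, year=2000):
    """Return (timestamp, source) for an authentication trap line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None or m["mon"] not in MONTHS:
        return None
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                  int(m["h"]), int(m["mi"]), int(m["s"]))
    return ts, m["src"]


def find_bursts(lines, threshold=3, window=timedelta(seconds=60), year=2000):
    """Map each source to its largest count of traps inside one window.

    Only sources reaching `threshold` are returned. An isolated failure is
    more likely a mistyped community string on a management station; a
    burst from one address is worth investigating.
    """
    recent = defaultdict(deque)   # source -> timestamps still in the window
    alerts = {}
    for line in lines:
        parsed = parse_auth_trap(line, year)
        if parsed is None:
            continue
        ts, src = parsed
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(q))
    return alerts


if __name__ == "__main__":
    for src, count in find_bursts(SAMPLE).items():
        print(f"{src}: {count} SNMP authentication failures within 60 s")
```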

  • CSS 11050 Sniffer trace

    I'm trying to use a sniffer to capture traffic that is hitting my CSS and what services are requested/handled inside the CSS network. I have redundant CSS with 2 LAN switches (cat.2924XL) behind it. I'm running port monitor on all the internal connections (CSS, web servers, etc), but I'm not seeing any real user traffic inbound or outbound on these connections. All I'm seeing is broadcast traffic inside the network from the css and web servers. Any suggestion or document on this problem will be appreciated.

    My assumption here is that you are seeing spoofed information from the CSS as the only way you will see incoming user data is from the outside network where the user comes in. Most often in troubleshooting the CSS we require back and front end traces to understand the traffic flow.
    Regards
    Pete Knoops
    Cisco Systems

  • Slow HTTPs response time through CSS after applying KB2585542 to windows client

    Anyone else having issues with HTTPS sites being very slow after applying KB2585542?   Once you remove this Microsoft patch everything returns to normal.   It appears that the CSS does not handle the split-ssl requests properly.  I have opened a TAC case but am not really getting anywhere as we seem to be the only company that is having this issue.
    Thanks,
    Jim

    A few more details about this patch from Microsoft:
    Details about this security patch:
    http://support.microsoft.com/kb/2585542
    RFC's
    Application can handle Fragmentation of SSL/TLS application records, as described in the following RFC’s:
    TLS 1.0: http://www.ietf.org/rfc/rfc2246.txt paragraph 6.2.1
    SSL 3.0 http://www.ietf.org/rfc/rfc6101 paragraph 5.2.1
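
The record fragmentation these RFC sections describe can be shown at the framing level. This is an added Python example, not from the thread: payloads are left unencrypted so the framing is visible (real records carry ciphertext), and the 1-byte-then-remainder split shape and all function names are assumptions.

```python
import struct

APPLICATION_DATA = 23          # ContentType application_data
MAX_FRAGMENT = 2**14 + 2048    # upper bound on a TLSCiphertext fragment


def make_record(payload, content_type=APPLICATION_DATA, version=(3, 1)):
    """Frame payload as one record: type(1) version(2) length(2) fragment."""
    return struct.pack("!BBBH", content_type, *version, len(payload)) + payload


def split_write(data):
    """Frame one application write as two records: first byte, then the rest."""
    if len(data) <= 1:
        return make_record(data)
    return make_record(data[:1]) + make_record(data[1:])


def iter_records(stream):
    """Yield (content_type, fragment) for every complete record in stream."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        if length > MAX_FRAGMENT:
            raise ValueError("record length exceeds protocol maximum")
        end = offset + 5 + length
        if end > len(stream):
            break                      # partial record: wait for more bytes
        yield ctype, stream[offset + 5:end]
        offset = end


def first_record_only(stream):
    """Broken receiver: assumes one record holds the whole request."""
    return next(iter_records(stream))[1]


def reassemble(stream):
    """Correct receiver: application data is a byte stream across records."""
    return b"".join(frag for ctype, frag in iter_records(stream)
                    if ctype == APPLICATION_DATA)


if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed
    wire = split_write(request)
    print(first_record_only(wire))        # only the first byte
    print(reassemble(wire) == request)    # full request recovered
```

A receiver written like `first_record_only` stalls or misparses once the sender starts splitting writes, while one written like `reassemble` is unaffected by where the record boundaries fall.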

  • CSS 11050 SYN Attacks and auto-reboot

    Running software version 5.00 build 2 to load balance two web servers. The DOS log shows SYN attack activity--with one incident logging 62 "attacks". I read that if this value reaches a threshold, then the machine will reboot. Can someone tell me what the guidelines are for this? Are there any other events that can cause the switch to auto reboot? Thanks!

    First, you should definitely upgrade.
    5.0(2) is VERY VERY OLD.
    Next, a box never reloads by itself on purpose or because it reached a certain threshold.
    If there is an auto-reboot, this means the box crashed and this is not normal.
    Gilles.

  • Disable Response to Incoming PINGs on E1000

    I have an E1000 (brand new) router up and running, but am not able to configure the router to ignore incoming PING requests.
    I have the router configured as follows (SECURITY Tab):
    SPI Firewall Protection: ENABLED
    Filter Anonymous Internet Requests: CHECKED
    Filter Multicast: CHECKED
    Filter NAT Internet Redirection: CHECKED
    Filter IDENT (Port 113): CHECKED
    The router *still* responds to incoming PING requests - e.g., ShieldsUp at http://www.grc.com complains that its PINGs generate responses.  In addition, I am able to see the router from my home PC with a PING to the ISP assigned temporary WAN IP address.
    Question: Does anyone know how to configure an E1000 to ignore incoming PING requests??????

    Uncheck Filter Anonymous Internet Requests then click on save settings. Now try accessing the setup page of the router from outside.

  • CSS 11503 Destination NAT - can only enable one service

    I have three web servers configured as six services. Three are for MOSS (Microsoft Office Sharepoint Server) and three are for SSRS (SQL Server Reporting Services 2006 in integration mode).
    THE PROBLEM:
    When more than one MOSS service is active I can no longer connect to the SSRS services.
    This is a trunked Configuration:
    interface 1/1
    trunk
    redundancy-phy
    vlan 1
    default-vlan
    vlan 100
    vlan 101
    vlan 103
    interface 3/16
    bridge vlan 4000
    circuit VLAN100
    redundancy
    ip address 192.168.100.xx0 255.255.255.0
    circuit VLAN103
    redundancy
    ip address 192.168.103.xx0 255.255.255.0
    circuit VLAN4000
    ip address 1.x.x.2 255.255.255.252
    redundancy-protocol
    circuit VLAN101
    redundancy
    ip address 192.168.101.xx0 255.255.255.0
    service MOSSWeb01
    ip address 192.168.103.xx1
    keepalive port 80
    keepalive type tcp
    active
    service MOSSWeb02
    ip address 192.168.103.xx2
    keepalive port 80
    keepalive type tcp
    active
    service MOSSWeb03
    ip address 192.168.103.xx3
    keepalive port 80
    keepalive type tcp
    active
    service SSRSWeb01
    ip address 192.168.103.xx1
    active
    service SSRSWeb02
    ip address 192.168.103.xx2
    active
    service SSRSWeb03
    ip address 192.168.103.xx3
    active
    owner MOSS
    content MOSS
    vip address 192.168.100.xx1
    vip-ping-response local-remote
    add service MOSSWeb01
    add service MOSSWeb02
    add service MOSSWeb03
    active
    owner SSRS
    content REPORTSERVER
    vip address 192.168.100.xx2
    add service SSRSWeb01
    add service SSRSWeb02
    add service SSRSWeb03
    vip-ping-response local-remote
    active
    group MOSS2007-DSTNAT
    vip address 192.168.100.xx1
    add destination service MOSSWeb01
    add destination service MOSSWeb02
    add destination service MOSSWeb03
    active
    group SSRS2005-DSTNAT
    vip address 192.168.100.xx2
    add destination service SSRSWeb01
    add destination service SSRSWeb02
    add destination service SSRSWeb03
    active
    NOTES:
    All (3) real servers have a default route to 192.168.103.xx0 which ensures traffic passing through the CSS (so I don't understand why I still need a destination service group).
    When MOSS accesses SSRS it does so via http://SSRS2005/reportserver. This is configured in DNS as 192.168.100.xx2. I would think that this would also ensure traffic through the CSS but I still had to configure a destination service for these.
    All clients connect to the MOSS services via one VIP (192.168.100.xx1) and the MOSS services connect to the SSRS services via a 2nd VIP (192.168.100.xx2). MOSS also connects to itself for indexing content and a variety of other services (I had originally tried separating the MOSS content rules using layer 5 matching on Host Headers. This seemed to cause issues with access to ports 139 and 445 for UNC access to document libraries so I simplified the MOSS content rule back to layer 3).
    I have setup two distinct groups and have used destination NAT so that the servers can communicate to each other.
    When using Wireshark on the servers to run packet traces and all services are up I do not even see any packets destined for the SSRS services leading me to believe that they are dropped by the CSS (however, I don't see them using show flows on the CSS either).
    Can anyone here shed some light on the correct way to configure the CSS in such a scenario?
    Thanks in advance.

    I have two MOSS services down because MOSS can't get to SSRS if more than one MOSS service is active. That's the crux of the biscuit.
    I had hoped to avoid the whole packet sniffing activity but it looks like I may need to capture more information. I don't really want to change the VLAN configuration since this CSS is managed by our network team and there are other services configured on the CSS that I have not indicated.
    I appreciate your advice, so far. I will actually have some downtime this coming weekend where I can try some additional configuration options after prime time from home.
    One thing that may not be apparent in this whole discussion is that all of the sites on both MOSS and SSRS use HOST Headers for HTTP. That's what keeps them separated. I had tried using layer 5 content rules but had the same issue plus other issues with non-HTTP traffic. I also did not care for the fact that the CSS actually spoofs the responses when using layer 5. There is a lot of NTLM Challenge/Response traffic for Windows Integrated Authentication and Negotiated Kerberos. The bottom line is that even without Layer 5 content rules the Host Headers do get passed to IIS and the sites are selected properly based on that header. The exception is that Host Headers are no longer required for SSRS since it is the default website on port 80 (besides - setting up host headers for SSRS in MOSS integration mode has its own set of issues). Still, the host headers are sent to SSRS SOAP Endpoints and there are no issues connecting to any of the three SSRS services from any of the three MOSS servers interactively. The issue is when a client outside of these VLANs makes a request for a report.
    client->MOSS->SSRS->MOSS->client
    Be aware too that both MOSS and SSRS are making connections back through the CSS to their respective databases for each request.

  • Problem accessing VIP via HTTP from service servers

    I thought I had a pretty simple config on my CSS11501- but have run into an issue I'm having trouble resolving.
    I have two unix webservers (IPs are .99 and .100) on ports e1 and e2, and my uplink for the CSS is on port e8.
    The CSS has a VIP address (.105) that load balances HTTP requests to .99 and .100.
    From .99 and .100 I can ping the VIP address - and from outside the CSS - almost everything works great for the site I'm hosting on .105.
    I do have two web pages however that attempt to make calls directly to the VIP address - I noticed I can't load those pages.
    Nor can I just browse the website on the VIP address from either of the servers. The webservers can browse their own pages via IP, and each other's pages via IP.
    Just not pages on the VIP.
    I think it may be a case of the servers thinking that IP spoofing is occurring - or maybe I missed something simple in the config.
    Here's what I see in a 'show flows' when I try and browse the VIP address (.105) from the .100 server.
    Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort
    65.207.212.100 53758 65.207.212.105 80 65.207.212.100 TCP e2 e2
    65.207.212.100 80 65.207.212.100 53758 65.207.212.100 TCP e2 e2
    Since it appears that the CSS NATs the request to the same IP the server is using, will the reply from the server ever make it back to the CSS?
    Or does it think that it shouldn't need to reply - because it is that IP?
    Should I be able to browse the VIP site from the webservers?
    Below is the full CSS config if someone can help me figure this out.
    Thanks in advance for any and all help.
    Paul
    CSS11501# show run
    !Generated on 08/30/2005 12:08:11
    !Active version: sg0750004
    configure
    !*************************** GLOBAL ***************************
    no restrict web-mgmt
    acl enable
    logging subsystem acl level debug-7
    ip route 0.0.0.0 0.0.0.0 65.207.212.1 1
    !************************** CIRCUIT **************************
    circuit VLAN1
    ip address 65.207.212.104 255.255.255.0
    !************************** SERVICE **************************
    service www2
    keepalive type tcp
    keepalive port 80
    ip address 65.207.212.99
    active
    service www3
    keepalive type tcp
    keepalive port 80
    ip address 65.207.212.100
    active
    !*************************** OWNER ***************************
    owner WWW
    content rule1
    vip address 65.207.212.105
    add service www2
    add service www3
    port 80
    protocol tcp
    advanced-balance sticky-srcip-dstport
    active
    !**************************** ACL ****************************
    acl 1
    clause 10 permit any any destination any
    apply circuit-(VLAN1)

    Paul,
    Simple config and well-known basic mistake :-)
    If a server tries to access the vip, the css will forward the request to the same server or the other one.
    Both ways, the response from the server will go directly to the client-server, bypassing the CSS.
    For this to work, you need to do client nat so the server making the HTTP connection appears to be coming from the CSS.
    Create a group like this
    group servernat
    vip addr 65.207.212.105
    active
    and add the following to your acl
    clause 5 permit any 65.207.212.99 destination content www/rule1 sourcegroup servernat
    Do a similar clause for the 2nd server.
    re-apply the acl.
    Everything should work now.
    Gilles.
    Thanks for rating.

  • Unable to issue "redundancy-protocol" command on CSS

    This is really weird. I've done box-2-box redundancy on CSSs half a dozen times. I have a CSS 11050 on 5.0(33) code that does not recognize "redundancy-protocol" as a valid command on the VRRP interface.
    Config of the CSS is really basic:
    !Generated on 01/01/1980 00:00:11
    !Active version: ap0500033
    configure
    !*************************** GLOBAL ***************************
    bridge spanning-tree disabled
    persistence reset remap
    acl enable
    ip redundancy
    app
    app session 192.168.1.2
    ip route 0.0.0.0 0.0.0.0 14.60.64.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    interface e2
    bridge vlan 2
    phy 100Mbits-FD
    interface e3
    phy 100Mbits-FD
    interface e4
    phy 100Mbits-FD
    interface e5
    phy 100Mbits-FD
    interface e6
    phy 100Mbits-FD
    interface e8
    phy 100Mbits-FD
    bridge vlan 10
    !************************** CIRCUIT **************************
    circuit VLAN1
    redundancy
    ip address 14.218.74.110 255.255.254.0
    circuit VLAN2
    redundancy
    ip address 14.60.64.211 255.255.248.0
    circuit VLAN10
    ip address 192.168.1.1 255.255.255.0
    !************************** SERVICE **************************
    service tempest
    ip address 14.218.74.127
    keepalive type http
    keepalive uri "/checkServerStatus.html"
    active
    service tempest-ping
    ip address 14.218.74.127
    active
    service zephyr
    ip address 14.218.74.128
    keepalive type http
    keepalive uri "/checkServerStatus.html"
    active
    service zephyr-ping
    ip address 14.218.74.128
    active
    !*************************** OWNER ***************************
    owner HPS
    content layer3
    vip address 14.60.64.210
    no persistent
    add service tempest
    primarySorryServer zephyr
    active
    !*************************** GROUP ***************************
    group SOURCE-IP-NAT
    vip address 14.218.74.112
    active
    !**************************** ACL ****************************
    acl 10
    clause 10 permit any any destination any
    apply circuit-(VLAN10)
    acl 20
    clause 10 permit any any destination any
    apply circuit-(VLAN1)
    acl 30
    clause 10 permit any any destination content HPS/layer3 sourcegroup SOURCE-IP-NAT
    clause 90 permit any any destination any
    apply circuit-(VLAN2)
    ~~~~~~~~~~~~~~~~~~~~~~
    Pretty simple, but when I go to configure VLAN10 as the interface to run VRRP on:
    scc-lb1(config)# circuit VLAN10
    scc-lb1(config-circuit[VLAN10])# redundancy-protocol
    ^
    %% Invalid input detected at '^' marker.
    scc-lb1(config-circuit[VLAN10])# re?
    redundancy Configure this circuit for redundancy
    restore Restore commands
    *** Aliases ***
    reboot_diags @configure;boot;rebo diags
    reboot @configure;boot;rebo
    scc-lb1(config-circuit[VLAN10])#
    The "redundancy" command is the only command it will recognize.
    Anybody have any clue what is happening here?
    Thanks!

    Hi,
    In order to add "redundancy-protocol" to the circuit, you need to go into the ip address section after going into the circuit section and then it will be an available option.
    Like this:
    scc-lb1(config)# circuit VLAN10
    once in the circuit section, type in the ip address of the circuit.
    Then you will be in the ip address part of the config and type in "redundancy-protocol"
    Regards
    Pete Knoops
    Cisco Systems

  • CSS newbie - 8.10 upgrade problem

    I typed the config from our working 11503 7.10 CSS into a new 11503 8.10 CSS. Show Run for each is identical (see attached). When I swap-in the new CSS I get "Page not found" from the VIP, and all the 8.10 CSS will do is bridge me to the real server addresses. What have I missed?
    NB 8.10 CSS has SSL module and license.

    I have seen this kind of thing in the past.
    Often it is a misconnected cable, or the ARP table of gateways/servers still pointing at the previous CSS even if disconnected.
    So, clear all ARP tables on gateways and servers.
    Then verify they learn the new CSS mac address correctly.
    Then verify connectivity using ping.
    Then use a browser.
    If it still does not work, capture a sniffer trace in front of the CSS.
    Gilles.
