Cisco Application :: CSS11503 / How To Preserve Client Port On CSS
Mar 12, 2012
I’m wondering if there is a way to configure CSS11503 running 8.10 so that the servers in the content rules can see the client port number? The servers can see the client IP, but not the port!! It seems when forwarding packets to the servers in the content rule, the CSS uses a new high-number port when communicating with servers.
Jul 27, 2012
CSS11503 that has a SAM module having a 99-100% utilization. Can this affect the services if both the accelerator module CPU peak to 99%?
Kindly see below logs:
LPHGT11# show system-resources
System Resources for 1/1:
Installed Memory: 268,435,456 (256 MB)
[Code].....
May 27, 2012
How can you check if balance ACA is enabled in CSS11503? How can you see also if the content switch (CSS11503) is load balancing using balance ACA? The "show load" command does not show it.
xxxxxx# show load
Global load information:
Reporting:Enabled
Calculation method:Relative Step Size:Dynamic Configured:10 Actual:1280
Threshold:254 Ageout-Timer:60 Teardown-timer: Configured:20 Actual:20
Service load information:
Average Average Peak Average
Service Name Load Number ResponseTime Response Time
-----------------------------------------------------------------------
DNS1 4 8999 33972
DNS2 4 8884 28254
SSH-WPHGT11 2 0 87509
WPHGT11 2 0 0
def-gwy-server 255 0 0
fe1-gw1-radius1 2 0 0
fe1-gw1-radius2 2 0 0
fe1-gw1-wap-8799 8 15344 662337
fe1-gw1-wap-9200 2 [Code].....
Dec 16, 2012
We have a CSS11503 that is currently being used to accept incoming HTTPS and SSH connections on a specific VIP and then PAT those client connections. I understand that it also PATs the server initiated connections. [code]
Jun 28, 2012
What is the equivalent of the command "show flash" in IOS for the CSS11503 as I would like to view available flash space on the CSS11500 series load balancers?
Jun 28, 2012
I have two CSS 11503 in my network, recently we had configured sticky with advanced-balance arrowpoint-cookie.
The sticky is functioning but we found our server's private IP in the IE cookie ARPT box.
Is there any way to hide ARPT info? Below is an example configuration of my CSS and attached screenshot is Firefox cookie info.
content 5301
add service 172.18.71.77_5301
add service 172.18.71.77_5302
[Code]......
Dec 8, 2011
I know the CSS is too old but I have one in production environment and I was asked if it is possible for the CSS to make NAT from inside addresses and translate them into one external IP address for different kinds of communications, for example: 172.16.4.9 and 172.16.4.10 (inside addresses) should start connection to external IP addresses destinations 50.50.50.50 / 60.60.60.60 70.70.70.70 / 80.80.80.80 and so on, the default gateway to those servers is the CSS and I would like to know if it is possible that all connections to external world be translated into one IP address 172.16.4.100.
My CSS is 11503
Version: sg0810106
Oct 26, 2011
Customer needs to send tagged traffic from various DSL sites (DSL is with us) and wants to be able to see vlan tags in the core. Essentially each site will have a vlan tag associated with it.
Mar 31, 2012
I have two Wi-Fi networks, and I have written a client-server model in C (Linux); the client has three threads and each thread has a different physical Wi-Fi connection to the server. But the problem is that the overall data rate is not increased by this; it is similar to using one Wi-Fi connection.
Jan 4, 2012
Client is unable to establish a connection to the backend servers via the VIP on port 389, 636. Confirmed that servers are listening on these ports. Even the probe is successful on port 389 but not getting any response back from the servers. [code]
Apr 15, 2012
Whatever a NAT is supported for ACE-20 module? I do need to convert working CSM (SLB) config to ACE configuration and I am not quite sure if the configuration below is correct. ACE module should be configured in bridge mode with two vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36. NAT on ACE configured as "nat dynamic 1025 vlan 436" into corresponding "policy-map type loadbalance". Check two parts of configs and if the ACE config is properly converted from CSM and will be working in the same way (especially for NAT). [code]
Nov 25, 2009
I have an environment with SSL termination and client authentication with a client certificate. Now, the backend server application needs to be informed of the client DN information present in the presented client certificate. Is it possible to tell the ACE to send specific client certificate fields to the backend server via insertion of an HTTP header or to forward the entire client certificate in any way to the backend server?
Nov 12, 2012
I have an ACE4710 set up to load balance a couple of web servers. The real servers all show as inservice, as do the probes and serverfarms/virtual servers. If I ping the virtual server IP address I get a reply, but if I try to access VIP via telnet or web browser, I get a connection could not be open error on the client. The question is how do I determine where the error is coming from; so far I can not tell if the client is getting through the ACL or not. I have used the troubleshooting guide and nothing has worked to determine the cause so far. show service-policy int479 detail does not show an increase in the hit count when I try to connect. show stats conn does not show an increase in failed or timed out connections when I try to connect. [code]
Jan 12, 2011
configuration example on how to reconstruct the original client IP address from X-forwarded-for in HTTP request?
Jan 24, 2013
I have a web application behind an SSL-offloading CSS 11506 that may require the server to be able to use an SSL connection as soon as it is established. At least I'm troubleshooting a problem that is starting to look like this is a possibility.
The default behavior seems to be to not start the SYN/SYN-ACK sequence with the real server until the client starts talking first (such as send an http get request), even though the SSL termination part is done and ready.
Any way to change this behavior? The scenario is a webapp. Client side starts more than one SSL session to the server, but only uses one immediately. The client knows it has more than one connection and may have told the server so. Like a control plus data channel(s) arrangement. The client opens all the connections (full SSL handshake on all channels), starts using the control channel, and expects the server to start talking on the data channel. However, since the client hasn't sent anything down that TCP connection first... the server doesn't have it.
I don't think this would occur when the server is doing the SSL... as it should have all the TCP connections as soon as the SSL handshakes are done.
Oct 15, 2011
I want to use one arm infrastructure of ACE4710. But I remember it was problem for back end server can not get logging for which client/ip address access the web server.
Aug 11, 2012
I've got a web app that the owners want to run over port 80, but also using SSL to secure private data in transit. The architecture is an ACE 4710 in SSL termination mode->Apache (port 2000)->Back-End app server.
I've got two VIPs set up already - one on port 443 and one on 2000 - both of which do the SSL termination quite nicely, but using the 3rd VIP set up on port 80, the connection steadfastly refuses to be HTTPS (i.e. doesn't show the padlock).
I've done all the set-up through the web interface so far, can this be done? If so, how?
Oct 11, 2011
I have CSS in single arm deployment model. I want to configure port redirection for the servers. Servers are actually running web service on port TCP 3636, which is accessible by VIP http://192.168.200.87:3636, but I don't want to give users this URL. I want the user to use the standard HTTP URL as mentioned below: I want the user to open http://192.168.200.87 and once they access this URL, the CSS automatically redirects them to port 3636. How can I achieve this? I am using IP addresses for the load balancing.
Feb 3, 2013
the dynamic port range server load balancing supported for MS Exchange 2010
Dec 21, 2011
We have multiple CSS 11500 clusters. We have found that on all of them, if you try to open a session on any port to an IP address on the backend of the CSS, the CSS will complete the SYN-ACK-ACK session with the client. This happens regardless of whether there is something on that IP address or not.
Coming from any IP, if I try to telnet to ANY IP on the 10.2.2.0 subnet (whether or not there is an actual server on that IP) on any port (whether or not that port is open or not), the CSS will complete the initial connection. I have verified this using telnet to numerous ports and viewing the transaction in a packet capture.
Is there any way to shut this off? This is causing some licensing issues for our security folks that use a vulnerability scanner licensed on number of IP addresses.
Apr 26, 2012
I'm running several game and file servers via a dynamic IP, which I unfortunately cannot change to a static connection for several reasons. I've solved this by using No-IP, which is a Dynamic IP resolution service. This solved the first part of my problem - I can give people IP's for their websites, such as myfreemusic.sytes.net and so forth, but they all HAVE to append their ports to the url - i.e.
site1.sytes.net:90
site2.sytes.net:91
My main problem right now is the game servers - I'm hosting games that default host to 25565, and though I can change the ports the server hosts from, I must give those who want to connect the ports at the end of their urls, i.e.
server1.sytes.net:25566
server2.sytes.net:25567
I know DNS is essentially agnostic when it comes to ports, so no solution there. And I don't think the game (Minecraft vis-a-vis bukkit) supports SRV records, and even if they did, I'd have no idea how to configure them. How can I resolve static urls redirecting to a dynamic IP by pointing them to ports?
To simplify the question -
How can I make server1.sytes.net resolve to port 25566, and server2.sytes.net resolve to port 25567 when the default port is set to 25565?
Apr 29, 2012
I need to configure a keepalive that checks a URL on a server (HTTP on port 9500, not on port 80) and checks port 443 on the same server. If any of them does not respond, the service should go down.
Dec 13, 2011
We would like to set up an FTP server over CSS where our member server uses non-standard ports to open both control/data channels (i.e. 6370 as ctrl and 6369 as data in this case), but it seems we only get Passive mode FTP to work but not Active mode FTP for data channel establishment from server back to client.
# sh ver
Version: sg0820501 (08.20.5.01)
Flash (Locked): 08.10.1.06
Flash (Operational): 08.20.5.01
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set
[code]....
Sep 13, 2012
I must redirect all connections from port 443 to 9443.
This is configured and running:
serverfarm host FARM-002
probe test-xml
rserver svx-xmlfw-lb-01 9443
backup-rserver svx-xmlfw-lb-02 9443
inservice
rserver svx-xmlfw-lb-02 9443
[code]....
I have at the moment the following problem. All connections become redirected to port 9443 but port 8080 shouldn't be redirected to port 9443. What can I change in my config to solve this problem?
Aug 16, 2012
Am I able to use an SSL cert in the proxy list for the same VIP but on a different port?
Oct 9, 2012
I want to be able to use port 1-80 for all outgoing traffic. I have a VPS outside my home, which can redirect the packets to the proper ports. Is it possible with an application on the computer and VPS? Or is it impossible?
Jan 4, 2013
My customer wants each ACE4710 (of a highly available cluster) to have its own, dedicated port for management purposes.
According to documentation, IP addressing can be applied to VLAN interfaces, so in order to satisfy the requirement, I should make one port belong to an "access VLAN X", and then apply IP addressing to the corresponding "interface VLAN X". This should satisfy my customer's requirement in an indirect way.
But... Can't I just configure IP address on one of the 4 ethernet ports in order to save the work of building the aforementioned VLAN? I am asking this since I do not have access to a real box in order to verify.
Mar 16, 2011
Setting up VPN using QuickVPN client to ASA5505. QuickVPN client version is 1.4.1.2. I need to use port 60443, port 443 is already taken.
Feb 16, 2012
I am facing a problem with ACE configuration. I want to redirect 443 traffic to my Proxy Server. But I am not able to do this. I want to redirect only subnet 192.168.80.0/24. Then only it is working but I don't have to have this policy to be applied on all the users only one subnet I want to have under HTTPS policy.
How can I apply the policy only on a specific subnet so that port 443 traffic can be redirected and all the rest of the subnets can go directly to the Internet?
Mar 19, 2013
My setup is as follows: as a part of a global network, I have two separate measurement stations collecting data in the field. They are working with some kind of embedded linux system and is running an FTP-server so that I can download collected data. I have some control over the stations, which e.g. means that I can select the port used for the FTP-server (default is 21). Unfortunately, for this particular set of measurement stations, they are connecting via FTP-over-radio-link to another station which is connected to my computer via a router (on the server-side) and I can only "see" their common external IP address. If I have understood this correctly, they can not use the same port for FTP traffic, right? The router used is some (for me) unknown brand with unknown capabilities, so I don't expect/want a solution at that end. Now, to my problem: as a part of this global network there is a custom software running on my computer that automatically connects to all the different stations to download and process the data. This software runs on any recent version of Windows, but I'm running Windows XP right now. There is no way for me to modify this software at this point (for the future, maybe, but not now), and unfortunately it has a severe limitation: it MUST use port 21 for FTP-connections. My first attempt was to set the FTP-port to 2121 for one of the servers and create another IP address on my client network adapter and try to forward port 21 of this new IP to port 2121 on the server/router side, but due to lack of knowledge and experience I did not manage to get this working fully.
May 11, 2013
I want to prioritize League of Legends, a game which uses ports ranging between 5000-5500. Does the WRT54GL "Application Priority" section allow for port ranges? If yes, have I put the range in correctly?
Mar 2, 2013
I have a problem configuring port forwarding to 443 and having client VPN to work. When 443 is NOT forwarded, VPN just runs fine (QuickVPN). As soon as I enable 443, the VPN stops working. No client can connect. I have the latest 1.2.0.9 firmware. Is there a way to enable 443 and having VPN to work at the same time? I need 443 for Exchange.
Jun 18, 2012
How to get the web activity report of clients in Ironport WSA S670? I need each and every URL visited by the exact clients. As of now I am able to download the client web activity report up to URL categories... but I need the exact URLs accessed by the clients.