Cisco Application :: Managing CSS11500 Loadbalancers In Cluster Mode
Jul 1, 2012
This is a newbie question regarding CSS11500 series loadbalancers as I trying to get up to speed with managing them as part of my job. I noticed that there are a couple of CSS "clustered together" since I see they are managed using a single ip address.
My question is around how to establish a session to each individual device in this cluster, if at all possible? If is not possible, how do manage the secondary device in this cluster to perform tasks such as copying new software to it, backing it up, etc.?
View 1 Replies
ADVERTISEMENT
Jul 19, 2011
Why do my connection not clear when my service goes to a down state. The only way I can get the connections to clear is by bouncing my content rule. CSS11503 version 08.20.4.05s - SSL all the way to the server --- I also have flow permanent port3 443 configured, but I don't understand why the other two servers go to zero while server01 never goes to zero. If I remove the flow permanent port3 all the counters go to zero, but I would think if the servers goes down then the connections should go to zero regardless of the flow permanent port configuration. [code]
View 3 Replies
View Related
Sep 11, 2012
I'm seeing the following error on one of our real server. Is there a way to find out who is spamming?
10.x.x.x(VIP) - - "POST /slmruntime/service HTTP/1.0" 404 1214
View 1 Replies
View Related
May 29, 2012
I know that it's possible on the CSS to handle multiple incoming HTTP requests that terminate on the same IP address and port and balance them to various servers based on the url. For instance, I can set up URL at the same 192.168.35.12 address in DNS, and set up two different content rules:
content cats
vip address 192.168.35.12
port 80
url "//www.cats.com/*"
add server cats1
add server cats2
active
content dogs
vip 192.168.35.12
port 80
url "//www.dogs.com/*"
add server dogs1
add server dogs2
active.
Easy and straightforward.
But what if I want to add SSL handling for URl. I'm not sure how to create the ssl-proxy-list where one content rule (ip address/port) combination needs to pass through the ssl module and get matched with the proper ssl certificate.
Can this be done? Can one associate multiple certs and keys with a single ssl-server entry and a single ssl accelerator service? Or do I have to create multiple ssl-proxy-lists for cats and dogs and build multiple ssl services each referring to a unique ssl-proxy-list, and then use the url parameter in the https content rule to determine which ssl service (and therefore which key/cert pair) gets the traffic?
View 1 Replies
View Related
Jun 13, 2011
I am not able to find information of how to configure a balance in CSS11500 depending of the IP source. I want to do the next:
Site A : 192.168.1.0/24
Site B : 192.168.2.0/24
Both sites access to the same VIP: http://vip_balnace_IP but depending of the source the should be balanced to diferentes servers.
Site A -> VIP_balance -> server1
Site A -> VIP_balance -> server2
how to do that?
View 2 Replies
View Related
Jun 6, 2011
How to change host name in CSS11500 Series. I cannot find any documentation for that matter.Is there any impact in the system to change the host name?
View 3 Replies
View Related
Jun 28, 2011
I have a CAS array for Exchange 2010 configured to loadbalance on my Cisco ACE 47XX. My question is: Can I run a mixed VMware cluster version 3.5 and 4.1 on my ACE? I am experiencing is dropped RPC connections and I was wondering if that could be the cause of it or maybe I am misconfigured something on the ACE
Another question:Should I seperate the two cluster versions on their own serverfarm and than loadbalance the farms? What I mean is serverfarm 3.5 and serverfarm 4.1 and than loadbalance them.
View 3 Replies
View Related
Jun 4, 2012
I have a pair of ASA 5520s in active/standby failover mode, single context. I'll be migrating to multiple context mode later this week. Do I need to break failover first? Or if I don't need to, should I? Or can I do this while maintaining failover? Can either of these scenarios will work (or fail). I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.
Migration option #1
Log into active/primary ASA
Configure Multiple Context mode
Reboot both devices
Login to active/primary ASA
[code]....
View 1 Replies
View Related
Jun 6, 2012
if ACE SM in L2 mode need the default gateway? We're running v. 3.2a.
View 8 Replies
View Related
Apr 15, 2012
Whatever a NAT is supported for ACE-20 module? I do need to convert working CSM(SLB) config to ACE configuration and I am not quite sure if the configuration below is correct. ACE module should be configured in bridge mode with two vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36. NAT on ACE configurad as "nat dynamic 1025 vlan 436" into corresponding "policy-map type loadbalance". Check two parts of configs and if the ACE config is properly converted from CSM and will be working in the same way (especialy for NAT). [code]
View 2 Replies
View Related
Aug 30, 2012
We currently have ACE20's, which only support multicast in bridge mode.Was wondering if it's the same on ACE30's, or if Cisco finally implemented support for mcast in routed mode.
View 3 Replies
View Related
Mar 12, 2012
clients ---asa--3750--cisco ace--- servers behind vip
|
visa card transaction servers
I am able to setup a vip on ace using routing mode on ACE,as the servers need to see the client ip ,so we are not performing SNAT,this part is working fine.
when a request comes from the client ,it goes to the vip and to one of the backend servers ,and the request will be forwaded back to the ace ,as the default gateway on the servers is pointing to the server vlan on ace.
but if the transaction from the servers need to go to the visa card transaction servers ,how can we acheive this ,and after fetching the data from visa servers,does the reply will be fwd to the ACE or ASAs directly.
View 2 Replies
View Related
May 16, 2011
We have a 6509 with an ACE module. For reasons I don't fully understand the ACE is running using a BVI in bridge mode. It has loads of secondary interfaces.
[Code]...
I can ping all of the IPs on the BVI, but only servers in Subnet 10.7.42/42 can ping out of the the layer 3 on the 6509. I have all the routes configured properly on the 6509 pointing to the ACE for these subnets. The question is though the config has been excepted, is there a limit to the number of secondary on a BVI.
View 1 Replies
View Related
Sep 4, 2011
Current topology in network is such: web servers with content needing to be load balanced are in vlan 35 and these servers are directly connected to Core switch (two 6509 VSS) via 20 Gb EtherChannel. Vlan 35 also spans some other switches with other servers residing in this vlan. Additionally, there are dozens of another vlans (including external users) that need to communicate with web servers. IP addresses of these two web servers are: 192.168.35.1/24 and 192.168.35.2/24 accordingly with default gateway 192.168.35.254/24 (SVI on Core switch). Currently these ip addresses are used by management and other purposes and need to be reachable for same purposes after configuring load balancing with ACEs - it is needed to have direct access to servers behind ACE. How I can do that using ACE in routed mode?
View 3 Replies
View Related
Sep 20, 2012
I have two ACE working on active-standby mode, I have one context configured on bridge mode, with two vlans, the client (vlan 100) and server (vlan 101) sides.I need to balance another service for two servers (different from the ones on the first context ) on the vlan 101, so as the documentation says i can't configure the same vlan on another context because it is already configured on the 1st context as bridge.so my question is the only way i could balance this service is to configure it on the same context??. or there is another way?.These are the design limitations that i have to do this:
1.- I can't change the servers IP address.
2.- The VIP which will answer the clients request is on the same IP network segment as the servers, for example: server1: 192.168.100.125, server2: 192. 168. 100.126, VIP: 192.168.100.124
View 1 Replies
View Related
May 8, 2013
I am desiging a topology with two Cat 6509 and Two ACE Module, one ACE per Catalyst. I am thinking to use bridge mode for the customer contexts, I would like to know if the Bridged mode is an Assymetric topology.
The server gateway is the ip address of the ACE or the Router?
View 6 Replies
View Related
Feb 28, 2012
I am trying to setup ACE in bridge mode. Network topology is as follows:
1. ACE Gi 1/2 (client-side vlan) is connected to 3750 (vlan 40)
2. ACE Gi 1/3 (server-side vlan) is connected to 3750 (vlan 50)
3. Two real servers are connected to 3750 (vlan 50)
4. One client device (linux box) is connected to 3750 (vlan 40)
I am not using admin context. I have created a new one for user. I am unable to ping VIP (10.10.50.15) either from client linux box or from within ACE.
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http PROBE_CGNMS_WEB
port 80
interval 15
passdetect interval 60
[code]....
View 6 Replies
View Related
Oct 6, 2011
During high throughput times (nightly, when backup runs) we see packet drops on the network. We think it's the ACE module that drops. We use 2 ACE 20-MOD-K9 with base licenses in a FT configuration in Layer2 Mode.Now I found an interesting statistic on the ACE: [code] How to reset this counter?
View 4 Replies
View Related
Sep 23, 2012
We are in the situation we have a active configuration with ACE30 doing normal load balancing in routed mode, we have tons of rservers going out on a VIP.we now had to add a new private network to a provider that strangely enough does not want to see our public or private addresses. we need to loadbalance towards him on a priovided subnet (still rfc1918) (IOS VRF bug? is that correct?)I have two options, add the network (new interface) to the active loadbalancers (contexts) and then tie in new policies to the active serverfarms or make a new context just to load balance towards this provider.(preferred)Now - If I do this, the rservers see the client source addresses from this new provider. as the loadbalancer does not "hide" the client IP's. I would then have to add static routers toward the new context - I would want to skip that.
is there a way, to make the loadbalancer hide the client addresses towards the rservers ? perhaps I'm just needing the correct search term to find the config example.
View 1 Replies
View Related
Nov 10, 2010
I understand routed vs bridged mode configuration fairly well, however, I do not understand the pros/cons between using them.
View 6 Replies
View Related
Sep 10, 2012
I am trying to get documentation on how to integrate an ACE30 module in a service chassis design integrated with the Nexus 7000 in routed mode. Only documentation I could find shows this design with the ACE30 module in a one arm mode. Any documentation that shows this implementation of this design?
View 2 Replies
View Related
Sep 26, 2012
We just got a new ASA5510 (straight out of the box). I’m new to the Cisco but feel we followed the directions. We connect to the management port and have our workstation set to get an ip via dhcp. A cat5 is connected to the management port, that goes into a hub (tested to work) and a cat5 is connected from the hub to the workstation (tested to work). Nothing else is connected. The workstation does not get an ip address. (assigns APIPA) Both the 5510 and workstation have been rebooted.The workstation works otherwise. We have also connected both a crossover and straight through cable from the 5510 to the workstation. We have statically assigned an ip of 192.168.1.2 to the workstation and cannot ping the cisco (192.168.1.1).
View 2 Replies
View Related
Jul 31, 2011
The application here is a wind power project, built in two phases, without any effort to coordinate or integrate the two sites during the design phase. All operations activities for both phases are performed by one staff out of a common location. This is a rural area and Internet connectivity is mission critical due to contractual obligation with Electrical Utilities.
The client has a need to reconfigure a network which has grown over time in a layer by layer approach, whereas at every point in time that an additional T-1 or other changes occurred to address a specific need, no thought was ever put into integrating the entire site as a whole. It is at best a dysfunctional solution which somewhat accomplishes thier needs, and at worst, a kludgy, grossly security compromised, and difficult to use infrastructure. There is every kind of equipment one can imagine, each installed by some entity providing needed services on the site, but forced to make uninformed decisions because the client really has no IT department to coordinate with. Over time, every vendor just provided their own switch, router, or maybe figured out how to reconfigure another existing device to also provide the routing or access needed, To say the least, it's a mess.
The client requests a solution which provides a means to accomodate 6 internet connections (4 T-1 lines, and 2 satellite) in a manner which aggregates available bandwith and provides redundancy. The T-1 lines will be the main internet access, with the satellite connections only used if available bandwidth falls below some threshold, say 3Mb. There are many internal networks which need to be routed to and between, in total, about 20 subnets. There are 2 SCADA (Control) networks which have a mandatory requirement of 1Mb each, a VoIP system which does not use any internet connetivity as there are 6 POTS lines dedicated to it, an internal office LAN and a turbine manufacturers site LAN.
The T-1 lines, at 1.5Mb x 4 = 6Mb.
The 2 SCADA networks require a guaranteed 1Mb each, the remaining 4Mb is to be allocated between the office LAN and the turbine manufacturer site LAN. The satellite connection are only to be active in the event bandwidth falls below 3Mb.
There are 2 Cisco 2801 routers on site which could be reutilized if appropriate. Each T-1 has it's own Adtran CSU with Ethernet out. All T-1 lines are /29 IP Blocks. 2 of the T-1 lines are adjacent IP Blocks, for what its worth.
Everything here is open to reconfiguration. The client wants this finally integrated correctly with the ability to address emerging Electrical Utility cybersecurity requirements in the immediate future.
An ideal solution would be fully redundant to eliminate the single point of failure at the edge router. As to whether there needs to be separate edge and interior routers, I just don't know that. I would guess everything could be done with just a pair of redundant routers at the edge, but perhaps it is better to do the interior routing between subnets on a different router(s).
Again, the goal is a well integrated, redundant, and secure solution. My part is mostly complete, with the OSP part of the network finally at 100% after 5 years of stupid and careless misconfigurations and bad fiber splicing (by others).
I'm absolutely covered up in business at Layer 1 & 2 on these sites, as the physical plant and associated network elements are typically very poorly designed, specified, and implemented. The complexity of this job leads me to seek outside advice and ultimately a more qualified Cisco professional than me. I'm experienced enough with Cisco to know when I'm in over my head. I know a diagram would be nice, but at this point I've only got a very detailed diagram which reveals too much site identity information to make public. I'll wait to see a few comments and in the meantime work on removing site identity info so I can post a good diagram for everyone to see.
View 1 Replies
View Related
Aug 12, 2011
I have an interesting SVPN challenge that I'm asking the subject experts here to assist me in solving.A customer in Domain A wants to transmit data to Domain B. The customers have agreed to establishing a secure vpn connection from Domain A to Domain B to transmit real time data. The challenge comes from sending unencrypted data from nodeA to nodeB & nodeC withing an encrypted VPN tunned to node d.The challenge is sending non-encrypted data from NodeA to NodeB where an encrypted VPN session is active. Every time I attempt to configure the interface (AppC) the VPN session is terminated, and the interface can no longer "see" nodeD via IP mapping. An engineer recommended adding a second NIC card to NodeB thereby permitting control of the AppC even when the VPN is up and running.Can I send live non-encrypted data to NodeB data buffer, while AppC sends data to NodeD in a VPN tunnel ?
View 1 Replies
View Related
Jan 5, 2012
I want to create a network with a bunch of routers and switches to be used as a test network for company employees to remotely login and learn networking.I don't want this network to interfere with the rest of the network in any way.I am basically trying to create a stub network or a passive network!!
View 4 Replies
View Related
May 28, 2012
I am trying to manage my Dell switch that is trunked from my Cisco 2950, I have trunked vlan 251 (management vlan) and 252,configs below
Cisco 2950 :-
Current configuration : 4794 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
[code]....
View 7 Replies
View Related
Feb 27, 2013
I've downloaded Prime Infrastructure 1.2 eval and wanted to see what it looked from WCS that I am currently using to manage the wireless network and I added the WLC (4404) device but it list the device as "Managed with Warning" and I can't find what the warning is.
View 3 Replies
View Related
Sep 1, 2011
Running Cisco NAC 4.1.6 OOB on the LAN. For some reason in the middle of the night, the snmp trap mac-notification added command appeared on the trunk uplink port of one of our switches.
I don't know exactly when the command was added but at 2am when the backup of the config was taken, it was there. At around 4:30am, the uplink went off-line. Is there anything within NAC that would push a change like that automatically to a switch. We do have NAC Profiler running on the network also.The problem was in a branch office so I only got the information second hand what was on the switch itself. We moved the uplink to a different port which allowed the switch to show up on the CAM again, however when I viewed it, the uplink port was set to controlled!
Does this make any sense?
how long devices will stay in the certified device list if no timer is configured to clear it out?
View 2 Replies
View Related
Sep 23, 2011
I have been trying to convince my bosses, the IT department, and others where I work, in a small call center, to switch to a different browser other than IE. The reason is IE times out on the techs a lot and freezes up constantly. I am able to use Firefox and Chrome at the lead station and do not have any issues, but the only browser currently allowed on the techs computers is IE. The reason I am getting as to why this is not possible is that with IE, IT is able to block certain options in IE from being changed such as proxy settings, add-ons, and advanced settings, but that these settings cannot be blocked or managed in firefox and chrome.
View 4 Replies
View Related
Jul 25, 2011
Is it possible to manage Lightweight Access Points in Ciscoworks LMS 4.0?
View 3 Replies
View Related
Jun 1, 2011
I have a small lan of around 10 computers in my office which are connected through a switch connected to a airtel broadband connection. I want to configure a network server so that I could manage an control the internet traffic used by all the workstations in the lan through that server. All the workstations have either WinXP or Windows 7 on it. I haven't purchased a server. I want to use a desktop(having some good configuration) as my network server.
View 6 Replies
View Related
Apr 17, 2012
Anyone got a single VSM (albiet in HA) managing two vDS split over two ESX clusters connected to a single instance of vCenter?
View 0 Replies
View Related
May 22, 2012
We are currently using several AP's in our organization. And in this one AP i want to give a user the power to change the password of the wireless network to prevent miss use. I was wondering if it was possible to create an account who only has the privilege to change the WPA key?? I want to prevent that he will accidently change other settings.
View 5 Replies
View Related
