Cisco Application :: Services With Different IP Address Subnets Over CSS 11500 Series
May 11, 2011
I have two CSS 11500 series. In just a few months I will have a DRS (Disaster Recovery Site) ready, where I will have 2 more servers to add to the environment.
I can access our CSS 11500 through telnet and a serial connection. When I try the web interface, I get:
CVDM Startup Error CVDM has not been granted the necessary privileges to startup successfully, or another unknown error occurred during startup. Please close all involved browser windows and try again by granting all requested privileges.
We have multiple CSS 11500 clusters. We have found that on all of them, if you try to open a session on any port to an IP address on the backend of the CSS, the CSS will complete the SYN-ACK-ACK session with the client. This happens regardless of whether there is something on that IP address or not.
Coming from any IP, if I try to telnet to ANY IP on the 10.2.2.0 subnet (whether or not there is an actual server on that IP) on any port (whether or not that port is open), the CSS will complete the initial connection. I have verified this using telnet to numerous ports and viewing the transaction in a packet capture.
Is there any way to shut this off? This is causing some licensing issues for our security folks that use a vulnerability scanner licensed on number of IP addresses.
We have a CSS 11503 with the following partial config [code] It is clear that the server at 10.10.10.222 is active. What we cannot understand is why the web site is inaccessible through the load balancer using http://10.10.10.1.
I have a question regarding the CSS load balancer. Let's say there are 2 VLANs in the CSS:
1. Vlan 10: 10.1.1.0/24 as external interface, interface where most of the clients are coming from.
2. Vlan 20: 10.1.2.0/24 for real server vlan.
Virtual IP 10.1.1.10 is created in CSS on behalf of two real servers (10.1.2.11 & .12) in Vlan 20. Client from Vlan 10 can http access to 10.1.1.10 successfully.
In Vlan 20 there are also a few clients which need to access the servers via the virtual IP. A Vlan 20 client PC (10.1.2.101) can ping 10.1.1.10, but can't access the 10.1.1.10 http service.
Is there any way for the CSS to forward a service request coming from the server VLAN to be sent back to the same segment?
I need to configure a keepalive that checks a URL on a server (HTTP on port 9500, not on port 80) and checks port 443 on the same server. If either of them does not respond, the service should go down.
I don't know why the customer needs this feature; he wants stickiness based on source IP and source port. Does the CSS 11500 support stickiness based on source IP and source port? Or is there any other method to support stickiness based on source IP and source port?
I'm attempting to redirect SSL from the base site to a different page on the same SSL site. I want to redirect https://10.4.16.54/* to [URL]. If I enter [URL], the site loads, but if I enter simply https://10.4.16.54, it times out. The ssl_sharepoint service is my ssl_proxy_list.
interface vlan 300
description CALLISTA Environment
ipv6 enable
ip address 2001:388:608c:8b8::fffd/64
alias 2001:388:608c:8b8::fffe/64
peer ip address 2001:388:608c:8b8::fffc/64
ipv6 nd ra interval 30
[code]....
Notes: There is the primary subnet 130.194.13.0/26 and the secondary IP subnet 130.194.19.192/27. The nat-pool is configured to allow server-initiated connections to their frontend VIP when necessary. We are noticing that when a server on the 130.194.19.192/27 subnet needs to communicate with a server on 130.194.13.0/26, albeit on the same VLAN, the destination server sees connections with a source IP of 172.16.25.231, which is the NAT address. Is this expected behavior, where connections between IP subnets, albeit on the same VLAN, are NATed?
We have recently implemented Windows Deployment Services on our local network, but every time we do a multicast image deployment the network gets flooded to the point of total saturation.
We have Netgear switches and a Cisco 2800 series router. IGMP Snooping has been enabled on all Switches, however, we are unsure on how to implement multicasting on the router.
The whole network is flat - no VLANs other than the default VLAN1. We only want multicasting to work within our local network; it does not need to go out the other side of the router, as that is the connection to the internet.
How do I get the Cisco router configured properly so that multicasting does not flood the network? It seems that even imaging 4 PCs using multicast is enough to completely flood the network.
Also, am I right in thinking that IGMP needs to be enabled on all of the Switches?
Our Exchange 2010 hub servers run multiple services/ports: smtp, www, pop3, 135, 143, https, 993, 995, 6001, 6002, 6003, 60200, 60201, 8400, and 8402. What is the best way of balancing these servers so that if only one of the services failed on a server, it would switch only the failed service to the remaining servers? At present I only use an smtp probe, so as long as that service is running the server is marked good.
We have a hosted spam filter service with a 3rd-party vendor. My vendor is switching to different spam filtering services and I need to add an IP address, let's say 44.33.454.32, to the list of allowed systems that can connect to my smtp service. I am going over my firewall 5510 configs and I think I need to add an entry like this: “access-list outside-to-inside extended permit tcp object-group obj-44.33.454.32 interface outside eq smtp”. [code]
I'm using some Catalyst 3560s with 10 VLANs and inter-VLAN routing. We use a Windows Deployment Services server to install our workstations. The PXE boot works fine, the image is loading, and when the Windows 7 PE is booting, the DHCP request fails. When I use a small unmanaged switch between the computers and the Catalysts, it works fine. All other things work fine.
Some routers support DHCP spoofing (Zyxel / SpeedTouch). With DHCP spoofing (or half bridge) you can directly spoof your public IP address to the firewall. The firewall gets the public IP address directly from the modem. The benefit of this: no waste of an extra IP address. The modem has no IP address. I heard it has to be possible with an 8xx series router, but I cannot find how. I guess it can be done with a bridge group with the dialer and VLAN 1 in it (no IP addresses given). I tried but without any result.
I need to NAT some subnets to one IP and other subnets to another IP. The range command won't work because some of the subnets are out of order. For example, subnets 192.168.1.0 - 192.168.7.0 and 192.168.25.0, 192.168.28.0 NAT'd to 1.1.1.1; subnets 192.168.26.0 - 192.168.27.0 NAT'd to 1.1.1.2.
I am new to load balancing technology. Please give me the articles for load balancing technology of servers; I also want to know about the CSS 11500 switch. I am interested to know about what SAN does for the same.
Normally all incoming IP addresses can use NAT to gain access. I would like to make a rule that only one IP address can connect to my router and use that port or range of ports defined.
Is there a way to configure a SRP 527W on such a way?
If not possible now, can I expect a software update?
I'm stuck with some NAT issues. I've got an 800-series router which connects to the internet via a PPP connection (dialer0). On the inside the router has 192.168.0.253/24 as IP address; the outside is negotiated with the ISP.
My mailserver has the ip address of 192.168.0.1 but with default gateway of 192.168.0.254 (primary internet connection). If I use plain NAT (ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 80) the packets arriving on the mailserver do have a public IP address as source address.
Would it be possible to rewrite those packets (source address) so they have 192.168.0.253 as source address? This way the mailserver won't send the replies to its default gateway but back to the Cisco router.
How come the 2600 series IOS has the show mac-address command but it does not display anything? Do you need to use show arp? Is this for when you use one of those network modules that is a switch?
I have a Router 2800 series; we are using a leased line connection with 8 public IPs. One IP is configured in the router: FE0/0 IP 101.102.148.91 and FE0/1 192.168.0.0 local IP. I have 6 web servers. How do I configure the other 7 IP addresses for the web servers on the router 2800 series?
Any document that details the steps to change the FT ip addresses of a pair of Cisco 4710 whilst they are running in a production environment without causing an outage?
Would the steps be: On the secondary unit:
hbs-syd04-lb01ft
interface vlan 417
ip address 172.30.254.221 255.255.255.252
peer ip address 172.30.254.222 255.255.255.252
Then on the primary unit:
hbs-syd04-lb01ft
interface vlan 417
ip address 172.30.254.221 255.255.255.252
peer ip address 172.30.254.222 255.255.255.252
I have a problem with an ACE 4710 regarding pinging one particular VIP address.
[code]...
On the box I set up 10 services, all with different VIP addresses, and the IP is not duplicated anywhere in the network.
In the class defined under Policy-Map Multi-Match I set up, identically to the others, loadbalance vip icmp-reply active. The VIP is usable by the defined service http, and the serverfarm is up and running, all OK so far, but this VIP does not respond to ping even though the correct ARP resolution was done.
I started also a capture locally on the ACE and see the ICMP - Echo coming in, but the box sends no echo-reply back.
In the access-lists, Management and so on, I allowed icmp, and also on all interfaces the icmp guard is disabled...
How many IP addresses can the DHCP server of the RV0xx Series VPN router handle? Can it be configured for more than 250 IP addresses? Is it possible to configure the router in order to have more than 250 IP addresses?
I've configured the ACE4710 to send the logging to a syslog server! Here's the configuration
[...]
logging enable
logging fastpath
[Code]....
I can see the connection logs on the syslog server, but it would be interesting to know the "source ip address", and my question is: is it possible to configure a kind of "transparent pass through" for the logging?
I have recently configured a pair of ACE 4710 appliances in an FT group. The ACEs are deployed in one-arm mode, using Source NAT, with all routing to and from being done by a pair of PIX firewalls.
My configuration does not include the use of an "alias" IP address on the data VLAN interface within each of my contexts.
My understanding is that the "alias" IP address is similar to an HSRP address, and if the ACE is deployed in Routed mode the default gateway for the servers can be configured with the "alias" address so that it is always available even if a failover occurs.
Is this a correct interpretation of the use of the "alias" IP address, and if so, is it required when using a one-arm mode topology?