Cisco Application :: WS-X6066-SLB-APC / CSM - Server Will Suddenly Not Receive Any Traffic For 5 Minutes
Sep 10, 2012
A company I work for has a number of CSM modules (WS-X6066-SLB-APC) installed in 6513 chassis switches. The CSM modules are running version 4.2(14). These CSM modules are configured to load-balance a number of vservers via serverfarms, each serverfarm containing multiple real servers.
Here is some example configuration:
vserver SITE
 virtual 10.1.2.3 tcp www
 serverfarm SERVERFARM
 persistent rebalance
 inservice
[code]....
The company is facing a problem with what seems to be related to return code checking. Every once in a while a server will suddenly not receive any traffic for 5 minutes. This always occurs right after the server has sent an HTTP 503 return code. However we cannot see in the CSM logs that the CSM module has actually disabled the real server. For other serverfarms which are running regular HTTP and/or ICMP health checks to real servers we can clearly see in the CSM logs when a real server has been temporarily disabled due to health check failures.
The return code checking is set to disable a real server for 300 seconds after the CSM has received five HTTP 503 responses from the real server. If we check the real server log however we cannot find more than that single 503 return code right before the server stops seeing any incoming traffic unless we move back at least hours in time. I have tried to figure out what time frame those 5 return codes must be received within for them to count towards the maximum allowed return codes, but nowhere in any documentation can I find any information about this time frame. For all I know the CSM could keep track of every incoming 503 forever, until the maximum of five 503s is reached, and then the server is disabled for 300 seconds.
Jun 28, 2011
I'm having a problem/issue with my CSM. I have a WS-X6066-SLB-APC - Version 4.2(1), installed on a 6500, and for a while now whenever I ping the VIPs (vservers) I detect some packet loss (in 10.000 ping packets, I lose around 1%), and higher response times; if I ping the reals I see no issues, only with the L3 behind the CSM.
Aug 7, 2012
I have a Cisco ACE 4710 A5(1.2). Scenario: Inbound call from PSTN to SIP Phone. Call comes into the VIP and then load balances to sip server, the server then routes the call out via WAN to the SIP phone as below:
PSTN SIP Provider >(router)> ACE4710 > sip_server(s) > ACE4710 > (router) >SIP Phone
Note: Router is Cisco 3925 with "ip nat service sip udp port 5060" and Port 5060 mapped to the VIP of the ACE. If I put the sip server directly behind the router it works fine. From behind the ACE:
If I turn on sip inspect on the VIP the call setup (INVITE) and termination (BYE) work fine but the audio loops on the PSTN side from the mic to the speaker.
If I turn OFF sip inspect then the audio is fine and mapped correctly but the call termination (SIP BYE) hits the VIP from the PSTN but never reaches the sip server.
For ease and diagnostics, I have turned off all sip servers except one, meaning the load-balancer has only one server to choose from. SIP Call_id sticky is set up and seems to work, though irrelevant with one server only on test.
How do I get the ACE to accept 'server initiated traffic' with sip inspect so it knows about the pending BYE when it comes back from the IP phone via the VIP? Config below, image attached. Bridged mode (also get the same result in routed mode)
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe sip udp 1
  description SIP Health Monitor
  interval 30
  expect status 200 200
rserver host server1
  description Production SIP Server
  ip address 10.44.56.172
  conn-limit max 980 min 980
  probe 1
  inservice
serverfarm host sip
  failaction purge
  probe 1
  rserver server1
    inservice
[code].....
Jan 24, 2013
I have a web application behind an SSL-offloading CSS 11506 that may require the server to be able to use an SSL connection as soon as it is established. At least I'm troubleshooting a problem that is starting to look like this is a possibility.
The default behavior seems to be to not start the SYN/SYN-ACK sequence with the real server until the client starts talking first (such as send an http get request), even though the SSL termination part is done and ready.
Any way to change this behavior? The scenario is a webapp. Client side starts more than one SSL session to the server, but only uses one immediately. The client knows it has more than one connection and may have told the server so. Like a control plus data channel(s) arrangement. The client opens all the connections (full SSL handshake on all channels), starts using the control channel, and expects the server to start talking on the data channel. However, since the client hasn't sent anything down that TCP connection first... the server doesn't have it.
I don't think this would occur when the server is doing the SSL... as it should have all the TCP connections as soon as the SSL handshakes are done.
Apr 29, 2013
My internet connection suddenly stops for about 30 minutes of using it. I need to restart so that I can connect again.
Feb 21, 2013
I'm somewhat new to Cisco routers; this is my first attempt at getting one to work. I work in an environment with multiple locations, most are using the Cisco Model: 2911/K9 or the Model: 2921/K9 routers running IOS Version 15.0. We just added a new small office and all I had in the way of a router was a Cisco C1841-IPBASE-M router, running IOS Version 12.4. When setting up the C1841 I kept the configuration pretty much the same as the others allowing for the differences in the OS. I can remote into the 0/0 (outside port) from over the network, I can ping to that port without fail, but I can't send or receive traffic from the 0/1 (inside port).
Aug 22, 2011
I have an RV220W (running fw version 1.0.2.4) that I am trying to configure for a client. They are set up on Comcast with 13 available IPs. I should note that this network is now currently running without issue using a Cisco Pix 506e. Unfortunately, the Pix is almost impossible to configure using the GUI now as I have to load a 4-year-old version of Java now just to get the PDM to load. But I digress. I've set up the RV using the identical settings as the Pix on both the LAN and WAN side. When I do, computers on the LAN side can all reach the Internet ok. However, once I enable one-to-one NAT for an internal server, that machine can't send or receive ANY traffic to the WAN side. I've even tried setting access rules enabling ANY traffic in both directions, and that has no effect. Either I'm missing something, or this is just one more bug in this product.
Even though it was a bit of a step down going from the Pix to the RV220W, it was done for the ease of setting up VPNs as I was ready to purchase a second one for a new satellite office opening in a few weeks. It looks like we will be switching vendors on the router side as my faith in Cisco is waning at this point.
Aug 18, 2012
I just got my dad's old notebook (VAIO VPC F223FB) which is better than my older one. So, I did a backup and then managed to clean install a Windows 7 Professional x64. At first I had a problem with the drivers, because the internet wasn't connecting and the USB ports weren't detecting my External Drive. So, I tested another USB port and got it. Installed the drivers and I could connect to the wireless network. But it doesn't detect the ethernet cable! And I want it detecting because then it's faster. I already tried downloading the Ethernet Controller driver. At first, I downloaded through Sony's support site but it didn't recognize the driver. Now, it recognizes but still doesn't connect it. And when I tried Solving Connection Problems, it said the network gateway was accessible but Windows can't receive Internet network traffic.
Sep 14, 2012
We are having issues with our Cisco ACE 4710: telnet to the admin context suddenly stopped working. We are able to telnet to another context on the same appliance, but unable to telnet to the admin context. It is possible to ping the gateways from the other contexts, but we are not able to ping the gateway from the admin context. Currently we have 5 contexts with a minimum allocation of 10%. ACL and policy map allowing telnet etc. are enabled and configured on the interface.
Nov 17, 2011
I just had a rogue anti-virus infection (AV Security 2012); I did a removal of it.
Apr 9, 2011
How do I prepare my network for SNMP? Currently I don't have SNMP configured with a community, so what is the requirement for that? What server do I need to configure in order to receive SNMP traps? Last time I had an issue: one of my tunnels (terminated on an ASA 5510) went down for 2 hours and I didn't realize it.
Apr 17, 2012
I have been on my computer all day and I was just watching Hulu Plus when I lost my internet. When I used the Windows troubleshooter it told me my DNS server isn't responding and I cannot figure out how to fix it. I'm using Windows 7 and a NetGear router.
Aug 18, 2012
I tried to connect to the Internet this morning on my Windows Vista, but it wouldn't work. My router seems to be fine (I can connect on all the other computers in the house), and it shows that I'm connected to the network but not the Internet. After running Diagnose and Repair, I got this message: "Cannot communicate with Primary DNS Server(192.168.2.1). Network diagnostics pinged the remote host but did not receive a response." [code]
Jul 23, 2012
Can I put multiple rservers in multiple server farms?
So for example rserver1 and rserver2 are put in serverfarm production1 and are in use with particular sticky and load balancing settings.
Can I then create serverfarm test_production and put both rserver1 and rserver2 in it? Then play around with the sticky and load balancing settings as a test without affecting the production serverfarm.
Feb 16, 2012
I'm trying to design a CSS configuration that allows servers in the same vlan to be the source and destination of load-balanced traffic. My thought is to add two new vlans, one for the VIPs and one for the servers, then NAT the source IPs going from the LB to the servers.
Is this the right way to do it? I've never NATted using CSSs, so I wanted to verify what I'm thinking. Our current config trunks the vlans -
interface 1/1
  trunk
  vlan 1
    default-vlan
  vlan 555
[code]....
Mar 7, 2012
About every 20 minutes, my internet connection, which otherwise runs well, just drops out randomly. When I diagnose the problem, it tells me "Cannot communicate with Primary DNS Server (50.30.208.77)." If I leave it alone, it corrects itself after a couple of minutes, but I can also reset the local area connection and that will get things working again as well. This started a few days ago, and I was hoping it would just go away, but it has not. To reiterate, my connection is fine for about 20 minutes at a time, but then it will just drop out for seemingly no reason. I don't use wi-fi, I'm connected via an ethernet cable to an outlet on my wall. I've tried different cables and the problem persists, so I don't believe it has to do with a faulty cable. I didn't change anything about my hardware or software the day this problem sprung up. [code]
Feb 27, 2012
I am facing a teardown problem on a Cisco ASA 5505. Users are always disconnecting 25-30 min from outside server. [code]
Apr 21, 2013
On an ASA 5540, I configured the logging setup as follows:
log in to the internal buffer: buffer size 1048576 bytes
Then I save the buffer to an FTP server to save the log messages continuously. Everything was working fine, but suddenly sending the FTP traffic to the FTP server stopped. Before, the live log viewer showed when the ASA sent the FTP traffic to the FTP server, but this stopped suddenly. Nothing has changed in the FTP server settings (same username and password, and the connectivity is there). Sending logging traffic to the FTP server came back only when I rebooted the ASA, but this is not a solution.
Jun 27, 2012
I want to route gre traffic through an ACE20, but it doesn't seem to work. The only thing I configured was an ACL with gre enabled, but the ACE20 seems to drop the gre packets. The gre traffic is entering via the vlan 561 interface and should be sent out via the vlan 472 interface. Source 10.94.32.212, destination 10.94.132.39. The tunnel control traffic on port tcp/1723 is working fine. Nothing is configured in the service-policies for the gre traffic.
Code...
Mar 23, 2012
I am using an ACE 30 module for loadbalancing to two proxy servers. Not all the traffic needs to be loadbalanced and directed to the proxy servers. I would like the clients trying to access our intranet and other internal resources to be redirected to them before they are loadbalanced and sent to the proxy servers. Can this be done with the ACE?
Apr 5, 2011
I have a Cisco ASA 5520 with AIP-SSM module. I would like to have the below features with the ASA installed in Transparent mode.
1. Traffic shaping per user
2. Traffic shaping per IP subnet
3. Traffic shaping per Application
Is it possible with ASA installed in Transparent mode?
Mar 5, 2013
I have an HTTPS probe that sometimes fails, sometimes does not fail.
[code]....
The probe that sometimes fails is the TEST-HTTPS. The TCP_443 probe works perfectly well. The ACE is configured in bridge mode. Is it possible to capture the PROBE traffic on the ACE side?
Oct 9, 2012
I want to be able to use port 1-80 for all outgoing traffic. I have a VPS outside my home, which can redirect the packets to the proper ports. Is it possible with an application on the computer and VPS? Or is it impossible?
Aug 26, 2012
I am trying to configure ASN traffic load balancing, but it doesn't work. I have one Cisco Catalyst 6509 and one Cisco Ace10 module; in my context "PanWEB" I have the interfaces above: [code] If I try to establish a telnet session (telnet 10.96.202.10 80) I see the SYN packet passing through the ACE and going to the real server, but the server does not respond to the SYN packet. I did a capture on the server using Wireshark and could see that the IP address of the destination is the VIP and not the rserver IP address. Is this a problem? Why can I not get the SYN + ACK from the server?
Jul 12, 2011
Can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB but SLB is not a requirement at this time.
Jul 30, 2012
I have a requirement to bypass some specific traffic (with a particular source to a specific internet destination) in ACE 4710.
All the web traffic (http and https) is configured to loadbalance to my proxies; I need to configure some specific traffic, by source and destination to the internet, to bypass this loadbalancing and go directly to the outside interface.
Jan 1, 2013
I'm looking for a way to configure a Cisco ACE4710 loadbalancer to bypass traffic that is initiated from the server side to the Internet. Is there any way to configure this, so that the loadbalancer will not maintain sessions for this bypass traffic, to maximize throughput?
Feb 16, 2012
I am facing a problem with ACE configuration. I want to redirect 443 traffic to my Proxy Server. But I am not able to do this. I want to redirect only subnet 192.168.80.0/24. Then only it is working but I don't have to have this policy to be applied on all the users; only one subnet I want to have under HTTPS policy.
How can I apply the policy only on a specific subnet so that port 443 traffic can be redirected and all the rest of the subnets can go directly to the Internet?
May 7, 2012
We are currently running ANM server version 4.1. I am trying to upgrade to version 5.1. But when I run the "application upgrade anm-va-5.1.ova Upgrade" command, I receive an error that states: "Manifest file not found in the bundle". I then tried to run the install command with the same error.
Mar 22, 2012
I want to learn how to make an application server. I have Windows Server 2008 Enterprise edition and it is connected to 10 client machines. I want to install software programs only on the server and use them on client machines without knowing the server password.
Jun 2, 2011
If we use an ACE4710 to load balance two real servers, obviously it will use health checks to determine if a server is down. When it detects a server is down, it will not send it any more traffic. But can we also have it take any other action? For example maybe email an admin, or send an SNMP trap? Or better yet, can we use a custom TCL script to do other things, like launch some custom activities?
Sep 25, 2012
I had a working server running ISE version 1.1.0.665 but someone in the build room decided to pull the power out of the server rather than shutting it down correctly. I have booted the server back up however the web management page was not accessible. I have checked the server status and the end result is the Application Server in the "still initializing" stage. I have left the server for several hours and the status has not changed.
I know people have previously run into this issue but no one has posted any resolution or confirmed that a rebuild is the only solution. I have tried to create an on-demand backup but it seems to fail when attempting to provide the credentials (which are correct) for the FTP server.
Oct 3, 2012
configure Cisco Ace 4710? Note: This is just a testing phase. I need to access my one server (192.168.1.11:80) through VIP 10.13.77.10. I have only one Cisco Router 2800, one L2 Cisco Switch 2960 and a Cisco Ace 4710. I have already configured 2 different VLANs on the switch (Vlan 10 and Vlan 100), and on the router I have given the IP addresses of those VLANs with inter-VLAN routing. My connectivity is like this: Router Ethernet 0/0 (10.13.77.1/24, vlan 10) and Router Ethernet 0/1 (192.168.1.1/24, vlan 100) are connected to the switch. After that I configured the ACE LB and connected the ACE interfaces to the switch like this: ACE interface 2/3 (vlan10) to switch vlan10 (Ethernet ports 2-12) and ACE interface 3/3 (vlan100) to switch vlan100 (Ethernet ports 13-24). I am testing access to the server from switch Vlan10 to Vlan 100, where my server is.
Configuration:
ACE> client side Vlan10 (10.13.77.4/24), VIP: 10.13.77.10, SM: 255.255.255.255
ACE> server side Vlan100 (192.168.1.5/24), Web server: 192.168.1.11, port 80
ACE> Management Vlan 1000 (172.16.6.5/24)
ip route 0.0.0.0 0.0.0.0 10.13.77.1
I have already configured routed mode, but when I try from the Vlan10 IP subnet, for example 10.13.77.12 (client or user PC), to access server 192.168.1.11 via the VIP http://10.13.77.10, it does not respond. If I access the server with its real IP then it is accessible (why? because there is inter-VLAN routing).