cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1912
Views
0
Helpful
4
Replies

Microsoft OCS 2007 and Cisco CSS 11506: Config question

adosedla
Level 1
Level 1

Dear Cisco community,

The users experience quiet often disconnections while using OCS. As we completely bypassed the CSS, the disconnections disappeared. So, something must be wrong with CSS. OCS is using TCP ports 135, 5060, 5061, 444 and 443. For each port and server, I've created a service which results in 10 entries.

service CHWSOCSFE01-SIP

ip address 172.19.134.37

port 5060

protocol tcp

active

Then I bind them into the content rules:

content CHWSOCSFE01&02-SIP

vip address 172.19.139.163

add service CHWSOCSFE01-SIP

add service CHWSOCSFE02-SIP

advanced-balance sticky-srcip

port 5060

protocol tcp

active

Which results in 5 content rules.

Then all services are put into the group config:

group production

vip address 172.19.139.148 range 5

add destination service CHWSOCSFE01-SIP

add destination service CHWSOCSFE02-SIP

add destination service CHWSOCSFE01-SIPTLS

add destination service CHWSOCSFE02-SIPTLS

add destination service CHWSOCSFE01-EPMAP

add destination service CHWSOCSFE02-EPMAP

add destination service CHWSOCSFE01-SNPP

add destination service CHWSOCSFE02-SNPP

add destination service CHWSOCSFE01-SSL

add destination service CHWSOCSFE02-SSL

[other entries]

active

When I show the flows for a user:

CSS11506# sh flows 172.19.134.225

--------------- ----- --------------- ----- --------------- --- ------- ------

Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort

--------------- ----- --------------- ----- --------------- --- ------- ------

172.19.134.225 57722 172.19.139.163 444 172.19.134.37 TCP 1/1 1/1

172.19.134.225 57716 172.19.139.163 443 172.19.134.41 TCP 1/1 1/1

172.19.134.225 57715 172.19.139.163 135 172.19.134.41 TCP 1/1 1/1

172.19.134.225 57728 172.19.139.163 5061 172.19.134.37 TCP 1/1 1/1

Then I see that he gets redirected to two different servers, what I don't like and would rather see it to be redirected to one server only.

How can I do that? Should I use in the content rule, balance srcip or use only 2 services listening on any ports? However, will that help anyway?

Thank you.

4 Replies 4

harrjd222
Level 1
Level 1

you need to do some type of sticky, or session persistance.

Dear Harrjd222,

Thank you for your answer. In the meantime, we have solved the problems. Two content config changes solved the issue:

1. The default load-distribution algorithm round robin to least connections

Command: balance leastconn

2. The default flow timeout to 4.44h. An OCS session will most likely never reach that time but most likely reached the default and therefore we experienced these disconnection.

Command: flow-timeout-multiplier 1000

Everything else, kept untouched.

Best regards,

Alex Dosedla

Here the new content config (maybe it is helpfull for someone:

owner production

content CHWSOCSFE01&02-EPMAP

protocol tcp

port 135

vip address 172.X9.X9.X3

advanced-balance sticky-srcip

add service CHWSOCSFE01-EPMAP

add service CHWSOCSFE02-EPMAP

balance leastconn

flow-timeout-multiplier 1000

active

content CHWSOCSFE01&02-SIP

vip address 172.X9.X9.X3

add service CHWSOCSFE01-SIP

add service CHWSOCSFE02-SIP

advanced-balance sticky-srcip

port 5060

protocol tcp

balance leastconn

flow-timeout-multiplier 1000

active

content CHWSOCSFE01&02-SIPTLS

port 5061

protocol tcp

vip address 172.X9.X9.X3

add service CHWSOCSFE01-SIPTLS

add service CHWSOCSFE02-SIPTLS

balance leastconn

advanced-balance sticky-srcip

flow-timeout-multiplier 1000

active

content CHWSOCSFE01&02-SNPP

port 444

protocol tcp

vip address 172.X9.X9.X3

add service CHWSOCSFE01-SNPP

add service CHWSOCSFE02-SNPP

balance leastconn

advanced-balance sticky-srcip

flow-timeout-multiplier 1000

active

content CHWSOCSFE01&02-SSL

protocol tcp

port 443

vip address 172.X9.X9.X3

add service CHWSOCSFE01-SSL

add service CHWSOCSFE02-SSL

balance leastconn

advanced-balance sticky-srcip

flow-timeout-multiplier 1000

active

All of Cisco certified designs for OCS 2007 uses the ACE product line is the CSS supported?  What mode are you running your CSS in?  One arm or routed?  My environment is a hybrid of the two where the VIP and real servers are on different subnets, but the serves Default gateway is the firewall.   Traffic gets passed back through the CSS with the Destination group like in one arm mode. This works well so the servers do nto have to traverse the CSS unless being hit inbound. Also from your configuration below it seems that you are just passing 443/ssl through the CSS, so is it correct to say that the servers are handling the ssl processing and not the CSS?

Thanks.

One more question what is the range command after the VIP used for?

vip address 172.19.139.148 range 5

Does this mean you have a pool of addresses 172.19.139.148 through 172.19.139.152?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: