03-18-2008 03:02 AM
Dear Cisco community,
The users quite often experience disconnections while using OCS. When we completely bypassed the CSS, the disconnections disappeared. So, something must be wrong with the CSS. OCS is using TCP ports 135, 5060, 5061, 444 and 443. For each port and server, I've created a service, which results in 10 entries.
service CHWSOCSFE01-SIP
ip address 172.19.134.37
port 5060
protocol tcp
active
Then I bind them into the content rules:
content CHWSOCSFE01&02-SIP
vip address 172.19.139.163
add service CHWSOCSFE01-SIP
add service CHWSOCSFE02-SIP
advanced-balance sticky-srcip
port 5060
protocol tcp
active
Which results in 5 content rules.
Then all services are put into the group config:
group production
vip address 172.19.139.148 range 5
add destination service CHWSOCSFE01-SIP
add destination service CHWSOCSFE02-SIP
add destination service CHWSOCSFE01-SIPTLS
add destination service CHWSOCSFE02-SIPTLS
add destination service CHWSOCSFE01-EPMAP
add destination service CHWSOCSFE02-EPMAP
add destination service CHWSOCSFE01-SNPP
add destination service CHWSOCSFE02-SNPP
add destination service CHWSOCSFE01-SSL
add destination service CHWSOCSFE02-SSL
[other entries]
active
When I show the flows for a user:
CSS11506# sh flows 172.19.134.225
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
172.19.134.225 57722 172.19.139.163 444 172.19.134.37 TCP 1/1 1/1
172.19.134.225 57716 172.19.139.163 443 172.19.134.41 TCP 1/1 1/1
172.19.134.225 57715 172.19.139.163 135 172.19.134.41 TCP 1/1 1/1
172.19.134.225 57728 172.19.139.163 5061 172.19.134.37 TCP 1/1 1/1
Then I see that he gets redirected to two different servers, which I don't like; I would rather see him redirected to one server only.
How can I do that? Should I use balance srcip in the content rule, or use only 2 services listening on any port? However, will that help anyway?
Thank you.
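A check for the symptom in the flow table above, as an added example that is not part of the original post: it parses `sh flows` text and reports any client whose flows to one VIP are NATed to more than one real server. The function names and the second client's flow lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Flow lines copied from the post's `sh flows` output.
PAGE_FLOWS = """\
Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort
172.19.134.225 57722 172.19.139.163 444 172.19.134.37 TCP 1/1 1/1
172.19.134.225 57716 172.19.139.163 443 172.19.134.41 TCP 1/1 1/1
172.19.134.225 57715 172.19.139.163 135 172.19.134.41 TCP 1/1 1/1
172.19.134.225 57728 172.19.139.163 5061 172.19.134.37 TCP 1/1 1/1
"""
# Constructed lines (not from the post): a client pinned to one real server.
CONSTRUCTED_FLOWS = """\
172.19.134.226 40001 172.19.139.163 443 172.19.134.37 TCP 1/1 1/1
172.19.134.226 40002 172.19.139.163 5061 172.19.134.37 TCP 1/1 1/1
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# src sport vip dport real-server protocol; header and separator rows never match.
FLOW = re.compile(rf"^\s*{IP}\s+(\d+)\s+{IP}\s+(\d+)\s+{IP}\s+(\w+)\b")


def parse_flows(text):
    """Return one dict per flow row found in `sh flows` text."""
    flows = []
    for line in text.splitlines():
        m = FLOW.match(line)
        if m:
            src, sport, vip, dport, real, proto = m.groups()
            flows.append({"src": src, "sport": int(sport), "vip": vip,
                          "dport": int(dport), "real": real, "proto": proto})
    return flows


def split_clients(flows):
    """Map (client, VIP) -> {real server: [ports]} where more than one real is in use."""
    seen = defaultdict(lambda: defaultdict(set))
    for f in flows:
        seen[(f["src"], f["vip"])][f["real"]].add(f["dport"])
    return {pair: {real: sorted(ports) for real, ports in reals.items()}
            for pair, reals in seen.items() if len(reals) > 1}


if __name__ == "__main__":
    for (src, vip), reals in split_clients(parse_flows(PAGE_FLOWS + CONSTRUCTED_FLOWS)).items():
        print(f"{src} -> {vip} is split across {len(reals)} real servers:")
        for real, ports in sorted(reals.items()):
            print(f"  {real}: ports {ports}")
```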
06-06-2008 05:50 AM
You need to do some type of sticky, or session persistence.
06-06-2008 08:43 AM
Dear Harrjd222,
Thank you for your answer. In the meantime, we have solved the problems. Two content config changes solved the issue:
1. The default load-distribution algorithm, round robin, changed to least connections
Command: balance leastconn
2. The default flow timeout changed to 4.44h. An OCS session will most likely never reach that time, but most likely reached the default, and therefore we experienced these disconnections.
Command: flow-timeout-multiplier 1000
Everything else was kept untouched.
Best regards,
Alex Dosedla
Here is the new content config (maybe it is helpful for someone):
owner production
content CHWSOCSFE01&02-EPMAP
protocol tcp
port 135
vip address 172.X9.X9.X3
advanced-balance sticky-srcip
add service CHWSOCSFE01-EPMAP
add service CHWSOCSFE02-EPMAP
balance leastconn
flow-timeout-multiplier 1000
active
content CHWSOCSFE01&02-SIP
vip address 172.X9.X9.X3
add service CHWSOCSFE01-SIP
add service CHWSOCSFE02-SIP
advanced-balance sticky-srcip
port 5060
protocol tcp
balance leastconn
flow-timeout-multiplier 1000
active
content CHWSOCSFE01&02-SIPTLS
port 5061
protocol tcp
vip address 172.X9.X9.X3
add service CHWSOCSFE01-SIPTLS
add service CHWSOCSFE02-SIPTLS
balance leastconn
advanced-balance sticky-srcip
flow-timeout-multiplier 1000
active
content CHWSOCSFE01&02-SNPP
port 444
protocol tcp
vip address 172.X9.X9.X3
add service CHWSOCSFE01-SNPP
add service CHWSOCSFE02-SNPP
balance leastconn
advanced-balance sticky-srcip
flow-timeout-multiplier 1000
active
content CHWSOCSFE01&02-SSL
protocol tcp
port 443
vip address 172.X9.X9.X3
add service CHWSOCSFE01-SSL
add service CHWSOCSFE02-SSL
balance leastconn
advanced-balance sticky-srcip
flow-timeout-multiplier 1000
active
03-07-2010 05:51 AM
All of Cisco's certified designs for OCS 2007 use the ACE product line; is the CSS supported? What mode are you running your CSS in? One-arm or routed? My environment is a hybrid of the two, where the VIP and real servers are on different subnets but the servers' default gateway is the firewall. Traffic gets passed back through the CSS with the destination group, like in one-arm mode. This works well, so the servers do not have to traverse the CSS unless being hit inbound. Also, from your configuration below, it seems that you are just passing 443/SSL through the CSS, so is it correct to say that the servers are handling the SSL processing and not the CSS?
Thanks.
03-07-2010 06:01 AM
One more question: what is the range command after the VIP used for?
vip address 172.19.139.148 range 5
Does this mean you have a pool of addresses 172.19.139.148 through 172.19.139.152?