CSS 11503 regularly fails - access to the Web is not available.

Unanswered Question
May 15th, 2010

Hi ALL!


I connected the Cisco CSS in this scheme (2 MS Windows 2003 Servers -> Cisco CSS -> Cisco ASA).


I monitor the VIP service on the Cisco CSS from inside and outside, but the CSS 11503 regularly fails:


Chart of HTTP/HTTPS VIP service:

CSS-HTTPS.png


PS: The red dots show when the service is down (HTTPS timeout on a monitor engine request).


Chart of HTTP NLB-cluster member (second Web site has this chart too):


HTTP1.png


CSS11503 config:



!*************************** GLOBAL ***************************
  no restrict web-mgmt
  ip no-implicit-service


  logging host 10.1.64.200 facility 7


  ssl associate rsakey epayment epayment.key
  ssl associate cert epayment epayment.pem
  ssl associate dhparam epayment dh1024.pem


  load threshold 100


  ip route 0.0.0.0 0.0.0.0 10.1.65.1 1
  ip route 10.1.64.0 255.255.224.0 10.1.65.130 1


!************************* INTERFACE *************************
interface  1/1
  bridge vlan 10


interface  1/2
  bridge vlan 20


interface  2/1
  bridge vlan 30
  bridge port-fast enable


interface  2/2
  bridge port-fast enable
  bridge vlan 30


interface  2/3
  bridge port-fast enable
  bridge vlan 30


interface  2/4
  bridge port-fast enable
  bridge vlan 30


interface  2/5
  bridge vlan 30
  bridge port-fast enable


interface  2/6
  bridge vlan 30
  bridge port-fast enable


interface  2/7
  bridge vlan 30
  bridge port-fast enable


interface  2/8
  bridge port-fast enable
  bridge vlan 30


!************************** CIRCUIT **************************
circuit VLAN10


  ip address 10.1.65.2 255.255.255.128


circuit VLAN20
        
  ip address 10.1.65.129 255.255.255.128


circuit VLAN30


  ip address 1.1.1.1 255.255.255.252


!*********************** SSL PROXY LIST ***********************
ssl-proxy-list epayment
  ssl-server 100
  ssl-server 100 rsacert epayment
  ssl-server 100 rsakey epayment
  ssl-server 100 cipher rsa-with-rc4-128-md5 10.1.65.3 80
  ssl-server 100 vip address 10.1.65.3
  active


!************************** SERVICE **************************
service APP-HTTPS-module-01
  type ssl-accel
  keepalive type none
  slot 3
  add ssl-proxy-list epayment
  active


service APP-srv1
  keepalive type http
  keepalive uri "/"
  keepalive frequency 20
  keepalive retryperiod 2
  ip address 10.1.66.35
  active


service APP-srv2
  keepalive type http
  keepalive uri "/"
  keepalive frequency 20
  keepalive retryperiod 2
  ip address 10.1.66.36
  active


!*************************** OWNER ***************************
owner CSS-NLB


  content App-servers
    add service APP-srv1
    add service APP-srv2
    protocol tcp
    port 80
    vip address 10.1.65.3
    active


  content HTTPS-Proxy
    vip address 10.1.65.3
    protocol tcp
    port 443
    add service APP-HTTPS-module-01
    active




Version

Version:               sg0810106 (08.10.1.06)
Flash (Locked):        08.10.1.06
Flash (Operational):   08.10.1.06
Type:                  PRIMARY
Licensed Cmd Set(s):   Standard Feature Set


Where is my mistake? Or is it a bug?

Gilles Dufour Mon, 05/17/2010 - 05:14
User Badges:
  • Cisco Employee,

We would only be able to tell exactly where the failure is if you can capture it with a sniffer trace.


A few recommendations would be to configure a flow-timeout-multiplier on all your content rules. Configure a value of 20.

You may also want to run the latest version.


Regards,


Gilles.
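
The following check is an added example, not part of Gilles's reply and not Cisco tooling: it reads a CSS running-config in the layout posted above and lists the content rules that do not yet carry the recommended `flow-timeout-multiplier 20`. The sample config is constructed from the two content rules in the question, with the command added to only one of them, and the function names are hypothetical.

```python
import re

# Constructed sample: the two content rules from the posted config, with the
# recommended command added to only the first one for illustration.
SAMPLE_CONFIG = """\
owner CSS-NLB
  content App-servers
    add service APP-srv1
    add service APP-srv2
    protocol tcp
    port 80
    vip address 10.1.65.3
    flow-timeout-multiplier 20
    active

  content HTTPS-Proxy
    vip address 10.1.65.3
    protocol tcp
    port 443
    add service APP-HTTPS-module-01
    active
"""

def content_rule_multipliers(config_text):
    """Map (owner, content rule) -> configured flow-timeout-multiplier or None."""
    rules, owner, rule = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank lines and section banners
        if not raw[0].isspace():          # any top-level block ends the owner context
            m = re.match(r"owner\s+(\S+)$", line)
            owner, rule = (m.group(1) if m else None), None
        elif owner and (m := re.match(r"content\s+(\S+)$", line)):
            rule = (owner, m.group(1))
            rules[rule] = None
        elif rule and (m := re.match(r"flow-timeout-multiplier\s+(\d+)$", line)):
            rules[rule] = int(m.group(1))
    return rules

def rules_needing_change(config_text, wanted=20):
    """Content rules whose multiplier is missing or differs from `wanted`."""
    return sorted(name for (_, name), value in
                  content_rule_multipliers(config_text).items() if value != wanted)

if __name__ == "__main__":
    for name in rules_needing_change(SAMPLE_CONFIG):
        print(f"content {name}: flow-timeout-multiplier 20 not configured")
```
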

dimaonline Mon, 05/17/2010 - 05:40

I can capture, but the traffic is very big: only 60-100 connections, but traffic of ~100 Kbyte/s.


I don't have another version of the software and don't have access to SmartNet (the hardware was bought one year ago). Please give me the latest version.
