
CSS 11503 regularly fails - access to the Web is not available.

dimaonline
Level 1

Hi ALL!

I connected a Cisco CSS in this scheme (2 MS Windows 2003 Servers -> Cisco CSS -> Cisco ASA).

I monitor the VIP service on the Cisco CSS from inside and outside, but the CSS 11503 regularly fails:

Chart of HTTP/HTTPS VIP service:

CSS-HTTPS.png

PS: The red dots mean the service is down (HTTPS timeout on the monitor engine's request).

Chart of HTTP NLB-cluster member (second Web site has this chart too):

HTTP1.png

CSS11503 config:


!*************************** GLOBAL ***************************
  no restrict web-mgmt
  ip no-implicit-service

  logging host 10.1.64.200 facility 7

  ssl associate rsakey epayment epayment.key
  ssl associate cert epayment epayment.pem
  ssl associate dhparam epayment dh1024.pem

  load threshold 100

  ip route 0.0.0.0 0.0.0.0 10.1.65.1 1
  ip route 10.1.64.0 255.255.224.0 10.1.65.130 1

!************************* INTERFACE *************************
interface  1/1
  bridge vlan 10

interface  1/2
  bridge vlan 20

interface  2/1
  bridge vlan 30
  bridge port-fast enable

interface  2/2
  bridge port-fast enable
  bridge vlan 30

interface  2/3
  bridge port-fast enable
  bridge vlan 30

interface  2/4
  bridge port-fast enable
  bridge vlan 30

interface  2/5
  bridge vlan 30
  bridge port-fast enable

interface  2/6
  bridge vlan 30
  bridge port-fast enable

interface  2/7
  bridge vlan 30
  bridge port-fast enable

interface  2/8
  bridge port-fast enable
  bridge vlan 30

!************************** CIRCUIT **************************
circuit VLAN10

  ip address 10.1.65.2 255.255.255.128

circuit VLAN20
        
  ip address 10.1.65.129 255.255.255.128

circuit VLAN30

  ip address 1.1.1.1 255.255.255.252

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list epayment
  ssl-server 100
  ssl-server 100 rsacert epayment
  ssl-server 100 rsakey epayment
  ssl-server 100 cipher rsa-with-rc4-128-md5 10.1.65.3 80
  ssl-server 100 vip address 10.1.65.3
  active

!************************** SERVICE **************************
service APP-HTTPS-module-01
  type ssl-accel
  keepalive type none
  slot 3
  add ssl-proxy-list epayment
  active

service APP-srv1
  keepalive type http
  keepalive uri "/"
  keepalive frequency 20
  keepalive retryperiod 2
  ip address 10.1.66.35
  active

service APP-srv2
  keepalive type http
  keepalive uri "/"
  keepalive frequency 20
  keepalive retryperiod 2
  ip address 10.1.66.36
  active

!*************************** OWNER ***************************
owner CSS-NLB

  content App-servers
    add service APP-srv1
    add service APP-srv2
    protocol tcp
    port 80
    vip address 10.1.65.3
    active

  content HTTPS-Proxy
    vip address 10.1.65.3
    protocol tcp
    port 443
    add service APP-HTTPS-module-01
    active

Version

Version:               sg0810106 (08.10.1.06)
Flash (Locked):        08.10.1.06
Flash (Operational):   08.10.1.06
Type:                  PRIMARY
Licensed Cmd Set(s):   Standard Feature Set

Where is my mistake? Or is it a bug?

2 Replies

Gilles Dufour
Cisco Employee

We would only be able to tell exactly where the failure is if you can capture it with a sniffer trace.

One recommendation would be to configure a flow-timeout-multiplier on all your content rules. Configure a value of 20.

You may also want to run the latest version.

Regards,

Gilles.

I can capture, but the traffic is very big - only 60-100 connections, but traffic is ~100Kbyte/s.

I don't have another version of the software and don't have access to SmartNet (the hardware was bought one year ago). Please give me the latest version.
