Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CSS - Content Rules with no available services

I have a requirement to ensure that when a client attempts a connection to a Rule that has no valid services behind it, the CSS sends a TCP-RST. How do I achieve this?

I have tried flow-reset-reject, but I think this only sends a reset for a flow that is already established when the backend server fails.

I want a new request to get reset if there are no backend servers.

Additional info:

We currently have multiple rules with the same IP address (using different ports) so if all the services on one rule are down the VIP address will still respond to ARP and PING as the other rules have services that are UP. Hence the client will time out rather than get a (relatively speedy) ARP failure.

It is a one-armed config with source-groups.

One dirty solution we have tried successfully but rejected is to configure a sorry-server with a keepalive type of none, valid IP address, but invalid port. When the clients are directed at this service the connection attempt is rejected by the valid IP address (TCP-RST) which is then passed back to the original client. This works but is very messy.

4 REPLIES
Silver

Re: CSS - Content Rules with no available services

New Member

Re: CSS - Content Rules with no available services

Thanks for this,

unfortunately there is a wealth of information here and it is quite difficult to identify an example or tip that might relate to my particular issue.

I was hoping for someone to have had a similar problem ....but like you I am not at all confident.

I have also wondered whether it is sensible to allow the action I am trying to configure in terms of its impact on DOS.

Thanks anyway...

Cisco Employee

Re: CSS - Content Rules with no available services

this does not exist currently.

But I think it is a valid request.

Therefore, I would suggest you to contact your local Cisco Sales person and ask him to introduce a feature request.

BTW, your workaround is good to know.

Gilles.

New Member

Re: CSS - Content Rules with no available services

Thanks Gilles,

I will raise the issue with our CISCO Rep.

I am also investigating another "dirty" solution....

I am considering making the content rule sticky and then giving it a sticky-serverdown-failover of "REJECT". However, the documentation does not say what "REJECT" means. I am hoping it means TCP-RST!

Andrew T

117
Views
2
Helpful
4
Replies
CreatePlease login to create content