Guest

Cisco ACE GSS 4400 Series Global Site Selector Appliances

KAP-AL by Tag Keepalive on the GSS with CSS Configuration Example

Document ID: 44661

Updated: Apr 07, 2004

   Print

Introduction

This document provides a sample configuration for the KAL-AP by tag keepalive on the Cisco ACE Global Site Selector (GSS) 4400, and the associated configuration for the Cisco Content Services Switch (CSS) 11000/11500.

The GSS is a networking product that globally load balances distributed data centers. The GSS acts as the cornerstone of multi-site disaster recovery plans in deployments of Cisco's content switches. Customers who deploy new Cisco content switches such as the CSS 11500 content services switch, the Content Switching Module (CSM) for the Cisco Catalyst 6500 series switches, or the Application Control Engine (ACE), or who have already deployed legacy switches such as the Cisco CSS 11000 and Cisco Local Directors, can benefit from the new levels of traffic management and centralized command and control provided by the GSS 4400.

The KAL-AP by tag feature embeds a unique alphanumeric tag in the KAL-AP request. The tag value is used to match the correct Virtual IP (VIP) address on the SLB. This avoids confusion that can be caused when probing for the status of a VIP on an SLB that is located behind a firewall using Network Address Translation (NAT), or that is applied to multiple content rules.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

Components Used

The information and screen shots in this document are based on these software and hardware versions:

  • GSS 4492R that runs version 2.0(x)

  • CSS 11501S that runs version 8.20

The information in this document was created from the devices in a specific lab environment. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

gss_kal_ap-1.gif

Note that the CSS has two content rules with the same VIP. Therefore, the CSS does not know which rule is probed by the GSS if the Host-By-Tag feature is not configured. If you specify the same tag in both the GSS configuration and in the CSS content rule, the CSS can respond with the load of the proper content rule.

Configurations

This document uses these configurations:

  • GSS 4492R

  • CSS 11501S

GSS 4492R

Complete these steps:

  1. Configure a Shared KeepAlive:

    1. Log into the GSS.

    2. Click the DNS Rules tab.

    3. Click Shared KeepAlives.

    This screen appears.

    gss_kal_ap-2.gif

    Note that there are currently no Shared KeepAlives configured. In order to configure a new shared keepalive, click the icon that looks like piece of paper.

  2. Select KAL-AP as your Shared KeepAlive type.

    gss_kal_ap-3.gif

  3. For the Shared KeepAlive configuration, the primary IP address is a physical circuit IP address on the CSS, reachable through the GSS. Be sure not to enter the VIP address here. Check the CAPP secure box in order to enable MD5 encryption. Enter a hash secret for the MD5 encryption. In this case, it is cisco. Click the Submit button when finished.

    gss_kal_ap-4.gif

    Your new Shared Keepalive now appears in the Shared Keepalives screen. Note the Type is KAL-AP.

    gss_kal_ap-5.gif

  4. Go to the Answers screen under the DNS Rules tab. A list of your current Answers appears. You need to create a VIP-type Answer for the VIP on the CSS, in this case the 10.86.178.15 VIP. In order to configure a new Answer, click the icon that looks like piece of paper.

    gss_kal_ap-6.gif

  5. When the Answer configuration window appears, configure these parameters:

    1. Set the Type to VIP.

    2. Give the Answer a name, and optionally specify a location.

    3. For the VIP Address, specify the same VIP that is configured in the content rule of the CSS.

    4. Set the VIP KeepAlive Type to KAL-AP.

    5. Set the KAL-AP Type to KAL-AP By Tag.

    6. Set the Shared KAL-AP KeepAlive to the Shared KeepAlive that you just created, which points to the circuit IP address of the CSS.

    7. Set the Tag to any string, as long as it is specified exactly the same in the content rule of the CSS. In this example, the Tag is set to basicssl.

    gss_kal_ap-7.gif

    The new Answer now shows up in the list of Answers with the Basic_SSL name and a KeepAlive Method of KAL-AP by tag.

    gss_kal_ap-8.gif

  6. In order to view the status of the new Answer, click the Monitoring tab, and click Answers. Until the CSS is properly configured to accept the KAL-AP probes, the Answers show as Offline with a Load of 255.

    gss_kal_ap-9.gif

Content Services Switch 11501S

CSS 11501S
CSS#show running-config 
 
!Active version: sg0820001
 
configure
 
 
!*************************** GLOBAL ***************************
  app-udp 
 

!--- This is required for communication between GSS and CSS.
!--- The protocol uses UDP port 5002 by default.
!--- In order to change this port, issue the app-udp port 1025-65535 command.

 
 
  app-udp secure
 

!--- Allow only secure APP-UDP sessions.

 
  app-udp options 10.86.178.191 encrypt-md5hash cisco 
  app-udp options 10.86.178.192 encrypt-md5hash cisco
 

!--- Configure the Primary and Standby GSSMs and shared secret key the same
!--- as that specified in the GSS config (cisco).

 
 
  ip route 0.0.0.0 0.0.0.0 10.86.178.1 1 
 
!************************** CIRCUIT **************************
 
  circuit VLAN179
 
    ip address 10.86.179.14 255.255.255.0 
 
  circuit VLAN180
 
    ip address 192.168.1.14 255.255.255.0 
 
!************************** SERVICE **************************
 
  service SERVER_01 
    ip address 192.168.1.81 
    active 
 
!*************************** OWNER ***************************
 
  owner Basic 
 
    content Basic-SSL 
      vip address 10.86.179.15 
      protocol tcp 
      port 443 
      add service SERVER_01 
      add dns basicssl
     
 !--- This is the tag as configured on the GSS.  Since the CSS has 
      !--- two content rules with the same VIP, this tag enables the CSS
      !--- to know which content rule the GSS verifies the health of at any given time.

 
      active 
 
    content Basic-HTTP 
      vip address 10.86.179.15 
      protocol tcp 
      port 80 
      add service SERVER_01 
      active 

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

GSS

You can monitor the answer status on the GSS from the Monitoring tab. This shows you the status of the VIP.

gss_kal_ap-10.gif

You can also monitor the answer keepalive statistics. This shows you statistics about the configured keepalive. Note that there can be a five minute delay in statistical updates.

gss_kal_ap-11.gif

You can also monitor the Answer status from the GSS CLI.

Lab192.gss.com2#show statistics keepalive answer type vip 10.86.179.15
IP: 10.86.179.15   
Status: ONLINE
No of Keepalives Configured: 1
Keepalive => 10.86.179.14
Status: ONLINE
Keepalive Type: kalap, Shared, Standard
Tag: "basicssl"
Hash Secret: "cisco"
Primary Circuit:      10.86.179.14
Load:                            2
Circuit Transitions:             0
VIP Failovers:                   0
Packets Sent:                   95
Packets Received:               63
Positive Probe:                 63
Negative Probe:                 24
Transitions:                     6
VIP GID: 207 LID: 4
Keepalive GID:                 206

CSS

show app-udp global—Provides CSS statistics about the APP protocol.

CSS#show app-udp global 
            APP-UDP Global Info 
            Transmit Frames:             615 
            Transmit Bytes:           19,680 
            Transmit Errors:               0 
            Receive Frames:              615 
            Receive Bytes:            27,473 
            Receive Errors:                0 

show app-udp secure—Provides secure information configured on the CSS.

CSS#show app-udp secure 
            APP-UDP Security Options (Allow non-secure: No) 
               IP Address        Type    Secret
               ----------        ----    ------
               10.86.178.191     md5     cisco
               10.86.178.192     md5     cisco 

show service summary—Issue this CSS command in order to confirm the load of the servers.

CSS501-B#show service summary
 
               Service Name       State      Conn  Weight  Avg      State
                                                           Load     Transitions
               SERVER_01          Alive        0      1     2           0

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Apr 07, 2004
Document ID: 44661