
Cisco ACE GSS 4400 Series Global Site Selector Appliances

Release Note for the Cisco Global Site Selector, Release 3.2(0)




February 15, 2011


Note The most current Cisco documentation for released products is available on Cisco.com. For the complete set of Cisco Global Site Selector user documentation, go to the following URL:
http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_support_series_home.html


Contents

This release note applies to software version 3.2(0) for the Cisco Global Site Selector (GSS).

This document contains the following sections:

Upgrading or Downgrading the GSS Software

Operating Considerations for Software Version 3.2(0)

New Features in GSS 3.2(0)

Software Version 3.2(0) Resolved and Open Caveats

Software Version 3.2(0) CLI and GUI Changes

Obtaining Documentation and Submitting a Service Request

Upgrading or Downgrading the GSS Software

Table 1 provides information about the upgrade sequence for previous software versions before you upgrade to version 3.2(0).

Table 1 GSS Software Upgrade Sequence for 3.2(0)

From version . . . | To version . . .
1.0(x) or 1.1 (prior to 1.1.(1.7.0)) | 1.1.(1.7.0)
1.1.(1.7.0) | 1.2.(2.2.0)
1.2 (x) where x = 1 or 2 | 1.3(3)
1.3(3) | 3.1(2)
2.0(1), 2.0(2), 2.0(3), 2.0(4), 2.0(5), 3.0(1), 3.0(2), 3.1(0), 3.1(1), or 3.1(2) | 3.2(0)


The Cisco Global Site Selector Administration Guide (Software Version 3.1(1)) contains the required information to upgrade your GSS software.


Note The Cisco Global Site Selector Administration Guide (Software Version 3.1(1)) does not include specific information related to software version 3.2(0); however, the software upgrade and downgrade information that the guide contains can be applied to software version 3.2(0).


See Appendix A, "Performing GSS Software Upgrades and Downgrades" in the guide for information about the following topics:

Understanding Cisco-supported hardware and software compatibility for the GSS.

Understanding the software upgrade sequence to upgrade to either 3.1(0) or 3.1(1). A new feature of software version 3.1(1) is the ability to upgrade directly to this software version from version 1.3(3) or greater.

Preparing the GSS for a software upgrade.

Installing a new software image.

Preparing to downgrade.

Downgrading software versions on GSS devices.

Operating Considerations for Software Version 3.2(0)

The operating considerations for software version 3.1(x) and later are as follows:

Cisco LocalDirector does not reply properly to TCP keepalives sent on port 23 from a GSS device. To correct this behavior, specify a different keepalive method with LocalDirector or directly probe the servers located behind LocalDirector. Refer to the LocalDirector documentation for more information.

The GSS model 4480 cannot support all of the version 3.1(x) or later software functionality when it is operating as the primary GSSM; therefore, you cannot use this combination of hardware and software platforms as a primary or standby GSSM. Because the GSS 4480 is approaching its end-of-life target date, you must contact your Cisco representative regarding a hardware upgrade.

New Features in GSS 3.2(0)

This section describes the new and updated features of GSS software version 3.2 and includes the following sections:

HTTPS Keepalive Probes

DNSSEC Workaround

Global Keepalive Enable and Disable Feature

GSS GUI Audit Logging

HTTPS Keepalive Probes

GSS software version 3.2 adds the HTTPS HEAD keepalive probe type to its existing list of probe types used to determine a host device's serviceability status. The list of probe types that GSS supports now consists of ICMP, TCP, HTTP HEAD, HTTPS-HEAD, KAL-AP, Scripted KAL, CRA, and Name Server. The GSS uses the new HTTPS HEAD keepalive to monitor the status of the HTTPS application running on a secure Web server. Monitoring is performed using default port 443.

To access this feature from the GUI, choose one of the following:

DNS Rules > Answers > Create > VIP

DNS Rules > Shared Keepalives > Create

Resources > Keepalive Properties

For more information, see the "GUI Changes for Software Version 3.2(0)" section in this document, or click Help in any of the GUI windows that you open using the paths above.

You can also access this feature using the CLI. For command information, see the "Command Changes for Software Version 3.2(0)" section.

DNSSEC Workaround

GSS software version 3.2 supports Domain Name System Security Extensions (DNSSEC) through Name Service (NS) forwarding. For example, GSS forwards all DNSSEC DNS requests (DNSSEC OK flag set in EDNS flags) to an external name server and sends the response back to the D-Proxy. DNSSEC signatures do not depend on the source IP address of the DNS server where zones are signed so GSS can retrieve DNSSEC resource records (RRs) from an external name server and respond back to the D-Proxy.

With the DNSSEC workaround implementation:

When GSS receives DNS queries with DO flag set, it forwards all *matching* non-A DNS queries to the external name server.

For *matching* A queries with DO flag set, when NS answer group is configured for the requested domain, GSS forwards the request to the external name server and provides a DNSSEC response; otherwise, GSS responds back as it currently does with a plain DNS response.

Guidelines and Restrictions

For NS forwarded DNS requests, GSS does not provide GSLB answers. This includes A queries with the DO flag set, which get forwarded to the external name server.

If a DNS rule is configured with clause 1 VIP answer group serving A queries and clause 2 NS answer group serving all non-A queries, when GSS receives an MX query, it results in a clause transition and GSS sends an SNMP notification if enabled. Similarly, even for DNSSEC NS forwarded queries, a clause transition notification is generated when there is a clause transition.

The knob for enabling or disabling the DNSSEC workaround functionality for A queries is provided by the following new configuration property:

ServerConfig.dnsserver.nsForwardAQueriesWithDOFlag

This property is disabled by default, which means that GSS does not forward DNSSEC A queries to the external name server. Enabling this property instructs GSS to forward DNSSEC A queries to the external name server.

When making a change to this property, you must do the following:

After making the change, restart the GSS using the gss restart command.

Perform the same property change and GSS restart on every GSS in the mesh.

Procedure


Step 1 From the GSS, enter the following CLI command to enable EDNS and allow the GSS to parse DNSSEC requests and return FORMERR error code:

Property set ServerConfig.dnsserver.enableEDNS

The EDNS property is disabled by default. You must enter this command on each GSS in the GSS network for this workaround to function in the GSS mesh.

The Property set command requires restarting the GSS.

Step 2 Enter the gss restart command to restart the GSS.
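The forwarding rules above depend on two things carried in the query itself: the query type and the DO bit in the EDNS OPT record. The following added example (not Cisco code) parses both from a wire-format query and applies the rules as this note states them, which is useful when checking which names stop receiving GSLB answers. The names gss_handling, ns_group_domains and the returned labels are hypothetical, the queries are constructed test input, and requiring both the property and an NS answer group for A queries is this example's reading of the text.

```python
import struct

TYPE_A, TYPE_MX, TYPE_OPT = 1, 15, 41
DO_BIT = 0x8000  # "DNSSEC OK": top bit of the flags half of the OPT TTL field


def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, do_flag, edns=True, msg_id=0x1234):
    """Construct a DNS query (test input only), optionally with an OPT record."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE | version | flags, RDLEN = 0.
        ttl = DO_BIT if do_flag else 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
    return header + question + opt


def read_name(msg, off):
    """Return (name, next offset). A compression pointer ends the name."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return ".".join(labels), off + 2
        if length == 0:
            return ".".join(labels), off + 1
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_query(msg):
    """Extract (qname, qtype, do_flag) from a wire-format DNS query."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    do_flag = False
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do_flag = bool(ttl & DO_BIT)
    return qname.lower(), qtype, do_flag


def gss_handling(msg, ns_group_domains, forward_a_with_do=False):
    """Model of the stated rules for a query that already matches a DNS rule.

    ns_group_domains: lowercase domains with an NS answer group (assumed input).
    forward_a_with_do: value of ServerConfig.dnsserver.nsForwardAQueriesWithDOFlag.
    """
    qname, qtype, do_flag = parse_query(msg)
    if not do_flag:
        return "unchanged"      # no DO flag: handled as before the workaround
    if qtype != TYPE_A:
        return "ns-forward"     # DO + non-A: forwarded, no GSLB answer
    if forward_a_with_do and qname in ns_group_domains:
        return "ns-forward"     # DO + A with property on and NS answer group
    return "plain-dns"          # DO + A otherwise: plain DNS response


if __name__ == "__main__":
    groups = {"www.example.com"}
    for qtype, do in ((TYPE_A, False), (TYPE_A, True), (TYPE_MX, True)):
        q = build_query("www.example.com", qtype, do)
        print(qtype, do, gss_handling(q, groups), gss_handling(q, groups, True))
```
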


Global Keepalive Enable and Disable Feature

GSS software version 3.2 provides a global keepalive enable and disable feature that allows you to enable or disable all keepalives of the type VIP, CRA, or Name Server using the GUI or CLI.

Guidelines and Restrictions

By default, all keepalives are enabled when you install the software version 3.2 image.

When you use the CLI to globally disable a keepalive type, the keepalives remain disabled even if you reload the 3.2 software image. All enabled answers and keepalives remain online.

When you disable a keepalive type at the global level, GSS stops probing all related keepalives for the corresponding Answer type.

Globally changing the operating state of a keepalive type affects all of the GSS devices in the GSS mesh.

To access this feature using the GUI, choose Resources > Keepalive Properties > Global Keepalive Properties. For more information, see the "GUI Changes for Software Version 3.2(0)" section, or click Help in the Global Keepalive Properties window.

You can also access this feature using the CLI. For command information, see the "Command Changes for Software Version 3.2(0)" section.

GSS GUI Audit Logging

GSS software version 3.2 logs all user-initiated GUI operations in the guiAudit.log file. GUI operations that GSS logs include the following:

Create a new object, such as an Answer, Answer Group, DNS Rules, and so forth.

Modify existing objects.

Delete existing objects.

Log in or out from the GUI.

The following is an example of the log file output:

gssm1.example.com#type guiAudit.log

# Start GuiAudit logging at Wed Jan 26 11:59:14 GMT 2011

Wed Jan 26 11:59:14 GMT 2011    Page:Login.jsp User:admin Role:admin
RemLoginAddr:10.78.18.230 Action:User LoggedIn
Wed Jan 26 12:02:16 GMT 2011    Page:keepAliveMain.jsp User:admin Role:admin
RemLoginAddr:10.78.18.230 kalId:null KalType:HTTP KalRate:Standard HttpIpAddr:92.0.0.10
HttpHeadDestPort:null HttpHostTag: HttpPath: HttpConnTermMeth:Reset Action: added
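
To review this log or feed it to a log collector, the Name:value records need to be split into fields. The following added example (not part of the GSS software or Cisco documentation) parses the sample output above, including its wrapped lines and empty values, and groups activity by user and source address. The function names are hypothetical, and the field handling is inferred only from the two sample records shown.

```python
import re
from collections import defaultdict
from datetime import datetime

# Copied from the release note's sample output, keeping its line wrapping:
# a record runs from one timestamp to the next.
SAMPLE = """\
# Start GuiAudit logging at Wed Jan 26 11:59:14 GMT 2011

Wed Jan 26 11:59:14 GMT 2011    Page:Login.jsp User:admin Role:admin
RemLoginAddr:10.78.18.230 Action:User LoggedIn
Wed Jan 26 12:02:16 GMT 2011    Page:keepAliveMain.jsp User:admin Role:admin
RemLoginAddr:10.78.18.230 kalId:null KalType:HTTP KalRate:Standard HttpIpAddr:92.0.0.10
HttpHeadDestPort:null HttpHostTag: HttpPath: HttpConnTermMeth:Reset Action: added
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# "Wed Jan 26 11:59:14 GMT 2011" followed by whitespace.
STAMP = re.compile(
    r"^[A-Z][a-z]{2} ([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (\w+) (\d{4})\s+")
# A field name is a word that starts a whitespace-separated token and ends in ":".
KEY = re.compile(r"(?<!\S)([A-Za-z]\w*):")


def split_records(text):
    """Join wrapped lines so each record is one string starting with a timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or "# Start GuiAudit" banner
        if STAMP.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line     # continuation of the previous record
    return records


def parse_record(record):
    """Turn one record into a dict of its Name:value fields plus 'time' and 'tz'."""
    m = STAMP.match(record)
    mon, day, hh, mm, ss, tz, year = m.groups()
    event = {"time": datetime(int(year), MONTHS[mon], int(day),
                              int(hh), int(mm), int(ss)), "tz": tz}
    body = record[m.end():]
    keys = list(KEY.finditer(body))
    for i, key in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        # Values may be empty ("HttpPath:") or contain spaces ("User LoggedIn").
        event[key.group(1)] = body[key.end():end].strip()
    return event


def parse_log(text):
    """Parse a whole guiAudit.log text into a list of event dicts."""
    return [parse_record(r) for r in split_records(text)]


def activity_by_source(events):
    """Group events by (User, RemLoginAddr) so each account/address pair can be reviewed."""
    grouped = defaultdict(list)
    for e in events:
        grouped[(e.get("User"), e.get("RemLoginAddr"))].append(
            (e["time"].isoformat(), e.get("Page"), e.get("Action")))
    return dict(grouped)


if __name__ == "__main__":
    for who, actions in activity_by_source(parse_log(SAMPLE)).items():
        print(who, actions)
```

A value that itself contains a whitespace-preceded word ending in a colon would be split into a new field, so treat unexpected field names as a sign that a record needs manual review.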
 
   

Software Version 3.2(0) Resolved and Open Caveats

The following sections contain the resolved and open caveats for software version 3.2(0):

Resolved Caveats for Software Version 3.2(0)

Open Caveats for Software Version 3.2(0)

Resolved Caveats for Software Version 3.2(0)

This section lists the resolved caveats for software version 3.2(0):

CSCtc38727—When a KAL-AP shared keepalive is configured with secondary circuit IP address, GSS can enter a state in which answers configured with Manual Reactivation can be in an Operational Suspend state.
Workaround: Either use the KAL-AP keepalive with only a primary circuit IP address or use another keepalive type.

CSCtc39127—GSS PGSSM at [runmode = 0] is not showing any running configuration and the GUI is unavailable; however, a start-up configuration exists and GSS is answering queries and is accessible using telnet.
Workaround: None.

CSCtd01467—An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
Workaround: None.

CSCte64381—GSS does not function as per Internet DNS Standards. For example, let's say that a request for the MX record for www.example.com is received by GSS, which is authoritative and is configured with the NS answer. If for some reason the mail server does not exist, the NS server responds with an NXDOMAIN. GSS forwards the NXDOMAIN response to the requesting DNS proxy, which caches this response for www.example.com. When another client makes a request for an A record for www.example.com, the DNS proxy has it cached as NXDOMAIN and responds with that status. At this point, the entire site behind the DNS proxy cannot resolve the domain www.example.com. If the DNS server (GSS) is authoritative for the domain and the NS server returns an NXDOMAIN for MX, SOA, and other records, the GSS should send a NODATA/NOERROR response back to the client.
Workaround: Configure Resource Records for the requested domain name on the external name server.

CSCtf30643—When SNMP is enabled and the GSS is sending a getBulkRequest with maximum repetitions set to 0, SNMP becomes unresponsive.
Workaround: Change the value to non zero for max repetitions on the network management system (NMS) application.

CSCtg60511—When global sticky is enabled in a GSS cluster, the global sticky entries stop being replicated to all the devices. When observing the sticky mesh, it was determined that some of the boxes were in an INIT state and the local peer IP address was 0.0.0.0.
Workaround: Perform a GSS stop and then GSS start on the devices and the global sticky mesh will go from INIT to Running.

CSCti20170—When GSS receives a high rate of TCP DNS traffic and sticky is enabled for the DNS clauses, the DNS server becomes unresponsive and generates a core dump.
Workaround: None.

CSCti93734—When rebooting the GSS or suspending and reactivating an answer, the GSS returns an NXDomain while initializing. This issue can be seen during normal operations.
Workaround: None.

CSCtj24854—When using SSH to log in and make configuration changes, the GSS creates *.config files in the /tmp directory, which the GSS fails to delete when done. Over time, the /tmp directory fills up (all inodes are used up) and further SSH logins to the GSS fail because the GSS cannot create a process_id.config file (for example, 3483.config) in /tmp due to inode exhaustion.
Workaround: None.

CSCtk59595—When you exit the CLI, the CLI/exec process may generate a core dump. This issue has no impact on GSS operation.


Note The fix for this issue may only be a partial fix, which is based on what is currently known about the issue. Engineering has opened defect CSCtn20412 to track any possible future occurrences of this issue.


Workaround: None.

CSCtk61446—When the GSS is configured with any feature that uses SSL, it may be affected by OpenSSL vulnerabilities as described in CVE-2010-4180 and CVE-2010-4252.
Workaround: None.

CSCtk83562—When you create an HTTPS probe that points to an IIS web server running on a Windows 2003 server, the probe stays in an Offline state.
Workaround: None.

CSCtl22727—When an HTTPD server goes to a Stop state, the HTTPS probe that monitors its operation stays in an Online state.
Workaround: None.

CSCtl24462—You cannot create a Fast rate shared HTTPS keepalive when performing the following steps:

1. From the Shared Keepalive window, create an HTTPS keepalive.

2. Create an Answer of the type VIP and enter the VIP IP address.

3. Uncheck the VIP Address check box under HTTPS keepalive.

4. From the Shared HTTPS HEAD KeepAlive drop down list, choose the shared HTTPS keepalive created in Step 1.

5. Click Submit. The Keepalive type displays as a non-shared keepalive.

Workaround: None.

CSCtl49829—When using the GSS GUI or CLI to create an HTTPS HEAD keepalive, there is no option to specify the SSL version (TLSv1, SSLv2, or SSLv3). By default, the GSS sends TLSv1 requests. The HTTPS HEAD keepalive shows a status of OFFLINE for SSLv2 and SSLv3.
Workaround: None.

CSCtl55167—When an NS answer and a VIP answer share the same LID and the two answers are configured in to answer groups, then the DNS server might generate a core file if you try to delete the NS answer.
Workaround: None.

CSCtl96936—When Manual Reactivation (MR) is enabled on answers that have KALAP type keepalives attached to them (either with just the primary circuit configured or with both primary and secondary circuit configured), the keepalive process becomes unresponsive if the circuit becomes unresponsive (both circuits when there is a primary and secondary configured). Under normal circumstances, the answer should change to the Operational Suspend state.
Workaround: None.

Open Caveats for Software Version 3.2(0)

This section lists the open caveats for software version 3.2(0):

CSCtc76185—When using the CLI to manage the GSS, on rare occasions the answer suspend function does not work.
Workaround: Use the GSS GUI to suspend the answer.

CSCte43718—When an answer group change is being made on the GSS GUI, GSS is seeing dnsserver cores, which can be traced back to the change. This issue is not seen with 4492 GSS devices.
Workaround: None.

CSCtf78828—GSS uses a variable "numInUse" to track the number of answers available to return to the D-proxy based on keepalive checks. When a CSM real bounces in and out of service, a failure can occur that results in the GSS not returning the valid online CSM answer. In a round robin rule, the GSS will not hand out the CSM answer even though the answer is online. This issue is not seen with 4492 GSS devices.
Workaround: None.

CSCtg97066—When the GSS is integrated with TACACS+ and the user is accessing the GSS GUI, on rare occasions the Tomcat process restarts and generates a core.
Workaround: None.

CSCtj86311—When an HTTP-HEAD KAL response from a VIP is delayed (because FW drops first 3 SYNs), the GSS mis-handles the TCP session and marks the KAL as failed.
Workaround: None.

CSCtk56123—When sticky and proximity are enabled on GSS and under the DNS rule, "Wait" is enabled, the GSS stops serving answers (DNS request timeout on the client end) for some clients.
Workaround: Disable sticky or proximity, or disable the "Wait".

CSCtl11705—The GSS is unresponsive; no response from console, GUI, or SSH and DNS requests also go unanswered.
Workaround: Reboot the GSS to recover.

CSCtz88393—In GSS 3.x and earlier versions, if an AAAA query hits the GSS box and if the NS Forward DNS clause is selected, the AAAA queries will not be forwarded to the corresponding Name Server. Instead, a NOERROR will be returned by GSS.

Workaround: None.

Software Version 3.2(0) CLI and GUI Changes

This section describes the CLI command and GUI changes associated with software version 3.2(0) and includes the following sections:

Command Changes for Software Version 3.2(0)

GUI Changes for Software Version 3.2(0)

Command Changes for Software Version 3.2(0)

Table 2 shows the command that has been added in software version 3.2(0).

Table 2 CLI Command Change in Version 3.2(0) 

Mode
Command and Syntax
Description

Global server load-balancing configuration

keepalive-properties global {cra-keepalive | ns-keepalive | vip-keepalive} {disable | enable}

no keepalive-properties global {cra-keepalive | ns-keepalive | vip-keepalive} {disable | enable}

This new command allows you to globally enable or disable all keepalives of the type VIP, CRA, or Name Server. To reset the operating status of a keepalive type to its default state (enabled), use the no form of this command.

The keywords for this command are as follows:

cra-keepalive—Specifies the CRA keepalive type.

ns-keepalive—Specifies the Name Server keepalive type.

vip-keepalive—Specifies the VIP keepalive type.

disable—Disables the specified keepalive type.

enable—Enables the specified keepalive type. This is the default.

User EXEC, privileged EXEC, global configuration, and global server load-balancing

show gslb-config keepalive-properties | grep global

The show gslb-config keepalive-properties command output has been expanded to show whether the CRA, Name Server, and VIP keepalive operating statuses are globally set to disabled or enabled.

For example:

gssm1.example.com(config-gslb)#sh gslb-config keepalive-properties | grep global

keepalive-properties global vip-keepalive enable
keepalive-properties global cra-keepalive disable
keepalive-properties global ns-keepalive enable

Global server load-balancing configuration

keepalive-properties https-head {fast [path | port | SSL-Version [SSLV2 | SSLV3 | TLSV1] | successful-probes] | standard [min-interval number | path path | port number | SSL-Version [SSLV2 | SSLV3 | TLSV1] | successful-probes | timeout number]}

no keepalive-properties https-head {fast [path | port | SSL-Version [SSLV2 | SSLV3 | TLSV1] | successful-probes] | standard [min-interval number | path path | port number | SSL-Version [SSLV2 | SSLV3 | TLSV1] | successful-probes | timeout number]}

The global keepalive-properties command now includes the https-head keyword for configuring the global properties of HTTPS HEAD keepalives. To reset keepalive properties to their default values, use the no form of this command.

The keywords for this command are as follows:

https-head—Specifies the HTTPS Head keepalive type.

standard—Specifies the standard failure detection mode. Failure detection time is the amount of time between when a device failure occurred (the answer resource goes offline) and when the GSS realized the failure occurred.

fast—Specifies the fast failure detection mode. Failure detection time is the amount of time between when a device failure occurred (the answer resource goes offline) and when the GSS realized the failure occurred.

min-interval number—(Optional) Specifies the minimum frequency with which the GSS attempts to schedule HTTPS HEAD standard keepalives. The valid entries are 40-255 seconds. The default is 40.

path path—(Optional) Default path that is relative to the server website being queried in the HTTPS HEAD request. If you do not specify a default path, the GSS uses the globally configured value.


Note The HTTPS path adheres to the RFC specification and is defined as follows:
https://<host>:<port>/<path>?<searchpart>

When you specify the path as blank (""), GSS sends the following URL:
https://<host>:<port>/

When you specify the path as "index.html," GSS sends the following URL:
https://<host>:<port>/index.html

When you specify the path as "/index.html," GSS sends the following URL:
https://<host>:<port>//index.html


port number—(Optional) Port on the remote device that receives the HTTPS HEAD-type keepalive request from the GSS. The port range is 1 to 65535. The default HTTPS port is 443. If you do not specify a destination port, the GSS uses the globally configured value.

SSL-Version—(Optional) Specifies the version of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to use for encryption:

SSLV2—(Optional) Specifies SSL version 2.

SSLV3—(Optional) Specifies SSL version 3.

TLSV1—(Optional) Specifies TLS version 1. This is the default.

timeout number—(Optional) Specifies the length of time allowed before the GSS retransmits data to a device that is not responding to a request. This option is available for standard keepalives only. The valid entries are 20-60 seconds. The default is 20.

Global server load-balancing configuration

shared-keepalive https-head ip_address [host-tag domain_name | path path | port number | SSL-Version [SSLV2 | SSLV3 | TLSV1] | successful-probes number]

no shared-keepalive https-head ip_address [host-tag domain_name | path path | port number | SSL-Version [SSLV2 | SSLV3 | TLSV1] | successful-probes number]

The shared-keepalive command now includes the https-head keyword for configuring an HTTPS HEAD shared keepalive. To reset shared keepalive properties to their default values, use the no form of this command.

The keywords and arguments for this command are as follows:

https-head ip_address—Specifies the HTTPS HEAD shared keepalive type.

ip_address—IP address used to test the online status for the linked VIPs.

host-tag domain_name—(Optional) Domain name that is sent to the VIP as part of the HTTPS HEAD query in the Host tag field. This tag allows an SLB to resolve the keepalive request to a particular website even when multiple sites are represented by the same VIP.

path path—(Optional) Default path that is relative to the server website being queried in the HTTPS HEAD request. If you do not specify a default path, the GSS uses the globally configured value.


Note The HTTPS path adheres to the RFC specification and is defined as follows:
https://<host>:<port>/<path>?<searchpart>

When you specify the path as blank (""), GSS sends the following URL:
https://<host>:<port>/

When you specify the path as "index.html," GSS sends the following URL:
https://<host>:<port>/index.html

When you specify the path as "/index.html," GSS sends the following URL:
https://<host>:<port>//index.html


port number—(Optional) Port on the remote device that receives the HTTPS HEAD-type keepalive request from the GSS. The port range is 1 to 65535. The default HTTPS port is 443. If you do not specify a destination port, the GSS uses the globally configured value.

SSL-Version—(Optional) Specifies the version of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to use for encryption:

SSLV2—(Optional) Specifies SSL version 2.

SSLV3—(Optional) Specifies SSL version 3.

TLSV1—(Optional) Specifies TLS version 1. This is the default.

successful-probes number—(Optional) Specifies the number of consecutive successful HTTPS HEAD keepalive attempts (probes) that GSS must recognize before bringing an answer back online and reintroducing it into the GSS network. The range is 1 to 5 probes. The default is 1.

Answer vip configuration mode

keepalive type https-head ip_address [path path | port number | SSL-Version [SSLV2 | SSLV3 | TLSV1]]

no keepalive type https-head ip_address [path path | port number | SSL-Version [SSLV2 | SSLV3 | TLSV1]]

The keepalive type command now includes the https-head keyword for configuring a VIP answer with an HTTPS HEAD keepalive. To reset keepalive properties to their default values, use the no form of this command.

The keywords and argument are as follows:

https-head—Specifies the HTTPS HEAD keepalive type.

ip_address—IP address used to test the online status for the linked VIPs.

path path—(Optional) Default path that is relative to the server website being queried in the HTTPS HEAD request. If you do not specify a default path, the GSS uses the globally configured value.


Note The HTTPS path adheres to the RFC specification and is defined as follows:
https://<host>:<port>/<path>?<searchpart>

When you specify the path as blank (""), GSS sends the following URL:
https://<host>:<port>/

When you specify the path as "index.html," GSS sends the following URL:
https://<host>:<port>/index.html

When you specify the path as "/index.html," GSS sends the following URL:
https://<host>:<port>//index.html


port number—(Optional) Port on the remote device that receives the HTTPS HEAD-type keepalive request from the GSS. The port range is 1 to 65535. The default HTTPS port is 443. If you do not specify a destination port, the GSS uses the globally configured value.

SSL-Version—(Optional) Specifies the version of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to use for encryption:

SSLV2—(Optional) Specifies SSL version 2.

SSLV3—(Optional) Specifies SSL version 3.

TLSV1—(Optional) Specifies TLS version 1. This is the default.

Privileged EXEC, global configuration, and interface

show statistics keepalive https-head {ip_address | all | list}

The show statistics keepalive command now includes the https-head keyword for displaying statistical information about the HTTPS HEAD keepalive component of the GSS software.

The keywords and argument are as follows:

https-head—Specifies the HTTPS HEAD keepalive type.

ip_address—IP address for which statistics are displayed.

all—Displays all configured HTTPS HEAD-type keepalives.

list—Lists all available IP addresses.

Global configuration

debugflags {kale | selector | sticky} [disable | enable]

no debugflags {kale | selector | sticky} [disable | enable]

This new command enables or disables debug flags for the KALE, Selector, or Sticky keepalive module. To reset the debug flags to their default values (disabled), use the no form of this command.


Note Enabling the debug flags feature may affect GSS performance. Enable this feature only when needed for debugging purposes.


The keywords are as follows:

kale—Specifies the Kale module debug flags.

selector—Specifies the Selector module debug flags.

sticky—Specifies the Sticky module debug flags.

disable—(Optional) Disables the debug flags feature for the specified keepalive module. This is the default.

enable—(Optional) Enables the debug flags feature for the specified keepalive module.

Privileged EXEC

gss tech-report memdump [boomerang | dnsserver | drp | keepalive | proximity | sticky]

The gss tech-report command now includes the memdump keyword for creating a snapshot memory dump of the GSS C/C++ processes for use by Cisco Technical Assistance Center (TAC) representatives in troubleshooting persistent GSS problems.

The keywords are as follows:

boomerang—(Optional) Specifies a snapshot memory dump of the boomerang process only.

dnsserver—(Optional) Specifies a snapshot memory dump of the dnsserver process only.

drp—(Optional) Specifies a snapshot memory dump of the drp process only.

keepalive—(Optional) Specifies a snapshot memory dump of the keepalive process only.

proximity—(Optional) Specifies a snapshot memory dump of the proximity process only.

sticky—(Optional) Specifies a snapshot memory dump of the sticky process only.

After you enter the command, you must enter the gss tech-report filename command to collect the snapshot memory dump file for use by TAC. For more information about the gss tech-report filename command, see the "Viewing the GSS Operating Configuration for Technical Support" section in the Cisco Global Site Selector Administration Guide for software version 3.1(1).


GUI Changes for Software Version 3.2(0)

GSS software version 3.2(0) includes several GUI changes associated with the new features that allow you to globally enable or disable keepalive probes or create keepalive probes of the type HTTPS HEAD (for more information, see the "New Features in GSS 3.2(0)" section).

The new or modified screens are as follows:

Keepalive Properties window (Resources > KeepAlive Properties)—This window now includes the following options:

Global Keepalive Properties—This window allows you to globally enable or disable keepalives of the type VIP, CRA, or Name Server (see Figure 1). By default, all keepalive types are enabled.

Figure 1 Global Keepalive GUI Window

HTTPS HEAD—This window allows you to configure the global properties for HTTPS HEAD keepalives (see Figure 2).

Figure 2 Global HTTPS HEAD Keepalive Configuration Window

Creating New Answer window for VIP answers (DNS Rules > Answers > Create Answer > VIP)—This window now includes the option to create a VIP answer with a keepalive of the type HTTPS HEAD (see Figure 3).

Figure 3 Create Answer HTTPS HEAD Option

Creating New Shared Keepalive window (DNS Rules > Shared Keepalive > Create Shared Keepalive)—This window now includes the option to create a shared keepalive of the type HTTPS Head (see Figure 4).

Figure 4 HTTPS HEAD Shared Keepalive

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html