Cisco ACE GSS 4400 Series Global Site Selector Appliances

Release Notes for the Cisco Global Site Selector, Release 1.1(0)

Release Note for the Cisco Global Site Selector, Release 1.1(0)


February 4, 2004


Note The most current Cisco GSS documentation for released products is available on Cisco.com. This release note includes the modified procedure for upgrading from GSS software version 1.0 to version 1.1(0). See the "Upgrading from Software Version 1.0 to Version 1.1(0)" section in this release note for details. If you are upgrading from software version 1.0 to version 1.1(0), this upgrade procedure supersedes the procedure in the Cisco Global Site Selector Configuration Guide.


Contents

This release note applies to software version 1.1(0) for the Cisco Global Site Selector (GSS). It contains the following sections:

Cisco-Supported Hardware and Software Compatibility

Upgrading from Software Version 1.0 to Version 1.1(0)

New Features in Software Version 1.1(0)

Operating Conditions for Software Version 1.1(0)

Open Caveats for Software Version 1.1(0)

Resolved Caveats for Software Version 1.1(0)

CLI Command Changes in Software Version 1.1(0)

Obtaining Documentation, Obtaining Support, and Security Guidelines

Cisco-Supported Hardware and Software Compatibility

Cisco Global Site Selector software operates with the following Cisco hardware:

Cisco Global Site Selector platform (configured in software as the primary GSSM, the standby GSSM, or as a GSS device)

Cisco Content Services Switch running the following recommended WebNS software releases:

Cisco 11500 Series CSS—Software releases 7.10.3.05 or greater, 7.20.1.04 or greater

Cisco 11000 Series CSS—Software releases 5.00.3.09 or greater, 6.10.1.07 or greater

Cisco Catalyst 6500 Content Switching Module Version 2.2(3) or higher

Refer to the Cisco documentation that came with each device for detailed, device-specific instructions on handling, installing, and configuring your Cisco hardware.

You can upgrade to GSS software version 1.1(0) from any GSS version 1.0 release (versions 1.0, 1.0.1, or 1.0.2).

Upgrading from Software Version 1.0 to Version 1.1(0)

Before you upgrade your GSS software from software version 1.0 to version 1.1(0), review the software upgrade procedure as described below.


Note It is important that you perform the software upgrade procedure as described in this section. If you do not follow that procedure, you may encounter the GSS operating issue described in defect CSCec88216. See the "Open Caveats for Software Version 1.1(0)" section for details on defect CSCec88216.


To take full advantage of all of the features and capabilities of software version 1.1(0), we recommend that you update all GSS devices in your network within the same time frame, starting with the primary GSSM. However, if you plan to upgrade the other GSS devices in your network over time, note that the following keepalive features of software version 1.1(0) are downgraded on the GSS software version 1.0 devices as follows:

The new TCP connect keepalive method is automatically configured as the ICMP keepalive method.

The new graceful HTTP HEAD keepalive connection termination method is automatically configured as the HTTP HEAD reset termination method.

The new Fast mode for keepalives is automatically changed to Standard mode.

To upgrade to a new software version, you must have access to the GSS download area of the Cisco software download site and to Cisco.com. You must be familiar with the proper procedure for updating your GSS devices and know the CLI commands required to execute the backup.

The GSS version 1.0 to version 1.1(0) software upgrade requires that you complete the following procedures in the exact order listed below:

1. Verifying the GSSM Role in the GSS Network

2. Backing up and Archiving the Primary GSSM

3. Converting the Standby GSSM to a GSS Device

4. Obtaining the Software Upgrade

5. Upgrading Your GSS Devices

6. Reconfiguring the Original Standby GSSM


Note Due to the scope of the new features in software version 1.1(0), certain software functions are incompatible between GSS software version 1.1(0) and version 1.0, which makes for a more involved software upgrade procedure. The GSS software upgrade procedure will be more streamlined in future releases of the software.


Verifying the GSSM Role in the GSS Network

You can reconfigure the standby GSSM to operate as an interim primary GSSM in the event that the primary GSSM is unavailable (for example, you need to move the primary GSSM or you want to take it offline for repair or maintenance). Note that the changing of roles between the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online. Before you continue with the upgrade procedure, verify that the roles of the designated primary and standby GSSMs have not changed.

To verify the role of the current primary GSSM and the standby GSSM:

1. At the CLI of the current primary GSSM, enter the following commands:

gssm1.yourdomain.com# cd /home
gssm1.yourdomain.com# type ../props.cfg | grep -i fqdn

The following output appears:

controllerFqdn= domain_name or ip_address

2. Based on the output value for controllerFqdn, note the following:

If the value of the domain name or IP address is the current primary GSSM in your network, then the current primary GSSM and standby GSSM configuration is the original configuration and no further action is needed. Proceed to the "Backing up and Archiving the Primary GSSM" section.

If the value of the domain name or IP address is not the current primary GSSM in your network, then the current primary GSSM and standby GSSM configuration is not the original configuration. In this case, you must reverse the roles of the primary and standby GSSM devices to those of the original GSS network deployment. Refer to the "Reversing the Roles of the Interim Primary and Standby GSSMs" section in the Cisco Global Site Selector Configuration Guide.

The next step is to ensure that you have a full (and current) backup of the primary GSSM database and that you archive this backup. Proceed to the "Backing up and Archiving the Primary GSSM" section.

Backing up and Archiving the Primary GSSM

Before you upgrade your GSS software, ensure that you have a full backup of your primary GSSM database and that you archive the backup by moving it to a remote device. The GSSM database maintains all network and device configuration information, as well as the DNS rules that are used by your GSS devices to route DNS queries from users to available hosts. That way, if necessary, you can quickly restore your GSS network to its previous state. You can perform a full backup at any time. Doing so does not interfere with the functions of the primary GSSM or other GSS devices.

See the "Performing a Full GSSM Backup" section in the Cisco Global Site Selector Configuration Guide for instructions on performing a full backup of your primary GSSM. Performing a full backup requires access to the CLI.

The next step in the upgrade procedure involves converting the standby GSSM in your network to a GSS device. A version 1.0 standby GSSM cannot communicate with a version 1.1(0) primary GSSM, resulting in incompatibility problems between the two devices.

Based on your GSS network upgrade requirements, proceed to the next step in the upgrade procedure as follows:

If you intend to upgrade all devices in your GSS network to software version 1.1(0) within the same time frame, you are now ready to obtain the upgrade file and upgrade the software on a GSS device. Proceed to the "Obtaining the Software Upgrade" section.

If your GSS network includes a standby GSSM that is not to be upgraded to software version 1.1(0) along with the primary GSSM, convert the standby GSSM to a GSS device as described in the "Converting the Standby GSSM to a GSS Device" section prior to performing the software upgrade.

If you do not have a standby GSSM in your GSS network, proceed to the "Obtaining the Software Upgrade" section.

Converting the Standby GSSM to a GSS Device

This procedure is required only for a GSS network that includes a standby GSSM. A version 1.0 standby GSSM cannot communicate with a version 1.1(0) primary GSSM. If you do not intend to upgrade the version 1.0 standby GSSM to version 1.1(0) along with the primary GSSM, convert the standby GSSM to a version 1.0 GSS device to avoid incompatibility problems and to ensure that the GSS device continues to function properly while the network runs mixed versions of GSS software.

Perform this conversion process before you upgrade the primary GSSM to 1.1(0).

To convert the standby GSSM to a GSS device:

1. At the CLI of the standby GSSM, enter the following commands to stop and disable the device:

gssm1.yourdomain.com# gss stop
gssm1.yourdomain.com# gssm database delete
gssm1.yourdomain.com# config
gssm1.yourdomain.com(config)# property set standbyCrm 0
gssm1.yourdomain.com(config)# exit
gssm1.yourdomain.com# gss status | grep node | make-certificate --overwrite

Note The CLI commands shown above are case-sensitive and must be typed exactly as shown in the example.


2. At the primary GSSM GUI, delete the standby GSSM from the network as follows:

a. Click the Resources button. The Device and Network Configuration window appears.

b. From the drop-down list, select the Global Site Selectors option. The GSS list window appears.

c. Refresh the page and wait for the standby GSSM status to switch from Online to Offline.

d. Click the Modify Global Site Selector icon located to the left of the GSS device you intend to upgrade. The Modify Global Site Selector details window for the GSS device appears.

e. Click the Delete button. The software prompts you to confirm your decision to delete the device.

f. Click OK to return to the GSS list window. The standby GSSM is removed from the list.

3. At the CLI of the standby GSSM, enter the following command to configure the standby GSSM as a GSS device:

gssm1.yourdomain.com# gss enable gss host_or_ip.of.primary

4. At the primary GSSM GUI, activate the new GSS as follows:

a. Click the Resources button. The Device and Network Configuration window appears.

b. From the drop-down list, select the Global Site Selectors option. The GSS list window appears. The GSS device appears with an Inactive status.

c. Click the Modify Global Site Selector icon located to the left of the GSS device you intend to activate. The Modify Global Site Selector details window for the GSS device appears.

d. Check the Activate check box. (This box does not appear in the Modify Global Site Selector details window after the device has been activated.)

e. Click the Save button. You return to the GSS list window. The status of the device that you activated is listed as pending. Click the Refresh button and verify that the status of the GSS device changes to online.

After you convert the standby GSSM to a GSS device, you are now ready to obtain the upgrade file and upgrade the software on a GSS device. Proceed to the "Obtaining the Software Upgrade" section.

Obtaining the Software Upgrade

Before you can update your GSS software, obtain the appropriate software update file from Cisco.

To acquire the software update from Cisco, you must:

Access the Cisco.com website and locate the software update files.

Download the software update files to a server within your own organization that is accessible using FTP or SCP from your GSSs and GSSMs.

You must have a Cisco.com username and password before attempting to download a software update from Cisco.com. To acquire a Cisco.com login, go to http://www.cisco.com and click the Register link.


Note You need a service contract number, Cisco.com registration number and verification key, Partner Initiated Customer Access (PICA) registration number and verification key, or packaged service registration number to obtain a Cisco.com username and password.


To add an upgrade file for the GSS software:

1. Launch your preferred web browser and point it to the Cisco Global Site Selector download page. When prompted, log in to Cisco.com using your designated Cisco.com username and password. The Cisco GSS Software download page appears, listing the available software upgrades for the GSS software product.

2. If you do not have a shortcut to the Cisco Global Site Selector download page:

a. Log in to Cisco.com using your designated Cisco.com username and password.

b. Access the Software Center from the Technical Support link.

c. Select the Content Networking Software link from the Software Center - Software Products and Downloads page.

d. Select the Cisco Global Site Selector link from the Software Center - Content Networking page.

e. Select the Download Cisco Global Site Selector link from the Software Center - Content Networking page.

The Cisco GSS Software download page appears, listing the available software upgrades for the Cisco GSS Software product.


Note When you first access the Content Networking page of the Software Center, you must apply for eligibility for GSS software updates because it is considered a strong encryption image. Under the Cisco Content Networking Cryptographic Software section is the Apply for 3DES Cisco Cryptographic Software Under Export Licensing Controls link. Click this link and complete the Encryption Software Export Distribution Authorization Form. You must complete this step to access and download Global Site Selector software images.


3. Locate the .upg file you wish to download by referring to the Release column for the proper release version of the software.


Note The meta file (*.meta) posted for use with software version 1.0 is not a required file for use with software version 1.1(0).


4. Click the link for the .upg file. The download page appears.

5. Click the Software License Agreement link. A new browser window opens to display the license agreement.

6. After you have read the license agreement, close the browser window displaying the agreement and return to the Software Download page.

7. Click the filename link labeled Download. If prompted, reenter your username and password.

8. Click Save to file and then choose a location on your workstation to temporarily store the .upg upgrade file.

9. Post the .upg file that you downloaded to a designated area on your network that is accessible to all your GSS devices.

You are now ready to upgrade the software on a GSS device. Proceed to the "Upgrading Your GSS Devices" section.

Upgrading Your GSS Devices

You must upgrade your GSS devices in the following sequence: the primary GSSM first, followed by the other GSS devices in your network. After you upgrade the primary GSSM, ensure that the GSS device in your network being upgraded has connectivity to the primary GSSM before you perform the software upgrade procedure.

To perform an upgrade, use the CLI install command. The install command performs a validation check on the upgrade file before proceeding with the installation, then unpacks the upgrade archive and installs the upgraded software. Finally, the install command restarts the affected GSS device.


Note Upgrading your GSS devices causes a temporary loss of service for each affected device.


To upgrade the GSS software (starting with the primary GSSM):

1. Log on to the CLI of the GSS device.

2. Use the ftp or scp command to copy the GSS software upgrade file from the network location to a directory on the GSS. Ensure that you set the transfer type to binary.

For example, to copy an upgrade file named gss.upg from a remote host, your FTP session might look like the following:

gssm1.yourdomain.com> ftp host.yourdomain.com
Connected to host.yourdomain.com.
220 host.yourdomain.com FTP server (Version wu-2.6.1-0.6x.21) ready.
Name (host.yourdomain.com:root): admin
331 Password required for admin.
Password: 
230 User admin logged in. Access restrictions apply.
Remote system type is UNIX.
Using ascii mode to transfer files.
ftp> binary
ftp> get 
(remote-file) gss.upg
(local-file) gss.upg
local: gss.upg remote: gss.upg
200 PORT command successful.
...

3. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

4. Enter the gss stop command to stop your GSS servers. For example:

gssm1.yourdomain.com# gss stop

5. Navigate to the directory containing the node.state file. If you locate the node.state file in the directory, delete it. For example:

gssm1.yourdomain.com# cd /
gssm1.yourdomain.com# del node.state
gssm1.yourdomain.com# cd /home

6. Enter the install command to install the upgrade. For example:

gssm1.yourdomain.com# install gss.upg
Performing software install. This will take a few minutes.
Device will reboot when the install is complete.

7. At the Proceed with install (the device will reboot)? (y/n): prompt, type y to reboot the GSS device. When the GSS reboots, you lose any network CLI connections. Console connections remain active.

8. If you did not previously save changes to the startup-configuration file, the Save current configuration? [y/n]: prompt appears. Type y to continue. The GSS reboots.

9. After the GSS device reboots, log on to the device and enable privileged EXEC mode.

10. Enter the gss status command and verify that the GSS device reaches a Normal Operation state of runmode 4 or 5.

11. Enter the reload command to perform a cold restart of the GSS device.

12. At the Proceed with reload? (y/n): prompt, type y to perform a cold restart.

13. After the GSS device reboots, log on to the device and enable privileged EXEC mode.

14. Enter the gss status command and verify that the GSS device reaches a Normal Operation state of runmode 4 or 5.

15. Log on to the CLI of each GSS device in your network, enable privileged EXEC mode, and repeat this procedure for the remaining GSS devices in your network.

If, during the upgrade procedure, you converted the standby GSSM to a GSS device, proceed to the "Reconfiguring the Original Standby GSSM" section to change the GSS back to the standby GSSM role in the GSS network.

Reconfiguring the Original Standby GSSM

If you temporarily converted your standby GSSM to a GSS and upgraded to software version 1.1(0), refer to the following procedures to reconfigure the device as a standby GSSM:

Logically remove the GSS from the network as described in the "Logically Removing a GSS or Standby GSSM from the Network" section in the Cisco Global Site Selector Configuration Guide.

Configure the GSS as a standby GSSM as described in the "Configuring a Primary GSSM or Standby GSSM" section in the Cisco Global Site Selector Configuration Guide.

Activate the standby GSSM from the primary GSSM as described in the "Activating GSS Devices" section in the Cisco Global Site Selector Configuration Guide.

New Features in Software Version 1.1(0)

The Cisco Global Site Selector software version 1.1(0) provides the following new features and enhancements:

Cisco Standard Graphical User Interface Look and Feel—The look and feel of the primary GSSM graphical user interface has been completely revised to match the Cisco Systems standard for graphical user interface design.

Fast Keepalive Rate—Each type of VIP-answer GSS keepalive can support a Fast or Standard keepalive rate. The Fast keepalive rate can be as fast as four seconds, while the Standard keepalive rate is 40 to 255 seconds. For the Fast keepalive rate, you can adjust the number of retries for the ICMP, TCP, HTTP HEAD, and KAL-AP keepalive types, which adjusts the detection time determined by the GSS. The Fast keepalive rate also allows you to specify the number of consecutive successful keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (PERS request 8139).

TCP Connect Keepalive Method—The GSS now supports the TCP connect keepalive type. The TCP keepalive is used when the GSS answer that you are testing is transmitted to GSLB devices other than a Cisco Content Services Switch (CSS) or Content Switching Module (CSM). GSLB remote devices may include webservers, LocalDirectors, WAP gateways, and other devices that can be checked using a TCP keepalive. The TCP keepalive initiates a TCP connection to the remote device by performing the three-way handshake sequence. The TCP termination connection method can be Graceful (FIN) or Reset (RST). The choice of termination connection method has also been added for HTTP-HEAD keepalives.

DNS Rate Monitoring—Using the show statistics dns CLI command, you can monitor the number of DNS requests over a one-minute, five-minute, 30-minute, or 4-hour time interval.

Configuration Export—Using the show tech-support config CLI command, you can export the output of all configured fields from the primary GSSM GUI to the screen or a file.

Miscellaneous Enhancements—The GSS software version 1.1(0) also includes the following miscellaneous enhancements:

Primary GSSM GUI Saves Sort Method and List Position—The primary GSSM GUI remembers sorting method and list position when you press the Refresh button, or when an item is modified and returns you to the list page (PERS request 8122).

DNS over TCP—The GSS provides basic support for DNS requests that arrive over TCP to port 53.

Ability to Access the GSS CLI Using a Private and Public Key Pair—The GSS supports remote login to the device over an SSH session using private and public key pairs for authentication. With this method of remote connection, you use a generated private/public key pair to participate in a secure communication by encrypting and decrypting messages.

CLI Setup Script—A setup script for the CLI steps you through basic GSS network and device configurations. This setup capability is offered by default for a new GSS device, and can also be run at any time with the setup CLI command.

SSL Certificate Modification Support—The certificate set-attributes command allows you to customize the X.509 fields, extensions, and properties found on the security certificate issued by Cisco Systems for the primary GSSM GUI.

Telnet Client Allows Port Option—The telnet CLI command allows you to change the port number for the Telnet session to a port other than port 23 (the Telnet port) (PERS request 8265).

CLI Commands for Configuring SNMP—The GSS allows you to specify the SNMP community name, the name of the contact person, and the physical location of a GSS device.

GUI Session Inactivity Timeout—A check box on the GUI Configuration details page enables or disables the use of the GUI Session Inactivity Timeout function (PERS request 8117).

For details on the new features and enhancements included in GSS software version 1.1(0), refer to the Cisco Global Site Selector Configuration Guide and Cisco Global Site Selector Command Reference.

Operating Conditions for Software Version 1.1(0)

The following operating conditions exist for software version 1.1(0):

A software version 1.1(0) database backup is not backwards compatible with software version 1.0. However, a software version 1.0 database backup is compatible with software version 1.1(0). Before upgrading to software version 1.1(0), be sure to perform a full database backup and archive your software version 1.0 database.

The GSS supports HTTP-HEAD and TCP keepalives on only a single Ethernet interface. Use the gss-tcp-keepalive CLI command to choose the interface. The default is interface ethernet 0. If the configured IP routing results in HTTP-HEAD or TCP packets being transmitted out the other interface, these packets will not have proper checksums and will fail to reach their destination. This is a known restriction of the current GSS software releases. You can determine if this routing problem exists by entering the show statistics keepalive command and verifying that the keepalives reach the ONLINE status. Make sure the routing in your network is properly set up for the interface configuration and keepalive addresses.

The GSS 1.1(0) software release supports several important new keepalive features, as described in the "New Features in Software Version 1.1(0)" section. Due to the nature and the variety of applications, as well as the software and hardware platforms on which they run, not all of the keepalive methods may be appropriate for all applications and platforms. It is important that you understand the specific device health detection requirements and choose the most appropriate keepalive for each situation. For example, certain older versions of the Linux operating system running the internet superserver application (inetd) prevent a large number of Telnet connections during a short period of time. If you configure the GSS with default Fast TCP keepalive timing to the Telnet port, the Fast keepalive timing could cause inetd to shut down the port for a period of time. If one keepalive method does not work, try other settings and methods to find the appropriate combinations for your application.

Open Caveats for Software Version 1.1(0)

This section lists the open caveats for Cisco Global Site Selector Version 1.1(0).

CSCec01715—When creating a VIP-type answer for a TCP or HTTP-HEAD keepalive in the Creating New Answer details page of the primary GSSM GUI, configuration issues may occur when you perform the following sequence:

a. Deselect the VIP Address check box.

b. Choose a Shared Keepalive from the drop-down list.

In this instance, the GSS still allows you to specify entries in the Port Number, Connection Termination Method, and the Host Tag and Path fields (for HTTP HEAD keepalive only), which are ignored by the GSS. This behavior occurs with Netscape Navigator 4.78, but is not reproducible with Microsoft Internet Explorer.

CSCec10915—The exec-timeout CLI command does not log you out of the GSS, but takes you from privileged EXEC mode to user EXEC mode. The exec-timeout command should log you out of the GSS to prevent another user from gaining access to the available GSS CLI session. This is especially important for a dial-up modem connected to the console port on the Cisco GSS 4490. If you get disconnected from the GSS 4490 console while connected to the device over a dial-up modem, another user could then connect to the GSS 4490 without having to log in to the device.

CSCeb24053—Attempting to log in to the GSS by Telnet, SSH, or FTP may take several minutes if an associated nameserver is unreachable. The GSS requires a functioning nameserver to function properly. If the nameserver is not configured using ip name-server commands or the configured nameservers are not reachable for any reason (down, network loss, firewall issues), the GSS is unable to perform DNS resolutions when users log in. When this problem occurs, the timeout may take several minutes to occur.

Workaround: There is no workaround; the GSS requires a functioning nameserver. To avoid problems, always configure more than one nameserver. For example:

gss.yourdomain.com(config)#ip name-server 192.168.1.1 
gss.yourdomain.com(config)#ip name-server 192.168.2.2 
gss.yourdomain.com(config)#ip name-server 192.168.3.3 

If the GSS has access lists configured, this problem may also occur. The workaround is to create access lists to allow the DNS responses from a nameserver. This can be done through the access-list command. For example:

gss.yourdomain.com(config)#access-list <name> permit udp any eq 53 

Another workaround is to only allow DNS response packets received from your configured nameservers. For example:

gss.yourdomain.com(config)#access-list <name> permit udp 192.168.1.1 255.255.255.255 eq 53
gss.yourdomain.com(config)#access-list <name> permit udp 192.168.1.2 255.255.255.255 eq 53
gss.yourdomain.com(config)#access-list <name> permit udp 192.168.1.3 255.255.255.255 eq 53
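
Added example (not part of Cisco's release note): a Python check, run on a workstation against saved configuration lines, that compares the ip name-server entries with the port-53 access-list permits in the syntax shown in the workaround above. The access-list name dns-in, the function names, and the sample (constructed by combining the address values from the examples above) are assumptions, and the mask is read as a netmask, as the 255.255.255.255 host entries suggest.

```python
import ipaddress
import re

# Constructed sample: the name-server and access-list values from the examples
# above, combined into one configuration. "dns-in" is a placeholder ACL name.
SAMPLE_CONFIG = """\
gss.yourdomain.com(config)#ip name-server 192.168.1.1
gss.yourdomain.com(config)#ip name-server 192.168.2.2
gss.yourdomain.com(config)#ip name-server 192.168.3.3
gss.yourdomain.com(config)#access-list dns-in permit udp 192.168.1.1 255.255.255.255 eq 53
gss.yourdomain.com(config)#access-list dns-in permit udp 192.168.1.2 255.255.255.255 eq 53
gss.yourdomain.com(config)#access-list dns-in permit udp 192.168.1.3 255.255.255.255 eq 53
"""

NAMESERVER_RE = re.compile(r"^ip name-server\s+(\S+)\s*$")
# Only the two forms shown in the release note are recognised:
#   permit udp any eq 53
#   permit udp <address> <mask> eq 53
ACL_DNS_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+udp\s+"
    r"(?P<src>any|\S+\s+\S+)\s+eq\s+53\s*$"
)


def strip_prompt(line):
    """Remove a leading 'host(config)#' prompt from a pasted session line."""
    return re.sub(r"^\S*\(config\)#\s*", "", line.strip())


def parse(config_text):
    """Return (nameservers, dns_permits, has_acl) from configuration text."""
    nameservers, permits, has_acl = [], [], False
    for raw in config_text.splitlines():
        line = strip_prompt(raw)
        if line.startswith("access-list "):
            has_acl = True
        m = NAMESERVER_RE.match(line)
        if m:
            nameservers.append(ipaddress.ip_address(m.group(1)))
            continue
        m = ACL_DNS_RE.match(line)
        if m:
            src = m.group("src")
            if src == "any":
                permits.append((m.group("name"), None))  # None means "any"
            else:
                addr, mask = src.split()
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                permits.append((m.group("name"), net))
    return nameservers, permits, has_acl


def audit(config_text):
    """List findings related to the CSCeb24053 login-delay conditions."""
    nameservers, permits, has_acl = parse(config_text)
    findings = []

    # The release note advises configuring more than one nameserver.
    if len(nameservers) < 2:
        findings.append(
            f"only {len(nameservers)} name-server configured; configure more than one"
        )

    # The broad workaround permits UDP source port 53 from any address.
    for name, src in permits:
        if src is None:
            findings.append(
                f"access-list {name}: 'permit udp any eq 53' is not limited "
                "to the configured name-servers"
            )

    # With access lists present, every nameserver needs a matching permit,
    # otherwise its responses are dropped and logins wait for the DNS timeout.
    if has_acl:
        for ns in nameservers:
            if not any(src is None or ns in src for _, src in permits):
                findings.append(f"name-server {ns} has no matching port-53 permit")

    # A permit that matches no nameserver is stale or mistyped.
    for name, src in permits:
        if src is not None and not any(ns in src for ns in nameservers):
            findings.append(
                f"access-list {name}: permit for {src} matches no configured name-server"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
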

CSCec34850—On rare occasions, the FTP client on the GSS software may perform a core dump to the GSS /home directory and terminate the FTP process. This behavior has no impact on GSS performance or on subsequent FTP attempts.

CSCec45409—The RSA libraries in the GSS are potentially vulnerable to an SSL exploit. It is unknown whether the RSA BSAFE SSL-J libraries are exploitable.

CSCec46317—Attempting to enable a standby GSSM or GSS devices on the network immediately after enabling the primary GSSM may result in the primary GSSM failing to register the other GSS devices. Symptoms of this problem include: the standby GSSM or GSS devices not appearing in the primary GSSM GUI Global Site Selectors list page (Resources tab) and errors reported in the log files of the standby GSSM or GSS device. If this problem occurs, enter the gss disable and gss enable commands on the other GSS devices.

Workaround: Perform the following sequence to enable the primary GSSM and the other GSS devices and properly register those devices with the primary GSSM:

a. Enable the primary GSSM using the gss enable gssm-primary command.

b. Repeatedly enter the gss status command and observe when the primary GSSM reaches the Normal Operation [runmode = 5] state, then wait an additional minute. The primary GSSM is now ready to properly register the other GSS devices within the network.

c. Register the other GSSs in the network with the primary GSSM using the gss enable gssm-standby primary_GSSM_IP_address or gss enable gss primary_GSSM_IP_address commands.

CSCec46406—Restoring the database backup file from one primary GSSM to another primary GSSM can cause the latter primary GSSM to malfunction if you incorrectly answer certain restore questions. When moving a primary GSSM backup file from one primary GSSM to a different primary GSSM, even in a different GSS network configuration, it is important to properly answer the following network restore question: Do you want to replace your current GSS network configuration with the one specified in the backup file? (y/n):

Answer y (yes) at the prompt if you intend for the new primary GSSM to completely replace the primary GSSM on which the backup was created.

Answer n (no) at the prompt if the backup is being copied onto a different primary GSSM in a different GSS network configuration.

Incorrectly answering y (yes) for the wrong GSS configuration may result in improper behavior of the other GSSs in the network after you enter the gss enable command to register those devices with the new primary GSSM. As a general rule, if you only intend to copy elements such as DNS rules, keepalives, answers, and answer groups from the primary GSSM backup file, and not the GSS network relationships, always answer n to the database network restore question.

CSCeb46763—When you make an Ethernet interface configuration change to either the bandwidth speed or duplex operation of one of the two Ethernet interfaces (0 or 1) on a Cisco GSS 4490, both interfaces are temporarily brought offline and then back online. This behavior occurs because the two Ethernet interfaces on the Cisco GSS 4490 are not independent of one another when configuring the link bandwidth speed or a duplex operation. The temporary offline state does not interfere with the GSS 4490 servicing DNS requests because interface commands cannot be executed while the GSS is running. You must issue the gss stop command before executing the interface command.


Note The Cisco GSS 4480 does not exhibit this behavior.


CSCec46971—In rare instances, when you use the DNS Rule Wizard to create a DNS rule and click Finish to create the DNS rule, the following message appears in the right pane of the wizard: java.lang.NullPointerException. When this message appears, the GSS does not create the DNS rule. This is a spurious defect and has no impact on GSS performance. Workaround: From the primary GSSM GUI, click the DNS Rules tab, the DNS Rules navigation link, and then click the DNS Rule Wizard icon. Recreate the DNS rule using the DNS Rule Wizard.

CSCdx58395—Content and Application Peering Protocol (CAPP) may not recognize dropped fragments when a KAL-AP keepalive spans multiple packets. When the KAL-AP keepalive spans multiple datagrams due to large payloads, if one of the spanned packets is dropped, the GSS does not "retry" the request. This results in the dropped datagram not getting updated load values on the VIPs that are expecting them. Instead, the GSS waits until the next period and sends the packets again. This behavior only occurs in situations where the GSS consumes the full datagram (roughly 1.4K) with tag names or VIPs. Otherwise, all data fits in one single datagram. Workaround: Use the KAL-AP by VIP format if there is a need to query the load on hundreds of VIPs configured to a single primary or secondary IP address. Alternately, use the KAL-AP by Tag format, but limit the length of Tag Names so that the packets do not exceed 1.4K.

CSCdx59427—Displays that show CRA RTT should also show a one-way delay. Round Trip Time values are displayed for the CRAs (Content Router Agents) in the show stat kale cra list and show stat kale cra commands, and on the primary GSSM GUI Answer Keepalive Statistics list page. To be consistent with other Cisco products, such as the CR 4430B, these should show the one-way delay values. The one-way delay value is simply RTT/2.

CSCeb67314—The GSS does not allow you to assign the same pre-existing access list to the two Ethernet interfaces. If you attempt to use the access-group CLI command to assign the same access list to Ethernet 0 and Ethernet 1, the following error message appears: %access-list list1 is already assigned to interface eth1. To resolve this issue, generate an identical access list for the second Ethernet interface.

CSCec79027—A GSS 4490 device failure occurs the first time you enter the gss disable CLI command to disable the selected device and then enter the gss enable CLI command to reenable it. This behavior occurs once, and only on the GSS 4490 hardware.


Note The Cisco GSS 4480 does not exhibit this behavior.


The following example illustrates the CLI output when this specific problem occurs:

# gss enable gssm primary      !GSS 4490 functions normally, database is created 
# gss stop 
# gss disable 
# gss enable gssm primary 
Note: GSSM database is required only on the primary GSSM and the standby GSSM.
Creating database. This may take a few minutes...
Deploying certificates for interbox communications.
EXT2-fs error (device ide0(3,12)): ext2_add_entry: bad entry in
directory #2: rec_len is smaller than minimal - offset=0, inode=0,
rec_len=0, name_len=0
EXT2-fs error (device ide0(3,12)): ext2_add_entry: bad entry in
directory #2: rec_len is smaller than minimal - offset=0, inode=0,
rec_len=0, name_len=0
% Error creating the database
#

Workaround: Enter the reload CLI command to halt and perform a cold restart on your GSS device. During the boot sequence, the "fsck" utility corrects this problem on the GSS 4490 and the problem will not occur again.

CSCdx82760—When receiving a high volume of logging activity (for example from applications in debug mode), the GSS lags behind the message activity. The timestamp on logged messages is delayed and logging continues after messages have ceased.

CSCeb82870—The GSS may fail to service DNS requests after restoring the database on a primary GSSM. Workaround: Entering the gss stop and gss start CLI commands on the GSS device may restore DNS service. If the problem continues, reboot the GSS device.

CSCec88216—After you upgrade the GSS software from 1.0 to 1.1(0) by following the upgrade procedure outlined in the previous version of the v 1.1(0) Cisco Global Site Selector Configuration Guide (dated October 21, 2003), the DNS server on the GSS enters an invalid state. In this instance, the DNS server may send out 0.0.0.0 answers or other wrong answers. Certain applications included in GSS software version 1.1(0) reference a version 1.0 configuration file (the node.state file) that is not upgraded properly for use with software version 1.1(0).

Workaround: If your GSS exhibits this condition, perform the following actions to resolve the issue:

a. Ensure that your primary GSSM is upgraded to software version 1.1(0) and that all GSS devices in your network have connectivity to the primary GSSM.

b. Log on to the CLI of each GSS device that has been upgraded to software version 1.1(0). Enable privileged EXEC mode at each device.

c. At the CLI of the primary GSSM, enter the reload command to perform a cold restart of the device. Repeat this procedure for the remaining GSS devices in your network that have been upgraded to software version 1.1(0).

Resolved Caveats for Software Version 1.1(0)

This section lists the resolved caveats for Cisco Global Site Selector Version 1.1(0).

CSCdy25566—The procedure for enabling a GSS may fail if the device was previously configured as a GSSM.

CSCec27618—After installing GSS v 1.1 software, the primary and standby GSSMs may not be fully operational. For example, the standby GSSM operates as if it is a primary GSSM, and the primary GSSM may not properly reflect the status of itself or the failing standby GSSM.

CSCdy28039—Certain combinations of the HTTP Path and Host Tags that are greater than 170 characters can cause HTTP HEAD requests to fail to come online correctly. An HTTP HEAD request is a combination of HTTP Path and Host Tag strings as follows:

HEAD /index.html HTTP/1.0\r\nHost: www.cisco.com\r\n\r\n

An HTTP HEAD Path can safely be set to a length of 170 characters. A Host Tag string maximum length should be 128 characters, but 127 is the highest value the GSS accepts. The combined length of the HTTP HEAD Path and the Host Tag should not exceed 170 characters.

CSCdy29537—The domain query string has no maximum length in the primary GSSM GUI. The GUI accepts domain query strings (either global or per answer) that can cause the Global Site Selector to become unstable.

CSCdy29555—The keepalive subsystem cannot configure a DNS keepalive correctly for a DNS query that exceeds 100 characters. The subsystem generates an error log entry when this event occurs.

CSCec32245—New vulnerabilities in the OpenSSH implementation for SSH servers have been announced. An affected network device, running an SSH server based on the OpenSSH implementation, may be vulnerable to a Denial of Service (DoS) attack when an exploit script is repeatedly executed against the same device.

CSCec45380—New vulnerabilities in the OpenSSL implementation for SSL have been announced. An affected network device, running an SSL server based on the OpenSSL implementation, may be vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client. The network device is vulnerable even if it is configured not to authenticate certificates from the client.

CSCeb49788—The GSS software does not provide user-accessible CLI commands to configure the SNMP community string, contact, and location properties.

CSCdx54156—When you operate the primary GSSM GUI from Netscape Navigator, the GUI may not require you to select an answer type before configuring the answer. As a result, you have to re-enter answer information to complete the operation. The GSSM GUI prompts you to re-enter missing fields if the answer type is not selected when you click Submit.

CSCeb62408—If the clock is set back on a GSS device, configured keepalives may stop working until the GSS is restarted, rebooted, or until the clock catches up with the original time.

CSCdx64544—Web clients issue a security warning while you are logged in to an active primary GSSM GUI session. SSL certificates contain the hostname of the GSSM at the time the device is enabled, but are not updated if the hostname subsequently changes. As a result, Web clients issue a warning to the GSSM user during login.

CSCdx68188—The Load field may be missing from the output for the show statistics keepalive kalap list command display.

When issuing the show statistics keepalive kalap list CLI command, a list of all VIPs (virtual internet protocol addresses) is displayed with their load values in parentheses. However, if a load value is not yet known (or has the value of zero), the load will not be displayed. The VIP displays 'no load' because it may not have been obtained or the remote host is not sending a value between 2 and 254.

CSCdx72509—Outbound FTP connections can hang the GSS CLI session. When using FTP to connect the GSS to a site that only accepts passive FTP, the GSS CLI becomes suspended. The CTRL-C key combination does not break the connection.

CSCdx91076—Keepalives are in an incorrect state (INIT, OFFLINE) or show many transitions. The primary GSSM GUI should enforce a limit of 500 unique keepalives each for the ICMP and HTTP-HEAD keepalive types. It does not currently do this. Configuring more than 500 HTTP-HEAD or 500 ICMP keepalives causes the keepalive subsystem to operate incorrectly and adversely affects the behavior of other subsystems.
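
The length and count limits named in CSCdy28039, CSCdy29555 and CSCdx91076 can be checked against a planned keepalive set before it is entered in the primary GSSM GUI. The following Python check is an added example, not Cisco code; the dict layout, the field names and the "ns" label for a DNS keepalive are assumptions, and the sample data is constructed.

```python
from collections import Counter

# Limits as stated in the caveats on this page.
MAX_HEAD_COMBINED = 170  # CSCdy28039: HTTP HEAD Path + Host Tag, combined
MAX_HOST_TAG = 127       # CSCdy28039: highest Host Tag length the GSS accepts
MAX_DNS_QUERY = 100      # CSCdy29555: DNS keepalive query length
MAX_PER_TYPE = 500       # CSCdx91076: unique ICMP / HTTP-HEAD keepalives


def audit_keepalives(keepalives):
    """Return (caveat_id, target_ip, message) findings for a planned keepalive set.

    Each keepalive is a dict; the field names and the "ns" label for a DNS
    keepalive are assumptions of this example, not a GSS export format.
    """
    findings = []
    # Count unique keepalives per type; repeats of one definition count once.
    unique = {(k["type"], k["ip"], k.get("path", ""), k.get("host_tag", ""))
              for k in keepalives}
    per_type = Counter(key[0] for key in unique)
    for ka_type in ("icmp", "http-head"):
        if per_type[ka_type] > MAX_PER_TYPE:
            findings.append(("CSCdx91076", "*",
                             f"{per_type[ka_type]} unique {ka_type} keepalives, limit {MAX_PER_TYPE}"))
    for k in keepalives:
        path, tag = k.get("path", ""), k.get("host_tag", "")
        if k["type"] == "http-head":
            if len(tag) > MAX_HOST_TAG:
                findings.append(("CSCdy28039", k["ip"],
                                 f"Host Tag is {len(tag)} characters, limit {MAX_HOST_TAG}"))
            if len(path) + len(tag) > MAX_HEAD_COMBINED:
                findings.append(("CSCdy28039", k["ip"],
                                 f"Path + Host Tag is {len(path) + len(tag)} characters, limit {MAX_HEAD_COMBINED}"))
        elif k["type"] == "ns" and len(k.get("query", "")) > MAX_DNS_QUERY:
            findings.append(("CSCdy29555", k["ip"],
                             f"DNS query is {len(k['query'])} characters, limit {MAX_DNS_QUERY}"))
    return findings


def sample_keepalives():
    """Constructed input: 501 ICMP targets plus HTTP-HEAD and DNS edge cases."""
    sample = [{"type": "icmp", "ip": f"10.0.{i // 250}.{i % 250 + 1}"} for i in range(501)]
    sample += [
        {"type": "http-head", "ip": "192.0.2.10", "path": "/" + "a" * 159, "host_tag": "www.example.com"},
        {"type": "http-head", "ip": "192.0.2.11", "path": "/index.html", "host_tag": "h" * 128},
        {"type": "ns", "ip": "192.0.2.53", "query": "x" * 101},
        {"type": "http-head", "ip": "192.0.2.12", "path": "/index.html", "host_tag": "www.cisco.com"},
    ]
    return sample


if __name__ == "__main__":
    for caveat, ip, message in audit_keepalives(sample_keepalives()):
        print(caveat, ip, message)
```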

CLI Command Changes in Software Version 1.1(0)

Table 1 lists the commands and options that have been added or modified in GSS software version 1.1(0). For detailed information about the CLI commands in GSS software version 1.1(0), refer to the Cisco Global Site Selector Command Reference.

Table 1 CLI Commands Added or Modified in Version 1.1(0) 

Command and Syntax
Description

certificate set-attributes

no certificate set-attributes

The new certificate set-attributes command allows you to customize the X.509 fields, extensions, and properties found on the security certificate issued by Cisco Systems. The attribute changes that you make affect the fields on the Details tab of the certificate.

clear statistics {boomerang | dns | keepalive {all | cra | http-head | icmp | kalap | ns | tcp}}

The tcp option for the clear statistics command allows you to reset statistics for the new TCP-type keepalive maintained by the GSS.

duplex {auto | full | half}

The duplex command replaces the fullduplex and halfduplex commands to configure an interface for duplex operation.

gss {disable | enable {gssm-primary | gssm-standby {gssm_hostname | gssm_IP_address} | gss {gssm_hostname | gssm_IP_address}} | restart | start | status [verbose] | stop | tech-report filename}

The disable option for the gss command disables the selected device (GSSM or GSS) and removes an existing configuration, including deleting the GSSM database from the GSS device. This option replaces the gssm database {create | delete} options. The disable option returns the GSS device to the initial, unenabled state. Disabling a GSS device is only necessary when you want to switch the role of a GSS within a network (for example, change a GSS to a GSSM or if you need to move a GSS or GSSM to a different network of GSS devices).

interface ethernet {0 | 1} {autosense | duplex {auto | full | half} | ip address {ip-address netmask} | no | gss-communications | gss-tcp-keepalives | shutdown | speed {mbits | auto}}

The duplex option replaces the fullduplex and halfduplex options to configure an interface for duplex operation.

The speed option replaces the bandwidth option to set the bandwidth on Fast Ethernet interfaces only.

reset-gui-admin-password [password text]

The new reset-gui-admin-password command enables you to restore the default administration password used to log in to the primary GSSM GUI, or to change the administration password.

rotate-logs [delete-rotated-logs]

The delete-rotated-logs option for the rotate-logs command instructs the GSS device to save archive copies of all existing log files in the $STATE directory and subdirectories and replace them with current log files. The GSS does not delete active logs.

setup

The new setup command initiates a special setup script to guide you through the basic process of configuring the GSS. Use this command when the GSS boots without a startup-configuration file.

show disk

The new show disk command displays information about the GSS hard disk, including the available user space on the disk and the size of the database.

show statistics {boomerang {domain domain_name | global} | dns {answer {list | answer_name} | answer-group {list | group_name [verbose]} | domain {list | domain_name} | domain-list {list | domain_list_name [verbose]} | global | rule {list | rule_name} | source-address {list | sa_name} | source-address-list {list | sa_list_name [verbose]}} | keepalive {cra {ip_address | all | list} | global | http-head {ip_address | all | list} | icmp {ip_address | all | list} | kalap {ip_address | all | list} | ns {ip_address | all | list} | tcp {ip_address | all | list}}}

There were a number of option changes to the show statistics command, including:

The addition of the dns {answer {list | answer_name}} options

The renaming of the domain-group option (from GSS version 1.0) to domain-list

The addition of the source-address {list | sa_name} options

The renaming of the source-address-group option (from GSS version 1.0) to source-address-list

The addition of the tcp option to the keepalive options

With GSS software version 1.1(0), you can now individually monitor the GSS answer, host domain, source-address, and source-address-group statistics over a one minute, five minute, 30 minute or 4 hour time interval.

show tech-support {config | core}

The config option for the show tech-support command exports the output of all configured fields from the primary GSSM GUI (intended for use by a Cisco technical support representative).

The core option displays a listing of all core files that may be useful to the Cisco Technical Assistance Center.

show version [verbose]

The verbose option for the show version command allows you to view detailed GSS software version information.

In addition, the show version command output now displays three digits for builds posted to CCO, such as 1.1(0). GSS Maintenance release builds will be in parentheses, such as 1.1(1).

snmp {community-string | contact | enable | location}

The community string, contact, and location options to the snmp command allow you to specify the following SNMP parameters:

community string—Specifies the SNMP community name for a GSS device.

contact—Specifies the name of the contact person for a GSS device.

location—Specifies the physical location of a GSS device.

speed

The speed command replaces the bandwidth command to set the bandwidth on Fast Ethernet interfaces only.

telnet [enable] [hostname | ip-address] [port_number]

The port_number variable for the telnet command allows you to change the port number for the Telnet session to a port other than 23 (the Telnet port).


Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html