Cisco ACE GSS 4400 Series Global Site Selector Appliances

Table Of Contents

Release Note for the Cisco Global Site Selector, Release 1.2(2)

Contents

Cisco-Supported Hardware and Software Compatibility

Before Upgrading to Version 1.2(2)

Expansion of the GSSM and GSS Recovery Procedures

Additional Information for Building and Modifying DNS Rules

Additional Information for Configuring DNS Sticky

Software Behavioral Differences

Changes to the Primary GSSM GUI Login and Logout Process

Changes to the Termination Method Options

Changes to the Sticky and Proximity Database Dump Process

Additions to the proximity database delete CLI Command

Additions to the show proximity database CLI Command

Changes to the GSSM Restore Warning Message

Changes to the show tech-support core-files Command

Addition of the logging facility CLI Command

Addition of the ftp-client enable CLI Command

GSS Syslog Messages and CiscoWorks RME Syslog Analyzer Compliancy

show proximity and show sticky CLI Commands in gslb Mode

DNS Server Not Ready Indicator Added to gss status Command Output

Changes to Host Naming Conventions for a GSS

Sticky and Proximity XML Schema Files

Operating Conditions for Software Version 1.2(2)

Software Version 1.2(2) Open Caveats, Resolved Caveats, and Command Changes

Open Caveats for Software Version 1.2(2)

Resolved Caveats for Software Version 1.2(2)

CLI Command Changes in Software Version 1.2(2)

Obtaining Documentation, Obtaining Support, and Security Guidelines

Release Note for the Cisco Global Site Selector, Release 1.2(2)

---

August 25, 2006

---

Note The most current Cisco GSS documentation for released products is available on Cisco.com.

---

Contents

This release note applies to software version 1.2(2) for the Cisco Global Site Selector (GSS). It contains the following sections:

•Cisco-Supported Hardware and Software Compatibility

•Before Upgrading to Version 1.2(2)

•Expansion of the GSSM and GSS Recovery Procedures

•Additional Information for Building and Modifying DNS Rules

•Additional Information for Configuring DNS Sticky

•Additional Information for Building and Modifying DNS Rules

•Operating Conditions for Software Version 1.2(2)

•Software Version 1.2(2) Open Caveats, Resolved Caveats, and Command Changes

•Obtaining Documentation, Obtaining Support, and Security Guidelines

Cisco-Supported Hardware and Software Compatibility

The GSS software version 1.2(2) operates with the following Cisco hardware:

•GSS 4491, GSS 4490, and GSS 4480, configured in software as the primary GSSM, the standby GSSM, or as a GSS device

•Cisco Content Services Switch running the following WebNS software releases:

Cisco CSS Platform	Recommended WebNS Versions	Minimum Supported WebNS Versions
Cisco 11500 Series CSS	Software releases: •7.40.0.04 or greater •7.30.2.03 or greater	Software releases: •7.20.1.04 •7.10.3.05
Cisco 11000 Series CSS	Software releases: •6.10.4.05 or greater •5.00.6.05 or greater	Software releases: •6.10.1.07 •5.00.3.09

•Cisco Catalyst 6500 Content Switching Module (CSM) running the following software releases:

Platform	Recommended CSM Versions1	Minimum Supported CSM Versions
Cisco Catalyst 6500 Content Switching Module (CSM)	Software releases: •3.1(10) or greater •3.2(1) •4.1(4) or greater •4.2(1) or greater	Software releases: •3.1(4) •3.2(1) •4.1(4) •4.2(1)

1 CSM software versions 3.2(2), 3.2(3) and 4.1(2) are not supported by the GSS when using the KAL-AP by tag keepalive method.

The GSS software version 1.2(2) network proximity and TACACS+ server features operate with the following Cisco software releases:

•For network proximity, use a Cisco IOS-based router that supports Director Response Protocol (DRP) as the probing device in each proximity zone. DRP is supported in the following Cisco IOS release trains: 12.1, 12.1E, 12.2T, 12.2, 12.3, and later releases. ICMP probing is only supported in Cisco IOS releases 12.2T, 12.3, and later releases.

The GSS operates with Cisco IOS-based routers using the following DRP RTT probing methods: TCP ("DRP Server Agent") and ICMP ("ICMP ECHO-based RTT probing by DRP agents"). "DRP Server Agent" and "ICMP ECHO-based RTT probing by DRP agents" are the Cisco IOS feature names as shown in the Cisco Feature Navigator. The Cisco Feature Navigator is located on Cisco.com at:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

•For TACACS+ server authentication, authorization, and accounting (AAA) services, use Cisco Secure Access Control Server (ACS) version 3.2 or greater.

Before Upgrading to Version 1.2(2)

You can directly upgrade to GSS software version 1.2(2) from the GSS version 1.2(1), 1.1, and 1.0 software releases.

---

Note Before you upgrade from GSS software version 1.1(x.x.x) to either software version 1.2(1.1.2) or 1.2(2.0.3), in addition to following the steps outlined below, please verify if you are subject to defect CSCeh87172 as described in the "Software Version 1.2(2) Open Caveats, Resolved Caveats, and Command Changes" section.

---

Before you upgrade your GSS software, be sure that you:

•Perform a full backup of your primary GSSM database as described:

–For software version 1.2, refer to Chapter 7, Backing Up and Restoring the GSSM, the "Backing Up the Primary GSSM" section in the Cisco Global Site Selector Administration Guide. This chapter is located on Cisco.com at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/products_configuration_guide_book09186a008031d76a.html

–For software version 1.1, refer to Chapter 9, GSS Administration and Troubleshooting, the "Backing Up the GSSM" section in the Cisco Global Site Selector Configuration Guide. This chapter is located on Cisco.com at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/products_configuration_guide_book09186a00801cc5be.html

–For software version 1.0, refer to Chapter 3, GSS Administration and Troubleshooting, the "Backing Up the GSSM" section in the Cisco Global Site Selector Configuration Guide. This chapter is located on Cisco.com at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/products_configuration_guide_book09186a00801abde7.html

•Review the software version 1.2(1) software upgrade sequence as described in the Cisco Global Site Selector Administration Guide, Appendix A, Upgrading the GSS Software. This chapter is located on Cisco.com at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/products_configuration_guide_book09186a008031d76a.html

If you are currently running GSS software version 1.0 on your GSS 4480 and you want to have the opportunity to downgrade back to version 1.0, you must first upgrade to software version 1.1 before loading software version 1.2. Downgrading directly from software version 1.2 to version 1.0 is not supported at this time.

Expansion of the GSSM and GSS Recovery Procedures

In the Cisco Global Site Selector Administration Guide, a new section has been added to Chapter 2, Managing the GSS from the CLI, to describe the process that you can perform when you encounter problems with one of the GSS devices in your GSS network. The new "Replacing GSS Devices in Your GSS Network" section aids you in determining which GSS device exhibits the problem (primary GSSM, standby GSSM, or GSS) and the steps you can take to configure a replacement GSS device for use in your network.

You can locate the "Replacing GSS Devices in Your GSS Network" section on Cisco.com at the following URL:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/products_configuration_guide_chapter09186a0080328f0a.html#wp1027087

Additional Information for Building and Modifying DNS Rules

This information augments the information provided in Chapter 7, Building and Modifying DNS Rules in the Cisco Global Site Selector Global Server Load Balancing Configuration Guide.

The balance clauses that you configure in a DNS rule are evaluated in order, with parameters established to determine when a clause should be skipped and the next clause is to be used. A balance clause is skipped when any one of the following conditions exits:

•A least-loaded balance method is selected and the load threshold for all online answers is exceeded.

•The VIP answers in the specified VIP answer group are offline.

•Proximity is enabled for a VIP-type answer group and the DRP agents do not return any RTT values that meet the value set for acceptable-rtt.

•All answers in a CRA- or NS-type answer group are offline and keepalives are enabled to monitor the answers.

Additional Information for Configuring DNS Sticky

This information augments the information provided in Chapter 8, Configuring DNS Sticky in the Cisco Global Site Selector Global Server Load Balancing Configuration Guide.

•You can configure sticky only in a DNS rule that uses a VIP-type answer group.

•Sticky is active for a DNS rule only when the following conditions exist:

–Sticky is enabled for either global or local use. In the GUI, select Global or Local for the State option in the Global Sticky Configuration details page; in the CLI, enter the enable global or enable local command.

–A sticky method option (domain or domain list) is selected. In the GUI, use the DNS Rule Builder and select By Domain or By Domain List for the Select Sticky Method option in the Create New DNS Rule window; in the CLI, enter the sticky method domain or sticky method domain list command.

–Sticky is enabled within a balance clause for the DNS rule. In the GUI, use the DNS Rule Builder and click the Sticky Enable checkbox; in the CLI, enter the sticky enable command.

Software Behavioral Differences

The following sections describe the software behavioral differences that apply to software version 1.2(2):

•Changes to the Primary GSSM GUI Login and Logout Process

•Changes to the Termination Method Options

•Changes to the Sticky and Proximity Database Dump Process

•Additions to the proximity database delete CLI Command

•Additions to the show proximity database CLI Command

•Changes to the GSSM Restore Warning Message

•Changes to the show tech-support core-files Command

•Addition of the logging facility CLI Command

•Addition of the ftp-client enable CLI Command

•GSS Syslog Messages and CiscoWorks RME Syslog Analyzer Compliancy

•show proximity and show sticky CLI Commands in gslb Mode

•DNS Server Not Ready Indicator Added to gss status Command Output

•Changes to Host Naming Conventions for a GSS

•Sticky and Proximity XML Schema Files

Changes to the Primary GSSM GUI Login and Logout Process

The primary GSSM GUI now prompts you for your username and password in a new Primary GSSM GUI Login window (Figure 1) as part of the primary GSSM GUI login process. Enter your username and password in the fields provided on the primary GSSM GUI and click Login. The Primary GSSM Welcome window appears (Figure 2).

With the GSS version software 1.2(2) release, the primary GSSM performs login authentication; you no longer enter your username and password in the client browser's pop-up box to access the GUI. The primary GSSM GUI directly uses the SSL session to maintain the session and user state. Users are authenticated only once during login, similar to when you perform remote access to the GSS CLI using the Secure Shell (SSH), Telnet, or FTP protocols.

To log out of a primary GSSM GUI session, click Logout at the upper right of the window. The browser confirms that you want to log out of the primary GSSM GUI session. Click OK to confirm the logout (or Cancel). When you click OK, the primary GSSM logs you out of the session and redisplays the Primary GSSM GUI Login window (see Figure 1).

Figure 1 Primary GSSM GUI Login Window

Figure 2 Primary GSSM Welcome Window

Changes to the Termination Method Options

In the primary GSSM GUI, the Default option for the connection termination method on both the Shared Keepalive details page (Figure 3, shown for a TCP keepalive) and the VIP Answer details page (Figure 4, shown for a TCP keepalive) has been renamed to Global. The function of the Global option has not changed; this option still instructs the primary GSSM to use the keepalive connection method defined on the Configure Global KeepAlive Properties details page.

Figure 3 Creating New Shared Keepalive Details Page—TCP Keepalive

Figure 4 Answer Details Page—TCP KeepAlive VIP Answer

In addition, the Termination Method column has been added to the Shared Keepalives list page (Figure 5) to inform you of the connection termination method specified for each shared keepalive.

Figure 5 Shared Keepalives List Page

Changes to the Sticky and Proximity Database Dump Process

When you enter the sticky database dump format xml and proximity database dump format xml commands, the GSS now waits to complete dumping the sticky database entries or proximity database entries in XML format before displaying the CLI prompt. A message appears upon the successful completion of a sticky or a proximity database dump. In addition, if the XML database dump is large, the GSS displays progress messages to indicate how many entries have been dumped at that point in the process.

For example, when you enter the sticky database dump format xml command at the CLI, the following progress message appears:

gssm1.example.com#sticky database dump stest.xml format xml

Starting Sticky Database dump. 

As the database dump progresses, additional messages appear:

gssm1.example.com#sticky database dump stest.xml format xml

Sticky Database dump is in progress...

Sticky Database has dumped 12345 of 345123 entries...

Upon completion of the XML database dump, a final message appears:

gssm1.example.com#sticky database dump stest.xml format xml

Sticky Database dump completed. The number of dumped entries: 182346.

gssm1.example.com#

The GSS prevents you from overwriting an existing sticky database or proximity database dump output file. If you attempt to overwrite an existing file with the same filename, the GSS displays the following message: Sticky Database dump failed, a file with that name already exists.

Additions to the proximity database delete CLI Command

The proximity database delete command has a series of additional options to provide more control over the entries you can delete from the proximity database. You may now delete proximity database entries based on a specific criteria. The proximity database delete command, however, does not delete proximity database entries saved as part of an automatic dump to a backup file on disk. To ensure that you successfully remove all or the selected proximity database entries from both GSS memory and disk, enter the specific proximity database delete command followed by the proximity database periodic-backup now command to force an immediate backup of the empty proximity database residing in GSS memory.

The syntax for this command is:

proximity database delete {all | assigned | group {name} | inactive minutes | ip {ip_address} netmask {netmask} | no-rtt | probed}

The options and variables are:

•all—Removes all proximity database entries from GSS memory. The prompt Are you sure? appears to confirm the deletion of all database entries. Specify y to delete all entries or n to cancel the deletion operation.

•assigned—Removes all static entries from the proximity database.

•group name—Removes all entries related to a named proximity group. Specify the exact name of a previously created proximity group.

•inactive minutes—Removes all dynamic entries that have been inactive for a specified period. Valid values are 0 to 43200 minutes.

•ip ip_address netmask netmask—Removes all proximity entries related to a D-proxy IP address and subnet mask. Specify the IP address of the requesting client's D-proxy in dotted-decimal notation (for example, 192.168.9.0) and specify the subnet mask in dotted-decimal notation (for example, 255.255.255.0).

•no-rtt—Removes all entries from the proximity database that do not have valid RTT values.

•probed—Removes all dynamic entries from the proximity database.

For example, to remove the D-proxy IP address 192.168.8.0 and subnet mask 255.255.255.0, enter:

gss1.example.com# proximity database delete ip 192.168.8.0 netmask 255.255.255.0

Additions to the show proximity database CLI Command

The show proximity database CLI command has a series of additional options to provide more control over the entries you can view in the proximity database. You may now display proximity database entries based on a specific criteria.

The syntax for this command is:

show proximity database {all | assigned | group {name} | inactive minutes | ip {ip_address} netmask {netmask} | no-rtt | probed}

The options and variables are:

•all—Displays all entries in the proximity database.

•assigned—Displays all static entries in the proximity database.

•group name—Displays all entries related to a named proximity group. Specify the exact name of a previously created proximity group.

•inactive minutes—Display all entries that have been inactive for specified amount of time. Valid values are 0 to 43200 minutes.

•ip ip_address netmask netmask—Displays all proximity entries related to a D-proxy IP address and subnet mask. Specify the IP address of the requesting client's D-proxy in dotted-decimal notation (for example, 192.168.9.0) and specify the subnet mask in dotted-decimal notation (for example, 255.255.255.0).

•no-rtt—Displays all entries in the proximity database that do not have valid RTT values.

•probed—Displays all dynamic entries in the proximity database.

For example, to remove the D-proxy IP address 192.168.8.0 and subnet mask 255.255.255.0, enter:

gss1.example.com# proximity database delete ip 192.168.8.0 netmask 255.255.255.0

Changes to the GSSM Restore Warning Message

There has been a clarification to the warning message that appears when you enter the gssm restore command to restore your primary GSSM from a previous backup.This restore warning message now reads:

% WARNING WARNING WARNING

You will be asked which portion(s) of the system configuration to overwrite. You may 
want to create a database backup before proceeding. 

Are you sure you wish to continue? (y/n): y

Changes to the show tech-support core-files Command

The show tech-support core-files command output has been modified to display the core file size in KB, Mb, or GB, as appropriate. For example:

gss2.example.com#show tech-support core-files

/core-files/keepalive/core-keepalive-Mon-Mar-28-06.34.56  43 Mb

/core-files/keepalive/core-keepalive-Mon-Mar-28-07.15.48  106 Mb

/core-files/proximity/core-proximity-Mon-Mar-31-06.25.44  10 Mb

/core-files/proximity/core-proximity-Mon-Mar-31-06.26.13  10 Mb

The verbose option has been added to the show tech-support core-files command to assist in troubleshooting by Cisco engineers in instances where the internal GSS applications generate core files. The verbose option provides a backtrace of the stack of all the core files.

Addition of the logging facility CLI Command

The GSS allows you to specify a syslog facility type to identify the behavior of the syslog daemon (syslogd) on the host. The syslog daemon uses the specified syslog facility to determine how to process messages. Each facility configures how the syslog daemon on the host handles a message. Use the new logging facility command to specify a syslog facility type.

---

Note For more information on the syslog daemon and facility levels, refer to your syslog daemon documentation.

---

The syntax for this global configuration mode command is:

logging facility type

Enter the type option to specify the syslog facility type. The default logging facility is local5. The GSS supports the following facility types:

•auth—Authorization system

•daemon—System daemon

•kernel—Kernel

•local0—Reserved for locally defined messages

•local1—Reserved for locally defined messages

•local2—Reserved for locally defined messages

•local3—Reserved for locally defined messages

•local4—Reserved for locally defined messages

•local5—Reserved for locally defined messages

•local6—Reserved for locally defined messages

•local7—Reserved for locally defined messages

•mail—Mail system

•news—USENET news

•syslog—System log

•user—User process

•uucp—UNIX-to-UNIX copy system

For example, to change the logging facility to local7, enter:

gss2.example.com(config)#logging facility local7

To restore the default logging facility back to local5, use the no form of this command. For example:

gss2.example.com(config)#no logging facility local7

The related GSS software commands include:

logging host enable

logging host ip

logging host priority

logging host subsystem

show logging

show running-config

For the procedures on how to configure logging for a GSS and view logged information, refer to the Cisco Global Site Selector Administration Guide, Chapter 8, Viewing Log Files. This chapter is located on Cisco.com at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/products_configuration_guide_chapter09186a0080328f05.html

Addition of the ftp-client enable CLI Command

By default, the File Transfer Protocol (FTP) client is disabled for all users. A new configuration mode command has been created to allow you to enable access to the FTP client for different types of users.

The syntax for this global configuration mode command is:

ftp-client enable {all | admin}

Enter ftp-client enable to enable access to the FTP client and then follow it with all to enable access for all users, or admin to enable access for administrative users only. For example:

gss.example.com(config)#ftp-client enable all 

gss.example.com(config)#ftp-client enable admin

Issue the no ftp-client enable all or no ftp-client enable admin CLI command to remove a specific FTP client configuration and return to the default disabled state.

The show running-config and show startup-config CLI commands have been updated to provide status on the FTP client enable state, for example:

gss.example.com#show running-config

...

ftp-client enable all

...

gss.example.com#show startup-config

...

ftp-client enable all

...

The show ftp CLI command has also been updated to provide status on the FTP client enable state, for example:

gss.example.com#show ftp

...

ftp-client is enabled for all users

...

GSS Syslog Messages and CiscoWorks RME Syslog Analyzer Compliancy

The format of the host syslog messages generated by a GSS is now CiscoWorks RME Syslog Analyzer compliant. The CiscoWorks RME Syslog Analyzer reports syslog messages logged by GSS devices. The Syslog Analyzer uses embedded Cisco IOS technology to provide detailed device information. Reports are based on user-defined filters that highlight specific errors or severity conditions and help identify when specific events occurred, such as a link-down or a device reboot.

---

Note The GSS syslog host messages support the correct CiscoWorks RME Syslog Analyzer message format; however, these messages do not support the Syslog Analyzer MIBs. In addition, not all severity 7 debug messages are compliant with the syslog host message format.

---

The following is an example of the host syslog message format generated by a GSS. The fields are described in Table 1.

<IP or DNS name of Device> <BLANK> <:> <Time Stamp> <BLANK><:> %FACILITY-SEVERITY-MNEMONIC 
<:> Message-text

Table 1 Syslog Message Format 

Field	Description
IP or DNS name of Device	IP address or DNS name, followed by one BLANK space, and followed by a colon (:)
Time Stamp	A non-optional timestamp in the format: yyyy mmm dd hh:mm:ss (for example, 2005 MAY 14 19:20:10) or mmm dd hh:mm:ss (for example, MAY 14 19:20:10)
%FACILITY	A code consisting of two or more uppercase letters that indicate the facility to which the message refers. A facility can be a hardware device, a protocol, or a module of the system software (for example, KAL, TOMCAT, SYS, STK). Note This is not the Syslog server logging facility.
SEVERITY	A single-digit code from 0 to 7 that reflects the severity of the condition. The severity maps to the GSS logging level specified using the logging host priority command.
MNEMONIC	A code that uniquely identifies the error message (for example, TCPTRANS, GUIEXCEPTION, KALPING).
Message-text	A text string describing the condition (for example, KAL_RSP_OK [192.168.100.1] numSuccessfulProbes:2 or Detected Ssh is stopped but should be started)

The related GSS software commands include:

logging host enable

logging host ip

logging host priority

logging host subsystem

logging facility

show proximity and show sticky CLI Commands in gslb Mode

You may now access the show proximity and show sticky CLI commands from the global server load-balancing configuration mode. The show proximity and show sticky commands include:

•show proximity group-name—Displays statistics for a specific proximity group.

•show proximity group-summary—Displays a summary of statistics for all configured proximity groups.

•show sticky—Displays general status information about the sticky subsystem.

•show sticky database—Displays sticky database entries by specifying one or more entry matching criteria.

•show sticky global—Displays the most recent sticky database message identifiers sent by the local GSS node and received from its GSS mesh peers.

•show sticky group-name—Displays statistics for a specific sticky group.

•show sticky group-summary—Displays a summary of statistics for all configured sticky groups

•show sticky mesh—Displays sticky mesh status information locally from the CLI of a GSS.

For example:

gssm1.example.com(config-gslb)#show ?

  proximity       Display Proximity subsystem information

  running-config  Show Running configuration

  sticky          Display Sticky Database information

gssm1.example.com(config-gslb)#show proximity ?

  group-name     Display configuration summary of one proximity group

  group-summary  Display configuration summary of all proximity groups

  <cr>           

gssm1.example.com(config-gslb)#show sticky ?  

  database       Display entries in the Sticky Database.

  global         Display status of Global Sticky

  group-name     Display configuration summary of one sticky group

  group-summary  Display configuration summary of all sticky groups

  mesh           Display status of the Sticky Mesh.

  <cr>           

gssm1.example.com(config-gslb)#show sticky 

DNS Server Not Ready Indicator Added to gss status Command Output

To inform you that the DNS Server is not ready to serve DNS requests, the gss status command output displays a "Not Ready to Serve Requests" indicator. The indicator disappears once the DNS Selector is ready to serve DNS requests.

For example:

gssm1.example.com# gss status

Cisco GSS - 1.2(2) GSS [Thu Mar 31 21:09:09 UTC 2005]

Registered to primary GSSM: 10.86.209.167

Normal Operation [runmode = 5]

START  SERVER

 Mar25  Boomerang                  

 Mar25  Config Agent (crdirector)  

 Mar25  Config Server (crm)        

 Mar25  DNS Server [ Not Ready to Serve Requests ]

 Mar25  Database                   

 Mar25  GUI Server (tomcat)        

 Mar25  Keepalive Engine           

 Mar25  Node Manager               

 Mar25  Proximity                  

 Mar25  Sticky                     

 Mar25  Web Server (apache) 

When the DNS Server is ready to serve DNS requests, it generates the following subsystem log message and saves it in the system.log file:

Mar 25 10:45:26 gssm1.example.com DNS-5-SELREADYINFO[2073] Selector ready to start serving 
DNS requests

Changes to Host Naming Conventions for a GSS

When you specify a hostname for a GSS (primary GSSM, standby GSSM, or GSS device) that is operating in a lab network environment, the top-level domain of the hostname cannot begin with a numerical value. For example, you cannot name a primary GSSM as gssm.1lab. If you attempt to create or change a hostname for a top-level domain to a name that begins with a number, the following messages appears:

Top level domains of hostnames cannot begin with a number

When you upgrade to software version 1.2(2), if one or more of your GSS devices has a hostname with a top-level domain beginning with a number, each GSS device will log the following ERROR level (3) log message in the gss.log file:

Bad hostname: top level domain should not begin with number

Sticky and Proximity XML Schema Files

The GSS includes two XML schema files that you can use to describe and validate the sticky XML and proximity XML output files. The purpose of a schema is to define a class of XML documents. The sticky and proximity schemas consist of a series of elements, subelements, and attributes that appear in the XML output files to determine the appearance of the content in the XML file.

Each schema file, stickySchema.xsd and proximitySchema.xsd, resides in the /home directory upon boot up of a GSS device. The /home directory is the same directory where each XML output file resides.

The following document identifies the contents of the sticky XML schema, stickySchema.xsd:

<xsd:schema xmlns="http://www.cisco.com/gss/sticky"

            xmlns:xsd="http://www.w3.org/2001/XMLSchema"

            targetNamespace="http://www.cisco.com/gss/sticky"

            elementFormDefault="qualified"

            attributeFormDefault="unqualified">

  <xsd:annotation>

    <xsd:documentation xml:lang="en">

      Cisco GSS Sticky Database

    </xsd:documentation>

  </xsd:annotation>

  <xsd:element name="Sticky_Database" type="StickyDatabaseType"/>

  <xsd:element name="Header" type="HeaderType"/>

  <xsd:element name="Source_Entries" type="SourceEntriesType"/>

  <xsd:element name="Source_Entry" type="SourceEntryType"/>

  <xsd:element name="Group_Entries" type="GroupEntriesType"/>

  <xsd:element name="Group_Entry" type="GroupEntryType"/>

  <xsd:complexType name="StickyDatabaseType">

    <xsd:sequence>

      <xsd:element ref="Header" minOccurs="1" maxOccurs="1"/>

      <xsd:element ref="Source_Entries" minOccurs="0" maxOccurs="1"/>

      <xsd:element name="Source_Entry_Count" type="xsd:integer"

                   minOccurs="0" maxOccurs="1"/>

      <xsd:element ref="Group_Entries" minOccurs="0" maxOccurs="1"/>

      <xsd:element name="Group_Entry_Count" type="xsd:integer"

                   minOccurs="0" maxOccurs="1"/>

    </xsd:sequence>

  </xsd:complexType>

  <xsd:complexType name="HeaderType">

    <xsd:sequence>

      <xsd:element name="Version" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="Time_Stamp" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="Entry_Count" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="Mask" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

    </xsd:sequence>

  </xsd:complexType>

  <xsd:complexType name="SourceEntriesType">

    <xsd:sequence minOccurs="0" maxOccurs="unbounded">

      <xsd:element ref="Source_Entry" minOccurs="0"/>

    </xsd:sequence>

  </xsd:complexType>

  <xsd:complexType name="GroupEntriesType">

    <xsd:sequence minOccurs="0" maxOccurs="unbounded">

      <xsd:element ref="Group_Entry" minOccurs="0"/>

    </xsd:sequence>

  </xsd:complexType>

  <xsd:complexType name="SourceEntryType">

    <xsd:sequence>

      <xsd:element name="IP" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="D" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="R" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="A" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="H" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="T" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

    </xsd:sequence>

  </xsd:complexType>

  <xsd:complexType name="GroupEntryType">

    <xsd:sequence>

      <xsd:choice minOccurs="1" maxOccurs="1">

        <xsd:element name="N" type="xsd:string"

                     minOccurs="1" maxOccurs="1"/>

        <xsd:element name="G" type="xsd:integer"

                     minOccurs="1" maxOccurs="1"/>

      </xsd:choice>

      <xsd:element name="D" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="R" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="A" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

       <xsd:element name="H" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="T" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

   </xsd:sequence>

  </xsd:complexType>

</xsd:schema>

The following document identifies the contents of the proximity XML schema, proximitySchema.xsd:

<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">

  <xsd:annotation>

    <xsd:documentation xml:lang="en">

      Cisco GSS Proximity Database

    </xsd:documentation>

  </xsd:annotation>

  <xsd:element name="ProximityDatabase" type="ProximityDatabaseType"/>

  <xsd:element name="Header" type="HeaderType"/>

  <xsd:element name="Entry" type="EntryType"/>

  <xsd:element name="ProbeTarget" type="ProbeTargetType"/>

  <xsd:element name="Zone" type="ZoneType"/>

  <xsd:complexType name="ProximityDatabaseType">

    <xsd:sequence>

      <xsd:element ref="Header" minOccurs="1" maxOccurs="1"/>

      <xsd:element ref="Entry" minOccurs="0" maxOccurs="unbounded"/>

    </xsd:sequence>

  </xsd:complexType>

  <xsd:complexType name="HeaderType">

    <xsd:sequence>

      <xsd:element name="Version" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="Time_Stamp" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="EntryCount" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

    </xsd:sequence>

  </xsd:complexType>

  <xsd:complexType name="EntryType">

    <xsd:sequence>

      <xsd:element name="EntryID" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="ModificationTimeStamp" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="Static" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="DirectProbingInProgress" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="HitTimeStamp" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="HitCount" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element ref="ProbeTarget" minOccurs="1" maxOccurs="1"/>

      <xsd:element ref="Zone" minOccurs="32" maxOccurs="32"/>

    </xsd:sequence>

  </xsd:complexType>

  <xsd:complexType name="ProbeTargetType">

    <xsd:sequence>

      <xsd:element name="IP" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="Method" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="Type" type="xsd:string"

                   minOccurs="1" maxOccurs="1"/>

   </xsd:sequence>

  </xsd:complexType>

  <xsd:complexType name="ZoneType">

    <xsd:sequence>

       <xsd:element name="ID" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="RTT" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

      <xsd:element name="RefreshTime" type="xsd:integer"

                   minOccurs="1" maxOccurs="1"/>

   </xsd:sequence>

  </xsd:complexType>

  <xsd:simpleType name="StaticType">

    <xsd:restriction base="xsd:string">

      <xsd:enumeration value="true"/>

      <xsd:enumeration value="false"/>

    </xsd:restriction>

  </xsd:simpleType>

  <xsd:simpleType name="MethodType">

    <xsd:restriction base="xsd:string">

      <xsd:enumeration value="TCP"/>

      <xsd:enumeration value="ICMP"/>

      <xsd:enumeration value="NotUsed"/>

    </xsd:restriction>

  </xsd:simpleType>

  <xsd:simpleType name="TypeOfType">

    <xsd:restriction base="xsd:string">

      <xsd:enumeration value="static"/>

      <xsd:enumeration value="non-static"/>

    </xsd:restriction>

  </xsd:simpleType>

  <xsd:simpleType name="ZoneIdType">

    <xsd:restriction base="xsd:integer">

      <xsd:minInclusive value="1"/>

      <xsd:maxInclusive value="32"/>

    </xsd:restriction>

  </xsd:simpleType>

</xsd:schema>

Operating Conditions for Software Version 1.2(2)

The following operating conditions apply to software version 1.2(2):

•When you upgrade from software version 1.1 to 1.2, the default primary GSSM GUI privilege level for each GSS user is "administrator". The assignment of the operator or observer privilege level to a primary GSSM GUI user was a new feature for GSS software version 1.2(1). To change the user privilege level to either operator or observer, modify the GUI user account and change the role of the user. Refer to the Cisco Global Site Selector Administration Guide, Chapter 3, Creating and Managing User Accounts, for details.

•If you use a GSS in a proximity zone configuration containing a Cisco router running IOS release 12.1, you must ensure that the DRP authentication configuration is identical on both devices. For example, to perform DRP authentication between a GSS and a Cisco IOS 12.1 router, ensure that you properly enable and configure authentication on both devices. The same is true if you choose not to use DRP authentication; you must disable authentication on both devices. In the case that you disable DRP authentication on a Cisco IOS 12.1 router but enable DRP authentication on a GSS, all measurement probes sent by a GSS to the Cisco IOS-based router will fail. This condition occurs because the Cisco IOS 12.1 router fails to recognize the DRP echo query packets sent by a GSS and the GSS is unable to detect a potential failure of measurement packets sent to the router. In this case, the GSS identifies the Cisco IOS-based router as being ONLINE in the show statistics proximity probes detailed output, yet the measurement response packets monitored in the Measure Rx field do not increment. Together, these two conditions may indicate a DRP authentication mismatch.

If DRP probe requests fail between the GSS and a Cisco router running IOS release 12.1, even when the GSS indicates that the router is ONLINE, verify the DRP authentication configurations on both the Cisco router and the GSS.

–To verify the Cisco router running IOS release 12.1, enter the show ip drp command. If the line Authentication is enabled, using "test" key-chain appears in the output (where "test" is the name of your key-chain), DRP authentication is configured on the router. If this line does not appear in the output, DRP authentication is not configured.

–To verify GSS version 1.2(2), access the Global Proximity Configuration details page (Traffic Mgmt tab) on the primary GSSM GUI and observe if the DRP Authentication selection is set to Enabled or Disabled (see the Cisco Global Site Selector Global Server Load-Balancing Configuration Guide, Chapter 9, Configuring Network Proximity).

Modify the DRP authentication configuration on either the Cisco router running IOS release 12.1 or the primary GSSM GUI and make them consistent to avoid a DRP authentication mismatch.

•When the GSS operates as a client with a TACACS+ server, the GSS may restrict user access to all CLI commands. This behavior may occur when you specify an encryption key on the GSS using the tacacs-server host command but do not specify the same encryption key on the TACACS+ server. In this case, the CLI command restriction takes place immediately on the GSS once you enter the aaa authorization commands command.

The workaround is to enter the tacacs-server host command on the GSS, and then specify the same encryption key on the TACACS+ server before you enter the aaa authorization commands CLI command on the GSS. If the GSS fails authorization on all CLI commands and you are unable to change the encryption key on the TACACS+ server, power cycle the GSS. Because the CLI commands entered prior to the power cycle were not saved in the GSS startup-configuration file, you can regain access to the GSS CLI and redo the TACACS+ configuration.

•When you use a TCP keepalive with the fast detection and graceful termination methods to test a Telnet service on a server running Windows Server 2003, port 23 may fluctuate between the Up and Down state (port flapping). If port flapping occurs on TCP port 23 of Windows Server 2003, you will notice an increase in keepalive negative probe and keepalive transition counts on the Answer Keepalive Statistics list page of the primary GSSM GUI. To resolve this issue, increase the Number of Retries value for the TCP keepalive. A retry value of three or four should be adequate to prevent flapping on port 23 when connecting to a server running Windows Server 2003.

Depending on the number of TCP keepalives you require to send on port 23 to servers running Windows Server 2003, specify the Number of Retries value as follows:

–If the GSS is transmitting numerous TCP keepalives using port 23, globally change the retry value for all TCP keepalives on the Configure Global KeepAlive Properties details page.

–If TCP keepalives are being used for different devices or ports, change the retry value on a per TCP keepalive basis using the Modifying Answer detail page.

•Cisco LocalDirector does not reply properly to TCP keepalives sent on port 23 from a GSS device. In this case, GSS keepalives fail when configured to probe LocalDirector. To resolve this behavior, specify a different keepalive method with LocalDirector or directly probe the servers located behind LocalDirector.

•The interface speed of the GSS 4490 cannot be configured to 1000 Mbps by using the interface ethernet {0 | 1} speed command. If you attempt to specify an operating speed of 1000, the GSS 4490 remains set at the previous setting (as displayed through the show interface command). To enable a GSS 4490 interface to operate at 1000 Mbps, specify a speed of auto. This selection allows the GSS 4490 autonegotiate to 1000 Mbps with other devices.

•In rare instances when a GSS runs out of user disk space, the device will stop logging messages to all log files. Logging does not automatically resume after you free up disk space on the GSS. This behavior may occur when you FTP a significant number of files to the GSS, which completely fills the available disk space on the GSS. To resolve this behavior, use the rotate-logs CLI command to replace the log files and resume logging.

•The GSS does not allow you to assign the same pre-existing access list to the two Ethernet interfaces. If you attempt to use the access-group CLI command to assign the same access list to Ethernet 0 and Ethernet 1, the following error message appears:

%access-list list1 is already assigned to interface eth1. 

To resolve this issue, generate an identical access list for the second Ethernet interface.

•The GSS requires a functioning nameserver to operate properly and perform DNS resolutions. If the nameserver is not properly configured using the ip name-server command, or if the configured nameservers are not reachable for any reason (down, network loss, or a firewall), the GSS will not be able to perform DNS resolutions when you attempt to log in. In this case, the timeout may take several minutes. This behavior occurs when you attempt to log in through a Telnet, SSH, or FTP connection.

There is no workaround for this behavior; the GSS always requires a functioning nameserver. To enable the GSS to perform DNS resolution, always configure more than one nameserver. For example:

gss.example.com(config)#ip name-server 192.168.1.1

gss.example.com(config)#ip name-server 192.168.2.2

gss.example.com(config)#ip name-server 192.168.3.3

This behavior may also occur if you configure access lists for the GSS. In this case, the workaround is to create access lists that allow the DNS responses from a nameserver. For example:

gss.example.com(config)#access-list acl1 permit udp any eq 53

Another solution is to limit incoming DNS response packets only from your configured nameservers (more secure). For example:

gss.example.com(config)#access-list acl1 permit udp 192.168.1.1 

255.255.255.255 eq 53

gss.example.com(config)#access-list acl2 permit udp 192.168.1.2 

255.255.255.255 eq 53

gss.example.com(config)#access-list acl3 permit udp 192.168.1.3 

255.255.255.255 eq 53

•Content and Application Peering Protocol (CAPP) may not recognize dropped fragments when a KAL-AP (KeepAlive-Appliance Protocol) keepalive spans multiple datagrams due to large payloads. When the KAL-AP keepalive spans multiple datagrams and one of the spanned packets is dropped, the GSS does not retry the request. Instead, the GSS waits until the next period and sends the packets again. This results in the dropped datagram not getting updated load values on the VIPs that expect them. This behavior typically occurs in situations where the GSS consumes the full datagram (roughly 1.4 K) with tag names or VIP addresses. Otherwise, all data fits perfectly in a single datagram.

To resolve this behavior, use the KAL-AP by VIP format when you need the GSS to send a detailed query on load for hundreds of VIPs configured to a single primary or optional secondary (backup) IP address. Another solution is to use the KAL-AP by Tag format, but to limit the length of Tag Names to ensure that the packets do not exceed 1.4K.

•The GSS 4491 correctly supports auto-negotiation as well as forcing the interface speed and duplex to a specific value. When the GSS 4491 is forced to 1000 Mbps full duplex through the CLI, it goes into autonegotiate mode but operates as specified by advertising only "1000-full." When the GSS 4491 is forced to any other speed or duplex setting, it advertises "forced" rather than "negotiated." The example below illustrates what happens when the GSS is forced to 1000 Mbps full duplex.

gss.example.com(config-eth1)#show interface eth1

  Interface eth1

     ip address 192.168.1.2 255.0.0.0

     duplex full

     speed 1000

  Interface State

     Link is up

     negotiated, 1000 mbps, full duplex

     Supported modes:  10-half, 10-full, 100-half, 100-full, 1000-full

     Advertised modes: 1000-full

•The GSS supports a maximum limit of 40 concurrent Telnet or FTP sessions within a 60-second window. The GSS can receive additional concurrent Telnet and FTP connections that are made outside of a 60-second window.

•The GSS supports a maximum limit of 250 SSH connections. When the GSS reaches this limit, the Connection terminated on signal 13 message may appear at the CLI of the computer where you initiated the SSH session to the GSS.

Software Version 1.2(2) Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in GSS software version 1.2(2):

•Open Caveats for Software Version 1.2(2)

•Resolved Caveats for Software Version 1.2(2)

•CLI Command Changes in Software Version 1.2(2)

Open Caveats for Software Version 1.2(2)

This section lists the open caveats for Cisco Global Site Selector Version 1.2(2).

•CSCei10099—GSS software versions 1.2(1.1.2) and 1.2(2) fail to exchange configuration and statistic updates with GSS devices running GSS software version 1.2(1.0.3) or an earlier version. When this software version mismatch occurs, a GSS device running an incompatible software version will fail to receive configuration updates from the primary GSSM. In addition, the primary GSSM GUI will not update operating status and statistics for the GSS device. Although configuration updates do not occur between the devices, each GSS device continues to answer DNS requests and perform keepalive operations based on its current configuration.

The following log is a symptom of this behavior:

CRD-4-EXCEPTION[3794] java.rmi.UnmarshalException: err or unmarshalling return; nested 
exception is: %0A%09java.io.InvalidClassExceptio n: 
com.sightpath.merlot.server.SslClientSocketFactory; Local class not compatible: stream 
classdesc serialVersionUID=1590222007190899010 local class serialVersi 
onUID=1656318867001291063 

Workaround: Upgrade all GSS devices running an older version of GSS software to the latest GSS software version 1.2(2.0.3).

---

Note Before you upgrade from GSS software version 1.1(x.x.x) to either software version 1.2(1.1.2) or 1.2(2.0.3), please verify if you are subject to defect CSCeh87172 as described in this section.

---

•CSCeg10406—The use of the gssm restore command to restore the primary GSSM from the backup file can sometimes result in a misconfiguration or malfunction of the keepalive engine and DNS server on the standby GSSM or GSS devices. This behavior is caused as a result of the newly restored configuration not properly overwriting the previous configuration on the primary GSSM.

The following logs are symptoms of a misconfiguration in either the keepalive engine or DNS server:

 KAL-4-KALSTATSNOGID[916] Could not find KAL-GID [208]

 KAL-4-KALGIDNOTFOUND[20077] kalDeleteVip: No KAL-GID found, removing based on GID 
[88]: success

 CRD-4-ANSWERNOTEXT[912] answer id 214 doesn't exist in selector but in kale

The presence of a core file in the /core-files/keepalive and /core-files/dnsserver is evidence of this problem.

Workaround: Ensure the standby GSSM and all GSS devices have network connectivity with the primary GSSM and perform the following procedure:

a. Log on to the CLI of the standby GSSM or a GSS.

b. Enable privileged EXEC mode.

gss1.yourdomain.com> enable

gss1.yourdomain.com#

c. Enter the gss stop command to stop your GSS server.

gss1.yourdomain.com# gss stop

d. Navigate to the / directory to locate the node.state file. If you locate the node.state file in the directory, delete it.

gss1.yourdomain.com# cd /

gss1.yourdomain.com# del node.state

gss1.yourdomain.com# cd /home

e. Enter the gss start command to force the standby GSSM or GSS to retrieve a fresh and complete configuration from the primary GSSM.

gss1.yourdomain.com# gss start

f. Repeat this procedure for each GSS device in your network.

•CSCef27479—When the GSS operates as a client with a TACACS+ server, the GSS fails to use the TACACS+ server for authentication when a user performs a remote SSH login using private and public key pairs. In this case, the SSH private and public keys on the GSS perform the user authentication and take priority over a TACACS+ server. If SSH private and public key pair authentication fails, then the TACACS+ server performs user authentication.

Workaround: To use a TACACS+ server for user authentication, disable the use of SSH key pairs on the GSS. Use the ssh keys CLI command to enable and disable SSH private and public key pairs. Refer to the Cisco Global Site Selector Getting Started Guide for details about configuring the GSS for remote access over an SSH session that uses private and public key pairs for authentication.

•CSCef58474—A GSS CLI session may become unresponsive when you enter the enable command to access privileged EXEC mode from user EXEC mode. This condition can occur when there are seven or more concurrent CLI sessions running on the same GSS.

Workaround: Reduce the number of concurrent sessions running on the same GSS to less than seven by logging out of one or more CLI sessions.

•CSCeh87172—After you upgrade to GSS software version 1.2(2.0.3) on both the primary GSSM and standby GSSM, the status of the standby GSSM remains offline when you monitor the GSS device status from the primary GSSM GUI. In this case, when you access the primary GSSM GUI Global Site Selectors details page to view the standby GSSM status, the following improper status information appears for the upgraded standby GSSM:

–