11-13-2003 06:24 AM
I have a requirement to ensure that when a client attempts a connection to a Rule that has no valid services behind it, the CSS sends a TCP-RST. How do I achieve this?
I have tried flow-reset-reject, but I think this only sends a reset for a flow that is already established when the backend server fails.
I want a new request to get reset if there are no backend servers.
Additional info:
We currently have multiple rules with the same IP address (using different ports) so if all the services on one rule are down the VIP address will still respond to ARP and PING as the other rules have services that are UP. Hence the client will time out rather than get a (relatively speedy) ARP failure.
It is a one-armed config with source-groups.
One dirty solution we have tried successfully but rejected is to configure a sorry-server with a keepalive type of none, valid IP address, but invalid port. When the clients are directed at this service the connection attempt is rejected by the valid IP address (TCP-RST) which is then passed back to the original client. This works but is very messy.
11-19-2003 08:52 AM
Not sure if this is possible. This link might help.
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:CSS11000&viewall=true
11-20-2003 12:58 AM
Thanks for this; unfortunately, there is a wealth of information here and it is quite difficult to identify an example or tip that might relate to my particular issue.
I was hoping for someone to have had a similar problem... but like you I am not at all confident.
I have also wondered whether it is sensible to allow the action I am trying to configure in terms of its impact on DoS.
Thanks anyway...
11-26-2003 05:37 AM
This does not exist currently.
But I think it is a valid request.
Therefore, I would suggest you contact your local Cisco Sales person and ask him to introduce a feature request.
BTW, your workaround is good to know.
Gilles.
12-01-2003 02:20 AM
Thanks Gilles,
I will raise the issue with our Cisco rep.
I am also investigating another "dirty" solution...
I am considering making the content rule sticky and then giving it a sticky-serverdown-failover of "REJECT". However, the documentation does not say what "REJECT" means. I am hoping it means TCP-RST!
Andrew T
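Added illustration, not taken from the posters or from Cisco documentation: a CSS 11000-style configuration sketch of the two workarounds discussed in this thread, the sorry-server trick from the first post and the sticky-serverdown-failover idea from the last post. The CLI syntax is written from memory and should be treated as an assumption; service names, addresses and ports are constructed, and the source-group configuration the one-armed setup needs is left out.

```text
! Added example (not from the thread). CSS CLI syntax assumed; all
! names, addresses and ports below are constructed.

! --- Workaround 1 (first post) ---
! A sorry server with no keepalive, aimed at a host that is reachable
! but has nothing listening on the configured port. The CSS only hands
! traffic to the sorry server when every real service on the rule is
! down; the host then answers the forwarded SYN with a TCP RST, which
! the CSS passes back to the original client instead of letting it
! time out.
service rst-sorry
  ip address 10.1.1.50
  protocol tcp
  port 8081
  keepalive type none
  active

service web1
  ip address 10.1.1.11
  protocol tcp
  port 80
  keepalive type tcp
  active

owner example
  content http-vip
    vip address 192.0.2.10
    protocol tcp
    port 80
    add service web1
    primarySorryServer rst-sorry
    active

! --- Workaround 2 (last post, untested by the poster) ---
! Make the rule sticky and set the server-down failover action to
! reject. The thread does not establish whether "reject" results in a
! TCP RST to the client; verify this with a packet capture before
! relying on it.
owner example
  content https-vip
    vip address 192.0.2.10
    protocol tcp
    port 443
    add service web1
    advanced-balance sticky-srcip
    sticky-serverdown-failover reject
    active
```

When testing either variant, watch the client side of the capture for the RST and confirm that the sorry server's keepalive really stays at none, since any keepalive that marks it down would remove the only remaining target and reintroduce the silent timeout the thread is trying to avoid.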