Hello, Can someone confirm the meaning of SNMP counter "apCntStickyStatsNewCt" please? Does it just mean that for every new sticky table entry created that this counter gets incremented ? My understanding is that there is a finite number of sticky table entries. There is one table for all entries and these can be made up of L3, L4, SSL etc.. and it operates on a First-In-First-Out system. Assuming we fill all available sticky table slots, when this "apCntStickyStatsNewCt" counter increments and inserts a new sticky entry then the oldest sticky table entry gets removed from the end of the of the table. Is this correct ? By taking a delta of this counter every 60 seconds I'm trying to determine if this counter can be used to work out how long a sticky entry will remain in the sticky table before being purged/pushed out. The full namepsace/OID info for apCntStickyStatsNewCt is below: Name  .iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.arrowPoint.apMgmt.cntExt.apCntStickyStatsTable.apCntStickyStatsEntry.apCntStickyStatsNewCt (OID .1.3.6.1.4.1.9.9.368.1.16.25.1.2) Many thanks, Scott ... View more

Hi all, I had the below config in place so TCP 443 traffic terminated on 20.20.20.20 and unencrypted traffic was sent onto backend servers via a content rule setup to listen on TCP 80 for IP address 10.10.10.10. ssl-server 190 ssl-server 190 rsakey mysecurecert_key ssl-server 190 rsacert mysecurecert_cert ssl-server 190 cipher rsa-with-rc4-128-md5 10.10.10.10 80 weight 5 ssl-server 190 cipher rsa-with-rc4-128-sha 10.10.10.10 80 weight 4 ssl-server 190 vip address 20.20.20.20 If i used a browser and connected to the VIP 20.20.20.20:443 then all was good and everything worked as expected. However we have an application that specifies the port along with the host in the HTTP host header so rather than Host: 20.20.20.20 it would have Host: 20.20.20.20:443 For whatever reason when the host header has the port appended things brake and i'm not sure what the CSS does but the backend servers never receive any traffic. From the client end it seems to go through the client/server hello and at least sends the HTTPS request. To fix this, i just changed the 10.10.10.10 to be 20.20.20.20 so the VIP was the same as the back-end content rule IP used with the cipher suite. More out of curiosity than anything but is this a known bug or by design? I'm not sure why having the SSL VIP being different to the backend content rule IP would allow HTTP requests with just the host in the host header and not when there is a port appended ? Thanks ... View more

Hi, If i set the timeout multiplier to be 3 on a content rule so it's 48 seconds, why when i look at the 'flow-agent show fcb' information does it give me the correct inactiveTimout but then allocate a 'New FCB time' of 120 which overrides my configured 48 seconds? May timeout due to inactivity: Yes , inactiveTimeout: 48 New FCB time: 120,  will consider inactivity in 86 secs Inactive Secs: 34 Thank you, Scott ... View more

Hi, thanks for looking. I have a QA and PRODUCTION environment configured for a new project. We try to keep these environments as close a mirror image in terms of  config as possible, just with differing VLANs and IP addressing etc... For the purpose of this discussion lets say the QA VLANs are VLAN1, VLAN2, VLAN3 and for PRODUCTION they are VLAN11, VLAN12,  VLAN13. The servers in each VLAN uses Multicast PGM to communicate. The  configured MC group address is 239.0.0.239 and traffic sent to this address should be  received by all servers in each of their respective environments VLANs. The software installed on the servers that uses this PGM, uses it for a sort of keepalive and synchronization of status. All servers  use IGMPv2 to join. For this I'm using a 6500 with a FWSM. The FWSM Version is 4.0(7) and the sup720 is running s72033-advipservicesk9_wan-mz.122-18.SXF17a. Because the FWSM doesnt support PGM we had to extend the  VLAN to the 6500. The server continue to use the FWSM as their default gateway though. The SVI’s for each VLAN sit in a VRF according to their  assigned environment. So QA VLAN1,VLAN2 and VLAN3 sit in VRF_QA and PROD VLAN11,  VLAN12, VLAN13 sit in VRF_PROD. Multicast isn't enabled globally on the 6500 but each VRF has multicast routing enabled and each  SVI has PIM and PGM enabled. So one of the vlan SVIs config looks like: interface Vlan13 ip vrf forwarding MC_PGM_QA ip address 20.64.70.3 255.255.255.240 ip pim sparse-dense-mode ip pgm router ! With this config in place, igmp and mroute output looks good  and the servers can use multicast as required. So they join the group and the mroute reflects the correct egress interfaces for traffic on each VRF. The problem is that we would like  to use the same MC group address of 239.0.0.239 on both QA and PRODUCTION,  mirroring config and all that, but with the above config in place the MC traffic  from QA bleeds into PRODUCTION and vice versa which makes the developers cry. In other words when QA servers send traffic to the 239.0.0.239 MC group, the production servers receive a copy rather than it being confined to the QA vlans, which according to the mroute output should be happening. My multicast knowledge isn't great but from looking at the  output of mroute tables, igmp and some debug it looks like it should work  as desired. I’m not sure if this is a L3 issue or L2 due to the MC addresses being  common to both environments. I'm guessing the quick fix is to just give production a different MC group address but I'd rather know if this setup is possible and what could be wrong with the config, perhaps it's a bug since we're running quite an old IOS release. Any pointers apreciated. Many thanks, Scott ... View more

Hi, With the CSS when you enable sticky connections with a timeout, it only resets the idle timer for the sticky entry when a new connection is made and ignores the fact that there is active connections/flows that match the entry. On the ACE it seems to be differnt. The doc's say "ACE ages out a sticky table entry when the timeout  for that entry expires and no active connections matching that entry  exist. To specify that the ACE time out IP address sticky table entries  even if active connections exist after the sticky timer expires, use "TIMEOUT ACTIVECONNS". The CSS seems to miss the feature i've highlighted in bold. Is there a way on the CSS to have it behave the same with the ACE does, so if i make a single connection and the CSS creates a sticky entry and that connection is constantly active with data... then the CSS will either A) reset the idle time for the sticky entry because the flow is not idle or B) let the sticky entry drop to zero but just not delete the sticky entry because the flow is not idle. Many thanks, Scott ... View more

Hi, I have a CSS 11503 with a basic content rule for TCP 10000 going to a few backend servers. I was looking into the default timeout values for flows and when testing using telnet the flow didn't terminate as expected? For example, i have no 'timeout multiplier' specified in the config and when i look at the output of 'show flow-timeout default' it tells me the default 16 seconds timeout is in effect for *. With that in mind, i telnet to the content rule vip on TCP 10000 and on the backend server using wireshark i can see the TCP threeway handshake. With no data passing i'd expect the CSS to terminate this flow after 16 seconds.. yet it takes exactly 128 seconds before wireshark shows the RST and the flow is terminated. 128 being 8 times the default 16 second flow timeout. If i try to force the connection to close early by specifiying 'flow-timeout-multiplier 2' in the content rule, or even a multiplier of 40, it still waits 128 seconds to close the telnet connection. Am i missing missing something? What does the CSS define an idle flow to be? Thanks, Scott ... View more

Hi, I have an IPS running inline VLAN pair mode that bridges 2 x VLANs into 1 x L2 broadcast domain allowing servers in one VLAN and gateway in another to connect to each other while forcing traffic via the IPS for screening etc.. This operates over a trunk link so there is 4 pairs of VLANs in my case getting bridged by the IPS from one switch to another, with the IPS being in the middle and this works well. I unfortunately was only given budget for one IPS at the moment and would like to introduce a backup L2 path that the traffic will failover to in the event the IPS for some reason can't bridge the VLANs. I was hoping that STP would handle this so when the IPS dropped out, using PVST the VLANs would transition to forwarding on the backup link. The problem is without something bridging the VLAN pairs, i can't find any elegant solution to this problem and was wondering if anyone had any ideas? Since the gateway lives in VLAN 10 say and the server in VLAN 110, if the IPS goes offline then without manually changing the VLAN the server is in to be the same as the gateway I'm not sure if a way to make this automagic. I thought of using the 'VLAN translation' feature on  our 6513 to rewrite the VLAN tag of frames on both ingress/egress of the  secondary trunk link but when i tested the config it didn't seem to  work. If anyone has any ideas on how to make this work i'd love to hear. thanks Scott ... View more

Hi I'm not sure if my terminology is correct when using hairpinning but i was wondering if there is any special config needed when you try to access a content rule VIP from a server that's configured as a member of a source group on the same CSS? So say i have a content rule with a VIP 20.20.20.20 and i also have two servers 192.168.1.1 and 192.168.1.2 that are part of a source group with VIP of 20.20.20.21. My problem at the moment is if from the servers 192.168.1.x i try to ping the other VIP 20.20.20.20 that's configured on the same CSS then it doesn't work and ping fails. The same happens with HTTP traffic to the 20.20.20.20 VIP. I would have thought that the NAT of the source group would happen before the routing so the 192.168.1.x IP's would be natted to 20.20.20.21 and then passed over for routing where the CSS would see that the VIP 20.20.20.20 is local and it would send it on it's way. I thought it might be ACL related but i increased the verbosity of acl logging and couldn't see anything in the logs. The source group works fine on it's own and from the CSS itself i can ping the 20.20.20.20 VIP fine. It just seems that from the source group members i can't ping the VIP. Any ideas or pointers appreciated. thanks Scott ... View more

Hi, I am trying to setup a new vlan pair on a IDSM-2 module but when i add some rules to intentionally block traffic to test the flow of traffic it isn't blocking traffic as expected. I have a server that lives in VLAN 20 and I've configured VLAN21 on the FWSM and it's interface address is the default gateway for the server in VLAN 20. I've setup a VLAN pair on the IDSM-2 module to bridge these VLANs. The 6500 has the uplinks to our ISP and routes are on the msfc to send traffic to the fwsm. As i see it, traffic flows in to the msfc, routed to fwsm where it lands on interface VLAN 21 and screened then if permitted the fwsm will arp for the server in VLAN 20 IP which will go back up the FWSM->MSFC trunk and over the bridged IPS pair to VLAN 20 and on to the servers port. so flow of traffic is Internet-->msfc-->fwsm-->msfc-->ips-->msfc-->server. Based on this config, traffic does appear to flow via the IPS ok. If I setup a continuous ping and remove the vlan pair then traffic to the servers is broken, and if i enable IP Logging i can see the ICMP traffic being logged. But if i add a ‘host block’ or ‘denied attacker’ entry, i can see the traffic count interment in IME but the traffic isn't blocked. Same thing with the polices, if i enable the ICMP echo reply/request rule and set it to block the connection.. it still doesnt block the traffic. Based on this setup can anyone see a reason why traffic that appears to be flowing through the IDSM isn't being blocked by any of the rules? thanks Scott ... View more

Hi I have been testing a WCCP setup with a Debian 6.0 server running squid and a 6500 with SUP720 running  12.2(18)SXF17a. So far so good and it's working fine. At the moment the squid config is setup to use the SVI IP of the VLAN that the squid servers live in. But since we have two 6500 chassis and the squid servers are connected to both i setup HSRP for the VLAN and tried pointing the squid config to the HSRP VIP. Sadly this doesn't work and i was wondering if it should/am i doing something wrong? When i use the HRSP VIP i only see these log entries Apr 14 10:09:23 cest: WCCP-PKT:S00: Sending I_See_You packet to 10.64.9.116 w/ rcv_id 0000D105 Apr 14 10:09:33 cest: WCCP-EVNT:S00: Here_I_Am packet from 10.64.9.116 w/bad rcv_id 00000000 Apr 14 10:09:33 cest: WCCP-PKT:S00: Sending I_See_You packet to 10.64.9.116 w/ rcv_id 0000D106 Apr 14 10:09:43 cest: WCCP-EVNT:S00: Here_I_Am packet from 10.64.9.116 w/bad rcv_id 00000000 but when i use the SVI IP, the squid web cache correctly registers with the 6500 i get this in the log: Apr 14 10:12:25 cest: WCCP-PKT:S00: Sending I_See_You packet to 10.64.9.116 w/ rcv_id 0000D114 Apr 14 10:12:40 cest: WCCP-PKT:S00: Sending Removal_Query packet to 10.64.9.116w/ rcv_id 0000D115 Apr 14 10:12:45 cest: WCCP-EVNT:S00: Built new router view: 0 routers, 0 usable web caches, change # 0000073C Apr 14 10:13:02 cest: WCCP-PKT:S00: Sending I_See_You packet to 10.64.9.116 w/ rcv_id 0000D116 Apr 14 10:13:12 cest: WCCP-EVNT: GRE adjacency added for 10.64.9.116 Apr 14 10:13:12 cest: %WCCP-5-SERVICEFOUND: Service web-cache acquired on Web Cache 10.64.9.116 Apr 14 10:13:12 cest: WCCP-PKT:S00: Received valid Here_I_Am packet from 10.64.9.116 w/rcv_id 0000D116 Apr 14 10:13:12 cest: WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable web caches, change # 0000073D Apr 14 10:13:12 cest: WCCP-PKT:S00: Sending I_See_You packet to 10.64.9.116 w/ rcv_id 0000D117 I don't know but maybe using the HRSP VIP stops the GRE adjacency forming so it brakes ? Does anyone know if this is possible? thanks Scott ... View more

Hi, I was wondering if anyone knew what the support for WCCP on a FWSM running 4.0(7) is like, if there is any at all ? I've read that the earliest PIX release that supports WCCP was 7.2(1) but I'm not sure how FWSM 4.0(7) aligns with the PIX versions. The only doc's i can find refrencing WCCP on a 6500 with FWSM is in the 6500 12.2 IOS guide. Thanks, Scott ... View more