release note for the cisco global site selector, release 1 ... · release note for the cisco global...

Release Note for the Cisco Global Site Selector, Release 1.2(2)

August 25, 2006

Note The most current Cisco GSS documentation for released products is available on Cisco.com.

ContentsThis release note applies to software version 1.2(2) for the Cisco Global Site Selector (GSS). It contains the following sections:

• Cisco-Supported Hardware and Software Compatibility

• Before Upgrading to Version 1.2(2)

• Expansion of the GSSM and GSS Recovery Procedures

• Additional Information for Building and Modifying DNS Rules

• Additional Information for Configuring DNS Sticky

• Additional Information for Building and Modifying DNS Rules

• Operating Conditions for Software Version 1.2(2)

• Software Version 1.2(2) Open Caveats, Resolved Caveats, and Command Changes

• Obtaining Documentation, Obtaining Support, and Security Guidelines

Corporate Headquarters:

Copyright © 2005. Cisco Systems, Inc. All rights reserved.

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Cisco-Supported Hardware and Software Compatibility

Cisco-Supported Hardware and Software CompatibilityThe GSS software version 1.2(2) operates with the following Cisco hardware:

• GSS 4491, GSS 4490, and GSS 4480, configured in software as the primary GSSM, the standby GSSM, or as a GSS device

• Cisco Content Services Switch running the following WebNS software releases:

• Cisco Catalyst 6500 Content Switching Module (CSM) running the following software releases:

The GSS software version 1.2(2) network proximity and TACACS+ server features operate with the following Cisco software releases:

• For network proximity, use a Cisco IOS-based router that supports Director Response Protocol (DRP) as the probing device in each proximity zone. DRP is supported in the following Cisco IOS release trains: 12.1, 12.1E, 12.2T, 12.2, 12.3, and later releases. ICMP probing is only supported in Cisco IOS releases 12.2T, 12.3, and later releases.

The GSS operates with Cisco IOS-based routers using the following DRP RTT probing methods: TCP (“DRP Server Agent”) and ICMP (“ICMP ECHO-based RTT probing by DRP agents”). “DRP Server Agent” and “ICMP ECHO-based RTT probing by DRP agents” are the Cisco IOS feature names as shown in the Cisco Feature Navigator. The Cisco Feature Navigator is located on Cisco.com at:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

• For TACACS+ server authentication, authorization, and accounting (AAA) services, use Cisco Secure Access Control Server (ACS) version 3.2 or greater.

Cisco CSS PlatformRecommended WebNS Versions

Minimum Supported WebNS Versions

Cisco 11500 Series CSS Software releases:

• 7.40.0.04 or greater


Software releases:

• 7.20.1.04

• 7.10.3.05

Cisco 11000 Series CSS Software releases:



Software releases:

• 6.10.1.07

• 5.00.3.09

Platform Recommended CSM Versions1 Minimum Supported CSM Versions

Cisco Catalyst 6500 Content Switching Module (CSM)

Software releases:

• 3.1(10) or greater

• 3.2(1)



Software releases:

• 3.1(4)

• 3.2(1)

• 4.1(4)

• 4.2(1)

1. CSM software versions 3.2(2), 3.2(3) and 4.1(2) are not supported by the GSS when using the KAL-AP by tag keepalive method.

2Release Note for the Cisco Global Site Selector, Release 1.2(2)

OL-7308-01

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Before Upgrading to Version 1.2(2)

Before Upgrading to Version 1.2(2) You can directly upgrade to GSS software version 1.2(2) from the GSS version 1.2(1), 1.1, and 1.0 software releases.

Note Before you upgrade from GSS software version 1.1(x.x.x) to either software version 1.2(1.1.2) or 1.2(2.0.3), in addition to following the steps outlined below, please verify if you are subject to defect CSCeh87172 as described in the “Software Version 1.2(2) Open Caveats, Resolved Caveats, and Command Changes” section.

Before you upgrade your GSS software, be sure that you:

• Perform a full backup of your primary GSSM database as described:

– For software version 1.2, refer to Chapter 7, Backing Up and Restoring the GSSM, the “Backing Up the Primary GSSM” section in the Cisco Global Site Selector Administration Guide. This chapter is located on Cisco.com at:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v1.2/administration/guide/Backup.html#wp1001791

– For software version 1.1, refer to Chapter 9, GSS Administration and Troubleshooting, the “Backing Up the GSSM” section in the Cisco Global Site Selector Configuration Guide. This chapter is located on Cisco.com at:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v1.1/configuration/guide/Admin.html#wp1062428

– For software version 1.0, refer to Chapter 3, GSS Administration and Troubleshooting, the “Backing Up the GSSM” section in the Cisco Global Site Selector Configuration Guide. This chapter is located on Cisco.com at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/products_configuration_guide_chapter09186a00800ca811.html#wp1062428

• Review the software version 1.2(1) software upgrade sequence as described in the Cisco Global Site Selector Administration Guide, Appendix A, Upgrading the GSS Software. This chapter is located on Cisco.com at:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v1.2/administration/guide/Upgrades.html

If you are currently running GSS software version 1.0 on your GSS 4480 and you want to have the opportunity to downgrade back to version 1.0, you must first upgrade to software version 1.1 before loading software version 1.2. Downgrading directly from software version 1.2 to version 1.0 is not supported at this time.

Expansion of the GSSM and GSS Recovery ProceduresIn the Cisco Global Site Selector Administration Guide, a new section has been added to Chapter 2, Managing the GSS from the CLI, to describe the process that you can perform when you encounter problems with one of the GSS devices in your GSS network. The new “Replacing GSS Devices in Your GSS Network” section aids you in determining which GSS device exhibits the problem (primary GSSM, standby GSSM, or GSS) and the steps you can take to configure a replacement GSS device for use in your network.

You can locate the “Replacing GSS Devices in Your GSS Network” section on Cisco.com at the following URL:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v1.2/administration/guide/Man_CLI.html#wp1027087


OL-7308-01

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v1.2/administration/guide/Backup.html#wp1001791

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v1.1/configuration/guide/Admin.html#wp1062428

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/products_configuration_guide_chapter09186a00800ca811.html#wp1062428

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v1.2/administration/guide/Upgrades.html



Additional Information for Building and Modifying DNS Rules

Additional Information for Building and Modifying DNS RulesThis information augments the information provided in Chapter 7, Building and Modifying DNS Rules in the Cisco Global Site Selector Global Server Load Balancing Configuration Guide.

The balance clauses that you configure in a DNS rule are evaluated in order, with parameters established to determine when a clause should be skipped and the next clause is to be used. A balance clause is skipped when any one of the following conditions exits:

• A least-loaded balance method is selected and the load threshold for all online answers is exceeded.

• The VIP answers in the specified VIP answer group are offline.

• Proximity is enabled for a VIP-type answer group and the DRP agents do not return any RTT values that meet the value set for acceptable-rtt.

• All answers in a CRA- or NS-type answer group are offline and keepalives are enabled to monitor the answers.

Additional Information for Configuring DNS StickyThis information augments the information provided in Chapter 8, Configuring DNS Sticky in the Cisco Global Site Selector Global Server Load Balancing Configuration Guide.

• You can configure sticky only in a DNS rule that uses a VIP-type answer group.

• Sticky is active for a DNS rule only when the following conditions exist:

– Sticky is enabled for either global or local use. In the GUI, select Global or Local for the State option in the Global Sticky Configuration details page; in the CLI, enter the enable global or enable local command.

– A sticky method option (domain or domain list) is selected. In the GUI, use the DNS Rule Builder and select By Domain or By Domain List for the Select Sticky Method option in the Create New DNS Rule window; in the CLI, enter the sticky method domain or sticky method domain list command.

– Sticky is enabled within a balance clause for the DNS rule. In the GUI, use the DNS Rule Builder and click the Sticky Enable checkbox; in the CLI, enter the sticky enable command.


OL-7308-01

Software Behavioral Differences

Software Behavioral DifferencesThe following sections describe the software behavioral differences that apply to software version 1.2(2):

• Changes to the Primary GSSM GUI Login and Logout Process

• Changes to the Termination Method Options

• Changes to the Sticky and Proximity Database Dump Process

• Additions to the proximity database delete CLI Command

• Additions to the show proximity database CLI Command

• Changes to the GSSM Restore Warning Message

• Changes to the show tech-support core-files Command

• Addition of the logging facility CLI Command

• Addition of the ftp-client enable CLI Command

• GSS Syslog Messages and CiscoWorks RME Syslog Analyzer Compliancy

• show proximity and show sticky CLI Commands in gslb Mode

• DNS Server Not Ready Indicator Added to gss status Command Output

• Changes to Host Naming Conventions for a GSS

• Sticky and Proximity XML Schema Files

Changes to the Primary GSSM GUI Login and Logout ProcessThe primary GSSM GUI now prompts you for your username and password in a new Primary GSSM GUI Login window (Figure 1) as part of the primary GSSM GUI login process. Enter your username and password in the fields provided on the primary GSSM GUI and click Login. The Primary GSSM Welcome window appears (Figure 2).

With the GSS version software 1.2(2) release, the primary GSSM performs login authentication; you no longer enter your username and password in the client browser’s pop-up box to access the GUI. The primary GSSM GUI directly uses the SSL session to maintain the session and user state. Users are authenticated only once during login, similar to when you perform remote access to the GSS CLI using the Secure Shell (SSH), Telnet, or FTP protocols.

To log out of a primary GSSM GUI session, click Logout at the upper right of the window. The browser confirms that you want to log out of the primary GSSM GUI session. Click OK to confirm the logout (or Cancel). When you click OK, the primary GSSM logs you out of the session and redisplays the Primary GSSM GUI Login window (see Figure 1).


OL-7308-01


Figure 1 Primary GSSM GUI Login Window


OL-7308-01


Figure 2 Primary GSSM Welcome Window

Changes to the Termination Method OptionsIn the primary GSSM GUI, the Default option for the connection termination method on both the Shared Keepalive details page (Figure 3, shown for a TCP keepalive) and the VIP Answer details page (Figure 4, shown for a TCP keepalive) has been renamed to Global. The function of the Global option has not changed; this option still instructs the primary GSSM to use the keepalive connection method defined on the Configure Global KeepAlive Properties details page.


OL-7308-01


Figure 3 Creating New Shared Keepalive Details Page—TCP Keepalive


OL-7308-01


Figure 4 Answer Details Page—TCP KeepAlive VIP Answer


OL-7308-01


In addition, the Termination Method column has been added to the Shared Keepalives list page (Figure 5) to inform you of the connection termination method specified for each shared keepalive.

Figure 5 Shared Keepalives List Page


OL-7308-01


Changes to the Sticky and Proximity Database Dump ProcessWhen you enter the sticky database dump format xml and proximity database dump format xml commands, the GSS now waits to complete dumping the sticky database entries or proximity database entries in XML format before displaying the CLI prompt. A message appears upon the successful completion of a sticky or a proximity database dump. In addition, if the XML database dump is large, the GSS displays progress messages to indicate how many entries have been dumped at that point in the process.

For example, when you enter the sticky database dump format xml command at the CLI, the following progress message appears:

gssm1.example.com#sticky database dump stest.xml format xmlStarting Sticky Database dump.

As the database dump progresses, additional messages appear:

gssm1.example.com#sticky database dump stest.xml format xmlSticky Database dump is in progress...Sticky Database has dumped 12345 of 345123 entries...

Upon completion of the XML database dump, a final message appears:

gssm1.example.com#sticky database dump stest.xml format xmlSticky Database dump completed. The number of dumped entries: 182346.gssm1.example.com#

The GSS prevents you from overwriting an existing sticky database or proximity database dump output file. If you attempt to overwrite an existing file with the same filename, the GSS displays the following message: Sticky Database dump failed, a file with that name already exists.

Additions to the proximity database delete CLI CommandThe proximity database delete command has a series of additional options to provide more control over the entries you can delete from the proximity database. You may now delete proximity database entries based on a specific criteria. The proximity database delete command, however, does not delete proximity database entries saved as part of an automatic dump to a backup file on disk. To ensure that you successfully remove all or the selected proximity database entries from both GSS memory and disk, enter the specific proximity database delete command followed by the proximity database periodic-backup now command to force an immediate backup of the empty proximity database residing in GSS memory.

The syntax for this command is:

proximity database delete {all | assigned | group {name} | inactive minutes | ip {ip_address} netmask {netmask} | no-rtt | probed}

The options and variables are:

• all—Removes all proximity database entries from GSS memory. The prompt Are you sure? appears to confirm the deletion of all database entries. Specify y to delete all entries or n to cancel the deletion operation.

• assigned—Removes all static entries from the proximity database.

• group name—Removes all entries related to a named proximity group. Specify the exact name of a previously created proximity group.

• inactive minutes—Removes all dynamic entries that have been inactive for a specified period. Valid values are 0 to 43200 minutes.


OL-7308-01


• ip ip_address netmask netmask—Removes all proximity entries related to a D-proxy IP address and subnet mask. Specify the IP address of the requesting client’s D-proxy in dotted-decimal notation (for example, 192.168.9.0) and specify the subnet mask in dotted-decimal notation (for example, 255.255.255.0).

• no-rtt—Removes all entries from the proximity database that do not have valid RTT values.

• probed—Removes all dynamic entries from the proximity database.

For example, to remove the D-proxy IP address 192.168.8.0 and subnet mask 255.255.255.0, enter:

gss1.example.com# proximity database delete ip 192.168.8.0 netmask 255.255.255.0

Additions to the show proximity database CLI CommandThe show proximity database CLI command has a series of additional options to provide more control over the entries you can view in the proximity database. You may now display proximity database entries based on a specific criteria.


show proximity database {all | assigned | group {name} | inactive minutes | ip {ip_address} netmask {netmask} | no-rtt | probed}


• all—Displays all entries in the proximity database.

• assigned—Displays all static entries in the proximity database.

• group name—Displays all entries related to a named proximity group. Specify the exact name of a previously created proximity group.

• inactive minutes—Display all entries that have been inactive for specified amount of time. Valid values are 0 to 43200 minutes.

• ip ip_address netmask netmask—Displays all proximity entries related to a D-proxy IP address and subnet mask. Specify the IP address of the requesting client's D-proxy in dotted-decimal notation (for example, 192.168.9.0) and specify the subnet mask in dotted-decimal notation (for example, 255.255.255.0).

• no-rtt—Displays all entries in the proximity database that do not have valid RTT values.

• probed—Displays all dynamic entries in the proximity database.

For example, to remove the D-proxy IP address 192.168.8.0 and subnet mask 255.255.255.0, enter:

gss1.example.com# proximity database delete ip 192.168.8.0 netmask 255.255.255.0

Changes to the GSSM Restore Warning MessageThere has been a clarification to the warning message that appears when you enter the gssm restore command to restore your primary GSSM from a previous backup.This restore warning message now reads:

% WARNING WARNING WARNINGYou will be asked which portion(s) of the system configuration to overwrite. You may want to create a database backup before proceeding.

Are you sure you wish to continue? (y/n): y


OL-7308-01


Changes to the show tech-support core-files CommandThe show tech-support core-files command output has been modified to display the core file size in KB, Mb, or GB, as appropriate. For example:

gss2.example.com#show tech-support core-files/core-files/keepalive/core-keepalive-Mon-Mar-28-06.34.56 43 Mb/core-files/keepalive/core-keepalive-Mon-Mar-28-07.15.48 106 Mb/core-files/proximity/core-proximity-Mon-Mar-31-06.25.44 10 Mb/core-files/proximity/core-proximity-Mon-Mar-31-06.26.13 10 Mb

The verbose option has been added to the show tech-support core-files command to assist in troubleshooting by Cisco engineers in instances where the internal GSS applications generate core files. The verbose option provides a backtrace of the stack of all the core files.

Addition of the logging facility CLI CommandThe GSS allows you to specify a syslog facility type to identify the behavior of the syslog daemon (syslogd) on the host. The syslog daemon uses the specified syslog facility to determine how to process messages. Each facility configures how the syslog daemon on the host handles a message. Use the new logging facility command to specify a syslog facility type.

Note For more information on the syslog daemon and facility levels, refer to your syslog daemon documentation.

The syntax for this global configuration mode command is:

logging facility type

Enter the type option to specify the syslog facility type. The default logging facility is local5. The GSS supports the following facility types:

• auth—Authorization system

• daemon—System daemon

• kernel—Kernel

• local0—Reserved for locally defined messages








• mail—Mail system

• news—USENET news

• syslog—System log

• user—User process

• uucp—UNIX-to-UNIX copy system


OL-7308-01


For example, to change the logging facility to local7, enter:

gss2.example.com(config)#logging facility local7

To restore the default logging facility back to local5, use the no form of this command. For example:

gss2.example.com(config)#no logging facility local7

The related GSS software commands include:

logging host enable

logging host ip

logging host priority

logging host subsystem

show logging

show running-config

For the procedures on how to configure logging for a GSS and view logged information, refer to the Cisco Global Site Selector Administration Guide, Chapter 8, Viewing Log Files. This chapter is located on Cisco.com at:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v1.2/administration/guide/Logging.html

Addition of the ftp-client enable CLI CommandBy default, the File Transfer Protocol (FTP) client is disabled for all users. A new configuration mode command has been created to allow you to enable access to the FTP client for different types of users.


ftp-client enable {all | admin}

Enter ftp-client enable to enable access to the FTP client and then follow it with all to enable access for all users, or admin to enable access for administrative users only. For example:

gss.example.com(config)#ftp-client enable all gss.example.com(config)#ftp-client enable admin

Issue the no ftp-client enable all or no ftp-client enable admin CLI command to remove a specific FTP client configuration and return to the default disabled state.

The show running-config and show startup-config CLI commands have been updated to provide status on the FTP client enable state, for example:

gss.example.com#show running-config...ftp-client enable all...gss.example.com#show startup-config...ftp-client enable all...


OL-7308-01

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v1.2/administration/guide/Logging.html


The show ftp CLI command has also been updated to provide status on the FTP client enable state, for example:

gss.example.com#show ftp...ftp-client is enabled for all users...

GSS Syslog Messages and CiscoWorks RME Syslog Analyzer CompliancyThe format of the host syslog messages generated by a GSS is now CiscoWorks RME Syslog Analyzer compliant. The CiscoWorks RME Syslog Analyzer reports syslog messages logged by GSS devices. The Syslog Analyzer uses embedded Cisco IOS technology to provide detailed device information. Reports are based on user-defined filters that highlight specific errors or severity conditions and help identify when specific events occurred, such as a link-down or a device reboot.

Note The GSS syslog host messages support the correct CiscoWorks RME Syslog Analyzer message format; however, these messages do not support the Syslog Analyzer MIBs. In addition, not all severity 7 debug messages are compliant with the syslog host message format.

The following is an example of the host syslog message format generated by a GSS. The fields are described in Table 1.

<IP or DNS name of Device> <BLANK> <:> <Time Stamp> <BLANK><:> %FACILITY-SEVERITY-MNEMONIC <:> Message-text

Table 1 Syslog Message Format

Field Description

IP or DNS name of Device

IP address or DNS name, followed by one BLANK space, and followed by a colon (:)

Time Stamp A non-optional timestamp in the format:

yyyy mmm dd hh:mm:ss (for example, 2005 MAY 14 19:20:10)

or

mmm dd hh:mm:ss (for example, MAY 14 19:20:10)

%FACILITY A code consisting of two or more uppercase letters that indicate the facility to which the message refers. A facility can be a hardware device, a protocol, or a module of the system software (for example, KAL, TOMCAT, SYS, STK).

Note This is not the Syslog server logging facility.

SEVERITY A single-digit code from 0 to 7 that reflects the severity of the condition. The severity maps to the GSS logging level specified using the logging host priority command.

MNEMONIC A code that uniquely identifies the error message (for example, TCPTRANS, GUIEXCEPTION, KALPING).

Message-text A text string describing the condition (for example, KAL_RSP_OK [192.168.100.1] numSuccessfulProbes:2 or Detected Ssh is stopped but should be started)


OL-7308-01


The related GSS software commands include:

logging host enable

logging host ip

logging host priority

logging host subsystem

logging facility

show proximity and show sticky CLI Commands in gslb ModeYou may now access the show proximity and show sticky CLI commands from the global server load-balancing configuration mode. The show proximity and show sticky commands include:

• show proximity group-name—Displays statistics for a specific proximity group.

• show proximity group-summary—Displays a summary of statistics for all configured proximity groups.

• show sticky—Displays general status information about the sticky subsystem.

• show sticky database—Displays sticky database entries by specifying one or more entry matching criteria.

• show sticky global—Displays the most recent sticky database message identifiers sent by the local GSS node and received from its GSS mesh peers.

• show sticky group-name—Displays statistics for a specific sticky group.

• show sticky group-summary—Displays a summary of statistics for all configured sticky groups

• show sticky mesh—Displays sticky mesh status information locally from the CLI of a GSS.

For example:

gssm1.example.com(config-gslb)#show ? proximity Display Proximity subsystem information running-config Show Running configuration sticky Display Sticky Database informationgssm1.example.com(config-gslb)#show proximity ? group-name Display configuration summary of one proximity group group-summary Display configuration summary of all proximity groups <cr> gssm1.example.com(config-gslb)#show sticky ? database Display entries in the Sticky Database. global Display status of Global Sticky group-name Display configuration summary of one sticky group group-summary Display configuration summary of all sticky groups mesh Display status of the Sticky Mesh. <cr> gssm1.example.com(config-gslb)#show sticky


OL-7308-01


DNS Server Not Ready Indicator Added to gss status Command OutputTo inform you that the DNS Server is not ready to serve DNS requests, the gss status command output displays a “Not Ready to Serve Requests” indicator. The indicator disappears once the DNS Selector is ready to serve DNS requests.

For example:

gssm1.example.com# gss statusCisco GSS - 1.2(2) GSS [Thu Mar 31 21:09:09 UTC 2005]

Registered to primary GSSM: 10.86.209.167

Normal Operation [runmode = 5]

START SERVER Mar25 Boomerang Mar25 Config Agent (crdirector) Mar25 Config Server (crm) Mar25 DNS Server [ Not Ready to Serve Requests ] Mar25 Database Mar25 GUI Server (tomcat) Mar25 Keepalive Engine Mar25 Node Manager Mar25 Proximity Mar25 Sticky Mar25 Web Server (apache)

When the DNS Server is ready to serve DNS requests, it generates the following subsystem log message and saves it in the system.log file:

Mar 25 10:45:26 gssm1.example.com DNS-5-SELREADYINFO[2073] Selector ready to start serving DNS requests

Changes to Host Naming Conventions for a GSSWhen you specify a hostname for a GSS (primary GSSM, standby GSSM, or GSS device) that is operating in a lab network environment, the top-level domain of the hostname cannot begin with a numerical value. For example, you cannot name a primary GSSM as gssm.1lab. If you attempt to create or change a hostname for a top-level domain to a name that begins with a number, the following messages appears:

Top level domains of hostnames cannot begin with a number

When you upgrade to software version 1.2(2), if one or more of your GSS devices has a hostname with a top-level domain beginning with a number, each GSS device will log the following ERROR level (3) log message in the gss.log file:

Bad hostname: top level domain should not begin with number


OL-7308-01


Sticky and Proximity XML Schema FilesThe GSS includes two XML schema files that you can use to describe and validate the sticky XML and proximity XML output files. The purpose of a schema is to define a class of XML documents. The sticky and proximity schemas consist of a series of elements, subelements, and attributes that appear in the XML output files to determine the appearance of the content in the XML file.

Each schema file, stickySchema.xsd and proximitySchema.xsd, resides in the /home directory upon boot up of a GSS device. The /home directory is the same directory where each XML output file resides.

The following document identifies the contents of the sticky XML schema, stickySchema.xsd:

<xsd:schema xmlns="http://www.cisco.com/gss/sticky" xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.cisco.com/gss/sticky" elementFormDefault="qualified" attributeFormDefault="unqualified">

<xsd:annotation> <xsd:documentation xml:lang="en"> Cisco GSS Sticky Database </xsd:documentation> </xsd:annotation>

<xsd:element name="Sticky_Database" type="StickyDatabaseType"/> <xsd:element name="Header" type="HeaderType"/> <xsd:element name="Source_Entries" type="SourceEntriesType"/> <xsd:element name="Source_Entry" type="SourceEntryType"/> <xsd:element name="Group_Entries" type="GroupEntriesType"/> <xsd:element name="Group_Entry" type="GroupEntryType"/>

<xsd:complexType name="StickyDatabaseType"> <xsd:sequence> <xsd:element ref="Header" minOccurs="1" maxOccurs="1"/> <xsd:element ref="Source_Entries" minOccurs="0" maxOccurs="1"/> <xsd:element name="Source_Entry_Count" type="xsd:integer" minOccurs="0" maxOccurs="1"/> <xsd:element ref="Group_Entries" minOccurs="0" maxOccurs="1"/> <xsd:element name="Group_Entry_Count" type="xsd:integer" minOccurs="0" maxOccurs="1"/> </xsd:sequence> </xsd:complexType>

<xsd:complexType name="HeaderType"> <xsd:sequence> <xsd:element name="Version" type="xsd:integer" minOccurs="1" maxOccurs="1"/> <xsd:element name="Time_Stamp" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="Entry_Count" type="xsd:integer" minOccurs="1" maxOccurs="1"/> <xsd:element name="Mask" type="xsd:string" minOccurs="1" maxOccurs="1"/> </xsd:sequence> </xsd:complexType>

<xsd:complexType name="SourceEntriesType"> <xsd:sequence minOccurs="0" maxOccurs="unbounded"> <xsd:element ref="Source_Entry" minOccurs="0"/> </xsd:sequence> </xsd:complexType>


OL-7308-01


<xsd:complexType name="GroupEntriesType"> <xsd:sequence minOccurs="0" maxOccurs="unbounded"> <xsd:element ref="Group_Entry" minOccurs="0"/> </xsd:sequence> </xsd:complexType>

<xsd:complexType name="SourceEntryType"> <xsd:sequence> <xsd:element name="IP" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="D" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="R" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="A" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="H" type="xsd:integer" minOccurs="1" maxOccurs="1"/> <xsd:element name="T" type="xsd:integer" minOccurs="1" maxOccurs="1"/> </xsd:sequence> </xsd:complexType>

<xsd:complexType name="GroupEntryType"> <xsd:sequence> <xsd:choice minOccurs="1" maxOccurs="1"> <xsd:element name="N" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="G" type="xsd:integer" minOccurs="1" maxOccurs="1"/> </xsd:choice> <xsd:element name="D" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="R" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="A" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="H" type="xsd:integer" minOccurs="1" maxOccurs="1"/> <xsd:element name="T" type="xsd:integer" minOccurs="1" maxOccurs="1"/> </xsd:sequence> </xsd:complexType>

</xsd:schema>

The following document identifies the contents of the proximity XML schema, proximitySchema.xsd:

<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">

<xsd:annotation> <xsd:documentation xml:lang="en"> Cisco GSS Proximity Database </xsd:documentation> </xsd:annotation>

<xsd:element name="ProximityDatabase" type="ProximityDatabaseType"/> <xsd:element name="Header" type="HeaderType"/> <xsd:element name="Entry" type="EntryType"/> <xsd:element name="ProbeTarget" type="ProbeTargetType"/> <xsd:element name="Zone" type="ZoneType"/>


OL-7308-01


<xsd:complexType name="ProximityDatabaseType"> <xsd:sequence> <xsd:element ref="Header" minOccurs="1" maxOccurs="1"/> <xsd:element ref="Entry" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> </xsd:complexType>

<xsd:complexType name="HeaderType"> <xsd:sequence> <xsd:element name="Version" type="xsd:integer" minOccurs="1" maxOccurs="1"/> <xsd:element name="Time_Stamp" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="EntryCount" type="xsd:integer" minOccurs="1" maxOccurs="1"/> </xsd:sequence> </xsd:complexType>

<xsd:complexType name="EntryType"> <xsd:sequence> <xsd:element name="EntryID" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="ModificationTimeStamp" type="xsd:integer" minOccurs="1" maxOccurs="1"/> <xsd:element name="Static" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="DirectProbingInProgress" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="HitTimeStamp" type="xsd:integer" minOccurs="1" maxOccurs="1"/> <xsd:element name="HitCount" type="xsd:integer" minOccurs="1" maxOccurs="1"/> <xsd:element ref="ProbeTarget" minOccurs="1" maxOccurs="1"/> <xsd:element ref="Zone" minOccurs="32" maxOccurs="32"/> </xsd:sequence> </xsd:complexType>

<xsd:complexType name="ProbeTargetType"> <xsd:sequence> <xsd:element name="IP" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="Method" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="Type" type="xsd:string" minOccurs="1" maxOccurs="1"/> </xsd:sequence> </xsd:complexType>

<xsd:complexType name="ZoneType"> <xsd:sequence> <xsd:element name="ID" type="xsd:integer" minOccurs="1" maxOccurs="1"/> <xsd:element name="RTT" type="xsd:integer" minOccurs="1" maxOccurs="1"/> <xsd:element name="RefreshTime" type="xsd:integer" minOccurs="1" maxOccurs="1"/> </xsd:sequence> </xsd:complexType>

<xsd:simpleType name="StaticType"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="true"/> <xsd:enumeration value="false"/> </xsd:restriction>


OL-7308-01

Operating Conditions for Software Version 1.2(2)

</xsd:simpleType>

<xsd:simpleType name="MethodType"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="TCP"/> <xsd:enumeration value="ICMP"/> <xsd:enumeration value="NotUsed"/> </xsd:restriction> </xsd:simpleType>

<xsd:simpleType name="TypeOfType"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="static"/> <xsd:enumeration value="non-static"/> </xsd:restriction> </xsd:simpleType>

<xsd:simpleType name="ZoneIdType"> <xsd:restriction base="xsd:integer"> <xsd:minInclusive value="1"/> <xsd:maxInclusive value="32"/> </xsd:restriction> </xsd:simpleType>

</xsd:schema>

Operating Conditions for Software Version 1.2(2)The following operating conditions apply to software version 1.2(2):

• When you upgrade from software version 1.1 to 1.2, the default primary GSSM GUI privilege level for each GSS user is “administrator”. The assignment of the operator or observer privilege level to a primary GSSM GUI user was a new feature for GSS software version 1.2(1). To change the user privilege level to either operator or observer, modify the GUI user account and change the role of the user. Refer to the Cisco Global Site Selector Administration Guide, Chapter 3, Creating and Managing User Accounts, for details.

• If you use a GSS in a proximity zone configuration containing a Cisco router running IOS release 12.1, you must ensure that the DRP authentication configuration is identical on both devices. For example, to perform DRP authentication between a GSS and a Cisco IOS 12.1 router, ensure that you properly enable and configure authentication on both devices. The same is true if you choose not to use DRP authentication; you must disable authentication on both devices. In the case that you disable DRP authentication on a Cisco IOS 12.1 router but enable DRP authentication on a GSS, all measurement probes sent by a GSS to the Cisco IOS-based router will fail. This condition occurs because the Cisco IOS 12.1 router fails to recognize the DRP echo query packets sent by a GSS and the GSS is unable to detect a potential failure of measurement packets sent to the router. In this case, the GSS identifies the Cisco IOS-based router as being ONLINE in the show statistics proximity probes detailed output, yet the measurement response packets monitored in the Measure Rx field do not increment. Together, these two conditions may indicate a DRP authentication mismatch.

If DRP probe requests fail between the GSS and a Cisco router running IOS release 12.1, even when the GSS indicates that the router is ONLINE, verify the DRP authentication configurations on both the Cisco router and the GSS.


OL-7308-01


– To verify the Cisco router running IOS release 12.1, enter the show ip drp command. If the line Authentication is enabled, using "test" key-chain appears in the output (where “test” is the name of your key-chain), DRP authentication is configured on the router. If this line does not appear in the output, DRP authentication is not configured.

– To verify GSS version 1.2(2), access the Global Proximity Configuration details page (Traffic Mgmt tab) on the primary GSSM GUI and observe if the DRP Authentication selection is set to Enabled or Disabled (see the Cisco Global Site Selector Global Server Load-Balancing Configuration Guide, Chapter 9, Configuring Network Proximity).

Modify the DRP authentication configuration on either the Cisco router running IOS release 12.1 or the primary GSSM GUI and make them consistent to avoid a DRP authentication mismatch.

• When the GSS operates as a client with a TACACS+ server, the GSS may restrict user access to all CLI commands. This behavior may occur when you specify an encryption key on the GSS using the tacacs-server host command but do not specify the same encryption key on the TACACS+ server. In this case, the CLI command restriction takes place immediately on the GSS once you enter the aaa authorization commands command.

The workaround is to enter the tacacs-server host command on the GSS, and then specify the same encryption key on the TACACS+ server before you enter the aaa authorization commands CLI command on the GSS. If the GSS fails authorization on all CLI commands and you are unable to change the encryption key on the TACACS+ server, power cycle the GSS. Because the CLI commands entered prior to the power cycle were not saved in the GSS startup-configuration file, you can regain access to the GSS CLI and redo the TACACS+ configuration.

• When you use a TCP keepalive with the fast detection and graceful termination methods to test a Telnet service on a server running Windows Server 2003, port 23 may fluctuate between the Up and Down state (port flapping). If port flapping occurs on TCP port 23 of Windows Server 2003, you will notice an increase in keepalive negative probe and keepalive transition counts on the Answer Keepalive Statistics list page of the primary GSSM GUI. To resolve this issue, increase the Number of Retries value for the TCP keepalive. A retry value of three or four should be adequate to prevent flapping on port 23 when connecting to a server running Windows Server 2003.

Depending on the number of TCP keepalives you require to send on port 23 to servers running Windows Server 2003, specify the Number of Retries value as follows:

– If the GSS is transmitting numerous TCP keepalives using port 23, globally change the retry value for all TCP keepalives on the Configure Global KeepAlive Properties details page.

– If TCP keepalives are being used for different devices or ports, change the retry value on a per TCP keepalive basis using the Modifying Answer detail page.

• Cisco LocalDirector does not reply properly to TCP keepalives sent on port 23 from a GSS device. In this case, GSS keepalives fail when configured to probe LocalDirector. To resolve this behavior, specify a different keepalive method with LocalDirector or directly probe the servers located behind LocalDirector.

• The interface speed of the GSS 4490 cannot be configured to 1000 Mbps by using the interface ethernet {0 | 1} speed command. If you attempt to specify an operating speed of 1000, the GSS 4490 remains set at the previous setting (as displayed through the show interface command). To enable a GSS 4490 interface to operate at 1000 Mbps, specify a speed of auto. This selection allows the GSS 4490 autonegotiate to 1000 Mbps with other devices.

• In rare instances when a GSS runs out of user disk space, the device will stop logging messages to all log files. Logging does not automatically resume after you free up disk space on the GSS. This behavior may occur when you FTP a significant number of files to the GSS, which completely fills the available disk space on the GSS. To resolve this behavior, use the rotate-logs CLI command to replace the log files and resume logging.


OL-7308-01


• The GSS does not allow you to assign the same pre-existing access list to the two Ethernet interfaces. If you attempt to use the access-group CLI command to assign the same access list to Ethernet 0 and Ethernet 1, the following error message appears:%access-list list1 is already assigned to interface eth1.

To resolve this issue, generate an identical access list for the second Ethernet interface.

• The GSS requires a functioning nameserver to operate properly and perform DNS resolutions. If the nameserver is not properly configured using the ip name-server command, or if the configured nameservers are not reachable for any reason (down, network loss, or a firewall), the GSS will not be able to perform DNS resolutions when you attempt to log in. In this case, the timeout may take several minutes. This behavior occurs when you attempt to log in through a Telnet, SSH, or FTP connection.

There is no workaround for this behavior; the GSS always requires a functioning nameserver. To enable the GSS to perform DNS resolution, always configure more than one nameserver. For example:gss.example.com(config)#ip name-server 192.168.1.1gss.example.com(config)#ip name-server 192.168.2.2gss.example.com(config)#ip name-server 192.168.3.3

This behavior may also occur if you configure access lists for the GSS. In this case, the workaround is to create access lists that allow the DNS responses from a nameserver. For example:

gss.example.com(config)#access-list acl1 permit udp any eq 53

Another solution is to limit incoming DNS response packets only from your configured nameservers (more secure). For example:

gss.example.com(config)#access-list acl1 permit udp 192.168.1.1 255.255.255.255 eq 53gss.example.com(config)#access-list acl2 permit udp 192.168.1.2 255.255.255.255 eq 53gss.example.com(config)#access-list acl3 permit udp 192.168.1.3 255.255.255.255 eq 53

• Content and Application Peering Protocol (CAPP) may not recognize dropped fragments when a KAL-AP (KeepAlive-Appliance Protocol) keepalive spans multiple datagrams due to large payloads. When the KAL-AP keepalive spans multiple datagrams and one of the spanned packets is dropped, the GSS does not retry the request. Instead, the GSS waits until the next period and sends the packets again. This results in the dropped datagram not getting updated load values on the VIPs that expect them. This behavior typically occurs in situations where the GSS consumes the full datagram (roughly 1.4 K) with tag names or VIP addresses. Otherwise, all data fits perfectly in a single datagram.

To resolve this behavior, use the KAL-AP by VIP format when you need the GSS to send a detailed query on load for hundreds of VIPs configured to a single primary or optional secondary (backup) IP address. Another solution is to use the KAL-AP by Tag format, but to limit the length of Tag Names to ensure that the packets do not exceed 1.4K.


OL-7308-01

Software Version 1.2(2) Open Caveats, Resolved Caveats, and Command Changes

• The GSS 4491 correctly supports auto-negotiation as well as forcing the interface speed and duplex to a specific value. When the GSS 4491 is forced to 1000 Mbps full duplex through the CLI, it goes into autonegotiate mode but operates as specified by advertising only “1000-full.” When the GSS 4491 is forced to any other speed or duplex setting, it advertises “forced” rather than “negotiated.” The example below illustrates what happens when the GSS is forced to 1000 Mbps full duplex.

gss.example.com(config-eth1)#show interface eth1 Interface eth1 ip address 192.168.1.2 255.0.0.0 duplex full speed 1000

Interface State Link is up negotiated, 1000 mbps, full duplex Supported modes: 10-half, 10-full, 100-half, 100-full, 1000-full Advertised modes: 1000-full

• The GSS supports a maximum limit of 40 concurrent Telnet or FTP sessions within a 60-second window. The GSS can receive additional concurrent Telnet and FTP connections that are made outside of a 60-second window.

• The GSS supports a maximum limit of 250 SSH connections. When the GSS reaches this limit, the Connection terminated on signal 13 message may appear at the CLI of the computer where you initiated the SSH session to the GSS.


The following sections contain the open caveats, resolved caveats, and command changes in GSS software version 1.2(2):

• Open Caveats for Software Version 1.2(2)

• Resolved Caveats for Software Version 1.2(2)

• CLI Command Changes in Software Version 1.2(2)

Open Caveats for Software Version 1.2(2) This section lists the open caveats for Cisco Global Site Selector Version 1.2(2).

• CSCei10099—GSS software versions 1.2(1.1.2) and 1.2(2) fail to exchange configuration and statistic updates with GSS devices running GSS software version 1.2(1.0.3) or an earlier version. When this software version mismatch occurs, a GSS device running an incompatible software version will fail to receive configuration updates from the primary GSSM. In addition, the primary GSSM GUI will not update operating status and statistics for the GSS device. Although configuration updates do not occur between the devices, each GSS device continues to answer DNS requests and perform keepalive operations based on its current configuration.

The following log is a symptom of this behavior:


OL-7308-01


CRD-4-EXCEPTION[3794] java.rmi.UnmarshalException: err or unmarshalling return; nested exception is: %0A%09java.io.InvalidClassExceptio n: com.sightpath.merlot.server.SslClientSocketFactory; Local class not compatible: stream classdesc serialVersionUID=1590222007190899010 local class serialVersi onUID=1656318867001291063

Workaround: Upgrade all GSS devices running an older version of GSS software to the latest GSS software version 1.2(2.0.3).

Note Before you upgrade from GSS software version 1.1(x.x.x) to either software version 1.2(1.1.2) or 1.2(2.0.3), please verify if you are subject to defect CSCeh87172 as described in this section.

• CSCeg10406—The use of the gssm restore command to restore the primary GSSM from the backup file can sometimes result in a misconfiguration or malfunction of the keepalive engine and DNS server on the standby GSSM or GSS devices. This behavior is caused as a result of the newly restored configuration not properly overwriting the previous configuration on the primary GSSM.

The following logs are symptoms of a misconfiguration in either the keepalive engine or DNS server:

KAL-4-KALSTATSNOGID[916] Could not find KAL-GID [208] KAL-4-KALGIDNOTFOUND[20077] kalDeleteVip: No KAL-GID found, removing based on GID [88]: success CRD-4-ANSWERNOTEXT[912] answer id 214 doesn't exist in selector but in kale

The presence of a core file in the /core-files/keepalive and /core-files/dnsserver is evidence of this problem.

Workaround: Ensure the standby GSSM and all GSS devices have network connectivity with the primary GSSM and perform the following procedure:

a. Log on to the CLI of the standby GSSM or a GSS.

b. Enable privileged EXEC mode.

gss1.yourdomain.com> enablegss1.yourdomain.com#

c. Enter the gss stop command to stop your GSS server.

gss1.yourdomain.com# gss stop

d. Navigate to the / directory to locate the node.state file. If you locate the node.state file in the directory, delete it.

gss1.yourdomain.com# cd /gss1.yourdomain.com# del node.stategss1.yourdomain.com# cd /home

e. Enter the gss start command to force the standby GSSM or GSS to retrieve a fresh and complete configuration from the primary GSSM.

gss1.yourdomain.com# gss start

f. Repeat this procedure for each GSS device in your network.

• CSCef27479—When the GSS operates as a client with a TACACS+ server, the GSS fails to use the TACACS+ server for authentication when a user performs a remote SSH login using private and public key pairs. In this case, the SSH private and public keys on the GSS perform the user authentication and take priority over a TACACS+ server. If SSH private and public key pair authentication fails, then the TACACS+ server performs user authentication.


OL-7308-01


Workaround: To use a TACACS+ server for user authentication, disable the use of SSH key pairs on the GSS. Use the ssh keys CLI command to enable and disable SSH private and public key pairs. Refer to the Cisco Global Site Selector Getting Started Guide for details about configuring the GSS for remote access over an SSH session that uses private and public key pairs for authentication.

• CSCef58474—A GSS CLI session may become unresponsive when you enter the enable command to access privileged EXEC mode from user EXEC mode. This condition can occur when there are seven or more concurrent CLI sessions running on the same GSS.

Workaround: Reduce the number of concurrent sessions running on the same GSS to less than seven by logging out of one or more CLI sessions.

• CSCeh87172—After you upgrade to GSS software version 1.2(2.0.3) on both the primary GSSM and standby GSSM, the status of the standby GSSM remains offline when you monitor the GSS device status from the primary GSSM GUI. In this case, when you access the primary GSSM GUI Global Site Selectors details page to view the standby GSSM status, the following improper status information appears for the upgraded standby GSSM:

– Status—The status of the device is Offline.

– IP Address—The IP address of the primary gss-communications interface has been changed to that of the standby gss-communications interface, which is incorrect.

– Version—The GSS software version number listed for the standby GSSM is the prior version.

In addition, the output of the gss status CLI command on the primary GSSM includes the following incompatibility information:

"Cisco GSS - 1.2(2) GSSM - primary [Sat May 15 23:14:52 UTC 2004] The SGSSM is running old, incompatible version. It will not backup configuration data."

Updating the GSS software from version 1.1(x.x.x) to version 1.2(2.0.3) or from version 1.1(x.x.x) to version 1.2(1.1.2) may produce the symptoms outlined above. The following GSS software upgrades do not cause this problem to occur:

– v1.1(x.x.x) to 1.2(1.0.3)

– v1.2(1.0.3) to 1.2(1.1.2)

– v1.2(1.0.3) to 1.2(2.0.3)

– v1.2(1.1.2) to 1.2(2.0.3)

After you upgrade the GSS software from version 1.1(x.x.x) to either version 1.2(1.1.2) or 1.2(2.0.3) and configuration issues occur, each GSS device continues to answer DNS requests and perform keepalive operations based on its current configuration. However, the GSS software version 1.2(2) features do not function properly until you apply one of the appropriate workaround listed below.

Workaround: Depending on whether you upgraded the GSS software to version 1.2(2), perform the applicable corrective action outlined below:

a. If you have upgraded the GSS software to version 1.2(2) and encounter the issues outlined above, perform the following actions to correct this problem:

– Reboot the primary GSSM.

– Delete the standby GSSM from the Modifying GSS details page on the primary GSSM GUI.

– On the standby GSSM, enter the gss stop and gss disable commands to stop the GSS software running on the primary GSSM and to disable the standby GSSM.

– Enter the gss enable gssm-standby command to reenable the standby GSSM and direct it to the primary GSSM.

– Activate the standby GSSM on the Modifying GSS details page.


OL-7308-01


b. If you have not upgraded the GSS to software version 1.2(2), perform one of the following workaround sequences to upgrade each GSS device in your GSS network.

Workaround 1—Upgrade each GSS device to GSS software version 1.2(2) as outlined in the “Before Upgrading to Version 1.2(2)” section. When you upgrade the standby GSSM, make the following changes during the software upgrade procedure:

– On the standby GSSM, enter the gss stop and gss disable commands to stop the GSS software running on the primary GSSM and to disable the standby GSSM.

– Delete the standby GSSM from the Modifying GSS details page on the primary GSSM GUI.

– Install gss-1.2.2.0.3-k9.upg

– Enter the gss enable gssm-standby command to reenable the standby GSSM and direct it to the primary GSSM.

– Activate the standby GSSM on the Modifying GSS details page.

Workaround 2— Upgrade each GSS device to GSS software version 1.2(2) as outlined in the “Before Upgrading to Version 1.2(2)” section. During the GSS software upgrade process, perform the following GSS software upgrade sequence:

– Upgrade from GSS software version 1.1(x.x.x) to version 1.2(1.0.3).

– Upgrade from GSS software version 1.2 (1.0.3) to 1.2(2.0.3).

• CSCef94037—The NTP service remains enabled in a GSS even if you disable the service before performing a GSS reboot. With software version 1.2(1), there is a new ntp enable command to enable the NTP service on the GSS. The ntp enable command is used with the ntp-server command to synchronize the GSS system clock with an NTP time server. To preserve backwards compatibility with previous versions of GSS software, software version 1.2(1) automatically adds the line ntp enable to the startup-configuration file created by a pre-GSS version 1.2(1) version of software. The re-occurrence of the line ntp enable in the GSS startup-configuration file happens when you define one or more NTP servers through the ntp-server command. Each time you reboot the GSS, the GSS automatically enables the NTP service if it detects an NTP server in the startup-configuration file.

Workaround: If you do not plan to use the GSS with an NTP server:

a. Enter the no ntp enable command to disable the NTP service.

gss1.yourdomain.com# no ntp enable

b. Enter the no ntp-server command to disable all configured NTP servers.

gss1.example.com(config)# no ntp-server 192.168.0.1 92.168.0.2

Resolved Caveats for Software Version 1.2(2) This section lists the resolved caveats for Cisco Global Site Selector Version 1.2(2).

• CSCeh02440—With proximity and proximity wait enabled in a DNS rule, the GSS may wait indefinitely to perform a proximity selection. In this case, an applicable number of DRP probes fail to return RTT data. Because the GSS does not have sufficient RTT data to make a proximity decision, it will wait forever to receive that data. If you then disable the proximity Wait parameter, the requests will continue to fail, even though there may be a valid second clause available, because the GSS is still waiting for a sufficient number of RTT values to make the proximity decision.

The GSS now uses a set of criteria to determine if it should ignore the proximity Wait setting and return an empty (no zone) request to the DNS server process. The GSS evaluates if it has received sufficient probing results for all applicable zones to make a decision. For example, if a request contains four zones and the GSS receives one valid RTT and two failed probes, the GSS waits for


OL-7308-01


the last probe from the fourth zone to make a decision. If the GSS receives probing results from all applicable zones but is unable to satisfy the proximity Wait parameter, the GSS ignores the proximity wait setting and returns an empty (no zone) request to the DNS server process. In this case, the GSS can then proceed to the next clause in the DNS rule.

• CSCeg03056—With global sticky enabled, each GSS in a sticky peer mesh uses only the Lookup Fast queue and does not use the Lookup Slow queue. The output of the show statistics sticky global and show sticky global commands include Lookup Fast and Lookup Slow fields in their show output, however no value will appear in the Lookup Slow field.

For the version 1.2(1) software release, the GSS does not use the Lookup Slow queue. In this case, the GSS sends all inter-GSS global sticky messages to the Lookup Fast queue, including all sticky lookups with transmission interval greater than five seconds. Note that this behavior does not impact global sticky operation. The use of the lower priority Lookup Slow queue is most beneficial when operating under a very heavy DNS request rate load with four or more GSS devices in a global sticky peer mesh.

• CSCeg13386—With proximity enabled in a DNS rule, if you do not enable authentication on the primary GSSM GUI but you enable authentication on a Cisco IOS-based router, DNS requests sent to the GSS will fail. The DNS request failures are a direct result of a DRP authentication misconfiguration between the GSS and the router. The DNS requests may continue to fail even if you later enable authentication on the primary GSSM.

To verify a DRP authentication misconfiguration, use the following tools for monitoring network proximity status and statistics:

– Primary GSSM GUI—Access the Proximity Probe Mgmt Statistics list page, located in the Traffic Mgmt section of the Monitoring tab. Review the DRP echo and measurement packets sent and received by each GSS device. If the statistics on the list page do not increment, this can indicate a DRP authentication misconfiguration.

– GSS CLI—Enter the show statistics proximity probes detailed CLI command for each GSS in your network and view the output. Verify if DRP authentication is enabled and review the DRP echo and measurement requests sent and received by the GSS device per probe device. If the statistics on the show output do not increment, this can indicate a DRP authentication misconfiguration.

• CSCeg14268—When you enter the Help prompt (?) after including either the | (pipe) or the > (redirect) command with a GSS CLI command, the CLI command may fail to execute and the % Invalid pipe. Allowed commands... message, or a similar error message, appears.

For example:

gss1# show version >? verbose Display additional system information <cr> gss1# show version sh: -c: line 1: syntax error near unexpected token `|'sh: -c: line 1: `/cisco/merlot/bin/spen cli-show --version > |more -40'

or

gss1# show version | ? verbose Display additional system information <cr>gss1# show version % Invalid pipe. Allowed commands are: grep, sort, wc, monitor

• CSCeg15299—One or more GSS keepalives (ICMP, TCP, HTTP-HEAD, KAL-AP, CRA, and Name Server) may exhibit the following behaviors:

• Keepalive status incorrect


OL-7308-01


• Keepalive remains in OFFLINE or ONLINE state indefinitely

• Keepalive status is inconsistent between GSS devices in a GSS network

• Keepalive statistics not incrementing at either the CLI or primary GSSM GUI

• Keepalive packets not being transmitted keepalive packet transmission interval incorrect

A system timer in GSS software versions 1.1(1.4.0) and earlier, and in versions 1.2(1.0.3) and earlier becomes unreliable after 24 days of uptime. The system timer is used for calculating keepalive transmission intervals. If certain events occur after 24 days, then keepalive detection may not accurately reflect the status of keepalive targets and the failure may not be properly reported by the GSS.

• CSCeh20083—A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled “ICMP Attacks Against TCP” (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

• Attacks that use ICMP “hard” error messages

• Attacks that use ICMP “fragmentation needed and Don't Fragment (DF) bit set” messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

• Attacks that use ICMP “source quench” messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft. Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

The PSIRT advisory is posted at :

http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected.

With the release of software version 1.2(2), the GSS ignores inbound ICMP source quench error packets.

• CSCeg27309—With global sticky enabled in a DNS rule, when you use an option in the sticky database delete CLI global configuration command other than the all option to remove a large number of entries from the sticky database of a GSS device, the following two error messages may appear on the CLI:

Nov 9 19:00:01 SYSDB_ITEM_FAIL prox rc=50, mConnId=7, on the 1 attemptNov 9 19:00:02 SYS-4-CLIDSNODATA[18919] No buffer from DataServer for delete request

These two messages indicate that the GSS CLI timed out prior to instructing you that the GSS successfully deleted the sticky entries. Although these two messages appear, the GSS successfully deleted the specified sticky database entries. You may ignore these two messages.

• CSCeg35087— In some cases, a GSS declares a resource to be online after it receives a single successful keepalive, regardless of the setting of the Number of Successful Probes parameter (Fast KAL mode). When a GSS sends keepalives to a resource and a resource goes offline, for that resource to declared online once again the GSS must receive a successful reply from this resource for a


OL-7308-01

http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml


user-configured number of times. You define the number of successful replies using the Number of Successful Probes parameter on the Configure Global KeepAlive Properties details page or the Shared KeepAlives details page. A GSS should declare a device to be online only when the user-specified number of successful probes has been successfully received by the GSS.

• CSCeh36760—The GSS does not respond to SRV queries to non-existent domains. Currently, the GSS only sends a NXDOMAIN for SOA, NS, MX, CNAME, TXT, and PTR types of queries. To properly address SRV queries to non-existent domains, the GSS should send an NXDOMAIN response to SRV queries.

• CSCeh41727—The GSS improperly responds to SNMP requests for the MIB-2.system.sysObjectID (OID 1.3.6.1.2.1.1.2.0), such that the application that you use to perform the SNMP query cannot map the response to the correct Cisco Systems GSS product ID.

• CSCeg43113—As the GSS administrator, if you use the Netscape, Mozilla, or Firefox Internet browsers to access the Modifying User details page in the primary GSSM GUI (Tools tab, the User Administration navigation link), the GUI may randomly change the user’s password setting after you click Submit. This behavior occurs even if you did not modify the user’s password. If the modified password is for the current logged in user or for the administrator, the user or administrator will be automatically logged out within a few seconds of the change. This behavior does not occur when using the Internet Explorer browser.

• CSCeg47641—In some instances, the GSS may not resolve the most specific, or the longest, domain name match when using wildcard characters. Wildcard domain name matching, as performed by the active DNS rule, may function incorrectly when domain names use overlapping wildcard domains. The following example illustrates overlapping wildcard domain names through the use of regular expressions:

.*

.*\.com

.*\.example\.com

.*\.eng\.example\.com

For background details on configuring wildcard domains, refer to the “Hosted Domains and Domain Lists” section in Chapter 1, Introducing the Global Site Selector in the Cisco Global Site Selector Global Server Load-Balancing Configuration Guide.

• CSCee59028—When the GSS operates as a client with a TACACS+ server, it may prompt you for your TACACS+ password followed by your local password. This dual password prompting occurs when all configured TACACS+ servers are down and you attempt to perform local authentication with the GSS using either the console port or a Telnet connection.

• CSCeh71834—All domain names configured in a domain list should be treated as case-insensitive by each GSS device in the network when responding to DNS queries with domain names of lower, upper, or mixed case. For example, if you configure a domain list with a domain name of www.foo.com, the GSS should respond to DNS queries requesting WWW.foo.com or WwW.FoO.CoM as well as www.foo.com. However, for GSS software version 1.2(2.0.2), the GSS is case-sensitive to domain names and will ignore domain names that differ in case. This issue has been resolved and the GSS is now case-insensitive to DNS queries with domain names of lower, upper, or mixed cases.

• CSCeg72641—The GSS may display one or more of the following behaviors:

• The CLI gss status command output indicates that one or more subsystems restarted

• The GSS reports Java exception memory errors in a log file


OL-7308-01


• CLI or GUI operation fails

• The GSS fails to operate properly after you enter the gss stop and gss start commands

The GSS may exhibit these symptoms when it loses memory over a period of time due to a memory leak. Eventually, this malfunction can cause one or more GSS subsystems to fail, and the GSS to restart. You may notice this behavior when you perform an action that causes a temporary spike in memory usage, such as making a configuration change through the primary GSSM GUI. The failure time is approximately 40 days since the GSS software was last restarted.

• CSCeg73821—When you specify a hostname for a GSS (primary GSSM, standby GSSM, or GSS device) that is operating in a lab network environment, the top-level domain of the hostname cannot begin with a numerical value. For example, you cannot name a primary GSSM as gssm.1lab. The primary GSSM GUI may exhibit performance issues if the hostname's top level domain starts with a numerical value. The following error message appears:

System Error Occurred Please contact Cisco Systems support. Error Time: Mon April 4 08:00:52 GMT 2005 Page Name: menu Error Message: java.lang.NullPointerException - null

• CSCeg79571—In some cases, a GSS may not failover a DNS request when sticky is enabled. This behavior can occur when you enable sticky in the first clause of a DNS rule and you also include a failover clause in the DNS rule with name server (NS) type answer. Non-resolvable DNS queries (for example, MX or TXT) will not use the failover clause and are automatically sent to the configured name server.

• CSCef88373 & CSCee05872—When using a TACACS+ server that is connected to an RSA SecurID server to perform primary GSSM GUI authentication, after approximately a two-minute interval the user’s administrative session times out and requires reauthentication by the TACACS+ server. By default, the Internet browser automatically attempts to perform a second login based on the credentials initially entered when the session was first established. Ultimately, the user gets prompted because the password has changed. However, the user's session with the primary GSSM GUI is blocked because the passcode entered has now changed and the administrator’s RSA token status has been placed into NEXT PASSCODE mode. Due to this behavior, the administrator cannot access the primary GSSM GUI until the RSA token is reset. This behavior has been corrected in the version 1.2(2) software release; the GSS does not directly support the SecurID New Pin mode and Next Token mode.

• CSCef93647—The previous version of the net-snmp agent, included as part of the GSS software versions 1.0 and 1.1, failed to enforce the default security model and allowed access to all MIBs. With the release of software version 1.2(1), an updated version of the net-snmp agent eliminated access to all MIBs except for the system MIBs. With the release of software version 1.2(2), the security model has been changed to allow access to MIBs that were available in the original GSS 1.0 and 1.1 software releases.

• CSCef93973—If you set up an NTP server after enabling NTP on a GSS, the following message may appear:

% Failed to set the clock via NTP using 192.168.0.1

This message appears erroneously even though you properly enabled and configured the NTP server on the GSS and the NTP service is functioning properly. You may ignore this message.


OL-7308-01


CLI Command Changes in Software Version 1.2(2)Table 2 lists the commands and options that have been added or changed in GSS software version 1.2(2). For detailed information about the CLI commands in the GSS software, refer to the Cisco Global Site Selector Command Reference.

Table 2 CLI Commands Added or Changed in Version 1.2(2)

Command and Syntax Description

logging facility The new logging facility global configuration mode command enables you to specify a syslog facility type to identify the behavior of the syslog daemon (syslogd) on the host. The syslog daemon uses the specified syslog facility to determine how to process messages. Each facility configures how the syslog daemon on the host handles a message.


logging facility type

Enter the type option to specify the syslog facility type. The type option supports the following facility types:

• auth—Authorization system

• daemon—System daemon

• kernel—Kernel









• mail—Mail system

• news—USENET news

• syslog—System log

• user—User process

• uucp—UNIX-to-UNIX copy system


OL-7308-01


ftp-client enable The new ftp-client enable CLI command allows you to enable access to the FTP client for different types of users. The all option allows you to enable access for all users, while the admin option allows you to enable access command for administrative users only.


ftp-client enable {all | admin}

The no form of this command allows you to remove a specific FTP client configuration and return to the default disabled state.

show tech-support core-files [verbose] The show tech-support core-files command output has been modified to display the core file size in KB, Mb, or GB, as appropriate.

The verbose option has been added to the show tech-support core-files command to assist in troubleshooting by Cisco engineers in instances where the internal GSS applications generate core files. The verbose option provides a backtrace of the stack of all the core files.

proximity database delete The proximity database delete CLI command has a series of additional options to provide more control over the entries you can delete from the proximity database. You may now delete proximity database entries based on a specific criteria.


proximity database delete {all | assigned | group {name} | inactive minutes | ip {ip_address} netmask {netmask} | no-rtt | probed}


• all—Removes all proximity database entries from GSS memory. The prompt Are you sure? appears to confirm the deletion of all database entries. Specify y to delete all entries or n to cancel the deletion operation. This command does not delete proximity database entries saved as part of an automatic dump to a backup file on disk.

• assigned—Removes all static entries from the proximity database.

• group name—Removes all entries related to a named proximity group. Specify the exact name of a previously created proximity group.

• inactive minutes—Removes all dynamic entries that have been inactive for a specified period. Valid values are 0 to 43200 minutes.

• ip ip_address netmask netmask—Removes all proximity entries related to a D-proxy IP address and subnet mask. Specify the IP address of the requesting client’s D-proxy in dotted-decimal notation (for example, 192.168.9.0) and specify the subnet mask in dotted-decimal notation (for example, 255.255.255.0).

• no-rtt—Removes all entries from the proximity database that do not have valid RTT values.

• probed—Removes all dynamic entries from the proximity database.




OL-7308-01


show proximity database The show proximity database CLI command has a series of additional options to provide more control over the entries you can view in the proximity database. You may now display proximity database entries based on a specific criteria.


show proximity database {all | assigned | group {name} | inactive minutes | ip {ip_address} netmask {netmask} | no-rtt | probed}


• all—Displays all entries in the proximity database.

• assigned—Displays all static entries in the proximity database.

• group name—Displays all entries related to a named proximity group. Specify the exact name of a previously created proximity group.

• inactive minutes—Display all entries that have been inactive for specified amount of time. Valid values are 0 to 43200 minutes.

• ip ip_address netmask netmask—Displays all proximity entries related to a D-proxy IP address and subnet mask. Specify the IP address of the requesting client's D-proxy in dotted-decimal notation (for example, 192.168.9.0) and specify the subnet mask in dotted-decimal notation (for example, 255.255.255.0).

• no-rtt—Displays all entries in the proximity database that do not have valid RTT values.

• probed—Displays all dynamic entries in the proximity database.




OL-7308-01

Obtaining Documentation, Obtaining Support, and Security Guidelines


For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Copyright © 2005 Cisco Systems, Inc. All rights reserved.

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn isa service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the CiscoCertified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS,iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers,Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient,and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply apartnership relationship between Cisco and any other company. (0711R)


OL-7308-01

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html



OL-7308-01

release note for the cisco global site selector, release 1 ... · release note for the cisco global...

Documents