Release Notes for Cisco LocalDirector Version 3.3

This enhancement [in response to CSCdr24480] allows the most available LocalDirector to become the active unit in a failover implementation without intervention by the network administrator. An available LocalDirector is defined as a unit that has all network interfaces fully operational (also referred to as 100% healthy).

A new flag is used to perform a state check on LocalDirectors. This failover mechanism supports the following scenario without network administrator manual intervention to issue the failover reset command. The primary LocalDirector has an interface failure, and the standby LocalDirector becomes the active unit. If the failure on the interface is restored (and considered 100% healthy) on the primary LocalDirector and the active standby LocalDirector has an interface failure, the primary LocalDirector is switched to active without manual intervention.

This switch will not occur when both the active and the standby LocalDirector have interface failures.

New Feature for Interaction Between LocalDirector and DistributedDirector

The dynamic-feedback-agent command and the dynamic-feedback-agent-ip command have been added to LocalDirector Release 3.3 so that Cisco Systems DistributedDirector units can download availability information on virtual servers from LocalDirector. DistributedDirector units can use this information to identify load imbalances over multiple sites and distribute Internet traffic more evenly. The process is performed by a Dynamic Feedback Protocol (DFP) manager on the DistributedDirector and a DFP agent on LocalDirector. The DFP agent calculates an availability metric for specified virtual servers, and the DFP manager uses the metrics to make load-balancing decisions.

The dynamic-feedback-agent command enables listening for IP connection requests from DFP managers. If listening has not been enabled, LocalDirector does not honor the connection request. Command syntax and an example of the command follow.

[no] dynamic-feedback-agent [port]

localdirector(config)# dynamic-feedback-agent
localdirector(config)# show dynamic-feedback-agent
dynamic-feedback-agent 8080

The optional port parameter specifies the TCP port. The default port is 8080. The no-dynamic-feedback-agent command disables listening and closes any current DFP connections.

The dynamic-feedback-agent-ip command specifies DFP manager hosts (DistributedDirector units) that can connect to LocalDirector for DFP communications. If no IP address has been specified, LocalDirector does not honor the connection request. You can enter up to 256 IP addresses. LocalDirector can support up to 256 connections at one time. Command syntax and an example of the command follow.

[no] dynamic-feedback-agent-ip ip_address [password]

localdirector(config)# dynamic-feedback-agent-ip 10.10.10.200
localdirector(config)# show dynamic-feedback-agent-ip
dynamic-feedback-agent-ip 10.10.10.200

The ip_address parameter specifies the IP address of the host. The optional password parameter enables security (MD5 encryption) and specifies the security password (up to 64 ASCII characters) for the connection. The no-dynamic-feedback-agent-ip command removes an IP address (and closes the connection if one for that IP address is currently open). If the password option has been specified, you must include it in a command to remove an IP address.

Feature for Cookie-based sticky Command Options

The cookie-insert and cookie-passive options have been added to the sticky command to enable sticky connections based on a cookie in the HTTP GET request.

The sticky connection for the cookie-insert option relies on a cookie created by LocalDirector. The sticky connection for the cookie-passive option relies on a cookie created by the sticky real server. Command syntax and an example of the command follow.

Note A cookie generated by the client side does not work in cookie-passive mode.

[no] sticky virtual_id minutes [generic | ssl | cookie-insert [name] [domain] | cookie-passive name]

ld(config) 10# virtual 192.168.1.1:444:0:tcp
ld(config) 11# virtual 192.168.1.1:445:0:tcp
ld(config) 12# sticky 192.168.1.1:444:0:tcp 100 cookie-insert LDcookie
ld(config) 13# sticky 192.168.1.1:445:0:tcp 1000 cookie-passive mycookie
ld(config) 14# show sticky
Virtual Machine(s) 	Sticky
	192.168.1.1:445:0:tcp	1000	 			cookie-passive mycookie
	192.168.1.1:444:0:tcp	100	 			cookie-insert LDcookie

The sticky real server association is based on the IP address of the virtual server specified by the virtual_id parameter. The Cookie-insert option adds the minutes value to the LocalDirector clock time (set by the clock set command described below) to calculate the date in the future when the association expires. Using the optional name and domain parameters for cookie-insert, you can enter your own cookie value and domain name (which you may find useful for tracking purposes). If you do not enter a cookie name value, the default value is LocalDirector-Insert-Cookie (there is no default domain name). The Cookie-passive option requires you to enter a value for the name argument. It is a keyword used by LocalDirector to identify packets from the sticky real server. The name is limited to 128 bytes. If you enter a name that is greater than 128 bytes, LocalDirector ignores the extra bytes.

The syntax for the clear sticky and the show sticky commands has changed. You can now clear or show sticky associations for the virtual server or the real server.

clear | show sticky [virtual | real] [virtual_id | real_id]

If you select the virtual keyword, you must follow it with the virtual_id parameter (the virtual server IP address or name, port number, bind-id, and protocol). If you select the real keyword, you must follow it with the real_id parameter (the IP address or name of the real server, port number, bind-id, and protocol).

New Feature for Setting the Clock in Cisco LocalDirector

Use the clock set command to set the date and time for LocalDirector. You must enter the Coordinated Universal Time (UTC), which is the international time standard used by LocalDirector. You cannot disable the clock. Command syntax and an example of the command follow.

clock set hh:mm:ss month day year

localdirector(config)# clock set 17:00:00 march 21 2000
localdirector(config)# show clock set
Tues 17:00:04 Mar 21 2000 UTC

Warning You must set the date and time accurately if you are using the cookie-insert option of the sticky command.

Feature for Showing Virtual Servers, Active Connections, and Total Number of TCP SYN Packets Sent

Use the show syn command to show LocalDirector virtual servers, the number of active connections for each virtual server, and the total number of TCP SYN packets sent for the active connections. The command syntax is:

show syn virtual_id

Where virtual_id is the virtual server IP address or name, port number, bind-id, and protocol. This command displays the virtual server addresses, the total number of active connections, and the cumulative number of TCP SYN packets sent for connection attempts. The Syn Count is decremented by LocalDirector after a connection is closed. The Syn Count can be used to estimate the number of unanswered SYNs for virtual IP addresses. LocalDirector can provide limited protection against SYN attacks to the virtual IP address with the synguard command. An example of the show syn command display follows.

localdirector(config)# sh syn
       Virtual Machine(s)               Conns   Syn Count
    14.14.14.100:80:0:udp                  0           0
    14.14.14.100:21:0:tcp                  0           0

Important Notes

The following list contains important notes about Cisco LocalDirector Version 3.3.

The Gigabit Ethernet network interface cards are used only on LocalDirector 420 and 430 hardware platforms.
You must clear the ARP tables for the router adjacent to LocalDirector when you upgrade LocalDirector software from Version 2.x to 3.x.
Use Table 1 to ensure compatibility between LocalDirector and the Content Verification System (CVS) software.

Table 1: Compatible Version Numbers for Content Verification System and LocalDirector Software

Content Verification System (CVS) Version Number	LocalDirector Version Number
CVS Version 3.1.x	LocalDirector Version 3.1.x
CVS Version 3.2.x	LocalDirector Version 3.2.x
CVS Version 3.3.x	LocalDirector Version 3.3.x

There is one combination of Netscape browser and Apache Web server that does not work with the sticky Secure Socket Layer (SSL). With Version 4.04 of the Netscape browser, the SSL handshake occurs, data is sent from the client, and then the connection pauses. The server appears unable to work with the data received from the client. This problem occurs in all Netscape Version 4.04 and Apache combinations with or without Cisco LocalDirector. [CSCdk91721]

LocalDirector supports the SSL Version 2/3 hybrid client hello message. This hybrid allows the client to send a Version 2 hello message as long as the client communicates with the server using (through LocalDirector) using Version 3 after the handshake. Internet Explorer 4.0 does not work with Microsoft Internet Information Server because the server replies to the Version 2 client hello message with a Version 2 server hello message. [CSCdm46555]

Table 2 shows combinations of browsers and Web servers that perform correctly.

Table 2: Working Combinations of Web Browsers and Web Servers

Browser	Apache Web Server	IIS Web Server
Netscape Navigator	Works	Works
Opera	Works	Works
Microsoft Internet Explorer	Works	Works if SSL Version 2 is turned off. Refer to CSCdm46555 Release Note Enclosure or Microsoft customer service document Q187498 for instructions.

Browser

Apache Web Server

IIS Web Server

Netscape Navigator

Works

Opera

Works

Microsoft Internet Explorer

Works

Works if SSL Version 2 is turned off.

Refer to CSCdm46555 Release Note Enclosure or Microsoft customer service document Q187498 for instructions.

To assign a relative value to the distribution of connections for a real server, use the weight command. Use the optional time_value to specify the length of time before LocalDirector reverts to the static weight. Use the no weight command to remove a weight value from a real server. Command syntax and an example of the command follow.

[no] weight real_id number [time_value{s|m}]

time_value (Optional) The length of time before LocalDirector reverts to the static weight. An "s" for seconds or an "m" for minutes appended to the time_value input determines the time denomination. The default input time denomination is seconds.

localdirector(config)# weight 1.1.1.1 10 20s

The Opera browser does not always use the same SSL session ID from the server. Consecutive connections to a secure virtual server using SSL sticky do not guarantee a return to the same real server because of the way Opera handles session IDs. Opera uses a new session ID and creates a new sticky association. [CSCdm49617]
The resolution for setting the default interval for User Data Protocol (UDP) connections on real servers is the adjustment of the TIMEOUT knob for the real machines. [CSCdm15526]
Using the older format for the port parameter (ip_address port) causes some commands, including the no sticky command, to be ignored without generating error messages. Check older configuration files to ensure that the new format is used (ip_address:port). This problem is due to the way the CLI reads virtual machine types. Use the following syntax to remove a sticky timer:
no sticky virtual_id:port:bind_id. [CSCdk90873]
When two identical cookies (two cookies with the same NAME and VALUE) exist on two different servers, cookie-passive mode in LocalDirector Version 3.3.x cannot work properly. LocalDirector makes decisions on the sticky relationship based on the cookie received from the Web server. The second identical cookie breaks the first sticky relationship on LocalDirector. [CSCdr23613]

Caveats

Caveats describe unexpected behavior in Cisco LocalDirector 3.3. This section contains open and resolved caveats for Cisco LocalDirector Version 3.3.

Warning If two servers have the same cookie name and value, the client sessions do not stick with one particular server. [CSCdr23613]

Open Caveats--LocalDirector Releases 3.3.1, 3.3.2, and 3.3.3

CSCdr83742

: Sticky associations do not follow reassigned connections.

CSCdr55437

: LocalDirector clock occasionally stops running after the clock set command.

CSCdr72359

: LocalDirector detects that a UDP real server is not available, but cannot infer when the UDP real server should be taken out of testing mode.

CSCdr22912

: For FTP data, LocalDirector is not forwarding SYN/ACK flags from the client out of the server port.

CSCdr24904

: In cookie-sticky mode, the cookie timer should be at least 10 minutes.

CSCdr32478

: LocalDirector reports wrong information to DistributedDirector after a change in bind-id.

CSCdr00327

: LocalDirector locks up with configuration net command if configuration on the tftp server is different from that on LocalDirector.

CSCdm44441

: LocalDirector does not rotor UDP traffic with the source port of 0.

CSCdr35852

: Replication of a connection that is freed bythe primary LocalDirector crashes the standby LocalDirector.

CSCdr37219 [Duplicate of CSCdr74300]

: LocalDirector crashes when it completely runs out of connection objects.

CSCdr45475

: Real server MAC addresses in the LocalDirector ARP table disappear and reappear.

CSCdr53755

: LocalDirector loses configuration after the reload command.

CSCdr55231

: LocalDirector does not implement round-robin with the predictor command.

CSCdr33978

: When the dfp agent is active on LocalDirector and all virtual servers have been removed, LocalDirector does not send out preference information message as required by the DFP specification. This causes DistributedDirector to continuously try to re-establish the connection.

CSCdp06649

: Long-term connections are not preserved after stateful failover on LocalDirector.

Resolved Caveats--LocalDirector Release 3.3.3

CSCdr53739

: The show syn command is not documented in LocalDirector help, CCO, or manuals.

CSCdr05020

: The cookie-passive mode never times out after the second real server is selected.

CSCdp94409

: A cut in the Gigabit Ethernet cable does not recover automatically and shuts down all other interfaces.

CSCdr31452

: The secondary LocalDirector crashed with a virtual server configured with the generic option of the sticky command and the replicate command for stateful failover.

CSCdr91101

: LocalDirector runs out of 4-byte blocks in cookie-passive mode.

CSCdr53157

: Unlock code block does not work on LocalDirector 420 with a single four-port interface card.

CSCdr39126

: Maintenance mode on the real server is not being replicated to the standby LocalDirector.

CSCdr91185

: The cookie-insert option does not work.

CSCdr50684

: Unknown message in CASA (fillout_action_seqadj:).

CSCdr83313

: LocalDirector does source SNMP traps using port 0.

CSCdr54346

: LocalDirector crashes with the backup command.

CSCdr02476

: LocalDirector sends CASA packets with incorrect CASA header information.

CSCdm76980

: SNMP walk enters an infinite loop if two real servers or two virtual servers have different protocol designators.

CSCdp74850

: SNMP state-change traps are incorrect.

CSCdm76995

: LocalDirector does not forward the last ACK from the server, causing retransmits.

CSCdr52014

: LocalDirector does not update SNMP community name and continues to send public name to SNMP management console.

CSCdr89848

: LocalDirector assertion error occurs with the cookie-insert option in the sticky command.

CSCdr84804

: The Cookie-insert option in the sticky command crashes both LocalDirectors.

CSCdr73827

: LocalDirector increments the RST count for an illegal TCP sequence from the client.

CSCdr68689

: LocalDirector crashes with the cookie-insert option in the sticky command.

CSCdr91166

: Crash using cookie-insert option in the sticky command.

CSCdr90874

: DUPB crash in Version 3.3.2.109 with cookie-insert option in the sticky command.

CSCdr57066

: The default redirect dispatch casa command stops the wildcard (MNLB) to the Forwarding Agent.

Platform-Specific Documents

The following documents are specific to Cisco LocalDirector Version 3.3 and are located on CCO and the Documentation CD-ROM:

Cisco LocalDirector Installation and Configuration Guide, Version 3.3

: On CCO at:
: Cisco Product Documentation: Internet Service Unit (ISU) Documentation:LocalDirector Documentation:Cisco LocalDirector Installation and Configuration Guide Version 3.3
: On the Documentation CD-ROM at:
: Cisco Product Documentation:LocalDirector Documentation:LocalDirector Version 3.3 Documentation

Release Notes for Cisco LocalDirector Version 3.3.

Obtaining Documentation

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly. Therefore, it is probably more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Registered CCO users can order the Documentation CD-ROM and other Cisco Product documentation through our online Subscription Services at http://www.cisco.com/cgi-bin/subcat/kaojump.cgi.

Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-4000 or, in North America, call 800 553-NETS (6387).

Obtaining Technical Assistance

Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.

Cisco Connection Online

Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.

You can access CCO in the following ways:

WWW: www.cisco.com
Telnet: cco.cisco.com
Modem using standard connection rates and the following terminal settings: VT100 emulation; 8 data bits; no parity; and 1 stop bit.
- From North America, call 408 526-8070
- From Europe, call 33 1 64 46 40 82

You can e-mail questions about using CCO to cco-team@cisco.com.

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.

To display the TAC web site that includes links to technical support information and software upgrades and for requesting TAC support, use www.cisco.com/techsupport.

To contact by e-mail, use one of the following:


`Language`	`E-mail Address`
`English`	`tac@cisco.com`
`Hanzi (Chinese)`	`chinese-tac@cisco.com`
`Kanji (Japanese)`	`japan-tac@cisco.com`
`Hangul (Korean)`	`korea-tac@cisco.com`
`Spanish`	`tac@cisco.com`
`Thai`	`thai-tac@cisco.com`

In North America, TAC can be reached at 800 553-2447 or 408 526-7209. For other telephone numbers and TAC e-mail addresses worldwide, consult the following web site: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:

Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate and value your comments.

This document is to be used in conjunction with the documents listed in the Related Documentation section.

Access Registrar, AccessPath, Any to Any, Are You Ready, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, the Cisco logo, Cisco Certified Internetwork Expert logo, CiscoLink, the Cisco Management Connection logo, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Capital, the Cisco Systems Capital logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, the Cisco Technologies logo, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, IQ Breakthrough, IQ Expertise, IQ FastTrack, IQ Readiness Scorecard, The IQ Logo, Kernel Proxy, MGX, Natural Network Viewer, NetSonar, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, Precept, RateMux, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, The Cell, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, The Internet Economy, and The New Internet Economy are service marks; and Aironet, ASIST, BPX, Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems, the Cisco Systems logo, the Cisco Systems Cisco Press logo, CollisionFree, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, FastSwitch, GeoTel, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0005R)

Table of Contents

Release Notes for Cisco LocalDirector Version 3.3