ACE 4710 - show stats connection questions
Hi,
I have three questions regarding the "show stats connection" command in the ACE 4710:
1. What is the criteria for a connection to be added to the "Total Connections Failed" counter?
2. What is the criteria for a connection to be added to the "Total Connections Timed-out" counter?
3. Is there a command to get more information why the connection was failed or timed-out (e.g. to/from which IP, url accessed etc.)?
Thanks in advance for your help!
Best regards,
Harry
Harry,
a connection failed if the server did not respond or resonded with a RST.
As long as the connection gets establised, it is counted as a success.
The connection timeout counter is incremented when the connection is idle for the configured timeout value or for L7 connections if it does not complete the 3-way handshale within the embryonic timeout interval.
Since this is clear why those counters are incrementing, the only way to get more information is to capture a sniffer trace to verify if the conditions above are met.
Gilles.
Similar Messages
-
Server-conn reuse stats on ACE 4710?
Hi,
Does anyone know if it's possible to get the server-conn reuse stats on an ACE 4710 appliance? I'd like to confirm that it's working and ideally see the number of resued connections.
Thanks,
JimScimitar1/Admin# show np 1 me-stats "-socm -v" | i [uU][sS][eE]
Reuse retrieve link update conn invalid 0 0
Reuse retrieve link update conn not on r 0 0
Reuse retrieve success but conn invalid: 0 0
Reuse retrieve miss: 0 0
Reuse conns retrieved: 0 0
Scimitar1/Admin#
The last 2 indicates if a new connection is needed (miss) or if we could retrieve an existing one.
Gilles. -
ACE 4710 - Monitoring Real Server Showing N/A
I recently installed a Cisco ACE 4710 version A4(2.0) into our test network. Load balancing across a number of web servers appears to be working ok and serving pages to users. However, when i tried to check the real time stats via device manager (Monitor> virtual contexts> context > Real servers) a number of fields specifically "current connections", "total conns", "failed conns" etc were showing N/A. Do I need to enable this somehow i.e. polling, if so how?
Hello Samson,
You may try to reboot the entire ACE 4710, probably during a maintenance window, some java process might have gotten stuck.
If the issue persists then open a TAC case since there are some software defects related to this behavior.
Jorge -
Hi All ,
I am facing problem with my ACE 4710 in active-standby environment . When I check Show ft group detail on my Active ACE , it shows peer state as
FSM_FT_STATE_STANDBY_COLD for Admin context . Below is the output :
Primary_ACE/Admin#sh ft group detail
FT Group : 1
No. of Contexts : 1
Context Name : Admin
Context Id : 0
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 120
My Net Priority : 120
My Preempt : Enabled
Peer State : FSM_FT_STATE_STANDBY_COLD
Peer Config Priority : 100
Peer Net Priority : 100
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Tue Jan 1 05:32:55 2002
Running cfg sync enabled : Enabled
Running cfg sync status : Peer in Cold State. Error on Standby device when
applying configuration file replicated from active
Startup cfg sync enabled : Enabled
Startup cfg sync status : Peer in Cold State. Startup configuration sync ha
[7m--More--[m
s completed
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
FT Group : 2
No. of Contexts : 1
Context Name : APP_Context
Context Id : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 120
My Net Priority : 120
My Preempt : Enabled
Peer State : FSM_FT_STATE_STANDBY_HOT
Peer Config Priority : 100
Peer Net Priority : 100
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Tue Jan 1 05:32:56 2002
Running cfg sync enabled : Enabled
[7m--More--[m
Running cfg sync status : Running configuration sync has completed
Startup cfg sync enabled : Enabled
Startup cfg sync status : Startup configuration sync has completed
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
Also when I give show ft config-errors on my secondary ACE it gives the following result .
Secondary_ACE/Admin#sh ft config-error
Mon Jun 10 00:04:11 IST 2002
`no 3 match virtual-address 10.40.3.15 tcp eq https`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.15 tcp eq 8082`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.21 tcp eq www`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.21 tcp eq https`
Error: LB action requires match vip command
`2 match virtual-address 10.40.3.21 tcp eq https`
Error: This configuration already exists
`2 match virtual-address 10.40.3.21 tcp eq www`
Error: This configuration already exists
`2 match virtual-address 10.40.3.15 tcp eq 8082`
Error: This configuration already exists
`2 match virtual-address 10.40.3.15 tcp eq https`
Error: This configuration already exists
Error(s) while applying config.
I am attaching the running configuration of both the ACE's . Kindly help me in resolving the issue .
Also I noticed one thing . There is configuration difference in Primary and Secondary ACE . I guess this is causing the issue .
Need help to fix this asap .
Following configuration is missing on the secondary ACE .
======================================================================
class-map match-all WEB_FARM_VIP-80
3 match virtual-address 10.40.3.15 tcp eq www
policy-map type loadbalance first-match WEB_FARM_VIP-80-l7slb
class class-default
serverfarm HTTP-2-HTTPS
class WEB_FARM_VIP-80
loadbalance vip inservice
loadbalance policy WEB_FARM_VIP-80-l7slb
Thanks ,
TusharDear all,
Pls help me out in this regard, I dont have much idea about ACE.
Regards,
Sashi -
ACE 4710 Can not confirm http cookie sticky connections
We are using a ACE 4710 with A3(2.6) software release.
I had to change our sticky load balancing method for HTTPS to cookie based.
However while connections appear to work if I look at the sho sticky database table I can not see or confirm sticky entries for the cookie based connections.
Here or config snippets to show the config
sticky http-cookie ghh-www scook-ghh
cookie insert browser-expire
serverfarm ghh-www-443
class-map match-all ghh-www-443_CLASS
2 match virtual-address 172.16.1.21 tcp eq https
class-map type http loadbalance match-any ghh-www-443_CLASSURL
2 match http url [.]*
policy-map type loadbalance first-match ghh-sticky-443_POLICY
class class-default
sticky-serverfarm scook-ghh
policy-map multi-match POLICY
class ghh-www-443_CLASS
loadbalance vip inservice
loadbalance policy ghh-sticky-443_POLICY
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAMAnother point: please check whether your servers are listening only for HTTPS traffic or also for HTTP traffic:
in the first case the ACE will have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and then re-encrypt it and send it to the server
in the second case the ACE would have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and send it out as it is unencrypted to the server
the second solution would have the benefit of being easier to configure and to require less resoucerces both on the ACE (only decryption to be performed) and on the servers (no need for SSL operations at all there) but it might be that your company or business sector have requirements for which this traffic should never flow unencrypted, in which case you would have to go for the first solution.
Here you have a config example for the first solution:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
I would not expect you to have to pay extra for importing the cert and kepair into the ace, it would be just a copy, however as Alex said that may still depend on the license agreement with the CA.
Cheers,
Francesco -
High Connections within Ace 4710
Is this normal to have millions of current connections within an ace 4710? There is only 3 current connections but shows a high number?
Thanks!!TAC is claiming a bug.
Reference hitting bug ID: CSCtq39716 -
ACE 4710 Connectivity help?
I'm using an ACE 4710 in a new datacenter, with the following setup:
2/4 physical ethernet interfaces port channeled into port-channel 1
2/4 physical ethernet interfaces port channeled into port-channel 2
I have the following vlans defined:
1001 - admin - interface ip: 10.53.136.70
400 - client side - interface ip: 10.53.136.100
500 - server side - interface ip: 192.168.128.1
999 - fault tolerance - interface ip: 192.168.11.2
My problem is I am trying to nat ssh and web server traffic from the client side, to the server side, but it's never getting to the server. For example, if I ssh to 10.53.136.102, it times out. (10.53.136.102 should get nat'd to 192.168.128.2)
Also, I can connect to the ACE 4710 via telnet using 10.53.136.70, but cannot connect to 10.53.136.100.
I'm thinking there is either something wrong with the port-channels, or the access lists. On the other hand there could be something wrong with the nat'ing, but I had it working before switching over to the port-channels.
Any thoughts?
Thanks,
BrentI've attached the two contexts which we are using. The admin context is new_lb_config.txt and the second context where the loadbalancing occurs is in the new_lb_config_VC_WBPX.txt file.
From the load balancer, I am able to ping the real server ips in the 192.168. ip range. The 4710 recognizes that they are in service.
I believe the ACL for the VLAN 400 is set to permit all traffic, but I don't know if the service policies are preventing something from happening.
Right now, I have disconnected the two 4710s and I am only working on one of them to see if I can get the basic connectivity going. Once I accomplish that, I will work on high availability. I'll have to check whether it thinks it is in passive mode...not entirely sure how to do that, but I will check it out.
Thanks,
Brent -
Question about ACE-4710-BAS-2PAK bundle
Hello,
I want to order ACE-4710-BAS-2PAK bundle (2 Units of ACE 4710 Hardware-1Gbps-1K SSL-100MbpsComp-5VC- 5) and then separate two units of this bundle.
I couldn't get any information about separation possibility, therefore âsome howâ i need to ensure that 2 units of ACE-4710-BAS-2PAK will be able to work separate.
Could you please provide me some suggestion about this issue.
Any advise are welcome.yes, these units can work alone.
The pak is just a sale operation.
The HW is still the same.
G. -
ACE 4710: Find out the response time of a real server
Hi to everyone,
I have a couple of ACE 4710 and I need to find out what is the response time of a real server.
Is there a way for this?
Thank you for any answer!
giorgio romanoHi,
Kindly add the following line in your serverfarm configuration:
predictor response syn-to-synack
Suppose your serverfarm looks like this:
serverfarm host AAA_FARM
predictor response syn-to-synack
probe HTTP_PROBE
probe TCP9001_PROBE
rserver SC106
inservice
rserver SC107
inservice
rserver SC108
inservice
rserver SC109
inservice
rserver SC110
inservice
rserver SC111
inservice
rserver SC112
inservice
rserver SC113
inservice
rserver SC114
inservice
rserver SC120
inservice
rserver SC131
inservice
And then use the following command to see the average response time from your rserver as follows:
ACE1/prod# show serverfarm AAA_FARM detail
serverfarm : AAA_FARM, type: HOST
total rservers : 11
active rservers: 11
description : ServerFarm AAA
state : ACTIVE
predictor : RESPONSE
method : syn-to-synack
samples : 8
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 0
total conn-dropcount : 0
Probe(s) :
HTTP_PROBE, type = HTTP
TCP9001_PROBE, type = TCP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC106
x.x.x.x.:0 8 OPERATIONAL 2 1125 0
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
average response time (usecs) : 81 ----> thats what you might be looking for
From other day :
rserver: SC114
x.x.x.x:0 8 OPERATIONAL 70 10903 2
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
average response time (usecs) : 1334 ----> thats what you might be looking for
For Serverfarm BBB_FARM
serverfarm : BBB_FARM, type: HOST
total rservers : 1
active rservers: 1
description : ServerFarm BBB
state : ACTIVE
predictor : RESPONSE
method : syn-to-synack
samples : 8
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 1
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC208
x.x.x.x:0 8 OPERATIONAL 0 0 0
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
average response time (usecs) : 0 ----> thats what you might be looking for
Use more detials for response predictor:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1068831
Configuring the Application Response Predictor
To instruct the ACE to select the server with the lowest average response time for the specified response-time measurement based on the current connection count and server weight (if configured), use the predictor response command in server farm host or redirect configuration mode. This predictor is considered adaptive because the ACE continuously provides feedback to the load-balancing algorithm based on the behavior of the real server.
To select the appropriate server, the ACE measures the absolute response time for each server in the server farm and averages the result over a specified number of samples (if configured). With the default weight connection option configured, the ACE also takes into account the server's average response time and current connection count. This calculation results in a connection distribution that is proportional to the average response time of the server.
The syntax of this command is as follows:
predictor response {app-req-to-resp | syn-to-close | syn-to-synack}[samples number]
The keywords and arguments are as follows:
•app-request-to-resp—Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.
•syn-to-close—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
•syn-to-synack—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server.
•samples number—(Optional) Specifies the number of samples over which you want to average the results of the response time measurement. Enter an integer from 1 to 16 in powers of 2. Valid values are 1, 2, 4, 8, and 16. The default is 8.
For example, to configure the response predictor to load balance a request based on the response time from when the ACE sends an HTTP request to a server to when the ACE receives a response back from the server and average the results over four samples, enter:
host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)# predictor response app-req-to-resp
samples 4
To reset the predictor method to the default of round-robin, enter:
host1/Admin(config-sfarm-host)# no predictor
To configure an additional parameter to take into account the current connection count of the servers in a server farm, use the weight connection command in server farm host predictor configuration mode. By default, this command is enabled. The syntax of this command is as follows:
weight connection
For example, enter:
host1/Admin(config)# serverfarm SF1
host1/Admin(config-sfarm-host)# predictor response app-request-to-resp
samples 4
host1/Admin(config-sfarm-host-predictor)# weight connection
To remove the current connection count from the calculation of the average server response time, enter:
host1/Admin(config-sfarm-host-predictor)# no weight connection
You can use threshold milliseconds parameter which is optional Specifies the required minimum average response time for a server. If the server response time is greater than the specified threshold value, the ACE removes the server from the load-balancing decision process (takes the server out of service).
Enter an integer from 1 to 300000 milliseconds (5 minutes). The default is no threshold (servers are not taken out of service).
In case if you have measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server use syn-to-close (already discussed previously)
If you have to measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server use syn-to-synack (already discussed previously)
SAMPLES parameter is optional and specifies the number of samples that you want to average from the results of the response time measurement and response time is used to select the server with the lowest response time for the requested response-time measurement. If you do not specify a response-time measurement method, the ACE uses the HTTP app-req-to-response method.
Whenever a server's load reaches zero, by default, the ACE uses the autoadjust feature to assign a maximum load value of 16000 to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options.
Using the least-loaded predictor with the configured server weight and the current connection count option enabled, the ACE calculates the final load of a real server as follows:
final load = weighted load × static weight × current connection count
where:
•weighted load is the load reported by the SNMP probe
•static weight is the configured weight of the real server
•current connection count is the total number of active connections to the real server
The ACE recalculates the final load whenever the connection count changes, provided that the (config-sfarm-host-predictor) weight connection command is configured. If the (config-sfarm-host-predictor) weight connection command is not configured, the ACE updates the final load when the next load update arrives from the SNMP probe.
If two servers have the same lowest load (either zero or nonzero), the ACE load balances the connections between the two servers in a round-robin manner.
HTH
Plz rate if u find it useful.
Sachin -
Hi, We have two ACE-4710-K9 (named LB01 and LB02) configured in HA mode. Besides Admin, on each of them there are tree context configured, named, ACADEMIC, COMMERCIAL, STREAMING. On LB01 the active context is ACADEMIC. On LB02 the active contexts are COMMERCIAL and STREAMING. Each context is configured with a FrontEnd and a BackEnd Vlan interface, and a "management" Vlan interface used for accessing and monitoring the device and for the downloading of the needed ssl certificates. Recently we upgraded the devices to Version A3(2.6) form a previous A3(2.4). After that upgrade we experienced some strange behaviour. From the context in STANDBY state we are not able to ping the host on the "management" Vlan interface, while there is no problem on the other Vlans. We see that the ICMP packets are sent to the Vlan, are replayed by the remote host BUT are not received at all on the LB01 or LB02. No messages in the log. Trying with 5 consecutive (failed) ping we can see that the counters of unicast packet output on LB01/LB02 Vlan is incremented by 5 BUT the unicast packets input counters is unchanged even if the remote host sent the replays. In the STREAMING context this behaviour isn't constant, ie the ping *sometimes* starts working for a few second and then returns to stop. In the other standby context the ping never works instead. In the active context all works fine. This strange problem prevents us to load the ssl certificates in the STANDBY context from the "management" Vlan. We was not able to find any reference to a similar problem in the Cisco documentation or Tac collection, so we are curious to know wheter someone else experienced such a behaviour. Thank you and best regards. Alessandro Asson - CINECA
Thanks,
I see you are using shared VLAN config in both ACE.
Same VLAN 1000 is used for both Admin and streaming context.
In this config, you may need to use the shared-vlan-host-id command as explained here:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/vlansif.html#wp1025243
In fact as explained:
'By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE appliances in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank, which results in the use of the same MAC addresses. To avoid this conflict, you must configure the bank that the ACEs will use.'
This would also reply to your question in the readme file:
SHOW ARP TABLE ON THE D01,D02,D07 ROUTERS SHOWS THE SAME MAC ADDRESS FOR
BOTH IP ADDRESSES OF LB01 AND LB02: is that normal ??
Hope this helps,
Dom. -
ACE 4710: Possible to allow a user to clear counters but nothing else?
Hello all,
Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?
Thanks!Hello Brandon-
Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
i.e.
ACE# conif t
ACE(config)# role MyRole
ACE(config-role)# rule 1 permit modify feature ?
AAA AAA related commands
access-list ACL related commands
connection TCP/UDP related commands
fault-tolerant Fault tolerance related commands
inspect Appln inspection related commands
interface Interface related commands
loadbalance Loadbalancing policy and class commands
pki PKI related commands
probe Health probe related commands
rserver Real server related commands
serverfarm Serverfarm related commands
ssl SSL related commands
sticky Sticky related commands
vip Virtual server related commands
You can create a permit or deny rule, within that, create/debug/modify/monitor each feature seperately.
Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
Regards,
Chris Higgins -
This started for me 1/17/2011 on the savingsbank.com website:
Firefox (latest versions) on both Mac 10.6 and Windows 7 show "this Connection is Untrusted" on my bank site https://www.savingsbank.com
NO other browsers - Explorer, Chrome, Safari - give this error box on this site. Please advise if this has to do with the bank site? or Firefox compatibility.
Saw in a forum someone else having this problem and they were told it had to do with their Date and time being off?? I've been on several computers, all with the correct date and time and they've all shown this Insecure Certificate statement on my bank site with Firefox and no other browser.I've looked at the banking site with IE8 and it does NOT show me that "This connection is Untrusted" window. (please see attached screen shot of viewing the site with IE8) It opens fine and has "Identified by Network Solutions" showing on the address bar as it always does.
The latest version of Opera (not earlier ones) does show a problem with the website's security certificate.
We've contacted the bank about this, and they say there's no problem with their certificate but are looking into it.
My question remains, why only Firefox and one version of Opera claim this and NO other browser? -
ACE 4710. Unable to clear ssh sessions
Hi.
Once in the CLI of an ACE 4710, using the command "clear ssh session id" I am unable to clear/kill any of the remote ssh sessions established.
According to the administration guide, the "clear ssh .." command must clear the sessions, but it does not, or maybe I am missing something?
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/administration/guide/access.html#wp1050335
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Tabla normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
ACE/CONTEXTO_A# show ssh session-info
Session ID Remote Host Active Time
13728 222.98.54.158:50556 67:43:38
13732 200.44.158.70:46172 67:43:36
13735 200.44.158.70:46174 67:43:36
13737 200.44.158.70:46177 67:43:36
ACE/CONTEXTO_A#
ACE/CONTEXTO_A# clear ssh 13728
ACE/CONTEXTO_A# clear ssh 13732
ACE/CONTEXTO_A# clear ssh 13735
ACE/CONTEXTO_A# clear ssh 13737
ACE/CONTEXTO_A# show ssh session-info
Session ID Remote Host Active Time
13728 222.98.54.158:50556 67:43:54
13732 200.44.158.70:46172 67:43:52
13735 200.44.158.70:46174 67:43:52
13737 200.44.158.70:46177 67:43:52Hello,
Seems to be working for me in my tests. Works in the Admin context and a user context, and when clearing connections from console connection or one of the SSH sessions.
ace-appliance-15/CTX1# sho ssh sess
Session ID Remote Host Active Time
24705 161.44.77.245:1586 0: 1:42
25100 161.44.77.245:1589 0: 0:27
25116 161.44.77.245:1590 0: 0:16
ace-appliance-15/CTX1# clear ssh 25116
ace-appliance-15/CTX1#
ace-appliance-15/CTX1# sho ssh sess
Session ID Remote Host Active Time
24705 161.44.77.245:1586 0: 2: 5
25100 161.44.77.245:1589 0: 0:50
What version of software are you running on your 4710? I am running the latest A3(2.4). Can you try this version?
Thanks,
Sean -
ACE 4710 and mangled HTTP requests
After replacing a Cisco CSS/SSL Accelorator and PIX firewall with an ACE 4710 to do load balancing and SSL encryption behind an ASA firewall we started seeing mangled HTTP requests in the Apache access logs for the servers in the server farm. Here is one example:
XX.XX.XXX.XXX - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
Rather than appearing just after the timestamp, the "POST /register/LServlet" is tacked on to header information that shouldn't even appear in the log. Also the first letter in that header information is always missing (heckoutFlag instead of checkoutFlag in this example).
The mangled request always shows up as a 501 HTTP error and shows up late in the Apache access logs (timestamp is out of chronogical order) and always appears with several duplicate POSTs:
XX.XX.XXX.XXX - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XX.XXX - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
This is occurring for several different URLs and not just the one above and for multiple web browsers.
The ACE load balances to servers running Tomcat 7 with Apache HTTP server v. 2.2.14.
A recent ACE software upgrade to A5(2.1) has not fixed the problem.
Has anyone seen this before?
Thanks for any insight you can provide.
-KariHi Kari,
Do you have a sample of the configuration which you got with the CSS?
What is the current configuration which you got on the ACE?
Can you shows this output: # show stats http?
Jorge -
ACE 4710 Web Optimization Licnesing
I currently have a 4710 running the 1Gbps package. We are utilizing Application Acceleration and are comg very close to hitting our 10,000 Web Optimization connection limit. I am trying to find out how to upgrade that.
I see in our license usage an option of ACE-AP-OPT-UP1-K9 but can find no information on this part number. Does anyone know if this is even available and what it brings you connection limit to?
ACE01/Admin# show license usage
License Ins Lic Status Expiry Date Comments
Count
ACE-AP-C-UP1 No - Unused -
ACE-AP-C-UP2 No - Unused -
ACE-AP-C-UP3 No - Unused -
ACE-AP-01-LIC No - Unused -
ACE-AP-01-UP1 No - Unused -
ACE-AP-02-LIC No - Unused -
ACE-AP-02-UP1 No - Unused -
ACE-AP-04-LIC No - Unused -
ACE-AP-04-UP1 No - Unused -
ACE-AP-04-UP2 No - Unused -
ACE-AP-VIRT-5 No - Unused -
ACE-AP-500M-LIC No - Unused -
ACE-AP-VIRT-020 No - Unused -
ACE-AP-C-100-LIC No - Unused -
ACE-AP-C-500-LIC Yes 1 In use never -
ACE-AP-C-500-UP1 No - Unused -
ACE-AP-OPT-50-K9 No - Unused -
ACE-AP-C-1000-LIC No - Unused -
ACE-AP-C-2000-LIC No - Unused -
ACE-AP-OPT-LIC-K9 Yes 1 In use never -
ACE-AP-OPT-UP1-K9 No - Unused -
ACE-AP-SSL-05K-K9 Yes 1 In use never -
ACE-AP-SSL-07K-K9 No - Unused -
ACE-AP-SSL-100-K9 No - Unused -
ACE-AP-SSL-UP1-K9 No - Unused -
ACE-AP-SSLUP-5K-K9 No - Unused -
ACE-AP-VIRT-020-UP No - Unused -Unfortunately, ACE-AP-OPT-LIC-K9 is not available on ACE4710 and
ACE 4710 cannot handle more than 10,000 concurrent connections..
When you use the ACE to perform a specific set of application
acceleration and optimization functions, and the ACE reaches the
maximum of 10,000 concurrent connections, the appliance stops
accepting any additional concurrent connections until the count
drops below 10,000.
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/command/reference/optimize.html#wp1048813
Regards,
Yuji
Maybe you are looking for
-
Field's content is not fully visible in Sap Transaction iview
Hello Friends, I have deployed a Sap Transaction iview on my portal. I am facing a issue. When i do F4 help on a field, the content of columns is not fully visible in the opened up popup window. Is there any way to adjust the col
-
Archive Source Files with Errors is Missing
Hi I don't have this option or "Handling of Empty Files" available in ID on my Live or QA Servers although I do have on my Dev. They are all on the same SP and Patch Level 7.0 SP 14. Any suggestions ? Thanks
-
WebLogic Server 9.2 MP3 compatibility with WLS 9.2
My companies product currently supports WebLogic Server 9.2.x. Is WebLogic Server 9.2 fully compatibile with WebLogic Server 9.2 MP3? And, what does the MP3 acronym stand for, please. Edited by: [email protected] on Feb 6, 2009 2:01 PM
-
Feedback after the error in SWEL after creating the PO
Hi! After creating the PO, it says in SWEL.. "Feedback after error" . When I double clicked it, it said that the EVENT releasestepcreated, Import container contains errors (are any obligatory elements missing?) What could be the possible error in thi
-
Does bridge search all folders and subfolders by default?
Many documents and folders are not being found with Bridge's search feature. What do I need to do to have Bridge A) find files in specific folders and B) search newly added folders? Does bridge search every folder on my computer by default or just