4 ACE's to get 64Gbps loadbalancing

Similar Messages

• ACE : can't get to loadbalance

  Hi
  I've got a ACE wich should loadbalance to 2 web servers.
  From the router itself (ssh) I can ping the 2 servers with their internal address.
  I can also ping the ACE, but when I try to telnet the router on port 80 to see if loadbalancing is functional, my request timed out.
  I used the OVH documentation (my hoster) and I cannot find what's wrong ! And I think it's a really basic configuration...
  Here is my actual configuration :
  (vlan 265 is my external interface)
  access-list ANY line 8 extended permit icmp any anyaccess-list ANY line 16 extended permit ip any anyprobe tcp PROBE_TCP  interval 30  passdetect interval 60rserver host LABS  ip address 172.16.0.1  inservicerserver host MICHELINE  ip address 172.16.0.2  inserviceserverfarm host FARM_LABS  predictor leastconns  probe PROBE_TCP  rserver LABS    inservice  rserver MICHELINE    inserviceparameter-map type http HTTP_PARAMETER_MAP  persistence-rebalanceclass-map match-all L4-WEB-IP  2 match virtual-address 178.33.159.32 tcp eq wwwclass-map type management match-all REMOTE_ACCESS  2 match protocol ssh anypolicy-map type management first-match REMOTE_MGMT_ALLOW_POLICY  class REMOTE_ACCESS    permitpolicy-map type loadbalance http first-match WEB_L7_POLICY  class class-default    serverfarm FARM_LABS    insert-http x-forward header-value "%is"policy-map multi-match WEB-to-vIPs  class L4-WEB-IP    loadbalance vip inservice    loadbalance policy WEB_L7_POLICY    loadbalance vip icmp-reply active    nat dynamic 1 vlan 2369    appl-parameter http advanced-options HTTP_PARAMETER_MAPinterface vlan 265  ip address 178.33.159.170 255.255.255.240  alias 178.33.159.169 255.255.255.240  peer ip address 178.33.159.171 255.255.255.240  access-group input ANY  service-policy input REMOTE_MGMT_ALLOW_POLICY  service-policy input WEB-to-vIPs  no shutdowninterface vlan 2369  ip address 172.31.255.250 255.240.0.0  alias 172.31.255.249 255.240.0.0  peer ip address 172.31.255.251 255.240.0.0  access-group input ANY  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat  no shutdownft track interface  VLAN265  track-interface vlan 265  peer track-interface vlan 265  priority 50  peer priority 5
  Thanks for any help !

  Hi Ahmad,
  I misunderstood by using of one IP address wich is pingable but it was a wrong lead.
  My test was to telnet the VIP on port 80 so that a connection should be opened on one of the load-balanced servers.
  These are the results :
  rbx-s1-ace/vrack2369# show conntotal current connections : 2conn-id    np dir proto vlan source                destination           state----------+--+---+-----+----+---------------------+---------------------+------+892000     2  in  TCP   265  93.17.95.165:56172    178.33.159.169:22     ESTAB3169004    2  out TCP   265  178.33.159.169:22     93.17.95.165:56172    ESTAB
  I'm trying to make http traces but since I can't reach the ACE itself I don't have any atm.
  I *think* it's ACE module, ovh give me that link
  Thanks !

• ACE - limit of GET requests in the HTTP 1.1 pipelining

  Hello. Is possible to limit the count of HTTP GET requests in the pipelining connection on the ACE?? For example when an attacker sends a lot of requests in the pipelining connection. Thank you.

  You should not worry about that.
  ACE has normalization to protect itself.
  We also limit the amount of memory each connection can consume.
  So one user will not be able to cause problem by using pipelining.
  g.

• ACE: Routing in addition to Loadbalancing

  I'm planning to route some traffic while loadbalancing other traffic.
  For guidance, what can I refer for simple routing in ACE.
  In addition, both routing and loadbalancing traffics need to pass a same Vlan in the ACE.
  In the attached Steps 1,2,3 doing loadbalancing via vlan80
  Steps 4,5,6 doing routing via same VLAN 80
  Is simple routing possible in ACE?
  Regards
  SS

  as long as you permit the traffic with an access-list inside the access-group, ace will route the traffic that does not match any class-map.
  This is the default and no particular config is required.
  Gilles.

• ACE - Can not get it to work

  All,
  I am trying to configure simple load balancing to 4 servers on a ACE (ver 3.0.0A13B), but I can't get it to work.
  See config below. I have L3 vlan interfaces on my Cat6513 for vlan 22, 29 and 121.
  Can anyone spot the issue?
  Thanks, Pieter-Jon
  probe tcp TCP
  description TCP PROBE
  interval 2
  faildetect 2
  passdetect interval 2
  connection term forced
  open 2
  parameter-map type connection IDLE
  set timeout inactivity 600
  rserver host INFO-Realserver-1
  ip address 38.22.175.1
  probe TCP
  inservice
  rserver host INFO-Realserver-2
  ip address 38.22.175.2
  probe TCP
  inservice
  rserver host INFO-Realserver-3
  ip address 38.22.175.3
  probe TCP
  inservice
  rserver host INFO-Realserver-4
  ip address 38.22.175.4
  probe TCP
  inservice
  serverfarm host INFO2008
  predictor leastconns slowstart 15
  probe TCP
  rserver INFO-Realserver-1
  inservice
  rserver INFO-Realserver-2
  inservice
  rserver INFO-Realserver-3
  inservice
  rserver INFO-Realserver-4
  inservice
  class-map match-all L4_VIP_ADDRESS_CLASS
  2 match virtual-address 38.29.250.250 tcp any
  class-map type management match-any MGMT-Class
  2 match protocol icmp any
  3 match protocol ssh any
  4 match protocol telnet any
  class-map type management match-all SNMP_ALLOW_CLASS
  2 match protocol snmp any
  class-map type management match-all TELNET_ALLOW_ALL
  2 match protocol telnet any
  policy-map type management first-match MGMT-Policy
  class MGMT-Class
  permit
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class TELNET_ALLOW_ALL
  permit
  policy-map type management first-match SNMP_ALLOW_POLICY
  class SNMP_ALLOW_CLASS
  permit
  policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
  class class-default
  serverfarm INFO2008
  policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
  loadbalance vip inservice
  loadbalance policy L7_VIP_LB_ORDER_POLICY
  loadbalance vip icmp-reply
  loadbalance vip advertise
  interface vlan 22
  description Info Servers vlan
  ip address 38.22.1.250 255.255.0.0
  no shutdown
  interface vlan 29
  description Info Front End vlan
  ip address 38.29.1.250 255.255.0.0
  service-policy input L4_LB_VIP_POLICY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
  interface vlan 121
  ip address 38.121.6.1 255.255.0.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input SNMP_ALLOW_POLICY
  no shutdown
  ip route 0.0.0.0 0.0.0.0 38.121.1.1

  > I have L3 vlan interfaces on my Cat6513 for vlan 22, 29 and 121.
  That is your problem first of all.
  If i get it right from your config.
  VLAN 121 is your transfer network / or client side vlan
  VLAN 22 and VLAN 29 are Server VLANS?
  What you should keep in mind is that you define the server side vlans only on the ACE contexts with L3. You don't define them on the supervisor.
  If you use the ACE in routed mode you have to assign networks exclusive to the ace like routing networks to a layer 3 device in your network. If you use those vlans (22,29) on other parts of your net you should subnet them or take another network.
  Your setup should look like this.
  6513
  L3 ~ VLAN 121
  L2 ~ VLAN 22,29,121
  ACE Module
  L3 ~ VLAN 22,29,121
  You assign the 3 vlans or any other to a vlan group and assign this group to the ace module.
  Create a new context -> assign the vlan 22,29 and 121 to this context.
  6513(L3) <-- vlan 121 --> ACE (L3) /Admin Context
  6513(L3) <-- vlan 121 --> ACE(L3) / Server Context --> VLAN 22,29
  ACE Admin Context (VLAN121)
  ACE Server Context (VLAN 121,22,29)
  After you have a working L2/L3 setup start troubleshooting the ace config itself. :)
  Hope it helps
  Roble

• ACE HTTP prove get - not able to contain '?' in URL?

  Trying to put a probe together..
  probe http probeElvis
  interval 5
  passdetect interval 10
  request method get url 8888/livelink/llisapi.dll?func=LL.getlogin&NextURL=%2Flivelink%2Fllisapi%2Edll%3FRedirect%3D1
  expect status 100 404
  connection term forced
  But when typing or pasting that URL in - when it gets to the '?" after llisapi.dll the CLI is interpreting that as a query for HELP - but i want it to be part of the string!!
  Is my only choice to go to TCL scripting? I don't know how to do that! I'm a network guy!! :)

  Hello Gilles.
  is there a cance to bypass the ctrl-v into the config? The reason i ask, i genereate my configs via a script and i then copy&past the whole config on the CLI.
  So i search for a solution to embed the ctrl-v into my configuration.
  I hope you have an idea for me.
  Sven

• ACE HTTP probe get - not able to contain '?' in URL?

  Trying to put a probe together..
  probe http probeElvis
  interval 5
  passdetect interval 10
  request method get url 8888/livelink/llisapi.dll?func=LL.getlogin&NextURL=%2Flivelink%2Fllisapi%2Edll%3FRedirect%3D1
  expect status 100 404
  connection term forced
  But when typing or pasting that URL in - when it gets to the '?" after llisapi.dll the CLI is interpreting that as a query for HELP - but i want it to be part of the string!!
  Is my only choice to go to TCL scripting? I don't know how to do that! I'm a network guy!! :)

  Precede the question mark with Ctrl-V to prevent the question mark from being interpreted as a help command.

• Debug commands for load-balancing on ACE

  is possible to debug the load-balancing decision which is provided by ACE? For example: when the traffic comes to the VIP address I need to see which serverfarm is used for this traffic and which rserver was choosen for this traffic. Thank you.

  no, you there is no debug to see the decision.
  You could capture the queues infos and see what it contains but it is quite complicated.
  A simple way is to capture a sniffer trace of front-end and backend simultaneously and you will be able to see where the traffic was loadbalanced.
  You can also use the capture feature of the ACE module to get this info.
  Gilles.

• Cisco ACE 4710 - Health Monitoring for Real Servers

  Hi,
  I have setup the following health probe to check for the existence of a specific web page.  My intention is that when the web page is removed, the health check fails and the rserver status changes to 'out of service'.  Unfortunately, when I remove the web page, I see the health check fail, and the rserver state change to 'PROBE-FAILED', however the rserver does not go 'out of service' and continues to respond to requests.
  Can anyone see where I'am going wrong?
  Health check probe config
  probe http live_http_int
    interval 15
    passdetect interval 60
    request method get url /loadbalancer/internal.html
    expect status 199 201
    open 10
  RSERVER config
  rserver host Server1
    description Server1
    ip address 10.10.10.1
    conn-limit max 4000000 min 4000000
    probe live_http_int
    inservice
  rserver host Server2
    ip address 10.10.10.2
    conn-limit max 4000000 min 4000000
    probe live_http_int
    inservice

  Hi syannetwork,
  I think you have to "force" the failed server to close the connection when it has failed. Otherwise it will still serve the available HTML pages.
  Have a look at the "Configuring the ACE Action when a Server Fails" in the "Cisco Application Control Engine Module Server Load-Balancing Configuration Guide" and let me know if the following command helped:
  conf t
  serverfarm host ServerFarm
  failaction purge
  Have a good WE.
  Cheers
  LPL

• Per-ServerFarm SNAT on ACE Module.

  Dear all,
  I hace an ACE Module configured in Multiple Routed Contexts.
  My cust wants to configure some NAT Feature that prevents the real server IP Address appear outside the ACE. They want that the only IP address outside the ACE will be the Virtual IP Adress (VIP) that represents the serverfarm.
  Also, the cust wants that different serverfarms comunicate each other within the same VLAN.
  I was reading and the option that acomplish both tasks is Dynamic (PAT) Per-ServerFarm SNAT using the VIP address.
  Is this correct?
  The software version is A2(3,5).
  Thanks a lot!
  David

  Hi David
  Could you please calrify and maybe separate tasks you have ?
  As I understand you have such tasks for now :
  1) Don't show rserver IPs anywere outside ACE
  2) Servers in the same VLAN should be able to communicate with serverfarm which is located in the same VLAN via VIP
  First task is a little bit unclear. I mean - actually you have VIP outiside of ACE and all outiside clients communicate to serverfarm via VIP and don't need to know rserers IPs (e.g. they can even be private and VIP is public, if we're talking about Internet)
  Or do you mean that rservers need to communicate with outside world through ACE but you want to NAT these flows too ?
  2) Yes, it's possible. For such configuration you need to create a service policy, with the same VIP and configuration as you have for outside interface and put it on inside interface. The only one key difference is that you need to add NAT statement , because return traffic should go to ACE and as rservers and clients in this case are in the same VLAN, you need to use NAT.
  E.g.
  policy-map multi-match VIP_IN
  class MY-CLASS
  loadb vip ins
  loadb policy MY-L7Policy
  nat 1 dynamic vlan X << - inside interface
  and then on inside interface
  inter vlan X
  nat-pool 1Y.Y.Y.Y netmask 255.255.255.255 pat
  In this case it will work in this way : say you have servers in vlan 10. Servers #1 and #2 are rservers in your serverfarms and server #3 wants to connect to serverfarm through VIP. Let's say that vlan 10 has subnet 10.0.0.0/24 and VIP for this serverfarm is 8.8.8.8. When you confiure like I wrote above this will happen :
  Server #3 connects to 8.8.8.8, traffic goes to ACE as a gateway, as you have a policy map on inside interface which catches traffic to 8.8.8.8 , ACE will catch it an proceed it. You have a SNAT statement there, so ACE will perform standard loadblanacing and replace source IP with NAT IP (say 10.0.0.100) , thus when server #1 which gets this loadbalanced traffic receives it , it will send return traffic to 10.0.0.100 , thus to ACE.

• ACE Redirection question

  We are migrating a large application to a new serverfarm one folder at a time. the exiting applicaiton server is not loadbalanced via the ACE.
  We want to set a vip on the ACE as the primary DNS entry for host ans.company.com. When users requrest ans.company.com/dfr they will get L7 loadbalanced (via url matching) to a new local serverfarm.
  When the users request ans.company.com/cms we want to redirect them to the old application server that wull be renamed via dns as classic.ans.company.com.
  As each folder is migrated to the new servers the L7 rules will be modified to keep that traffic local
  example
  user requests ans.company.com/bfr or ans.company.com/cms they will be sent to the local new serverfarm.
  user requests ans.company.com/dma1 or ans.company.com/dma2 they will be redirected to classic.ans.company.com/dma1 or classic.ans.comapny.com/dma2 (depending on the original request).
  Does anyone have an sample script for this type of senario? I have the loadbalancing working fine. It's the redirection that is not working. I am trying to use a L7 url match to send the requrest to a redirect rserver
  Any help would be appreciated.

  It should be some thing like
  rserver redirect REDIRECT-TO-OLD
  webhost-redirection http://classic.ans.company.com/%p 302
  inservice
  serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-OLD
  inservice
  class-map type http loadbalance match-any local-new
  match http url /bfr
  match http url /cms
  class-map type http loadbalance match-any remote-old
  match http url /dma1
  match http url /dma2
  policy-map type loadbalance first-match L7_LOGIC
  class local-new
  serverfarm local-serverfarm
  class remote-old
  serverfarm REDIRECT-SERVERFARM
  policy-map multi-match CLIENT_VIPS
  class VIPs
  loadbalance vip inservice
  loadbalance policy L7_LOGIC
  HTH
  Syed Iftekhar Ahmed

• ACE 4710 - DM initialization failed

  When trying to get to the device manager GUI on my ACE 4710 I get to the login screen. On entering credentials I am given an error
  "DM initialization failed (Failed to import ACE configuration: Device discovery failed: unknown). Contact your technical support team."
  I have tried "dm reload" but I am still getting the error.
  Any help greatfully appreciated.

  You are probably hitting CSCsv95366. This is fixed in A3(2.2).
  You can get the details about this bug at
  http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
  HTH
  Syed Iftekhar Ahmed

• BRIDGE IP address on ACE

  Hi gyus.
  I have a doubt with IP Adresses in BVI interfaces:
  Why we need IP addresses? I have configures MAC STICKY on client VLAN.
  I need alias in BVI in a HA deploy?
  Thanks!

  Hi David,
  If you will not define an IP address on BVI, ACE won't get enabled and pass traffic. To initiate traffic, such as ARP requests, from the ACE or for management traffic, a bridge group requires an interface with an IP address on the same subnet. From user guide:
  A BVI is associated with a corresponding bridge group to routed interfaces within the router but acts as a routed interface that does not support bridging. The BVI is assigned with the number of the associated bridge group. Only one BVI is supported for each bridge group. The MAC address of the BVI is the same as the addresses of the associated bridge-group interfaces. You must enable the BVI and the associated bridge-group interfaces to forward traffic.
  You don't need an alias IP in HA deployment since ACE is not the DG of the servers.
  Regards,
  Kanwal

• ACE module routed mode

  Hi,
  I have a scenario where I have a pair of 6509 switches and I need to add an ACE module on both of them. All clients Default gateway are on internal 5580 ASAs so there are no SVI interfaces on the 6509 switches, it's only doing layer 2 switching.
  I need to add an ACE module to the above setup, what's the ideal scenario in terms of routing without having to modify and add SVIs on the 6509?
  Regards

  http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/getting/started/guide/one_arm.pdf

• ACE ipsec issue

  Hello,
  we are using the ACE to establish a redundancy for our vpn devices.
  In this setup there is one aktiv and one standby box.
  If the primary box goes down all the tunnels are put to the standby box, this is working as expected.
  Now we have the Problem that If the primary box comes back online the tunnel is not correctly balanced back to the primary box.
  On the backup box the tunnel is still in qm idle and on the no back in service primäry box the tunnel is stucked in the state ag_init_exch.
  To get the tunnel back to the primary box the connection table on the ace need to get cleared. (clear conn all)
  Thus we do have an active/standby construct stickiness is not required. (and its not working either i tried it)
  Here the snipets of the config
  serverfarm host backup_1
  transparent
  failaction purge
  probe ICMP
  rserver ONE
       backup-rserver TWO
       inservice
  rserver TWO
       inservice standby
  class-map match-any IPSEC
       match virtual-address 1.1.1.1 50    
       match virtual-address 1.1.1.1 udp eq 500
       match virtual-address 1.1.1.1 udp eq 4500
  policy-map type loadbalance first-match IPSEC
           class class-default
            serverfarm serverfarm host backup_1
  Same setup but with two serverfarms
  serverfarm host backup_1
  transparent
  failaction purge
  probe ICMP
  rserver ONE
         inservice
  serverfarm host backup_2
  transparent
  failaction purge
  probe ICMP
  rserver TWO
         inservice
  class-map match-any IPSEC
       match virtual-address 1.1.1.1 50    
       match virtual-address 1.1.1.1 udp eq 500
       match virtual-address 1.1.1.1 udp eq 4500
  policy-map type loadbalance first-match IPSEC
           class class-default
             serverfarm host backup_1 backup backup_2
  Thanks for any help in advanced

  Hi again,
  @Joo you are right if a scenario is used with an primary and a backup rserver, but if you use a primary and backup serverfarm it should work in theory, but it does not work in practice.
  Enabling Load Balancing to a Server Farm (Configuring a Backup Server Farm)
  You can load balance a client request for content to a server farm by using the serverfarm command in policy-map class configuration mode. Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location. The syntax of this command is as follows:
  serverfarm name1 [backup name2 [sticky] [aggregate-state]]
  The keywords, arguments, and options are as follows:
  •name1—Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
  •backup name2—(Optional) Designates an existing server farm as a backup server farm in case all the servers in the original server farm become unavailable. When at least one server in the primary server farm becomes available again, the ACE sends all connections to the primary server farm. Enter the name of an existing server farm that you want to specify as a backup server farm as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
  regards
  ed