ACE 4700 hash address source

Similar Messages

• Predictor Hash address

  Hi,
  The command "predictor hash address source"  "Selects the server using a hash value based on the source IP address." but it is too vague.
  What it means? How can i determine at which server on serverfarm a client connection will be redirected for?
  I would like to know how it realy works? Predictors methods like Least-Connections, Least-Loaded, Application Response etc are easy to understand.
  Thanks
  Rafael2gc

  Hi Rafael,
  For what purpose are you using "predictor hash address" or planning to use. Please share your scenario along with if it is CSM or ACE.
  Are you using it to load balance firewall.
  For FWLB, it is recommend that you use only the hash address source and the hash address destination predictors. Using any other predictor with FWLB may fail and block traffic, especially for applications that have separate control and data channels, for example, FTP.
  Source IP hashing also provides a simple stateless way to stick a client to the same real server in SLB environments.
  A benefit of source address hashing in some environments is that the client connects to the same server for every request, causing the client to stick to the same real server for all requests to the virtual server. This benefit proves useful for e-commerce applications that store client-specific information across content requests.
  When using hash address as the predictor, the load balancer selects the real server by using a hash value that is calculated by using both the source and destination IP address. This predictor can be used to achieve session persistence when no proxy servers are in front of the clients. The proxy servers issue the requests on behalf of the clients, thus changing the client IP address. The hash value is calculated so that there is statistical distribution based on source and destination IP addresses, which works best when there is a wide range of source or destination IP addresses.
  Hashing the packet's source IP address is useful only in environments where there are vast numbers of clients, because the same keys provide the same hash value. A small number of clients may cause an over-selection of particular real servers. Additionally, some ISPs use mega-proxy servers to NAT hundreds or even thousands of clients to a single IP address. As a result, your load balancer will forward all requests from clients behind the proxy to the same real server, potentially causing that real server to overload.
  Typically, the default balancing method, round robin is used. Since support of multiconnection protocols, such as FTP as I said above, is required in firewall loadbalancing design, you have to use predictor hash address Source | Destination in your configuration. For multiconnection protocols where some connections are open by clients and others by servers and you need to make sure all the connections belonging to the same session go through the same firewall, you will have to use source IP hash for incoming connection and destination IP hash for outgoing, or vice versa.
  The hash algorithm is something like this:
  ((_key) + (_key >> 8) + (_key >> 16) + (_key >> 24))
  The _key in this case is the source ip address has an unsigned 32 bits number.
  You then do rserver_index = hash % number_of_rserver.
  Source or destination IP hash method maps the IP address in the request to a real in a server farm. The configuration options are shown below.
  predictor hash address [source | destination] [netmask]
  !--- Source/Destination IP hash or predictor hash address.
  The default (netmask) is 255.255.255.255. The hash value is produced with the following algorithm:
  ip_addr = (Src_or_Dest_Ip_addr & Cfg_Netmask) hash_index = (ip_addr) + (ip_addr >> 8) + ip_addr >> 16) + (ip_addr >> 24);
  Also for detail configuration examples for hash predictor kindly refer the below mentioned URL:
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/fwldbal.html#wpxref70632
  For Least connections— it selects the server with the fewest number of active connections based on the server weight. For the least-connections predictor, you can configure a slow-start mechanism to avoid sending a high rate of new connections to servers that you have just put into service.
  For Least loaded— as it selects the server with the lowest load based on information obtained from Simple Network Management Protocol (SNMP) probes. To use this predictor, you must associate an SNMP probe with it.
  You can configure stickiness when you require load balancing multiple TCP flows of a session to the same server as the original flow, to retain information stored about the flow on the server. The same principle is true with FWLB. For applications that require multiple connections in the same direction within the same application session, such as HTTP and Passive-FTP, you can use IP session stickiness or distribution via address hashing to ensure that multiple TCP sessions stick to the same firewall.
  Kindly rate.
  HTH
  Sachin Garg

• Using "predictor hash address" to maintain sticky sessions

  I have a question about predictor.
  We have two proxy servers balanced on the front end by a CSM. These servers then use a "backend" VIP to access two web/application servers. Each proxy server session must stay stuck to the same backend web/app server.
  Because traffic has been evenly balanced on the proxy servers we used "predictor hash address source" to balance traffic to the web/app servers. Sticky connections could have been used but the predictor method was less complex and suited our purposes (traffic balanced evenly and sessions stayed stuck).
  The proxy servers are changing from active/active to active/backup (obviously now there is no load balancing of the proxy servers). All traffic is now from a single source IP so therefore the "predictor hash address source" won't balance between the two backend servers.
  My question is can we use "predictor hash address" to balance based on a hash of source AND destination IP? This will reduce the changes required on the CSM. My primary concern is that the traffic won't be balanced to the two backend web/app servers.
  I know sticky groups can be configured for this but I want to keep changes to a minimum.
  OLD SETUP ("predictor hash address source" balanced traffic to backend servers and "stuck" the sessions)
  proxy: 10.1.1.1 or 10.1.1.2
  CSM VIP: 10.2.2.2
  Backend web/application servers: 10.3.3.3 or 10.3.3.4
  NEW SETUP ( Will "predictor hash address" still balance traffic to backend servers and keep sessions "stuck"?)
  proxy: 10.1.1.1
  CSM VIP: 10.2.2.2
  Backend web/application servers: 10.3.3.3 or 10.3.3.4

  if the src is the same 10.1.1.1 and the destination also always the same 10.2.2.2, I don't see how you can maintain stickyness and also loadbalance the connection between 2 servers.
  Only a cookie would let you identify the real source of the traffic [ a client ] and split the connection from the single proxy to different servers.
  Gilles.

• ACE 4700 load balancing Issue

  Hi,
  I am new in ACE 4700. I have configured ACE 4700 for load balancing the FAX servers. Probe, ServerFarm, Real server, Virtual server, VIP state every thing is up and in service. But I am not able to access the real server using VIP IP address.
  Below is the running configuration. Please help me to troubleshot the problem.
  HOB-ACE-1/Admin# sh run
  Generating configuration....
  no ft auto-sync startup-config
  boot system image:c4710ace-mz.A3_2_0.bin
  hostname HOB-ACE-1
  interface gigabitEthernet 1/1
    description Man_HOB_1
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    description VIP_HOB_1
    switchport access vlan 24
    no shutdown
  interface gigabitEthernet 1/3
    description HA_HOB_1
    switchport access vlan 180
    no shutdown
  interface gigabitEthernet 1/4
    shutdown
  [7m--More-- [m
  access-list ALL line 8 extended permit ip any any
  probe icmp ICMP_PROBE1
    interval 15
    faildetect 4
    passdetect interval 60
    passdetect count 5
    receive 5
  rserver host MFREFSAS497
    description MAAFAXSERVER
    ip address 10.16.12.148
    conn-limit max 4000000 min 4000000
    inservice
  rserver host MSHOFCFS489
    description HOBFAXSERVER
    ip address 10.26.12.130
    conn-limit max 4000000 min 4000000
    inservice
  [7m--More-- [m
  [K
  serverfarm host SFHOBACE-1
    description SFHOBACE-1
    predictor hash header Accept
    probe ICMP_PROBE1
    rserver MFREFSAS497 80
      conn-limit max 4000000 min 4000000
      inservice
    rserver MSHOFCFS489 80
      conn-limit max 4000000 min 4000000
      inservice
  class-map match-all VSHOBACE-1
    2 match virtual-address 10.26.24.242 any
  class-map type management match-any remote_access
    201 match protocol xml-https any
    202 match protocol icmp any
    203 match protocol telnet any
    204 match protocol ssh any
    205 match protocol http any
    206 match protocol https any
    207 match protocol snmp any
  [7m--More-- [m
  [K
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match VSHOBACE-1-l7slb
    class class-default
      serverfarm SFHOBACE-1
  policy-map multi-match global
    class VSHOBACE-1
      loadbalance vip inservice
      loadbalance policy VSHOBACE-1-l7slb
      loadbalance vip icmp-reply
      nat dynamic 1 vlan 24
      nat dynamic 1 vlan 1000
  service-policy input global
  interface vlan 24
    description "Client VLAN"
    ip address 10.26.24.243 255.255.255.0
  [7m--More-- [m
    access-group input ALL
    no shutdown
  interface vlan 1000
    ip address 10.26.12.132 255.255.255.0
    peer ip address 10.26.12.133 255.255.255.0
    access-group input ALL
    service-policy input remote_mgmt_allow_policy
    no shutdown
  ft interface vlan 180
    ip address 192.168.180.2 255.255.255.248
    peer ip address 192.168.180.3 255.255.255.248
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 10
    ft-interface vlan 180
  ft group 1
    peer 1
    priority 140
    associate-context Admin
  [7m--More-- [m
    inservice
  ip route 0.0.0.0 0.0.0.0 10.26.12.1
  snmp-server contact "HOB_ACE"
  snmp-server location "HOB"
  snmp-server community FAXSERVER group Network-Monitor
  snmp-server user administrator Network-Monitor
  snmp-server trap-source vlan 1000
  username admin password 5 $1$GtO1e504$eGuyxxDcXck7SkxqBfRkI.  role Admin domain
  default-domain
  username www password 5 $1$N5ClX7jy$kDhGgN.uukWQKvQMd3pY.1  role Admin domain de
  fault-domain
  ssh key rsa 1024 force
  Thanks and Regards,
  Ashfaque

  Hello Hossain,
  Applying the policy globally on the box is commonly not the prefered way to go, you can use instead a single multi-match policy per SVI for easier managent; this will also also help to narrow down problems to a specific policy and VIP while T-Shooting.
  Use the
  ACE/Admin(config)# no service-policy input global
  ACE/Admin(config)# interface vlan 24
  ACE/Admin(config-if)# service-policy input global
  Also you want to remove the NAT from the multi-match policy, you're running in routed mode so NAT should not be required; if it was required then you don't have any natpool configured or as Ahmad mentioned it was truncated from the configuration.
  Something that caught up my attention is that your default route is pointing to the server VLAN that happens to be also your management VLAN, I'll have to lab it up but my first impression is that either the traffic coming to the VIP on vlan 24 should be always NAT'd to an IP of 10.26.24.X/24 before it gets to the ACE or else there will be a routing loop that will not allow the flow to complete correctly.
  Do you happen to have a quick logical diagram of this piece of the network?
  Thnx
  Pablo

• ACE 4700 one-arm design with SSL termination

  Hi,
  We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
  1. Are there any limitations in the one-arm design and the SSL offloading
  2. Can the ACE be configured with an IN and an OUT vlan to the router
  CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
  so that the SSL and the clear text traffic is in a separate Vlan?
  3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
  I would appreciate if you can share some sample configs
  Regards,
  George Georgiou

  There are two ways to implement One Arm topology.
  1. One Arm with PBR & 2.One Arm with SRC NAT
  PBR/Source Nat is needed to ensure that the return traffic from Real Servers should not bypass ACE.
  1. Are there any limitations in the one-arm design and the SSL offloading
  The limitations/config issues I can think of are following
  One ARM with PBR:
  Direct access to Servers require the enabling of Assymtric routing (by turning off Normalization). If direct server access is not required then you dont need to enable assymtric routing. Now for these assymetric connection (Direct Server Access return traffic) its required to purge idle connections more frequently (default being one hour).
  One ARM with SRC NAT:
  You will loose the client information. Server logs will show the connections initiated from NAT IP Pool configured on ACE.
  2. Can the ACE be configured with an IN and an OUT vlan to the router
  CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
  so that the SSL and the clear text traffic is in a separate Vlan?
  Yes you can do that but wouldnt it make it routed mode topology?
  3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
  As I said earlier you loose the Source IP address with SRC NAT. But with ACE you have an option to use header-insert and insert this source ip as an HTTP Header.
  Details at
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
  HTH
  Syed Iftekhar Ahmed

• SNAT on ACE 4700 in bridging mode

  Hi,
  I would like to implement Source-NAT for some traffic, but not all traffic for the ACE 4700. The ACE 4700 will be configured as a bridge.
  Can I configure Source-NAT using an extended access-list when the ACE 4700 is used as a bridge? I need Source-NAT for servers that need to access the VIPs on the ACE. All VIPs and real servers are on the same IP subnet. I was going to configure the ACE as a bridge so that IP addresses don't have to change.
  Let me know how Source-NAT will work in this bridging scenario. If not, what examples or options do I have?
  Thank you.

  Thanks, Gilles!
  So, does it mean I can just use a standard access-list to identify traffic for Source-NAT? Meaning, I can just Source-NAT based on source IP addresses instead of using an extended access-list to specify both source address and destination VIP?

• ACE URL Hash

  Hi All
  I had an issue with ACE 2 year before where..sending all youtube traffic to same cache while using URL hash. I had below response from Cisco TAC..
  Any1 knows if the new image resolved this...?
  Regarding your question about the used predictor and "splitting" the requests going to youtube to be handled by two caches, please note that the URL hashing will hash the domain name up to the "?" only, so we unfortunately cannot distinguish the caches to which to send the request when using this predictor method. The "?" is the default URL parsing delimiter.
  Therefore, what we could try is changing the predictor method to another type, for example hash destination|source address or round robin to verify if the loads gets distributed among the caches more evenly.
  There, we can see that you can specify a begin- and end-pattern to look
  for a specific pattern within an URL, too, however, as already stated,
  the hashing has no effect after the "?".
  Regards
  Sameer Shah

  The ACE module and ACE 4710 appliance were enhanced so that the url hashing predictor now includes the url query seen after the '?' delimiter.
  ACE module: A2(2.1) and later (BugID CSCsq99736)
  ACE 4710: A3(2.2) and later (BugID CSCsr30433)

• ACE 4700 configuring SSL termination weblogic server 10.3.6

  Hello,
  Im trying to configure an ACE 4700 so that SSL termination is done on the ACE and HTTP reaches the weblogic server instance.
  I have a working setup of a Apache reverse proxy doing SSL offloading and using a weblogic module and that works fine
  Was reading http://docs.oracle.com/cd/E23943_01/web.1111/e13709/load_balancing.htm#i1045186
  Can anyone point me to a working config example for doing this with the ACE4700 or give me some directions here?
  Kind regards,
  Laurens

  Hi Laurens,
  Here is a basic configuration for SSL termination:
  rserver host test
    ip address 10.198.16.98
    inservice
  rserver host test2
    ip address 10.198.16.93
    inservice
  serverfarm host test
    rserver test 80
      inservice
    rserver test2 80
      inservice
  ssl-proxy service TEST
    key cert
    cert cert
  class-map match-all VIPSSL
    2 match virtual-address 10.198.16.122 tcp eq https
  policy-map type loadbalance first-match test
    class class-default
      serverfarm test
  policy-map multi-match clients
    class VIPSSL
      loadbalance vip inservice
      loadbalance policy test
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 112
      ssl-proxy server TEST
  interface vlan 112
    ip address 10.198.16.91 255.255.255.192
    access-group input Allow_Access
    nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
    service-policy input NSS_MGMT
    service-policy input clients
    no shutdown
  Cesar R
  ANS Team

• ACE 4700

  How many maximum SSL Concurrent sessions can be achieved on ACE 4700 Appliance?
  Can ACE 4700 allows SSL and clear text sessions simultaneously to establish the connection to the same server farm?
  If I have to run two ACE 4700 Appliance to achieve redundancy, what would be the best mode to achieve max redundancy?

  Hi,
  >How many maximum SSL Concurrent sessions can be achieved on ACE 4700 Appliance?
  Depends on software-license.
  >Can ACE 4700 allows SSL and clear text sessions simultaneously to establish the connection to the same server farm?
  do you mean serverfarm or server?
  If you don't terminate ssl on ACE then you need 2 serverfarms. One for http and one for https.
  >If I have to run two ACE 4700 Appliance to achieve redundancy, what would be the best mode to achieve max redundancy?
  We use active/standby. Failover-time 1-2 seconds.
  Regards, Celio

• ACE virtual mac address allocation

  We're running ACE SM and seeing all the VIP addresses, NAT addresses and alias addresses in the ARP table below  being assigned the same virtual MAC address. How then would a packet find the correct source/destination if all these MAC addresses are the same?
  IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
  ================================================================================
  204.107.54.1    00.24.f9.03.08.00  vlan810   GATEWAY    300    263 sec      up
  204.107.54.4    00.1e.13.3c.ab.80  vlan810   LEARNED    24     7631 sec     up
  204.107.54.5    00.1e.13.3c.a6.00  vlan810   LEARNED    331    8992 sec     up
  204.107.55.5    00.1f.ca.7b.70.23  vlan810   INTERFACE  LOCAL     _         up
  204.107.55.6    00.0b.fc.fe.1b.05  vlan810   ALIAS      LOCAL     _         up
  204.107.54.20   00.0b.fc.fe.1b.05  vlan810   VSERVER    LOCAL     _         up
  204.107.54.21   00.0b.fc.fe.1b.05  vlan810   VSERVER    LOCAL     _         up
  204.107.54.22   00.0b.fc.fe.1b.05  vlan810   VSERVER    LOCAL     _         up
  204.107.54.23   00.0b.fc.fe.1b.05  vlan810   VSERVER    LOCAL     _         up
  204.107.54.31   00.0b.fc.fe.1b.05  vlan810   VSERVER    LOCAL     _         up
  204.107.54.32   00.0b.fc.fe.1b.05  vlan810   VSERVER    LOCAL     _         up
  204.107.54.33   00.0b.fc.fe.1b.05  vlan810   VSERVER    LOCAL     _         up
  Thanks.

  ACE uses the concept of Virtual Mac Addresses , which are the addresses used for VIP addresses, NAT addresses (dynamic and static), and alias addresses These will all always use a MAC address in the following form 00.0b.fc.fe.1b.
  If you are using single ACE SM in a cat6k box, and you are seeing duplicate MAC, its normal. Cat6k Supervisor is L2 Adjacent with ACE, Any traffic received by Supervisor in VLAN 810 will be sent to ACE and then ACE will determine which VIP that packet is going to.
  Real Problem will come when you are using multiple ACE modules in Same Chassis or you are doing Chassis to Chassis ACE Redundancy. In such situation your Cat6k Switch will have duplicate MAC entries.
  To avoid this, you need to keep your Contexts in diffrent context groups in each Module i.e something like this
  ft group 5
    peer 1
    priority X
    associate-context default3
    inservice

• ACE 4700 - Cannot Ping the Alias

  I cannot ping my alias addresses. I can ping the actual interface addresses but not the alias. When I look at the ARP entry on the switch it's connected to for the alias, it comes up INCOMPLETE.
  Below is my config.
  interface gigabitEthernet 1/1
  description Fault Tolerant Port
  ft-port vlan 990
  no shutdown
  interface gigabitEthernet 1/2
  shutdown
  interface gigabitEthernet 1/3
  shutdown
  interface gigabitEthernet 1/4
  switchport trunk allowed vlan 10,112,200,254
  no shutdown
  resource-class RC1
  limit-resource all minimum 20.00 maximum unlimited
  limit-resource sticky minimum 8.00 maximum unlimited
  boot system image:c4710ace-mz.A1_7b.bin
  hostname atl-ace-01
  access-list ALL line 8 extended permit ip any any
  class-map type management match-any PING
  2 match protocol icmp any
  class-map type management match-all SNMP-ALLOW_CLASS
  2 match protocol snmp source-address 10.150.100.202 255.255.255.255
  class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  9 match protocol snmp any
  policy-map type management first-match AllowICMP
  class PING
  permit
  policy-map type management first-match SNMP-ALLOW_POLICY
  class SNMP-ALLOW_CLASS
  policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
  permit
  interface vlan 200
  ip address 10.10.200.110 255.255.254.0
  alias 10.10.200.120 255.255.254.0
  peer ip address 10.10.200.111 255.255.254.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input SNMP-ALLOW_POLICY
  service-policy input AllowICMP
  no shutdown
  ft interface vlan 990
  ip address 192.168.254.1 255.255.255.0
  peer ip address 192.168.254.2 255.255.255.0
  no shutdown
  ft peer 1
  heartbeat interval 250
  heartbeat count 10
  ft-interface vlan 990
  ip route 0.0.0.0 0.0.0.0 10.10.201.254
  context Exchange-CAS
  allocate-interface vlan 112
  allocate-interface vlan 254
  member RC1
  ft group 1
  peer 1
  priority 200
  peer priority 190
  associate-context Exchange-CAS
  inservice

  Nevermind. I found an old Context on the redundant ACE with overlapping info.

• Blank From Address Source IP 255.255.255.255

  hi,
  I tested Exchange 2007 for open relay and it shows relay closed on all the tests.
  even then, I see a really large amount of emails per minute (SPAM) stuck in the message queue.
  they all have 3 thing in common besides being SPAM.
  - From Address is BLANK. shows as <> in Exchange Queue Viewer
  - Source IP of those emails is all the same and it's not valid 255.255.255.255
  - 95% say Undeliverable: in the Subject line
  Anyone else is having this issue? how do I block emails originating from IP 255.255.255.255 or all emails with a blank From Address.
  if those emails are simply emails sent by the my server to spammers to notify  them the addresses it sent to are invalid, is there a way to not send a NDR for flagged spams? or everything in general?
  thank you in advance for any help.
  CF

  We are having this issue as well.
  I tried setting up the following Transport Rule, but still had the problem:
  Apply rule to message
  when the Subject field contains Undeliverable:
  silently drop the message
  except when the From address contains @
  I thought this would have resolved the issue, but it has not.
  I suspect these are emails sent from an external source (for example spamdomain.com) using a spoofed email address that is in my domain (for example [email protected]). If it turns out that it can't be delivered, the Undeliverable message comes back to our server but cannot be delivered to bob because he doesn't exist on our system.
  Anybody have any ideas? TIA!

• ACE FT Multicast Address

  Hello,
  does anyone know the multicast address which the ace use to sync the
  connection entries over his ft vlan ?
  Greeting
  Ed

  ACE will use unicast ip address and broadcast mac-address.
  Gilles.

• ACE: conn-limit by source?

  Is it possible to limit the number of concurrent connections to a set number per source IP?

  no.
  Unless you know the ip address you want to limit.
  In this case, you can match that traffic with a class-map and use a separate serverfarm for each ip where you can specify a conn-limit.
  Gilles.

• ACE 4710 MAC Address

  All physical interfaces on ACE 4710 share the same MAC address. Also, VIP addresses share the same MAC address. ACE 4710 is connected to a switch. How is the switch supposed to know which interface to send the packet to if it is doing layer2 switching.
  Thank you in advance for the explanation.

  You can't put 2 interfaces in the same vlan
  switch/Admin(config-if)# switchport access vlan 20
  vlan 20 is associated with GigabitEthernet 1/3.
  switch/Admin(config-if)#
  So, the L2 switch will have an entry for the mac-address in each vlan and this entry can point to different interfaces.
  Gilles.