ACE 4710 and Cookie problem

Similar Messages

• ACE 4710 and mangled HTTP requests

  After replacing a Cisco CSS/SSL  Accelorator and PIX firewall with an ACE 4710 to do load balancing and  SSL encryption behind an ASA firewall we started seeing mangled HTTP  requests in the Apache access logs for the servers in the server farm.  Here is one example:
  XX.XX.XXX.XXX  - - [21/Oct/2012:01:42:12 -0500]  "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  Rather  than appearing just after the timestamp, the "POST /register/LServlet"  is tacked on to header information that shouldn't even appear in the  log. Also the first letter in that header information is always missing  (heckoutFlag instead of checkoutFlag in this example). 
  The  mangled request always shows up as a 501 HTTP error and shows up late  in the Apache access logs (timestamp is out of chronogical order) and  always appears with several duplicate POSTs:
  XX.XX.XXX.XXX - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  XX.XX.XX.XXX  - - [21/Oct/2012:01:42:12 -0500]   "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet"  "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  This is occurring for several different URLs and not just the one above and for multiple web browsers.
  The ACE load balances to servers running Tomcat 7 with Apache HTTP server v. 2.2.14.
  A recent ACE software upgrade to A5(2.1) has not fixed the problem.
  Has anyone seen this before?
  Thanks for any insight you can provide.
  -Kari

  Hi Kari,
  Do you have a sample of the configuration which you got with the CSS?
  What is the current configuration which you got on the ACE?
  Can you shows this output: # show stats http?
  Jorge

• Shouldn't ACE 4710 ignore cookie stickiness when the server is down?

  Hello,
  I have implemented sticky load balancing with cookies. The problem is that if one of my two servers in the server farm is down (and even if the ace recognizes it as down via a probe) it keeps sending the requests to the server that is down, obviously because it has set a cookie for this server,
  Shouldn't the ACE ignore the cookie when the server is down?
  Is there a command to ignore cookie stickiness if the server is down? Is there another workaround?
  an example of my config is
  serverfarm host SF_Ebanking
    rserver RS_IAS_1 XXXX
      conn-limit max 4000000 min 4000000
      probe http_probe_ebanking
      inservice
    rserver RS_IAS_2 XXXX
      conn-limit max 4000000 min 4000000
      probe http_probe_ebanking
      inservice
  sticky http-cookie ACE_COOKIE ebanking_sticky
    cookie insert
    replicate sticky
    serverfarm SF_Ebanking
    16 static cookie-value "server01" rserver RS_IAS_1
    24 static cookie-value "server02" rserver RS_IAS_2
  thanks,
  george

  This is not as obvious as you seem to believe.
  ACE will not select a server that is down !!!! Even if the cookie points to that server.
  What might be happening is that the connection from the browser to the ACE has not been killed, so when client sends a new request it reuses the existing connection and ACE does allow an existing connection to be maintain with a dead server by default.
  Try the command 'failaction purge' under the serverfarm.
  This should kill the active connections with the dead server and allow a new connection to be open with the other server even if the cookie points to the dead one.
  Regards,
  Gilles.

• ACE 4710 and DSCP marking

  I'm trying to set DSCP flags in traffic from ACE 4710 to clients. Unfortunatly it doesn't seem to work this way:
  class-map type http loadbalance match-any URL-AF21
    2 match http url /aaa/.*
    4 match http url /bbb/.*
  policy-map type loadbalance http first-match LB-WITH-DSCP
    class URL-AF21
      set ip tos 72
      serverfarm MyServerFram
    class default
      set ip tos 0
      serverfarm MyServerFram
  Traffic from ACE to Real Server is tagged but not traffic from ACE to clients.
  Any idea which config might work ?

  Hi,
  If we are setting the TOS Bit in the Policy map, as in you are doing it, ToS Bit will only get set in the ACE to Server Leg of connection. Ace will not set the value for the traffic returning back to Clients.
  The way around to this situation is to set the TOS bit via the parameter map and then call it under the class in multimatcg policy. In this way you will have the TOS bit set for both direction of the traffic (From ACE to Server and from ACE to client. The down side of this approach will be that you won't be able to use it for a specific class of traffic.
  If you are interested in applying the TOS bit for the whole flows hitting a VIP then please follow this configuration example.
  parameter-map type connection SET_TOS
  set ip tos 72
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• ACE 4710 upgrading software problem

  I logged into ACE 4710 to upgrade the image to c4710ace-mz.A1_8_0.bin. I logged in with Admin status and I got the following message, "
  ACE4710/Admin# delete image:c4710ace-mz.3.0.0_A1_7a.bin
  delete: cannot remove 'c4710ace-mz.3.0.0_A1_7a.bin': Permission denied"
  Is this a bug? Is there a workaround? Thank you.

  I am getting the same message again when i tried to delete an image and put a new image on.
  ACE4710/Admin# dir image:
  180784189 May 20 07:52:18 2008 c4710ace-mz.A1_8_0.bin
  176933319 May 6 07:10:04 2008 c4710ace-mz.A1_7b.bin
  Usage for image: filesystem
  714985472 bytes total used
  167362560 bytes free
  882348032 bytes total
  ACE4710/Admin# delete image:4710ace-mz.A1_7b.bin
  delete: cannot remove '4710ace-mz.A1_7b.bin': No such file or directory
  How can this issue be resolved?

• ACE 4710 and load balancing with sticky cookie

  Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers.  I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall.  The ACE is in bridged mode to load balance web servers that reside in the DMZ.  Everything seems to work just fine, but the cookie stickiness does not seem to be working.

  Hi David,
  As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key.This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
  When using cookie-insert, the ACE will not create any dynamic cookie entries.  It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value.  So what you see there is what is expected.
  You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie.   The cookie is included in the server's response, and the ACE will look for the value as configured.  The cookie will also be sent to the client.  If the cookie is not in the server's first response, you will need enable persistence-rebalance so that it will look in subsequent server responses.  If the browser opens new connections with that cookie, then the ACE will stick to the same server.
  My suggestion would be to get sticky working with cookie-insert first.  Then if that meets your needs, go with that permanently.  If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
  Sean

• ACE load-balancing-Cookie problem

  In our other load-balancing environments the load-balancer-cookie contains the encrypted (real) servername or ip-address.
  We think it's the same on the cisco, for that reason it's in theory not possible, that there are two 'green'-cookies with different values in the same request.
  There are only two possibilities how this could happen:
  a) The healthmonitor (http_probe) fails, the loadbalancer 'thinks' that the realserver is down and redistributes the traffic.
  But in that case we would expect, that the old cookie will be overwritten by the new one and not simply added to the http-header.
  b) The predictor in the serverfarm chooses a new realserver within the same request.
  If that is really the cause of that problem this would be bug in the cisco ace.
  What we found out, is that the loadbalancer performs a 'Set-Cookie'-Operation an every request even if the client submits the cookie correctly.
  For example:
  GET /ips-opdata/scripts/jquery.js HTTP/1.1
  Host: www.xxxxx.com
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
  Accept: */*
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 115
  Connection: keep-alive
  Referer: http://www.xxxxx.com/
  Cookie: green=R339366665; JSESSIONID=28D91FC6FD62A3921354BB36826294C4
  HTTP/1.1 200 OK
  Set-Cookie: green=R339366665; path=/; expires=Tue, 29-Mar-2011 06:33:00 GMT
  Server: Apache-Coyote/1.1
  X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
  ETag: W/"72181-1298537508000"
  Last-Modified: Thu, 24 Feb 2011 08:51:48 GMT
  Content-Type: text/javascript
  Content-Length: 72181
  Date: Mon, 28 Mar 2011 06:15:19 GMT
  As you can see the cookies: green=R339366665 is transmitted from the client, but the loadbalancer does a Set-Cookie Operation of the same cookie once again. This is an unexpected behaviour.
  We hope that this helps you to figure out the reason of the problem.

  The cookie is sent by the ACE on each response to refresh the timeout value on the client. The value of the cookie doesn't change. This is the expected behaviour and shouldn't break anything in the application / browser.
  For browser-based applications, don't forget to add the "browser-expire" parameter to your cookie-based stickyness config.

• ACE 4710 and Exchange 2013

  Greetings everyone.  
  I am curious if anyone has any experiences with Exchange 2013 and ACE SLB functions.  I know they changed to RPC over HTTPS on exch side and few other items changed as well.   I do not forsee any issues just looking to see if anyone has any feedback from a production deployment.   
  Thanks
  Joel

  Joel, I checked internally and only located one case raised against ACE and Exchange 2013. The issue was resolved via defect CSCuc98599 "ACE randomly resets POST requests with SSL offloading". Use A5.2.2 or apply workaround (increase maxparselen to 65k). Matthew

• Need help to Configure Cisco ACE 4710 Cluster Deployment

  Dear Experts,
  I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between  two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
  http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
  This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
  This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
  My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
  Thanks....!
  -Amal-

  Dear Kanwal,
  I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
  Following detail required for configuring Oracle EBS Apps tier on HA:
  LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
  Suggested IP and Name for LBR:
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm detail for LBR Setup
  Following detail will be use for configuring the LBR:
  LBR IP and Name :
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm Detail for LBR setup:
  Server 1 (EBS App1 Node, ap1ebs):
  IP : 172.25.45.19
  Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Server 2 (EBS App2 Node, ap2ebs):
  IP : 172.25.45.20
  Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
  Following are my latest config :
  probe http Get-Method
    description Check to url access /OA_HTML/OAInfo.jsp
    interval 10
    faildetect 2
    passdetect interval 30
    request method get url /OA_HTML/OAInfo.jsp
    expect status 200 200
  probe udp http-8000-iRDMI
    description IRDMI (HTTP - 8000)
    port 8000
  probe http http-probe
    description HTTP Probes
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    request method get url /index.html
    expect status 200 200
  probe https https-probe
    description HTTPS traffic
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    ssl version all
    request method get url /index.html
  probe icmp icmp-probe
    description ICMP PROBE FOR TO CHECK ICMP SERVICE
  rserver host ebsapp1
    description ebsapp1.xxxx.lk
    ip address 172.25.45.19
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  rserver host ebsapp2
    description ebsapp2.xxxx.lk
    ip address 172.25.45.20
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  serverfarm host ebsppsvrfarm
    description ebsapp server farm
    failaction purge
    predictor response app-req-to-resp samples 4
    probe http-probe
    probe icmp-probe
    inband-health check log 5 reset 500
    retcode 404 404 check log 1 reset 3
    rserver ebsapp1 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
    rserver ebsapp2 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
  sticky http-cookie jsessionid HTTP-COOKIE
    cookie insert browser-expire
    replicate sticky
    serverfarm ebsppsvrfarm
  class-map type http loadbalance match-any default-compression-exclusion-mime-type
    description DM generated classmap for default LB compression exclusion mime types.
    2 match http url .*gif
    3 match http url .*css
    4 match http url .*js
    5 match http url .*class
    6 match http url .*jar
    7 match http url .*cab
    8 match http url .*txt
    9 match http url .*ps
    10 match http url .*vbs
    11 match http url .*xsl
    12 match http url .*xml
    13 match http url .*pdf
    14 match http url .*swf
    15 match http url .*jpg
    16 match http url .*jpeg
    17 match http url .*jpe
    18 match http url .*png
  class-map match-all ebsapp-vip
    2 match virtual-address 172.25.45.21 tcp eq www
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match ebsapp-vip-l7slb
    class default-compression-exclusion-mime-type
      serverfarm ebsppsvrfarm
    class class-default
      compress default-method deflate
      sticky-serverfarm HTTP-COOKIE
  policy-map multi-match int455
    class ebsapp-vip
      loadbalance vip inservice
      loadbalance policy ebsapp-vip-l7slb
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 455
  interface vlan 455
    ip address 172.25.45.36 255.255.255.0
    peer ip address 172.25.45.35 255.255.255.0
    access-group input ALL
    nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
    service-policy input remote_mgmt_allow_policy
    service-policy input int455
    no shutdown
  ft interface vlan 999
    ip address 10.1.1.1 255.255.255.0
    peer ip address 10.1.1.2 255.255.255.0
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 10
    ft-interface vlan 999
  ft group 1
    peer 1
    no preempt
    priority 110
    associate-context Admin
    inservice
  ip route 0.0.0.0 0.0.0.0 172.25.45.1
  Hope you will reply me soon
  Thanks....!
  -Amal-

• ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?

  Hello all, I'm new to the ACE 4710 and need to know some details about stickyness.
  As background, we are a small company with a SaaS product and a pair of webservers.
  I have set up the loadbalancing default L7 Load-balancing rule to sticky based on a Cookie based Stickey Group.
  That seems to be working and session traffic is sticking to a server during the user's session.
  Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
  I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
  As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work little to no tranining on this hardware and no budget at this point to pay someone else for configuration and setup.
  I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
  Hopefully this request makes sense.
  Thanks,
  Mark Steeves.

  Daniel,
  Thanks for the reply, but I cannot reach the URL you included.  It gives me a 403.
  Therfore without reading the article, I wanted to ask if the proper setup would be:
  1. Default L7 load-balancing action: Primary action: Sticky: Stickey Group using
  Type = HTTP Header: Header name = Host
  2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
  Using this setting in testing, it looks like all the traffic keeps going to 1 server only.  Granted there is not much traffic t the servers, but I have 2 different url being tested. url1.ourdomain.com & url2.ourdomain.com
  If you have another link for the above document, please let me know.
  Thanks,
  Mark Steeves.

• ACE 4710 balance among URL

  I have ACE 4710 and I need configuration:
  I have real web-server with  folders : /1/index.html, /2/index.html, /3/index.html
  I need to  balance virtual service:
  If I try to connect URL: http://server/index.html,  then ACE balance among
  http://real_server/1/index.html,
  http://real_server/2/index.html,
  http://real_server/3/index.htm
  How can I  configure ACE ?

  ACE, can't modify the url.
  But it can send redirect.
  So you could build 3 redirect rservers, and have ACE loadbalance between them.
  rserver redirect HTTP-REDIRECT1
    webhost-redirection http://real_server/1/index.html
    inservice
  rserver redirect HTTP-REDIRECT2
     webhost-redirection http://real_server/2/index.html
     inservice
  rserver redirect HTTP-REDIRECT3
     webhost-redirection http://real_server/3/index.html
     inservice
  serverfarm redirect SF_REDIRECT
    rserver HTTP-REDIRECT1
      inservice
    rserver HTTP-REDIRECT2
      inservice
    rserver HTTP-REDIRECT3
      inservice
  But even if it works, this does not sound good.
  It seems like a design done by an application server person who does not know how network loadbalancers work.
  It seems like all you need is stickyness, which you are trying to achieve by redirecting to /1 or /2 or /3.
  But this can be done differently with cookies or by just doing stickyness on source ip address.
  Gilles.

• ACE 4710 SAML Tokens

  I am using an ACE 4710 and am converting incoming WSS username tokens to SAML Tokens - authenicating against Tivoli directory.
  The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and compares to the digest in the Xml Signature block.
  Is anybody else using SAML tokens?
  Has anyone else seen a similar problem?

  By adding SAML assertions to outgoing requests, the ACE XML Gateway can act as an asserting party for systems that rely on SAML credentials. The SAML assertions generated by the ACE XML Gateway can be in the form of a SAML 1.0, SAML 1.1, or SAML 2.0 credential.
  The following url may help you;
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_xml_gateway/v52/user/guide/axg_ug_backendauth.html#wp1049962

• ACE 4710 using SAML Tokens

  reposted from another forum:
  Am using an ACE 4710 and am converting incoming WSS username tokens to SAML Tokens - authenicating against Tivoli directory.
  The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and fails when comparing to the digest in the Xml Signature block.
  Is anybody else using SAML tokens?
  Has anyone else seen a similar problem?

  You are right we are using transport encryption (SSL) to protect the WSS Password.
  We then use LDAP to authenticate the username/password and create a SAML token using attributes from LDAP. The ACE Xml Gateway creates this SAML token, signs it and inserts into the SOAP header that is forwarded to our service.
  At our service we are trying to verify the signed SAML token. The error we are seeing is the Xml signature digest created by the ACE XML Gateway is wrong.
  With XML signature some Xml referenced by an ID is canonicalised, hashed (digest created) and then this digest is encrypted using the private key of some certificate.
  On receipt we repeat the process, canonicalise and hash the Xml referenced and compare our computed digest to the one created by the ACE device. This is where we get the error. We are using the standard canonicalisation and hashing algorithms (c14n and SHA1 respectively). Our code can successfully verify SAML tokens from other sources.

• ACE Redirect. Configuration Problem?

  Hi,
  I´m configuring Redirect in ACE 4710 and it doesn´t work fine. The client has two real servers and he wants redirect the traffic when both real servers are down.
  They have other server with static content (http) for redirect the trafic.
  The configuration is  (complete configuration is attached):
  rserver host Backup_Rserver
    ip address 192.168.0.212
    inservice
  rserver host achs-tamw01
    ip address 192.168.0.217
    inservice
  rserver host achs-tamw02
    ip address 192.168.0.205
    inservice
  rserver host achs-tamw03
    ip address 192.168.0.203
    inservice
  serverfarm host SF_Backup
    rserver Backup_Rserver 80
      inservice
  serverfarm host TAMW_80
    predictor leastconns
    probe PROBE_TAMW:80
    rserver achs-tamw01 80
      inservice
    rserver achs-tamw02 80
      inservice
    rserver achs-tamw03 80
      inservice
  sticky ip-netmask 255.255.255.255 address source TAMW_80_STICKY
    replicate sticky
    serverfarm TAMW_80 backup SF_Backup
  policy-map type loadbalance first-match VIP-POLICY-TAMW_80
    class class-default
     sticky-serverfarm TAMW_80_STICKY
  policy-map multi-match LB-VIP
    class VIP_TAMW_80
      loadbalance vip inservice
      loadbalance policy VIP-POLICY-TAMW_80
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 10
  interface vlan 10
    nat-pool 1 172.16.10.39 172.16.10.39 netmask 255.255.255.255 pat
    service-policy input LB-VIP
  When both real servers are down, the VIP remains operational and the backup real servers is operational and I can see statistics increase in this server:
  ACE-CC/Contexto_B# sh rserver
  rserver              : Backup_Rserver, type: HOST
  state                : OPERATIONAL (by default, unverified)
                                                  ----------connections-----------
         real                  weight state        current    total              
     ---+---------------------+------+------------+----------+--------------------
     serverfarm: SF_Backup
        192.168.0.212:0       8      OPERATIONAL  4          66                 
  In these moment both real servers were down and I could see connections, but when user from Internet o LAN try to connect it can´t see static content.
  ACE-CC/Contexto_B# sh service summ
  service-policy: LB-VIP
  Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop
  VIP_TAMW_80                      172.16.10.150   tcp   eq 80       1,10           IN-SRVC          21         903          0
  VIP remains operational.
  Regards,
  Jaime

  Hi Peter,
  I did test only in HTTP mode. In the configurations you can see that I applied a backup server only the port 80:
  serverfarm host SF_Backup
     rserver Backup_Rserver 80
      inservice
  I didn´t create a SF_Backup_443 because we were testing only with services in HTTP.
  I still can´t do labs test, although it seems that configuration is well. 
  Regards.
  Jaime.

• VIP not reachable on ACE 4710

  Hi All,
  I am not able to connect to a virtual IP address of ACE 4710 and either i am able to ping it. Kindly let me know if anything wrong here.
  Regards,
  Neha.

  Hi Yahb/Neha,
  Please try and confirm this:-
  1) See if you have permited the traffic:-
  access-list ALL line 8 extended permit ip any any
  class-map match-all L4_VIP_ADDRESS_CLASS
  2 match virtual-address 1.1.1.1 any
  class-map type management match-any REMOTE_ACCESS
  201 match protocol ssh any
  202 match protocol icmp any
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
  permit
  policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
  class class-default
  serverfarm SFARM1
  policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
  loadbalance vip inservice
  loadbalance policy L7_VIP_LB_ORDER_POLICY
  loadbalance vip icmp-reply
  2)
  Apply the ACL on to the correct vlan:-
  interface vlan 20
  description Server-side Interface
  ip address 2.2.2.2 255.255.255.0
  access-group input ALL --->make sure you have applied the ACL.
  service-policy input L4_LB_VIP_POLICY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
  interface vlan 30
  description Client side connectivity
  ip address 3.3.3.3. 255.255.255.0
  access-group input ALL
  service-policy input L4_LB_VIP_POLICY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
  ip route 0.0.0.0 0.0.0.0 x.x.x.x
  Let us know if you have done this.
  Regards
  Shariff