ACE 4710 and load balancing with sticky cookie
Configuring load balancing with SSL termination and stickiness for a couple of Citrix XenApp servers. I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall. The ACE is in bridged mode to load balance web servers that reside in the DMZ. Everything seems to work just fine, but the cookie stickiness does not seem to be working.
Hi David,
As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key. This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
When using cookie-insert, the ACE will not create any dynamic cookie entries. It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value. So what you see there is what is expected.
You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie. The cookie is included in the server's response, and the ACE will look for the value as configured. The cookie will also be sent to the client. If the cookie is not in the server's first response, you will need to enable persistence-rebalance so that it will look in subsequent server responses. If the browser opens new connections with that cookie, then the ACE will stick to the same server.
My suggestion would be to get sticky working with cookie-insert first. Then if that meets your needs, go with that permanently. If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
Sean
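A simplified model of the two sticky modes described in the reply above, added here as an illustration; it is not ACE code and not part of the original thread. The rserver names, the cookie names ACE_STICKY and JSESSIONID, and the CRC32-derived cookie values are assumptions.

```python
import itertools
import zlib


class StickyModel:
    """Toy model of cookie-insert vs learned-cookie stickiness (not ACE code)."""

    def __init__(self, rservers, mode, cookie, persistence_rebalance=False):
        self.mode, self.cookie = mode, cookie        # mode: "insert" or "learn"
        self.persistence_rebalance = persistence_rebalance
        self._rr = itertools.cycle(rservers)         # round-robin for non-sticky picks
        self.table = {}                              # cookie value -> rserver
        if mode == "insert":
            # One static entry per rserver, present before any client connects.
            # Deriving the value from CRC32 of the name is an assumption.
            self.table = {"R%010d" % zlib.crc32(r.encode()): r for r in rservers}

    def connection(self, exchanges):
        """exchanges: [(request_cookies, cookie_value_set_by_server_or_None), ...]
        on one TCP connection. Returns [(rserver, cookie_sent_to_client), ...]."""
        out, rserver = [], None
        for i, (req_cookies, server_cookie) in enumerate(exchanges):
            # Without persistence-rebalance only the first exchange is inspected.
            inspected = i == 0 or self.persistence_rebalance
            hit = self.table.get(req_cookies.get(self.cookie)) if inspected else None
            if inspected:
                rserver = hit or rserver or next(self._rr)
            set_cookie = server_cookie               # server cookies pass through
            if inspected and hit is None and self.mode == "insert":
                set_cookie = next(v for v, r in self.table.items() if r == rserver)
            if inspected and self.mode == "learn" and server_cookie is not None:
                self.table[server_cookie] = rserver  # dynamic entry from a response
            out.append((rserver, set_cookie))
        return out


def demo_insert():
    lb = StickyModel(["xenapp1", "xenapp2"], "insert", "ACE_STICKY")
    a = lb.connection([({}, None)])[0]               # new client A
    b = lb.connection([({}, None)])[0]               # new client B
    c = lb.connection([({}, None)])[0]               # new client C, same rserver as A
    # A returns on a new connection; round-robin alone would now pick xenapp2.
    back = lb.connection([({"ACE_STICKY": a[1]}, None)])[0]
    return a, b, c, back, len(lb.table)


def demo_learn(persistence_rebalance):
    lb = StickyModel(["xenapp1", "xenapp2"], "learn", "JSESSIONID",
                     persistence_rebalance)
    # Constructed session: the server sets its cookie only in the second response.
    lb.connection([({}, None), ({}, "abc123")])
    returning = lb.connection([({"JSESSIONID": "abc123"}, None)])[0][0]
    return lb.table, returning


if __name__ == "__main__":
    print(demo_insert())
    print(demo_learn(False), demo_learn(True))
```

In insert mode the table never grows past one entry per rserver, which is why no per-client entries show up; in learn mode the entry only appears if the response carrying the cookie is actually inspected.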
Similar Messages
-
Cache and Load Balancing with Oracle APEX Listener
Hi,
I intend to use only HTTP access.
How to implement a Cache and Load Balancing with the Oracle APEX Listener?
Is it possible to do with the standalone running APEX Listener?
Thanks in advance for any tips/documentation/references.
Kind Regards.
Hi,
I think this question is best asked in the APEX Listener forum:
ORDS, SODA & JSON in the Database
Kind regards
Sandro -
ACE 4710 SSL server LB with stickiness
I will be replacing 11500 CSS which are not doing SSL termination, just load-balancing SSL sessions terminated on servers with ACE 4710.
On their CSS config, they were doing SSL-sticky. I understand the 4710 doesn't support SSL sticky, but can perform the same function by parsing the HTTP header. Has anyone done this config before and know where/how to parse the header to look for the SSL session# and stick connections to same server?
THANKS!
In ACE 2.x code GPP (Generic protocol parsing) was introduced that enables ACE to look into the Layer 4 payload, which is how this stickiness is achieved.
details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1133923
I don't think it's currently available on ACE appliance yet.
Syed -
Configuring ACE 4710 for Load Balancing Speech servers
Hello, I'm configuring ACE 4710's for the first time and I want to load balance my Nuance speech servers on port 554. Here's my configuration on ACE01:
hostname ace471001
interface gigabitEthernet 1/1
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown
access-list ALL line 8 extended permit ip any any
rserver host nss01
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
interface vlan 1000
  ip address 10.20.17.21 255.255.248.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
How would I configure my speech server to listen on 554?
Thanks in advance
Hello Reginald
Currently you have only basic network configuration, there is no loadbalancing config
I'm not sure what exactly you're asking about, but basically you need to have
- real servers configured on ACE (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp999495)
- serverfarm configured on ACE (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1014522)
- L7 policy map (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1171109 , http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027248 )
- L4 policy map, class-map (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027819)
And then apply it on necessary interface.
This is a general configuration, in your specific case you may need to configure some additional features (e.g. I think you will need to have stickiness enabled http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html but it depends on your application)
links are for old config guides, but basic is pretty much the same for all versions.
Please check them and try to narrow down your question a bit. -
ACE 4710 HTTPS load balance configuration
Have two ACE 4710 in HA setup. We would like to setup HTTPS loadbalance(actually just a primary and standby configuration in the serverfarm). Initially this would be for Exchange OWA connections but may expand to more HTTPS connections later.
I know there are several ways to do SSL with the ACE( client, server, end-to-end). I am just wanting to know the easiest way to deploy this? Is a certificate always needed on the ACE for each connection? In HA mode would a certificate be needed for both or does it replicate in some way to the other ACE?
Any configuration examples would be helpful.
Thanks.
If you terminate SSL on the ACE you need certificates and key on ace in the context in which you are doing the termination. The certs and keys need to be installed on the active and standby (manually unless using anm to manage).
when speaking of SSL
SSL termination refers to ace terminating SSL and sending to server as clear text
end to end - ACE terminates SSL (to look into payload to make a loadbalance decision or sticky decision) and then re-encrypts to the server, so to the client ACE is an ssl server and to the server the ace is an ssl client.
You can find some config examples at
http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples -
HTTP Tunneling and Load Balancing with Weblogic Server 6.1
We use T3 for Java client to application server communication (Weblogic Server
6.1) and keep the session open for the life of the client. We have many customers
using this with load balancers and all works fine. We have just started to use
BEA's HTTP tunneling and I have a question concerning how this will work with
load balancers. Since the single T3 connection has been replaced with a series
of stateless HTTP connections, does the BEA tunneling code put session information
in the HTTP header? If so, what information does it place in the header. If
it does we should be able to use that to make sure that the load balancer always
sends HTTP requests with that session to the same application server.
Thanks!
Rick
Rick,
You may want to look at the Alteon and F5 configuration we have on edocs.
Take a look at the following URLs for a possible solution
http://edocs.bea.com/wls/docs61/cluster/alteon.html#591902
http://edocs.bea.com/wls/docs61/cluster/bigip.html#591902
Chuck Nelson
DRE
BEA Technical Support -
Failover and Load Balancing with JNDI Connection Pools
Hi,
I am trying to figure out how would JNDI Connection Pooling work along with failover or DNS Load Balancing.
Would connections be distributed equally among the list?
Would the pool work with multiple heterogeneous connections (i.e. connections to different but equivalent servers ), or do all the connections in the pool have to be homogeneous (i.e. to the same server)?
Thanks,
Sergio -
ACE 4710 server load balancing on ACE with routed model.
Hi experts,
Pls help me...i need server load balance on ACE4710 with routed model sample configuration or configuration guide....thanks in advance....
Here you go
-
Sticky sessions and Load Balancing in WL Clusters
We are using iPlanet Web Server 4.1 with WebLogic App Server; and would like
to implement load balancing with sticky sessions and in-memory state
replication.
The documentation in Weblogic says that -
When using in-memory state replication, your WebLogic Server Cluster must
live behind one or more proxy servers. The proxy servers are smart enough to
send servlet requests, belonging to the same HTTP session, back to the same
server in the cluster that holds the session data.
(Ref: http://www.weblogic.com/docs51/cluster/setup.html)
Does this mean that the sticky session configuration has to be done on the
iPlanet Web Server itself ?
Also, if WebLogic is used as the Web server, does WebLogic provide any
support for sticky sessions?
Any help, suggestions or links to useful info are welcome.
Regards,
Milind.
Mike,
I'm curious as to why you would recommend using weblogic as a web server in 6.1?
I would not for the following reasons:
- it costs 10x more per cpu list
- it doesn't support hardware accel cards (afaik, please let me know if this has
changed)
iplanet is really good at serving up static html and gif's, especially in ssl if you
have a hardware accel card. So if you have a site with lots of graphics and you use
ssl a lot, I think it's still a better solution.
-Joel
Mike Reiche wrote:
You get sticky round-robin by default.
You need to have session tracking turned on (i think it is on by default). You
need to have the WL plugin configured in iPlanet.
When WL creates an httpSession, it writes a cookie (or rewrites the URL) back
to the browser. On subsequent requests, the browser sends the cookie and iPlanet
plug-in directs the request to the correct WL instance based on the ip address
of the WL server embedded in the cookie.
If you are using WLS 6.1, I would recommend using it as a web server (and not
using iPlanet). I imagine that it supports sticky load balancing as well.
Mike
Joel Nylund <[email protected]> wrote:
you get round robin by default, if you want a different scheme you can
use one
of the other 3 options (weight, random or parameter).
-Joel
I think weight can be set in weblogic properties. I haven't used any other
than
round robin.
Milind Prabhu wrote:
We are using iPlanet Web Server 4.1 with WebLogic App Server; and would like
to implement load balancing with sticky sessions and in-memory state
replication.
The documentation in Weblogic says that -
When using in-memory state replication, your WebLogic Server Cluster must
live behind one or more proxy servers. The proxy servers are smart enough to
send servlet requests, belonging to the same HTTP session, back to the same
server in the cluster that holds the session data.
(Ref: http://www.weblogic.com/docs51/cluster/setup.html)
Does this mean that the sticky session configuration has to be done on the
iPlanet Web Server itself ?
Also, if WebLogic is used as the Web server, does WebLogic provide any
support for sticky sessions?
Any help, suggestions or links to useful info are welcome.
Regards,
Milind. -
Reverse Proxy and Load Balancer for SMP 2.3 and Agentry Application
Hi Expert,
I'm putting in place a mobile solution composed by SMP 2.3 SPS 4 and SAP ECC 6.0. In the SMP 2.3 I created the agentry server and I have deployed my agentry application.
My SMP/Agentry infrastructure is composed by two servers therefore I need a load balancer for balance the load into the several servers. Furthermore I need to use a reverse proxy in my DMZ zone.
Based on what indicated in the SAP note "1904213 - SAP Mobile Platform Server Release Information" the Apache Reverse Proxy is not supported for Agentry clients. Agentry uses nginx for Reverse Proxy.
I also found the following document How-to-Guide for Reverse Proxy and Load Balancing in SAP Mobile Platform 3.x that explain how to set-up a reverse proxy and load balancer with nginx and apache.
Both the SAP note and the How-to document refer to SMP 3.0 and not to SMP 2.3.
I would like to know if NGINX must also be used for SMP 2.3.
Any suggestion/information is appreciated.
Thanks in advance
g.
Please see Agentry Network Landscapes
-
Cache and Load Balancing for the Oracle APEX Listener
Hi,
I intend to use only HTTP access.
My database is Oracle 11gR2, SE, 32 bit.
How to implement a Cache and Load Balancing with the Oracle APEX Listener?
Is it possible to do with the standalone running APEX Listener?
Thanks in advance for any tips/documentation/references.
Kind Regards.
Error. To be closed.
-
Cache and Load Balancing for Oracle APEX Listener
Hi,
I intend to use only HTTP access.
The database I use is Oracle11gR2 SE 32bit.
How to implement a Cache and Load Balancing with the Oracle APEX Listener?
Is it possible to do with the standalone running APEX Listener?
Thanks in advance for any tips/documentation/references.
Kind Regards.
Error. To be closed.
-
CSS Load Balancing with Cookies
We are trying to load balance 2 backend servers hosted on Websphere with advance balance cookies method.
Restrictions
ServerA is unable to accept cookies generated from ServerB.
ServerA and ServerB are generating random cookies
Unable to modify cookie string with a constant.
How can we load balance based on cookies considering the above restrictions?
We have attempted to do hash based load balancing with cookies but the problem we run into is the servers do not accept cookies generated from another server.
The configuration we tried is written below:
service ServerA
  ip address 192.168.10.2
  keepalive type tcp
  keepalive port 80
  active
service ServerB
  ip address 192.168.20.2
  keepalive type tcp
  keepalive port 80
  active
content ABC
  url "/*"
  add service ServerA
  string prefix "JSESSIONID="
  advanced-balance cookies
  port 80
  add service ServerB
  string skip-length 5
  string process-length 16
  string operation hash-xor
  protocol tcp
  vip address 172.16.32.1
  active
Can we change the string prefix to JSESSION instead of JSESSIONID= ?
The only place the app guys can add a constant string to match on is before the = sign.
Is it possible for CSS to match on a constant string before = sign e.g below:
service ServerA
  ip address 192.168.10.2
  keepalive type tcp
  keepalive port 80
  string id567=
  active
service ServerB
  ip address 192.168.20.2
  keepalive type tcp
  keepalive port 80
  string id123=
  active
content ABC
  url "/*"
  add service ServerA
  string prefix "JSESSION"
  advanced-balance cookies
  port 80
  add service ServerB
  string skip-length 0
  string process-length 6
  protocol tcp
  vip address 172.16.32.1
  active
It should work.
There is no reason for it not to work...
This is the best method you can have on the CSS for stickiness.
Get a sniffer trace on the client and server with arrowpoint cookie configured on the CSS and capture a failure so we can see what is going on.
also send me the config so I can verify everything is ok.
If you have a service request open with the TAC, you can also give the SR # so I can review what has been done.
Gilles. -
Cisco 2811 Router with 3 ADSL card and load balancing
Dear All,
I have few queries:
1. Does Cisco 2811 Router support 3 ADSL card?
2. We are the ISP. I want to do load balancing with 3 DSL lines on Cisco 2811 Router.
Please send me the link for this configuration.
Thanks/Regards
Atul
hi
In 2811 you have 4 HWIC and 1 NME you can install 1-port ADSL WAN Interface Card on the HWIC slots.
Also just enable 3 default (equal cost) routes towards the interfaces which will take care of the load balancing.
if you need more info and inputs do post out with ur requirements along with network topology in place at present..
regds -
VPN device with dual ISP, fail-over, and load balancing
We currently service a client that has a PIX firewall that connects to multiple, separate outside vendors via IPSEC VPN. The VPN connections are mission critical and if for any reason the VPN device or the internet connection (currently only a T1) goes down, the business goes down too. We're looking for a solution that allows dual-ISP, failover, and load balancing. I see that there are several ASA models as well as the IOS that support this but what I'm confused about is what are the requirements for the other end of the VPN, keeping in mind that the other end will always be an outside vendor and out of our control. Current VPN endpoints for outside vendors are to devices like VPN 3000 Concentrator, Sonicwall, etc. that likely do not support any type of fail-over, trunking, load-balancing. Is this just not possible?
Unless I am mistaken the ASA doesn't do VPN Load Balancing for point-to-point IPSec connections either. What you're really after is opportunistic connection failover, and/or something like DMVPN. Coordinating opportunistic failover shouldn't be too much of an issue with the partners, but be prepared for a lot of questions.