ACE 4710 and mangled HTTP requests

Similar Messages

• Application that receive SOAP and normal http request

  Hi Guys,
  I've been working onto web service right now using Spring. Been using this for receiving SOAP requests... Right now its working smoothly. But I want my application to cater both SOAP request and normal http request. Is that possible? If yes, can you guide me how?

  Sorry for the formatting above.  I interspersed lines between the questions, but they seem to have mostly disappeared.

• ACE 4710 and DSCP marking

  I'm trying to set DSCP flags in traffic from ACE 4710 to clients. Unfortunatly it doesn't seem to work this way:
  class-map type http loadbalance match-any URL-AF21
    2 match http url /aaa/.*
    4 match http url /bbb/.*
  policy-map type loadbalance http first-match LB-WITH-DSCP
    class URL-AF21
      set ip tos 72
      serverfarm MyServerFram
    class default
      set ip tos 0
      serverfarm MyServerFram
  Traffic from ACE to Real Server is tagged but not traffic from ACE to clients.
  Any idea which config might work ?

  Hi,
  If we are setting the TOS Bit in the Policy map, as in you are doing it, ToS Bit will only get set in the ACE to Server Leg of connection. Ace will not set the value for the traffic returning back to Clients.
  The way around to this situation is to set the TOS bit via the parameter map and then call it under the class in multimatcg policy. In this way you will have the TOS bit set for both direction of the traffic (From ACE to Server and from ACE to client. The down side of this approach will be that you won't be able to use it for a specific class of traffic.
  If you are interested in applying the TOS bit for the whole flows hitting a VIP then please follow this configuration example.
  parameter-map type connection SET_TOS
  set ip tos 72
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Setup WLS5.1 to accept only HTTPS requests (and not HTTP requests)...

  Greetings,
  Does anyone know how to configure Weblogic Server 5.1 so that the web server will
  only accept HTTPS requests (on port 7002) and not accept HTTP requests (on port
  7001)? I tried commenting out the HTTP ListenPort line in weblogic.properties,
  but WL still served up a page via HTTP. Thanks for any help,
  Steve

  Write a startup class which implements weblogic.security.net.ConnectionFilter
  interface
  Refer our javadocs at
  http://www.weblogic.com/docs51/classdocs/javadocs/index.html
  Also
  http://www.weblogic.com/docs51/classdocs/API_acl.html#filtering
  Kumar
  Steve wrote:
  Greetings,
  Does anyone know how to configure Weblogic Server 5.1 so that the web server will
  only accept HTTPS requests (on port 7002) and not accept HTTP requests (on port
  7001)? I tried commenting out the HTTP ListenPort line in weblogic.properties,
  but WL still served up a page via HTTP. Thanks for any help,
  Steve

• ACE 4710 and Exchange 2013

  Greetings everyone.  
  I am curious if anyone has any experiences with Exchange 2013 and ACE SLB functions.  I know they changed to RPC over HTTPS on exch side and few other items changed as well.   I do not forsee any issues just looking to see if anyone has any feedback from a production deployment.   
  Thanks
  Joel

  Joel, I checked internally and only located one case raised against ACE and Exchange 2013. The issue was resolved via defect CSCuc98599 "ACE randomly resets POST requests with SSL offloading". Use A5.2.2 or apply workaround (increase maxparselen to 65k). Matthew

• ACE 4710 and load balancing with sticky cookie

  Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers.  I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall.  The ACE is in bridged mode to load balance web servers that reside in the DMZ.  Everything seems to work just fine, but the cookie stickiness does not seem to be working.

  Hi David,
  As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key.This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
  When using cookie-insert, the ACE will not create any dynamic cookie entries.  It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value.  So what you see there is what is expected.
  You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie.   The cookie is included in the server's response, and the ACE will look for the value as configured.  The cookie will also be sent to the client.  If the cookie is not in the server's first response, you will need enable persistence-rebalance so that it will look in subsequent server responses.  If the browser opens new connections with that cookie, then the ACE will stick to the same server.
  My suggestion would be to get sticky working with cookie-insert first.  Then if that meets your needs, go with that permanently.  If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
  Sean

• ACE 4710 and Cookie problem

  I plan to load balance user traffic to a server farm. Currently, server is using cookie to generate delay/response time statistic for users from various locations. If I use ACE to load balance user traffic, I need to use NAT statement on ACE to make the design to work. However, server can no longer use cookie to generate such statictics since source address is now a NATed address. Is there a way to rectify this problem? Thank you in advance.

  You can get rid of nat - which would require a redesign (use policy routing or make ACE default gateway for servers).
  If redesign is not possible, than you have to live with NAT.
  ACE offers the http header insert function.
  You could add the src ip of the client inside the http header.
  Up to the server to retrieve the info and build whatever is needed.
  Gilles.

• ACE module and inspect http

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:Standardowy;
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  I find information on Cisco.COM how to perform the deep packet inspection of Layer 7 HTTP but I don’t want to use such deep inspection so I decided to use inspect http without policy Layer7 and I don’t know what ACE performs.  Could you tell me what ACE checks? Is it possible to customize?
  I have to be honest. I found something like this “the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC “ but I couldn’t image how HTTP could be fixup and what is internal RFC.
  Regards
  Falcon

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:Standardowy;
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:Standardowy;
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi Chris,
  I’ m so grateful to you for answering to me but I still have a problem “inspect http”. In my case I would like to check only method. I don’t want to check URL parsing or header parsing etc. Is it possible? I ask because the owner of webside is not sure about standard in URL or Header response.
  Cheers,
  Falcon

• Doubts about HTTPS requests and Java proxy

  Hello,
  I need help about SSL connections and Java.
  I'm developing a HTTP/S proxy with Java. To test my proxy, I use Firefox. I configure the proxy option in the browser. The proxy works good with HTTP requests, but with HTTPS requests doesn't work and I don't know why.
  I explain the steps that I do for a HTTPS request:
  * The browser sends a CONNECT message to the proxy.
  I check that the proxy receives the CONNECT request correctly.
  * The proxy establish a secure connection with the content server.
  I use an SSLSocket to connect with my content server, and the SSL handshake is succesful.
  * The proxy sends a 200 HTTP response to the client:
  I send
  HTTP/1.0 200 Connection established[CRLF]
  [CRLF]
  to the application client (Firefox)
  * The proxy sends/receive data to/from Firefox/content server
  I have a Socket between Firefox and my proxy, and a SSLSocket between my proxy and my content server. I use two threads to communicate the client and the server.
  Java code:
  //Thead server-->proxy-->application(Firefox)
  ThreadComm tpa = new ThreadComm(bis_serverSSL, bos_app);
  //Thread application(Firefox)-->proxy-->server
  ThreadComm tap = new ThreadComm(bis_app, bos_serverSSL);
  The "tpa" thread reads from the SSLSocket between the proxy and the server and sends data to the Socket between the proxy and Firefox.
  The "tap" thread reads from the Socket between the proxy and Firefox and sends data to the SSLSocket between the proxy and the server.
  This is the class ThreadComm:
  public class ThreadComm extends Thread{
      private BufferedInputStream bis = null;
      private BufferedOutputStream bos = null;
      public ThreadComm(BufferedInputStream bis, BufferedOutputStream bos) {
          this.bis = bis;
          this.bos = bos;
      @Override
      public void run() {
          int b = -1;
          FileOutputStream fos = null;
            do {
                 try {
                      b = bis.read();
                      System.out.print((char) b);
                      fos.write(b);
                      bos.write(b);
                      bos.flush();
                 } catch (Exception ex) {
                      Logger.getLogger(ThreadAplicacionProxy.class.getName()).log(Level.SEVERE, null, ex);
                      //b=-1;
            } while (b != -1);
      }But this doesn't work and I don't know why.      
  I have an Apache server with the mod_ssl enabled as content server, I can send requests (with Firefox) to the port 80(HTTP request) and 443(HTTPS request) without use my proxy and it works. If I use my proxy, HTTP request works but with HTTPS request doesn't work, I look the log of Apache and I see:
  [Tue Apr 27 17:32:03 2010] [info] Initial (No.1) HTTPS request received for child 62 (server localhost:443)
  [Tue Apr 27 17:32:03 2010] [error] [client 127.0.0.1] Invalid method in request \x80\x7f\x01\x03\x01
  [Tue Apr 27 17:32:03 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
  [Tue Apr 27 17:32:03 2010] [info] [client 127.0.0.1] Connection closed to child 62 with standard shutdown (server localhost:443)
  Why it say? Invalid method in request \x80\x7f\x01\x03\x01 , my proxy sends the data that the Firefox sends.
  I think than I have follow the explanations of [1] but doesn't work, I have problems in implementation in Java but I don't know where.
  I appreciate any suggestions.
  Thanks for your time.
  [1] http://www.web-cache.com/Writings/Internet-Drafts/draft-luotonen-web-proxy-tunneling-01.txt

  ejp, I have checked the socket between the proxy and server and ... You are right! , I was using the port 80 instead of the 443 (incredible mistake!, I'm sorry). I was convinced that I was using the port 443... Well, is a little step, but I still have not won the war :)
  If I see the log files of Apache, We can see that something goes wrong.
  localhost-access.log
  >
  127.0.0.1 - - [04/May/2010:17:44:48 +0200] "\x 80\x 7f\x01\x03\x01" 501 219
  >
  localhost-error.log
  >
  [Tue May 04 17:44:48 2010] [info] Initial (No.1) HTTPS request received for child 63 (server localhost:443)
  [Tue May 04 17:44:48 2010] [error] [client 127.0.0.1] Invalid method in request \x80\x7f\x01\x03\x01
  [Tue May 04 17:44:48 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
  [Tue May 04 17:44:48 2010] [info] [client 127.0.0.1] Connection closed to child 63 with standard shutdown (server localhost:443)
  >
  I think that this happens because Apache receives the data without decrypt, this is the reason because in the log we can see the "Invalid method in request \x80\x7f\x01\x03\x01". This supposition is true?
  ejp, you say that the "Termination is quite tricky." I have changed my code following yours suggestions (using the join and the shutdownOutput) but the threads don't die.
  I explain you what I do:
  (in time 1)
  I launch the thread (threadFirefoxToApache) that reads data from Firefox and sends to Apache.
  I launch the thread (threadApacheToFirefox) that reads data from Apache and sends to Firefox.
  (in time 2)
  threadFirefoxToApache sends the firts data to the server.
  threadApacheToFirefox is waiting that the server says something.
  (in time 3)
  threadFirefoxToApache is waiting that Firefox says something.
  threadApacheToFirefox sends data to Firefox.
  (in time 4)
  threadFirefoxToApache is waiting that Firefox says something.
  threadApacheToFirefox is waiting that Firefox says something.
  and they are waiting... and never finish.
  In time 2, these first data are encrypted. The server receives these data and It doesn't understand. In time 3, the server sends a HTTP response "501 Method Not Implemented", here there is a problem because this data must be encrypt. According to the documentation that I read, the proxy cannot "understand" this data but I can "understand" this data. What's happen?
  Firefox encrypt the data and send to the proxy. This It's correct.
  The proxy encrypt the data another time, because I use the SSLSocket to send the data to the server. Then the server receives the data encrypted two times, when decrypt the data gets the data encrypted one time. And this is the reason why the server doesn't understand the data that sends Firefox. It's correct? May be.
  Then If I want that the server receives the data encrypted one time I need to use the socketToServer, It's correct?
  I will supposed that yes. If I use the socketToServer, the proxy doesn't understand nothing, because the data received from the socketToServer are encrypted (I only see simbols), but the Apache log says that there is a problem with the version? (If I use the socketToServer the threads die)
  >
  [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read finished A
  [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write change cipher spec A
  [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write finished A
  [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
  [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done
  [Tue May 04 19:55:42 2010] [info] Connection: Client IP: 127.0.0.1, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
  [Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1817): OpenSSL: read 5/5 bytes from BIO#29bd910 [mem: 29ea0a8] (BIO dump follows)
  [Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1750): -------------------------------------------------------------------------
  [Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1789): | 0000: 80 7f 01 03 .... |
  [Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1793): | 0005 - <SPACES/NULS>
  [Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1795): ------------------------------------------------------------------------
  [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
  [Tue May 04 19:55:42 2010] [info] [client 127.0.0.1] SSL library error 1 reading data
  [Tue May 04 19:55:42 2010] [info] SSL Library Error: 336130315 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
  [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
  [Tue May 04 19:55:42 2010] [info] [client 127.0.0.1] Connection closed to child 63 with standard shutdown (server localhost:443)
  >
  What option is the correct? I need use the SSLSocketToServer or socketToServer to send/read the data to/from the server?. Use the SSLSocket has sense because the data travel in a secure socket, but use the Socket also has sense because the data are encrypted and they are protected by this encription. It's complicated...

• Need help to Configure Cisco ACE 4710 Cluster Deployment

  Dear Experts,
  I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between  two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
  http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
  This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
  This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
  My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
  Thanks....!
  -Amal-

  Dear Kanwal,
  I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
  Following detail required for configuring Oracle EBS Apps tier on HA:
  LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
  Suggested IP and Name for LBR:
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm detail for LBR Setup
  Following detail will be use for configuring the LBR:
  LBR IP and Name :
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm Detail for LBR setup:
  Server 1 (EBS App1 Node, ap1ebs):
  IP : 172.25.45.19
  Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Server 2 (EBS App2 Node, ap2ebs):
  IP : 172.25.45.20
  Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
  Following are my latest config :
  probe http Get-Method
    description Check to url access /OA_HTML/OAInfo.jsp
    interval 10
    faildetect 2
    passdetect interval 30
    request method get url /OA_HTML/OAInfo.jsp
    expect status 200 200
  probe udp http-8000-iRDMI
    description IRDMI (HTTP - 8000)
    port 8000
  probe http http-probe
    description HTTP Probes
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    request method get url /index.html
    expect status 200 200
  probe https https-probe
    description HTTPS traffic
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    ssl version all
    request method get url /index.html
  probe icmp icmp-probe
    description ICMP PROBE FOR TO CHECK ICMP SERVICE
  rserver host ebsapp1
    description ebsapp1.xxxx.lk
    ip address 172.25.45.19
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  rserver host ebsapp2
    description ebsapp2.xxxx.lk
    ip address 172.25.45.20
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  serverfarm host ebsppsvrfarm
    description ebsapp server farm
    failaction purge
    predictor response app-req-to-resp samples 4
    probe http-probe
    probe icmp-probe
    inband-health check log 5 reset 500
    retcode 404 404 check log 1 reset 3
    rserver ebsapp1 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
    rserver ebsapp2 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
  sticky http-cookie jsessionid HTTP-COOKIE
    cookie insert browser-expire
    replicate sticky
    serverfarm ebsppsvrfarm
  class-map type http loadbalance match-any default-compression-exclusion-mime-type
    description DM generated classmap for default LB compression exclusion mime types.
    2 match http url .*gif
    3 match http url .*css
    4 match http url .*js
    5 match http url .*class
    6 match http url .*jar
    7 match http url .*cab
    8 match http url .*txt
    9 match http url .*ps
    10 match http url .*vbs
    11 match http url .*xsl
    12 match http url .*xml
    13 match http url .*pdf
    14 match http url .*swf
    15 match http url .*jpg
    16 match http url .*jpeg
    17 match http url .*jpe
    18 match http url .*png
  class-map match-all ebsapp-vip
    2 match virtual-address 172.25.45.21 tcp eq www
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match ebsapp-vip-l7slb
    class default-compression-exclusion-mime-type
      serverfarm ebsppsvrfarm
    class class-default
      compress default-method deflate
      sticky-serverfarm HTTP-COOKIE
  policy-map multi-match int455
    class ebsapp-vip
      loadbalance vip inservice
      loadbalance policy ebsapp-vip-l7slb
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 455
  interface vlan 455
    ip address 172.25.45.36 255.255.255.0
    peer ip address 172.25.45.35 255.255.255.0
    access-group input ALL
    nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
    service-policy input remote_mgmt_allow_policy
    service-policy input int455
    no shutdown
  ft interface vlan 999
    ip address 10.1.1.1 255.255.255.0
    peer ip address 10.1.1.2 255.255.255.0
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 10
    ft-interface vlan 999
  ft group 1
    peer 1
    no preempt
    priority 110
    associate-context Admin
    inservice
  ip route 0.0.0.0 0.0.0.0 172.25.45.1
  Hope you will reply me soon
  Thanks....!
  -Amal-

• ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?

  Hello all, I'm new to the ACE 4710 and need to know some details about stickyness.
  As background, we are a small company with a SaaS product and a pair of webservers.
  I have set up the loadbalancing default L7 Load-balancing rule to sticky based on a Cookie based Stickey Group.
  That seems to be working and session traffic is sticking to a server during the user's session.
  Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
  I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
  As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work little to no tranining on this hardware and no budget at this point to pay someone else for configuration and setup.
  I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
  Hopefully this request makes sense.
  Thanks,
  Mark Steeves.

  Daniel,
  Thanks for the reply, but I cannot reach the URL you included.  It gives me a 403.
  Therfore without reading the article, I wanted to ask if the proper setup would be:
  1. Default L7 load-balancing action: Primary action: Sticky: Stickey Group using
  Type = HTTP Header: Header name = Host
  2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
  Using this setting in testing, it looks like all the traffic keeps going to 1 server only.  Granted there is not much traffic t the servers, but I have 2 different url being tested. url1.ourdomain.com & url2.ourdomain.com
  If you have another link for the above document, please let me know.
  Thanks,
  Mark Steeves.

• ACE 4710: Find out the response time of a real server

  Hi to everyone,
  I have a couple of ACE 4710 and I need to find out what is the response time of a real server.
  Is there a way for this?
  Thank you for any answer!
    giorgio romano

  Hi,
  Kindly add the following line in your serverfarm configuration:
  predictor response syn-to-synack
  Suppose your serverfarm looks like this:
  serverfarm host AAA_FARM
  predictor response syn-to-synack
  probe HTTP_PROBE
  probe TCP9001_PROBE
  rserver SC106
  inservice
  rserver SC107
  inservice
  rserver SC108
  inservice
  rserver SC109
  inservice
  rserver SC110
  inservice
  rserver SC111
  inservice
  rserver SC112
  inservice
  rserver SC113
  inservice
  rserver SC114
  inservice
  rserver SC120
  inservice
  rserver SC131
  inservice
  And then use the following command to see the average response time from your rserver as follows:
  ACE1/prod# show serverfarm AAA_FARM detail
  serverfarm     : AAA_FARM, type: HOST
  total rservers : 11
  active rservers: 11
  description    : ServerFarm AAA
  state          : ACTIVE
  predictor      : RESPONSE
  method            : syn-to-synack
  samples           : 8
  failaction     : -
  back-inservice    : 0
  partial-threshold : 0
  num times failover       : 0
  num times back inservice : 0
  total conn-dropcount : 0
  Probe(s) :
  HTTP_PROBE,  type = HTTP
  TCP9001_PROBE,  type = TCP
  ----------connections-----------
  real                  weight state        current    total      failures
  ---+---------------------+------+------------+----------+----------+---------
  rserver: SC106
  x.x.x.x.:0        8      OPERATIONAL  2          1125       0
  max-conns            : 4000000   , out-of-rotation count : 0
  min-conns            : 4000000
  conn-rate-limit      : -         , out-of-rotation count : -
  bandwidth-rate-limit : -         , out-of-rotation count : -
  retcode out-of-rotation count : -
  load value           : 0
  average response time (usecs) : 81   ----> thats what you might be looking for
  From other day :
  rserver: SC114
  x.x.x.x:0        8      OPERATIONAL  70         10903      2
  max-conns            : 4000000   , out-of-rotation count : 0
  min-conns            : 4000000
  conn-rate-limit      : -         , out-of-rotation count : -
  bandwidth-rate-limit : -         , out-of-rotation count : -
  retcode out-of-rotation count : -
  load value           : 0
           average response time (usecs) : 1334                       ----> thats what you might be looking for
  For Serverfarm BBB_FARM
  serverfarm     : BBB_FARM, type: HOST
  total rservers : 1
  active rservers: 1
  description    : ServerFarm BBB
  state          : ACTIVE
  predictor      : RESPONSE
  method            : syn-to-synack
  samples           : 8
  failaction     : -
  back-inservice    : 0
  partial-threshold : 0
  num times failover       : 1
  num times back inservice : 1
  total conn-dropcount : 0
  Probe(s) :
  ----------connections-----------
  real                  weight state        current    total      failures
  ---+---------------------+------+------------+----------+----------+---------
  rserver: SC208
  x.x.x.x:0        8      OPERATIONAL  0          0          0
  max-conns            : 4000000   , out-of-rotation count : 0
  min-conns            : 4000000
  conn-rate-limit      : -         , out-of-rotation count : -
  bandwidth-rate-limit : -         , out-of-rotation count : -
  retcode out-of-rotation count : -
  load value           : 0
           average response time (usecs) : 0   ----> thats what you might be looking for
  Use more detials for response predictor:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1068831
  Configuring the Application Response Predictor
  To instruct the ACE to select the server with the lowest average response time for the specified response-time measurement based on the current connection count and server weight (if configured), use the predictor response command in server farm host or redirect configuration mode. This predictor is considered adaptive because the ACE continuously provides feedback to the load-balancing algorithm based on the behavior of the real server.
  To select the appropriate server, the ACE measures the absolute response time for each server in the server farm and averages the result over a specified number of samples (if configured). With the default weight connection option configured, the ACE also takes into account the server's average response time and current connection count. This calculation results in a connection distribution that is proportional to the average response time of the server.
  The syntax of this command is as follows:
  predictor response {app-req-to-resp | syn-to-close | syn-to-synack}[samples number]
  The keywords and arguments are as follows:
  •app-request-to-resp—Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.
  •syn-to-close—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
  •syn-to-synack—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server.
  •samples number—(Optional) Specifies the number of samples over which you want to average the results of the response time measurement. Enter an integer from 1 to 16 in powers of 2. Valid values are 1, 2, 4, 8, and 16. The default is 8.
  For example, to configure the response predictor to load balance a request based on the response time from when the ACE sends an HTTP request to a server to when the ACE receives a response back from the server and average the results over four samples, enter:
  host1/Admin(config)# serverfarm SFARM1
  host1/Admin(config-sfarm-host)# predictor response app-req-to-resp
  samples 4
  To reset the predictor method to the default of round-robin, enter:
  host1/Admin(config-sfarm-host)# no predictor
  To configure an additional parameter to take into account the current connection count of the servers in a server farm, use the weight connection command in server farm host predictor configuration mode. By default, this command is enabled. The syntax of this command is as follows:
  weight connection
  For example, enter:
  host1/Admin(config)# serverfarm SF1
  host1/Admin(config-sfarm-host)# predictor response app-request-to-resp
  samples 4
  host1/Admin(config-sfarm-host-predictor)# weight connection
  To remove the current connection count from the calculation of the average server response time, enter:
  host1/Admin(config-sfarm-host-predictor)# no weight connection
  You can use threshold milliseconds parameter which is optional Specifies the required minimum average response time for a server. If the server response time is greater than the specified threshold value, the ACE removes the server from the load-balancing decision process (takes the server out of service).
  Enter an integer from 1 to 300000 milliseconds (5 minutes). The default is no threshold (servers are not taken out of service).
  In case if you have measures the response time from  when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server  use syn-to-close      (already discussed previously)
  If you have to measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server use syn-to-synack   (already discussed previously)
  SAMPLES parameter is optional and  specifies the number of samples that you want to average from the results of the response time measurement and response time is used to select the server with the lowest response time for the requested response-time measurement. If you do not specify a response-time measurement method, the ACE uses the HTTP app-req-to-response method.
  Whenever a server's load reaches zero, by default, the ACE uses the autoadjust feature to assign a maximum load value of 16000 to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options.
  Using the least-loaded predictor with the configured server weight and the current connection count option enabled, the ACE calculates the final load of a real server as follows:
  final load = weighted load × static weight × current connection count
  where:
  •weighted load is the load reported by the SNMP probe
  •static weight is the configured weight of the real server
  •current connection count is the total number of active connections to the real server
  The ACE recalculates the final load whenever the connection count changes, provided that the (config-sfarm-host-predictor) weight connection command is configured. If the (config-sfarm-host-predictor) weight connection command is not configured, the ACE updates the final load when the next load update arrives from the SNMP probe.
  If two servers have the same lowest load (either zero or nonzero), the ACE load balances the connections between the two servers in a round-robin manner.
  HTH
  Plz rate if u find it useful.
  Sachin

• ACE 4710 SAML Tokens

  I am using an ACE 4710 and am converting incoming WSS username tokens to SAML Tokens - authenicating against Tivoli directory.
  The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and compares to the digest in the Xml Signature block.
  Is anybody else using SAML tokens?
  Has anyone else seen a similar problem?

  By adding SAML assertions to outgoing requests, the ACE XML Gateway can act as an asserting party for systems that rely on SAML credentials. The SAML assertions generated by the ACE XML Gateway can be in the form of a SAML 1.0, SAML 1.1, or SAML 2.0 credential.
  The following url may help you;
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_xml_gateway/v52/user/guide/axg_ug_backendauth.html#wp1049962

• ACE 4710 balance among URL

  I have ACE 4710 and I need configuration:
  I have real web-server with  folders : /1/index.html, /2/index.html, /3/index.html
  I need to  balance virtual service:
  If I try to connect URL: http://server/index.html,  then ACE balance among
  http://real_server/1/index.html,
  http://real_server/2/index.html,
  http://real_server/3/index.htm
  How can I  configure ACE ?

  ACE, can't modify the url.
  But it can send redirect.
  So you could build 3 redirect rservers, and have ACE loadbalance between them.
  rserver redirect HTTP-REDIRECT1
    webhost-redirection http://real_server/1/index.html
    inservice
  rserver redirect HTTP-REDIRECT2
     webhost-redirection http://real_server/2/index.html
     inservice
  rserver redirect HTTP-REDIRECT3
     webhost-redirection http://real_server/3/index.html
     inservice
  serverfarm redirect SF_REDIRECT
    rserver HTTP-REDIRECT1
      inservice
    rserver HTTP-REDIRECT2
      inservice
    rserver HTTP-REDIRECT3
      inservice
  But even if it works, this does not sound good.
  It seems like a design done by an application server person who does not know how network loadbalancers work.
  It seems like all you need is stickyness, which you are trying to achieve by redirecting to /1 or /2 or /3.
  But this can be done differently with cookies or by just doing stickyness on source ip address.
  Gilles.

• ACE 4710 - QOS

                    I have a pair of ACE 4710 and I think I have all the failover configured correctly and it all appears to be working.  My question is regarding setting QOS on the physical interfaces that are part of my port channel.  I have qos trust cos enabled on all the interfaces in my port channel.  These interfaces are connected to a 3750 swith.  Do I need to configure QOS on the 3750 to allow the COS bit to pass through my 3750 to my peer?

  Hi
  No, default QoS configuration for 3750 is when QoS is disabled. In this situation 3750 simply doesn't touch packets at all and pass QoS values unchanged. However it doesn't do any prioritization either.
  http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a0080883f9e.shtml#concept11