ACE 4710 and mangled HTTP requests
After replacing a Cisco CSS/SSL Accelorator and PIX firewall with an ACE 4710 to do load balancing and SSL encryption behind an ASA firewall we started seeing mangled HTTP requests in the Apache access logs for the servers in the server farm. Here is one example:
XX.XX.XXX.XXX - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
Rather than appearing just after the timestamp, the "POST /register/LServlet" is tacked on to header information that shouldn't even appear in the log. Also the first letter in that header information is always missing (heckoutFlag instead of checkoutFlag in this example).
The mangled request always shows up as a 501 HTTP error and shows up late in the Apache access logs (timestamp is out of chronogical order) and always appears with several duplicate POSTs:
XX.XX.XXX.XXX - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XX.XXX - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
This is occurring for several different URLs and not just the one above and for multiple web browsers.
The ACE load balances to servers running Tomcat 7 with Apache HTTP server v. 2.2.14.
A recent ACE software upgrade to A5(2.1) has not fixed the problem.
Has anyone seen this before?
Thanks for any insight you can provide.
-Kari
Hi Kari,
Do you have a sample of the configuration which you got with the CSS?
What is the current configuration which you got on the ACE?
Can you shows this output: # show stats http?
Jorge
Similar Messages
-
Application that receive SOAP and normal http request
Hi Guys,
I've been working onto web service right now using Spring. Been using this for receiving SOAP requests... Right now its working smoothly. But I want my application to cater both SOAP request and normal http request. Is that possible? If yes, can you guide me how?Sorry for the formatting above. I interspersed lines between the questions, but they seem to have mostly disappeared.
-
I'm trying to set DSCP flags in traffic from ACE 4710 to clients. Unfortunatly it doesn't seem to work this way:
class-map type http loadbalance match-any URL-AF21
2 match http url /aaa/.*
4 match http url /bbb/.*
policy-map type loadbalance http first-match LB-WITH-DSCP
class URL-AF21
set ip tos 72
serverfarm MyServerFram
class default
set ip tos 0
serverfarm MyServerFram
Traffic from ACE to Real Server is tagged but not traffic from ACE to clients.
Any idea which config might work ?Hi,
If we are setting the TOS Bit in the Policy map, as in you are doing it, ToS Bit will only get set in the ACE to Server Leg of connection. Ace will not set the value for the traffic returning back to Clients.
The way around to this situation is to set the TOS bit via the parameter map and then call it under the class in multimatcg policy. In this way you will have the TOS bit set for both direction of the traffic (From ACE to Server and from ACE to client. The down side of this approach will be that you won't be able to use it for a specific class of traffic.
If you are interested in applying the TOS bit for the whole flows hitting a VIP then please follow this configuration example.
parameter-map type connection SET_TOS
set ip tos 72
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
Greetings,
Does anyone know how to configure Weblogic Server 5.1 so that the web server will
only accept HTTPS requests (on port 7002) and not accept HTTP requests (on port
7001)? I tried commenting out the HTTP ListenPort line in weblogic.properties,
but WL still served up a page via HTTP. Thanks for any help,
SteveWrite a startup class which implements weblogic.security.net.ConnectionFilter
interface
Refer our javadocs at
http://www.weblogic.com/docs51/classdocs/javadocs/index.html
Also
http://www.weblogic.com/docs51/classdocs/API_acl.html#filtering
Kumar
Steve wrote:
Greetings,
Does anyone know how to configure Weblogic Server 5.1 so that the web server will
only accept HTTPS requests (on port 7002) and not accept HTTP requests (on port
7001)? I tried commenting out the HTTP ListenPort line in weblogic.properties,
but WL still served up a page via HTTP. Thanks for any help,
Steve -
Greetings everyone.
I am curious if anyone has any experiences with Exchange 2013 and ACE SLB functions. I know they changed to RPC over HTTPS on exch side and few other items changed as well. I do not forsee any issues just looking to see if anyone has any feedback from a production deployment.
Thanks
JoelJoel, I checked internally and only located one case raised against ACE and Exchange 2013. The issue was resolved via defect CSCuc98599 "ACE randomly resets POST requests with SSL offloading". Use A5.2.2 or apply workaround (increase maxparselen to 65k). Matthew
-
ACE 4710 and load balancing with sticky cookie
Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers. I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall. The ACE is in bridged mode to load balance web servers that reside in the DMZ. Everything seems to work just fine, but the cookie stickiness does not seem to be working.
Hi David,
As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key.This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
When using cookie-insert, the ACE will not create any dynamic cookie entries. It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value. So what you see there is what is expected.
You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie. The cookie is included in the server's response, and the ACE will look for the value as configured. The cookie will also be sent to the client. If the cookie is not in the server's first response, you will need enable persistence-rebalance so that it will look in subsequent server responses. If the browser opens new connections with that cookie, then the ACE will stick to the same server.
My suggestion would be to get sticky working with cookie-insert first. Then if that meets your needs, go with that permanently. If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
Sean -
I plan to load balance user traffic to a server farm. Currently, server is using cookie to generate delay/response time statistic for users from various locations. If I use ACE to load balance user traffic, I need to use NAT statement on ACE to make the design to work. However, server can no longer use cookie to generate such statictics since source address is now a NATed address. Is there a way to rectify this problem? Thank you in advance.
You can get rid of nat - which would require a redesign (use policy routing or make ACE default gateway for servers).
If redesign is not possible, than you have to live with NAT.
ACE offers the http header insert function.
You could add the src ip of the client inside the http header.
Up to the server to retrieve the info and build whatever is needed.
Gilles. -
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:Standardowy;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
I find information on Cisco.COM how to perform the deep packet inspection of Layer 7 HTTP but I don’t want to use such deep inspection so I decided to use inspect http without policy Layer7 and I don’t know what ACE performs. Could you tell me what ACE checks? Is it possible to customize?
I have to be honest. I found something like this “the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC “ but I couldn’t image how HTTP could be fixup and what is internal RFC.
Regards
Falcon/* Style Definitions */
table.MsoNormalTable
{mso-style-name:Standardowy;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:Standardowy;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
Hi Chris,
I’ m so grateful to you for answering to me but I still have a problem “inspect http”. In my case I would like to check only method. I don’t want to check URL parsing or header parsing etc. Is it possible? I ask because the owner of webside is not sure about standard in URL or Header response.
Cheers,
Falcon -
Doubts about HTTPS requests and Java proxy
Hello,
I need help about SSL connections and Java.
I'm developing a HTTP/S proxy with Java. To test my proxy, I use Firefox. I configure the proxy option in the browser. The proxy works good with HTTP requests, but with HTTPS requests doesn't work and I don't know why.
I explain the steps that I do for a HTTPS request:
* The browser sends a CONNECT message to the proxy.
I check that the proxy receives the CONNECT request correctly.
* The proxy establish a secure connection with the content server.
I use an SSLSocket to connect with my content server, and the SSL handshake is succesful.
* The proxy sends a 200 HTTP response to the client:
I send
HTTP/1.0 200 Connection established[CRLF]
[CRLF]
to the application client (Firefox)
* The proxy sends/receive data to/from Firefox/content server
I have a Socket between Firefox and my proxy, and a SSLSocket between my proxy and my content server. I use two threads to communicate the client and the server.
Java code:
//Thead server-->proxy-->application(Firefox)
ThreadComm tpa = new ThreadComm(bis_serverSSL, bos_app);
//Thread application(Firefox)-->proxy-->server
ThreadComm tap = new ThreadComm(bis_app, bos_serverSSL);
The "tpa" thread reads from the SSLSocket between the proxy and the server and sends data to the Socket between the proxy and Firefox.
The "tap" thread reads from the Socket between the proxy and Firefox and sends data to the SSLSocket between the proxy and the server.
This is the class ThreadComm:
public class ThreadComm extends Thread{
private BufferedInputStream bis = null;
private BufferedOutputStream bos = null;
public ThreadComm(BufferedInputStream bis, BufferedOutputStream bos) {
this.bis = bis;
this.bos = bos;
@Override
public void run() {
int b = -1;
FileOutputStream fos = null;
do {
try {
b = bis.read();
System.out.print((char) b);
fos.write(b);
bos.write(b);
bos.flush();
} catch (Exception ex) {
Logger.getLogger(ThreadAplicacionProxy.class.getName()).log(Level.SEVERE, null, ex);
//b=-1;
} while (b != -1);
}But this doesn't work and I don't know why.
I have an Apache server with the mod_ssl enabled as content server, I can send requests (with Firefox) to the port 80(HTTP request) and 443(HTTPS request) without use my proxy and it works. If I use my proxy, HTTP request works but with HTTPS request doesn't work, I look the log of Apache and I see:
[Tue Apr 27 17:32:03 2010] [info] Initial (No.1) HTTPS request received for child 62 (server localhost:443)
[Tue Apr 27 17:32:03 2010] [error] [client 127.0.0.1] Invalid method in request \x80\x7f\x01\x03\x01
[Tue Apr 27 17:32:03 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
[Tue Apr 27 17:32:03 2010] [info] [client 127.0.0.1] Connection closed to child 62 with standard shutdown (server localhost:443)
Why it say? Invalid method in request \x80\x7f\x01\x03\x01 , my proxy sends the data that the Firefox sends.
I think than I have follow the explanations of [1] but doesn't work, I have problems in implementation in Java but I don't know where.
I appreciate any suggestions.
Thanks for your time.
[1] http://www.web-cache.com/Writings/Internet-Drafts/draft-luotonen-web-proxy-tunneling-01.txtejp, I have checked the socket between the proxy and server and ... You are right! , I was using the port 80 instead of the 443 (incredible mistake!, I'm sorry). I was convinced that I was using the port 443... Well, is a little step, but I still have not won the war :)
If I see the log files of Apache, We can see that something goes wrong.
localhost-access.log
>
127.0.0.1 - - [04/May/2010:17:44:48 +0200] "\x 80\x 7f\x01\x03\x01" 501 219
>
localhost-error.log
>
[Tue May 04 17:44:48 2010] [info] Initial (No.1) HTTPS request received for child 63 (server localhost:443)
[Tue May 04 17:44:48 2010] [error] [client 127.0.0.1] Invalid method in request \x80\x7f\x01\x03\x01
[Tue May 04 17:44:48 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
[Tue May 04 17:44:48 2010] [info] [client 127.0.0.1] Connection closed to child 63 with standard shutdown (server localhost:443)
>
I think that this happens because Apache receives the data without decrypt, this is the reason because in the log we can see the "Invalid method in request \x80\x7f\x01\x03\x01". This supposition is true?
ejp, you say that the "Termination is quite tricky." I have changed my code following yours suggestions (using the join and the shutdownOutput) but the threads don't die.
I explain you what I do:
(in time 1)
I launch the thread (threadFirefoxToApache) that reads data from Firefox and sends to Apache.
I launch the thread (threadApacheToFirefox) that reads data from Apache and sends to Firefox.
(in time 2)
threadFirefoxToApache sends the firts data to the server.
threadApacheToFirefox is waiting that the server says something.
(in time 3)
threadFirefoxToApache is waiting that Firefox says something.
threadApacheToFirefox sends data to Firefox.
(in time 4)
threadFirefoxToApache is waiting that Firefox says something.
threadApacheToFirefox is waiting that Firefox says something.
and they are waiting... and never finish.
In time 2, these first data are encrypted. The server receives these data and It doesn't understand. In time 3, the server sends a HTTP response "501 Method Not Implemented", here there is a problem because this data must be encrypt. According to the documentation that I read, the proxy cannot "understand" this data but I can "understand" this data. What's happen?
Firefox encrypt the data and send to the proxy. This It's correct.
The proxy encrypt the data another time, because I use the SSLSocket to send the data to the server. Then the server receives the data encrypted two times, when decrypt the data gets the data encrypted one time. And this is the reason why the server doesn't understand the data that sends Firefox. It's correct? May be.
Then If I want that the server receives the data encrypted one time I need to use the socketToServer, It's correct?
I will supposed that yes. If I use the socketToServer, the proxy doesn't understand nothing, because the data received from the socketToServer are encrypted (I only see simbols), but the Apache log says that there is a problem with the version? (If I use the socketToServer the threads die)
>
[Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read finished A
[Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write change cipher spec A
[Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write finished A
[Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
[Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done
[Tue May 04 19:55:42 2010] [info] Connection: Client IP: 127.0.0.1, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1817): OpenSSL: read 5/5 bytes from BIO#29bd910 [mem: 29ea0a8] (BIO dump follows)
[Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1750): -------------------------------------------------------------------------
[Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1789): | 0000: 80 7f 01 03 .... |
[Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1793): | 0005 - <SPACES/NULS>
[Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1795): ------------------------------------------------------------------------
[Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
[Tue May 04 19:55:42 2010] [info] [client 127.0.0.1] SSL library error 1 reading data
[Tue May 04 19:55:42 2010] [info] SSL Library Error: 336130315 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
[Tue May 04 19:55:42 2010] [info] [client 127.0.0.1] Connection closed to child 63 with standard shutdown (server localhost:443)
>
What option is the correct? I need use the SSLSocketToServer or socketToServer to send/read the data to/from the server?. Use the SSLSocket has sense because the data travel in a secure socket, but use the Socket also has sense because the data are encrypted and they are protected by this encription. It's complicated... -
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
Thanks....!
-Amal-Dear Kanwal,
I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
Following are my latest config :
probe http Get-Method
description Check to url access /OA_HTML/OAInfo.jsp
interval 10
faildetect 2
passdetect interval 30
request method get url /OA_HTML/OAInfo.jsp
expect status 200 200
probe udp http-8000-iRDMI
description IRDMI (HTTP - 8000)
port 8000
probe http http-probe
description HTTP Probes
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
request method get url /index.html
expect status 200 200
probe https https-probe
description HTTPS traffic
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
ssl version all
request method get url /index.html
probe icmp icmp-probe
description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
description ebsapp1.xxxx.lk
ip address 172.25.45.19
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
rserver host ebsapp2
description ebsapp2.xxxx.lk
ip address 172.25.45.20
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
serverfarm host ebsppsvrfarm
description ebsapp server farm
failaction purge
predictor response app-req-to-resp samples 4
probe http-probe
probe icmp-probe
inband-health check log 5 reset 500
retcode 404 404 check log 1 reset 3
rserver ebsapp1 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
rserver ebsapp2 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
sticky http-cookie jsessionid HTTP-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map match-all ebsapp-vip
2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
class default-compression-exclusion-mime-type
serverfarm ebsppsvrfarm
class class-default
compress default-method deflate
sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
class ebsapp-vip
loadbalance vip inservice
loadbalance policy ebsapp-vip-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 455
interface vlan 455
ip address 172.25.45.36 255.255.255.0
peer ip address 172.25.45.35 255.255.255.0
access-group input ALL
nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int455
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
no preempt
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply me soon
Thanks....!
-Amal- -
ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?
Hello all, I'm new to the ACE 4710 and need to know some details about stickyness.
As background, we are a small company with a SaaS product and a pair of webservers.
I have set up the loadbalancing default L7 Load-balancing rule to sticky based on a Cookie based Stickey Group.
That seems to be working and session traffic is sticking to a server during the user's session.
Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work little to no tranining on this hardware and no budget at this point to pay someone else for configuration and setup.
I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
Hopefully this request makes sense.
Thanks,
Mark Steeves.Daniel,
Thanks for the reply, but I cannot reach the URL you included. It gives me a 403.
Therfore without reading the article, I wanted to ask if the proper setup would be:
1. Default L7 load-balancing action: Primary action: Sticky: Stickey Group using
Type = HTTP Header: Header name = Host
2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
Using this setting in testing, it looks like all the traffic keeps going to 1 server only. Granted there is not much traffic t the servers, but I have 2 different url being tested. url1.ourdomain.com & url2.ourdomain.com
If you have another link for the above document, please let me know.
Thanks,
Mark Steeves. -
ACE 4710: Find out the response time of a real server
Hi to everyone,
I have a couple of ACE 4710 and I need to find out what is the response time of a real server.
Is there a way for this?
Thank you for any answer!
giorgio romanoHi,
Kindly add the following line in your serverfarm configuration:
predictor response syn-to-synack
Suppose your serverfarm looks like this:
serverfarm host AAA_FARM
predictor response syn-to-synack
probe HTTP_PROBE
probe TCP9001_PROBE
rserver SC106
inservice
rserver SC107
inservice
rserver SC108
inservice
rserver SC109
inservice
rserver SC110
inservice
rserver SC111
inservice
rserver SC112
inservice
rserver SC113
inservice
rserver SC114
inservice
rserver SC120
inservice
rserver SC131
inservice
And then use the following command to see the average response time from your rserver as follows:
ACE1/prod# show serverfarm AAA_FARM detail
serverfarm : AAA_FARM, type: HOST
total rservers : 11
active rservers: 11
description : ServerFarm AAA
state : ACTIVE
predictor : RESPONSE
method : syn-to-synack
samples : 8
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 0
total conn-dropcount : 0
Probe(s) :
HTTP_PROBE, type = HTTP
TCP9001_PROBE, type = TCP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC106
x.x.x.x.:0 8 OPERATIONAL 2 1125 0
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
average response time (usecs) : 81 ----> thats what you might be looking for
From other day :
rserver: SC114
x.x.x.x:0 8 OPERATIONAL 70 10903 2
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
average response time (usecs) : 1334 ----> thats what you might be looking for
For Serverfarm BBB_FARM
serverfarm : BBB_FARM, type: HOST
total rservers : 1
active rservers: 1
description : ServerFarm BBB
state : ACTIVE
predictor : RESPONSE
method : syn-to-synack
samples : 8
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 1
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC208
x.x.x.x:0 8 OPERATIONAL 0 0 0
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
average response time (usecs) : 0 ----> thats what you might be looking for
Use more detials for response predictor:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1068831
Configuring the Application Response Predictor
To instruct the ACE to select the server with the lowest average response time for the specified response-time measurement based on the current connection count and server weight (if configured), use the predictor response command in server farm host or redirect configuration mode. This predictor is considered adaptive because the ACE continuously provides feedback to the load-balancing algorithm based on the behavior of the real server.
To select the appropriate server, the ACE measures the absolute response time for each server in the server farm and averages the result over a specified number of samples (if configured). With the default weight connection option configured, the ACE also takes into account the server's average response time and current connection count. This calculation results in a connection distribution that is proportional to the average response time of the server.
The syntax of this command is as follows:
predictor response {app-req-to-resp | syn-to-close | syn-to-synack}[samples number]
The keywords and arguments are as follows:
•app-request-to-resp—Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.
•syn-to-close—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
•syn-to-synack—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server.
•samples number—(Optional) Specifies the number of samples over which you want to average the results of the response time measurement. Enter an integer from 1 to 16 in powers of 2. Valid values are 1, 2, 4, 8, and 16. The default is 8.
For example, to configure the response predictor to load balance a request based on the response time from when the ACE sends an HTTP request to a server to when the ACE receives a response back from the server and average the results over four samples, enter:
host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)# predictor response app-req-to-resp
samples 4
To reset the predictor method to the default of round-robin, enter:
host1/Admin(config-sfarm-host)# no predictor
To configure an additional parameter to take into account the current connection count of the servers in a server farm, use the weight connection command in server farm host predictor configuration mode. By default, this command is enabled. The syntax of this command is as follows:
weight connection
For example, enter:
host1/Admin(config)# serverfarm SF1
host1/Admin(config-sfarm-host)# predictor response app-request-to-resp
samples 4
host1/Admin(config-sfarm-host-predictor)# weight connection
To remove the current connection count from the calculation of the average server response time, enter:
host1/Admin(config-sfarm-host-predictor)# no weight connection
You can use threshold milliseconds parameter which is optional Specifies the required minimum average response time for a server. If the server response time is greater than the specified threshold value, the ACE removes the server from the load-balancing decision process (takes the server out of service).
Enter an integer from 1 to 300000 milliseconds (5 minutes). The default is no threshold (servers are not taken out of service).
In case if you have measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server use syn-to-close (already discussed previously)
If you have to measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server use syn-to-synack (already discussed previously)
SAMPLES parameter is optional and specifies the number of samples that you want to average from the results of the response time measurement and response time is used to select the server with the lowest response time for the requested response-time measurement. If you do not specify a response-time measurement method, the ACE uses the HTTP app-req-to-response method.
Whenever a server's load reaches zero, by default, the ACE uses the autoadjust feature to assign a maximum load value of 16000 to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options.
Using the least-loaded predictor with the configured server weight and the current connection count option enabled, the ACE calculates the final load of a real server as follows:
final load = weighted load × static weight × current connection count
where:
•weighted load is the load reported by the SNMP probe
•static weight is the configured weight of the real server
•current connection count is the total number of active connections to the real server
The ACE recalculates the final load whenever the connection count changes, provided that the (config-sfarm-host-predictor) weight connection command is configured. If the (config-sfarm-host-predictor) weight connection command is not configured, the ACE updates the final load when the next load update arrives from the SNMP probe.
If two servers have the same lowest load (either zero or nonzero), the ACE load balances the connections between the two servers in a round-robin manner.
HTH
Plz rate if u find it useful.
Sachin -
I am using an ACE 4710 and am converting incoming WSS username tokens to SAML Tokens - authenicating against Tivoli directory.
The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and compares to the digest in the Xml Signature block.
Is anybody else using SAML tokens?
Has anyone else seen a similar problem?By adding SAML assertions to outgoing requests, the ACE XML Gateway can act as an asserting party for systems that rely on SAML credentials. The SAML assertions generated by the ACE XML Gateway can be in the form of a SAML 1.0, SAML 1.1, or SAML 2.0 credential.
The following url may help you;
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_xml_gateway/v52/user/guide/axg_ug_backendauth.html#wp1049962 -
I have ACE 4710 and I need configuration:
I have real web-server with folders : /1/index.html, /2/index.html, /3/index.html
I need to balance virtual service:
If I try to connect URL: http://server/index.html, then ACE balance among
http://real_server/1/index.html,
http://real_server/2/index.html,
http://real_server/3/index.htm
How can I configure ACE ?ACE, can't modify the url.
But it can send redirect.
So you could build 3 redirect rservers, and have ACE loadbalance between them.
rserver redirect HTTP-REDIRECT1
webhost-redirection http://real_server/1/index.html
inservice
rserver redirect HTTP-REDIRECT2
webhost-redirection http://real_server/2/index.html
inservice
rserver redirect HTTP-REDIRECT3
webhost-redirection http://real_server/3/index.html
inservice
serverfarm redirect SF_REDIRECT
rserver HTTP-REDIRECT1
inservice
rserver HTTP-REDIRECT2
inservice
rserver HTTP-REDIRECT3
inservice
But even if it works, this does not sound good.
It seems like a design done by an application server person who does not know how network loadbalancers work.
It seems like all you need is stickyness, which you are trying to achieve by redirecting to /1 or /2 or /3.
But this can be done differently with cookies or by just doing stickyness on source ip address.
Gilles. -
I have a pair of ACE 4710 and I think I have all the failover configured correctly and it all appears to be working. My question is regarding setting QOS on the physical interfaces that are part of my port channel. I have qos trust cos enabled on all the interfaces in my port channel. These interfaces are connected to a 3750 swith. Do I need to configure QOS on the 3750 to allow the COS bit to pass through my 3750 to my peer?
Hi
No, default QoS configuration for 3750 is when QoS is disabled. In this situation 3750 simply doesn't touch packets at all and pass QoS values unchanged. However it doesn't do any prioritization either.
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a0080883f9e.shtml#concept11
Maybe you are looking for
-
Acrobat Pro 9.1 no longer creates PDFs from Word 2007
I upgraded from Acrobat 7 to 9 specifically to gain more control over settings when making PDFs from Word 2007. This worked as I had hoped until the 9.1 vulnerability upgrade was installed. Now it will no longer create PDFs from Word 2007 documents a
-
Firefox, google chrome, and IE8 all have the same error. The search and find functions for certain on-line archive books does not work on these browsers. They claim that text does not exist. In IE7 the text is found. I can be typing in a word I see o
-
E-mail verification doesn't work
hi, I am still waiting for my mail(3 days now) and i am not amused with this. Maybe someone can send me the password in mail([email protected]) i hope someone will respond now. grtz
-
Iphone is disabled, try again in 1 minute
Yesterday I updated to 8.1.2. Today I received a phone call, and near the end I could hear buzzing of a notification -- two of them. When I hung up the phone (maybe 5-10 seconds later) it had the message "iphone is disabled, try again in 1 minute"
-
I have a file from a client that needs to be resized to a few different dimensions. The problem I'm having is that I can select the the layer but the drop shadow doesn't get selected along with the main shape. I've cut and pasted the file into a dif