ACE 4710 HTTPS load balance configuration

We have two ACE 4710s in an HA setup. We would like to set up HTTPS load balancing (actually just a primary and standby configuration in the serverfarm). Initially this would be for Exchange OWA connections, but it may expand to more HTTPS connections later.
I know there are several ways to do SSL with the ACE (client, server, end-to-end). I just want to know the easiest way to deploy this. Is a certificate always needed on the ACE for each connection? In HA mode, would a certificate be needed on both, or does it replicate in some way to the other ACE?
Any configuration examples would be helpful.
Thanks.

If you terminate SSL on the ACE, you need the certificate and key on the ACE in the context in which you are doing the termination. The certs and keys need to be installed on both the active and the standby (manually, unless you use ANM to manage them).
When speaking of SSL:
SSL termination refers to the ACE terminating SSL and sending to the server as clear text.
End-to-end: the ACE terminates SSL (to look into the payload to make a load-balance decision or sticky decision) and then re-encrypts to the server, so to the client the ACE is an SSL server and to the server the ACE is an SSL client.
You can find some config examples at
http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
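As an added configuration sketch (not from either poster or from Cisco's documentation), this is the SSL-termination layout the reply describes, applied to the OWA case in the question: the ACE decrypts on a VIP, sends clear text to port 80 on a serverfarm with one primary and one standby rserver, and the same certificate and key must be imported into this context on both the active and the standby appliance. All names, addresses, file names and the probe URL are assumed placeholders; lines starting with "!" are annotations, not ACE commands.

```text
! Cert and key previously imported into this context on BOTH ACEs
! (e.g. crypto import ...); HA does not replicate them for you.
ssl-proxy service OWA-SSL-TERM
  key owa.key
  cert owa.pem

! Health check so the standby is only used when the primary really fails
probe http OWA-PROBE
  interval 10
  passdetect interval 30
  request method get url /owa/
  expect status 200 399

rserver host OWA-PRIMARY
  ip address 10.10.10.11
  inservice
rserver host OWA-STANDBY
  ip address 10.10.10.12
  inservice

! Clear text to the back end on 80; "inservice standby" keeps the
! second server idle until the primary is marked down by the probe
serverfarm host OWA-FARM
  probe OWA-PROBE
  rserver OWA-PRIMARY 80
    inservice
  rserver OWA-STANDBY 80
    inservice standby

! Only TCP/443 on the VIP is classified; no plaintext port is exposed
class-map match-all OWA-VIP
  2 match virtual-address 192.0.2.10 tcp eq 443

policy-map type loadbalance first-match OWA-LB
  class class-default
    serverfarm OWA-FARM

! ssl-proxy server = ACE acts as the SSL server toward the client
policy-map multi-match OWA-POLICY
  class OWA-VIP
    loadbalance vip inservice
    loadbalance policy OWA-LB
    loadbalance vip icmp-reply
    ssl-proxy server OWA-SSL-TERM

interface vlan 100
  ip address 192.0.2.2 255.255.255.0
  service-policy input OWA-POLICY
  no shutdown
```

If the servers' default gateway is not the ACE, a source NAT (nat dynamic under the class) is also needed so return traffic flows back through the appliance.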

Similar Messages

  • Configuring ACE 4710 for Load Balancing Speech servers

    Hello, I'm configuring ACE 4710's for the first time and I want to load balance my Nuance speech servers on port 554. Here's my configuration on ACE01:
    hostname ace471001
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      shutdown
    interface gigabitEthernet 1/3
      shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    rserver host nss01
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    interface vlan 1000
      ip address 10.20.17.21 255.255.248.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    How would I configure my speech server to listen on 554?
    Thanks in advance

    Hello Reginald
    Currently you have only a basic network configuration; there is no load-balancing config.
    I'm not sure what exactly you're asking about, but basically you need to have:
    - real servers configured on ACE (
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp999495)
    - serverfarm configured on ACE (
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1014522)
    - L7 policy map (
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1171109 ,
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027248 )
    - L4 policy map , class-map (
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027819)
    And then apply it on the necessary interface.
    This is a general configuration; in your specific case you may need to configure some additional features (e.g. I think you will need to have stickiness enabled,
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html, but it depends on your application).
    The links are for old config guides, but the basics are pretty much the same for all versions.
    Please check them and try to narrow down your question a bit.

  • ACE 4710 and load balancing with sticky cookie

    Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers.  I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall.  The ACE is in bridged mode to load balance web servers that reside in the DMZ.  Everything seems to work just fine, but the cookie stickiness does not seem to be working.

    Hi David,
    As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key. This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
    When using cookie-insert, the ACE will not create any dynamic cookie entries. It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value. So what you see there is what is expected.
    You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie. The cookie is included in the server's response, and the ACE will look for the value as configured. The cookie will also be sent to the client. If the cookie is not in the server's first response, you will need to enable persistence-rebalance so that it will look in subsequent server responses. If the browser opens new connections with that cookie, then the ACE will stick to the same server.
    My suggestion would be to get sticky working with cookie-insert first. Then, if that meets your needs, go with that permanently. If you need to use server cookies, then once cookie-insert is working, migrate your sticky to cookie location.
    Sean

  • ACE 4710 server load balancing on ACE with routed model.

    Hi experts,
    Please help me... I need a server load balance on ACE4710 with routed model sample configuration or configuration guide... thanks in advance...

    Here you go

  • OAM 11gR2 Throwing SSL Warning after configured to use HTTPS Load Balancer

    I have configured OAM 11gR2 to use an HTTPS load balancer on 14100 and have set my managed servers' SSL listen port to 14100 (could not use 14101 because the HTTPS VIP created was listening on 14100). Everything works fine with this configuration, but my logs are filling up with the following warning.
    <Oct 3, 2012 1:41:54 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.1 - 10.228.0.1 instead of an SSL handshake.>
    I know that 10.228.0.1 is the DNS server, but I'm not sure why this is happening. Any ideas?

    What WLS and OHS versions are you using in this environment?
    If they are older than these, please upgrade WLS to 10.3.3 and OHS to 11.1.1.3. This is a known bug on the WLS side, not in OAM.
    I hope this helps,
    Thiago Leoncio.

  • FDM Load balancer Configuration issue

    We are doing the installation for Hyperion Planning, ODI and DRM on DEV environment
    The EPM version we are using - 11.1.2.2
    Server 1 (Windows 2008 x64)
    Foundation Services
    Calculation Manager
    Planning Web Application
    Analytical Provider Services
    Essbase Administration Services web application
    Oracle HTTP Server
    Server 2 (Windows 2008 x64)
    R & A Framework Services
    R & A Framework Web Application
    Financial Reporting Web Application
    Web analysis Web Application
    Server 3 (Windows 2008 x64)
    FDM
    EPMA
    ODI
    DRM
    Essbase Integration Services
    Essbase Studio
    IIS 7.x
    Server 4 (Windows 2008 x64)
    Essbase Server
    Server 5(Windows 2008 x64)
    SQL Server 2008
    All our services are running fine for Planning. We are in process of configuring FDM.
    FDM Application Server Configuration is completed.
    While doing the FDM Load Balancer Configuration, we were also able to connect to the Shared Services directory successfully. But when we click OK to complete the configuration it gives the following error:
    Unable to Create Load Balancer Object!
    Please verify that the user name, password, and domain are correct
    Error=Cannot create ActiveX component
    When we checked the Event Log we found:
    Unable to create Load Balance Manager object! Configuration directory could not be located. Error=-2147023878 - Retrieving the COM class factory for component with CLSID *{E652643D-6CC1-48AC-915D-01842B04F292}*
    Source=TaskManagerService - at TaskManagerService.TaskItem.fGetConfigFolder()
    We tried the steps below, but the issue still persists:
    - Start the 'dcomcnfg' tool in Windows
    - Expand Component Services\Computers\My Computer\Dcom-Config and locate the following object: {E652643D-6CC1-48AC-915D-01842B04F292}
    - Right-click and choose "Properties" and click on the "Security" tab
    - Click the "Edit" button and remove all users except the defaults "Everyone" and "System", click OK, then set the radio button to "Use Default"
    - Click the "Edit" button under Access Permissions and remove all users/groups except the default items, click OK, and set the radio button to "Use Default"
    - Now click the "Identity" tab, remove the ID in the "This User" field, set the radio button to "The Launching User" and click "Apply" and "OK"
    - Now try to launch the FDM Load Balance Config and all the extra tools for FDQM
    We are using hypadmin as domain account but it is part of Administrators group on FDM Server (Server 3). The administrators group is also part of -
    Act as part of the operating system
    Bypass traverse checking
    Log on as a batch job
    Log on as a service
    Please let us know in case if you encountered similar error on this version and possible solution for the issue.
    Thanks in advance.
    Regards,

    I would clear out all users/groups on the Security tab of the FDM Load Balance Server DCOM object for "Launch and Activation" and "Access" permissions, then set the identity to the "Launching User" radio button and apply. Then re-set the config.
    If that still fails, try rebooting the server and then set it.
    Make sure the domain and password being entered are also correct.

  • Best HTTP load balancing method

    This is probably basic, but how satisfactory is this http load balancing method:
    service http-1
    ip address 192.168.1.10
    protocol tcp
    port 80
    keepalive type tcp
    active
    service http-2
    ip address 192.168.1.9
    protocol tcp
    port 80
    keepalive type tcp
    active
    owner http
    content web-domains
    vip address 10.0.0.1
    add service http-1
    add service http-2
    protocol tcp
    port 80
    balance leastconn
    active
    Should I rather use sticky-mask 255.255.255.255 or advanced-balance sticky-srcip?

    It really depends what you are doing.
    Some people will find this acceptable and for others it will just not work.
    Do you need persistence?
    To answer this question, check with your web server admin.
    Does this website have a shopping basket?
    Finally, changing the sticky-mask is useless if you do not have sticky-srcip. So your question should be ..or .. but .. and ..
    Anyway, it all depends what is required for your website to work.
    You can try this config and, if you run into a problem, capture a sniffer trace and identify the problem to see if a configuration change is needed.
    Regards,
    Gilles.

  • Hardware Load Balancing Configuration and Session Clustering

    I would like to know where I can find any information on Hardware Load Balancing Configuration in order to leverage WLS HTTPSession clustering.
    Don Ferguson mentioned white papers on this subject; however, I can't seem to locate them.
    I am particularly interested in Cisco's 11000 Content Service Switch.
    Thanks.
    Mike Jones

    Scroll to the bottom of this link. It discusses how to configure Alteon and Big-IP.
    The principles should apply to Cisco as well, but we don't have documentation on configuring it, as far as I know.
    http://e-docs.bea.com/wls/docs61/cluster/index.html
    -Don

  • Problem in Hyperion FDM Load Balance Configuration...

    Hi all,
    I installed Hyperion Essbase, Planning, HFM and FDQM version 11.1.1.3,
    but I am getting an error in the FDM Load Balance configuration.
    Error: when I click on Test Connection in Authentication Providers (Shared Services (CSS)), I get the error "Cannot create ActiveX Component".
    Please reply if you know about this issue.
    Regards,
    Mady

    This error indicates that the COMJNIBRIDGE dcom object is not able to launch successfully or has not been registered properly on the FDM application server:
    a) Start > Run > DCOMCNFG
    b) Expand Component Services > Computers > My Computer > DCOM CONFIG
    c) Locate the COMJNIBRIDGE object, right-click and choose "properties"
    d) Click on the identity tab and choose "This user" and browse for the FDM Service account and enter/confirm the password
    e) Re-test

  • ACE Load Balancing Configuration For NATed User Traffic

    Hello,
    I am currently working on a requirement where shared application services will be hosted in a DC and these services will be accessed by multiple (thousands of) users from different corporates/customers. The user traffic will be hidden behind the customers' proxy servers or firewalls, so the load balancers (ACE modules) for the services hosted in the DC will not be able to see requests coming in from individual users' IP addresses.
    In this scenario, what load-balancing options are available at Layer 3/4 and Layer 7?
    Thanks in advance for your help.
    Sanjay

    Hi Sanjay,
    In a setup where all users are coming from behind a proxy, all users will be load balanced to the same server, thus overloading it. This is when you are doing standard L3/L4 LB.
    In the situation of proxies, for HTTP applications you should use L7 LB and use information (a cookie) in the HTTP client request or server response. The ACE will use this information to stick the user to the same server for persistence. If a client comes with no cookie, it will be load balanced according to the predictor method configured. Below is the link for an L7 configuration example and other troubleshooting steps you can take while configuring L7 policies on ACE. For more information I would suggest reading the ACE user guide too.
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_-_Troubleshooting_Layer_7_Load_Balancing
    If you have any questions please feel free to ask.
    Regards,
    Kanwal
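As an added configuration sketch (not Sean's, Kanwal's or either poster's config), this illustrates the two cookie sticky modes Sean contrasts in the "sticky cookie" thread above and the proxy scenario Kanwal describes here: ACE-inserted cookies (static entry per rserver) versus learning a cookie the server sets (dynamic entry), with persistence-rebalance enabled so the cookie is found in later server responses. Names, the server cookie name, the VIP class-map and the ssl-proxy service are assumed placeholders; "!" lines are annotations.

```text
! Option A: ACE inserts its own cookie. One static entry per rserver
! (values like R3911631338); the client is stuck to whichever rserver
! it was first balanced to, regardless of the proxy's source IP.
sticky http-cookie ACE-STICKY XENAPP-INSERT
  cookie insert browser-expire
  timeout 30
  replicate sticky
  serverfarm XENAPP-FARM

! Option B: stick on a cookie the application server sets itself.
! ACE learns the value from the server response and creates a dynamic entry.
sticky http-cookie ASP.NET_SessionId XENAPP-SERVER-COOKIE
  timeout 30
  replicate sticky
  serverfarm XENAPP-FARM

! Needed for option B when the server does not set the cookie in its
! first response: ACE keeps inspecting later responses on the connection.
parameter-map type http XENAPP-HTTP
  persistence-rebalance

! Start with option A (per Sean's advice); swap the sticky-serverfarm
! name to XENAPP-SERVER-COOKIE once the inserted cookie is proven to work.
policy-map type loadbalance first-match XENAPP-LB
  class class-default
    sticky-serverfarm XENAPP-INSERT

policy-map multi-match XENAPP-POLICY
  class XENAPP-VIP
    loadbalance vip inservice
    loadbalance policy XENAPP-LB
    appl-parameter http advanced-options XENAPP-HTTP
    ssl-proxy server XENAPP-SSL
```

"replicate sticky" copies the sticky table to the standby ACE so a failover does not drop existing sessions; "timeout" is in minutes, and a client arriving with no cookie is balanced by the serverfarm's predictor, as Kanwal notes.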

  • Office Web Apps Load Balancing Configuration Issue for SharePoint 2013

    I have load balanced servers dedicated for Office Web Apps with the names "md1xxxwfe1" and "md1xxxwfe2"; both of these servers are load balanced by a Cisco load balancer. And I have mapped the load balancer virtual IP to the host name officeapps.jda.corp.local in the DNS records.
    Things are working fine if I add a new farm by using New-OfficeWebAppsFarm with the server name as internalurl in the PowerShell console, like "-internalurl http://md1xxxwfe1", but when I use "-internalurl officeapps.jda.corp.local" it is not working at all. I'm not getting what to do at this point.
    I have gone through the following blogs but no luck.
    http://blogs.technet.com/b/meamcs/archive/2013/03/27/office-web-apps-2013-multi-servers-nlb-installation-and-deployment-for-sharepoint-2013-step-by-step-guide.aspx
    http://blogs.technet.com/b/office_resource_kit/archive/2012/09/11/introducing-office-web-apps-server.aspx
    http://davidlimsharepoint.blogspot.in/2013/02/installing-and-configuring-office-web.html
    http://sps2013.blogspot.in/2013/09/office-web-apps-with-sharepoint-2013.html
    The output of the wfe1 server is attached with this. When I open http:// /hosting/discovery on wfe1 I'm getting the following result (attached screenshot), but it should show the hostname rather than the server name.
    Please help me
    Thanks, Ram Ch

    Hi Ram,
    For troubleshooting your issue, please take the steps below:
    Just about any load balancing solution will work, including a server that runs the Web Server (IIS) role running Application Request Routing (ARR): install Application Request Routing.
    Install the certificate on the load balancer as described under "Securing Office Web Apps Server communications by using HTTPS".
    Make sure you have configured the cluster correctly for the full internet name.
    Reference:
    http://technet.microsoft.com/en-us/library/jj219435.aspx#loadbalancer
    Thanks,
    Eric
    Forum Support

  • Interesting ACE URL Header & Load-balance & SSL on 2 VIPs

    Hi There
    I have an interesting situation that I am trying to solve. I have 4 websites, each one with SSL off-loading on the ACE on the outside. All FOUR websites run on a single server on the inside, but each website is using a different port number for differentiation. Also, they are currently only available on TWO IPs on the outside! I know.....it's a mare!
    So, RSERVER = SERVER = 192.168.0.1
    Each website has SSL Certs on the outside. https://website1.abc.com - https://website4.abc.com
    But, DNS is only bound to 2 IPs on the outside, as that is all we have available currently, until we free up more IPs.
    OUTSIDE:
    website1.abc.com = 172.16.0.1:443
    website2.abc.com = 172.16.0.1:443
    website3.abc.com = 172.16.0.2:443
    website4.abc.com = 172.16.0.2:443
    On the server we have:
    INSIDE: 192.168.0.1
    SERVER:8001 = website1.abc.com
    SERVER:8002 = website2.abc.com
    SERVER:8003 = website3.abc.com
    SERVER:8004 = website4.abc.com
    So, in a nutshell what I need to do is:
    Terminate SSL for each website, then match the HTTP header, and pass it to the SERVER on the right port. Sounds easy enough.
    But I am struggling like hell. The VIPs (virtual IPs on the OUTSIDE) are causing me grief. My steps seem to be breaking my ruleset. Individually they all work, but once I tie them to the VIPs on the outside, it seems to stop. The first site in each CM (class-map) match in the PM (policy-map) works, but the subsequent site just breaks.
    I would post my config, but right now I have sooooooooooooo many variations, it looks like a dog's breakfast.
    Can anyone give advice on the process flow to follow to get this to work? My issue is around the VIPs mainly. To be honest, I don't really care about load balancing right now. That will come later when more servers are added to the mix. And then we might have to do inbound NAT too to the server farm, but that can wait! :-o
    I have created a HEADER map for the headers, individual SERVER FARMS for each port on the RSERVER, ACLs matching the VIPs inbound on 443, CLASS-MAPs matching the HEADER and applying to the SFARM, POLICY MAPS matching the CMAPs and doing load balancing with SSL-PROXYs for the SSL headers, and a SERVICE-POLICY tying it all together on the interface.
    But .... things are going haywire.
    So, the steps are:
    RSERVER
    SFARMs = RSERVER:PORTs
    ACLs = VIPs
    CMAP = HEADER = URL
    LB PMAP = HEADER CMAP & SFARM
    PMAP MULTIM = ACL CMAP + LB PMAP & SSL-Proxy
    SVC-POL = PMAP MULTIM

    Hi Surya
    Thanks for the prompt reply. I'm not quite sure what you mean when you say it can only handle 2 certs. Can you elaborate, please?
    It would appear to me that you can actually only bind one cert to an IP, based on using a VIP address for the server farm as per the CM in the PM. I can hack out the irrelevant bits tomorrow and post what I have done thus far. I have played with multiple lines of config and various ways of trying to do this, but the end result is that it appears once I have the CM set per VIP I can only set one SSL-Proxy, and so only one cert. If I use multiple CMs, as per the multi-match policy, it matches the first CM against the VIP and doesn't appear to move on as per the HTTP header. If any of that makes sense?
    regards

  • 11i load balancing web nodes without use of Hardware http load balancer

    I am looking at note 217368.1 (Advanced Configurations and Topologies for Enterprise Deployments of E-Business Suite 11i) and some other notes on load balancing, but some aspects are not clear.
    The aim is to implement load balancing of traffic to web nodes without using hardware (BigIP, Cisco, etc.) for HTTP-layer load balancing.
    Which is more preferable, DNS or the Apache JServ load balancer?
    I need details like failover capabilities, death detection of a node, functionality testing and ways to monitor the Apache JServ load balancer.
    Any help in this regard is welcome.
    thx
    arun

    Oracle recommends using load-balancing hardware rather than using DNS. If you want the features you mention above, you will need a hardware load balancer.
    http://blogs.oracle.com/stevenChan/2006/06/indepth_loadbalancing_ebusines.html
    http://blogs.oracle.com/stevenChan/2009/01/using_cisco_ace_series_hardware_load-balancers_ebs12.html
    HTH
    Srini

  • Best way for HTTP load balancing in OSB

    Hi everybody,
    We have setup an OSB cluster and we need to load balance HTTP requests across managed servers. Looking for info about load balancing in OSB I found that there are mainly two options: using a hardware load balancer or a software solution like Weblogic HttpClusterServlet. At the moment we have no hardware balancer available so we will have to take the software option. I found some articles about configuring HttpClusterServlet like http://redstack.wordpress.com/2010/12/20/using-weblogic-as-a-load-balancer.
    But I have a question about this configuration. If we use a managed server as an HTTP proxy that balances requests between OSB managed servers, what would happen if this server goes down? I think one of the main goals of a clustered deployment is avoiding a single point of failure but with that setup all requests would depend on the availability of the proxy managed server.
    Could you recommend us a setup for implementing load balancing in OSB?
    Thank you in advance,
    Daniel.

    Load balancing in a cluster for HTTP requests can be achieved in at least 4 different ways:
    (1) use a hardware load balancer like F5 BigIP LTM
    (2) use a web server with the WebLogic plugin to front-end the cluster
    (3) use WebLogic with HTTPClusterServlet
    (4) use DNS round robin: this works if you have managed servers running on 2 machines (say mach1, mach2) but on the same port. HTTP clients use the hostname 'mach' to access the URLs and the DNS does a round-robin name resolution of mach to the mach1 and mach2 IP addresses.
    All the options except (1) achieve only load balancing and not auto failover on all instances. Hardware load balancers have the extra feature of probing [sending periodic pings to the targets], by which they can detect whether the target resource is alive and, if not, send the traffic to other nodes which are alive. This is why hardware load balancers are worth their investment.
    The other options may work if the client is coded to retry on failure, so on the 2nd or subsequent attempt the routing is done to the machine which is alive.
    For options (1), (2) and (3), you also need some redundancy of the load-balancing device (web server, WebLogic or hardware load balancer) to prevent a single point of failure. Hardware load balancers are usually deployed in redundant pairs to achieve this.
    Edited by: atheek1 on 22/11/2011 15:31

  • CSS 11501 http load balancing

    Hi,
    I have configured load balancing of the HTTP traffic to 2 servers; the servers have the IP addresses 10.10.50.100 and 10.10.50.101 respectively, and the VIP is 10.10.46.10.
    I am not able to access HTTP through the VIP. Can someone help with this?
    Am I required to do NATing? Below is the connectivity:
    User -->SW->ASA->CSS->SW->server1 & server2
    I am not able to access the server through the VIP.
    Please help
    Thanks
    Ravi

    What is the default gateway defined on the servers?
    Is it the CSS circuit IP or the ASA?
    How is the CSS connected? Are there different VLANs connected to the servers and the ASA? Or is the CSS connected to the switch in one-arm mode?
    You need to make sure that the return traffic from the servers passes through the CSS.
    Syed
