ACE 4710 Load Balancer

Hello,
I have a requirement to load balance between real servers on different subnets, but I need to preserve the original source IP address through the ACE.  I know the ACE can do Asymmetric server normalization but that appears to require the servers to be on the same subnet.  The traffic is just generic TCP and I don't want the ACE to take any action on the traffic other than to do basic balancing and allow me to direct all traffic to one server or the other for maintenance.  Is there any way to accomplish routed load balancing that preserves the original source IP?

Hi B-Cunningham,
Very simple !!
When you need the same user to be always sent to the same server, you need some sort of stickiness.
There are many different ways to achieve this.
Some predictor algorithms will by definition always select the same server for a given client.  This is the case with the source ip hashing predictor.
But very often you will need to configure a sticky method in combination with your predictor algorithm.
Is the source ip hash predictor a sticky method?
Actually, this is not a sticky method.  But since the hash algorithm always gives the same result for a given source ip address, it guarantees that a client using the same ip address will always be sent to the same server.
The advantage is that it does not require configuring a specific sticky method.  It also works without the need for a sticky table.  So it does preserve resources.
But the hash function will have different results when you add or remove a server.  Therefore, when your rserver list is modified your clients might be sent to different servers, breaking stickiness.
Is sticky source ip a good solution ?
Because of the changing hash results mentioned above, most people will prefer to use a standard predictor (roundrobin , leastconn, ...) and add a sticky source ip option.
The idea is to also use the source ip address to identify the client and select the corresponding server.
Unlike the hash method, the sticky source ip solution will need sticky resources to save the information necessary for ACE to remember which client uses which server.
The advantage of the sticky option is that the sticky table is not affected when the rserver list is modified.
Why not use sticky source ip ?
Very often this solution is enough to guarantee stickiness.
But because a lot of clients do not have a static ip address, this method does not work.
There is also the problem of proxy servers hiding many clients behind a single ip address resulting in rserver overload when using sticky source ip.
For HTTP the solution is to use information contained in the client HTTP request and server HTTP response.
An HTTP Cookie is an object used by a server to identify HTTP clients.  A loadbalancer can therefore also use this information to map a client to a server.
One drawback of hash predictor is that the hash predictor methods do not recognize the weight value you configure for real servers. The ACE uses the weight that you assign to real servers only in the round-robin and least-connections predictor methods.
Here is the hash algorithm
((_key) + (_key >> 8) + (_key >> 16) + (_key >> 24))
The _key in this case is the source ip address as an unsigned 32-bit number.
You then do rserver_index = hash % number_of_rserver.
Session persistence (stickiness) based on client source IP address or HTTP cookies are recommended to be configured on the Cisco ACE for this flow.
IP Address Stickiness
You can use the source IP address, the destination IP address, or both to uniquely identify individual clients and their requests for stickiness purposes based on their IP netmask. However, if an enterprise or a service provider uses a megaproxy to establish client connections to the Internet, the source IP address no longer is a reliable indicator of the true source of the request. In this case, you can use cookies or one of the other sticky methods to ensure session persistence.
Here can be the sample configuration:
resource-class websrv
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 20.00 maximum equal-to-min
rserver host webserver1
  ip address 10.10.10.1
  inservice
rserver host webserver2
  ip address 10.10.10.2
  inservice
rserver host webserver3
  ip address 10.10.10.3
  inservice
serverfarm host werbsrv1only
  probe websrv
  rserver webserver1 1000
    inservice
serverfarm host werbsrv123
  probe websrv
  rserver webserver1 1000
    inservice
  rserver webserver2 1000
    inservice
  rserver webserver3 1000
    inservice
ACE receives requests to the VIP on port 80 and translates them to port 1000 using the server farm configuration shown above.
The link to the websrv home page is http://websrv:1000/index.html. A probe to this link is configured on ACE as follows:
probe http websrv
  port 1000
  interval 2
  faildetect 2
  passdetect interval 2
  request method get url /index.html
  expect status 200 200
Session persistence can be established by tying the session to an IP address that uniquely identifies the client.
Create a sticky-group:
sticky ip-netmask 255.255.255.255 address source Client_subnet_1
  timeout 10
  serverfarm werbsrv1only
Change the server farm to the sticky-group:
policy-map type loadbalance first-match basic-slb
  class class-default
    sticky-serverfarm Client_subnet_1
sticky ip-netmask 255.255.255.255 address source Client_subnet_2
  timeout 10
  serverfarm werbsrv123
sticky ip-netmask 255.255.255.255 address source Client_subnet_3
  timeout 10
  serverfarm werbsrv123
Here you can find the details in the below url :
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html#wp1004411
I have also attached a jpeg for your reference.
Hope you will get the idea how to use the sticky based on IP address.
Here you can find sample config of similar type:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_white_paper0900aecd804edab0.html
HTH .
Please rate if you find it useful.
Thanks and regards,
Sachin Garg
Senior Specialist Security
HCL Comnet Ltd.
http://www.hclcomnet.co.in
A-10, Sector 3, Noida- 201301
INDIA
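
The hash formula quoted in the answer above, compared with a source-IP sticky table when one rserver is taken out of the farm. This is an added example, not part of the original posts and not Cisco's code; the 32-bit wraparound, the network-byte-order key, the round-robin sticky model and the 192.0.2.x client addresses are assumptions or constructed sample data.

```python
import ipaddress

MASK32 = 0xFFFFFFFF  # assumption: the sum wraps as an unsigned 32-bit value

# Constructed sample data: farm names from the post, documentation-range clients.
FARM = ["webserver1", "webserver2", "webserver3"]
CLIENTS = ["192.0.2.%d" % n for n in range(1, 13)]


def ace_hash(src_ip):
    """Fold a source IPv4 address with the formula quoted in the post."""
    key = int(ipaddress.IPv4Address(src_ip))  # assumption: network byte order
    return (key + (key >> 8) + (key >> 16) + (key >> 24)) & MASK32


def hash_pick(src_ip, rservers):
    """rserver_index = hash % number_of_rserver"""
    return rservers[ace_hash(src_ip) % len(rservers)]


class StickyTable:
    """Toy model: source-IP sticky entries in front of a round-robin predictor."""

    def __init__(self, rservers):
        self.rservers = list(rservers)
        self.entries = {}  # src_ip -> rserver
        self._next = 0

    def pick(self, src_ip):
        server = self.entries.get(src_ip)
        # New client, or its rserver left the farm: ask the predictor again.
        if server not in self.rservers:
            server = self.rservers[self._next % len(self.rservers)]
            self._next += 1
            self.entries[src_ip] = server
        return server

    def remove(self, rserver):
        self.rservers.remove(rserver)


def summarize(before, after, removed):
    """Clients whose rserver changed, and those moved although theirs stayed up."""
    moved = sorted(ip for ip in before if before[ip] != after[ip])
    needless = [ip for ip in moved if before[ip] != removed]
    return {"moved": moved, "needless": needless}


def compare(clients, farm, removed):
    """Remove one rserver and report client remapping for both methods."""
    smaller = [s for s in farm if s != removed]

    hash_before = {ip: hash_pick(ip, farm) for ip in clients}
    hash_after = {ip: hash_pick(ip, smaller) for ip in clients}

    table = StickyTable(farm)
    sticky_before = {ip: table.pick(ip) for ip in clients}
    table.remove(removed)
    sticky_after = {ip: table.pick(ip) for ip in clients}

    return {
        "hash": summarize(hash_before, hash_after, removed),
        "sticky": summarize(sticky_before, sticky_after, removed),
    }


if __name__ == "__main__":
    result = compare(CLIENTS, FARM, "webserver3")
    for method in ("hash", "sticky"):
        r = result[method]
        print("%-6s moved=%d needless=%d" % (method, len(r["moved"]), len(r["needless"])))
```

With the hash predictor, clients whose server stayed in service are also remapped because the modulus changes; the sticky table only reassigns clients that were on the removed rserver.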

Similar Messages

  • ACE to load balance Citrix servers

    Hello,
    Have anyone configured ACE Modules to load balance Citrix Servers (HTTP) ?
    Any special considerations needed?
    Many thanks,

    HI Javier,
    There is one complete design guide available on the Cisco site.
    Kindly go through the below mentioned URL for complete config for ACE to load balance CITRIX as follows:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/citrixdg_final.html
    You will get other design guides also which can be very useful:
    http://www.cisco.com/en/US/netsol/ns751/networking_solutions_design_guidances_list.html
    Sachin Garg

  • Using ACE to load balance HTTP/S traffic between client & proxy server using tcp 8080

    Folks,
    I have a scenario where ACE is in load balancing connections to a bunch of Websense servers in a one-armed topology.  ACE presents a single VIP to web browser clients and each client's browser proxy configuration is populated with the VIP DNS name.  Traffic then gets load balanced between the Websense servers.  The problem arises due to Websense requiring the 'X-Forwarded-For' HTTP header in order to obtain the source IP of the client.  
    ACE inserts this header into the standard HTTP 'proxied' traffic but doing this for HTTPS traffic has required the configuration of the ACE SSL proxy client server.
    So the problem I have is this:
    How to configure ACE to load balance both HTTP & HTTPS applications using a single VIP and tcp port number ie tcp 8080
    The ACE hardware being used is ACE20-MOD-K9  -  MODULE
    I have attempted to use a L7 class map to match all ciphers and attach this to a L7 Policy-Map but the documentation highlights the fact the 'match cipher' configuration is only available on the ACE appliance.  
    I believe I am on the correct track.  The HTTPS traffic must be identified and used to match against PolicyA and HTTP traffic matched against PolicyB
    I'm looking for ideas!  I'm hopeful someone must have solved this problem previously!!
    Regards,
    Simon

    Hi Simon,
    The classification has to work on different ports. Whether client types http or https doesn't matter to client. His request will reach VIP which will classify the traffic based on port, protocol first and then it can look into further detail to send the traffic to appropriate serverfarm.
    You can class-map match-any xxxxx
    2 match virtual-address x.x.x.x tcp any
    and then you configure further classification on the basis of L7 like  url, header etc. 
    But again, you will still need SSL termination on ACE.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Cisco ACE - Firewall load balancing

    I am using two sets of ACE load balancers for load balancing traffic across two firewalls (firewall load balancing).
    The solution works fine. I have a virtual address of 0.0.0.0 in either direction to match traffic going from the internal users to the internet and vice versa.
    The problem is that when I try to manage the load-balanced firewalls (either using SSH (or) HTTPS) from outside, then that connection also gets load balanced and when I try to connect to FW1 then sometimes this connection ends up on FW2 and vice versa and the connection gets dropped. I have a workaround in place where I am using a virtual address per firewall to connect to the real IP address of the firewall.
    Is there any other way of managing firewalls (which are defined as real-servers) in a FWLB setup.
    Attached is the configuration of the external ACE which has the two firewalls defined as the real-servers.
    access-list ALL line 8 extended permit ip any any
    probe icmp ICMP-Probe
      interval 15
      passdetect interval 60
    rserver host FW1-ASA
      ip address 10.11.71.10
      inservice
    rserver host FW2
      ip address 10.11.71.11
      inservice
    serverfarm host Firewalls
      transparent
      predictor leastconns
      rserver FW1-ASA
        inservice
      rserver FW2
        inservice
    serverfarm host Firewalls-NO-LB
      rserver FW1-ASA
        inservice
    serverfarm host Firewalls-NO-LB1
      rserver FW2
        inservice
    sticky ip-netmask 255.255.255.255 address source new-sticky
      timeout activeconns
      serverfarm Firewalls
    This is my workaround for connection to the IP address of the firewalls (for management)
    class-map match-any FW-Real
      2 match virtual-address 10.11.71.254 any
    class-map match-any FW-Real2
      2 match virtual-address 10.11.71.253 any
    class-map type management match-any Remote-Access
      201 match protocol telnet any
      202 match protocol http any
      203 match protocol https any
      204 match protocol ssh any
      205 match protocol snmp any
      206 match protocol icmp any
    class-map match-any fwlb
      2 match virtual-address 0.0.0.0 0.0.0.0 any
    policy-map type management first-match Remote-Management-Policy
      class Remote-Access
        permit
    policy-map type loadbalance first-match FWLB-No-LB
      class class-default
        serverfarm Firewalls-NO-LB
    policy-map type loadbalance first-match FWLB-No-LB1
      class class-default
        serverfarm Firewalls-NO-LB1
    policy-map type loadbalance first-match FWLB-l7slb
      class class-default
        serverfarm Firewalls
    policy-map multi-match Firewall-No-LB
      class FW-Real
        loadbalance vip inservice
        loadbalance policy FWLB-No-LB
    policy-map multi-match Firewall-No-LB1
      class FW-Real2
        loadbalance vip inservice
        loadbalance policy FWLB-No-LB1
    policy-map multi-match int70
      class fwlb
        loadbalance vip inservice
        loadbalance policy FWLB-l7slb
    interface vlan 70
      description "Client side"
      ip address 10.11.70.2 255.255.255.0
      no icmp-guard
      access-group input ALL
      access-group output ALL
      service-policy input Remote-Management-Policy
      service-policy input Firewall-No-LB --> connect to the real IP address of the firewall for management
      service-policy input Firewall-No-LB1  --> connect to the real IP address of the firewall for management
      service-policy input int70
      no shutdown
    interface vlan 71
      description "Firewall side"
      ip address 10.11.71.2 255.255.255.0
      mac-sticky enable
      no icmp-guard
      access-group input ALL
      access-group output ALL
      service-policy input Remote-Management-Policy
      no shutdown

    Hello,
    As far as I know, there are no other ways.
    You can only reduce your configuration by putting all your classes under the same policy-map:
    policy-map multi-match int70
      class FW-Real
        loadbalance vip inservice
        loadbalance policy FWLB-No-LB
      class FW-Real2
        loadbalance vip inservice
        loadbalance policy FWLB-No-LB1
      class fwlb
        loadbalance vip inservice
        loadbalance policy FWLB-l7slb
    interface vlan 70
      description "Client side"
      ip address 10.11.70.2 255.255.255.0
      no icmp-guard
      access-group input ALL
      access-group output ALL
      service-policy input Remote-Management-Policy
      service-policy input int70
      no shutdown

  • ACE 4700 load balancing Issue

    Hi,
    I am new to ACE 4700. I have configured ACE 4700 for load balancing the FAX servers. Probe, ServerFarm, Real server, Virtual server, VIP state, everything is up and in service. But I am not able to access the real server using the VIP IP address.
    Below is the running configuration. Please help me to troubleshoot the problem.
    HOB-ACE-1/Admin# sh run
    Generating configuration....
    no ft auto-sync startup-config
    boot system image:c4710ace-mz.A3_2_0.bin
    hostname HOB-ACE-1
    interface gigabitEthernet 1/1
      description Man_HOB_1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      description VIP_HOB_1
      switchport access vlan 24
      no shutdown
    interface gigabitEthernet 1/3
      description HA_HOB_1
      switchport access vlan 180
      no shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    probe icmp ICMP_PROBE1
      interval 15
      faildetect 4
      passdetect interval 60
      passdetect count 5
      receive 5
    rserver host MFREFSAS497
      description MAAFAXSERVER
      ip address 10.16.12.148
      conn-limit max 4000000 min 4000000
      inservice
    rserver host MSHOFCFS489
      description HOBFAXSERVER
      ip address 10.26.12.130
      conn-limit max 4000000 min 4000000
      inservice
    serverfarm host SFHOBACE-1
      description SFHOBACE-1
      predictor hash header Accept
      probe ICMP_PROBE1
      rserver MFREFSAS497 80
        conn-limit max 4000000 min 4000000
        inservice
      rserver MSHOFCFS489 80
        conn-limit max 4000000 min 4000000
        inservice
    class-map match-all VSHOBACE-1
      2 match virtual-address 10.26.24.242 any
    class-map type management match-any remote_access
      201 match protocol xml-https any
      202 match protocol icmp any
      203 match protocol telnet any
      204 match protocol ssh any
      205 match protocol http any
      206 match protocol https any
      207 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match VSHOBACE-1-l7slb
      class class-default
        serverfarm SFHOBACE-1
    policy-map multi-match global
      class VSHOBACE-1
        loadbalance vip inservice
        loadbalance policy VSHOBACE-1-l7slb
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 24
        nat dynamic 1 vlan 1000
    service-policy input global
    interface vlan 24
      description "Client VLAN"
      ip address 10.26.24.243 255.255.255.0
      access-group input ALL
      no shutdown
    interface vlan 1000
      ip address 10.26.12.132 255.255.255.0
      peer ip address 10.26.12.133 255.255.255.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ft interface vlan 180
      ip address 192.168.180.2 255.255.255.248
      peer ip address 192.168.180.3 255.255.255.248
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 180
    ft group 1
      peer 1
      priority 140
      associate-context Admin
      inservice
    ip route 0.0.0.0 0.0.0.0 10.26.12.1
    snmp-server contact "HOB_ACE"
    snmp-server location "HOB"
    snmp-server community FAXSERVER group Network-Monitor
    snmp-server user administrator Network-Monitor
    snmp-server trap-source vlan 1000
    username admin password 5 $1$GtO1e504$eGuyxxDcXck7SkxqBfRkI.  role Admin domain default-domain
    username www password 5 $1$N5ClX7jy$kDhGgN.uukWQKvQMd3pY.1  role Admin domain default-domain
    ssh key rsa 1024 force
    Thanks and Regards,
    Ashfaque

    Hello Hossain,
    Applying the policy globally on the box is commonly not the preferred way to go; you can use instead a single multi-match policy per SVI for easier management; this will also help to narrow down problems to a specific policy and VIP while T-Shooting.
    Use the
    ACE/Admin(config)# no service-policy input global
    ACE/Admin(config)# interface vlan 24
    ACE/Admin(config-if)# service-policy input global
    Also you want to remove the NAT from the multi-match policy, you're running in routed mode so NAT should not be required; if it was required then you don't have any natpool configured or as Ahmad mentioned it was truncated from the configuration.
    Something that caught my attention is that your default route is pointing to the server VLAN that happens to be also your management VLAN. I'll have to lab it up, but my first impression is that either the traffic coming to the VIP on vlan 24 should be always NAT'd to an IP of 10.26.24.X/24 before it gets to the ACE or else there will be a routing loop that will not allow the flow to complete correctly.
    Do you happen to have a quick logical diagram of this piece of the network?
    Thnx
    Pablo

  • ACE to load balance proxy servers

    Hi,
    I have a set of 4 proxy servers that are already load balanced. But they are using an incorrectly configured health probe on the ACE. I need to know a good configuration for a health probe that will send a http request over port 80, wait for response, and read it. I searched the forum and the Cisco pages but could not find a proper answer.
    the current probe is as follows:
    probe http HTTPGET
      description Tests that www.gmail.com returns 302 redirect
      interval 10
      request method get url http://www.gmail.com
      expect status 302 302
    -Gordon

    Hi Gordon,
    This is what you want to achieve :
    I need to know a good configuration for a health probe that will send a http request over port 80, wait for response, and read it?
    So ideally you have to choose what content you want to request and what you expect as response.
    Any HTTP request will assume that the request is going to the web server or the device can understand HTTP and respond accordingly.
    If you ask me I would say that the probes which you are using make sense.
    If the probe fails that means the proxy is unable to reach "www.gmail.com" which is almost as good as proxy is not working.
    Let me know your thought about it.
    regards,
    Ajay Kumar

  • ACE to Load Balance SurfControl/Win App

    According to SurfControl is it possible to use a L4 - L7 load balancer to bear the 10000 per server limitation.
    Is there any known option to do this using the ACE module?

    Thx for the reply Gilles.
    Is it possible to select only www, https, dns traffic to be sent to the farm and leave the rest to follow the way out to the next upstream device?
    Gus

  • ACE Routing Load-Balance problem

    I'm trying to configure a routing load-balance with Cisco ACE Module based on the following scenario:
    local users has a router (R1) as it default gateway, this router (R1) has a default route to the VIP that represent the serverfarm with two linux servers that should be used for Data Shaping over the WAN. I need to balance the traffic over the two linux servers and not necessary over the WAN.
    The problem is that when I set up the local network router default route to the VIP, the routing process simply stops working! If I change the route to the real server ip address, everything starts working again without any problem.
    Follow the configs:
    Local network Router - Static route
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Follow the ACE configs:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    access-list 100 line 8 extended permit ip any any
    rserver host rout001
      ip address 10.0.0.32
      inservice
    rserver host rout002
      ip address 10.0.0.31
      inservice
    serverfarm host BLC_ROUTING
      predictor leastconns
      rserver rout001
        inservice
      rserver rout002
        inservice
    class-map match-any VIP
      2 match virtual-address 10.0.0.1 any
    class-map type management match-any mgmt
      2 match protocol icmp any
      3 match protocol telnet any
      4 match protocol ssh any
    policy-map type management first-match access
      class mgmt
        permit
    policy-map type loadbalance first-match INT_router
      class class-default
        serverfarm BLC_ROUTING
    policy-map multi-match VIP
      class VIP
        loadbalance vip inservice
        loadbalance policy INT_router
        loadbalance vip icmp-reply
    interface vlan 6
      bridge-group 10
      access-group input 100
      service-policy input access
      service-policy input VIP
      no shutdown
    interface vlan 8
      bridge-group 10
      access-group input 100
      service-policy input access
      service-policy input VIP
      no shutdown
    interface bvi 10
      ip address 10.0.0.5 255.255.255.0
      no shutdown
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    I tried to change some parameters like "transparent" at serverfarm config and change the "predictor" method to "hash address source" but there was no good results at all.
    Anyone has any idea why this process is not working ?
    Is there any special configuration for this scenario ?
    Regards,
    Ricardo

    Ricardo,
    What is this route ??
    ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
    You can't have 0.0.0.0/24.
    You must be missing something ?
    Also, since the vip is part of a vlan with subnet 10.0.0.0/24 you don't need to add a static route to reach that vip.
    It should normally be directly connected to your router.
    With the static route, do you see traffic coming to the ACE module ?
    Does it loadbalance to the server ?
    'show service-policy detail' check the packet counters
    Gilles.

  • TCP SYNSEEN with load balancing Cisco ACE 4710

    I have a Cisco ACE 4710 load balancing the traffic to two proxy servers. The configuration is the same since December 2012, but yesterday it started to show SYNSEEN in the show conn command, and the hosts cannot browse. I think that means that the three-way-handshake is not complete.
    If I bypass the ACE the hosts can browse without problems. 
    I have tested with another ACE appliance and the same configuration but the behaviour is the same.
    I need help as soon as possible,
    thanks,
    I've attached the Show conn, show conn detail and show run.

    Hi Cesar,
    Thank you for your answer,
    The issue was solved,
    We were running an A3 software version. It seems to have a bug so it doesn't show the NAT commands in the "show run", so when we made the configuration backup we didn't notice it.
    The ACE reloaded because of an electrical failure, so it lost the NAT config.
    We just upgraded to an A4 version and also added a NAT/PAT to enable the communication between the Clients and the Proxy.
    Regards,

  • Regarding ACE load balancing

    Hi,
    I have one server application with two physical servers clustered with one virtual IP address . I have total six ip addresses for one server : details are given below
    Cluster IP’s :
    Node 1 :
    NIC 1 : 10.10.x.x : physical IP address
    NIC 2 : 172.16.x.x : heartbeat address used in between server
    Node 2 :
    NIC 1 : 10.10.x.x : physical ip address
    NIC 2 : 172.16.x.x : heartbeat address used in between server
    Cluster IP : 10.10.x.x : clustered IP address used to access server
    SQL IP : 10.10.x.x : clustered IP address used to access SQL application .
    now i want to achieve server load-balancing using ACE module. Please suggest to me fulfil this requirement. how to do this ?
    whether i need to remove the virtual IP and directly bind two physical ip to ace virtual ip add.
    How do i check ace server load-balancing configuration with live server .... do we have any tool to check the packet behaviour to confirm that load-balancing is happening properly in between two physical servers :
    Please guide me and share the knowledge .....................

    Hi Vinod,
    You are correct. In order to achieve load-balancing with an ACE blade, you need to configure the addresses of the two servers separately. If you look at the documentation page on cisco.com for ACE (http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html) you will find sample configuration for the most common topologies.
    As for how to verify if the load-balancing is working correctly, you can use the command "show serverfarm ", which will list you all the servers in a serverfarm, along with the current and total connection numbers for each of them.

  • How to properly load balance between different server farms.

    Hi experts,
    We are using an ACE 4710. We chose for our server farms to load balance using the least_connections predictor. It seems to work fine inside the same server farm, but is it working properly between server farms? It doesn't seem so, because some of my real servers seem to be more loaded than others. Each server farm is using the same real servers.
    Any idea about what is the problem or any suggestion regarding the best load balancing predictor we should use using this kind of configuration?
    Thanks to all.

    The ACE uses load-balancing algorithms or predictors to determine how to balance the traffic among the devices configured in the server farms, independent of the device type. For FWLB, we recommend that you use only the hash address source and the hash address destination predictors. Using any other predictor with FWLB may fail and block traffic, especially for applications that have separate control and data channels.
    Here is the configuration guide for the Cisco ACE 4700 Series Appliance Server Load-Balancing.
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/slb/guide/fwldbal.html

  • Cisco ACE20 Load balancing issues

    Dear All,
    I have a problem with the ACE 20 load balance
    To start with following is our architectural request flow:
    Load Balancer --> Webseal /(reverse proxy) --> HTTP Server --> Portal Server
    We have Hardware Load Balancer Cisco ACE20.
    When we access our portal from Webseal server it works totally fine without any issue, but when we access the same application using ACE we face the following issues:
    1) Some of the links on do not work. For eg: We have a link "subscribe" which points to https://intranet/abc/wps/portal/subscription , whenever we click on this link, the request is directed to https://intranet/abc/wps/portal i.e homepage
    2) URL redirection does not work. We have some links which have a url forwarding or redirection; for example, when we open https://intranet/ef/quickplace it forwards the requests to https://intranet/ef/quickplace/Main.nsf?opendocument....., but this redirection fails and again the request is thrown to homepage i.e https://intranet/abc/wps/portal
    3) The response of the request and the overall portal when accessed via ACE is very sluggish and it takes 20 seconds for homepage to load, whereas the homepage loads in 4 secs when accessed via webseal.
    Below are the ACE details. Kindly provide your inputs to resolve this issue. Will rate all the suggestions.
    Hardware Product Number: ACE20-MOD-K9
      Card Index:     207
      Hardware Rev:   2.3
      Feature Bits:   0000 0002
      Slot No. :      7
      Type:           ACE
    Software
      loader:    Version 12.2[120]
      system:    Version A2(1.4) [build 3.0(0)A2(1.4) adbuild_11:54:12-2009/03/05_/auto/adbu-rel2/rel_a2_1_4_throttle/REL_3_0_0_A2_1_4]
      system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_4.bin
      installed license: ACE-SEC-LIC-K9

    Dear all,
    Please suggest on this issue.
    BS

  • Load balancing across 4 web servers in same datacentre - advice please

    Hi All
    I'm looking for some advice please
    The apps team have asked me about load balancing across some servers but I'm not that well up on it for applications
    Basically we have 4 apache web servers with about 2000 clients connecting to them, they would like to load balance connections to all these servers, they all need the same DNS name etc.
    what load balancing methods would I need for this, I believe they run on Linux
    Would I need some sort of device, or can the servers run some software that can do this, how would it work? and how would load balancing be achieved here?
    cheers

    Carl,
    What you have mentioned sounds very straightforward then everything should go well.
    The ACE is a load balancer which takes a load balancing decisions based on different matching methods like matching virtual address, url, source address, etc then once the load balance decision has been taken then the ACE will load balance the traffic based on the load balance method which you have configured (if you do not configure anything then it will use the default which is "round robin"), then it will send the traffic to the servers which it has available and finally the client should get the content.
    If you want to get some details about the load balancing methods here you have them:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/overview.html#wp1000976
    For ACE deployments the most common designs are the following.
    Bridge Mode
    One Arm Mode
    Routed Mode
    Here you have a link for Bridge Mode and a sample for that:
    http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Bridged_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
    Here you have a link for One Arm Mode and a sample for that:
    http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
    Here you have a link for Routed Mode and a sample for that:
    http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Routed_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
    Then as you could see in all those links you may end up having a configuration like this:
    interface vlan 40
      description "Default gateway of real servers"
      ip address 192.168.1.1 255.255.255.0
      service-policy input remote-access
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    class-map match-all slb-vip
      2 match virtual-address 172.16.1.100 any
    policy-map multi-match client-vips
      class slb-vip
        loadbalance vip inservice
        loadbalance policy slb
    policy-map type loadbalance http first-match slb
      class class-default
        serverfarm web
    serverfarm host web
      rserver lnx1
        inservice
      rserver lnx2
        inservice
      rserver lnx3
        inservice
    rserver host lnx1
      ip address 192.168.1.11
      inservice
    rserver host lnx2
      ip address 192.168.1.12
      inservice
    rserver host lnx3
      ip address 192.168.1.13
      inservice
    Please mark it if it answered your question, so other users can use it as a reference in the future.
    Hope this helps!
    Jorge

  • ACE 4710 and Cookie problem

    I plan to load balance user traffic to a server farm. Currently, the server is using a cookie to generate delay/response time statistics for users from various locations. If I use ACE to load balance user traffic, I need to use a NAT statement on ACE to make the design work. However, the server can no longer use the cookie to generate such statistics, since the source address is now a NATed address. Is there a way to rectify this problem? Thank you in advance.

    You can get rid of NAT, which would require a redesign (use policy routing or make ACE the default gateway for the servers).
    If a redesign is not possible, then you have to live with NAT.
    ACE offers the HTTP header insert function.
    You could add the source IP of the client inside the HTTP header.
    It is up to the server to retrieve the info and build whatever is needed.
    Gilles.
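
On the server side, the header-insert approach described above could be consumed as follows. This is an added example, not code from the thread: the header name, the load balancer address and the function name are assumptions. It uses the inserted value only when the TCP peer is the load balancer, because any other sender can set that header freely.

```python
import ipaddress

# Assumptions, not from the thread: the header name configured on the ACE and
# the address the ACE source-NATs to (constructed placeholder value).
CLIENT_IP_HEADER = "X-Forwarded-For"
TRUSTED_LB_PEERS = {ipaddress.ip_address("192.168.1.1")}


def client_ip(peer_addr, headers):
    """Pick the address to record for per-client statistics.

    peer_addr: source IP of the TCP connection as the server sees it.
    headers:   list of (name, value) pairs, duplicates preserved.
    Returns (ip, origin) where origin is "header" or "peer".
    """
    peer = ipaddress.ip_address(peer_addr)
    # Only the load balancer may vouch for a client address; a request that
    # reaches the server any other way can carry whatever header it likes.
    if peer not in TRUSTED_LB_PEERS:
        return str(peer), "peer"

    candidates = []
    for name, value in headers:
        if name.lower() == CLIENT_IP_HEADER.lower():  # names are case-insensitive
            candidates += [part.strip() for part in value.split(",")]

    # More than one value means the client supplied its own copy as well;
    # which one is genuine is ambiguous, so fall back to the NAT address.
    if len(candidates) != 1:
        return str(peer), "peer"
    try:
        return str(ipaddress.ip_address(candidates[0])), "header"
    except ValueError:
        return str(peer), "peer"


if __name__ == "__main__":
    # Constructed sample requests.
    print(client_ip("192.168.1.1", [("Host", "app"), ("X-Forwarded-For", "203.0.113.7")]))
    print(client_ip("198.51.100.9", [("X-Forwarded-For", "10.0.0.1")]))
```

Recording the origin next to the address lets the statistics job separate real client addresses from entries that fell back to the NAT address.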

  • FTPS with ACE 4710

    Hi,
    I need to configure ACE for load-balancing FTPS, and simply deploying L4 policies is not helping either. I configured the FTPS servers and both of them are working fine when accessed via the physical IP, but they do not work when accessed via the VIP.
    If it is possible, a reference URL would really be a great help.

    Hi Rajiv,
    Do you want to load balance SFTP?
    Or just have it pass through?
    Load balancing SFTP is difficult because it starts as regular FTP and switches over to SSL, which ACE can't do and fails to understand.
    You don't need anything to have it pass through.
    As long as you don't ask ACE to inspect the traffic, and assuming this traffic is permitted in your access-group, then there is nothing to do to have it go through.
    I think your goal is to distribute inbound file deposits evenly across SFTP servers.
    High-level Overview
    Clients -> Internet -> Tier-1 Firewall -> ACE Load-balancer -> SFTP Servers
    I would like to tell you that SFTP is nothing but SSH. It uses a single connection. There are no issues load balancing it using traditional Layer 4 load balancing.
    So you are good.
    On the other hand, FTP over SSL (FTPS) can neither be offloaded nor load balanced using ACE.
    FTPS uses multiple channels, and since the control channel is encrypted, ACE is not able to get the port numbers for the data connections.
    Kindly find these examples of the FTP load balancing method in Cisco ACE:
    1. FTP serverfarm on Cisco ACE
    http://snippets101.blogspot.com/2007/06/ftp-serverfarm-on-cisco-ace.html
    2. FTP Load Balancing on ACE in Routed Mode Configuration Example
    http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_Routed_Mode_Configuration_Example
    3. FTP Load Balancing on ACE in One-Arm Mode Configuration Example
    http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example
    Kindly refer to the following URLs for Layer 4 policies:
    http://cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3048.shtml
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide,_Release_A2(x)_--_Troubleshooting_Layer_4_Load_Balancing
    http://snippets101.blogspot.com/2008/08/cisco-ace-and-private-vlans-in-switch.html
    http://snippets101.blogspot.com/2008/08/asymmetric-server-normalization-on.html
    http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Configuring_Server_Load_Balancing
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/security/guide/tcpipnrm.html#wpmkr1116809
    Hope it will help you further in configuring the ACE load balancing L4 policies.
    Kindly rate.
    Sachin Garg
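
The reply above says that ACE cannot get the data-connection port numbers once the FTPS control channel is encrypted. The sketch below shows what an inspecting device reads from the control channel and why that stops after AUTH TLS. It is an added example, not code from the thread; the function name and both captures are constructed.

```python
import re

# What an inspecting device looks for on a cleartext FTP control channel.
_HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
_PASV = re.compile(r"^227 .*?" + _HOSTPORT)
_PORT = re.compile(r"^PORT " + _HOSTPORT, re.IGNORECASE)
_EPSV = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_endpoints(control_lines):
    """Return the data-channel endpoints visible on the wire.

    control_lines: list of bytes, one per control-channel line as captured.
    Each result is (host or None, port); EPSV replies carry no host.
    """
    learned, auth_sent = [], False
    for raw in control_lines:
        try:
            line = raw.decode("ascii").strip()
        except UnicodeDecodeError:
            continue  # not FTP text
        if line.upper().startswith("AUTH "):
            auth_sent = True
        elif auth_sent and line.startswith("234"):
            break  # server accepted TLS; everything after this is ciphertext
        m = _PASV.match(line) or _PORT.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = m.groups()
            # The port is sent as two decimal bytes: high * 256 + low.
            learned.append((f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)))
        elif (m := _EPSV.match(line)):
            learned.append((None, int(m.group(1))))
    return learned


# Constructed captures: the same kind of session without and with AUTH TLS.
PLAIN_FTP = [b"220 ready\r\n", b"USER demo\r\n", b"331 need password\r\n",
             b"PASV\r\n", b"227 Entering Passive Mode (192,168,1,11,195,80)\r\n"]
EXPLICIT_FTPS = [b"220 ready\r\n", b"AUTH TLS\r\n", b"234 proceed\r\n",
                 b"\x16\x03\x01\x00\xc8\x01\x00", b"\x17\x03\x03\x00\x30\x9c\xf1"]
```

For the cleartext capture the function returns the negotiated data endpoint; for the AUTH TLS capture it returns an empty list, which is the situation described for FTPS behind the VIP.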
