ACE 4710 Redirect to Different Server Farm based on URL
I have a WebLogic 11 serverfarm where I want to redirect to a different serverfarm based on the URL. I am able to do it and it appears to be working; however, I am having issues with the cookies. I seem to be getting logged out of our app when switching between the serverfarms. Is there any way to fix this issue? My configuration is below.
Thanks!
-Andy
Generating configuration....
crypto chaingroup WWW-PROD-CHAINGROUP
cert AddTrustExternalCARoot.crt
cert COMODOHigh-AssuranceSecureServerCA.crt
access-list allow line 8 extended permit ip any any
probe http HTTP_PROBE
port 7001
interval 10
passdetect interval 5
request method get url /login.jsp
expect status 200 299
connection term forced
probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5
receive 5
probe tcp TCP7001_PROBE
port 7005
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
rserver redirect REDIRECT-TO-HTTPS
webhost-redirection https://%h%p 301
inservice
rserver host WLS11Host1
ip address 192.168.211.250
inservice
rserver host WLS11Host2
ip address 192.168.211.14
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-TO-HTTPS
inservice
serverfarm host SPEND-FARM
probe HTTP_PROBE
rserver WLS11Host1 7001
inservice
serverfarm host WLS11FARM
probe HTTP_PROBE
rserver WLS11Host2 7001
inservice
parameter-map type http HTTP-PARM
persistence-rebalance
set secondary-cookie-start none
parameter-map type http PARSE
persistence-rebalance
set header-maxparse-length 8192
length-exceed continue
parameter-map type ssl SSL_MAP
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_WITH_AES_256_CBC_SHA
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
cookie insert browser-expire
serverfarm WLS11FARM
replicate sticky
sticky http-cookie ACE-COOKIE-SPEND SPEND_STICKY
cookie insert browser-expire
serverfarm SPEND-FARM
replicate sticky
ssl-proxy service WWW-PROD-SSLPROXY
key client_ssl.pem
cert pastar.crt
chaingroup WWW-PROD-CHAINGROUP
ssl advanced-options SSL_MAP
class-map type http loadbalance match-any HTTP-MARKETING
2 match http url /index.html
class-map type http loadbalance match-any HTTPS-SPEND
2 match http url /spend/.*
class-map type http loadbalance match-any L5
2 match http url /.*
class-map match-all WLS-7001-CLASS
2 match virtual-address 192.168.215.28 tcp eq www
class-map match-all WLS11-HTTPS-CLASS
2 match virtual-address 192.168.215.28 tcp eq https
policy-map type loadbalance first-match HTTPS
class HTTPS-SPEND
sticky-serverfarm SPEND_STICKY
insert-http x-forward header-value "%is"
class L5
sticky-serverfarm 7001_STICKY
insert-http x-forward header-value "%is"
policy-map type loadbalance first-match WLS11-7001-Policy
class HTTP-MARKETING
sticky-serverfarm 7001_STICKY
insert-http x-forward header-value "%is"
class HTTPS-SPEND
serverfarm REDIRECT-SERVERFARM
class L5
serverfarm REDIRECT-SERVERFARM
policy-map multi-match WLS11-SLB
class WLS-7001-CLASS
loadbalance vip inservice
loadbalance policy WLS11-7001-Policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
appl-parameter http advanced-options HTTP-PARM
class WLS11-HTTPS-CLASS
loadbalance vip inservice
loadbalance policy HTTPS
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
appl-parameter http advanced-options PARSE
ssl-proxy server WWW-PROD-SSLPROXY
interface vlan 1000
ip address 192.168.215.27 255.255.255.0
access-group input allow
nat-pool 1 192.168.215.28 192.168.215.28 netmask 255.255.255.255 pat
service-policy input WLS11-SLB
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.215.1
snmp-server community poweradvocaterw group Network-Monitor
Hi,
So when you come with "http url /index.html", you go to "sticky-serverfarm 7001_STICKY" and the ACE must be inserting the sticky cookie "ACE_COOKIE-7001". Now when you get redirected because you match "HTTPS-Spend", the ACE will load balance the request, which will now come in on HTTPS, and insert the sticky cookie "ACE-COOKIE-SPEND". That's why, I guess, you see two sticky entries. Now I guess the ACE will keep the connection to the servers in "sticky-serverfarm SPEND_STICKY", or do you see that the ACE is not doing that, or did you expect the ACE to send the request to "sticky-serverfarm 7001_STICKY" even though it matches the HTTPS-Spend class-map condition?
Regards,
Kanwal
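The two-cookie behaviour described in the reply above, modelled as an added example (not part of the original thread and not Cisco code). It replays requests through the posted class-maps, policy-maps and sticky groups; the hostname, the `R-` cookie values and the assumption that the application session exists only on the server that created it are constructed for illustration.

```python
import re

HOST = "app.example.test"  # constructed hostname standing in for the VIP

# class-map type http loadbalance ...: URL regexes exactly as posted.
CLASS_MAPS = {"HTTP-MARKETING": r"/index.html",
              "HTTPS-SPEND": r"/spend/.*",
              "L5": r"/.*"}

# policy-map type loadbalance first-match ..., keyed by the VIP port's scheme.
POLICIES = {
    "http": [("HTTP-MARKETING", ("sticky", "7001_STICKY")),    # WLS11-7001-Policy
             ("HTTPS-SPEND", ("redirect", "REDIRECT-SERVERFARM")),
             ("L5", ("redirect", "REDIRECT-SERVERFARM"))],
    "https": [("HTTPS-SPEND", ("sticky", "SPEND_STICKY")),     # HTTPS
              ("L5", ("sticky", "7001_STICKY"))],
}
# sticky http-cookie <cookie name> <group>, with the serverfarm it points to.
STICKY_GROUPS = {"7001_STICKY": ("ACE_COOKIE-7001", "WLS11FARM"),
                 "SPEND_STICKY": ("ACE-COOKIE-SPEND", "SPEND-FARM")}
SERVERFARMS = {"WLS11FARM": ["WLS11Host2"], "SPEND-FARM": ["WLS11Host1"]}


def classify(scheme, path):
    """Return (class name, action) of the first class whose regex matches.
    Assumption: a class matches when its regex covers the whole URL path."""
    for name, action in POLICIES[scheme]:
        if re.fullmatch(CLASS_MAPS[name], path):
            return name, action
    return None, None


def route(scheme, path, cookies):
    """Load-balance one request; cookies is the browser's cookie dict."""
    result = {"class": None, "rserver": None, "set_cookie": None, "redirect": None}
    name, action = classify(scheme, path)
    if action is None:
        return result
    result["class"] = name
    kind, target = action
    if kind == "redirect":
        # rserver redirect REDIRECT-TO-HTTPS: webhost-redirection https://%h%p 301
        result["redirect"] = "https://%s%s" % (HOST, path)
        return result
    cookie_name, farm_name = STICKY_GROUPS[target]
    farm = SERVERFARMS[farm_name]
    # Constructed cookie values; the values a real ACE inserts are opaque.
    known = {"R-" + rserver: rserver for rserver in farm}
    token = cookies.get(cookie_name)
    if token in known:
        result["rserver"] = known[token]      # sticky hit, no new cookie
    else:
        result["rserver"] = farm[0]           # both posted farms have one member
        result["set_cookie"] = (cookie_name, "R-" + farm[0])
    return result


def browse(requests):
    """Replay (scheme, path) pairs with one cookie jar.
    Assumption: the application session lives only in the memory of the
    server that created it (no session replication between the hosts)."""
    jar, session_home, trace = {}, None, []
    for scheme, path in requests:
        r = route(scheme, path, jar)
        if r["set_cookie"]:
            jar[r["set_cookie"][0]] = r["set_cookie"][1]
        session_known = None                  # None: request was only redirected
        if r["rserver"]:
            if session_home is None:
                session_home = r["rserver"]   # first backend creates the session
            session_known = (r["rserver"] == session_home)
        trace.append((scheme, path, r["class"], r["rserver"], session_known))
    return jar, trace


if __name__ == "__main__":
    jar, trace = browse([("http", "/index.html"), ("http", "/spend/report"),
                         ("https", "/spend/report"), ("https", "/home.jsp")])
    for row in trace:
        print(row)
    print("cookies held by the browser:", sorted(jar))
```

Both sticky cookies work as configured; the request under /spend/ still reaches a host that never saw the session, because SPEND-FARM and WLS11FARM contain different real servers.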
Similar Messages
-
Good day everyone,
I have a question in regard to real server operation with different server farms and VIPs.
Can a Real Server be associated (for simplicity) with two different Server Farms that have a VIP associated with each, servicing the same TCP port (443)?
Example:
SF-A
RSRV-1: 192.168.1.10 /24
RSRV-2: 192.168.1.11 /24
VIP-A: 192.168.1.20 /24
VIP-A: https:web-A
Protocol: HTTPS
SF-B
RSRV-2: 192.168.1.11 /24
RSRV-3: 192.168.1.12 /24
VIP-B: 192.168.1.30 /24
VIP-b: https:web-B
Protocol: HTTPS
Client-A: 172.16.128.10
Client-B: 172.16.128.15
I have attached a sketch depicting the connectivity.
As always, any feedback/suggestions will be greatly appreciated.
Cheers,
Raman Azizian
Raman,
This type of config is no problem. What the server is doing is virtual web hosting. The server would have two different web services running for the same IP, but each listening for a unique host header.
From an IP point of view both connections would be destined to the rserver address on port 80, but in the http header they would have two different Host headers.
One for www.example1.com and the second for www.example2.com. If the web server is configured correctly so each host name is tied to one web service, it will not have any issues.
The config you attached looks ok. The way you have the sticky group is ok doing source IP. If you use cookies for the sticky group I would suggest you create two sticky groups each with a different cookie name and add the same serverfarm to both groups. The client will only send a cookie for the domain it received it from so using the same cookie in two vips could cause problems if the same client hits both vips.
Hope that helps
Regards
Jim -
ACE 4710 Redirection based on incoming Spanish Language
I have a customer that wants to redirect incoming traffic to a different URL or host based on the end user's language, Spanish in particular. What is the best way to accomplish this task with the least amount of issues?
Stan
If you capture a sniffer trace of any HTTP traffic, you will see that every request contains a line like this:
"Accept-Language: de"
So, in this example the request contains information that the browser accepts German (DE).
If you sniff a request from a Spanish browser, you should see a similar line with the "SP" letters.
Then with ACE, you can match those requests with a class-map like the one below:
AceC6k2/Admin(config)# class-map type http load Spanish
AceC6k2/Admin(config-cmap-http-lb)# match http heade Accept-Language header-value sp
AceC6k2/Admin(config-cmap-http-lb)#
Then inside your policy-map you can use this class-map to differentiate Spanish requests from the others.
AceC6k2/Admin(config)# policy-map type loadbalance http first-match Web
AceC6k2/Admin(config-pmap-lb)#
AceC6k2/Admin(config-pmap-lb)# class Spanish
<.....do something here for spanish browsers .....>
AceC6k2/Admin(config-pmap-lb)# class class-default
<..... do something here for the other browsers ......>
gilles. -
ACE working with IronPort WSA server farm
We have an ACE load balancing a group of Ironport WSA. The WSA are working with the feature IP Spoofing, then the request to WWW has the source ip address of the WSA client and not the WSA itself.
We followed the document behind, but it is not working. When a packet coming from the Internet has the WSA client address as its destination address, the ACE cannot deliver the packet, even with mac-sticky configured.
I read in another forum that the ACE needs to have the destination IP address in its ARP table or route table to be able to deal with the packet by the encapid.
But we don't have this entry in the ARP table.
When we configure the WSA with IP spoofing and the source IP address is the WSA itself, the configuration works fine.
Has anyone had this kind of problem on some occasion?
Thank you,
Everaldo
Hi Jorge,
The behavior is when we have IP Spoofing configured in the WSAs, the connection is not established. The ACE establishes the connection with the client but the connection with Internet is not established. I captured the packets that arrive in the ACE coming from Internet and I see SYN packets with source address as a public IP (Google) and the destination address as the internal client IP address with no ACK just RST.
With no IP Spoofing, meaning that the source IP address is the WSA, the connection is established with no RST.
The output of the commands follows:
show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 304
service-policy: WSA-VIPS
class: WSA_VIP_TCP_3128
VIP Address: Protocol: Port:
10.10.193.25 tcp eq 3128
loadbalance:
L7 loadbalance policy: WSA-POLICY
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: DISABLED
curr conns : 3 , hit count : 1260
dropped conns : 4
conns per second : 0
client pkt count : 19271 , client byte count: 2326106
server pkt count : 26140 , server byte count: 16572023
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : WSA-POLICY
class/match : class-default
LB action :
primary serverfarm: WSA_FARM
state: UP
backup serverfarm : -
hit count : 1260
dropped conns : 0
compression : off
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
switch/WSA# show probe WSA_TCP_3128
probe : WSA_TCP_3128
type : TCP
state : ACTIVE
port : 3128 address : 0.0.0.0
addr type : - interval : 5 pass intvl : 10
pass count: 3 fail count: 30 recv timeout: 10
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ----------------------+----+--------+------+------+------+------
serverfarm : WSA_FARM
real : WSA-01[0]
real : WSA-02[0]
10.10.193.37 3128 PROBE 15076 72 15004 SUCCESS
real : WSA-03[0]
real : WSA-04[0]
real : WSA-05[0]
real : WSA-06[0]
real : WSA-07[0]
real : WSA-08[0]
real : WSA-09[0]
real : WSA-10[0]
switch/WSA# show probe WSA_TCP_3128 detail
probe : WSA_TCP_3128
type : TCP
state : ACTIVE
description :
port : 3128 address : 0.0.0.0
addr type : - interval : 5 pass intvl : 10
pass count: 3 fail count: 30 recv timeout: 10
conn termination : FORCED
expect offset : 0 , open timeout : 3
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ----------------------+----+--------+------+------+------+------
serverfarm : WSA_FARM
real : WSA-01[0]
real : WSA-02[0]
10.10.193.37 3128 PROBE 15088 72 15016 SUCCESS
Socket state : CLOSED
No. Passed states : 2 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : -
Last probe time : Mon Sep 3 21:06:47 2012
Last fail time : Mon Sep 3 20:45:05 2012
Last active time : Mon Sep 3 20:45:57 2012
real : WSA-03[0]
real : WSA-04[0]
real : WSA-05[0]
real : WSA-06[0]
real : WSA-07[0]
real : WSA-08[0]
real : WSA-09[0]
real : WSA-10[0]
Thank you,
Everaldo -
VIP still reachable even if primary server farm is down
Hi,
I want to make sure that a VIP is not PING-able anymore when the primary server farm is down (all servers are down).
For that I have the following configuration :
serverfarm host NCL_FARM_TEST
probe NCL_PROBE_HTTP
rserver CHPAUN028 443
inservice
policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
description *** Load balancing rule for test in http mode ***
class L7_CLASS_TEST
serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
compress default-method gzip
insert-http Source-IP header-value "%is"
insert-http Remote-Port header-value "%pd"
ssl-proxy client NCL_SSL_CLIENT
policy-map multi-match VIP_PROD_AND_TEST
class L4_CLASS_NCL_TEST_HTTP
loadbalance vip inservice
loadbalance policy L7_POLICY_NCL_TEST_HTTP
loadbalance vip icmp-reply active primary-inservice
nat dynamic 2 vlan 115
appl-parameter http advanced-options NCL_HTTP_PARAM
While testing this feature, I realized that the VIP is still reachable (PING), even if the server in the farm is in PROBE_FAILED status (for the test, I have only one rserver in the farm).
Here is the server farm status, while PING is still possible :
CH01AC03/P-115-A# sh serverfarm NCL_FARM_TEST detail
serverfarm : NCL_FARM_TEST, type: HOST
total rservers : 1
active rservers: 0
description : *** Test Server Farm ***
state : INACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 27
num times back inservice : 28
total conn-dropcount : 0
Probe(s) :
NCL_PROBE_HTTP, type = HTTP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: CHPAUN028
10.240.3.128:443 8 PROBE-FAILED 0 609 8
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
In the documentation, regarding the command "vip loadbalance icmp-reply active primary-inservice", it is stated that the ACE should discard ping packets if all servers in the primary server farm are down.
I probably missed something, but what?
Here is the service-policy status :
Policy-map : VIP_PROD_AND_TEST
Status : ACTIVE
Interface: vlan 1 115
class: L4_CLASS_NCL_TEST_HTTP
nat:
nat dynamic 2 vlan 115
curr conns : 0 , hit count : 56
dropped conns : 0
client pkt count : 809 , client byte count: 231750
server pkt count : 1262 , server byte count: 1375334
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: L7_POLICY_NCL_TEST_HTTP
VIP ICMP Reply : ENABLED-WHEN-PRIMARY-SF-UP
VIP State: INSERVICE
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 56
dropped conns : 0
client pkt count : 809 , client byte count: 231750
server pkt count : 1262 , server byte count: 1375334
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 1052393
bytes_out : 309229
Compression ratio : 70.61%
Parameter-map(s):
NCL_HTTP_PARAM
Thank you for any hints,
Yves Haemmerli
Gilles,
I have effectively four different policy maps:
- one for PROD when the client arrives with HTTP
- one for PROD when the client arrives with HTTPS
- one for TEST when the client arrives with HTTP
- one for TEST when the client arrives with HTTPS
However, the PROD and the TEST environments use different server farms. I am testing the icmp-reply feature on the TEST environment. In the TEST environment, both Layer-7 policy maps use the same server farm.
Here are the four policy maps:
policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTP
description *** Load balancing rule for production in http mode ***
class L7_CLASS_PROD
serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
insert-http Source-IP header-value "%is"
insert-http Remote-Port header-value "%pd"
ssl-proxy client NCL_SSL_CLIENT
class L7_CLASS_REDIRECT
serverfarm NCL_REDIRECT_FARM_PROD_HTTP
policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTPS
description *** Load balancing rule for production in https mode ***
class L7_CLASS_PROD
serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
insert-http Source-IP header-value "%is"
insert-http Remote-Port header-value "%pd"
ssl-proxy client NCL_SSL_CLIENT
class L7_CLASS_REDIRECT
serverfarm NCL_REDIRECT_FARM_PROD_HTTPS
policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
description *** Load balancing rule for test in http mode ***
class L7_CLASS_TEST
serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
compress default-method gzip
insert-http Source-IP header-value "%is"
insert-http Remote-Port header-value "%pd"
ssl-proxy client NCL_SSL_CLIENT
class L7_CLASS_REDIRECT
serverfarm NCL_REDIRECT_FARM_TEST_HTTP
policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTPS
description *** Load balancing rule for test in https mode ***
class L7_CLASS_TEST
serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
insert-http Source-IP header-value "%is"
insert-http Remote-Port header-value "%pd"
ssl-proxy client NCL_SSL_CLIENT
class L7_CLASS_REDIRECT
serverfarm NCL_REDIRECT_FARM_TEST_HTTPS
Yves -
ACE 4710 how to direct traffic by source ip
I would like to know in the simplest terms how to use the source IP of the request to direct traffic to 2 different server farms.
One IP address source range to one server farm and all other IP address sources to another server farm.
Good morning,
It is possible to match the source IP of the client as a parameter for L7 class-map. See the link below for more details
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/classlb.html#wp1117372
For your setup, you could just create two different class-maps (one for each source range) mapped to two different serverfarms.
I hope this helps
Daniel -
Server 2012 R2 essentials url rewrite to exchange 2013 breaks remote web workplace
Hi all
Have a server 2012 r2 with essentials experience installed and an exchange 2013 sp1 on a member server.
I have 2 certificates
remote.domain.com for the essentials rww
mail.domain.com for exchange owa
I have added the administrator account to enterprise admins and have joined the exchange server with the essentials connector, so it appears on the dashboard.
Both certificates are installed correctly.
I have installed ARR 3.0 and created a serverfarm mail.domain.com and accepted that it created url rewrite for me.
Server farm does not have ssl offload enabled.
The url rewrite is setup like this:
Requested url: matches pattern, Using: Wildcards, Pattern *
Conditions: Match All, Input: HTTPS, Type: Matches the pattern, Pattern: ON
Action: Route to server farm
Scheme: https://, Server farm: mail.domain.com, Path: /{R:0}
Stop processing of subsequent rules: checked
Now pointing protocol 443 to the IP of the Essentials server and navigating to https://mail.domain.com/owa brings up the OWA logon page with my trusted server certificate and all.
Everything works fine.
If I then navigate to https://remote.domain.com/remote then the webpage should show the login to the essentials remote web workplace.
But instead it shows a somewhat crippled version, like forms and pictures missing, and it is obviously not working.
Trying to troubleshoot, I changed the URL rewrite from wildcards to exact match and put owa into the pattern field.
Then my remote web workplace showed up correctly with the matching certificate and all was fine.
But now owa shows a 404 directory not found.
I guess I need some help on this.
Somehow that server farm and the URL rewrite mess up my default website, with the remote site.
Much appreciated...
\Lars
Lars,
RE-Run the WSE wizard to reset the Internet settings.
Remove ARR and URLReWrite.
Once removed reboot.
Install ARR and URLReWrite again by downloading.
Do NOT configure any farm settings.
Use the ARRConfig utility that comes with WSE:
http://technet.microsoft.com/en-us/library/jj200172.aspx
That TN page explains how to run the utility. Make sure you have exported the mail certificate including Public Key and Extended Properties first.
Philip Elder Microsoft Cluster MVP Blog: http://blog.mpecsinc.ca -
ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?
Hello all, I'm new to the ACE 4710 and need to know some details about stickiness.
As background, we are a small company with a SaaS product and a pair of webservers.
I have set up the load balancing default L7 Load-balancing rule to sticky based on a cookie-based Sticky Group.
That seems to be working and session traffic is sticking to a server during the user's session.
Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work with little to no training on this hardware and no budget at this point to pay someone else for configuration and setup.
I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issues while those sessions are active, and have new connections to other client URLs balanced among the webservers.
Hopefully this request makes sense.
Thanks,
Mark Steeves.
Daniel,
Thanks for the reply, but I cannot reach the URL you included. It gives me a 403.
Therefore, without reading the article, I wanted to ask if the proper setup would be:
1. Default L7 load-balancing action: Primary action: Sticky: Sticky Group using
Type = HTTP Header: Header name = Host
2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
Using this setting in testing, it looks like all the traffic keeps going to 1 server only. Granted, there is not much traffic to the servers, but I have 2 different URLs being tested: url1.ourdomain.com & url2.ourdomain.com
If you have another link for the above document, please let me know.
Thanks,
Mark Steeves. -
ACE 4710: Find out the response time of a real server
Hi to everyone,
I have a couple of ACE 4710 and I need to find out what is the response time of a real server.
Is there a way for this?
Thank you for any answer!
giorgio romano
Hi,
Kindly add the following line in your serverfarm configuration:
predictor response syn-to-synack
Suppose your serverfarm looks like this:
serverfarm host AAA_FARM
predictor response syn-to-synack
probe HTTP_PROBE
probe TCP9001_PROBE
rserver SC106
inservice
rserver SC107
inservice
rserver SC108
inservice
rserver SC109
inservice
rserver SC110
inservice
rserver SC111
inservice
rserver SC112
inservice
rserver SC113
inservice
rserver SC114
inservice
rserver SC120
inservice
rserver SC131
inservice
And then use the following command to see the average response time from your rserver as follows:
ACE1/prod# show serverfarm AAA_FARM detail
serverfarm : AAA_FARM, type: HOST
total rservers : 11
active rservers: 11
description : ServerFarm AAA
state : ACTIVE
predictor : RESPONSE
method : syn-to-synack
samples : 8
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 0
total conn-dropcount : 0
Probe(s) :
HTTP_PROBE, type = HTTP
TCP9001_PROBE, type = TCP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC106
x.x.x.x.:0 8 OPERATIONAL 2 1125 0
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
average response time (usecs) : 81 ----> thats what you might be looking for
From other day :
rserver: SC114
x.x.x.x:0 8 OPERATIONAL 70 10903 2
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
average response time (usecs) : 1334 ----> thats what you might be looking for
For Serverfarm BBB_FARM
serverfarm : BBB_FARM, type: HOST
total rservers : 1
active rservers: 1
description : ServerFarm BBB
state : ACTIVE
predictor : RESPONSE
method : syn-to-synack
samples : 8
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 1
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC208
x.x.x.x:0 8 OPERATIONAL 0 0 0
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
average response time (usecs) : 0 ----> thats what you might be looking for
See more details for the response predictor:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1068831
Configuring the Application Response Predictor
To instruct the ACE to select the server with the lowest average response time for the specified response-time measurement based on the current connection count and server weight (if configured), use the predictor response command in server farm host or redirect configuration mode. This predictor is considered adaptive because the ACE continuously provides feedback to the load-balancing algorithm based on the behavior of the real server.
To select the appropriate server, the ACE measures the absolute response time for each server in the server farm and averages the result over a specified number of samples (if configured). With the default weight connection option configured, the ACE also takes into account the server's average response time and current connection count. This calculation results in a connection distribution that is proportional to the average response time of the server.
The syntax of this command is as follows:
predictor response {app-req-to-resp | syn-to-close | syn-to-synack}[samples number]
The keywords and arguments are as follows:
•app-req-to-resp—Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.
•syn-to-close—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
•syn-to-synack—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server.
•samples number—(Optional) Specifies the number of samples over which you want to average the results of the response time measurement. Enter an integer from 1 to 16 in powers of 2. Valid values are 1, 2, 4, 8, and 16. The default is 8.
For example, to configure the response predictor to load balance a request based on the response time from when the ACE sends an HTTP request to a server to when the ACE receives a response back from the server and average the results over four samples, enter:
host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)# predictor response app-req-to-resp samples 4
To reset the predictor method to the default of round-robin, enter:
host1/Admin(config-sfarm-host)# no predictor
To configure an additional parameter to take into account the current connection count of the servers in a server farm, use the weight connection command in server farm host predictor configuration mode. By default, this command is enabled. The syntax of this command is as follows:
weight connection
For example, enter:
host1/Admin(config)# serverfarm SF1
host1/Admin(config-sfarm-host)# predictor response app-req-to-resp samples 4
host1/Admin(config-sfarm-host-predictor)# weight connection
To remove the current connection count from the calculation of the average server response time, enter:
host1/Admin(config-sfarm-host-predictor)# no weight connection
You can use the threshold milliseconds parameter, which is optional. It specifies the required minimum average response time for a server. If the server response time is greater than the specified threshold value, the ACE removes the server from the load-balancing decision process (takes the server out of service).
Enter an integer from 1 to 300000 milliseconds (5 minutes). The default is no threshold (servers are not taken out of service).
In case you have to measure the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server, use syn-to-close (already discussed previously).
If you have to measure the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server, use syn-to-synack (already discussed previously).
The SAMPLES parameter is optional and specifies the number of samples that you want to average from the results of the response time measurement. The response time is used to select the server with the lowest response time for the requested response-time measurement. If you do not specify a response-time measurement method, the ACE uses the HTTP app-req-to-response method.
Whenever a server's load reaches zero, by default, the ACE uses the autoadjust feature to assign a maximum load value of 16000 to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options.
Using the least-loaded predictor with the configured server weight and the current connection count option enabled, the ACE calculates the final load of a real server as follows:
final load = weighted load × static weight × current connection count
where:
•weighted load is the load reported by the SNMP probe
•static weight is the configured weight of the real server
•current connection count is the total number of active connections to the real server
The ACE recalculates the final load whenever the connection count changes, provided that the (config-sfarm-host-predictor) weight connection command is configured. If the (config-sfarm-host-predictor) weight connection command is not configured, the ACE updates the final load when the next load update arrives from the SNMP probe.
If two servers have the same lowest load (either zero or nonzero), the ACE load balances the connections between the two servers in a round-robin manner.
HTH
Plz rate if u find it useful.
Sachin -
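A parser for the `show serverfarm <name> detail` output quoted in the answer above, as an added example (not part of the original post and not a Cisco tool). It pulls the per-rserver state and "average response time (usecs)" out of the text and flags servers that are down or slower than a limit; the sample output, its addresses and the 1000 usec limit are constructed.

```python
import re

# Constructed sample in the layout shown in the thread (addresses are
# documentation-range placeholders; the trailing arrow imitates the annotation).
SAMPLE = """\
serverfarm : AAA_FARM, type: HOST
total rservers : 3
active rservers: 2
state : ACTIVE
predictor : RESPONSE
method : syn-to-synack
samples : 8
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC106
192.0.2.10:0 8 OPERATIONAL 2 1125 0
max-conns : 4000000 , out-of-rotation count : 0
load value : 0
average response time (usecs) : 81 ----> annotated by hand
rserver: SC114
192.0.2.11:0 8 OPERATIONAL 70 10903 2
load value : 0
average response time (usecs) : 1334
rserver: SC120
192.0.2.12:0 8 PROBE-FAILED 0 609 8
load value : 0
average response time (usecs) : 0
"""

FARM_RE = re.compile(r"^serverfarm\s*:\s*(\S+?),\s*type:\s*(\S+)")
RSERVER_RE = re.compile(r"^rserver:\s*(\S+)")
# address:port weight state current total failures
CONN_RE = re.compile(r"^(\S+):(\d+)\s+(\d+)\s+([A-Z][A-Z_-]*)\s+(\d+)\s+(\d+)\s+(\d+)$")
KV_RE = re.compile(r"^(method|samples|average response time \(usecs\))\s*:\s*(\S+)")


def parse_serverfarm_detail(text):
    """Return {farm: {"type", "method", "samples", "rservers": [...]}}."""
    farms, farm, rs = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FARM_RE.match(line)
        if m:
            farm = {"type": m.group(2), "method": None, "samples": None, "rservers": []}
            farms[m.group(1)] = farm
            rs = None
            continue
        if farm is None:
            continue                      # prompt or header before the first farm
        m = RSERVER_RE.match(line)
        if m:
            rs = {"name": m.group(1), "state": None, "avg_usecs": None}
            farm["rservers"].append(rs)
            continue
        m = CONN_RE.match(line)
        if m and rs is not None and rs["state"] is None:
            rs.update(address=m.group(1), port=int(m.group(2)), weight=int(m.group(3)),
                      state=m.group(4), current=int(m.group(5)),
                      total=int(m.group(6)), failures=int(m.group(7)))
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "method":
                farm["method"] = value
            elif key == "samples":
                farm["samples"] = int(value)
            elif rs is not None:
                rs["avg_usecs"] = int(value)   # text after the number is ignored
    return farms


def flag_rservers(farms, max_usecs):
    """Return (farm, rserver, reason) for servers that are down or too slow."""
    findings = []
    for farm_name, farm in farms.items():
        for rs in farm["rservers"]:
            if rs["state"] != "OPERATIONAL":
                findings.append((farm_name, rs["name"], "state %s" % rs["state"]))
            elif rs["avg_usecs"] is not None and rs["avg_usecs"] > max_usecs:
                findings.append((farm_name, rs["name"], "avg %d usecs" % rs["avg_usecs"]))
    return findings


if __name__ == "__main__":
    for finding in flag_rservers(parse_serverfarm_detail(SAMPLE), max_usecs=1000):
        print(finding)
```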
ACE with sticky http-cookies across two server farms issue
Hi,
We need the same sticky HTTP cookie to be applied to two server farms (which are actually the same servers but listening on different ports in each farm) to persist sessions to the same real backend server.
e.g.
Farm1 (front end HTTP service) - StickyGroup1
rserver1 - 192.168.0.1:80
rserver2 - 192.168.0.2:80
rserver3 - 192.168.0.3:80
Farm2 (SSL front end authentication service) - StickyGroup2
rserver1 - 192.168.0.1:443
rserver2 - 192.168.0.2:443
rserver3 - 192.168.0.3:443
We have setup two Sticky Groups (one for each of the farms above) both using the same cookie name e.g. cookieXYZ
Our service is behind a single virtual server configured as follows (example URL and addresses):
Virtual Server Configuration
Virtual server name: www.somedomain.com
Virtual IP: 2.2.2.2
TCP/443 (https)
SSL Termination - Proxy service name: www.somedomain.com (all keys and certs loaded and correct)
L7 Load Balancing - **inline** rule match HTTP URL:(/AuthenticateMe/).* Action : Sticky, Group: StickyGroup2, SSL Initiation enabled (www.somedomain.com)
Default L7 Load Balancing action : Sticky, Group: StickyGroup1
So normally we would expect users to first hit www.somedomain.com and therefore Farm1, get cookieXYZ from the ACE (cookie insert is only enabled on StickyGroup1) and then be redirected to www.somedomain.com/AuthenticateMe, which matches the inline URL L7 rule which directs the request at Farm2. At this point we expected the ACE to use cookieXYZ to persist the user to the same real server hit in Farm1, but instead the stickiness doesn't seem to work.
We suspect that the ACE uses IP:port as the unique value in the Cookie ID and therefore the ACE fails to match the same real host in a different farm because we are using a mix of port numbers across farms. Is this correct? Is there another way of accomplishing what we are after with a different configuration but still the same setup with single VIP and multiple services on the backend servers?
Any suggestions or solutions appreciated.
Thanks
Paul
The issue is related to the fact that it's not about persistence because there are only "new" services in the backend in SSL, you want to keep the IP address.
With a little bit of dev, the only way to achieve this is to redirect the user when he has been sent to http and adding a "tag" (cookie / token in the URL), then on the SSL virtual server, when performing SSL offload matching this tag to send the user to the right server. But it will be a 1-to-1 mapping. -
Access Server through VIP (ACE 4710) but very slow
Re: Access Server through VIP (ACE 4710) but very slow
Hi Shiva
Kindly help. Accessing the server is very slow. Please check my real configuration. This configuration is for the application server, and after this I have to configure more server farms for different servers like webmail etc. on this ACE 4710. I have only one ACE 4710.
ACE version A4(2.0): does this version support probes? Without a probe the server will work, but very slowly. Please also advise whether a NAT pool is required.
VIP :-- 172.16.15.8
LB/Admin# sh run
Generating configuration....
no ft auto-sync startup-config
logging enable
logging host 172.29.91.112 udp/514
resource-class RC1
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A4_2_0.bin
hostname LB
interface gigabitEthernet 1/1
description Management
speed 1000M
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
description clientside
switchport access vlan 30
no shutdown
interface gigabitEthernet 1/3
description serverside
switchport access vlan 31
no shutdown
interface gigabitEthernet 1/4
no shutdown
context Admin
description Management
member RC1
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http probe1
description health check
interval 5
passdetect interval 10
request method head
expect status 200 200
open 1
rserver redirect https_redirect
description redirect traffic to https
webhost-redirection / 302
inservice
rserver redirect maintenance_page
description maintenance page displayed
webhost-redirection /sry.html 301
inservice
rserver host web1
ip address 192.168.10.3
inservice
rserver host web2
ip address 192.168.10.4
inservice
rserver host web3
ip address 192.168.10.5
inservice
serverfarm host http
rserver web1
inservice
rserver web2
inservice
rserver web3
inservice
serverfarm redirect https_redirect_farm
description Redirect traffic to https
serverfarm redirect maintenance_farm
description send user to maintenance page
parameter-map type connection paramap_http
description parameter connection tcp
exceed-mss allow
sticky ip-netmask 255.255.255.0 address source Sticky_http
timeout activeconns
serverfarm http
class-map match-all REMOTE-ACCESS
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
class-map match-all slb-vip
2 match virtual-address 172.16.15.8 tcp eq www
policy-map type management first-match remote_access
class class-default
permit
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match slb
class class-default
serverfarm http
policy-map type inspect http all-match slb-vip-http
class class-default
permit
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply active
inspect http policy slb-vip-http
connection advanced-options paramap_http
interface vlan 30
description "Client Side"
ip address 172.16.15.24 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown
interface vlan 31
description "Server Side"
ip address 192.168.10.1 255.255.255.0
service-policy input remote_access
no shutdown
interface vlan 1000
description managment
ip address 172.29.91.110 255.255.255.0
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.15.1
snmp-server contact "PHQ"
snmp-server community phq group Network-Monitor
snmp-server trap-source vlan 1000
username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/ role Admin domain default-domain
username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR. role Admin domain default-domain
username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0 role Admin domain default-domain
ssh key rsa 1024 force
banner motd # "ro" #
Regards,
Prem
Hi Shiva,
Please guide me, I'm new to the ACE LB. Please also find my network design for connecting the ACE to the server. Server access is very, very slow, but when I connect through my old software server LB (with two interfaces), access is very fast. I just replaced my old server LB (with two interfaces) with the ACE 4710 and connected it in the same scenario, so why is the server not accessed smoothly through the VIP? Reply soon. I only connect the ACE's two interfaces to the switch.
Regards,
Prem -
ACE 4710 Probes on other servers than the real server
Hi,
I wanted to know if there is a means to configure a probe that is independent of the real servers.
The aim is to configure a probe on a real server but also probe another intermediate server which is not in the server farm.
The objective is to declare the real server down if its probe fails, but also if the probe to an intermediate server fails, as an OR condition.
From the document, there is no mention of it.
But is there a means to do it?
Thanks.
Hi Ashley,
I see it is not mentioned anywhere in the document, but I think you should be able to bind two probes with the real server, of which one probe is actually probing another server.
I would configure one probe, let's say TCP based, and bind it with the serverfarm. Then I would configure another probe, TCP based, and define an IP address in that probe (the other server IP which we need to probe) and bind this probe with the same serverfarm. The serverfarm will not have this rserver added. And then I would configure "fail-on-all" and test if that works for you.
I know you can set a probe on a redirect server/serverfarm which actually probes another real server, so logically it should work for a normal host rserver as well. But I have never tested it myself.
Regards,
Kanwal -
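The two-probe arrangement described in this reply, as an added ACE configuration sketch that is not from the original thread. The probe, rserver and farm names and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders, and the `!` lines are annotations rather than CLI input. With several probes on a server farm the ACE marks a real server down when any one probe fails; `fail-on-all` changes that to down only when every probe fails.

```cisco
! Probe 1: no "ip address" here, so it is sent to each real server in the farm.
probe tcp PROBE_RSERVER_TCP
  port 80
  interval 5
  passdetect interval 5

! Probe 2: "ip address" points the probe at the intermediate server
! (placeholder address), which is not an rserver in the farm.
probe tcp PROBE_INTERMEDIATE_TCP
  ip address 198.51.100.20
  port 80
  interval 5
  passdetect interval 5

rserver host APP1
  ip address 192.0.2.11
  inservice

serverfarm host APP_FARM
  probe PROBE_RSERVER_TCP
  probe PROBE_INTERMEDIATE_TCP
  ! As suggested in the reply. With this line the rserver goes down only
  ! when BOTH probes fail (AND). Leave it out for the default behaviour,
  ! where EITHER probe failing takes the rserver down (OR).
  fail-on-all
  rserver APP1
    inservice
```

`show probe detail` and `show serverfarm APP_FARM` show which probe failed and the resulting rserver state while testing either variant.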
ACE 4710 A3 outbound static NAT with Port redirection
Hi
I have asked this question before, but as I have not got far with it I am going to try to be more specific this time.
I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.
When I try to configure this:
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 23 vlan 99
I get the error: Error: Invalid real port configured for NAT static
Any ideas what it means anyone?
Right. Forget about the previous question. I have an update.
I get this output on show nat policies at the moment:
NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
ID:64 Static port translation
Real addr:172.21.7.11 Real port:26 Real interface:18
Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19
Netmask:255.255.255.255
where x.x.x.x - is the Public, external IP address on the ACE.
I need the traffic FROM the 172.21.7.11 server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the 172.21.7.11 server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.
Something is telling me I am looking at it from a wrong direction altogether.
This is the config I have at the moment:
access-list 130 line 20 extended permit ip any any
access-list Source_NAT line 10 extended permit tcp host 172.21.7.11 eq 26 any
class-map match-any Class_Port26
2 match access-list Source_NAT
policy-map multi-match Policy_Port26_Static
class Class_Port26
nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
interface vlan 107
ip address 172.21.7.2 255.255.255.240
peer ip address 172.21.7.1 255.255.255.240
access-group input 130
service-policy input Policy_Port26_Static
no shutdown
No server farms, no load balancing. Just that.
Any ideas? -
ACE 4710 - need help configuring backend server monitoring
Currently running an ACE 4710, which is handling all of our inbound SSL connections and then forwarding requests thru to backend web servers. This all works fine.
My question is this. Right now we are not load balancing any of the backend web servers. But I now have a requirement that should a web server crash or become unavailable I need to redirect that backend connection to another web server.
Scenario is more like I have 2 web servers both serving same content, but I want one server to take all the connections unless it fails, at that point have all the connections forwarded to 2nd server.
Is there a way to setup the load balancing where the 1st server gets all the connections until a failure happens ?
Any help would be appreciated.
Cheers
Dave
Hi Dave,
You can use the sorry-server or backup server feature. Details can be found at
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1000264 -
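A sketch of the backup-server arrangement this reply points to, added here and not taken from the thread or the linked guide. WEB1, WEB2, WEB_FARM, WEB_PROBE and the 192.0.2.x addresses are constructed placeholders, and the `!` lines are annotations rather than CLI input. WEB1 takes all connections; WEB2 stays in standby and receives them only while WEB1 is failed.

```cisco
! Health check that decides when WEB1 is considered failed.
probe http WEB_PROBE
  interval 10
  passdetect interval 5
  request method get url /
  expect status 200 299

rserver host WEB1
  ip address 192.0.2.11
  inservice
rserver host WEB2
  ip address 192.0.2.12
  inservice

serverfarm host WEB_FARM
  probe WEB_PROBE
  ! Primary: receives every connection while its probe passes.
  rserver WEB1
    backup-rserver WEB2
    inservice
  ! Backup: "standby" keeps it out of rotation until WEB1 is down.
  rserver WEB2
    inservice standby
```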
I have a SBS 2008 DC. I would like to be able to change the Folder Redirection to a different server. I also would like to be able to test with one user. I read on the forums that it is best to use the wizards for SBS2008. The only problem I have with using the wizards is that I am unable to test and I am also unable to use a network share for my redirection location.
Hi,
I am sure you would get some help from :
http://blogs.technet.com/b/sbs/archive/2010/10/08/folder-redirection-in-small-business-server-2008.aspx
https://social.technet.microsoft.com/Forums/en-US/448583ca-471e-4a0c-9d26-aa9181e73962/folder-redirection-changing-location?forum=smallbusinessserver
User setting can be found:
Windows SBS Console > Shared Folders and Web Sites > Shared Folders - in Tasks panel click on Redirect folders for user accounts to the server.
Under Folder Names Select folder(s) you want to redirect (e.g. Documents).
Under User Accounts select accounts you want to have folders redirected.
Click OK
Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.