ACE 4710 Redirect to Different Server Farm based on URL

I have a weblogic 11 serverfarm where I want to redirect to a different serverfarm based on the URL. I am able to do it and it appears to be working; however, I am having issues with the cookies. I seem to be getting logged out of our App when switching between the serverfarms. Is there any way to fix this issue? My configuration is below.
Thanks!
-Andy
Generating configuration....
crypto chaingroup WWW-PROD-CHAINGROUP
  cert AddTrustExternalCARoot.crt
  cert COMODOHigh-AssuranceSecureServerCA.crt
access-list allow line 8 extended permit ip any any 
probe http HTTP_PROBE
  port 7001
  interval 10
  passdetect interval 5
  request method get url /login.jsp
  expect status 200 299
  connection term forced
probe icmp PROBE_SERVICE_ICMP
  interval 5
  passdetect interval 5
  receive 5
probe tcp TCP7001_PROBE
  port 7005
  interval 5
  passdetect interval 5
  receive 3
  connection term forced
  open 2
rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://%h%p 301
  inservice
rserver host WLS11Host1
  ip address 192.168.211.250
  inservice
rserver host WLS11Host2
  ip address 192.168.211.14
  inservice
serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-HTTPS
    inservice
serverfarm host SPEND-FARM
  probe HTTP_PROBE
  rserver WLS11Host1 7001
    inservice
serverfarm host WLS11FARM
  probe HTTP_PROBE
  rserver WLS11Host2 7001
    inservice
parameter-map type http HTTP-PARM
  persistence-rebalance
  set secondary-cookie-start none
parameter-map type http PARSE
  persistence-rebalance
  set header-maxparse-length 8192
  length-exceed continue
parameter-map type ssl SSL_MAP
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
  cookie insert browser-expire
  serverfarm WLS11FARM
  replicate sticky
sticky http-cookie ACE-COOKIE-SPEND SPEND_STICKY
  cookie insert browser-expire
  serverfarm SPEND-FARM
  replicate sticky
ssl-proxy service WWW-PROD-SSLPROXY
  key client_ssl.pem
  cert pastar.crt
  chaingroup WWW-PROD-CHAINGROUP
  ssl advanced-options SSL_MAP
class-map type http loadbalance match-any HTTP-MARKETING
  2 match http url /index.html
class-map type http loadbalance match-any HTTPS-SPEND
  2 match http url /spend/.*
class-map type http loadbalance match-any L5
  2 match http url /.*
class-map match-all WLS-7001-CLASS
  2 match virtual-address 192.168.215.28 tcp eq www
class-map match-all WLS11-HTTPS-CLASS
  2 match virtual-address 192.168.215.28 tcp eq https
policy-map type loadbalance first-match HTTPS
  class HTTPS-SPEND
    sticky-serverfarm SPEND_STICKY
    insert-http x-forward header-value "%is"
  class L5
    sticky-serverfarm 7001_STICKY
    insert-http x-forward header-value "%is"
policy-map type loadbalance first-match WLS11-7001-Policy
  class HTTP-MARKETING
    sticky-serverfarm 7001_STICKY
    insert-http x-forward header-value "%is"
  class HTTPS-SPEND
    serverfarm REDIRECT-SERVERFARM
  class L5
    serverfarm REDIRECT-SERVERFARM
policy-map multi-match WLS11-SLB
  class WLS-7001-CLASS
    loadbalance vip inservice
    loadbalance policy WLS11-7001-Policy
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1000
    appl-parameter http advanced-options HTTP-PARM
  class WLS11-HTTPS-CLASS
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1000
    appl-parameter http advanced-options PARSE
    ssl-proxy server WWW-PROD-SSLPROXY
interface vlan 1000
  ip address 192.168.215.27 255.255.255.0
  access-group input allow
  nat-pool 1 192.168.215.28 192.168.215.28 netmask 255.255.255.255 pat
  service-policy input WLS11-SLB
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.215.1
snmp-server community poweradvocaterw group Network-Monitor

Hi,
So when you come with "http url /index.html", you go to "sticky-serverfarm 7001_STICKY" and ACE must be inserting sticky "ACE_COOKIE-7001". Now when you get redirected because you match "HTTPS-Spend", ACE will loadbalance the request, which will now come on HTTPS, and insert sticky "ACE-COOKIE-SPEND". That's why I guess you see two sticky entries. Now I guess ACE will keep the connection to servers in "sticky-serverfarm SPEND_STICKY", or you see that ACE is not doing the same, or you expected the ACE to send the request to "sticky-serverfarm 7001_STICKY" even though it matches the HTTPS-Spend class-map condition?
Regards,
Kanwal
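
Added example, not part of the original thread: a small Python model of the first-match evaluation described in the reply above, run over the serverfarm, sticky, class-map and policy-map stanzas from the posted configuration. It assumes ACE URL expressions behave like Python regular expressions anchored at both ends; the function names and the request sequence are constructed for illustration.

```python
import re

# Excerpt of the configuration posted above (probe, inservice and insert-http lines omitted).
CONFIG = """\
serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-HTTPS
serverfarm host SPEND-FARM
  rserver WLS11Host1 7001
serverfarm host WLS11FARM
  rserver WLS11Host2 7001
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
  cookie insert browser-expire
  serverfarm WLS11FARM
sticky http-cookie ACE-COOKIE-SPEND SPEND_STICKY
  cookie insert browser-expire
  serverfarm SPEND-FARM
class-map type http loadbalance match-any HTTP-MARKETING
  2 match http url /index.html
class-map type http loadbalance match-any HTTPS-SPEND
  2 match http url /spend/.*
class-map type http loadbalance match-any L5
  2 match http url /.*
policy-map type loadbalance first-match HTTPS
  class HTTPS-SPEND
    sticky-serverfarm SPEND_STICKY
  class L5
    sticky-serverfarm 7001_STICKY
policy-map type loadbalance first-match WLS11-7001-Policy
  class HTTP-MARKETING
    sticky-serverfarm 7001_STICKY
  class HTTPS-SPEND
    serverfarm REDIRECT-SERVERFARM
  class L5
    serverfarm REDIRECT-SERVERFARM
"""

def parse(config):
    """Collect serverfarms, sticky groups, L7 class-maps and L7 policy-maps."""
    farms, stickies, classes, policies = {}, {}, {}, {}
    kind = name = cls = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):                  # a new top-level stanza
            kind, name, cls = words[0], words[-1], None
            if kind == "serverfarm":
                farms[name] = []
            elif kind == "sticky":                   # sticky http-cookie <cookie> <group>
                stickies[name] = {"cookie": words[2], "farm": None}
            elif kind == "class-map":
                classes[name] = []
            elif kind == "policy-map":
                policies[name] = []
        elif kind == "serverfarm" and words[0] == "rserver":
            farms[name].append(words[1])
        elif kind == "sticky" and words[0] == "serverfarm":
            stickies[name]["farm"] = words[1]
        elif kind == "class-map" and words[1:4] == ["match", "http", "url"]:
            classes[name].append(words[4])
        elif kind == "policy-map" and words[0] == "class":
            cls = {"class": words[1], "action": None, "target": None}
            policies[name].append(cls)
        elif kind == "policy-map" and cls and words[0] in ("serverfarm", "sticky-serverfarm"):
            cls["action"], cls["target"] = words[0], words[1]
    return farms, stickies, classes, policies

def resolve(parsed, policy, url):
    """Return the first class in `policy` whose URL expression matches, with its farm and cookie."""
    farms, stickies, classes, policies = parsed
    for entry in policies[policy]:                   # first-match: order in the policy-map decides
        # Assumption: ACE URL expressions approximated by anchored Python regexes.
        if any(re.fullmatch(expr, url) for expr in classes[entry["class"]]):
            farm, cookie = entry["target"], None
            if entry["action"] == "sticky-serverfarm":
                group = stickies[entry["target"]]
                farm, cookie = group["farm"], group["cookie"]
            return {"class": entry["class"], "farm": farm,
                    "cookie": cookie, "rservers": farms[farm]}
    return None

def trace(parsed, requests):
    """Follow one browser through (policy, url) requests; return per-request rows and cookie names seen."""
    jar, rows = set(), []
    for policy, url in requests:
        hit = resolve(parsed, policy, url)
        if hit is None:
            rows.append((policy, url, None, None))
            continue
        if hit["cookie"]:
            jar.add(hit["cookie"])
        rows.append((policy, url, hit["class"], hit["rservers"][0]))
    return rows, jar

PARSED = parse(CONFIG)
# Constructed request sequence: HTTP landing page, HTTP /spend/ hit, then two HTTPS requests.
WALK = [("WLS11-7001-Policy", "/index.html"), ("WLS11-7001-Policy", "/spend/home"),
        ("HTTPS", "/spend/home"), ("HTTPS", "/login.jsp")]

if __name__ == "__main__":
    rows, jar = trace(PARSED, WALK)
    for row in rows:
        print("%-18s %-12s class=%-14s rserver=%s" % row)
    print("sticky cookies inserted:", sorted(jar))
```

With the posted configuration, HTTPS requests under /spend/ resolve to WLS11Host1 with ACE-COOKIE-SPEND, and every other HTTPS URL resolves to WLS11Host2 with ACE_COOKIE-7001.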

Similar Messages

  • Can a real Server be applied in two different server farms associated with two different VIP IP and TCP Port

    Good day everyone,
    I have a question in regard to real server operation with different server farms and VIPs.
    Can a Real Server be associated (for simplicity) with two different Server Farms that have a VIP associated with each, servicing the same TCP Port (443)?
    Example:
    SF-A
    RSRV-1: 192.168.1.10 /24
    RSRV-2: 192.168.1.11 /24
    VIP-A: 192.168.1.20 /24
    VIP-A: https:web-A
    Protocol: HTTPS
    SF-B
    RSRV-2: 192.168.1.11 /24
    RSRV-3: 192.168.1.12 /24
    VIP-B: 192.168.1.30 /24
    VIP-b: https:web-B
    Protocol: HTTPS
    Client-A: 172.16.128.10
    Client-B: 172.16.128.15
    I have attached a sketch depicting the connectivity.
    As always any feedback/Suggestions will be greatly appreciated.
    Cheers,
    Raman Azizian

    Raman,
    This type of config is no problem. What the server is doing is virtual web hosting. The server would have two different web services running for the same IP, but each listening for a unique host header.
    From an IP point of view both connections would be destined to the rserver address on port 80, but in the http header they would have two different Host headers.
    One for www.example1.com and the second for www.example2.com. If the web server is configured correctly so each host name is tied to one web service, it will not have any issues.
    The config you attached looks ok. The way you have the sticky group is ok doing source IP. If you use cookies for the sticky group I would suggest you create two sticky groups each with a different cookie name and add the same serverfarm to both groups. The client will only send a cookie for the domain it received it from so using the same cookie in two vips could cause problems if the same client hits both vips.
    Hope that helps
    Regards
    Jim

  • ACE 4710 Redirection based on incoming Spanish Language

    I have a customer that wants to redirect incoming traffic to a different url or host based on the end users language. Spanish in particular. What is the best way to accomplish this task with the least amount of issues.
    Stan

    If you capture a sniffer trace of any HTTP traffic, you will see that every request contains a line like this :
    "Accept-Language: de"
    So, in this example the request contains information that the browser accepts German (DE).
    If you sniff a request from a Spanish browser, you should see a similar line with the "SP" letters.
    Then with ACE, you can match those requests with a class-map like below :
    AceC6k2/Admin(config)# class-map type http load Spanish
    AceC6k2/Admin(config-cmap-http-lb)# match http heade Accept-Language header-value sp
    AceC6k2/Admin(config-cmap-http-lb)#
    Then inside your policy-map you can use this class-map to differentiate Spanish requests from the others.
    policy-map type
    AceC6k2/Admin(config)# policy-map type loadbalance http first-match Web
    AceC6k2/Admin(config-pmap-lb)#
    AceC6k2/Admin(config-pmap-lb)# class Spanish
    <.....do something here for spanish browsers .....>
    AceC6k2/Admin(config-pmap-lb)# class class-default
    <..... do something here for the other browsers ......>
    gilles.

  • ACE working with IronPort WSA server farm

    We have an ACE load balancing a group of Ironport WSA. The WSA are working with the feature IP Spoofing, then the request to WWW has the source ip address of the WSA client and not the WSA itself.
    We follow the document behind, but it is not working. When the packet comes from the Internet having as destination address the WSA client address, the ACE cannot deliver the packet even with the mac-sticky configured.
    I read in another forum that ACE needs to have in its arp table or route table the destination IP address to be able to deal with the packet by the encapid.
    But we don't have this entry in the arp table.
    When we configure the WSA with IP spoofing and the source ip address is the WSA itself the configuration works fine.
    Has anyone had this kind of problem on some occasion?
    Thank you,
    Everaldo

    Hi Jorge,
    The behavior is when we have IP Spoofing configured in the WSAs, the connection is not established. The ACE establishes the connection with the client but the connection with Internet is not established. I captured the packets that arrive in the ACE coming from Internet and I see SYN packets with source address as a public IP (Google) and the destination address as the internal client IP address with no ACK just RST.
    With no IP Spoofing, meaning that the source IP address is the WSA, the connection is established with no RST.
    The output of the commands follows:
    show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail
    Status     : ACTIVE
    Description: -----------------------------------------
    Interface: vlan 304
      service-policy: WSA-VIPS
        class: WSA_VIP_TCP_3128
         VIP Address:                              Protocol:  Port:
         10.10.193.25                              tcp    eq   3128
          loadbalance:
            L7 loadbalance policy: WSA-POLICY
            VIP Route Metric     : 77
            VIP Route Advertise  : ENABLED-WHEN-ACTIVE
            VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: DISABLED
            curr conns       : 3         , hit count        : 1260
            dropped conns    : 4
            conns per second    : 0
            client pkt count : 19271     , client byte count: 2326106
            server pkt count : 26140     , server byte count: 16572023
            conn-rate-limit      : 0         , drop-count : 0
            bandwidth-rate-limit : 0         , drop-count : 0
            L7 Loadbalance policy : WSA-POLICY
              class/match : class-default
                LB action :
                   primary serverfarm: WSA_FARM
                        state: UP
                    backup serverfarm : -
                hit count        : 1260
                dropped conns    : 0
                compression      : off
          compression:
            bytes_in  : 0                          bytes_out : 0
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0
            Content size: 0               Content type       : 0
            Not HTTP 1.1: 0               HTTP response error: 0
            Others      : 0
    switch/WSA# show probe WSA_TCP_3128
    probe       : WSA_TCP_3128
    type        : TCP
    state       : ACTIVE
       port      : 3128         address   : 0.0.0.0
       addr type : -            interval  : 5       pass intvl  : 10
       pass count: 3            fail count: 30      recv timeout: 10
                    ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       serverfarm  : WSA_FARM
         real      : WSA-01[0]
         real      : WSA-02[0]
                              10.10.193.37 3128 PROBE   15076  72     15004  SUCCESS
         real      : WSA-03[0]
         real      : WSA-04[0]
         real      : WSA-05[0]
         real      : WSA-06[0]
         real      : WSA-07[0]
         real      : WSA-08[0]
         real      : WSA-09[0]
         real      : WSA-10[0]
    switch/WSA# show probe WSA_TCP_3128 detail
    probe       : WSA_TCP_3128
    type        : TCP
    state       : ACTIVE
    description :
       port      : 3128         address   : 0.0.0.0
       addr type : -            interval  : 5       pass intvl  : 10
       pass count: 3            fail count: 30      recv timeout: 10
       conn termination : FORCED
       expect offset    : 0         , open timeout     : 3
       expect regex     : -
       send data        : -
                    ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       serverfarm  : WSA_FARM
         real      : WSA-01[0]
         real      : WSA-02[0]
                              10.10.193.37 3128 PROBE   15088  72     15016  SUCCESS
       Socket state        : CLOSED
       No. Passed states   : 2         No. Failed states : 1
       No. Probes skipped  : 0         Last status code  : 0
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err :  -
       Last probe time     : Mon Sep  3 21:06:47 2012
       Last fail time      : Mon Sep  3 20:45:05 2012
       Last active time    : Mon Sep  3 20:45:57 2012
         real      : WSA-03[0]
         real      : WSA-04[0]
         real      : WSA-05[0]
         real      : WSA-06[0]
         real      : WSA-07[0]
         real      : WSA-08[0]
         real      : WSA-09[0]
         real      : WSA-10[0]
    Thank you,
    Everaldo

  • VIP still reachable even if primary server farm is down

    Hi,
    I want to make sure that a VIP is not PING-able anymore when the primary server farm is down (all servers are down).
    For that I have the following configuration :
    serverfarm host NCL_FARM_TEST
      probe NCL_PROBE_HTTP
      rserver CHPAUN028 443
        inservice
    policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
      description *** Load balancing rule for test in http mode ***
      class L7_CLASS_TEST
        serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
        compress default-method gzip
        insert-http Source-IP header-value "%is"
        insert-http Remote-Port header-value "%pd"
        ssl-proxy client NCL_SSL_CLIENT
    policy-map multi-match VIP_PROD_AND_TEST
      class L4_CLASS_NCL_TEST_HTTP
        loadbalance vip inservice
        loadbalance policy L7_POLICY_NCL_TEST_HTTP
        loadbalance vip icmp-reply active primary-inservice
        nat dynamic 2 vlan 115
        appl-parameter http advanced-options NCL_HTTP_PARAM
    While testing this feature, I realize that the VIP is still reachable (PING), even if the server in the farm is in PROBE_FAILED status (for the test, I have only one rserver in the farm).
    Here is the server farm status, while PING is still possible :
    CH01AC03/P-115-A# sh serverfarm NCL_FARM_TEST detail
    serverfarm : NCL_FARM_TEST, type: HOST
    total rservers : 1
    active rservers: 0
    description : *** Test Server Farm ***
    state : INACTIVE
    predictor : ROUNDROBIN
    failaction : -
    back-inservice : 0
    partial-threshold : 0
    num times failover : 27
    num times back inservice : 28
    total conn-dropcount : 0
    Probe(s) :
    NCL_PROBE_HTTP, type = HTTP
    ----------connections-----------
    real weight state current total failures
    ---+---------------------+------+------------+----------+----------+---------
    rserver: CHPAUN028
    10.240.3.128:443 8 PROBE-FAILED 0 609 8
    description : -
    max-conns : - , out-of-rotation count : -
    min-conns : -
    conn-rate-limit : - , out-of-rotation count : -
    bandwidth-rate-limit : - , out-of-rotation count : -
    retcode out-of-rotation count : -
    In the documentation, regarding the command "vip loadbalance icmp-reply active primary-inservice", it is stated that the ACE should discard ping packets if all servers in the primary server farm are down.
    I probably missed something, but what ?
    Here is the service-policy status :
    Policy-map : VIP_PROD_AND_TEST
    Status : ACTIVE
    Interface: vlan 1 115
    class: L4_CLASS_NCL_TEST_HTTP
    nat:
    nat dynamic 2 vlan 115
    curr conns : 0 , hit count : 56
    dropped conns : 0
    client pkt count : 809 , client byte count: 231750
    server pkt count : 1262 , server byte count: 1375334
    conn-rate-limit : 0 , drop-count : 0
    bandwidth-rate-limit : 0 , drop-count : 0
    loadbalance:
    L7 loadbalance policy: L7_POLICY_NCL_TEST_HTTP
    VIP ICMP Reply : ENABLED-WHEN-PRIMARY-SF-UP
    VIP State: INSERVICE
    Persistence Rebalance: ENABLED
    curr conns : 0 , hit count : 56
    dropped conns : 0
    client pkt count : 809 , client byte count: 231750
    server pkt count : 1262 , server byte count: 1375334
    conn-rate-limit : 0 , drop-count : 0
    bandwidth-rate-limit : 0 , drop-count : 0
    compression:
    bytes_in : 1052393
    bytes_out : 309229
    Compression ratio : 70.61%
    Parameter-map(s):
    NCL_HTTP_PARAM
    Thank you for any hints,
    Yves Haemmerli

    Gilles,
    I have effectively four different policy maps:
    - one for PROD when the client arrives with HTTP
    - one for PROD when the client arrives with HTTPS
    - one for TEST when the client arrives with HTTP
    - one for TEST when the client arrives with HTTPS
    However, the PROD and the TEST environments use different server farms. I am testing the icmp-reply feature on the TEST environment. In the TEST environment, both Layer-7 policy maps use the same server farm.
    Here are the four policy maps:
    policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTP
      description *** Load balancing rule for production in http mode ***
      class L7_CLASS_PROD
        serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
        insert-http Source-IP header-value "%is"
        insert-http Remote-Port header-value "%pd"
        ssl-proxy client NCL_SSL_CLIENT
      class L7_CLASS_REDIRECT
        serverfarm NCL_REDIRECT_FARM_PROD_HTTP
    policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTPS
      description *** Load balancing rule for production in https mode ***
      class L7_CLASS_PROD
        serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
        insert-http Source-IP header-value "%is"
        insert-http Remote-Port header-value "%pd"
        ssl-proxy client NCL_SSL_CLIENT
      class L7_CLASS_REDIRECT
        serverfarm NCL_REDIRECT_FARM_PROD_HTTPS
    policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
      description *** Load balancing rule for test in http mode ***
      class L7_CLASS_TEST
        serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
        compress default-method gzip
        insert-http Source-IP header-value "%is"
        insert-http Remote-Port header-value "%pd"
        ssl-proxy client NCL_SSL_CLIENT
      class L7_CLASS_REDIRECT
        serverfarm NCL_REDIRECT_FARM_TEST_HTTP
    policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTPS
      description *** Load balancing rule for test in https mode ***
      class L7_CLASS_TEST
        serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
        insert-http Source-IP header-value "%is"
        insert-http Remote-Port header-value "%pd"
        ssl-proxy client NCL_SSL_CLIENT
      class L7_CLASS_REDIRECT
        serverfarm NCL_REDIRECT_FARM_TEST_HTTPS
    Yves

  • ACE 4710 how to direct traffic by source ip

    I would like to know in the simplest terms how to use the source ip of the request to direct traffic to 2 different server farms.
    One ip address source range to one server farm and all other ip address sources to another server farm.

    Good morning,
    It is possible to match the source IP of the client as a parameter for L7 class-map. See the link below for more details.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/classlb.html#wp1117372
    For your setup, you could just create two different class-maps (one for each source range) mapped to two different serverfarms.
    I hope this helps
    Daniel

  • Server 2012 R2 essentials url rewrite to exchange 2013 breaks remote web workplace

    Hi all
    Have a server 2012 r2 with essentials experience installed and an exchange 2013 sp1 on a member server.
    I have 2 certificates
    remote.domain.com for the essentials rww
    mail.domain.com for exchange owa
    I have added the administrator account to enterprise admins and have joined the exchange server with the essentials connector, so it appears on the dashboard.
    Both certificates are installed correctly.
    I have installed ARR 3.0 and created a serverfarm mail.domain.com and accepted that it created url rewrite for me.
    Server farm does not have ssl offload enabled.
    The url rewrite is setup like this:
    Requested url: matches pattern, Using: Wildcards, Pattern *
    Conditions: Match All, Input: HTTPS, Type: Matches the pattern, Pattern: ON
    Action: Route to server farm
    Scheme: https://, Server farm: mail.domain.com, Path: /{R:0}
    Stop processing of subsequent rules: checked
    Now pointing protocol 443 to the IP of the essentials server and navigating to https://mail.domain.com/owa brings the owa logon page with my trusted server certificate and all.
    Everything works fine.
    If I then navigate to https://remote.domain.com/remote then the webpage should show the login to the essentials remote web workplace. 
    But instead it shows a somewhat crippled version, like forms and pictures missing, and it is obviously not working.
    Trying to troubleshoot, I changed the url rewrite from wildcards to exact match and put owa into the pattern field.
    Then my remote web workplace showed up correctly with the matching certificate and all was fine.
    But now owa shows a 404 directory not found.
    I guess I need some help on this.
    Somehow that server farm and the url rewrite, messes up my default website, with the remote site.
    Much appreciated...
    \Lars

    Lars,
    RE-Run the WSE wizard to reset the Internet settings.
    Remove ARR and URLReWrite.
    Once removed reboot.
    Install ARR and URLReWrite again by downloading.
    Do NOT configure any farm settings.
    Use the ARRConfig utility that comes with WSE:
    http://technet.microsoft.com/en-us/library/jj200172.aspx
    That TN page explains how to run the utility. Make sure you have exported the mail certificate including Public Key and Extended Properties first.
    Philip Elder Microsoft Cluster MVP Blog: http://blog.mpecsinc.ca

  • ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?

    Hello all, I'm new to the ACE 4710 and need to know some details about stickiness.
    As background, we are a small company with a SaaS product and a pair of webservers.
    I have set up the loadbalancing default L7 Load-balancing rule to sticky based on a Cookie based Sticky Group.
    That seems to be working and session traffic is sticking to a server during the user's session.
    Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
    I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
    As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work with little to no training on this hardware and no budget at this point to pay someone else for configuration and setup.
    I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
    Hopefully this request makes sense.
    Thanks,
    Mark Steeves.

    Daniel,
    Thanks for the reply, but I cannot reach the URL you included.  It gives me a 403.
    Therefore, without reading the article, I wanted to ask if the proper setup would be:
    1. Default L7 load-balancing action: Primary action: Sticky: Sticky Group using
    Type = HTTP Header: Header name = Host
    2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
    Using this setting in testing, it looks like all the traffic keeps going to 1 server only.  Granted there is not much traffic to the servers, but I have 2 different URLs being tested: url1.ourdomain.com & url2.ourdomain.com
    If you have another link for the above document, please let me know.
    Thanks,
    Mark Steeves.

  • ACE 4710: Find out the response time of a real server

    Hi to everyone,
    I have a couple of ACE 4710 and I need to find out what is the response time of a real server.
    Is there a way for this?
    Thank you for any answer!
      giorgio romano

    Hi,
    Kindly add the following line in your serverfarm configuration:
    predictor response syn-to-synack
    Suppose your serverfarm looks like this:
    serverfarm host AAA_FARM
      predictor response syn-to-synack
      probe HTTP_PROBE
      probe TCP9001_PROBE
      rserver SC106
        inservice
      rserver SC107
        inservice
      rserver SC108
        inservice
      rserver SC109
        inservice
      rserver SC110
        inservice
      rserver SC111
        inservice
      rserver SC112
        inservice
      rserver SC113
        inservice
      rserver SC114
        inservice
      rserver SC120
        inservice
      rserver SC131
        inservice
    And then use the following command to see the average response time from your rserver as follows:
    ACE1/prod# show serverfarm AAA_FARM detail
    serverfarm     : AAA_FARM, type: HOST
    total rservers : 11
    active rservers: 11
    description    : ServerFarm AAA
    state          : ACTIVE
    predictor      : RESPONSE
    method            : syn-to-synack
    samples           : 8
    failaction     : -
    back-inservice    : 0
    partial-threshold : 0
    num times failover       : 0
    num times back inservice : 0
    total conn-dropcount : 0
    Probe(s) :
    HTTP_PROBE,  type = HTTP
    TCP9001_PROBE,  type = TCP
    ----------connections-----------
    real                  weight state        current    total      failures
    ---+---------------------+------+------------+----------+----------+---------
    rserver: SC106
    x.x.x.x.:0        8      OPERATIONAL  2          1125       0
    max-conns            : 4000000   , out-of-rotation count : 0
    min-conns            : 4000000
    conn-rate-limit      : -         , out-of-rotation count : -
    bandwidth-rate-limit : -         , out-of-rotation count : -
    retcode out-of-rotation count : -
    load value           : 0
    average response time (usecs) : 81   ----> thats what you might be looking for
    From other day :
    rserver: SC114
    x.x.x.x:0        8      OPERATIONAL  70         10903      2
    max-conns            : 4000000   , out-of-rotation count : 0
    min-conns            : 4000000
    conn-rate-limit      : -         , out-of-rotation count : -
    bandwidth-rate-limit : -         , out-of-rotation count : -
    retcode out-of-rotation count : -
    load value           : 0
             average response time (usecs) : 1334                       ----> thats what you might be looking for
    For Serverfarm BBB_FARM
    serverfarm     : BBB_FARM, type: HOST
    total rservers : 1
    active rservers: 1
    description    : ServerFarm BBB
    state          : ACTIVE
    predictor      : RESPONSE
    method            : syn-to-synack
    samples           : 8
    failaction     : -
    back-inservice    : 0
    partial-threshold : 0
    num times failover       : 1
    num times back inservice : 1
    total conn-dropcount : 0
    Probe(s) :
    ----------connections-----------
    real                  weight state        current    total      failures
    ---+---------------------+------+------------+----------+----------+---------
    rserver: SC208
    x.x.x.x:0        8      OPERATIONAL  0          0          0
    max-conns            : 4000000   , out-of-rotation count : 0
    min-conns            : 4000000
    conn-rate-limit      : -         , out-of-rotation count : -
    bandwidth-rate-limit : -         , out-of-rotation count : -
    retcode out-of-rotation count : -
    load value           : 0
             average response time (usecs) : 0   ----> thats what you might be looking for
    For more details on the response predictor:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1068831
    Configuring the Application Response Predictor
    To instruct the ACE to select the server with the lowest average response time for the specified response-time measurement based on the current connection count and server weight (if configured), use the predictor response command in server farm host or redirect configuration mode. This predictor is considered adaptive because the ACE continuously provides feedback to the load-balancing algorithm based on the behavior of the real server.
    To select the appropriate server, the ACE measures the absolute response time for each server in the server farm and averages the result over a specified number of samples (if configured). With the default weight connection option configured, the ACE also takes into account the server's average response time and current connection count. This calculation results in a connection distribution that is proportional to the average response time of the server.
    The syntax of this command is as follows:
    predictor response {app-req-to-resp | syn-to-close | syn-to-synack}[samples number]
    The keywords and arguments are as follows:
    •app-request-to-resp—Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.
    •syn-to-close—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
    •syn-to-synack—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server.
    •samples number—(Optional) Specifies the number of samples over which you want to average the results of the response time measurement. Enter an integer from 1 to 16 in powers of 2. Valid values are 1, 2, 4, 8, and 16. The default is 8.
    For example, to configure the response predictor to load balance a request based on the response time from when the ACE sends an HTTP request to a server to when the ACE receives a response back from the server and average the results over four samples, enter:
    host1/Admin(config)# serverfarm SFARM1
    host1/Admin(config-sfarm-host)# predictor response app-req-to-resp samples 4
    To reset the predictor method to the default of round-robin, enter:
    host1/Admin(config-sfarm-host)# no predictor
    To configure an additional parameter to take into account the current connection count of the servers in a server farm, use the weight connection command in server farm host predictor configuration mode. By default, this command is enabled. The syntax of this command is as follows:
    weight connection
    For example, enter:
    host1/Admin(config)# serverfarm SF1
    host1/Admin(config-sfarm-host)# predictor response app-req-to-resp samples 4
    host1/Admin(config-sfarm-host-predictor)# weight connection
    To remove the current connection count from the calculation of the average server response time, enter:
    host1/Admin(config-sfarm-host-predictor)# no weight connection
    You can use the threshold milliseconds parameter, which is optional. It specifies the required minimum average response time for a server. If the server response time is greater than the specified threshold value, the ACE removes the server from the load-balancing decision process (takes the server out of service).
    Enter an integer from 1 to 300000 milliseconds (5 minutes). The default is no threshold (servers are not taken out of service).
    If you have to measure the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server, use syn-to-close (already discussed previously).
    If you have to measure the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server, use syn-to-synack (already discussed previously).
    The SAMPLES parameter is optional and specifies the number of samples that you want to average from the results of the response time measurement, and the response time is used to select the server with the lowest response time for the requested response-time measurement. If you do not specify a response-time measurement method, the ACE uses the HTTP app-req-to-response method.
    Whenever a server's load reaches zero, by default, the ACE uses the autoadjust feature to assign a maximum load value of 16000 to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options.
    Using the least-loaded predictor with the configured server weight and the current connection count option enabled, the ACE calculates the final load of a real server as follows:
    final load = weighted load × static weight × current connection count
    where:
    •weighted load is the load reported by the SNMP probe
    •static weight is the configured weight of the real server
    •current connection count is the total number of active connections to the real server
    The ACE recalculates the final load whenever the connection count changes, provided that the (config-sfarm-host-predictor) weight connection command is configured. If the (config-sfarm-host-predictor) weight connection command is not configured, the ACE updates the final load when the next load update arrives from the SNMP probe.
    If two servers have the same lowest load (either zero or nonzero), the ACE load balances the connections between the two servers in a round-robin manner.
    HTH
    Please rate if you find it useful.
    Sachin
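
An added example, not part of the thread above or of Cisco's documentation: a Python parser for the `show serverfarm ... detail` output quoted in the reply, which extracts each rserver's average response time and compares it with a threshold. The sample text is constructed in the same layout with documentation addresses; the 1 ms threshold and the reading of a zero average with zero total connections as "no samples" are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of the output quoted above.
# Addresses are RFC 5737 documentation placeholders, not real servers.
SAMPLE = """\
serverfarm     : AAA_FARM, type: HOST
total rservers : 2
predictor      : RESPONSE
  method            : syn-to-synack
  samples           : 8
   rserver: SC106
       192.0.2.10:0        8      OPERATIONAL  2          1125       0
         max-conns            : 4000000   , out-of-rotation count : 0
         load value           : 0
         average response time (usecs) : 81
   rserver: SC114
       192.0.2.14:0        8      OPERATIONAL  70         10903      2
         load value           : 0
         average response time (usecs) : 1334   ----> pasted annotation
serverfarm     : BBB_FARM, type: HOST
predictor      : RESPONSE
  method            : syn-to-synack
   rserver: SC208
       192.0.2.20:0        8      OPERATIONAL  0          0          0
         average response time (usecs) : 0
"""

@dataclass
class RserverStat:
    farm: str
    method: Optional[str]          # response-time measurement method of the farm
    name: str
    state: str = ""
    current: int = 0
    total: int = 0
    failures: int = 0
    avg_usecs: Optional[int] = None

FARM_RE = re.compile(r"^serverfarm\s*:\s*([^,\s]+),\s*type:\s*(\S+)")
METHOD_RE = re.compile(r"^method\s*:\s*(\S+)")
RSERVER_RE = re.compile(r"^rserver:\s*(\S+)")
# ip:port  weight  state  current  total  failures
CONN_RE = re.compile(r"^\S+:\d+\s+(\d+)\s+([A-Z-]+)\s+(\d+)\s+(\d+)\s+(\d+)")
AVG_RE = re.compile(r"^average response time \(usecs\)\s*:\s*(\d+)")

def parse(text):
    """Return one RserverStat per 'rserver:' block, in order of appearance."""
    stats, farm, method, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()         # pasted output often loses its indentation
        if m := FARM_RE.match(line):
            farm, method, cur = m.group(1), None, None
        elif m := METHOD_RE.match(line):
            method = m.group(1)
        elif m := RSERVER_RE.match(line):
            cur = RserverStat(farm or "?", method, m.group(1))
            stats.append(cur)
        elif cur is not None and (m := CONN_RE.match(line)):
            cur.state = m.group(2)
            cur.current, cur.total, cur.failures = map(int, m.group(3, 4, 5))
        elif cur is not None and (m := AVG_RE.match(line)):
            cur.avg_usecs = int(m.group(1))   # trailing annotations are ignored
    return stats

def classify(stat, threshold_ms):
    """The CLI reports microseconds; the threshold parameter is in milliseconds."""
    if stat.avg_usecs is None:
        return "no-data"
    if stat.total == 0:
        return "no-samples"        # assumption: 0 usecs with 0 connections is not "fast"
    return "slow" if stat.avg_usecs > threshold_ms * 1000 else "ok"

def report(text, threshold_ms=1):
    return {f"{s.farm}/{s.name}": (s.avg_usecs, classify(s, threshold_ms))
            for s in parse(text)}

if __name__ == "__main__":
    for key, (avg, verdict) in report(SAMPLE).items():
        print(f"{key:20} {avg!s:>8} usecs  {verdict}")
```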

  • ACE with sticky http-cookies across two server farms issue

    Hi,
    We need the same sticky http cookie to be applied to two server farms (which are actually the same servers but listening on different ports in each farm) to persist sessions to the same real backend server.
    e.g.
    Farm1 (front end HTTP service) - StickyGroup1
    rserver1 - 192.168.0.1:80
    rserver2 - 192.168.0.2:80
    rserver3 - 192.168.0.3:80
    Farm2 (SSL front end authentication service) - StickyGroup2
    rserver1 - 192.168.0.1:443
    rserver2 - 192.168.0.2:443
    rserver3 - 192.168.0.3:443
    We have setup two Sticky Groups (one for each of the farms above) both using the same cookie name e.g. cookieXYZ
    Our service is behind a single virtual server configured as follows (example URL and addresses):
    Virtual Server Configuration
    Virtual server name: www.somedomain.com
    Virtual IP: 2.2.2.2
    TCP/443 (https)
    SSL Termination - Proxy service name: www.somedomain.com (all keys and certs loaded and correct)
    L7 Load Balancing - **inline** rule match HTTP URL:(/AuthenticateMe/).*  Action : Sticky, Group: StickyGroup2, SSL Initiation enabled (www.somedomain.com)
    Default L7 Load Balancing action : Sticky, Group: StickyGroup1
    So normally we would expect users to first hit www.somedomain.com and therefore Farm1, get cookieXYZ from the ACE (cookie insert is only enabled on StickyGroup1) and then be redirected to www.somedomain.com/AuthenticateMe, which matches the inline URL L7 rule that directs the request at Farm2. At this point we expected the ACE to use cookieXYZ to persist the user to the same real server hit in Farm1, but instead the stickiness doesn't seem to work.
    We suspect that the ACE uses IP:port as the unique value in the Cookie ID and therefore the ACE fails to match the same real host in a different farm because we are using a mix of port numbers across farms. Is this correct? Is there another way of accomplishing what we are after with a different configuration but still the same setup with single VIP and multiple services on the backend servers?
    Any suggestions or solutions appreciated.
    Thanks
    Paul

    The issue is related to the fact that it's not about persistence because there are only "new" services in the backend in SSL, you want to keep the IP address.
    With a little bit of dev, the only way to achieve this is to redirect the user when he has been sent to http and add a "tag" (cookie / token in the URL), then on the SSL virtual server, when performing SSL offload, match this tag to send the user to the right server. But it will be a 1-to-1 mapping.

  • Access Server through VIP (ACE 4710) but very slow

    Hi Shiva
    Kindly help. Accessing the server is very slow. Please check my real configuration. This configuration is for an application server, and after this I have to configure more serverfarms for different servers like webmail etc. on this ACE 4710. I have only one ACE 4710.
    ACE version A4(2.0): does this version support probes? Without a probe the server will work, but very slowly. And please advise whether a NAT pool is required.
    VIP :-- 172.16.15.8
    LB/Admin# sh run
    Generating configuration....
    no ft auto-sync startup-config
    logging enable
    logging host 172.29.91.112 udp/514
    resource-class RC1
      limit-resource all minimum 10.00 maximum unlimited
    boot system image:c4710ace-mz.A4_2_0.bin
    hostname LB
    interface gigabitEthernet 1/1
      description Management
      speed 1000M
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      description clientside
      switchport access vlan 30
      no shutdown
    interface gigabitEthernet 1/3
      description serverside
      switchport access vlan 31
      no shutdown
    interface gigabitEthernet 1/4
      no shutdown
    context Admin
      description Management
      member RC1
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    probe http probe1
      description health check
      interval 5
      passdetect interval 10
      request method head
      expect status 200 200
      open 1
    rserver redirect https_redirect
      description redirect traffic to https
      webhost-redirection / 302
      inservice
    rserver redirect maintenance_page
      description maintenance page displayed
      webhost-redirection /sry.html 301
      inservice
    rserver host web1
      ip address 192.168.10.3
      inservice
    rserver host web2
      ip address 192.168.10.4
      inservice
    rserver host web3
      ip address 192.168.10.5
      inservice
    serverfarm host http
      rserver web1
        inservice
      rserver web2
        inservice
      rserver web3
        inservice
    serverfarm redirect https_redirect_farm
      description Redirect traffic to https
    serverfarm redirect maintenance_farm
      description send user to maintenance page
    parameter-map type connection paramap_http
      description parameter connection tcp
      exceed-mss allow
    sticky ip-netmask 255.255.255.0 address source Sticky_http
      timeout activeconns
      serverfarm http
    class-map match-all REMOTE-ACCESS
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    class-map match-all slb-vip
      2 match virtual-address 172.16.15.8 tcp eq www
    policy-map type management first-match remote_access
      class class-default
        permit
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match slb
      class class-default
        serverfarm http
    policy-map type inspect http all-match slb-vip-http
      class class-default
        permit
    policy-map multi-match client-vips
      class slb-vip
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply active
        inspect http policy slb-vip-http
        connection advanced-options paramap_http
    interface vlan 30
      description "Client Side"
      ip address 172.16.15.24 255.255.255.0
      access-group input everyone
      service-policy input client-vips
      no shutdown
    interface vlan 31
      description "Server Side"
      ip address 192.168.10.1 255.255.255.0
      service-policy input remote_access
      no shutdown
    interface vlan 1000
      description managment
      ip address 172.29.91.110 255.255.255.0
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.15.1
    snmp-server contact "PHQ"
    snmp-server community phq group Network-Monitor
    snmp-server trap-source vlan 1000
    username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/  role Admin domain default-domain
    username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR.  role Admin domain default-domain
    username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0  role Admin domain default-domain
    ssh key rsa 1024 force
    banner motd # "ro" #
    Regards,
    Prem

    Hi Shiva,
    Please guide me, I'm new to the ACE LB. Also find my network design for connecting the ACE to the server. Server access is very, very slow, but when I connect through my old software server LB (with two interfaces), access is very fast. I just replaced my old server LB (with two interfaces) with the ACE 4710 and connected it in the same scenario, so why is server access not smooth through the VIP? Reply soon. I only connect the ACE's two interfaces to the switch.
    Regards,
    Prem

  • ACE 4710 Probes on other servers than the real server

    Hi,
    I wanted to know if there is a means to configure a probe that is independent of the real servers.
    The aim is to configure a probe on a real server but also probe another intermediate server which is not in the server farm.
    The objective is to declare the real server down if its probe fails but also if the probe to an intermediate server fails, as an "or" condition.
    In the document, there is no mention of it.
    But is there a means to do it?
    Thanks.

    Hi Ashley,
    I see it is not mentioned anywhere in the document, but I think you should be able to bind two probes with a real server, of which one probe is actually probing another server.
    I would configure one probe, let's say TCP based, and bind it with the serverfarm. Then I would configure another probe, TCP based, and define the IP address in that probe (the other server IP which we need to probe) and bind this probe with the same serverfarm. The serverfarm will not have this rserver added. And then I would configure "fail-on-all" and test if that works for you.
    I know you can set a probe on a redirect server/serverfarm which actually probes another real server, so logically it should work for a normal host rserver as well. But I have never tested it myself.
    Regards,
    Kanwal

  • ACE 4710 A3 outbound static NAT with Port redirection

    Hi
    I have asked this question before, but as I have not got far with it I am going to try to be more specific this time.
    I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.
    When I try to configure this:
    ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 23 vlan 99
    I get the error: Error: Invalid real port configured for NAT static
    Any ideas what it means anyone?

    Right. Forget about the previous question. I have an update.
    I get this output on show nat policies at the moment:
    NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
    ID:64 Static port translation
    Real addr:172.21.7.11 Real port:26 Real interface:18
    Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19
    Netmask:255.255.255.255
    where x.x.x.x - is the Public, external IP address on the ACE.
    I need the traffic FROM the 172.21.7.11 server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the 172.21.7.11 server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.
    Something is telling me I am looking at it from a wrong direction altogether.
    This is the config I have at the moment:
    access-list 130 line 20 extended permit ip any any
    access-list Source_NAT line 10 extended permit tcp host 172.21.7.11 eq 26 any
    class-map match-any Class_Port26
      2 match access-list Source_NAT
    policy-map multi-match Policy_Port26_Static
      class Class_Port26
        nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
    interface vlan 107
      ip address 172.21.7.2 255.255.255.240
      peer ip address 172.21.7.1 255.255.255.240
      access-group input 130
      service-policy input Policy_Port26_Static
      no shutdown
    No server farms, no load balancing. Just that.
    Any ideas?

  • ACE 4710 - need help configuring backend server monitoring

    Currently running an ACE 4710, which is handling all of our inbound SSL connections and then forwarding requests thru to backend web servers. This all works fine.
    My question is this: right now we are not load balancing any of the backend web servers. But I now have a requirement that should a web server crash or become unavailable, I need to redirect that backend connection to another web server.
    The scenario is more like this: I have 2 web servers both serving the same content, but I want one server to take all the connections unless it fails, and at that point have all the connections forwarded to the 2nd server.
    Is there a way to set up the load balancing where the 1st server gets all the connections until a failure happens?
    Any help would be appreciated.
    Cheers
    Dave                  

    Hi Dave,
    You can use the sorry-server or backup server feature. Details can be found at
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1000264

  • Is it possible to manually setup a Folder Redirection Policy on SBS 2008 for one user? Also are you able to set up folder redirection on a different server than you have SBS 2008 on?

    I have a SBS 2008 DC I would like to be able to change the Folder Redirection to a different server.  I also would like to be able to test with one user.  I read on the forums that it is best to use the wizards for SBS2008.  The only problem I have with using the wizards is that I am unable to test and I am also unable to use a network share for my redirection location.

    Hi,
    I am sure you would get some help from :
    http://blogs.technet.com/b/sbs/archive/2010/10/08/folder-redirection-in-small-business-server-2008.aspx
    https://social.technet.microsoft.com/Forums/en-US/448583ca-471e-4a0c-9d26-aa9181e73962/folder-redirection-changing-location?forum=smallbusinessserver
    User setting can be found:
    Windows SBS Console > Shared Folders and Web Sites > Shared Folders - in Tasks panel click on Redirect folders for user accounts to the server.
    Under Folder Names Select folder(s) you want to redirect (e.g. Documents).
    Under User Accounts select accounts you want to have folders redirected.
    Click OK
    Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.
