ACE 4710 Redirection based on incoming Spanish Language
I have a customer that wants to redirect incoming traffic to a different URL or host based on the end user's language, Spanish in particular. What is the best way to accomplish this task with the least amount of issues?
Stan
If you capture a sniffer trace of any HTTP traffic, you will see that every request contains a line like this:
"Accept-Language: de"
So, in this example the request contains information that the browser accepts German (DE).
If you sniff a request from a Spanish browser, you should see a similar line with the "SP" letters.
Then with ACE, you can match those requests with a class-map like the one below:
AceC6k2/Admin(config)# class-map type http load Spanish
AceC6k2/Admin(config-cmap-http-lb)# match http header Accept-Language header-value sp
AceC6k2/Admin(config-cmap-http-lb)#
Then inside your policy-map you can use this class-map to differentiate Spanish requests from the others.
AceC6k2/Admin(config)# policy-map type loadbalance http first-match Web
AceC6k2/Admin(config-pmap-lb)#
AceC6k2/Admin(config-pmap-lb)# class Spanish
<.....do something here for spanish browsers .....>
AceC6k2/Admin(config-pmap-lb)# class class-default
<..... do something here for the other browsers ......>
gilles.
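An added illustration, not part of gilles' reply and not ACE configuration: the same header-value decision written out in plain Python, so the matching logic can be checked against sample requests before it is put on a load balancer. It parses the Accept-Language header the way RFC 7231 defines it (comma-separated tags with optional q-values) and steers a request to the Spanish site only when Spanish is the client's top-ranked concrete language. The code uses "es", the registered language tag for Spanish (RFC 5646), and accepts regional variants such as es-MX through the primary subtag; the sample requests and farm names are constructed.

```python
"""Steer a request by its Accept-Language header. Added example (plain
Python, not ACE configuration): it models the header-value match the thread
describes. The language tag for Spanish is "es" (RFC 5646); regional
variants such as es-MX share that primary subtag."""
import re

# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.example.com\r\nAccept-Language: de\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    "Accept-Language: es-MX,es;q=0.9,en;q=0.5\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    "Accept-Language: en-US,en;q=0.8,es;q=0.3\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

# q-value grammar from RFC 7231: 0 to 1 with at most three decimals.
_QVALUE = re.compile(r"^\s*q\s*=\s*(0(?:\.\d{0,3})?|1(?:\.0{0,3})?)\s*$", re.IGNORECASE)


def parse_accept_language(value):
    """Return [(tag, q)] ordered by descending q.

    Tags are lower-cased. A malformed q parameter is treated as q=0, so a
    garbage header can never raise a language's priority."""
    prefs = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        if params:
            m = _QVALUE.match(params)
            q = float(m.group(1)) if m else 0.0
        prefs.append((tag.strip().lower(), q))
    prefs.sort(key=lambda p: p[1], reverse=True)   # stable sort: header order breaks ties
    return prefs


def prefers_language(headers, target="es"):
    """True when the client's top-ranked concrete language is `target`.

    A wildcard is skipped; any other language ranked above `target`
    means the client would rather have that one. No header -> False."""
    value = headers.get("accept-language")
    if value is None:
        return False
    for tag, q in parse_accept_language(value):
        if q <= 0 or tag == "*":
            continue
        return tag.split("-")[0] == target
    return False


def parse_headers(raw_request):
    """Minimal header parser for the constructed samples (request line dropped)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers


def route(raw_request):
    """Destination the balancer would choose for one request (constructed farm names)."""
    if prefers_language(parse_headers(raw_request), "es"):
        return "spanish-farm"
    return "default-farm"


def route_samples():
    return [route(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, dest in zip(SAMPLE_REQUESTS, route_samples()):
        print(parse_headers(req).get("accept-language", "<none>"), "->", dest)
```

Ranking by q-value rather than testing for a substring matters for the mixed case: a browser sending `en-US,en;q=0.8,es;q=0.3` does list Spanish, but prefers English, and a plain header-value match would still redirect it.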
Similar Messages
-
ACE 4710 Redirect to Different Server Farm based on URL
I have a weblogic 11 serverfarm where I want to redirect to a different serverfarm based on the URL. I am able to do it and it appears to be working; however, I am having issues with the cookies. I seem to be getting logged out of our app when switching between the serverfarms. Is there any way to fix this issue? My configuration is below.
Thanks!
-Andy
Generating configuration....
crypto chaingroup WWW-PROD-CHAINGROUP
cert AddTrustExternalCARoot.crt
cert COMODOHigh-AssuranceSecureServerCA.crt
access-list allow line 8 extended permit ip any any
probe http HTTP_PROBE
port 7001
interval 10
passdetect interval 5
request method get url /login.jsp
expect status 200 299
connection term forced
probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5
receive 5
probe tcp TCP7001_PROBE
port 7005
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
rserver redirect REDIRECT-TO-HTTPS
webhost-redirection https://%h%p 301
inservice
rserver host WLS11Host1
ip address 192.168.211.250
inservice
rserver host WLS11Host2
ip address 192.168.211.14
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-TO-HTTPS
inservice
serverfarm host SPEND-FARM
probe HTTP_PROBE
rserver WLS11Host1 7001
inservice
serverfarm host WLS11FARM
probe HTTP_PROBE
rserver WLS11Host2 7001
inservice
parameter-map type http HTTP-PARM
persistence-rebalance
set secondary-cookie-start none
parameter-map type http PARSE
persistence-rebalance
set header-maxparse-length 8192
length-exceed continue
parameter-map type ssl SSL_MAP
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_WITH_AES_256_CBC_SHA
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
cookie insert browser-expire
serverfarm WLS11FARM
replicate sticky
sticky http-cookie ACE-COOKIE-SPEND SPEND_STICKY
cookie insert browser-expire
serverfarm SPEND-FARM
replicate sticky
ssl-proxy service WWW-PROD-SSLPROXY
key client_ssl.pem
cert pastar.crt
chaingroup WWW-PROD-CHAINGROUP
ssl advanced-options SSL_MAP
class-map type http loadbalance match-any HTTP-MARKETING
2 match http url /index.html
class-map type http loadbalance match-any HTTPS-SPEND
2 match http url /spend/.*
class-map type http loadbalance match-any L5
2 match http url /.*
class-map match-all WLS-7001-CLASS
2 match virtual-address 192.168.215.28 tcp eq www
class-map match-all WLS11-HTTPS-CLASS
2 match virtual-address 192.168.215.28 tcp eq https
policy-map type loadbalance first-match HTTPS
class HTTPS-SPEND
sticky-serverfarm SPEND_STICKY
insert-http x-forward header-value "%is"
class L5
sticky-serverfarm 7001_STICKY
insert-http x-forward header-value "%is"
policy-map type loadbalance first-match WLS11-7001-Policy
class HTTP-MARKETING
sticky-serverfarm 7001_STICKY
insert-http x-forward header-value "%is"
class HTTPS-SPEND
serverfarm REDIRECT-SERVERFARM
class L5
serverfarm REDIRECT-SERVERFARM
policy-map multi-match WLS11-SLB
class WLS-7001-CLASS
loadbalance vip inservice
loadbalance policy WLS11-7001-Policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
appl-parameter http advanced-options HTTP-PARM
class WLS11-HTTPS-CLASS
loadbalance vip inservice
loadbalance policy HTTPS
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
appl-parameter http advanced-options PARSE
ssl-proxy server WWW-PROD-SSLPROXY
interface vlan 1000
ip address 192.168.215.27 255.255.255.0
access-group input allow
nat-pool 1 192.168.215.28 192.168.215.28 netmask 255.255.255.255 pat
service-policy input WLS11-SLB
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.215.1
snmp-server community poweradvocaterw group Network-Monitor
Hi,
So when you come with "http url /index.html", you go to "sticky-serverfarm 7001_STICKY" and ACE must be inserting sticky "ACE_COOKIE-7001". Now when you get redirected because you match "HTTPS-Spend", ACE will load balance the request, which will now come on HTTPS, and insert sticky "ACE-COOKIE-SPEND". That's why I guess you see two sticky entries. Now I guess ACE will keep the connection to servers in "sticky-serverfarm SPEND_STICKY", or do you see that ACE is not doing the same, or did you expect the ACE to send the request to "sticky-serverfarm 7001_STICKY" even though it matches the HTTPS-Spend class-map condition?
Regards,
Kanwal -
I am using an ACE 4710 and am converting incoming WSS username tokens to SAML tokens, authenticating against Tivoli directory.
The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and compares to the digest in the Xml Signature block.
Is anybody else using SAML tokens?
Has anyone else seen a similar problem?
By adding SAML assertions to outgoing requests, the ACE XML Gateway can act as an asserting party for systems that rely on SAML credentials. The SAML assertions generated by the ACE XML Gateway can be in the form of a SAML 1.0, SAML 1.1, or SAML 2.0 credential.
The following url may help you;
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_xml_gateway/v52/user/guide/axg_ug_backendauth.html#wp1049962
-
reposted from another forum:
Am using an ACE 4710 and am converting incoming WSS username tokens to SAML tokens, authenticating against Tivoli directory.
The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and fails when comparing to the digest in the Xml Signature block.
Is anybody else using SAML tokens?
Has anyone else seen a similar problem?
You are right, we are using transport encryption (SSL) to protect the WSS password.
We then use LDAP to authenticate the username/password and create a SAML token using attributes from LDAP. The ACE Xml Gateway creates this SAML token, signs it and inserts into the SOAP header that is forwarded to our service.
At our service we are trying to verify the signed SAML token. The error we are seeing is the Xml signature digest created by the ACE XML Gateway is wrong.
With XML signature some Xml referenced by an ID is canonicalised, hashed (digest created) and then this digest is encrypted using the private key of some certificate.
On receipt we repeat the process, canonicalise and hash the Xml referenced and compare our computed digest to the one created by the ACE device. This is where we get the error. We are using the standard canonicalisation and hashing algorithms (c14n and SHA1 respectively). Our code can successfully verify SAML tokens from other sources. -
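An added example, not part of the thread and not ACE XML Gateway code: the receiver-side reference check described above (canonicalize the referenced element, hash it, compare with the signed DigestValue), written in plain Python so the effect of canonicalization can be seen directly. The canonical form comes from the standard library's `xml.etree.ElementTree.canonicalize` (C14N 2.0, Python 3.8+), which stands in for the Inclusive C14N 1.0 most XML-DSig toolchains use; the point shown is the same, namely that a digest over the raw bytes breaks on any reformatting while a digest over the canonical form does not. SHA-1 is used only because the thread uses it; a current deployment would sign with SHA-256. The assertion fragments are constructed and are not real SAML.

```python
"""Reference-digest check in an XML Signature, and why canonicalization matters.
Added example, not ACE XML Gateway code. Canonical form comes from the
standard library's xml.etree.ElementTree.canonicalize (C14N 2.0, Python 3.8+),
standing in for the Inclusive C14N 1.0 most XML-DSig toolchains use; the
point shown (hash of raw bytes vs. hash of canonical bytes) is the same."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed assertion fragments with the same infoset and different layout:
# attribute order and intra-tag whitespace differ. Not real SAML.
SIGNER_VIEW = (
    '<Assertion ID="a1" Version="2.0">'
    '<Subject><NameID>alice</NameID></Subject>'
    '</Assertion>'
)
RECEIVER_VIEW = (
    '<Assertion Version="2.0"   ID="a1" >'
    '<Subject><NameID>alice</NameID></Subject>'
    '</Assertion>'
)


def b64_sha1(data):
    """Base64 of SHA-1, the encoding a DigestValue element carries."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def raw_digest(xml_text):
    """Digest over the bytes as they arrived: changes with any reformatting."""
    return b64_sha1(xml_text.encode("utf-8"))


def canonical_digest(xml_text):
    """Digest over the canonical form: what a <Reference>/<DigestValue> should carry."""
    canonical = ET.canonicalize(xml_text, strip_text=True)
    return b64_sha1(canonical.encode("utf-8"))


def verify_reference(received_xml, digest_value):
    """Receiver side: canonicalize, hash, constant-time compare with the signed value."""
    return hmac.compare_digest(canonical_digest(received_xml), digest_value)


def demo():
    signed_digest = canonical_digest(SIGNER_VIEW)       # value the signer would embed
    tampered = RECEIVER_VIEW.replace("alice", "bob")    # same layout, changed content
    return {
        "raw_bytes_match": raw_digest(SIGNER_VIEW) == raw_digest(RECEIVER_VIEW),
        "canonical_match": verify_reference(RECEIVER_VIEW, signed_digest),
        "tampered_match": verify_reference(tampered, signed_digest),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

When a verifier and a signer disagree on the digest of an otherwise intact assertion, the usual suspects are exactly the inputs this example varies: which canonicalization algorithm (inclusive vs. exclusive, with or without comments) each side applies, and whether the bytes being hashed are the referenced element alone or include surrounding whitespace and namespace declarations.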
ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?
Hello all, I'm new to the ACE 4710 and need to know some details about stickyness.
As background, we are a small company with a SaaS product and a pair of webservers.
I have set up the default L7 load-balancing rule to sticky based on a cookie-based Sticky Group.
That seems to be working and session traffic is sticking to a server during the user's session.
Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work with little to no training on this hardware and no budget at this point to pay someone else for configuration and setup.
I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issues while those sessions are active and have new connections to other client URLs balanced among the webservers.
Hopefully this request makes sense.
Thanks,
Mark Steeves.
Daniel,
Thanks for the reply, but I cannot reach the URL you included. It gives me a 403.
Therefore, without reading the article, I wanted to ask if the proper setup would be:
1. Default L7 load-balancing action: Primary action: Sticky: Sticky Group using
Type = HTTP Header: Header name = Host
2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
Using this setting in testing, it looks like all the traffic keeps going to 1 server only. Granted there is not much traffic to the servers, but I have 2 different URLs being tested: url1.ourdomain.com & url2.ourdomain.com
If you have another link for the above document, please let me know.
Thanks,
Mark Steeves. -
ACE 4710: Find out the response time of a real server
Hi to everyone,
I have a couple of ACE 4710 and I need to find out what is the response time of a real server.
Is there a way for this?
Thank you for any answer!
giorgio romano
Hi,
Kindly add the following line in your serverfarm configuration:
predictor response syn-to-synack
Suppose your serverfarm looks like this:
serverfarm host AAA_FARM
predictor response syn-to-synack
probe HTTP_PROBE
probe TCP9001_PROBE
rserver SC106
inservice
rserver SC107
inservice
rserver SC108
inservice
rserver SC109
inservice
rserver SC110
inservice
rserver SC111
inservice
rserver SC112
inservice
rserver SC113
inservice
rserver SC114
inservice
rserver SC120
inservice
rserver SC131
inservice
And then use the following command to see the average response time from your rservers:
ACE1/prod# show serverfarm AAA_FARM detail
serverfarm : AAA_FARM, type: HOST
total rservers : 11
active rservers: 11
description : ServerFarm AAA
state : ACTIVE
predictor : RESPONSE
method : syn-to-synack
samples : 8
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 0
total conn-dropcount : 0
Probe(s) :
HTTP_PROBE, type = HTTP
TCP9001_PROBE, type = TCP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC106
x.x.x.x.:0 8 OPERATIONAL 2 1125 0
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
average response time (usecs) : 81 ----> that's what you might be looking for
From other day :
rserver: SC114
x.x.x.x:0 8 OPERATIONAL 70 10903 2
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
average response time (usecs) : 1334 ----> that's what you might be looking for
For Serverfarm BBB_FARM
serverfarm : BBB_FARM, type: HOST
total rservers : 1
active rservers: 1
description : ServerFarm BBB
state : ACTIVE
predictor : RESPONSE
method : syn-to-synack
samples : 8
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 1
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC208
x.x.x.x:0 8 OPERATIONAL 0 0 0
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
average response time (usecs) : 0 ----> that's what you might be looking for
See more details on the response predictor at:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1068831
Configuring the Application Response Predictor
To instruct the ACE to select the server with the lowest average response time for the specified response-time measurement based on the current connection count and server weight (if configured), use the predictor response command in server farm host or redirect configuration mode. This predictor is considered adaptive because the ACE continuously provides feedback to the load-balancing algorithm based on the behavior of the real server.
To select the appropriate server, the ACE measures the absolute response time for each server in the server farm and averages the result over a specified number of samples (if configured). With the default weight connection option configured, the ACE also takes into account the server's average response time and current connection count. This calculation results in a connection distribution that is proportional to the average response time of the server.
The syntax of this command is as follows:
predictor response {app-req-to-resp | syn-to-close | syn-to-synack}[samples number]
The keywords and arguments are as follows:
•app-request-to-resp—Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.
•syn-to-close—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
•syn-to-synack—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server.
•samples number—(Optional) Specifies the number of samples over which you want to average the results of the response time measurement. Enter an integer from 1 to 16 in powers of 2. Valid values are 1, 2, 4, 8, and 16. The default is 8.
For example, to configure the response predictor to load balance a request based on the response time from when the ACE sends an HTTP request to a server to when the ACE receives a response back from the server and average the results over four samples, enter:
host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)# predictor response app-req-to-resp
samples 4
To reset the predictor method to the default of round-robin, enter:
host1/Admin(config-sfarm-host)# no predictor
To configure an additional parameter to take into account the current connection count of the servers in a server farm, use the weight connection command in server farm host predictor configuration mode. By default, this command is enabled. The syntax of this command is as follows:
weight connection
For example, enter:
host1/Admin(config)# serverfarm SF1
host1/Admin(config-sfarm-host)# predictor response app-request-to-resp
samples 4
host1/Admin(config-sfarm-host-predictor)# weight connection
To remove the current connection count from the calculation of the average server response time, enter:
host1/Admin(config-sfarm-host-predictor)# no weight connection
You can use the optional threshold milliseconds parameter, which specifies the required minimum average response time for a server. If the server response time is greater than the specified threshold value, the ACE removes the server from the load-balancing decision process (takes the server out of service).
Enter an integer from 1 to 300000 milliseconds (5 minutes). The default is no threshold (servers are not taken out of service).
If you want to measure the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server, use syn-to-close (already discussed previously).
If you want to measure the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server, use syn-to-synack (already discussed previously).
The samples parameter is optional and specifies the number of samples that you want to average from the results of the response time measurement; the response time is used to select the server with the lowest response time for the requested response-time measurement. If you do not specify a response-time measurement method, the ACE uses the HTTP app-req-to-response method.
Whenever a server's load reaches zero, by default, the ACE uses the autoadjust feature to assign a maximum load value of 16000 to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options.
Using the least-loaded predictor with the configured server weight and the current connection count option enabled, the ACE calculates the final load of a real server as follows:
final load = weighted load × static weight × current connection count
where:
•weighted load is the load reported by the SNMP probe
•static weight is the configured weight of the real server
•current connection count is the total number of active connections to the real server
The ACE recalculates the final load whenever the connection count changes, provided that the (config-sfarm-host-predictor) weight connection command is configured. If the (config-sfarm-host-predictor) weight connection command is not configured, the ACE updates the final load when the next load update arrives from the SNMP probe.
If two servers have the same lowest load (either zero or nonzero), the ACE load balances the connections between the two servers in a round-robin manner.
HTH
Plz rate if u find it useful.
Sachin -
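An added model of the predictor described above, not part of Sachin's reply and not ACE firmware: it keeps the last 1, 2, 4, 8 or 16 response-time samples per rserver, picks the server with the lowest average, takes a server out of rotation when its average exceeds the optional threshold, and round-robins among equal scores. The connection-weighted score (average × (1 + current connections) / static weight) is this example's own choice for the "weight connection" behaviour, since the thread does not give ACE's exact arithmetic. Server names and sample times are constructed (the 81 and 1334 µs figures from the show output above are used as a guide).

```python
"""Model of the response-time predictor described above: per-server samples
(1, 2, 4, 8 or 16), lowest average wins, optional threshold that takes a slow
server out of rotation, round-robin among ties. Added example in plain Python,
not ACE firmware. The connection-weighted score, avg_usecs * (1 + current
connections) / weight, is this example's own choice; ACE's exact arithmetic
is not published in the thread."""
import collections


class ResponsePredictor:
    def __init__(self, servers, samples=8, threshold_ms=None, weight_connection=True):
        if samples not in (1, 2, 4, 8, 16):
            raise ValueError("samples must be 1, 2, 4, 8 or 16")
        self.weight = dict(servers)                     # {rserver: static weight}
        self.history = {s: collections.deque(maxlen=samples) for s in servers}
        self.conns = {s: 0 for s in servers}
        self.threshold_us = None if threshold_ms is None else threshold_ms * 1000
        self.weight_connection = weight_connection
        self.out_of_service = set()
        self._tie = 0

    def record(self, server, response_usecs):
        """Feed one measured response time (e.g. SYN to SYN-ACK) for a server."""
        self.history[server].append(response_usecs)
        if self.threshold_us is not None and self.average(server) > self.threshold_us:
            self.out_of_service.add(server)          # slower than allowed: pulled from rotation

    def average(self, server):
        h = self.history[server]
        return sum(h) / len(h) if h else 0.0

    def score(self, server):
        score = self.average(server)
        if self.weight_connection:
            score *= 1 + self.conns[server]
        return score / self.weight[server]

    def select(self):
        """Choose the server for a new connection, or None if all are out."""
        candidates = [s for s in self.history if s not in self.out_of_service]
        if not candidates:
            return None
        best = min(self.score(s) for s in candidates)
        tied = [s for s in candidates if self.score(s) == best]
        choice = tied[self._tie % len(tied)]      # round-robin among equal scores
        self._tie += 1
        self.conns[choice] += 1
        return choice

    def release(self, server):
        """Connection closed: drop the active count used by the weighting."""
        self.conns[server] = max(0, self.conns[server] - 1)


def demo():
    """Two servers with constructed sample times; the second then exceeds a 100 ms threshold."""
    p = ResponsePredictor({"SC106": 8, "SC114": 8}, samples=4, threshold_ms=100)
    for rt in (80, 85, 78, 81, 79):          # deque keeps only the last four
        p.record("SC106", rt)
    for rt in (1300, 1400, 1334, 1302):
        p.record("SC114", rt)
    picks = [p.select(), p.select()]
    avg_sc114 = p.average("SC114")
    p.record("SC114", 500_000)                 # one 0.5 s sample pushes the average over 100 ms
    return {
        "avg_SC106": p.average("SC106"),
        "avg_SC114": avg_sc114,
        "picks": picks,
        "out_of_service": sorted(p.out_of_service),
        "after_threshold": p.select(),
    }


def demo_tie():
    """Equal averages with connection weighting off: strict round-robin."""
    p = ResponsePredictor({"A": 1, "B": 1}, samples=2, weight_connection=False)
    for s in ("A", "B"):
        p.record(s, 100)
    return [p.select() for _ in range(4)]


if __name__ == "__main__":
    print(demo())
    print(demo_tie())
```

The sample window is what makes the threshold behave: with samples=4, a single half-second outlier moves the average past the threshold immediately, whereas with samples=16 the same outlier would be diluted and the server would stay in rotation. Size the window to the failure you want to react to.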
Redirect based on list of source IP ranges
Hi everyone
We are looking for a way to 302 redirect a client to an alternate url based on their source IP address. If they do not match the source IP, the request will be load balanced to a farm.
The list of matching IP ranges is quite large though - there are upwards of 5000.
Is there a way to do this on the ACE 4710 efficiently?
Thanks
A
Yes, you can use an HTTP class-map
Scimitar1/User1(config)# class-map type http loadbalance redirect_clients
Scimitar1/User1(config-cmap-http-lb)# match source-address ?
Enter client source address to match
Then you can use this class-map in your policy-map to use a different serverfarm
Scimitar1/User1(config)# policy-map type load first-match WEB
Scimitar1/User1(config-pmap-lb)# class ?
class-default Specify actions for default class-map
redirect_clients
Scimitar1/User1(config-pmap-lb)# class redirect_clients
Scimitar1/User1(config-pmap-lb-c)#
<.....add your redirect serverfarm here ......>
Scimitar1/User1(config-pmap-lb-c)# ex
Scimitar1/User1(config-pmap-lb)# class class-default
Scimitar1/User1(config-pmap-lb-c)#
<.... add your loadbalancing serverfarm here .....>
This is going to be a bit tedious to configure for your 5000 client IP addresses.
Maybe you could script it ?
Gilles. -
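An added example, not part of Gilles' reply and not ACE configuration: the source-address decision written as a program, which is also the shape a generator script for the 5000 `match source-address` lines would take. The ranges are merged and sorted once with the standard `ipaddress` module, so each lookup is a binary search rather than a walk over thousands of entries, and a listed client gets a 302 to the alternate site while everyone else goes to the farm. The 5000 ranges, the alternate URL alt.example.com and the farm name are constructed.

```python
"""Match a client source address against thousands of CIDR ranges in O(log n)
and decide between a 302 redirect and normal load balancing. Added example
in plain Python, not ACE configuration; the 5000 ranges, the alternate URL
alt.example.com and the farm name are constructed."""
import bisect
import ipaddress
import random

ALTERNATE_SITE = "https://alt.example.com"   # constructed redirect target
FARM_NAME = "web-farm"                        # constructed serverfarm name


class RangeMatcher:
    """Merged, sorted CIDR list per address family with binary-search lookup."""

    def __init__(self, cidrs):
        by_version = {}
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            by_version.setdefault(net.version, []).append(net)
        self._starts, self._ends = {}, {}
        for version, nets in by_version.items():
            merged = sorted(ipaddress.collapse_addresses(nets))  # overlapping/adjacent folded
            self._starts[version] = [int(n.network_address) for n in merged]
            self._ends[version] = [int(n.broadcast_address) for n in merged]

    def range_count(self):
        """Number of ranges left after merging."""
        return sum(len(v) for v in self._starts.values())

    def contains(self, address):
        addr = ipaddress.ip_address(address)
        starts = self._starts.get(addr.version)
        if not starts:
            return False
        i = bisect.bisect_right(starts, int(addr)) - 1   # last range starting at or before addr
        return i >= 0 and int(addr) <= self._ends[addr.version][i]


def route_request(matcher, client_ip, path):
    """Return (status, target): 302 plus Location for listed clients, else the farm."""
    if matcher.contains(client_ip):
        return 302, ALTERNATE_SITE + path
    return None, FARM_NAME


def build_demo_matcher(count=5000):
    """Construct a deterministic list of `count` ranges for a scale test."""
    rng = random.Random(7)
    cidrs = {"203.0.113.0/24", "198.51.100.0/25", "198.51.100.128/25"}
    while len(cidrs) < count:
        cidrs.add(f"10.{rng.randrange(256)}.{rng.randrange(256)}.0/24")
    return RangeMatcher(cidrs)


if __name__ == "__main__":
    m = build_demo_matcher()
    print("ranges after merge:", m.range_count())
    for ip in ("203.0.113.9", "198.51.100.200", "192.0.2.1"):
        print(ip, "->", route_request(m, ip, "/login"))
```

Merging first also shrinks the list you would have to push to the device: the two /25s in the sample collapse into one /24, and any adjacent /24s among the generated ranges fold together the same way.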
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm a newbie to Cisco ACE 4710, and I'm still in the learning stage. Meanwhile I got the chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two application servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide is totally fine with my required deployment model. I have the same deployment environment as this guide, with an ACE cluster that connects to two Cisco 3750X (stack) switches. But I have some confusing places in this guide.
This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
My confusion is, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments, one for the client side where client requests come in and hit the VIP, and a second one for the server side, which means basically two VLANs. So please be kind enough to go through the above document and tell me where it is wrong and what I should do for the best. Please, this is urgent, so I need your help quickly.
Thanks....!
-Amal-
Dear Kanwal,
I need quick help from you. Following are the application LB requirements which I received from my client side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, the actual hostname will be used]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, the actual hostname will be used]
Protocol: http
Port: 8000
Since my client needs to access the URL ebiz.xxxx.lk, which should resolve to IP 172.25.45.21 (virtual IP) via http (80), before they deployed the app on the two servers I just ran a web service on both servers (Linux) and tried to access http://172.25.45.21; it worked fine and gave me the index.html page. Now that my client has deployed the application, when he tries to access the page http://172.25.45.21 he cannot see his main login page. My test web servers are still there on both servers, and when I type http://172.25.45.21 I get the index.html page, but not my client's web login page. What can I do about this?
Following are my latest config :
probe http Get-Method
description Check to url access /OA_HTML/OAInfo.jsp
interval 10
faildetect 2
passdetect interval 30
request method get url /OA_HTML/OAInfo.jsp
expect status 200 200
probe udp http-8000-iRDMI
description IRDMI (HTTP - 8000)
port 8000
probe http http-probe
description HTTP Probes
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
request method get url /index.html
expect status 200 200
probe https https-probe
description HTTPS traffic
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
ssl version all
request method get url /index.html
probe icmp icmp-probe
description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
description ebsapp1.xxxx.lk
ip address 172.25.45.19
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
rserver host ebsapp2
description ebsapp2.xxxx.lk
ip address 172.25.45.20
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
serverfarm host ebsppsvrfarm
description ebsapp server farm
failaction purge
predictor response app-req-to-resp samples 4
probe http-probe
probe icmp-probe
inband-health check log 5 reset 500
retcode 404 404 check log 1 reset 3
rserver ebsapp1 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
rserver ebsapp2 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
sticky http-cookie jsessionid HTTP-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map match-all ebsapp-vip
2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
class default-compression-exclusion-mime-type
serverfarm ebsppsvrfarm
class class-default
compress default-method deflate
sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
class ebsapp-vip
loadbalance vip inservice
loadbalance policy ebsapp-vip-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 455
interface vlan 455
ip address 172.25.45.36 255.255.255.0
peer ip address 172.25.45.35 255.255.255.0
access-group input ALL
nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int455
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
no preempt
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply me soon
Thanks....!
-Amal- -
Use ACE to redirect or insert a WWW in a client request
I am using ACE 4710s running 4.1 to load balance web traffic across our web server farms. Redirection is configured to redirect http to https. There is a new requirement to redirect a request that does not include the "www" in the URL to include the "www". In other words, if a client merely types "mytesturl.com/test1" the ACE is to redirect or rewrite and insert the www so the request becomes "www.mytesturl.com/test1". I am searching through the documentation, but thought I would pick the collective brains of the community at the same time to see who can come up with the correct answer first. Below is a sample of the working config.
Thanks in advance,
mb
rserver host RS_TEST_01
description ***Test Producation Host***
ip address 10.64.64.45
inservice
rserver redirect RD_EC
description ***TEST Sub-Site***
webhost-redirection https://www.test.com/EC/
inservice
rserver redirect http
webhost-redirection https://%h%p 301
inservice
serverfarm redirect REDIRECT
rserver http
inservice
serverfarm host SF_TEST
rserver RS_TEST_01 80
inservice
serverfarm redirect SF_EC
description ***Test Sub-Site***
rserver RD_EC
inservice
sticky ip-netmask 255.255.255.0 address both STICKY_TEST_1
timeout 600
replicate sticky
serverfarm SF_TEST
ssl-proxy service SSL_TEST_1
key TEST_KEY
cert TEST_CERT
chaingroup VERISIGN
ssl advanced-options SSL_TERMINATION
class-map match-any TEST_VIP_01
description ***VIP for TEST***
2 match virtual-address 10.64.74.45 tcp eq https
class-map type http loadbalance match-all TEST_EC
2 match http url /ec*
policy-map type loadbalance first-match LB_TEST_01
description ***Load Balancing Policy for Test***
class TEST_EC
serverfarm SF_EC
policy-map type loadbalance first-match LB_REDIRECT
description L7SLBPolicy-Redirect
class class-default
serverfarm REDIRECT
policy-map multi-match NEW_WEB_POLICY
class TEST_VIP_01
loadbalance vip inservice
loadbalance policy LB_TEST_01
loadbalance vip icmp-reply active
ssl-proxy server SSL_TEST_1
interface vlan 474
description ***Front End VIP interface***
ip address 10.64.74.254 255.255.255.0
alias 10.64.74.252 255.255.255.0
peer ip address 10.64.74.253 255.255.255.0
access-group input TEST_WEB
service-policy input TEST_WEB_POLICY
no shutdown
Hi Michael,
The configuration to achieve this would be something like the one below. I wrote it without trying it in the lab first, so make sure to test it before putting it in production (especially the syntax of the regular expressions).
rserver redirect http
webhost-redirection https://%h%p 301
inservice
rserver redirect http_and_www
webhost-redirection https://www.%h%p 301
inservice
serverfarm redirect REDIRECT
rserver http
inservice
serverfarm redirect REDIRECT_and_www
rserver http_and_www
inservice
class-map type http loadbalance match-all http_with_www
2 match http header Host header-value www.*
policy-map type loadbalance first-match LB_REDIRECT
description L7SLBPolicy-Redirect
class http_with_www
serverfarm REDIRECT
class class-default
serverfarm REDIRECT_and_www
I hope this helps
Daniel -
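An added example, not part of Daniel's reply and not ACE configuration: the Host-header decision behind the two redirect rservers above, written in plain Python so it can be tested against sample requests. It anchors the www test at the start of the hostname (`^www\.`), so a name such as wwwshop.mytesturl.com is not mistaken for the www host, and it only builds a Location for hostnames under the domains this VIP serves: a `%h` substitution echoes whatever Host header the client sent, so restricting it keeps the redirect from pointing at a host you do not own. `SERVED_DOMAINS` is an assumption standing in for the real list; the thread's sample name mytesturl.com is used and the test requests are constructed.

```python
"""Host-header based www redirect, modelled after the class-map/redirect pair
above. Added example in plain Python, not ACE configuration. SERVED_DOMAINS is
an assumption standing in for the domains the VIP actually serves; the
thread's sample name mytesturl.com is used."""
import re

SERVED_DOMAINS = ("mytesturl.com",)          # assumption: domains this VIP answers for
HOST_HAS_WWW = re.compile(r"^www\.", re.IGNORECASE)   # anchored: "wwwshop.example" is not www


def normalize_host(host):
    """Lower-case the Host header and drop an explicit :port."""
    return host.split(":", 1)[0].strip().lower()


def is_served(hostname):
    """Only build a Location from a Host we actually serve; %h echoes the
    client's header, so unknown hosts must not be turned into redirects."""
    return any(hostname == d or hostname.endswith("." + d) for d in SERVED_DOMAINS)


def redirect_location(host, path):
    """Return the https Location for an http request, or None if the Host is not ours."""
    hostname = normalize_host(host)
    if not hostname or not is_served(hostname):
        return None
    if not path.startswith("/"):
        path = "/" + path
    if HOST_HAS_WWW.match(hostname):
        return f"https://{hostname}{path}"          # like webhost-redirection https://%h%p
    return f"https://www.{hostname}{path}"          # like webhost-redirection https://www.%h%p


def demo():
    # Constructed requests: (Host header, path)
    cases = [
        ("mytesturl.com", "/test1"),
        ("www.mytesturl.com:80", "/test1"),
        ("WWW.MYTESTURL.COM", "/test1"),
        ("wwwmytesturl.com", "/"),
        ("other.example", "/"),
    ]
    return {host: redirect_location(host, path) for host, path in cases}


if __name__ == "__main__":
    for host, location in demo().items():
        print(f"{host:28} -> {location}")
```

The `None` results are the cases a regex of the form `www.*` on its own would not distinguish: a hostname that merely begins with the letters www, and a Host header for a site this VIP does not serve at all.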
ACE 4710 - Internet Explorer cannot display the webpage randomly
We have a ACE 4710 with a basic config, (see below).
When clicking on a tab from a window within Internet Explorer we occasionally get an issue with it returning: "Internet Explorer cannot display the webpage". The details show "Access is denied" accessing a particular line of a javascript file.
We have put one web server out of service in the farm to make sure that this isn't a result of stickyness not quite working.
We have tested extensively by going directly to the web server without the load balancer and cannot reproduce the problem, but we can produce the issue within a few minutes when going to the load balanced address.
Thanks in advance for any advice.
HOST-1/Admin# show run
Generating configuration....
logging enable
logging fastpath
logging standby
logging timestamp
logging trap 6
logging history 6
resource-class SLB_ResourceClass_T_R
limit-resource all minimum 10.00 maximum unlimited
resource-class sticky
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
peer hostname HOST-2
hostname HOST-1
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
shutdown
interface gigabitEthernet 1/3
description LB003
switchport access vlan 1
shutdown
interface gigabitEthernet 1/4
description LB004
switchport access vlan 2
shutdown
interface port-channel 1
port-channel load-balance src-dst-port
no shutdown
clock timezone standard GMT
switch-mode
context Admin
description SUTLB01
member SLB_ResourceClass_T_R
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe tcp probe_tcp_80
port 80
rserver host Server_S_W301
description Server_S_W301
ip address x.x.32.152
inservice
rserver host Server_S_W302
description Server_S_W302
ip address x.x.32.154
inservice
serverfarm host sfarm_T_R
description sfarm_T_R
predictor leastconns
probe probe_tcp_80
rserver Server_S_W301 80
rserver Server_S_W302 80
inservice
sticky http-cookie Cookie1 T_R_sticky_cookie
cookie insert browser-expire
timeout 3600
serverfarm sfarm_T_R
class-map match-any T_R_L4Class
2 match virtual-address x.x.33.150 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match T_R_L7policy
class class-default
sticky-serverfarm T_R_sticky_cookie
policy-map multi-match T_R_L4Policy
class T_R_L4Class
loadbalance vip inservice
loadbalance policy T_R_L7policy
loadbalance vip icmp-reply active
nat dynamic 2 vlan 1000
interface vlan 1000
ip address x.x.33.148 255.255.254.0
access-group input ALL
nat-pool 2 x.x.33.151 x.x.33.151 netmask 255.255.254.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input T_R_L4Policy
no shutdown
ip route 0.0.0.0 0.0.0.0 x.x.32.1
ssh key rsa 1024 force
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 421347 , TCP data msgs sent : 2099597
Inspect parse result msgs sent : 0 , SSL data msgs sent : 0
TCP fin msgs sent : 6169 , TCP rst msgs sent: : 769
Bounced fin msgs sent : 5 , Bounced rst msgs sent: : 1
SSL fin msgs sent : 0 , SSL rst msgs sent: : 0
Drain msgs sent : 337811 , Particles read : 5040829
Reuse msgs sent : 0 , HTTP requests : 342499
Reproxied requests : 183422 , Headers removed : 37475
Headers inserted : 342124 , HTTP redirects : 0
HTTP chunks : 224859 , Pipelined requests : 71466
HTTP unproxy conns : 267246 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 71302 , Analysis errors : 0
Header insert errors : 22 , Max parselen errors : 215
Static parse errors : 99 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Headers rewritten : 0 , Header rewrite errors : 0
SSL headers inserted : 0 , SSL header insert errors : 0
SSL spoof headers deleted : 0 , Unproxy msgs sent : 267246
HTTP passthrough stat : 0
NOTE - We did turn on caching at one point to try and resolve the issue but it has since been turned off -
Hi,
Please can you help me find out where my error is in the below:
I have an ACE 4710. Also I have 2 Bluecoat Proxy SG working in proxy mode. I want the ACE to be the Load Balancer for these 2 Proxy SG. I configure the ACE as below and put the vip-address in the Internet Explorer LAN Settings but it did not work. Also I configure Policy-based Routing on the Core Switch (for any http or https traffic going through core apply set ip next-hop vip-address).
Core SW SVI:
interface Vlan56
description BC Proxy
ip address 10.0.1.33 255.255.255.224
interface Vlan57
description ACE-LB-Alias
ip address 10.0.1.65 255.255.255.224
ACE 4710:
hostname VSS-ACE-BC-01
interface gigabitEthernet 1/1
description Management
speed 1000M
duplex FULL
switchport access vlan 101
no shutdown
interface gigabitEthernet 1/2
description User Side
speed 1000M
duplex FULL
switchport access vlan 56
no shutdown
interface gigabitEthernet 1/3
description BC Proxy Side
speed 1000M
duplex FULL
switchport access vlan 57
no shutdown
interface gigabitEthernet 1/4
description Failover
speed 1000M
duplex FULL
ft-port vlan 900
no shutdown
context Admin
member sticky
access-list external line 10 extended permit ip any any
access-list external line 20 extended permit icmp any any
access-list external line 30 extended permit tcp any any
access-list external line 40 extended permit udp any any
access-list internal line 10 extended permit ip any any
access-list internal line 20 extended permit icmp any any
access-list internal line 30 extended permit tcp any any
access-list internal line 40 extended permit udp any any
probe tcp web443
port 443
interval 30
faildetect 1
passdetect interval 30
passdetect count 1
open 1
probe tcp web8080
port 8080
interval 30
faildetect 1
passdetect interval 30
passdetect count 1
open 1
rserver host BC01
ip address 10.0.1.41
inservice
rserver host BC02
ip address 10.0.1.42
inservice
serverfarm host web443
probe web443
rserver BC01
inservice
rserver BC02
inservice
serverfarm host web8080
probe web8080
rserver BC01
inservice
rserver BC02
inservice
sticky ip-netmask 255.255.255.255 address source group1
replicate sticky
serverfarm web8080
sticky ip-netmask 255.255.255.255 address source group2
replicate sticky
serverfarm web443
class-map type management match-any REMOTE_ACCESS
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
5 match protocol http any
6 match protocol snmp any
class-map match-all external-web
2 match virtual-address 10.0.1.70 any
class-map match-all external-web443
2 match virtual-address 10.0.1.70 any
class-map match-any nat-class
2 match access-list external
policy-map type management first-match REMOTE_MGMT
class REMOTE_ACCESS
permit
policy-map type loadbalance http first-match slb
class class-default
sticky-serverfarm group1
policy-map type loadbalance http first-match slb443
class class-default
sticky-serverfarm group2
policy-map multi-match external-access
class nat-class
nat dynamic 1 vlan 57
class external-web
loadbalance vip inservice
loadbalance policy slb
class external-web443
loadbalance vip inservice
loadbalance policy slb443
timeout xlate 120
interface vlan 56
description Server-Side
ip address 10.0.1.43 255.255.255.224
ip verify reverse-path
alias 10.0.1.40 255.255.255.224
peer ip address 10.0.1.44 255.255.255.224
mac-address autogenerate
access-group input internal
service-policy input REMOTE_MGMT
no shutdown
interface vlan 57
description VIP-Interface
ip address 10.0.1.67 255.255.255.224
alias 10.0.1.66 255.255.255.224
peer ip address 10.0.1.68 255.255.255.224
mac-address autogenerate
access-group input external
service-policy input external-access
service-policy input REMOTE_MGMT
no shutdown
interface vlan 101
description Management
ip address 10.220.1.131 255.255.255.0
alias 10.220.1.133 255.255.255.0
peer ip address 10.220.1.132 255.255.255.0
mac-address autogenerate
service-policy input REMOTE_MGMT
no shutdown
ft interface vlan 900
ip address 172.20.100.1 255.255.255.252
peer ip address 172.20.100.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 20
ft-interface vlan 900
ft group 1
peer 1
priority 200
peer priority 150
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 10.0.1.65
I see that you used:
nat dynamic 1 vlan 57
Where is the nat pool on Vlan 57 ?
Maybe you can try to assign that and that should help.
Something like below:
Interface vlan 57
nat-pool 1 10.0.1.93 10.0.1.93 netmask 255.255.255.224 pat
regards,
Ajay Kumar -
I have ACE 4710 and I need configuration:
I have real web-server with folders : /1/index.html, /2/index.html, /3/index.html
I need to balance virtual service:
If I try to connect URL: http://server/index.html, then ACE balance among
http://real_server/1/index.html,
http://real_server/2/index.html,
http://real_server/3/index.htm
How can I configure ACE?
ACE can't modify the URL.
But it can send redirect.
So you could build 3 redirect rservers, and have ACE loadbalance between them.
rserver redirect HTTP-REDIRECT1
webhost-redirection http://real_server/1/index.html
inservice
rserver redirect HTTP-REDIRECT2
webhost-redirection http://real_server/2/index.html
inservice
rserver redirect HTTP-REDIRECT3
webhost-redirection http://real_server/3/index.html
inservice
serverfarm redirect SF_REDIRECT
rserver HTTP-REDIRECT1
inservice
rserver HTTP-REDIRECT2
inservice
rserver HTTP-REDIRECT3
inservice
But even if it works, this does not sound good.
It seems like a design done by an application server person who does not know how network loadbalancers work.
It seems like all you need is stickiness, which you are trying to achieve by redirecting to /1 or /2 or /3.
But this can be done differently with cookies or by just doing stickiness on source ip address.
Gilles. -
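To make the design point above concrete, here is an added Python simulation (not code from the thread or from Cisco) of the two options: a farm of the three redirect rservers with no stickiness, and the same farm behind a source-IP sticky group. The client addresses and the round-robin predictor are assumptions chosen for the illustration.

```python
from itertools import cycle

# Constructed sample: the three redirect rservers from the reply above.
REDIRECT_TARGETS = [
    "http://real_server/1/index.html",
    "http://real_server/2/index.html",
    "http://real_server/3/index.html",
]

class RoundRobinFarm:
    """A serverfarm with no stickiness: each request is handed to the next
    rserver in turn, whoever sent it (a round-robin predictor, assumed here)."""
    def __init__(self, targets):
        self._next = cycle(targets)

    def choose(self, client_ip):
        return next(self._next)

class SourceIpStickyFarm:
    """The same farm behind a source-IP sticky group: the first request from a
    client is load balanced, the choice is recorded in a sticky table, and every
    later request from that address reuses the entry (one entry per client IP)."""
    def __init__(self, targets):
        self._predictor = RoundRobinFarm(targets)
        self._table = {}   # sticky table: client_ip -> rserver

    def choose(self, client_ip):
        target = self._table.get(client_ip)
        if target is None:
            target = self._predictor.choose(client_ip)
            self._table[client_ip] = target
        return target

    def entries(self):
        return len(self._table)

def targets_seen(farm, client_ip, requests=6):
    """Distinct rservers one client is sent to over several requests. With the
    redirect-rserver design this is the set of /1, /2, /3 URLs the browser
    bounces between; with stickiness it collapses to a single one."""
    return {farm.choose(client_ip) for _ in range(requests)}

def sticky_demo(clients=("10.0.0.5", "10.0.0.6")):
    """Run several requests per (constructed) client through a sticky farm and
    report each client's target set plus the sticky table size."""
    farm = SourceIpStickyFarm(REDIRECT_TARGETS)
    seen = {ip: targets_seen(farm, ip) for ip in clients}
    return seen, farm.entries()
```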
ACE 4710 dramatically increasing Sticky entries
Hello,
When I do a "show resource usage" on my ACE 4710 / SW Version A3(2.5) I see the Sticky entries increasing permanently.
Resource Current Peak Min Max Denied
sticky 50758 62348 65536 0 0
When I have a look at the ANM managing the box, I see that over the last days the current value was around 25000 / 27000 max.
I look for a method to discover by what sticky definition or by what function / realserver the most increasing counters / entries are caused.
When I use the sh sticky database .... I see the lists for a group or a specific realserver / client, but I miss a "show top clients / rservers / rules" that shows what generates the big sticky table....
Any good tip how to troubleshoot that will be appreciated.
Regards
Gerhard
Hello Surya,
Thank you for your response. I use a mix of different persistence methods:
For some of the services source-ip based, for others cookie-based, and for some others I look at a special http header field... So it would be interesting to find out for which of the methods the sticky entries grow... Because I see the counter rising since 2nd Oct 2:00 am... before it was never so high...
Regards
Gerhard -
HTTP Redirect based upon SRC IP Address
Is there a way to perform an http redirect based upon user's source IP address on the CSM/GSS environment?
Logic:
IF < src ip address is within exception list > THEN
http redirect to URL2
ELSE
http to URL1
END
Is there a version of this solution (redirect by client source IP) for the CSS?
I'm attempting to redirect clients from a few specific networks (source IPs) to the VIP of a second CSS using a service-type redirect and "prefer " ACL commands:
clause 10 permit any 1.1.1.0 255.255.252.0 destination content owner/content-rule prefer service-type-redirect
There is an "any any destination any" last clause in the ACL for the remaining source IPs. The ACL is applied to the incoming circuits leading to the webservers.
A show of the ACLs shows all responses - no matter the client source IP - being caught by the permit any clause at the end of the ACL.
Extra points: this is a one-arm design with source group destination applied (to return server traffic to the CSS) and traffic is https with SSL terminating at the servers (no SSL module). Content rules are set to be sticky for srcip. Both CSSs are answering content-based DNS queries for the same URL with their local VIP address (but controlling which DNS server clients query isn't readily possible, so static proximity using DNS didn't provide the answer).
Each CSS is in a different data center: the idea is to keep traffic local by redirecting non-local traffic to its "local" (the other) CSS if services are active (and to keep traffic on the first CSS if the services at the redirected-to CSS are down).
Don't want too much, do I? ;-)
Thanks for everyone's time -
-K. -
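The IF/ELSE logic in the question, worked through as an added Python example (not code from the thread or from any Cisco product): a first-match clause list keyed on the client's source prefix, the resulting 302 with the request path preserved, and a check for clauses shadowed by an earlier catch-all. URL1, URL2, the 192.0.2.0/24 exception network and the client addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders, not values from the thread.
URL1 = "http://url1.example"   # hypothetical: normal service
URL2 = "http://url2.example"   # hypothetical: redirect target for exception clients

@dataclass
class Clause:
    seq: int                      # clause number; evaluated in ascending order
    source: str                   # source prefix, "0.0.0.0/0" meaning "any"
    redirect_to: Optional[str]    # None = serve locally, else redirect base URL

def first_match(clauses, client_ip):
    """Return the lowest-numbered clause whose source prefix contains client_ip
    (first-match semantics, as an ACL or first-match policy applies them)."""
    ip = ipaddress.ip_address(client_ip)
    for c in sorted(clauses, key=lambda c: c.seq):
        if ip in ipaddress.ip_network(c.source):
            return c
    return None

def handle_request(clauses, client_ip, path):
    """Decide the response for one request: a 302 to URL2 (path preserved)
    for clients in an exception network, otherwise serve from URL1."""
    c = first_match(clauses, client_ip)
    if c is None or c.redirect_to is None:
        return {"status": 200, "served_from": URL1 + path}
    return {"status": 302, "location": c.redirect_to + path}

def shadowed_clauses(clauses):
    """Sequence numbers of clauses that can never match because an earlier
    clause already covers their whole source prefix. A catch-all ordered
    before a specific clause sends every client to the same rule."""
    ordered = sorted(clauses, key=lambda c: c.seq)
    result = []
    for i, c in enumerate(ordered):
        net = ipaddress.ip_network(c.source)
        if any(net.subnet_of(ipaddress.ip_network(e.source)) for e in ordered[:i]):
            result.append(c.seq)
    return result

# Constructed policy: exception list first, catch-all last.
POLICY = [
    Clause(10, "192.0.2.0/24", URL2),
    Clause(20, "0.0.0.0/0", None),
]
```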
Full URL re-direct with ACE 4710
Is there any way to perform a redirect on the ACE 4710 so that a request sent to the domain mydomain.com is redirected to www.mydomain.com? This is so that an installed SSL certificate will match.
Thanks
Thank you for your response, but the redirect would occur before any encryption.. for example today this is what happens
someone goes to
http://www.mydomain.com
and the ACE redirects the connection to
https://www.mydomain.com
What I want is for someone to go to
http://mydomain.com (without the www) and for it to redirect to
http://www.mydomain.com which will in turn redirect to https://www.mydomain.com
or it can just redirect to https://www.mydomain.com
So the encryption will not occur until it is redirected to the correct website
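The redirect chain described above, as an added Python example (not ACE configuration and not code from the thread): the two-hop path from the bare host via http://www.mydomain.com to https://www.mydomain.com, the direct-to-https variant the poster also mentions, and a follower that turns a non-terminating chain into an error. The `direct_to_https` switch and the path-preserving behaviour are assumptions for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit

BARE_HOST = "mydomain.com"           # hostname from the question
CANONICAL_HOST = "www.mydomain.com"  # hostname the SSL certificate is issued for

def redirect_for(url, direct_to_https=False):
    """Return the Location header for a request, or None if no redirect is
    needed. Default is the two-hop chain from the question:
      http://mydomain.com/p -> http://www.mydomain.com/p -> https://www.mydomain.com/p
    With direct_to_https=True the bare host goes straight to the https URL.
    Path and query are carried over so the client lands on the page it asked for.
    Note that a request already sent as https://mydomain.com has hit the
    certificate mismatch before any redirect can be issued."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.hostname == BARE_HOST:
        scheme = "https" if direct_to_https else "http"
        return urlunsplit((scheme, CANONICAL_HOST, path, parts.query, ""))
    if parts.hostname == CANONICAL_HOST and parts.scheme == "http":
        return urlunsplit(("https", CANONICAL_HOST, path, parts.query, ""))
    return None   # already https://www.mydomain.com: terminal, no further hop

def follow(url, direct_to_https=False, max_hops=5):
    """Follow the chain and return (final_url, hops). Two redirect rules that
    point at each other never terminate; max_hops turns that into an error
    instead of the browser's 'too many redirects' page."""
    hops = []
    while True:
        nxt = redirect_for(url, direct_to_https)
        if nxt is None:
            return url, hops
        hops.append(nxt)
        if len(hops) > max_hops:
            raise RuntimeError("redirect loop detected")
        url = nxt
```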