ACE 4710 Sticky analyzes
Hello,
I have running an ACE4710 with round 10 differnet Services what al needs stickyness because of the Apllication what is balanced.
There are also different Sticky settings setup.
Now in the last days I see the Sitcky Table much more growing than weeks ago.
That is easily to see by for exapmple "show stats sticky" or "sh np 1 me-stats "-slb -v"". There I see the summary of Sticky Table entries for all defintions at the whole context.
What I am missing is to get a view which of the 10 Sticky definitions are causing most of the counter increasing. Is there a change to get an overview
which of sticky definitions causes how much entries in the Sticky Table to get an idea by what service that big increase is done?
Any Idea or tipp is welcome
Thank you in advance for help.
Gerhard
Gerhard-
show sticky database group count
Issue this for each one, it will tell you what groups are using the most.
Show stats sticky also will tell you if you are starting to re-use sticky entries. This means that we are needing sticky entries prior to them timing out in the table.
Regards,
Chris
Similar Messages
-
ACE 4710 Stickiness Configuration
We have the ACE 4710 Ver. A3(2.0) configured and the load balancing is working fine. But we are having problem to keep a user session on one web server. The website is running on IIS, and it's created using ASP.NET. The user session is bouncing between the two load balancing servers. How can we configure stickiness to solve this issue? Or, what are the recommend solutions?
Here is an example of a sticky config. This will sticky on source address.
sticky ip-netmask 255.255.255.255 address source WebSeal_Sticky
replicate sticky
serverfarm WebSeal_Farm
Then apply it-
policy-map type loadbalance first-match WebSeal-Virtual-Server-l7slb
class class-default
sticky-serverfarm WebSeal_Sticky
policy-map type loadbalance first-match WebSeal_HTTPS-l7slb
class class-default
sticky-serverfarm WebSeal_Sticky
Also check out the configuration guide.
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html
Hope that helps. -
ACE 4710 Sticky Database question
Hello,
I am considering using IP sticky timeout, but have a quick question about the database, is the 800,000 sticky connection per appliance or per context?
Thanks,
DaveHi Dave,
"Sticky table entries 800,000" this is per appliance.
You can distibute this resource based on usage per context.
regards,
Ajay Kumar -
ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?
Hello all, I'm new to the ACE 4710 and need to know some details about stickyness.
As background, we are a small company with a SaaS product and a pair of webservers.
I have set up the loadbalancing default L7 Load-balancing rule to sticky based on a Cookie based Stickey Group.
That seems to be working and session traffic is sticking to a server during the user's session.
Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work little to no tranining on this hardware and no budget at this point to pay someone else for configuration and setup.
I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
Hopefully this request makes sense.
Thanks,
Mark Steeves.Daniel,
Thanks for the reply, but I cannot reach the URL you included. It gives me a 403.
Therfore without reading the article, I wanted to ask if the proper setup would be:
1. Default L7 load-balancing action: Primary action: Sticky: Stickey Group using
Type = HTTP Header: Header name = Host
2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
Using this setting in testing, it looks like all the traffic keeps going to 1 server only. Granted there is not much traffic t the servers, but I have 2 different url being tested. url1.ourdomain.com & url2.ourdomain.com
If you have another link for the above document, please let me know.
Thanks,
Mark Steeves. -
ACE 4710 dramatically increasing Sticky entries
Hello,
When I do a "show resource usage" on my ACE 4710 / SW Version A3(2.5) I see the Sticky entries increasing peramanently.
Resource Current Peak Min Max Denied
sticky 50758 62348 65536 0 0
When I have a look to the ANM managing the box I see the last days the current value was round about 25000 / 27000 max.
I look for a method to discover by what sticky definition or by what function / realserver the most increasing counters / entries are caused.
When I use the sh sticky database .... I see the lists for group or a special realserver / client but I miss sh show top clients / rservers / rules what generates the big sticky table....
Any good tipp how to troubleshoot that will be appreciated.
Regards
GerhardHello Surya,
Thank you for your response. I us a mix of different persistance Methods:
For some of the services source-ip based, for other, Cookie-based, and for some other I look on a special http header field... So it would be interesting to find out for what of the methods ths sticky entries grows...Because I see the counter rising since 2nd Oct 2:00 am... before it was never so high...
Regards
Gerhard -
ACE 4710 Can not confirm http cookie sticky connections
We are using a ACE 4710 with A3(2.6) software release.
I had to change our sticky load balancing method for HTTPS to cookie based.
However while connections appear to work if I look at the sho sticky database table I can not see or confirm sticky entries for the cookie based connections.
Here or config snippets to show the config
sticky http-cookie ghh-www scook-ghh
cookie insert browser-expire
serverfarm ghh-www-443
class-map match-all ghh-www-443_CLASS
2 match virtual-address 172.16.1.21 tcp eq https
class-map type http loadbalance match-any ghh-www-443_CLASSURL
2 match http url [.]*
policy-map type loadbalance first-match ghh-sticky-443_POLICY
class class-default
sticky-serverfarm scook-ghh
policy-map multi-match POLICY
class ghh-www-443_CLASS
loadbalance vip inservice
loadbalance policy ghh-sticky-443_POLICY
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAMAnother point: please check whether your servers are listening only for HTTPS traffic or also for HTTP traffic:
in the first case the ACE will have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and then re-encrypt it and send it to the server
in the second case the ACE would have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and send it out as it is unencrypted to the server
the second solution would have the benefit of being easier to configure and to require less resoucerces both on the ACE (only decryption to be performed) and on the servers (no need for SSL operations at all there) but it might be that your company or business sector have requirements for which this traffic should never flow unencrypted, in which case you would have to go for the first solution.
Here you have a config example for the first solution:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
I would not expect you to have to pay extra for importing the cert and kepair into the ace, it would be just a copy, however as Alex said that may still depend on the license agreement with the CA.
Cheers,
Francesco -
ACE 4710 SSL server LB with stickiness
I will be replacing 11500 CSS which are not doing SSL termination, just load-balancing SSL sessions terminated on servers with ACE 4710.
On their CSS config, they were doing SSL-sticky. I understand the 4710 doesn't support SSL sticky, but can perform the same function by parsing the HTTP header. Has anyone done this config before and know where/how to parse the header to look for the SSL session# and stick connections to same server?
THANKS!In Ace 2.x code GPP (Generic protocol parsing) was introduced that enables ACE to look into the Layer 4 payload.Which is how this stickiness id achieved.
details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1133923
I dont think its currently available on ACE appliance yet.
Syed -
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
Thanks....!
-Amal-Dear Kanwal,
I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
Following are my latest config :
probe http Get-Method
description Check to url access /OA_HTML/OAInfo.jsp
interval 10
faildetect 2
passdetect interval 30
request method get url /OA_HTML/OAInfo.jsp
expect status 200 200
probe udp http-8000-iRDMI
description IRDMI (HTTP - 8000)
port 8000
probe http http-probe
description HTTP Probes
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
request method get url /index.html
expect status 200 200
probe https https-probe
description HTTPS traffic
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
ssl version all
request method get url /index.html
probe icmp icmp-probe
description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
description ebsapp1.xxxx.lk
ip address 172.25.45.19
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
rserver host ebsapp2
description ebsapp2.xxxx.lk
ip address 172.25.45.20
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
serverfarm host ebsppsvrfarm
description ebsapp server farm
failaction purge
predictor response app-req-to-resp samples 4
probe http-probe
probe icmp-probe
inband-health check log 5 reset 500
retcode 404 404 check log 1 reset 3
rserver ebsapp1 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
rserver ebsapp2 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
sticky http-cookie jsessionid HTTP-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map match-all ebsapp-vip
2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
class default-compression-exclusion-mime-type
serverfarm ebsppsvrfarm
class class-default
compress default-method deflate
sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
class ebsapp-vip
loadbalance vip inservice
loadbalance policy ebsapp-vip-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 455
interface vlan 455
ip address 172.25.45.36 255.255.255.0
peer ip address 172.25.45.35 255.255.255.0
access-group input ALL
nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int455
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
no preempt
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply me soon
Thanks....!
-Amal- -
ACE 4710: Possible to allow a user to clear counters but nothing else?
Hello all,
Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?
Thanks!Hello Brandon-
Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
i.e.
ACE# conif t
ACE(config)# role MyRole
ACE(config-role)# rule 1 permit modify feature ?
AAA AAA related commands
access-list ACL related commands
connection TCP/UDP related commands
fault-tolerant Fault tolerance related commands
inspect Appln inspection related commands
interface Interface related commands
loadbalance Loadbalancing policy and class commands
pki PKI related commands
probe Health probe related commands
rserver Real server related commands
serverfarm Serverfarm related commands
ssl SSL related commands
sticky Sticky related commands
vip Virtual server related commands
You can create a permit or deny rule, within that, create/debug/modify/monitor each feature seperately.
Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
Regards,
Chris Higgins -
ACE 4710 in bridge mode not working
I am trying to configure ACE 4710 bridge mode and I am stuck up in physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
I am not able to ping servers as well as gateway. Below are the topology and context configuration:
Router (vlan 13: IP 172.16.11.254)
|
ACE (int gig1/2)
|
L2 Switch
|
Servers (vlan 11: IP 172.16.11.1 and 11.2)
Admin Context
===========
resource-class rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
boot system image:c4710ace-mz.A3_2_4.bin
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 11,13
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 172.16.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.16.254
context test
allocate-interface vlan 11
allocate-interface vlan 13
member rc1
test Context
=========
access-list bpdu-fixup ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
rserver host srv1
ip address 172.16.11.1
inservice
rserver host srv2
ip address 172.16.11.2
inservice
serverfarm host srv
rserver srv1
inservice
rserver srv2
inservice
sticky ip-netmask 255.255.255.255 address both SG1
timeout 120
serverfarm srv
class-map type management match-any remote-mgmt
201 match protocol snmp any
202 match protocol ssh any
203 match protocol icmp any
204 match protocol http any
205 match protocol https any
206 match protocol xml-https any
class-map match-all slb-vip
2 match virtual-address 172.16.11.10 any
policy-map type management first-match remote-mgmt
class remote-mgmt
permit
policy-map type loadbalance first-match slb
class class-default
sticky-serverfarm SG1
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
interface vlan 11
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
no shutdown
interface vlan 13
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface bvi 1
ip address 172.16.11.9 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.11.254
Could you pls. suggest where I am doing wrong?
Thanks,
Pawan" I tried trunk port also but it got disabled" <----- if your L2 config is not correct, nothing will work.
What is the setup on the switch ? Trunk or access vlan ?
What is the status of the interface ? up ? down ?
Do you see something in your arp table ?
Gilles. -
ACE 4710 - Internet Explorer cannot display the webpage randomly
We have a ACE 4710 with a basic config, (see below).
When clicking on a tab from a window within Interent explorer we occasionally get an issue with it returning: "Internet Explorer cannot display the webpage" The details show "Access is denied" accessing a particular line of a javascript file.
We have put one web server out of service in the farm to make sure that this isn't a result of stickyness not quite working.
We have tested extensively by going directly to the web server directly without the load balancer and cannot reproduce the problem but we can produce the issue within a few minutes when going to the load balanced address.
Thanks in advance for any advice.
HOST-1/Admin# show run
Generating configuration....
logging enable
logging fastpath
logging standby
logging timestamp
logging trap 6
logging history 6
resource-class SLB_ResourceClass_T_R
limit-resource all minimum 10.00 maximum unlimited
resource-class sticky
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
peer hostname HOST-2
hostname HOST-1
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
shutdown
interface gigabitEthernet 1/3
description LB003
switchport access vlan 1
shutdown
interface gigabitEthernet 1/4
description LB004
switchport access vlan 2
shutdown
interface port-channel 1
port-channel load-balance src-dst-port
no shutdown
clock timezone standard GMT
switch-mode
context Admin
description SUTLB01
member SLB_ResourceClass_T_R
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe tcp probe_tcp_80
port 80
rserver host Server_S_W301
description Server_S_W301
ip address x.x.32.152
inservice
rserver host Server_S_W302
description Server_S_W302
ip address x.x.32.154
inservice
serverfarm host sfarm_T_R
description sfarm_T_R
predictor leastconns
probe probe_tcp_80
rserver Server_S_W301 80
rserver Server_S_W302 80
inservice
sticky http-cookie Cookie1 T_R_sticky_cookie
cookie insert browser-expire
timeout 3600
serverfarm sfarm_T_R
class-map match-any T_R_L4Class
2 match virtual-address x.x.33.150 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match T_R_L7policy
class class-default
sticky-serverfarm T_R_sticky_cookie
policy-map multi-match T_R_L4Policy
class T_R_L4Class
loadbalance vip inservice
loadbalance policy T_R_L7policy
loadbalance vip icmp-reply active
nat dynamic 2 vlan 1000
interface vlan 1000
ip address x.x.33.148 255.255.254.0
access-group input ALL
nat-pool 2 x.x.33.151 x.x.33.151 netmask 255.255.254.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input T_R_L4Policy
no shutdown
ip route 0.0.0.0 0.0.0.0 x.x.32.1
ssh key rsa 1024 force+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 421347 , TCP data msgs sent : 2099597
Inspect parse result msgs : 0 , SSL data msgs sent : 0
sent
TCP fin msgs sent : 6169 , TCP rst msgs sent: : 769
Bounced fin msgs sent : 5 , Bounced rst msgs sent: : 1
SSL fin msgs sent : 0 , SSL rst msgs sent: : 0
Drain msgs sent : 337811 , Particles read : 5040829
Reuse msgs sent : 0 , HTTP requests : 342499
Reproxied requests : 183422 , Headers removed : 37475
Headers inserted : 342124 , HTTP redirects : 0
HTTP chunks : 224859 , Pipelined requests : 71466
HTTP unproxy conns : 267246 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 71302 , Analysis errors : 0
Header insert errors : 22 , Max parselen errors : 215
Static parse errors : 99 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Headers rewritten : 0 , Header rewrite errors : 0
SSL headers inserted : 0 , SSL header insert errors : 0
SSL spoof headers deleted : 0 , Unproxy msgs sent : 267246
HTTP passthrough stat : 0
NOTE - We did turn on caching at one point to try and resolve the issue but it has since been turned off -
ACE 4710 HTTPS load balance configuration
Have two ACE 4710 in HA setup. We would like to setup HTTPS loadbalance(actually just a primary and standby configuration in the serverfarm). Initially this would be for Exchange OWA connections but may expand to more HTTPS connections later.
I know there are several ways to do SSL with the ACE( client, server, end-to-end). I am just wanting to know the easiest way to deploy this? Is a certificate always needed on the ACE for each connection? In HA mode would a certificate be needed for both or does it replicate in some way to the other ACE?
Any configuration examples would be helpful.
Thanks.IF you terminate SSL on the ACE you need certificates and key on ace in the context in which you are doing the termination. The certs and keys need to be installed on the active and standby (manually unless using anm to manage).
when speaking of SSL
SSL termination refers to ace terminating SSL and sending to server as clear text
end to end - ACE terminates SSL (to look into payload to make a loadbalance decision or sticky decision) and then re-encrypts to the server, so to the client ACE is an ssl server and to the server the ace is an ssl client.
You can find some config examples at
http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples -
Configuring ACE 4710 for Load Balancing Speech servers
Hello, I'm configuring ACE 4710's for the first time and I want to load balance my Nuance speech servers on port 554. Here's my configuration on ACE01:
hostname ace471001
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
rserver host nss01
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 10.20.17.21 255.255.248.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
How would I configure my speech server to isten on 554?
Thanks in advanceHello Reginald
Currently you have only basic network configuration, there is no loadbalancing config
I'm not sure what exactly you're asking about , but basically you need to have
- real servers configured on ACE (
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp999495)
- serverfarm configured on ACE (
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1014522)
- L7 policy map (
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1171109 ,
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027248 )
- L4 policy map , class-map (
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027819)
And then apply it on necessary interface.
This is a general configuration, in your specific case you may need to configure some additinal features (e.g. I think you will need to have stickiness enabled
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html but it depends on your application)
links are for old config guids , but basic is pretty much the same for all versions.
Please check them and try to narrow down your question a bit. -
SIP load balancing issue with ACE 4710
SIP Load balancing Issue with ACE 4710
I have a Cisco ace 4710 with vesion Version A4(2.2). i configued simple SIP load balancing first without stickiness. without stikeiness we are having a problem because bye packet at the was not going to the same server all the time that left our port in used even though user hang up the phone. its happen randmly. i have a total 20 licenced ports and its fill out very quickly. so i dicided to use the stickiness with call-ID but still same issue. below is the config
rserver host CIN-VOX-31
ip address 172.20.130.31
inservice
rserver host CIN-VOX-32
ip address 172.20.130.32
inservice
serverfarm host CIN-VOX
probe SIP-5060
rserver CIN-VOX-31
inservice
rserver CIN-VOX-32
inservice
sticky sip-header Call-ID VOX_SIP_GROUP
timeout 1
timeout activeconns
replicate sticky
serverfarm CIN-VOX
class-map match-all CIN_VOX_L4_CLASS
2 match virtual-address 172.22.12.30 any
class-map match-all CIN_VOX_SIP_L4_CLASS
2 match virtual-address 172.22.12.30 udp eq sip
policy-map type loadbalance sip first-match CIN_VOX_LB_SIP_POLICY
class class-default
sticky-serverfarm VOX_SIP_GROUP
policy-map multi-match GLOBAL_DMZ_POLICY
class CIN_VOX_SIP_L4_CLASS
loadbalance vip inservice
loadbalance policy CIN_VOX_LB_SIP_POLICY
loadbalance vip icmp-reply
class CIN_VOX_L4_CLASS
loadbalance vip inservice
loadbalance policy CIN_VOX_LB_SIP_POLICY
loadbalance vip icmp-reply
interface vlan 20
description VIP_DMZ_VLAN
ip address 172.22.12.4 255.255.255.192
alias 172.22.12.3 255.255.255.192
peer ip address 172.22.12.5 255.255.255.192
access-group input PERMIT-ANY-LB
service-policy input GLOBAL_DMZ_POLICY
could you please help me on this...
thanks
Rakesh PatelI mean there should be one more statement-
class-map type sip loadbalance match-any CIN_VOX_LB_SIP_POLICY
match sip header Call_ID header-value sip:
and that will be called under-
policy-map multi-match GLOBAL_DMZ_POLICY
class CIN_VOX_SIP_L4_CLASS
loadbalance vip inservice
loadbalance policy CIN_VOX_LB_SIP_POLICY
loadbalance vip icmp-reply
is that missing in your config ? -
Hi,
Pls can you help me find out where is my error in the below:
I have an ACE 4710. Also I have 2 Bluecoat Proxy SG working in proxy mode. I want the ACE to be the Load Balancer for these 2 Proxy SG. I configure the ACE as below and put the vip-address in the Internet Explorer LAN Settings but it did not work. Also I configure Policy-based Routing on the Core Switch (for any http or https traffic going through core apply set ip next-hop vip-address).
Core SW SVI:
interface Vlan56
description BC Proxy
ip address 10.0.1.33 255.255.255.224
interface Vlan57
description ACE-LB-Alias
ip address 10.0.1.65 255.255.255.224
ACE 4710:
hostname VSS-ACE-BC-01
interface gigabitEthernet 1/1
description Management
speed 1000M
duplex FULL
switchport access vlan 101
no shutdown
interface gigabitEthernet 1/2
description User Side
speed 1000M
duplex FULL
switchport access vlan 56
no shutdown
interface gigabitEthernet 1/3
description BC Proxy Side
speed 1000M
duplex FULL
switchport access vlan 57
no shutdown
interface gigabitEthernet 1/4
description Failover
speed 1000M
duplex FULL
ft-port vlan 900
no shutdown
context Admin
member sticky
access-list external line 10 extended permit ip any any
access-list external line 20 extended permit icmp any any
access-list external line 30 extended permit tcp any any
access-list external line 40 extended permit udp any any
access-list internal line 10 extended permit ip any any
access-list internal line 20 extended permit icmp any any
access-list internal line 30 extended permit tcp any any
access-list internal line 40 extended permit udp any any
probe tcp web443
port 443
interval 30
faildetect 1
passdetect interval 30
passdetect count 1
open 1
probe tcp web8080
port 8080
interval 30
faildetect 1
passdetect interval 30
passdetect count 1
open 1
rserver host BC01
ip address 10.0.1.41
inservice
rserver host BC02
ip address 10.0.1.42
inservice
serverfarm host web443
probe web443
rserver BC01
inservice
rserver BC02
inservice
serverfarm host web8080
probe web8080
rserver BC01
inservice
rserver BC02
inservice
sticky ip-netmask 255.255.255.255 address source group1
replicate sticky
serverfarm web8080
sticky ip-netmask 255.255.255.255 address source group2
replicate sticky
serverfarm web443
class-map type management match-any REMOTE_ACCESS
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
5 match protocol http any
6 match protocol snmp any
class-map match-all external-web
2 match virtual-address 10.0.1.70 any
class-map match-all external-web443
2 match virtual-address 10.0.1.70 any
class-map match-any nat-class
2 match access-list external
policy-map type management first-match REMOTE_MGMT
class REMOTE_ACCESS
permit
policy-map type loadbalance http first-match slb
class class-default
sticky-serverfarm group1
policy-map type loadbalance http first-match slb443
class class-default
sticky-serverfarm group2
policy-map multi-match external-access
class nat-class
nat dynamic 1 vlan 57
class external-web
loadbalance vip inservice
loadbalance policy slb
class external-web443
loadbalance vip inservice
loadbalance policy slb443
timeout xlate 120
interface vlan 56
description Server-Side
ip address 10.0.1.43 255.255.255.224
ip verify reverse-path
alias 10.0.1.40 255.255.255.224
peer ip address 10.0.1.44 255.255.255.224
mac-address autogenerate
access-group input internal
service-policy input REMOTE_MGMT
no shutdown
interface vlan 57
description VIP-Interface
ip address 10.0.1.67 255.255.255.224
alias 10.0.1.66 255.255.255.224
peer ip address 10.0.1.68 255.255.255.224
mac-address autogenerate
access-group input external
service-policy input external-access
service-policy input REMOTE_MGMT
no shutdown
interface vlan 101
description Management
ip address 10.220.1.131 255.255.255.0
alias 10.220.1.133 255.255.255.0
peer ip address 10.220.1.132 255.255.255.0
mac-address autogenerate
service-policy input REMOTE_MGMT
no shutdown
ft interface vlan 900
ip address 172.20.100.1 255.255.255.252
peer ip address 172.20.100.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 20
ft-interface vlan 900
ft group 1
peer 1
priority 200
peer priority 150
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 10.0.1.65I see that you used:
nat dynamic 1 vlan 57
Where is the nat pool on Vlan 57 ?
May be you can try to assign that and that should help.
Something like below:
Interface vlan 57
nat-pool 1 10.0.1.93 10.0.1.93 netmask 255.255.255.224 pat
regards,
Ajay Kumar
Maybe you are looking for
-
any one knows what is the different between JDK and Java SDK? or Java 2 SDK? what is their different generally? what are their general function? a beginner to this area
-
There's an area on iPad 4 display, where the device stopped responding to my touch.
An area on my iPad (4th gen) stopped responding to my finger touch three days ago. When I type, it multiplies the letters. I can't choose the hidden ones. I use Sketchbook, and in that 1cm wide area, I can't fill up the space with colour, and in game
-
While entering the details on Assignment form, the screen froze and eventually it stopped responding due to which I had to close the application. Now I am not able to key in any info. I keep getting a CAUTION dialogue box with message *'Could not res
-
Need help to reinstahl CS3+ jpg CS5 in Mavevick?
I Need help to reinstahl CS3+ jpg CS5 in Mavevick, apple site says is ok, adobe site also but my cds do not instal, cmputer Imac2,66 GHz intel core i5- 4GB 1067 mhz DDR r ?
-
Code to load VRML into java3d (10 dukes availble) please
Im trying to load a VRML file into java 3d but have had no sucess if someone please pots some code to do this it would be a massive help. Ive been struggling for a long time now trying to do this so theres 10 duke points up for grabs if your interest