ACE behind Reverse Proxy - performance issue

Hi,
  I've got a config working to accommodate the required use of reverse proxy servers in front of my application servers.  Traffic comes into the Front ACE and I insert a header "SRCIP" with the original client IP address which is preserved through the Rev Proxy servers and is then inspected on the Back ACE to create a sticky to a given application server/SRCIP pairing.  The use of the RP's appears to require using the persistence-rebalance option, otherwise the traffic gets stuck to the wrong app server.  The app functions perfectly with this config; however, there is a severe performance impact.  Using load-runner, we see response times go from 1.5 seconds to 16 seconds for the same transactions comparing this config to a previous config which used static sticky to bind the RP to the app servers.
Question:  Is there a better way to do this and remain dynamic, or some way to optimize this approach to reduce the performance impact?
Relevant Config for both ACE's here:
!!Front ACE
parameter-map type http HTTP_REBAL
  persistence-rebalance
  length-exceed continue
sticky ip-netmask 255.255.255.255 address source ALPHA-SRCIP-sticky
  timeout 60
  replicate sticky
  serverfarm ALPHA
policy-map type loadbalance first-match vip-R1A-ALPHA
  class class-default
    sticky-serverfarm ALPHA-SRCIP-sticky
    insert-http SRCIP header-value "%is"
policy-map multi-match PREP-VIP
  class VIP-ALPHA-R1A
    loadbalance vip inservice
    loadbalance policy vip-R1A-ALPHA
    appl-parameter http advanced-options HTTP_REBAL
    ssl-proxy server SSL_ALPHA_R1A
!!Back ACE
parameter-map type http HTTP_REBAL
  persistence-rebalance
  length-exceed continue
sticky http-header SRCIP ALPHA-SRCIP-sticky
  timeout 60
  replicate sticky
  serverfarm coresoms-ALPHAfarm
class-map type http loadbalance match-all SRCIP-MAP
  2 match http header SRCIP header-value ".*"
policy-map type loadbalance first-match vip-lb-ALPHA
  class SRCIP-MAP
    sticky-serverfarm ALPHA-SRCIP-sticky
policy-map multi-match lb-vip
  class VIP-ALPHA
    loadbalance vip inservice
    loadbalance policy vip-lb-ALPHA
    appl-parameter http advanced-options HTTP_REBAL

Hi Joseph,
To achieve this you need to do stickiness based on some L7 parameter (either the header you are currently using or some cookie), so, whatever you do you will have to use persistence rebalance.
I have one possible theory for your issue.
The ACE has two different ways of treating the L7 connections internally, that we call "proxied" and "unproxied". In essence, the proxied mode means that the traffic will be processed by one of the CPU (normally to inspect/modify the L7 data), while, on the unproxied mode, the ACE sets up a hardware shortcut that allows forwarding traffic without the need to do any processing on it.
For a L7 connection, the ACE will proxy it at the beginning, and, once all the L7 processing has been done, it will unproxy the connection to save resources. Before it goes ahead with the unproxying, it needs to see the ACK for the last L7 data sent. This wait, in an Internet environment, can introduce around 100-200ms of delay for each HTTP request, which can end up adding up to a very big delay. By default, if the ACE sees that the RTT to the client is more than 200ms, the connection will never be unproxied to avoid these delays, so I think we could fix your issue by tweaking this threshold.
From what you described, I assume you don't have many connections (because they all come through a proxy) and that the connections will have a lot of HTTP requests inside. With that in mind, I would suggest setting the threshold to 0 to ensure connections are always kept proxied. To do this, you would need to configure a parameter map like the one below and add it to your VIP:
    parameter-map type connection
      set tcp wan-optimization rtt 0
Even though this setting may avoid your issue, it also has some drawbacks. The main one is that the ACE20 only supports up to 512K simultaneous L7 connections in proxied state (which includes also the connections towards the servers, so, it would be 250K for client connections), so, if the amount of simultaneous connections reaches that limit, new connections would be dropped. The second issue, although not so impacting, would be that the maximum number of connections per second supported would also go down slightly due to the increased processing needed.
I hope this helps
Daniel
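
The behaviour discussed in this thread (many clients multiplexed by the reverse proxy onto a few persistent connections, with stickiness keyed on the SRCIP header) can be modelled as below. This is an added example, not code from the original posts and not ACE internals: the server names, client addresses, round-robin choice and the "inspections" counter are assumptions made for illustration.

```python
"""Simplified model of the Back ACE decision: sticky on the SRCIP header,
with and without per-request rebalancing on persistent proxy connections."""
from itertools import cycle

SERVERS = ["app1", "app2", "app3"]  # constructed server farm (assumption)

# Constructed sample: two TCP connections from the reverse proxy, each
# carrying requests from several clients (one SRCIP value per HTTP request).
SAMPLE_CONNECTIONS = [
    ["10.0.0.1", "10.0.0.2", "10.0.0.1"],
    ["10.0.0.2", "10.0.0.3", "10.0.0.1"],
]


class HeaderSticky:
    """Sticky table keyed on a header value; new keys are assigned round-robin."""

    def __init__(self, servers):
        self._next = cycle(servers)
        self.table = {}

    def pick(self, key):
        if key not in self.table:
            self.table[key] = next(self._next)
        return self.table[key]


def balance(connections, rebalance):
    """Return ([(srcip, server), ...], inspections).

    rebalance=False: the L7 decision is taken on the first request of a
    connection and every later request on that connection follows it.
    rebalance=True: every request is inspected and sent to the server its
    SRCIP is stuck to (the persistence-rebalance behaviour).
    'inspections' counts how many requests needed an L7 lookup.
    """
    sticky = HeaderSticky(SERVERS)
    routed, inspections = [], 0
    for conn in connections:
        conn_server = None
        for srcip in conn:
            if rebalance or conn_server is None:
                conn_server = sticky.pick(srcip)
                inspections += 1
            routed.append((srcip, conn_server))
    return routed, inspections


def misrouted(routed):
    """Clients whose requests landed on more than one application server."""
    seen = {}
    for srcip, server in routed:
        seen.setdefault(srcip, set()).add(server)
    return sorted(ip for ip, servers in seen.items() if len(servers) > 1)


if __name__ == "__main__":
    for mode in (False, True):
        routed, inspections = balance(SAMPLE_CONNECTIONS, rebalance=mode)
        print(f"rebalance={mode}: inspections={inspections}, "
              f"misrouted clients={misrouted(routed)}")
```

Without rebalancing, a client's server depends on which proxy connection happened to carry the request; with it, every request pays for an L7 lookup, which is the processing cost the reply above is trying to reduce.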

Similar Messages

  • ACE 4710 - 'reverse proxy' infront of serverfarm - fail-over/sorry server design issue

    Hi All,
    I'm working on a specific config and have an issue in the backup farm/fail-over/sorry server area.
    The customer wants the following:
    They have an existing serverfarm with X web servers, they want a single server to act as a reverse-proxy in front of the farm.
    So that all traffic goes through that server, that server then forwards the request to the original serverfarm.
    The problem in my design is in the fail-over: if I configure the reverse-proxy server in a new serverfarm and use the original (web servers) farm as backup it has fail-over, but if the reverse-proxy AND the original serverfarm fail, there is no nice way to get the users on a sorry server.
    I could give the original serverfarm's rservers a 'backup standby' server but that won't give the desired effect either.
    For maintenance they first take 50% of the servers offline and switch to the other 50% after that, so then users would see a sorry page even if there were operational servers left in the farm.
    The 4710's are running routed mode, and the farms use Sticky Cookie, and also some http URL & Cookie matching is done.
    Anyone have an idea how to build this?

    Hi,
    It needs additional testing, but as per my understanding, if you put the backups in this order then the last backup server will be chosen first.
    In your case it will be like "RSERVER1 >> backup sorry server >> backup web content".
    As per the below example:
    I put test2 as first backup server and test1 as second backup server, but if you look at the first part it took rserver test1 as first backup.
    serverfarm host 1313-GIN-GWAP-SDC-80
      rserver RSERVER1
        backup-rserver test1
        inservice
      rserver test1
        inservice standby
      rserver test2
        inservice standby
    regards,
    Ajay Kumar

  • How to change Script path for Reserved.ReportViewerWebControl.axd when working behind reverse proxy?

    Hi,
    My application works behind a reverse proxy which has policies for secure and unsecure areas of the application. The Architecture and Infra team is not willing to allow any root level policies in any case.
    When the report viewer control is rendered on the page, it adds a reference to the HTTP handler Reserved.ReportViewerWebControl.axd in the script tag and the URL is at the root level. Unfortunately, unlike other AjaxControlToolkit web resources, I cannot modify the URL to refer to the local script using ScriptManager.
    Do we have any other property / means by which I can get this altered?
    It is so unfortunate that the Microsoft.ReportViewer.WebForms assembly resources like scripts etc. are not exposed as webresource at the assembly level and there is no way to modify this.
    Does anyone have any solution to this?
    Appreciate your help
    Thanks in advance
    Badal

    Hi Badal,
    Thank you for your question.
    I am trying to involve someone more familiar with this topic for a further look at this issue. Sometime delay might be expected from the job transferring. Your patience is greatly appreciated.
    Thank you for your understanding and support.
    Thanks,
    Alisa Tang
    TechNet Community Support

  • O-Portal behind reverse proxy, aliasing of o-portal url to generic url.

    I'd like to setup o-Portal behind a reverse proxy. This is a proxy service which accepts connections on http://a.b.com/ and gets the content from internal webservers based on the url. For example http://a.b.com/pls/DAD1 comes from an o-Portal server but http://a.b.com/depts/ comes from a webserver. The problem with o-Portal is now, that it creates pages with its servername and port in the URL of the pages it serves out. For example, if it runs on server x.b.com on the port 7777 the links on all pages are http://x.b.com:7777/pls/DAD1. To get it to work correctly with my proxy, all these links should be http://a.b.com/pls/DAD1 and then the proxy gets the pages from http://x.b.com:77777/pls/DAD1.
    How do I tell o-Portal to create this different URL in its pages? You could also say, I'd like to alias http://a.b.com/pls/DAD1 to http://x.b.com:77777/pls/DAD1
    I'm sure there is a configuration setting to change this. We had the same problem with Oracle HR11i and there we got it solved.
    Web Single Sign On applications like IBM WebSeal or Netegrity Siteminder use these kind of proxies to protect the intranet and to create a Single Sign On domain for all web servers.
    Thanks,
    Rainer

    I also would like overcome this issue. I could not find an answer anywhere on Metalink or OTN.
    Can a reverse-proxy (i.e. using ProxyPass & Reverse) be used with an internal Portal?
    John Z
    Butler Mfg. Co.
    [email protected]

  • ACE 4710, reverse proxy?

    Hello All,
    Please forgive my ignorance but can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB but SLB is not a requirement at this time. Thanks for your input.

    Hi Mate,
    The reverse proxy servers can perform many tasks, like:
    Note: this info from Wikipedia: http://en.wikipedia.org/wiki/Reverse_proxy
    Reverse proxies can hide the existence and characteristics of the origin server(s), The ACE will do that.
    Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult, The ACE has some built-in security features, you can refer to this document for full detail:
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/security/guide/securgd.html
    In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware. The ACE can do this:
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/ssl/guide/sslgd.html
    A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource. The ACE can do that perfectly.
    A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator. A reverse proxy can optimize content by compressing it in order to speed up loading times. Please check this link for more detail about ACE Application Acceleration and Optimization:
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/app_acc_and_opt/guide/appaccoptgd.html
    Best regards,
    Ahmad

  • Reverse proxy j_security_check issue

    Hi,
    We have a Web Dynpro for Java application.  It is accessed in the intranet as
    http://intra.abc.com:50000/webdynpro/dispatcher/abc.com/wdapp/WDApp1
    The same application is being accessed from internet as
    http://inter.abc.com/app1
    We use Apache Reverse Proxy.  The settings defined are:
    ProxyPass /app1 http://intra.abc.com:50000/webdynpro/dispatcher/abc.com/wdapp/WDApp1
    ProxyPassReverse  /app1 http://intra.abc.com:50000/webdynpro/dispatcher/abc.com/wdapp/WDApp1
    This was working fine in NW04 version.  In Netweaver 7.1 version, we get a 404 error -
    http://inter.abc.com/j_security_check
    What could be the reason for the error?  Is there anything required to be done in Reverse Proxy server?  Or anything needed to be configured in Netweaver Administrator?
    Please revert immediately.
    Thanks and regards,
    Ravi

    "Michael Young" <[email protected]> wrote in message
    news:[email protected]..
    Hi.
    FWIW you might try posting your issue to the weblogic.developer.interest.plug-in newsgroup -
    folks there may be more familiar with this issue.
    Your configuration looks ok to me. You might try turning Debug to On in your setup and take a
    look at the generated /tmp/wlproxy.log file to confirm your suspicions. If the log file
    confirms this then you may want to open a case with support.
    Thanks,
    Michael
    Kevin Taylor wrote:
    I am using Solaris 8, WebLogic 6.1sp2 and Apache 1.3.12. I am trying to
    get j_security_check
    posts to get proxied to WL. The *.jsp and *.html requests are currently being
    proxied correctly.
    When my html login form posts to action="j_security_check" and I go through Apache,
    Apache throws a 404 error. If I bypass Apache by using port 7001 in the URL, WL
    throws a 505 error. So, it is apparent that Apache is not attempting to proxy
    the j_security_check requests to WL. I have attached my settings from httpd.conf:
    >>
    <IfDefine SSL>
    <Location /j_security_check>
    SetHandler weblogic-handler
    PathTrim /j_security_check
    </Location>
    </IfDefine>
    <IfModule mod_weblogic.c>
    WebLogicHost sun01
    WebLogicPort 7001
    MatchExpression *.jsp
    MatchExpression *.html
    </IfModule>
    TIA.
    --kevin--
    Michael Young
    Developer Relations Engineer
    BEA Support

  • ACE SSL Reverse Proxy for multiple URLs

    Hi,
    I am trying to set up an ACE as a reverse proxy (one-arm mode) for HTTPS connections for multiple URLs to multiple serverfarms. From what I know, I have two options:
    1. Use a different VIP for each URL and do L4 loadbalancing, or use a combination of IP address and port.
    2. Use a different VIP for each URL, do SSL offloading and do L7 URL based loadbalancing.
    So with these options I am bound to use different IPs for each site. Is there a way I can use one VIP and then offload SSL and do URL based loadbalancing? From my knowledge we are restricted by the nature of SSL. The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the problem is that the SSL session is a separate transaction that takes place before the HTTP session even starts, so there is no visibility of the HTTP header.
    Any comments appreciated
    George Georgiou

    George,
    your understanding is absolutely correct.
    We need to know the site in order to decrypt the traffic because the certificate is associated to a domain name.
    But without decrypting, we can't see the domain name.
    So, the only way to know the domain without decrypting is to allocate a single ip to each domain.
    There is no other solution.
    Gilles.

  • ACE as Reverse Proxy

    Can ACE function as reverse proxy without the ACE Web application Firewall?

    Hi,
    If you configure source NAT on all of the client traffic, the ACE will act more or less like a reverse proxy requesting the data from the server using the configured NAT IP instead of the client original one.
    Just keep in mind that the ACE won't ever do any caching whatsoever so you can forget about it if this is what you are looking for.
    Regards,
    Nicolas

  • CSS110501 - CE590 (ACNS 5.1), reverse proxy config issue

    Guys,
    I'm trying to get the following to work:
    Client on internet (no explicit proxy config) is connecting to a webserver. The VIP resides on the CSS which has a reverse proxy config pointing to the CE590.
    |Client|
    |
    |
    | CSS |----------| CE590 |
    |
    |
    | Web |
    I used the config from the Cisco web, but I can't get it to work.
    I can connect to the webserver, but it looks like the CE590 is not acting as a proxy, at least not completely.
    Because it looks like it 'hangs' on collecting the graphics.
    This is my config on the CSS:
    service bktpce1
    protocol tcp
    port 80
    no cache-bypass
    ip address 192.168.0.2
    type transparent-cache
    active
    eql cacheable
    description "This EQL contains extensions of cacheable content"
    extension pdf "Acrobat"
    extension fdf "Acrobat Forms Document"
    extension au "Sound audio/basic"
    extension bmp "Bitmap Image"
    extension z "Compressed data application/x-compress"
    extension gif "GIF Image image/gif"
    extension html "Hypertext Markup Language text/html"
    extension htm
    extension js "Java script application/x-javascript"
    extension mocha
    extension jpeg "JPEG image image/jpeg"
    extension jpg
    extension jpe
    extension jfif
    extension pjpeg
    extension pjp
    extension mp2 "MPEG Audio audio/x-mpeg"
    extension mpa
    extension abs
    extension mpeg "MPEG Video video/mpeg"
    extension mpg
    extension mpe
    extension mpv
    extension vbs
    extension m1v
    extension pcx "PCX Image"
    extension txt "Plain text text/plain"
    extension text
    extension mov "QuickTime video/quicktime"
    extension tiff "TIFF Image image/tiff"
    extension tar "Unix Tape Archive application/x-tar"
    extension avi "Video for Windows video/x-msvideo"
    extension wav "Wave File audio/x-wav"
    extension gz "application/x-gzip"
    extension zip "ZIP file application/x-zip-compressed"
    content p_cm_vip-prod-appl-www
    protocol tcp
    port 80
    vip address 123.13.112.56
    add service x-appl-server1
    active
    content p_nc_vip-prod-appl-www
    sticky-inact-timeout 15
    add service x-appl-server1
    port 80
    url "/*"
    protocol tcp
    vip address 123.13.112.55
    active
    content p_rp-vip-http-web
    protocol tcp
    port 80
    url "/*" eql cacheable
    add service bktpce1
    vip address 123.13.112.55
    active
    This is the config on the CE590:
    ! ACNS version 5.1.15
    http proxy outgoing host 123.13.112.56 80 primary
    http l4-switch enable
    interface FastEthernet 0/0
    ip address 192.168.0.2 255.255.255.248
    no autosense
    bandwidth 100
    full-duplex
    no cdp enable
    exit
    ip default-gateway 192.168.0.1
    no bypass load enable
    rule action use-proxy 123.13.112.56 80 pattern-list 1 protocol all
    Do I need to configure something else?
    Regards,
    Edwin

    I can see traffic hitting the VIPs:
    p_cm_vip-prod-ap Active x-appl-server1 5827
    p_nc_vip-prod-ap Active x-appl-server1 1574
    p_rp-vip-http-we Active bktpce1 1149
    When I look in the apache error logs there are no entries.
    When I look in the apache access logs I only see the following entries from my client host:
    82.4.195.39 - - [02/Aug/2005:10:24:37 +0200] "GET / HTTP/1.1" 200 5296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    82.4.195.39 - - [02/Aug/2005:10:24:37 +0200] "GET /outerframe.php?language=NL&strSiteCountry=NL&BRCHERKOMST=BRC HTTP/1.1" 200 3624 "http://preprod.daarginds.nl/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    82.4.195.39 - - [02/Aug/2005:10:24:37 +0200] "GET /main.php?language=NL&strSiteCountry=NL&BRCHERKOMST=BRC HTTP/1.1" 200 36569 "http://preprod.daarginds.nl/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    82.4.195.39 - - [02/Aug/2005:10:24:37 +0200] "GET /js/dropdown_initialize.js.php?language=NL&strSiteCountry=NL&BRCHERKOMST=BRC HTTP/1.1" 200 228 "http://preprod.daarginds.nl/main.php?language=NL&strSiteCountry=NL&BRCHERKOMST=BRC" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    82.4.195.39 - - [02/Aug/2005:10:24:37 +0200] "GET /js/dropdownC.js.php?language=NL&strSiteCountry=NL&BRCHERKOMST=BRC HTTP/1.1" 200 15928 "http://preprod.daarginds.nl/main.php?language=NL&strSiteCountry=NL&BRCHERKOMST=BRC" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    82.4.195.39 - - [02/Aug/2005:10:24:37 +0200] "GET /css/daarginds.css HTTP/1.1" 304 - "http://preprod.daarginds.nl/main.php?language=NL&strSiteCountry=NL&BRCHERKOMST=BRC" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    When I do a tcpdump on destination port 80 on the server, I see the following:
    preprod.daarginds.nl.http: . ack 52149 win 64860 (DF)
    10:34:05.957776 82.4.195.39.6242 > preprod.daarginds.nl.http: . ack 10204 win 64860 (DF)
    10:34:06.058767 82.4.195.39.6242 > preprod.daarginds.nl.http: P 1403:1905(502) ack 10204 win 64860 (DF)
    10:34:06.058777 82.4.195.39.6243 > preprod.daarginds.nl.http: R 1064:1064(0) ack 53295 win 0 (DF)
    10:34:06.070434 82.4.195.39.6242 > preprod.daarginds.nl.http: R 1905:1905(0) ack 10372 win 0 (DF)
    10:34:27.020617 192.168.0.2.55444 > preprod.daarginds.nl.http: S 1662943048:1662943048(0) win 5840 (DF)
    10:34:27.020866 192.168.0.2.55444 > preprod.daarginds.nl.http: . ack 155787170 win 5840 (DF)
    10:34:27.020889 192.168.0.2.55444 > preprod.daarginds.nl.http: F 0:0(0) ack 1 win 5840 (DF)
    10:34:27.021240 192.168.0.2.55444 > preprod.daarginds.nl.http: . ack 2 win 5840 (DF)
    So the CE is hitting the webserver (although not shown in the apache log files).
    But the 192.168.0.2 you see with the tcpdump is listed every 60 sec, and this is the is-a-live test of the CE.....
    You don't see an entry in tcpdump or in the apache log files when hitting the server with a browser.
    Edwin

  • Reverse proxy weblogic issue

    Dear All,
    I had a working setup with libproxy.so and weblogic 8.1 version; after the upgrade of my weblogic version to 11g my web server is not working with libproxy.so.
    Then I tried the option through the iPlanet console and created the new instance.
    I went to the reverse proxy option; for the URI prefix I gave / and for the server name appserver:8111.
    Now my problem is that when I try through my web server, https://mywebserver.com/, it is responding but I am not getting the correct page.
    I want it to redirect https://mywebserver.com to https://mywebserver.com/test and it should get the page from my origin server appserver:8111/test.
    I tried to put appserver:8111/test while creating the reverse proxy, but it does not allow creating it through the console.
    If anyone can help me out, please.

    I am able to do the configuration but I am getting a strange error: it is looping in Internet Explorer, and in Mozilla it is working without any problem. Please see the logs:
    10.129.12.15 - - [14/Aug/2011:16:20:05 +0400] "GET /testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestblank.htm HTTP/1.1" 302 0
    10.129.12.15 - - [14/Aug/2011:16:20:05 +0400] "GET /test/images/whatsnewtop.jpg HTTP/1.1" 304 0
    10.129.12.15 - - [14/Aug/2011:16:20:05 +0400] "GET /test/images/new2.gif HTTP/1.1" 304 0
    10.129.12.15 - - [14/Aug/2011:16:20:05 +0400] "GET /test/arrow.gif HTTP/1.1" 304 0
    10.129.12.15 - - [14/Aug/2011:16:20:10 +0400] "GET /test/EBISessionInvalidator.jsp HTTP/1.1" 302 269
    10.129.12.15 - - [14/Aug/2011:16:20:10 +0400] "GET /test/logout.jsp HTTP/1.1" 200 727
    My obj.conf
    <Object name="default">
    AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
    NameTrans fn="map" from="/test" name="reverse-proxy-/test" to="http:/test"
    NameTrans fn="redirect" from="/" url-prefix="/test"
    PathCheck fn="uri-clean"
    PathCheck fn="check-acl" acl="default"
    PathCheck fn="find-pathinfo"
    PathCheck fn="find-index-j2ee"
    PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
    ObjectType fn="type-j2ee"
    ObjectType fn="type-by-extension"
    ObjectType fn="force-type" type="text/plain"
    Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
    Error fn="error-j2ee"
    AddLog fn="flex-log"
    </Object>
    <Object ppath="http:*">
    Service fn="proxy-retrieve" method="*"
    </Object>
    <Object name="j2ee">
    Service fn="service-j2ee" method="*"
    </Object>
    <Object name="es-internal">
    PathCheck fn="check-acl" acl="es-internal"
    </Object>
    <Object name="cgi">
    ObjectType fn="force-type" type="magnus-internal/cgi"
    Service fn="send-cgi"
    </Object>
    <Object name="send-precompressed">
    PathCheck fn="find-compressed"
    </Object>
    <Object name="compress-on-demand">
    Output fn="insert-filter" filter="http-compression"
    </Object>
    <Object name="reverse-proxy-/test">
    Route fn="set-origin-server" server="http://appserver:8111"
    </Object>

  • ACE SSL Proxy performance issue

    Hi, I've got an ACE module in a 6500 that is being used as an SSL Proxy for a web service.
    So the configuration is fairly basic: it matches a VIP which has been NAT'ed from the public IP address port 443 and load balances over a number of rservers with the server ports being set to 80.
    The problem is the main web site is hosted elsewhere, and so when they switch to checkout on a secure port the browser page requests multiple https:// files.
    The users are seeing very slow page loads, a considerable amount longer than the equivalent on http and more than you'd expect. The ACE is nowhere near any throughput or transaction limits.
    My concern is on how the session is tracked: would the ACE attempt to renegotiate with every https:// get? I've seen example configs for stickiness inserting cookies for normal end-end load balancing but not with an SSL proxy configuration.
    Sent from Cisco Technical Support iPad App

    Hi Craig,
    The SSL negotiation/handshake will happen every time a client opens a new TCP connection, i.e. comes with a different source port.
    To make sure that ACE doesn't renegotiate you can try and use this command:
    (config-parammap-ssl)# session-cache timeout . You can use 24 hours or anytime you think is suitable.
    This is basically to enable SSL session reuse. A little explanation below for your reference:
    When client connects to a server over SSL, the server creates a session for that connection. This session ID is sent as a part of the Server Hello message. This is to make things efficient, in case the client has any plans of closing the current connection and reconnect in the near future. Most of the servers have a time out for these sessions (I think 24 hours is a common value, unless pressed for space).
    When the client connects to the same server again, it can send the same session ID as a part of the Client Hello. The server will first look up if it can find any sessions with that ID. If found, the same session will be reused. Thus the time spent in verifying the certs and negotiating the keys is saved. If the server cannot find a matching session, then it responds with a new session ID and its certificate in the Server Hello message. The client knows that it has to verify the cert and negotiate the key again.
    Considerable amount of time is spent in validating server certs. Reusing SSL session will save this time.
    Having said that you need to check if the client is coming with a session ID which it got in previous handshake or not. If it doesn't and it is a new TCP connection then SSL handshake will happen. Please enable that command before testing.
    Also, ensure that you have allocated proper SSL resources to your context. Lack of resources can also cause dropped connections and sluggish performance.
    Regards,
    Kanwal
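
The session-ID lookup described in the reply above, as a small model. This is an added example, not code from the original post and not the ACE's implementation: the class, the "sid-N" identifiers, the 300-second timeout and the connection times are assumptions made for illustration.

```python
"""Simplified model of a server-side SSL session cache with a timeout."""
import itertools


class SessionCache:
    def __init__(self, timeout):
        self.timeout = timeout          # seconds; 0 means sessions are not cached
        self._store = {}                # session_id -> expiry time
        self._ids = itertools.count(1)

    def handshake(self, now, offered_id=None):
        """Handle one Client Hello arriving at time 'now'.

        Returns (session_id, kind): kind is "resumed" when the offered ID is
        still cached, otherwise "full" (certificate sent, keys negotiated)
        together with a freshly issued session ID.
        """
        expiry = self._store.get(offered_id)
        if expiry is not None and now < expiry:
            return offered_id, "resumed"
        self._store.pop(offered_id, None)       # drop an expired entry
        new_id = f"sid-{next(self._ids)}"
        if self.timeout > 0:
            self._store[new_id] = now + self.timeout
        return new_id, "full"


def replay(connection_times, timeout):
    """One client opening a new TCP connection at each time, always offering
    the last session ID it received. Returns the handshake kind per connection."""
    cache = SessionCache(timeout)
    session_id, kinds = None, []
    for now in connection_times:
        session_id, kind = cache.handshake(now, session_id)
        kinds.append(kind)
    return kinds


# Constructed sample: a checkout page fetched over four quick connections,
# then one more connection after a long pause.
SAMPLE_TIMES = [0, 1, 2, 3, 400]

if __name__ == "__main__":
    print("cache off :", replay(SAMPLE_TIMES, timeout=0))
    print("cache 300s:", replay(SAMPLE_TIMES, timeout=300))
```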

  • Help Required - File to Proxy (Performance Issue)

    Hi All,
         One of my file to proxy scenarios is taking 3 to 4 days to execute.
    Basically XI picks up a file of 2-3 lakh records and pushes it to SAP via ABAP proxy. On the ABAP side, a BDC call is made to process the data. But the whole scenario takes 3 to 4 days for execution.
    The scenario is an Asynch scenario and BPM is not used as it's a very straightforward scenario. Also the file can't be split into, say, 10,000 records each because all of these records are interrelated and have to go to the SAP end in a single shot.
    Is there anything which can be done on either the XI or ABAP side to optimize the scenario?
    Thanks,
    Joe.

    Joe,
    Can you give more details?
    Is this an Asynch call or a synch call?
    Are you using a BPM, etc, maybe there is something wrong in the way you have designed your interface.
    Proxies are supposed to provide the best performance, and the fact that it is taking such a long time is really strange, so maybe if you can give us details on your interface, some reason for this issue can be found.
    Meanwhile also look into this guide,
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/70ada5ef-0201-0010-1f8b-c935e444b0ad
    Regards
    Bhavesh

  • 11g Fusion Middleware through reverse proxy..?

    Hi All,
    We are using 11g Discoverer in our environment, and our client has a reverse proxy server. Now my question is:
    How to configure 11g Discoverer to use the existing reverse proxy server?
    Please help with any documents, links or suggestions!
    Thanks
    RB

    Reports 11.1.1.3 doesn't work correctly behind reverse proxy:
    Oracle Reports 11g gives the machine hostname instead of the proxy hostname in rwservlet/showjobs.
    Oracle Fusion Middleware 11g 11.1.1.3 Forms & Reports on Solaris 10 64 bit.
    http://machinename:9002/reports/rwservket/getjobs
    returns Job Name URLs such as
    http://machinename:9002/reports/rwservket/getjobid5?server=rep_wls_reports_machinename_asinst_1
    more asinst_1/config/OHS/ohs1/moduleconf/reports_ohs.conf
    #mod_weblogic related entry
    #<IfModule mod_weblogic.c>
    <Location /reports>
    SetHandler weblogic-handler
    WebLogicHost machinename
    WebLogicPort 9002
    </Location>
    #</IfModule>
    http://machinename/reports/rwservket/getjobs
    returns Job Name URLs such as
    http://machinename/reports/rwservket/getjobid5?server=rep_wls_reports_machinename_asinst_1
    Now I place machinename behind a proxy server proxyname.
    http://proxyname/reports/rwservket/getjobs
    returns Job Name URLs such as
    http://machinename/reports/rwservket/getjobid5?server=rep_wls_reports_machinename_asinst_1
    instead of the correct URL
    http://proxyname/reports/rwservket/getjobid5?server=rep_wls_reports_machinename_asinst_1
    The above is only one problem, there are many others that I have found.
    Ken

  • Performance issues in Proxy-XI-Jdbc scenario

    Hello,
    I have developed a proxy to JDBC synchronous scenario.
    My scenario works like this.
    *i run an abap program which calls a client proxy,
    the proxy fetches the data from database table and returns the data in the ABAP program.(select query)
    there are serious performance issues when we are running the report
    it is taking around 2-5 minutes and at times multiple users are logged in , it takes around 5-20 minutes.
    it seems that most of the time is consumed in the data fetching.
    please help me to find some solution so that we can fine tune the performance on the PI side.
    Are there any options on JDBC CC which can help  us in making the queries faster
    thanks
    kannu.

    Kanu16 ,
    The issue seems to be at the R/3 end.
    1. Make sure that the report program is using the select query in proper fashion.
    2. Avoid using nested loops.
    3. Hopefully not many validations are being done on the selected data.
    An ABAPer can help you optimize this.
    By debugging you can find out the exact reason behind.
    Regards ,

  • Iview capable of performing reverse proxy for application integration.

    Is there an iView in EP capable of reverse proxying a web application? We are attempting to set up our production landscape. We can of course use Apache to reverse proxy applications hidden behind our DMZ by punching a bunch of holes through our firewall. This is not something we wish to do as it totally circumvents the safety imposed by our firewalls and DMZ. Not having this capability causes all sorts of difficulties with application integration, cross domain scripting issues, as well as administrative burden by having to maintain, secure and expose these internally hosted applications.
    If this functionality does not exist in out of the box EP, does anyone know a third party that offers this?
    Thanks
    Cliff Baeseman

    Cliff,
    I am not sure I understood your question correctly.
    EP is an application running on NetWeaver Application Server. This AS has a component called as Web dispatcher which works like a reverse proxy but isn't meant to proxy applications running on a different server other than NetWeaver AS.
    Where is your web application deployed?
    More info needed.
    Regards,
    Kiran
