ACE: conn-limit by source?
Is it possible to limit the number of concurrent connections to a set number per source IP?
no.
Unless you know the IP address you want to limit.
In this case, you can match that traffic with a class-map and use a separate serverfarm for each IP where you can specify a conn-limit.
Gilles.
Similar Messages
-
ACE, max conns limit and oversubscription issue
Hi,
I have a question regarding the following output:
show serverfarm SFARM detail
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: REAL_1
10.0.0.1:80 8 MAXCONNS 10435 65590 130
description : -
max-conns : 10000
min-conns : 9950
There is a sticky source ip configured for primary serverfarm + backup serverfarm (with no sticky). Do you know why we can see more current connections than max-conns limit?
The sticky for primary serverfarm could cause that issue?
Regards,
Krzysztof
Hi Krzysztof,
Normally the current connection counter is the number of ESTABLISHED + EMBRYONIC connections. So as soon as ACE forwards the SYN, the current counter is incremented, and if the connection establishes, the total connection counter is incremented; otherwise the failure counter is.
Having said that, I still believe it should not show more than the MAX-CONNS limit unless max-conns applies only to ESTABLISHED connections.
I would suggest opening a TAC case to investigate this further. There have been many issues related to these counters, all of which were cosmetic and had no real impact on the functionality of the device itself.
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
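As an added example (not from the thread or from Cisco), a small Python parser for the `show serverfarm ... detail` output quoted above: it pulls the current counter and the configured max-conns per rserver and reports the ones running above their limit. The sample output is constructed in the same layout; the second rserver and the `out-of-rotation` suffix (seen in other ACE releases) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the thread's "show serverfarm ... detail"
# output; the second rserver and the "out-of-rotation" suffix are made up.
SAMPLE = """\
show serverfarm SFARM detail
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: REAL_1
10.0.0.1:80 8 MAXCONNS 10435 65590 130
description : -
max-conns : 10000
min-conns : 9950
rserver: REAL_2
10.0.0.2:80 8 OPERATIONAL 120 3300 0
description : -
max-conns : 10000 , out-of-rotation count : 0
min-conns : 9950
"""


@dataclass
class Rserver:
    name: str
    address: str
    state: str
    current: int      # established + embryonic (SYN forwarded) connections
    total: int
    failures: int
    max_conns: Optional[int] = None
    min_conns: Optional[int] = None


# "10.0.0.1:80 8 MAXCONNS 10435 65590 130" -> addr, weight, state, 3 counters
_STATS_RE = re.compile(r"^(\S+:\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
# "max-conns : 10000" or "max-conns : 500 , out-of-rotation count : 0"
_LIMIT_RE = re.compile(r"^(max|min)-conns\s*:\s*(\d+)")


def parse_serverfarm_detail(text: str) -> List[Rserver]:
    """Extract one Rserver per 'rserver:' block of the detail output."""
    rservers: List[Rserver] = []
    pending_name: Optional[str] = None   # name seen, stats line not yet read
    rec: Optional[Rserver] = None        # block whose limit lines we are in
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("rserver:"):
            pending_name = line.split(":", 1)[1].strip()
            rec = None
            continue
        m = _STATS_RE.match(line)
        if m and pending_name is not None:
            rec = Rserver(pending_name, m.group(1), m.group(3),
                          int(m.group(4)), int(m.group(5)), int(m.group(6)))
            rservers.append(rec)
            pending_name = None
            continue
        m = _LIMIT_RE.match(line)
        if m and rec is not None:
            if m.group(1) == "max":
                rec.max_conns = int(m.group(2))
            else:
                rec.min_conns = int(m.group(2))
    return rservers


def over_limit(rservers: List[Rserver]) -> List[str]:
    """Names of rservers whose current counter exceeds their max-conns.

    Because 'current' also counts embryonic connections, a small overshoot
    while handshakes complete is expected; a sustained overshoot of hundreds
    of connections, as in the thread, is what to raise with TAC.
    """
    return [r.name for r in rservers
            if r.max_conns is not None and r.current > r.max_conns]
```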
Hi,
I would like to limit the overloading of servers and redirect to a backup server if the first is full. I thought to use "max-connect" and "backup-reserved".
Now I would also ensure that if the client is already on the platform he continues to surf and is not impacted by the max-connect.
The aim is to focus clients on the farm and put the new ones on hold.
To know that a client is already on the platform I thought to use the sticky.
I do not know if you know of a solution to my need.
Regards,
Charly
Yes, it's conn-limit, sorry, and backup-reserved is backup-rserver (copy-paste problem).
I already used sticky with insert cookie, but when the server is full the client goes to the new server.
Resource class: you mean the resource class in the admin context?
I need to know the difference between the Numeric Limit Test in TestStand version 3.0 and 3.1. If there is any difference in the source code, how do I find it out? If somebody has the code, can you share it?
Thanks,
Jeyan
Hi,
I don't believe there are any differences between the two versions. But you can check the source code for the Numeric Limit Test in TestStand\Components\NI\StepTypes\CommonSubsteps. But the main part of the step is the Code Module, and this bit the user supplies.
What has prompted this question?
Regards
Ray Farmer -
ACE connection limit and remote TCP security scans
We are currently running remote TCP security scans on our networks and are running into a major problem where, when the scans are taking place, the ACE connection resource usage skyrockets and easily reaches the maximum 4 million connections. This means that anyone can run a simple TCP scan and take down our ACE by maxing the connection limit. We have the following parameter-map applied to all of our policies but it does not help to clear the connection count on the ACE in a reasonable amount of time.
parameter-map type connection CONNECTION_TIMEOUT
set timeout inactivity 300
set tcp timeout half-closed 60
I should note that we do have normalization turned off because it causes way more problems than it's worth (no resolution with TAC). Does anyone have any tips on how to accommodate security scans on networks behind the ACE while not saturating the connection count limit?
For VIPs, this particular context only has one class C applied to a class-map. Not all IPs are in use, but regardless the ACE creates connections for those as well. I've set the timeout inactivity to 120 seconds and I still see connections from the remote scanning host idling well over 45 minutes for connections destined to the VIPs. Is turning on normalization my only option? I know there are others who have turned off normalization due to performance and connectivity issues, so there must be other ways around this. Thanks for your help.
-
Hello, I'm using an ACE4700 to redirect connections toward 2 cache boxes (cache2 and cache3).
I'm using "predictor hash address source".
On the cache boxes I see that on the first one I have 400 src IPs and on the second one I have 200 src IPs.
I was expecting to have half the src IPs on one cache and half on the other one.
Since the predictor is based on "hash address source", the two caches should be loaded with the same number of src IPs.
How can I view on the ACE the src IPs redirected to cache1 and the src IPs redirected to cache2?
serverfarm host proxiesAC
description Batteria dei BlueCoat
transparent
failaction purge
predictor hash address source
rserver cache1
probe probe_ICMP
rserver cache2
probe probe_ICMP
inservice
rserver cache3
probe probe_ICMP
inservice
rserver cache4
probe probe_ICMP
rserver cache5
probe probe_ICMP
rserver cache6
probe probe_ICMP
When described like this, it sounds easy to find a hash algorithm which will split 600 IP addresses into 2 equal-size groups.
But this is actually very complicated.
First because when we designed the ACE code, we didn't know how many IPs, which IPs ... would be used.
Moreover, this information changes with every customer of ours.
In conclusion we made a generic algorithm which works most of the time.
But this algorithm can't guarantee that you will have equal loadbalancing.
If you need equal load on your caches, you need to switch to leastconn or roundrobin.
Finally, I don't see the need to use hash address source.
Usually when using ACE with caches, we use either hash url (if we want to make sure one object only exists on one cache - save disk space) or roundrobin/leastconn to have equal load on the caches.
Regards,
Gilles. -
Limit result source to site column
I have a site column "BusinessArea" and created a managed property with the same name "BusinessArea", which at the moment has 4 possible values: "Property", "WC", "LA", "MA". In my default page, I have a dropdown with these 4 possible values. Based on the selection of the dropdown item, I am passing it as a query string parameter to load the custom landing page, for example: .aspx?BusinessArea=Property. So my custom landing page has 4 possible values.
My custom landing page has a search box in the master page. So when the user clicks the search button, I want to limit the search to this specific BusinessArea site column selected by the user, not the entire site. For example, if the user is in the "Property" landing page and types "Payment" in the search box and hits the search button, then the searchcenter page should return all the list items where site column BusinessArea="Property" and any other property matches "Payment".
Thanks in advance!!
I don't think you can restrict an admin to change it. Check this: http://en.share-gate.com/blog/sharepoint-2013-search-settings-and-search-box-drop-down-menu
Please remember to mark your question as answered & vote helpful if this solves/helps your problem. Thanks - WS MCITP (SharePoint 2010, 2013) Blog: http://wscheema.com/blog -
Issues with BW conn. while upgrading source system from R/3 4.6 to ECC 6.0
Hello
We are upgrading our existing R/3 4.6 system to an ECC 6.0 system. In this regard, I have a few questions concerning R/3 to BW extractions.
Question 1: If we have a PROD BW system PB1 mapped to a PROD 4.6 R/3 system PR1, and then we make a copy of PB1 and call it DB1, will we get all the transfer rules mapped between DB1 and PR1 automatically, or do we need to re-create all the transfer rules again?
Question 2: Let's say we now want to connect our ECC 6.0 DEV system, i.e. DE1, to DB1; do we need to re-create all the transfer rules between these 2 clients?
Thanks.
Srinivas.
Hi Srinivas,
Question 1:
No need to create them again... they will link up; it is nothing but the Mirror concept...
Question 2:
This one also does not need to be created....
So your issue is solved; post me if you have any further...
Regards
Srinivas -
Hi,
I am new to ACE 4700. I have configured ACE 4700 for load balancing the FAX servers. Probe, serverfarm, real server, virtual server, VIP state: everything is up and in service. But I am not able to access the real server using the VIP IP address.
Below is the running configuration. Please help me to troubleshoot the problem.
HOB-ACE-1/Admin# sh run
Generating configuration....
no ft auto-sync startup-config
boot system image:c4710ace-mz.A3_2_0.bin
hostname HOB-ACE-1
interface gigabitEthernet 1/1
description Man_HOB_1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
description VIP_HOB_1
switchport access vlan 24
no shutdown
interface gigabitEthernet 1/3
description HA_HOB_1
switchport access vlan 180
no shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
probe icmp ICMP_PROBE1
interval 15
faildetect 4
passdetect interval 60
passdetect count 5
receive 5
rserver host MFREFSAS497
description MAAFAXSERVER
ip address 10.16.12.148
conn-limit max 4000000 min 4000000
inservice
rserver host MSHOFCFS489
description HOBFAXSERVER
ip address 10.26.12.130
conn-limit max 4000000 min 4000000
inservice
serverfarm host SFHOBACE-1
description SFHOBACE-1
predictor hash header Accept
probe ICMP_PROBE1
rserver MFREFSAS497 80
conn-limit max 4000000 min 4000000
inservice
rserver MSHOFCFS489 80
conn-limit max 4000000 min 4000000
inservice
class-map match-all VSHOBACE-1
2 match virtual-address 10.26.24.242 any
class-map type management match-any remote_access
201 match protocol xml-https any
202 match protocol icmp any
203 match protocol telnet any
204 match protocol ssh any
205 match protocol http any
206 match protocol https any
207 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match VSHOBACE-1-l7slb
class class-default
serverfarm SFHOBACE-1
policy-map multi-match global
class VSHOBACE-1
loadbalance vip inservice
loadbalance policy VSHOBACE-1-l7slb
loadbalance vip icmp-reply
nat dynamic 1 vlan 24
nat dynamic 1 vlan 1000
service-policy input global
interface vlan 24
description "Client VLAN"
ip address 10.26.24.243 255.255.255.0
access-group input ALL
no shutdown
interface vlan 1000
ip address 10.26.12.132 255.255.255.0
peer ip address 10.26.12.133 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ft interface vlan 180
ip address 192.168.180.2 255.255.255.248
peer ip address 192.168.180.3 255.255.255.248
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 180
ft group 1
peer 1
priority 140
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 10.26.12.1
snmp-server contact "HOB_ACE"
snmp-server location "HOB"
snmp-server community FAXSERVER group Network-Monitor
snmp-server user administrator Network-Monitor
snmp-server trap-source vlan 1000
username admin password 5 $1$GtO1e504$eGuyxxDcXck7SkxqBfRkI. role Admin domain default-domain
username www password 5 $1$N5ClX7jy$kDhGgN.uukWQKvQMd3pY.1 role Admin domain default-domain
ssh key rsa 1024 force
Thanks and Regards,
Ashfaque
Hello Hossain,
Applying the policy globally on the box is commonly not the preferred way to go; you can instead use a single multi-match policy per SVI for easier management. This will also help to narrow down problems to a specific policy and VIP while troubleshooting.
Use the following:
ACE/Admin(config)# no service-policy input global
ACE/Admin(config)# interface vlan 24
ACE/Admin(config-if)# service-policy input global
Also you want to remove the NAT from the multi-match policy, you're running in routed mode so NAT should not be required; if it was required then you don't have any natpool configured or as Ahmad mentioned it was truncated from the configuration.
Something that caught my attention is that your default route is pointing to the server VLAN, which happens to be also your management VLAN. I'll have to lab it up, but my first impression is that either the traffic coming to the VIP on vlan 24 should always be NAT'd to an IP of 10.26.24.X/24 before it gets to the ACE, or else there will be a routing loop that will not allow the flow to complete correctly.
Do you happen to have a quick logical diagram of this piece of the network?
Thnx
Pablo -
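A configuration check for the points raised in this reply, added here as an example (not Cisco's code nor anything posted in the thread): it parses an indented `show run`, flags a `service-policy` applied at global level, `nat dynamic` references without a matching `nat-pool` on that SVI, and a default route that exits through a VLAN which also holds rservers or a management policy. The sample is a trimmed excerpt of the posted configuration; standard indentation of sub-commands is assumed.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Trimmed, re-indented excerpt of the configuration posted in this thread,
# used as constructed sample input ('show run' indents sub-commands).
SAMPLE_CONFIG = """\
rserver host MFREFSAS497
  ip address 10.16.12.148
rserver host MSHOFCFS489
  ip address 10.26.12.130
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map multi-match global
  class VSHOBACE-1
    nat dynamic 1 vlan 24
    nat dynamic 1 vlan 1000
service-policy input global
interface vlan 24
  ip address 10.26.24.243 255.255.255.0
interface vlan 1000
  ip address 10.26.12.132 255.255.255.0
  service-policy input remote_mgmt_allow_policy
ip route 0.0.0.0 0.0.0.0 10.26.12.1
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group an indented running-config into (top-level line, [sub-lines])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if raw.strip() and not raw[0].isspace():
            blocks.append((raw.strip(), []))
        elif raw.strip() and blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def lint_ace_config(config: str) -> List[str]:
    """Findings for: global service-policy, nat without nat-pool, and a
    default route leaving via the server / management VLAN."""
    findings: List[str] = []
    vlan_nets: Dict[int, ipaddress.IPv4Network] = {}
    vlan_natpools: Dict[int, Set[int]] = {}
    vlan_policies: Dict[int, List[str]] = {}
    mgmt_policies: Set[str] = set()
    rservers: Dict[str, ipaddress.IPv4Address] = {}
    nat_refs: List[Tuple[str, int, int]] = []   # (policy, pool id, vlan)
    default_gw = None

    for head, body in parse_blocks(config):
        if m := re.match(r"interface vlan (\d+)$", head):
            vlan = int(m.group(1))
            vlan_natpools[vlan], vlan_policies[vlan] = set(), []
            for line in body:
                if a := re.match(r"ip address (\S+) (\S+)$", line):
                    vlan_nets[vlan] = ipaddress.ip_network(
                        f"{a.group(1)}/{a.group(2)}", strict=False)
                elif p := re.match(r"nat-pool (\d+) ", line):
                    vlan_natpools[vlan].add(int(p.group(1)))
                elif s := re.match(r"service-policy input (\S+)$", line):
                    vlan_policies[vlan].append(s.group(1))
        elif m := re.match(r"rserver host (\S+)$", head):
            for line in body:
                if a := re.match(r"ip address (\S+)$", line):
                    rservers[m.group(1)] = ipaddress.ip_address(a.group(1))
        elif m := re.match(r"policy-map type management \S+ (\S+)$", head):
            mgmt_policies.add(m.group(1))
        elif m := re.match(r"policy-map multi-match (\S+)$", head):
            for line in body:
                if n := re.match(r"nat dynamic (\d+) vlan (\d+)$", line):
                    nat_refs.append((m.group(1), int(n.group(1)), int(n.group(2))))
        elif m := re.match(r"service-policy input (\S+)$", head):
            findings.append(f"policy {m.group(1)} is applied globally; "
                            "apply it under the client-facing interface vlan instead")
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", head):
            default_gw = ipaddress.ip_address(m.group(1))

    # 'nat dynamic <id> vlan <n>' needs a matching 'nat-pool <id>' on that SVI.
    for policy, pool, vlan in nat_refs:
        if pool not in vlan_natpools.get(vlan, set()):
            findings.append(f"policy {policy} uses 'nat dynamic {pool} vlan {vlan}' "
                            f"but interface vlan {vlan} has no nat-pool {pool}")

    # Default route leaving through a VLAN that also holds rservers or management.
    if default_gw is not None:
        for vlan, net in vlan_nets.items():
            if default_gw not in net:
                continue
            on_vlan = sorted(n for n, ip in rservers.items() if ip in net)
            if on_vlan:
                findings.append(f"default route via {default_gw} exits vlan {vlan}, "
                                f"which also hosts rservers {', '.join(on_vlan)}")
            if mgmt_policies & set(vlan_policies[vlan]):
                findings.append(f"default route exits vlan {vlan}, "
                                "which is also the management vlan")
    return findings
```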
Ace - connection reset (Error 101)
Hi, I have a problem with a Cisco ACE: after approximately an hour in production, for all new connections it gives the message "connection reset". The message on any web browser is: connection reset (Error 101).
It blocks every backend server (Apache). I get the same error also when I try to connect directly to the backend address.
This error saturates the connections on the servers (in the log of the DB I found "error connection reset").
Without ACE all works fine; it's not a traffic load issue.
It seems like once a connection is opened the ACE does not close it anymore!
But the graphical SNMP servers do not report the increase in connections; what is the mistake?
The balancer manages two physical servers and is configured in stickiness mode.
Please find attached the configuration
logging enable
logging timestamp
logging trap 4
logging buffered 3
logging host 172.16.0.2 udp/514 format emblem
access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any
probe http HTTP_PROBE1
request method get url /index.php
expect status 200 206
expect status 300 307
expect status 400 417
probe tcp PROBE_TCP
interval 30
rserver host 03a.it
ip address 172.16.0.1
conn-limit max 50000 min 40000
inservice
rserver host 03b.it
ip address 172.16.0.2
conn-limit max 50000 min 40000
inservice
serverfarm host FARM_WEB
predictor leastconns
probe HTTP_PROBE1
rserver 03a.it
inservice
rserver 03b.it
inservice
parameter-map type http HTTP_PARAMETER_MAP
persistence-rebalance
sticky http-cookie session StickyGroup1
timeout 3600
serverfarm FARM_WEB
class-map type management match-all ICMP-ALLOW_CLASS
2 match protocol icmp source-address x.x.x.x
class-map match-all L4-WEB-IP
2 match virtual-address x.x.x.x tcp eq www
class-map type management match-all REMOTE_ACCESS
2 match protocol ssh any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type loadbalance http first-match WEB_L7_POLICY
class class-default
sticky-serverfarm StickyGroup1
insert-http x-forward header-value "%is"
policy-map multi-match WEB-to-vIPs
class L4-WEB-IP
loadbalance vip inservice
loadbalance policy WEB_L7_POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 2541
appl-parameter http advanced-options HTTP_PARAMETER_MAP
interface vlan 125
ip address
access-group input ANY
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input WEB-to-vIPs
no shutdown
interface vlan 254
ip address
access-group input ANY
nat-pool
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
At the moment this happens, the simultaneous connections (command: show conn) on the server are around 350
the CPU load is 2%
sticky database has approximately 24000 records.
Log level is set to 4. But no error report.
Do you need more info to resolve the problem?
Thank you
Best Regards
N.
Hello Nicolas,
I wonder if you can include these values:
parameter-map type http HTTP_PARAMETER_MAP
case-insensitive
persistence-rebalance
set header-maxparse-length 65535
set content-maxparse-length 65535
length-exceed continue
parsing non-strict
I also noticed a lot of errors, which might also be caused by the denials under '#show resource usage all'; this may indicate you are reaching the license limits, but you should discuss it with your Cisco SE. Please see below:
Allocation
Resource Current Peak Min Max Denied
Context: vrack254
conc-connections 4 1267 60000 60000 0
mgmt-connections 2 28 748 748 0
proxy-connections 0 1255 7864 7864 0
xlates 0 0 7864 7864 0
bandwidth 572 3824781 3740624 127490624 1416859
throughput 96 3712886 3740624 3740624 1416859
mgmt-traffic rate 476 111895 0 123750000 0
connection rate 1 1729 4500 4500 0
ssl-connections rate 0 0 224 224 0
mac-miss rate 0 15 16 16 4
inspect-conn rate 0 0 1800 1800 0
http-comp rate 0 0 5898240 5898240 0
to-cp-ipcp rate 0 11 36 36 0
acl-memory 8216 10568 744800 744800 0
sticky 22978 22978 31456 31456 0
regexp 19 23 7864 7864 0
syslog buffer 30720 30720 30720 30720 0
syslog rate 0 6 750 750 0
Can you upload the specific error which you are getting also?
Jorge -
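An added example, not part of Jorge's reply: a Python parser for the `show resource usage all` table above that flags any resource with a non-zero Denied count or a Peak within 90% of its Max, so the rows he points at (bandwidth, throughput) fall out automatically. The sample is a constructed subset of the pasted table and the 90% threshold is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the layout of the 'show resource usage all' output
# pasted above; a subset of the rows is kept, values are illustrative.
SAMPLE = """\
Allocation
Resource Current Peak Min Max Denied
Context: vrack254
conc-connections 4 1267 60000 60000 0
proxy-connections 0 1255 7864 7864 0
bandwidth 572 3824781 3740624 127490624 1416859
throughput 96 3712886 3740624 3740624 1416859
mgmt-traffic rate 476 111895 0 123750000 0
connection rate 1 1729 4500 4500 0
mac-miss rate 0 15 16 16 4
sticky 22978 22978 31456 31456 0
"""


@dataclass
class Row:
    context: str
    resource: str
    current: int
    peak: int
    minimum: int     # guaranteed allocation for the context
    maximum: int     # hard ceiling for the context
    denied: int


@dataclass
class Finding:
    context: str
    resource: str
    reasons: List[str] = field(default_factory=list)


_CONTEXT_RE = re.compile(r"^Context:\s*(\S+)")


def parse_resource_usage(text: str) -> List[Row]:
    """Parse the rows of 'show resource usage'. Resource names may contain a
    space ('mgmt-traffic rate'), so the five trailing integers are peeled off
    first and whatever precedes them is the name."""
    rows: List[Row] = []
    context = "?"
    for raw in text.splitlines():
        line = raw.strip()
        m = _CONTEXT_RE.match(line)
        if m:
            context = m.group(1)
            continue
        tokens = line.split()
        if len(tokens) < 6 or not all(t.isdigit() for t in tokens[-5:]):
            continue            # header, blank or separator line
        name = " ".join(tokens[:-5])
        cur, peak, mn, mx, denied = (int(t) for t in tokens[-5:])
        rows.append(Row(context, name, cur, peak, mn, mx, denied))
    return rows


def check_usage(rows: List[Row], peak_fraction: float = 0.9) -> List[Finding]:
    """Flag resources that were denied or whose Peak came close to Max.

    Denied > 0 is the direct evidence of a resource-class or licence limit
    being hit; Peak near Max shows a limit about to bite. Denied > 0 with
    Peak well under Max (the bandwidth row) means the limit hit was not this
    context's own Max, so compare Peak against the guaranteed Min instead.
    """
    findings: List[Finding] = []
    for r in rows:
        f = Finding(r.context, r.resource)
        if r.denied > 0:
            f.reasons.append(f"{r.denied} denied")
        if r.maximum > 0 and r.peak >= peak_fraction * r.maximum:
            pct = 100 * r.peak / r.maximum
            f.reasons.append(f"peak {r.peak} is {pct:.0f}% of max {r.maximum}")
        if f.reasons:
            findings.append(f)
    return findings
```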
ACE 4710 - Internet Explorer cannot display the webpage
Hi,
We have implemented HTTPS redirection and SSL termination in ACE for one server-farm. The webpage is not getting displayed in internet explorer and even the redirection is not taking place. Whereas, with Firefox and chrome browsers, the website displays properly. Please suggest a solution to this issue.
The ACE configuration is as below.
crypto chaingroup STAR_GRP_CHAINGRP
cert star_exe_edu_sa.crt
cert star_TrustedRoot.crt
cert DigiCertCA.crt
probe tcp PROBE_8000
port 8000
interval 5
passdetect interval 10
open 10
rserver host PMCRAGRPWEB01_172.18.13.48
description SBM PMCRAGRPWEB01_172.18.13.48
ip address 172.18.13.48
conn-limit max 4000000 min 4000000
inservice
rserver host PMCRBGRPWEB01_172.18.13.49
description SBM PMCRBGRPWEB01_172.18.13.49
ip address 172.18.13.49
conn-limit max 4000000 min 4000000
inservice
rserver redirect REDIRECT-GRPTEST
webhost-redirection https://%h%p 302
inservice
serverfarm host SF_GRP_TEST_SERVER
description GRP test sererfarm for irecruitment
probe ICMP_PROBE
probe PROBE_8000
rserver PMCRAGRPWEB01_172.18.13.48 8000
conn-limit max 4000000 min 4000000
inservice
rserver PMCRBGRPWEB01_172.18.13.49 8000
conn-limit max 4000000 min 4000000
inservice
serverfarm redirect SRV-REDIRECT-GRPTEST
rserver REDIRECT-GRPTEST
inservice
parameter-map type ssl Star_GRP_PARAMMAP
sticky ip-netmask 255.255.255.255 address source GRPTEST_sticky
serverfarm SF_GRP_TEST_SERVER
timeout 120
replicate sticky
sticky ip-netmask 255.255.255.255 address source REDIRECT-GRPTEST-STICKY
serverfarm SRV-REDIRECT-GRPTEST
timeout 120
replicate sticky
ssl-proxy service STARGRP_SERVER
key star.exe.edu.sa.key
cert star_exe_edu_sa.crt
chaingroup STAR_GRP_CHAINGRP
ssl advanced-options Star_GRP_PARAMMAP
class-map type http loadbalance match-any MATCH-WEBSITEURL-GRPTEST
4 match http header Host header-value ".*grp.exe.edu.sa.*"
class-map match-any VIP_GRP_TEST_SERVER
5 match virtual-address 172.18.13.58 tcp eq https
6 match virtual-address 172.18.13.58 tcp eq 8000
class-map match-any class-REDIRECT-GRPTEST-HTTPS
5 match virtual-address 172.18.13.58 tcp eq www
policy-map type loadbalance first-match VIP_GRP_TEST_SERVER-SLB
class class-default
sticky-serverfarm GRPTEST_sticky
policy-map type loadbalance first-match VIP_REDIRECT_GRPTEST-SLB-HTTPS
class MATCH-WEBSITEURL-GRPTEST
sticky-serverfarm REDIRECT-GRPTEST-STICKY
policy-map multi-match INT228-228
class class-REDIRECT-GRPTEST-HTTPS
loadbalance vip inservice
loadbalance policy VIP_REDIRECT_GRPTEST-SLB-HTTPS
loadbalance vip icmp-reply
nat dynamic 1 vlan 228
class VIP_GRP_TEST_SERVER
loadbalance vip inservice
loadbalance policy VIP_GRP_TEST_SERVER-SLB
loadbalance vip icmp-reply
nat dynamic 1 vlan 228
ssl-proxy server STARGRP_SERVER
interface vlan 228
service-policy input INT228-228
Regards,
Madhan kumar G
Hi Madhan,
If it is working with Mozilla and Chrome, the configuration seems to be fine. Which version of IE are you facing issues with? Have you tried different versions of IE?
Can you take a quick client capture and see where the connection fails and why?
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
Dear Gents,
Attached is the current setup & configuration for both ACE & FWSM.
we can ping the VIP from the user side, but we are not able to open the web application using the VIP.
Appreciate your kind support to solve the issue when trying to open the application using the VIP.
Best Regards,
Pierre, this is Babu.
Can you please forward an ACE one-arm mode current configuration which is working fine? Check my configuration and please reply if any modification is required.
boot system image:c4710ace-mz.A4_2_0.bin
interface gigabitEthernet 1/1
switchport access vlan 255
no shutdown
interface gigabitEthernet 1/2
switchport access vlan 110
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
probe http HTTP
port 80
interval 20
passdetect interval 40
receive 3
expect status 0 499
connection term forced
open 1
probe icmp PING
description Probe PING
interval 2
faildetect 2
passdetect interval 2
passdetect count 2
receive 1
probe snmp SNMP-PROBE
description SNMP-PROBE
interval 15
passdetect interval 10
version 2c
community MODA-MSD-RW
oid .1.3.6.1.2.1.4.3.0
type absolute max 1000000000
weight 6000
rserver host SERVER1
description msd-hq-sp01
ip address 10.0.160.14
conn-limit max 2000000 min 1500000
rate-limit connection 100000
rate-limit bandwidth 10000000
inservice
rserver host SERVER2
description msd-hq-sp02
ip address 10.0.160.15
conn-limit max 2000000 min 1500000
fail-on-all
weight 20
inservice
rserver host SERVER3
conn-limit max 2000000 min 1500000
fail-on-all
weight 30
inservice
rserver host SERVER4
conn-limit max 2000000 min 1500000
fail-on-all
weight 40
inservice
serverfarm host MoDA-MSD-SFARM
description MoDA-MSD-SERVERS
probe PING
rserver SERVER1 80
conn-limit max 2000000 min 1500000
rate-limit connection 100000
rate-limit bandwidth 5000000
inservice
rserver SERVER2 80
conn-limit max 2000000 min 1500000
rate-limit connection 100000
rate-limit bandwidth 5000000
inservice
sticky ip-netmask 255.255.255.255 address source STKY_WEB1
timeout 60
replicate sticky
serverfarm MoDA-MSD-SFARM
class-map match-all frontend
2 match virtual-address 10.0.160.17 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match frontend
class class-default
serverfarm MoDA-MSD-SFARM
policy-map multi-match CLIENT-VIPS
class frontend
loadbalance vip inservice
loadbalance policy frontend
loadbalance vip icmp-reply
nat dynamic 1 vlan 110
class class-default
interface vlan 110
ip address 10.110.10.101 255.255.255.0
access-group input ALL
nat-pool 1 10.110.10.200 10.110.10.200 netmask 255.255.255.0 pat
service-policy input CLIENT-VIPS
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 255
ip address 10.0.255.245 255.255.255.0
no shutdown
ft interface vlan 115
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 20
ft-interface vlan 115
query-interface vlan 110
ft group 1
peer 1
priority 120
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 10.110.10.254
snmp-server community MODA-MSD-RO group Network-Monitor
snmp-server host 10.0.160.144 traps version 2c MODA-MSD-RW
snmp-server enable traps snmp coldstart
snmp-server enable traps virtual-context
snmp-server enable traps license
snmp-server enable traps slb vserver
snmp-server enable traps slb real
snmp-server enable traps syslog
snmp-server enable traps snmp authentication
snmp-server enable traps snmp linkup
snmp-server enable traps snmp linkdown
username admin password 5 $1$D1e1pS1d$KBuTV0Oe195u3b3dW9RQF/ role Admin domain default-domain
username www password 5 $1$JfHnQdU/$0FLEMgeJIuAzIKGc3Xv.p1 role Admin domain default-domain
ssh key rsa 1024 force
Thank you,
Babu.S -
Hello,
I currently have a Serverfarm consisting of 6 Servers Load Balancing HTTP requests (Port 80) from the VIP to the Real Servers.
I now have a requirement to load balance another application on the same Real Servers using the same VIP however the URL to be used is using Port 1880 within HTTP.
http://10.10.90.1:1880/Service.asmx
Any advice on how to configure this on the ACE would be appreciated.
thanks
Ian.
Ian,
Maybe something like this:
policy-map multi-match int56
class VIP_Plumtree_1880
loadbalance vip inservice
loadbalance policy VIP_WEB-l7slb_1880
loadbalance vip icmp-reply
class-map match-all VIP_WEB_1880
2 match virtual-address 10.10.90.1 tcp eq 1880
class-map type http loadbalance match-all MATCH-URL-1880
2 match http url /Service.asmx.*
sticky ip-netmask 255.255.255.255 address source Sticky_Group_WEB_1880
serverfarm SF_WEB_1880
replicate sticky
policy-map type loadbalance first-match VIP_WEB-l7slb_1880
class MATCH-URL-1880
sticky-serverfarm Sticky_Group_WEB_1880
class class-default
sticky-serverfarm Sticky_Group_WEB_1880
serverfarm host SF_WEB_1880
description WEB1&2
rserver RS_WEB1 1880
conn-limit max 4000000 min 4000000
inservice
rserver RS_WEB2 1880
conn-limit max 4000000 min 4000000
inservice
Jorge -
ACE: RDP loadbalancing connection problem
I have a problem setting up RDP loadbalancing.
My setup is a WS-C6509-E with IOS 12.2(33)SXI5 and an ACE20-MOD-K9 running A2(3.3).
I have the ACE in two-arm mode; I can connect to the real servers via RDP. The real servers use a MS Terminal Server Session Broker with routing tokens.
The serverfarm is operational:
# show serverfarm FARM-TSFARM1 det
serverfarm : FARM-TSFARM1, type: HOST
total rservers : 4
active rservers: 4
description : srv-f1-tsX.mydomain.de
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 1
total conn-dropcount : 0
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: RS-SRV-F1-TS1
10.7.43.201:0 8 OPERATIONAL 0 1 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS2
10.7.43.202:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS3
10.7.43.203:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS4
10.7.43.204:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
The service policy is active; it shows an increasing hit count for the VIP connections (47 as shown below), no drop-count, no dropped connections, but zero server packets and bytes and no hit counts for the L7 policy:
# show service-policy VIP-TSFARM1 detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 44
service-policy: VIP-TSFARM1
class: VIP-TSFARM1-RDP
VIP Address: Protocol: Port:
10.7.44.106 tcp eq 3389
loadbalance:
L7 loadbalance policy: VIP-TSFARM1-RDP-l7slb
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 47
dropped conns : 0
client pkt count : 221 , client byte count: 10996
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : VIP-TSFARM1-RDP-l7slb
class/match : class-default
LB action: :
primary serverfarm: FARM-TSFARM1
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
I never get a "Built TCP connection" syslog message.
When I make a VIP with "policy-map type loadbalance generic" instead of "policy-map type loadbalance rdp" everything works as expected, apart from the fact that users cannot be redirected to the correct server if they have an active session on one of them.
Here is the config of the rdp setup:
rserver host RS-SRV-F1-TS1
description srv-f1-ts1.mydomain.de
ip address 10.7.43.201
conn-limit max 500 min 500
rate-limit connection 10000
rate-limit bandwidth 12500000
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS2
description srv-f1-ts2.mydomain.de
ip address 10.7.43.202
conn-limit max 500 min 500
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS3
description srv-f1-ts3.mydomain.de
ip address 10.7.43.203
conn-limit max 500 min 500
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS4
description srv-f1-ts4.mydomain.de
ip address 10.7.43.204
conn-limit max 500 min 500
probe PING_PROBE
inservice
serverfarm host FARM-TSFARM1
description srv-f1-tsX.mydomain.de
rserver RS-SRV-F1-TS1
inservice
rserver RS-SRV-F1-TS2
inservice
rserver RS-SRV-F1-TS3
inservice
rserver RS-SRV-F1-TS4
inservice
class-map match-all VIP-TSFARM1-RDP
2 match virtual-address 10.7.44.106 tcp eq 3389
policy-map type loadbalance rdp first-match VIP-TSFARM1-RDP-l7slb
class class-default
serverfarm FARM-TSFARM1
policy-map multi-match VIP-TSFARM1
class VIP-TSFARM1-RDP
loadbalance vip inservice
loadbalance policy VIP-TSFARM1-RDP-l7slb
loadbalance vip icmp-reply active
loadbalance vip advertise active
interface vlan 44
service-policy input VIP-TSFARM1
Any ideas?
Ralf,
You are running into the following defect:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl63354
Workaround:
use a layer 4 loadbalance policy and configure source ip sticky.
Joel Lamousnery
Cisco TAC -
Limit number connections by IP
Hello, I have an ACE 4710 to balance some applications exposed to the Internet. But one of them has a problem with concurrency; the question is, is there a way to limit the number of connections to this application by public IP address?
Thanks,
Haiver Bermon
Hi Haiver,
You can limit the number of concurrent connections to a real server. For instance:
ACE(config)# serverfarm host SF1
ACE(config-sfarm-host)# rserver SRV1
ACE(config-sfarm-host-rs)# ?
Configure rserver instance:
backup-rserver Configure backup-rserver for this rserver
conn-limit Configure max/min connection limits for the server <<<
description Configure description string for real server
do EXEC command
end Exit from configure mode
exit Exit from this submode
fail-on-all Fail real when all probes fail
inservice Activate rserver instance
no Negate a command or set its defaults
probe Associate probe with rserver instance
rate-limit Configure rate limit per second <<<
Or you can limit the connection rate to a vip by configuring something similar to this:
ACE(config)# parameter-map type connection pmap
ACE(config-parammap-conn)# ?
Configure connection parameters:
description Configure description string for this parameter-map
do EXEC command
end Exit from configure mode
exceed-mss Configure behavior if a packet exceeds MSS
exit Exit from this submode
nagle Enable Nagle TCP optimization algorithm
no Negate a command or set its defaults
random-sequence-number Enable TCP sequence number randomization <<<
But I guess you would rather like to limit the number of connections from a single source IP. This is not possible.
Thanks,
Olivier