ACE cookie-based slb
Hi,
I'm trying to configure a cookie-based slb method which corresponds to my current CSS11503-configuration. Basicly, my CSS performs slb purely based on the content of the arrowpoint-cookie, using the following config:
advanced-balance arrowpoint-cookie
arrowpoint-cookie name WPS6
The cookie contains the real ip of the underlying webserver and the CSS fowards traffic based on that particular content of the cookie. Whenever we need to do an unscheduled shutdown of a webserver, we gracefully take the webserver out of service by setting the weight to 0, but also, my webdepartment have implemented a feature in Websphere, that somehow sends a cookie-expire to both the SESSIONID-cookie and the WPS6 cookie. So once the subsequent http-req hits the CSS, the cookie is gone and the CSS lb'es the req to a diffent server. We've intentionally left out the sticky-option, as it didn't work well with the before mentioned Websphere-feature.
Now I'm trying to configure something similar on the ACE, but so far without luck. I did start by configuring sticky-group with the cookie-insert option and a http-parametermap with persistence-rebalance. But all attempts to recreate the above mentioned scenario, have failed. It's seems, that even with persistence-rebalance, the client-session is still stuck to the webserver and a display of the sticky-database shows, that the sticky-entry persists. Even when I manually delete the cookie-container on the client and verify with the Live-HTTP-plugin, that the subsequent http-req does not contain the WPS6 cookie, the req is still forwarded to the realserver. Even when the real-server is placed in 'inservice standby'.
Is it possible to staticly define a cookie-value for, say, 4 webservers, each with their own unique cookie? And when the initial part of the tcp is completed and the ACE decides which realserver is to be used, it sets a cookie containing that particular value and includes it in the http-response. So if any subsequent http-req's are not containing that cookie, the ACE re-balancences that req and sends it to a different webserver.
/Ulrich
PS! Merry X-mas
Ulrich,
what you're asking for is what ACE does currently.
The static cookies are created at configuration time.
You can see the values with "show sticky cookie-insert"
ie:
switch/Admin# show sticky cookie-insert group portalap
Cookie | HashKey | rserver-instance
------------+----------------------+----------------------------------------+
R4181073320 | 11105909834649097754 | vmware-http/vmware-27:80
R4181109257 | 10017312105356339124 | vmware-http/vmware-28:80
R4183409225 | 15537882249682767338 | vmware-http/vmware-46:80
R4183517036 | 1787657754489574767 | vmware-http/vmware-49:80
Whenever we see the cookie "R...." we check if the associated server is alive and forward the connection to that server.
Otherwise we loadbalance to a new server and include the new cookie in the response.
For established connections, persistence rebalance is indeed required to inspect every request and rebalance the connection to a new server if a new cookie is detected. However ACE will try not to rebalance when not needed.
If you need a new loadbalancing decision each time, you need 'persistence rebalance strict'.
An alternative could be the configuration of 'failaction purge' to force the connection to be terminated when the server goes down.
'inservice standby' is described @ http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1000333
•Tears down existing non-TCP connections to the server
•Allows current TCP connections to complete
•Allows new sticky connections for existing server connections that match entries in the sticky database
•Load balances all new connections (other than the matching sticky connections mentioned above) to the other servers in the server farm
•Eventually takes the server out of service
As you can see, this option still allows connection to the server if it matches a sticky entry.
Gilles.
Similar Messages
-
ACE: SourceIP-based Loadbalancing
Hi There,
I'm new to this forum and have a question regarding ACE Loadbalancing based on Source-IP.
The customer wants there internal client having full access to the VIP, while clients from Extranet should be limited/redirected to a special URL.
Both (internal/Extranet) should use the same VIP and the same realservers (costs). So far I have only seen configuration examples where based on source-ip, requests were send to different serverfarm with different realservers.
Could I rewrite the URL based on source address as well?
Thanks in advance,
AnkeHi Pablo,
I tried to adopt your configuration, but get an redirection error (never ending redirection). Maybe I explained not detailed enough ... I want to have a class like your "Internal" - based on source IP. These clients should use rserver like your Web-1 and Web-2 in serverfarm HTTP, but restricted to only one subdomain. Alle other should use every subdomain possible. My class ist called Wiki_Extranet.
I tried the following, but it seems not completely work as I wanted:
rserver redirect Wiki_Extranet_Redirect
webhost-redirection http://7it.wiki.intra.de
inservice
serverfarm redirect Wiki_Extranet_Redirect
rserver Wiki_Extranet_Redirect
inservice
serverfarm host Wiki_SF
probe HTTP_Wiki
probe PING_Wiki
rserver Wiki1
inservice
rserver Wiki2
inservice
rserver Wiki3
inservice
sticky http-cookie JSESSIONID Wiki_http_stickgroup
replicate sticky
serverfarm Wiki_SF
class-map type http loadbalance match-any Wiki_Extranet
10 match source-address 10.127.31.68 255.255.255.255
class-map match-all VIP_Wiki_http
description filter http traffic
2 match virtual-address 10.37.13.10 tcp eq www
policy-map type loadbalance first-match LB_Wiki_http
class Wiki_Extranet
serverfarm Wiki_Extranet_Redirect
nat dynamic 401 vlan 401 serverfarm primary
class class-default
sticky-serverfarm Wiki_http_stickgroup
nat dynamic 401 vlan 401 serverfarm primary
policy-map multi-match Wiki_Balancing
class VIP_Wiki_http
loadbalance vip inservice
loadbalance policy LB_Wiki_http
loadbalance vip icmp-reply active
loadbalance vip advertise active
appl-parameter http advanced-options HTTP_Parameter
If you had time to have a look, would be so helpful.
Thank you - Anke -
Hi,
We are having ACE as the load balancer
Software running on ACE
loader: Version 12.2[121]
system: Version A2(1.1a) [build 3.0(0)A2(1.1a) adbuild_22:19:41-2008/07/21_
/auto/adbu-rel3/rel_a2_1_1_throttle/REL_3_0_0_A2_1_1A]
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_1a.bin
We have 2 webservers (load balanced) & 2 application servers(load balanced).Cookie based stickiness is currently used on Web & Application servers.
Ideal scenario:
1.Client opens the url http://...There is always a dual session whenever the client opens the url.One is for Java & the other for html.
2.Client--->Webserver1
3.Webserver1---->APP1
Most of the times when the client types the url, the dual sessions goes to one Webserver as per round robin (eg web server 1) & the webserver 1 communicates with Application server as per round robin (eg.application server 1).
Problem:
Now at times when the client types the url, the dual sessions gets split which means one session goes to one webserver & the other session goes to second webserver.Ideally it should not as per the application demands.
When this happens, both the webservers communicates with both the application servers.Here is where the problem happens.The client is asked for the login page again which indicates that the client has went to the second application server for the login.
What ideally should happen is the client should stick to the same application server depending up the sticky timeout.
Foll. is the output of show conns when prob occurs:
Primary-ACE/DMZ2# sh conn serverfarm SF-8888
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
1321 1 in TCP 2504 172.21.46.34:2037 172.24.51.200:8888 ESTAB
1255 1 out TCP 2704 172.24.51.33:8888 172.21.46.34:2037 ESTAB
1108 2 in TCP 2504 172.21.46.34:2036 172.24.51.200:8888 ESTAB
1144 2 out TCP 2704 172.24.51.32:8888 172.21.46.34:2036 ESTAB
Primary-ACE/APP# sh conn serverfarm SF-8888
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
959 2 in TCP 2507 172.24.51.32:58306 172.24.54.200:8888 ESTAB
115 2 out TCP 2707 172.24.54.32:8888 172.24.51.32:58306 ESTAB
651 2 in TCP 2507 172.24.51.33:51030 172.24.54.200:8888 ESTAB
901 2 out TCP 2707 172.24.54.33:8888 172.24.51.33:51030 ESTAB
I have attached the configs.
The web server we are testing is 172.24.51.32 & 33 - port 8888
Application servers - 172.24.54.32 & 33-port 8888
Rgds./SachinSachin~
What is exactly your flow?
Is client hitting the Webserver farm (in web server context) and then Web servers hitting the APPs Servers in the APPS server context?
If thats the case (only Web servers are App server clients and client is not hitting application serverfarm ) then you can use source ip based sticky in APP server farm which will ensure that one web server sticks to a particular APP server and it never changes the APP server.
Following example will insert cookie named "Mycookie" in the server responses from APP1 rservers to the client
rserver host App1-Srvr1
ip address 192.168.1.1
inservice
rserver host App1-Srvr2
ip address 192.168.1.2
inservice
serverfarm host APP1-SFARM
rserver App1-Srvr1
inservice
rserver App1-Srvr2
inservice
class-map match-any APP1-VIP
2 match virtual-address 10.10.10.1 tcp eq www
sticky http-cookie MYcookie App1-sticky
cookie insert
timeout 720
replicate sticky
serverfarm App1-Sfarm
policy-map type loadbalance first-match APP1-POLICY
class class-default
sticky-serverfarm App1-sticky
policy-map multi-match VIPS
class VIP-P80
loadbalance vip inservice
loadbalance policy APP1-POLICY
loadbalance vip icmp-reply active
HTH
Syed Iftekhar Ahmed -
If 3 Real servers in a non-load balancing environmet are setting session cookies with diffrenet cookie names e.g.
server1 response
set-Cookie: SESSIDSAAAAAA=DMNNNELCECNCKDIIDCPOIMGG
Server2 response
set-Cookie: SESSIDSBBBBBB=DAAMMNELCECNCKPYTWPOIPOP
Server3 response
set-Cookie: SESSIDSCCCCCC=POHYTUOIPOPPLKJHTERIQOKJ
then how can CSM be configured with cookie based stickiness.
I tried cookie insert on CSM with NULL value Assigned to "COOKIE_INSERT_EXPIRATION_DATE".
It resulted in two set cookie responses (one from server and one from CSM).
I am wondering how csm will react ( cookie insert is used) if client request carries two cookie name-value pairs.
clients are behind megaproxy so cookie based stickiness is needed.
Thanksif you look into a http client request you will see that many times there are more than 1 cookies.
The most important is to make sure the CSM insert a cookie with a different name.
Create your own name.
The client will receive both the csm cookie and the server cookie and will send both when opening a new connection.
The CSM is able to locate its own cookie in the list and do the stickyness.
Gilles. -
Hi,
I'm using Webcache 10.1.2 as Load balance for Forms 9.0.4 Applications. I confuse about two documnents in Metalink as Note 229900.1 and Note:268830.1. While in the former it said the "OC4J-based" option with JSESSIONID is used for Forms Application, the later recommend to use "Any Set Cookie" option with Cookie-based for Form Application.
Any idea?Hi,
looks as if the latter is a work around for what is described in bug 3309696, that this is an integration issue. Forms uses jsession and there is no need for a cookie to be set. However, due to a bug in OC4J this seemed to be required
In order for web cache to sitck to a given OHS, OHS must set a cookie with the
client. (Thats what web cache uses to bind the session). By default forms uses
a cookie in the URL for session and does not set a cookie using HTTP. With the
cookie in the URL web cache does not see it and does not bind to a server
causing it to balance all requests and break forms.
Frank. -
Configuring cookie based sticky on ACE
I have an ACE and I am trying to setup stickiness based on HTTP cookies. My objective is to stick a client to one of the real servers in the server farm until the the cookie expires. I am using the same COOKIE name for all three servers but using different values that are unique to each server. On testing I discovered that each client request when stuck to the same real server always uses the same sticky database entry and a browser refresh updates the same entry...what am I doing wrong?
My config is as follows:
context Admin
member STICKY
access-list ALL line 8 extended permit ip any any
rserver host SERVER1
description content server 1
ip address 134.178.51.17
inservice
rserver host SERVER2
description content server 2
ip address 134.178.51.18
inservice
rserver host SERVER3
description content server 3
ip address 134.178.51.19
inservice
serverfarm host SFARM1
predictor leastconns
rserver SERVER1
inservice
rserver SERVER2
inservice
rserver SERVER3
inservice
sticky http-cookie MYCOOKIE STICKYGroup
timeout 4
serverfarm SFARM1
class-map type http loadbalance match-any L7CLASS6
2 match http cookie MYCOOKIE cookie-value "123456"
3 match http cookie MYCOOKIE cookie-value "56789"
policy-map type loadbalance first-match L7POLICY6
class L7CLASS6
sticky-serverfarm STICKYGroup
class class-default
serverfarm SFARM1
class-map match-all V1L4VIPCLASS
2 match virtual-address 134.178.51.10 tcp eq www
policy-map multi-match V1L4SLBPOLICY
class V1L4VIPCLASS
loadbalance vip inservice
loadbalance policy L7POLICY6Cookie values are learned dynamically by ACE and sticky entries are created.So you do not need to match cookie values.
With Sticky group configuration you tell ACE which Cookie-name to look for in the HTTP traffic passing through ACE.
So following should be sufficient
sticky http-cookie MYCOOKIE STICKYGroup
timeout 4
serverfarm SFARM1
policy-map type loadbalance first-match L7POLICY6
class class-default
sticky-serverfarm STICKYGroup
Lets assume your Server1 is setting cookie value 123456 by using "SET-Cookie:MYCOOKIE=123456" & Server2 is sending ""SET-Cookie:MYCOOKIE=56789" the flow will be as follows
1. If a new client hits the VIP on ACE with no cookie set then ACE will select a Sever from the server farm as per the LB algo and forward the HTTP request to the selected server. Lets suppose ACE selects Server1.
3. Server1 will send "SET-Cookie:MYCOOKIE=123456" in the HTTP response to the client.
4. ACE on getting this response from Server1 will dynamically learn that Server1 is setting up cookie value 123456 and will create a sticky entry in the database.
(Due to this sticky db entry any subsequent http requests with "Cookie:MYCOOKIE=123456" will be directly forwarded to Server1.
5. This sticky entry in ACE sticky DB will only time out if "timeout in minutes" configured under sticky group elapses and no active conns are using this entry.With every new http request matching the sticky entry this timeout is initialized.
6. If a new client come with no cookie set in the Http request then ACE will select a server using LB logic and will learn the cookie value & will create appropriate sticky entry.
7. If a client sends a request with cookie value present then ACE will simply look into the sticky db and forward the request to the appropriate server.
HTH
Syed Iftekhar Ahmed -
Hi, I am trying to understand the ACE`s cookie-insert method of stickiness. So the ACE will always insert a cookie into the http-header when sending a response to the client/browser. Based on that if it recieves the same cookie-id in the subsequent requests it knows to which end-server to send it as it does an internal hash based on the cookie-value.
My question is, what happens if the server also sends a cookie? Does ACE dis-regards that cookie and inserts a new one on it`s own? How do the cookie-insertion from the server (which is done by default by the web-servers) co-exist with the cookie insertion by the ACE?
thnxHi,
As long as they don't both use the Same Cookie name they won't influence each other.
If you don't assign a cookie-name ACE will create a unique one per rserver.
Or you can configure one e.g.
rserver WebServer1 80
cookie-string "ACEWS1Cookie"
More details can be found here:
http://www.cisco.com/en/US/customer/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html -
Hi ,
My requirement is as follows
i have following url
http://x.x.x.x/abc
http://x.x.x./dce
http://x.x.x.x/fgh
only for http://x.x.x.x/abc should be using stickiness based on http cookie insert remaining all it should use ip based stickiness.
problem what i am facing is ,
if i access http://x.x.x.x/dce , it is not showing any COOKIE in the header ( which is as expected ) and when i access http://x.x.x./abc it showing the inserted COOKIE (again expected) , but when i am accessing the url http://x.x.x.x/dce or fgh again , it is still showing the INSERTED COOKIE is it a known behaviour?.
as far as i understand , before the session request , ACE maintains the insert cookie values in the cookie database and thus it is less processing intensive.
However , why is it inserting to all request , even though i am not configuring as such .
following is my configuration , is it a known behaviour or is it the way it should work?
serverfarm host SF-FOR-DCE
probe TCP_8032
rserver MYSERVER1 8032
inservice
rserver MYSERVER2 8032
inservice
serverfarm host SF-FOR-FGH
probe TCP_8083
rserver MYSERVER1 8083
inservice
rserver MYSERVER2 8083
inservice
serverfarm host SF-FOR-ABC
probe TCP_8081
rserver MYSERVER1 8081
inservice
rserver MYSERVER1 8081
inservice
sticky http-cookie COOKIE-SKYCHAIN STICKY-ABC
cookie insert browser-expire
timeout 720
replicate sticky
serverfarm SF-FOR-ABC
sticky ip-netmask 255.255.255.0 address source STICKY-DCE
timeout 720
replicate sticky
serverfarm SF-FOR-DCE
sticky ip-netmask 255.255.255.0 address source STICKY-EFG
timeout 720
replicate sticky
serverfarmSF-FOR-FGH
class-map type http loadbalance match-all CM7-1
2 match http url /dce/*.*
class-map type http loadbalance match-all CM7-2
2 match http url /fgh/*.*
class-map type http loadbalance match-all CM7-3
2 match http url /abc*.*
policy-map type loadbalance first-match PM7-1
class CM7-1
sticky-serverfarm STICKY-DCE
class CM7-2
sticky-serverfarm STICKY-EFG
class CM7-3
sticky-serverfarm STICKY-ABC
class-map match-any CM3-VIP
3 match virtual-address x.x.x.x tcp eq www
policy-map multi-match PM34-VIP
class CM3-VIP
loadbalance vip inservice
loadbalance policy PM7-1
loadbalance vip icmp-reply
Assistance appreciated.
thanks
-PMDAre you seeing the client still send the cookie when going to the other locations /DCE or /FGH, or are you seeing the ACE insert the cookie? If you are only seeing the client still sending the cookie this is expected behavior. The cookie is issued for the path / so if the client learned the cookie from the domain x.x.x.x it will send the cookie any time it goes to that domain regardless of the path that is being used.
Regards
Jim -
Hi All,
I have an issue on the ACE that is doing SSL offload to a server farm and using cookies for stickyness.
The issue is I am trying to establish what value i need to enter when trying to dynamically learn cookies in the server response?
I understand that cookie insertion is an option but is not currently being used.
I have checked the syntax
sticky http-cookiename1 name2
Where name1 is the value that needs to be matched, how do i find out this value?
Your help would be much appreciated.
KrisKris,
that a sniffer trace of the traffic going to the server.
Then check the server response for a line which looks like : set-cookie: name=value.
This means the server will always use the cookie "name" and a different "Value" for each client.
So you configure ACE to look for hte "name" and it will learn the "value" automatically.
If you really do not understand http cookies, you could simply use the "sticky cookie insert" feature.
ACE will do everything for you automatically.
Gilles. -
Is there a way for the ACE to read the cookie value if it has a period in it (.). For example the cookie is ASP.NET_SessionID. The ACE appears to be ignoring the (.). I know I can switch to cookie insert, but was curious if I can work with the (.) in case this comes up in the future.
Is there a way for the ACE to read the cookie value if it has a period in it (.). For example the cookie is ASP.NET_SessionID. The ACE appears to be ignoring the (.). I know I can switch to cookie insert, but was curious if I can work with the (.) in case this comes up in the future.
-
Cookie-based decision making in iPlanet
Hello,
My J2EE application uses iPlanet 4.1 as the web server. Requests coming to my web server contain a cookie which can have one of two possible values. I need to find out the value of the cookie in the request and then, depending on the value of the cookie, serve one of two possible htmls back to the user. For example, it the cookie value is abc, I would serve abc.html back to the browser but if the value is xyz, I would serve xyz.html back to the browser.
I need help in doing this. Do I need to write my own NSAPI Server Application Function (SAF) to achieve this? Or is it possible to do this by using one of iPlanets built in SAFs? I also need to know the changes to be made to obj.conf
Would appreciate any help in this regard.
Regards,
Dipak Jha
Noida, India
email: [email protected]You could write a SAF. Since the code needs to be maintained, it's probably a more expensive way to solve the problem.
There's no built-in functionality to do this in obj.conf with iPlanet Web Server 4.1. iPlanet Web Server 4.1 is very old and no longer supported. I think you should consider upgrading to a supported web server. If you upgraded to Sun Java System Web Server 7.0, you could do the following in obj.conf:
<If defined $cookie{'COOKIENAME'} and $cookie{'COOKIENAME'} = "abc">
NameTrans fn="rewrite" from="/page.html" path="/abc.html"
</If>
<Else>
NameTrans fn="rewrite" from="/page.html" path="/xyz.html"
</Else>Or, since you're already using J2EE, you could write a Servlet or JSP that would do the same thing. -
ACE 4710 Redirect to Different Server Farm based on URL
I have a weblogic 11 serverfarm where i want to redirect to a different serverfarm based on the URL. I am able to do it and it appears to be working however I am having issues with the cookies. I seem to be getting logged out of our App when switching between the serverfarms. Is there any way to fix this issue? My configuration is below.
Thanks!
-Andy
Generating configuration....
crypto chaingroup WWW-PROD-CHAINGROUP
cert AddTrustExternalCARoot.crt
cert COMODOHigh-AssuranceSecureServerCA.crt
access-list allow line 8 extended permit ip any any
probe http HTTP_PROBE
port 7001
interval 10
passdetect interval 5
request method get url /login.jsp
expect status 200 299
connection term forced
probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5
receive 5
probe tcp TCP7001_PROBE
port 7005
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
rserver redirect REDIRECT-TO-HTTPS
webhost-redirection https://%h%p 301
inservice
rserver host WLS11Host1
ip address 192.168.211.250
inservice
rserver host WLS11Host2
ip address 192.168.211.14
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-TO-HTTPS
inservice
serverfarm host SPEND-FARM
probe HTTP_PROBE
rserver WLS11Host1 7001
inservice
serverfarm host WLS11FARM
probe HTTP_PROBE
rserver WLS11Host2 7001
inservice
parameter-map type http HTTP-PARM
persistence-rebalance
set secondary-cookie-start none
parameter-map type http PARSE
persistence-rebalance
set header-maxparse-length 8192
length-exceed continue
parameter-map type ssl SSL_MAP
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_WITH_AES_256_CBC_SHA
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
cookie insert browser-expire
serverfarm WLS11FARM
replicate sticky
sticky http-cookie ACE-COOKIE-SPEND SPEND_STICKY
cookie insert browser-expire
serverfarm SPEND-FARM
replicate sticky
ssl-proxy service WWW-PROD-SSLPROXY
key client_ssl.pem
cert pastar.crt
chaingroup WWW-PROD-CHAINGROUP
ssl advanced-options SSL_MAP
class-map type http loadbalance match-any HTTP-MARKETING
2 match http url /index.html
class-map type http loadbalance match-any HTTPS-SPEND
2 match http url /spend/.*
class-map type http loadbalance match-any L5
2 match http url /.*
class-map match-all WLS-7001-CLASS
2 match virtual-address 192.168.215.28 tcp eq www
class-map match-all WLS11-HTTPS-CLASS
2 match virtual-address 192.168.215.28 tcp eq https
policy-map type loadbalance first-match HTTPS
class HTTPS-SPEND
sticky-serverfarm SPEND_STICKY
insert-http x-forward header-value "%is"
class L5
sticky-serverfarm 7001_STICKY
insert-http x-forward header-value "%is"
policy-map type loadbalance first-match WLS11-7001-Policy
class HTTP-MARKETING
sticky-serverfarm 7001_STICKY
insert-http x-forward header-value "%is"
class HTTPS-SPEND
serverfarm REDIRECT-SERVERFARM
class L5
serverfarm REDIRECT-SERVERFARM
policy-map multi-match WLS11-SLB
class WLS-7001-CLASS
loadbalance vip inservice
loadbalance policy WLS11-7001-Policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
appl-parameter http advanced-options HTTP-PARM
class WLS11-HTTPS-CLASS
loadbalance vip inservice
loadbalance policy HTTPS
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
appl-parameter http advanced-options PARSE
ssl-proxy server WWW-PROD-SSLPROXY
interface vlan 1000
ip address 192.168.215.27 255.255.255.0
access-group input allow
nat-pool 1 192.168.215.28 192.168.215.28 netmask 255.255.255.255 pat
service-policy input WLS11-SLB
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.215.1
snmp-server community poweradvocaterw group Network-MonitorHi,
So when you come with " http url /index.html", you go to "sticky-serverfarm 7001_STICKY" and ACE must be inserting sticky "ACE_COOKIE-7001". Now when you get redirected because you match "HTTPS-Spend", ACE will loadbalance the request which will now come on HTTPS and insert sticky " ACE-COOKIE-SPEND". That's why i guess you see two sticky entries. Now i guess ACE will keep the connection to servers in "sticky-serverfarm SPEND_STICKY" or you see that ACE is not doing the same or you expected the ACE to send the requested to "sticky-serverfarm 7001_STICKY" even though it matches the HTTPS-Spend class-map condition?
Regards,
Kanwal -
ACE load-balancing-Cookie problem
In our other load-balancing environments the load-balancer-cookie contains the encrypted (real) servername or ip-address.
We think it's the same on the cisco, for that reason it's in theory not possible, that there are two 'green'-cookies with different values in the same request.
There are only two possibilities how this could happen:
a) The healthmonitor (http_probe) fails, the loadbalancer 'thinks' that the realserver is down and redistributes the traffic.
But in that case we would expect, that the old cookie will be overwritten by the new one and not simply added to the http-header.
b) The predictor in the serverfarm chooses a new realserver within the same request.
If that is really the cause of that problem this would be bug in the cisco ace.
What we found out, is that the loadbalancer performs a 'Set-Cookie'-Operation an every request even if the client submits the cookie correctly.
For example:
GET /ips-opdata/scripts/jquery.js HTTP/1.1
Host: www.xxxxx.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.xxxxx.com/
Cookie: green=R339366665; JSESSIONID=28D91FC6FD62A3921354BB36826294C4
HTTP/1.1 200 OK
Set-Cookie: green=R339366665; path=/; expires=Tue, 29-Mar-2011 06:33:00 GMT
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
ETag: W/"72181-1298537508000"
Last-Modified: Thu, 24 Feb 2011 08:51:48 GMT
Content-Type: text/javascript
Content-Length: 72181
Date: Mon, 28 Mar 2011 06:15:19 GMT
As you can see the cookies: green=R339366665 is transmitted from the client, but the loadbalancer does a Set-Cookie Operation of the same cookie once again. This is an unexpected behaviour.
We hope that this helps you to figure out the reason of the problem.The cookie is sent by the ACE on each response to refresh the timeout value on the client. The value of the cookie doesn't change. This is the expected behaviour and shouldn't break anything in the application / browser.
For browser-based applications, don't forget to add the "browser-expire" parameter to your cookie-based stickyness config. -
ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?
Hello all, I'm new to the ACE 4710 and need to know some details about stickyness.
As background, we are a small company with a SaaS product and a pair of webservers.
I have set up the loadbalancing default L7 Load-balancing rule to sticky based on a Cookie based Stickey Group.
That seems to be working and session traffic is sticking to a server during the user's session.
Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work little to no tranining on this hardware and no budget at this point to pay someone else for configuration and setup.
I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
Hopefully this request makes sense.
Thanks,
Mark Steeves.Daniel,
Thanks for the reply, but I cannot reach the URL you included. It gives me a 403.
Therfore without reading the article, I wanted to ask if the proper setup would be:
1. Default L7 load-balancing action: Primary action: Sticky: Stickey Group using
Type = HTTP Header: Header name = Host
2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
Using this setting in testing, it looks like all the traffic keeps going to 1 server only. Granted there is not much traffic t the servers, but I have 2 different url being tested. url1.ourdomain.com & url2.ourdomain.com
If you have another link for the above document, please let me know.
Thanks,
Mark Steeves. -
ACE 4710 Can not confirm http cookie sticky connections
We are using a ACE 4710 with A3(2.6) software release.
I had to change our sticky load balancing method for HTTPS to cookie based.
However while connections appear to work if I look at the sho sticky database table I can not see or confirm sticky entries for the cookie based connections.
Here or config snippets to show the config
sticky http-cookie ghh-www scook-ghh
cookie insert browser-expire
serverfarm ghh-www-443
class-map match-all ghh-www-443_CLASS
2 match virtual-address 172.16.1.21 tcp eq https
class-map type http loadbalance match-any ghh-www-443_CLASSURL
2 match http url [.]*
policy-map type loadbalance first-match ghh-sticky-443_POLICY
class class-default
sticky-serverfarm scook-ghh
policy-map multi-match POLICY
class ghh-www-443_CLASS
loadbalance vip inservice
loadbalance policy ghh-sticky-443_POLICY
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAMAnother point: please check whether your servers are listening only for HTTPS traffic or also for HTTP traffic:
in the first case the ACE will have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and then re-encrypt it and send it to the server
in the second case the ACE would have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and send it out as it is unencrypted to the server
the second solution would have the benefit of being easier to configure and to require less resoucerces both on the ACE (only decryption to be performed) and on the servers (no need for SSL operations at all there) but it might be that your company or business sector have requirements for which this traffic should never flow unencrypted, in which case you would have to go for the first solution.
Here you have a config example for the first solution:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
I would not expect you to have to pay extra for importing the cert and kepair into the ace, it would be just a copy, however as Alex said that may still depend on the license agreement with the CA.
Cheers,
Francesco
Maybe you are looking for
-
I purchased a new PC windows 8.1. Now I need to download my iTunes libary to the new PC. The libary is in the cloud, very large libary. Can I download the entire libary to the new PC while I am away or while the PC is off? It will take 3-4 weeks to d
-
Migrating SQL Reporting Services error
Hi I followed this technet documentation for migrating the reporting services database and temp database to a new server. I got the error here below ... what i was trying to do is create a new folder however it's throwing out an error and not letting
-
Sending an e-mail from SAP to multiple e-mail IDs
I have a requirement where SAP should send e-mail to the main recipient and CC to three other recipients. The e-mail will have a PDF attachment of delivery document and the e-mail Ids are fetched from ''Storage Location'' definition maintained in cus
-
ANNC: divaLINK - convert text into links, automatically
I am happy to announce the release of a new Extension for Dreamweaver: divaLINK. Using unobtrusive javascripting, it will convert plain text urls to hyperlinks, and (optionally) plain text email addresses to mailto: links, all on-the-fly in the brows
-
The Toolbox did it's monthly hardware check today. The following errors were logged. Please help me understand what they mean and how to fix them. Thanks. I am running WinVista x64 Ultimate on a Thinkpad W700ds with a solid state hard disk (which mea