ACE HTTP loadbalancing problem
What I'm trying to achieve with the below config is
any request coming in with "programming" in the URL
will be mapped to one server and all else mapped to
a different one. So what I see happening is that I can
get to the main page but not the page with "programming"
in the URL. I have to clear the connections to get
mapped to the serverfarm that handles all requests
with "programming". I thought it was related to the
sticky serverfarm I had configured before so I reverted
to an ordinary serverfarm and it still doesn't work. Any
thoughts or suggestions?
rserver host TEST_01
ip address 10.10.204.200
inservice
rserver host TEST_02
ip address 10.10.204.201
inservice
serverfarm host TEST/PROG_SF
rserver TEST_02
inservice
serverfarm host TEST_SF
rserver TEST_01
inservice
class-map match-any TEST_VS
2 match virtual-address 10.10.215.27 tcp eq www
3 match virtual-address 10.10.215.27 tcp eq https
class-map type http loadbalance match-any TEST/PROG
3 match http url (/programming.*)
4 match http url /programming.*
policy-map type loadbalance first-match TEST_L7SLB
class TEST/PROG
serverfarm TEST/PROG_SF
class class-default
serverfarm TEST_SF
policy-map multi-match VIPS
class TEST_VS
loadbalance vip inservice
loadbalance policy TEST_L7SLB
loadbalance vip icmp-reply
interface vlan 215
service-policy input VIPS
You need to activate persistent rebalance, which is not on by default, so that subsequent requests inside the same TCP connection can be remapped to a different server if they match a different rule.
parameter-map type http HTTP-PARAM
persistence-rebalance
policy-map multi-match VIPS
class TEST_VS
appl-parameter http advanced-options HTTP-PARAM
Gilles.
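The behaviour described in the answer above, as an added example that is not part of either post: a simplified Python model of the posted TEST_L7SLB policy, routing several requests over one keepalive TCP connection with and without persistence-rebalance. It assumes the URL expression is compared against the whole request URL; the session URLs are constructed.

```python
import re

# Model of the posted policy TEST_L7SLB: first-match rules, then class-default.
# Assumption: the URL expression is compared against the whole request URL.
L7_RULES = [(re.compile(r"/programming.*"), "TEST/PROG_SF")]
DEFAULT_FARM = "TEST_SF"
FARM_RSERVERS = {"TEST/PROG_SF": ["TEST_02"], "TEST_SF": ["TEST_01"]}


def select_farm(url):
    """First-match lookup, falling through to class-default."""
    for pattern, farm in L7_RULES:
        if pattern.fullmatch(url):
            return farm
    return DEFAULT_FARM


def route_connection(urls, persistence_rebalance):
    """Return [(url, farm, rserver)] for requests sent on ONE keepalive TCP connection."""
    current_farm = None
    current_rserver = None
    routed = []
    for url in urls:
        wanted = select_farm(url)
        first_request = current_farm is None
        # Without persistence-rebalance the decision made for the first
        # request is kept for the lifetime of the connection.
        if first_request or (persistence_rebalance and wanted != current_farm):
            current_farm = wanted
            current_rserver = FARM_RSERVERS[wanted][0]
        routed.append((url, current_farm, current_rserver))
    return routed


def misrouted(urls, persistence_rebalance):
    """URLs served by a farm other than the one the policy selects for them."""
    return [url for url, farm, _ in route_connection(urls, persistence_rebalance)
            if farm != select_farm(url)]


# Constructed browsing session: main page first, then the "programming" page.
SESSION = ["/", "/programming/index.html", "/images/logo.gif"]

if __name__ == "__main__":
    for flag in (False, True):
        print("persistence-rebalance:", flag)
        for url, farm, rserver in route_connection(SESSION, flag):
            print(f"  {url:28} -> {farm} ({rserver})")
        print("  misrouted:", misrouted(SESSION, flag))
```

With the flag off, the "programming" request stays on TEST_01 until the connection is cleared, which is the symptom in the question.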
Similar Messages
-
ACE HTTP Probe with regex
Hi,
I'm trying to set up an HTTP probe with an expected string rather than a code (config below). I do a GET for the page, then a search for a string in the response; however, it's not working, as the probe appears as failed.
I've tested the connection to the server by using telnet and then looking at the page displayed to make sure the string I want to match is in the response.
probe http HTTP-PROBE
port 43050
interval 30
passdetect interval 30
passdetect count 1
request method get url /action=help
open 43050
expect regex action=help
Q. Is there anything wrong with this configuration and what I'm trying to achieve?
Thanks,
Pritesh
Use "expect status" under the probe config. "expect regex" doesn't work if "expect status" is not configured.
"expect regex" works flawlessly with static pages. It doesn't work all the time with dynamic pages,
especially if the "content-length" header is missing from the server response.
Hope it helps
Syed Iftekhar Ahmed -
ACE http/https redirect or rewrite
Greetings,
We have a setup that requires ACE http/https redirection or rewrite.
A client connects to a secured Web portal which has its ssl termination on the ACE.
The web portal will request from the client a redirection to another application. As the portal is unaware that the incoming client https request was terminated on the ACE,
the client receives the redirect request for an unsecured http URL rather than for the secured https URL.
In this case what would be best to use? ACE "rewrite" or "redirect"?
Will the following example config for ACE "redirect" be sufficient to implement this?
ssl-proxy service ssl-App-443-81
key app1.test.com.key
cert app1.test.com.cert
rserver redirect App-secure-redirect
webhost-redirection https://app1.test.com/Go/
inservice
serverfarm redirect App-secure-redirect-sf
rserver App-secure-redirect
inservice
serverfarm host App-81-sf
probe TCP81
rserver proxy1 81
inservice
rserver proxy2 81
inservice
parameter-map type http http_param_map
header modify per-request
sticky http-cookie App-cookie App-sticky
cookie insert
replicate sticky
serverfarm App-81-sf
class-map match-any App-443-81-cm
2 match virtual-address 10.10.10.112 tcp eq https
class-map match-any App-81-cm
2 match virtual-address 10.10.10.112 tcp eq 81
class-map type http loadbalance App-secure-redirect-cm
match http url http://app1.test.com:81/Go/
policy-map type loadbalance http first-match App-rewrite-pm
class App-secure-redirect-cm
serverfarm App-secure-redirect-sf
policy-map type loadbalance http first-match App-sticky-443-81-pm
class class-default
sticky-serverfarm App-sticky
policy-map multi-match policy-inbound
class App-81-cm
loadbalance vip inservice
loadbalance policy App-rewrite-pm
loadbalance vip icmp-reply active
loadbalance vip advertise active
class App-443-81-cm
loadbalance vip inservice
loadbalance policy App-sticky-443-81-pm
loadbalance vip icmp-reply active
loadbalance vip advertise active
appl-parameter http advanced-options http_param_map
ssl-proxy server ssl-App-443-81
If you are offloading www.yoursite.com on ACE and the backend
real servers are not SSL aware (they send URLs with http://), then with the
following sample config you can instruct ACE to rewrite such URLs (http->https):
class-map match-all VIP-443
match virtual-address x.x.x.x tcp eq https
action-list type modify http HTTP2HTTPS-REWRITE
ssl url rewrite location www\.yoursite\.* sslport 443 clearport 80
policy-map type loadbalance first-match YOUR-POLICY
class class-default
serverfarm YOUR-SFARM
action HTTP2HTTPS-REWRITE
class VIP-443
loadbalance vip inservice
loadbalance policy YOUR-POLICY
loadbalance vip icmp-reply active
ssl-proxy server YOUR-SSL-SERVICE
You need Ace2.x+ on Ace module & 3.x+ on 4710 appliance for this feature.
Syed Iftekhar Ahmed -
HTTP loadbalancing with tomcat4
Hi,
First question: does tomcat4 support HTTP loadbalancing?
Second question: I have a web scenario with 80.000 visits per day. How many instances of tomcat do I need to manage this?
Thanks
pumpindave
http://faqchest.dynhost.com/prgm/tomcat-l/
http://www.ubeans.com/tomcat.
I hope these links may help you.
It was done successfully by my friend. So just dig into it.
bye,
Samir -
ACE: RDP loadbalancing connection problem
I have a problem setting up RDP loadbalancing.
My setup is a WS-C6509-E with IOS 12.2(33)SXI5 and a ACE20-MOD-K9 running
A2(3.3).
I have the ACE in two-arm-mode, I can connect to the real servers via RDP. The
real servers use a MS Terminal Server Session Broker with routing tokens.
The serverfarm is operational:
# show serverfarm FARM-TSFARM1 det
serverfarm : FARM-TSFARM1, type: HOST
total rservers : 4
active rservers: 4
description : srv-f1-tsX.mydomain.de
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 1
total conn-dropcount : 0
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: RS-SRV-F1-TS1
10.7.43.201:0 8 OPERATIONAL 0 1 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS2
10.7.43.202:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS3
10.7.43.203:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS4
10.7.43.204:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
The service policy is active, it shows an increasing hit count for the VIP
connections (47 as shown below), no drop-count, no dropped connections, but
zero bytes server packets and no hit counts for the L7 policy:
# show service-policy VIP-TSFARM1 detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 44
service-policy: VIP-TSFARM1
class: VIP-TSFARM1-RDP
VIP Address: Protocol: Port:
10.7.44.106 tcp eq 3389
loadbalance:
L7 loadbalance policy: VIP-TSFARM1-RDP-l7slb
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 47
dropped conns : 0
client pkt count : 221 , client byte count: 10996
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : VIP-TSFARM1-RDP-l7slb
class/match : class-default
LB action: :
primary serverfarm: FARM-TSFARM1
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
I never get a "Built TCP connection" syslog message.
When I make a VIP with "policy-map type loadbalance generic" instead of
"policy-map type loadbalance rdp" everything works as expected, apart from the
fact that users cannot be redirected to the correct server if they have an
active session on one of them.
Here is the config of the rdp setup:
rserver host RS-SRV-F1-TS1
description srv-f1-ts1.mydomain.de
ip address 10.7.43.201
conn-limit max 500 min 500
rate-limit connection 10000
rate-limit bandwidth 12500000
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS2
description srv-f1-ts2.mydomain.de
ip address 10.7.43.202
conn-limit max 500 min 500
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS3
description srv-f1-ts3.mydomain.de
ip address 10.7.43.203
conn-limit max 500 min 500
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS4
description srv-f1-ts4.mydomain.de
ip address 10.7.43.204
conn-limit max 500 min 500
probe PING_PROBE
inservice
serverfarm host FARM-TSFARM1
description srv-f1-tsX.mydomain.de
rserver RS-SRV-F1-TS1
inservice
rserver RS-SRV-F1-TS2
inservice
rserver RS-SRV-F1-TS3
inservice
rserver RS-SRV-F1-TS4
inservice
class-map match-all VIP-TSFARM1-RDP
2 match virtual-address 10.7.44.106 tcp eq 3389
policy-map type loadbalance rdp first-match VIP-TSFARM1-RDP-l7slb
class class-default
serverfarm FARM-TSFARM1
policy-map multi-match VIP-TSFARM1
class VIP-TSFARM1-RDP
loadbalance vip inservice
loadbalance policy VIP-TSFARM1-RDP-l7slb
loadbalance vip icmp-reply active
loadbalance vip advertise active
interface vlan 44
service-policy input VIP-TSFARM1
Any ideas?
Ralf,
You are running into the following defect:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl63354
Workaround:
use a layer 4 loadbalance policy and configure source ip sticky.
Joel Lamousnery
Cisco TAC -
Ace ssl-proxy problem, Online store.
Hello!
I have a problem with moving our online store loadbalancing to a Cisco ACE solution from the Windows NLB that it runs on now, and also with relieving the servers from the SSL encrypting and decrypting of sessions.
The load balancing works as long as the session is HTTP, but when the "customer" comes to the point that he is going to pay, our shop jumps over to HTTPS, and this is where the problem appears.
The "customer" is getting the certificate right but the site is not displayed = the session to the shop seems to die.
Have I missed something in the config, or does someone have any other idea why this doesn't work for me?
Appreciate any help!
My config:
(at the moment only web5 is in use)
ACE-1/CO-WEB1# show run
access-list ANY line 10 extended permit ip any any
access-list icmp line 8 extended permit icmp any any
probe http PROBE-HTTP
interval 3
passdetect interval 10
passdetect count 2
expect status 200 200
expect status 300 323
parameter-map type ssl SSLPARAMS
cipher RSA_WITH_RC4_128_MD5
rserver host vmware-server1
description testserver1
ip address 219.222.4.180
probe PROBE-HTTP
inservice
rserver host vmware-server2
description testserver 2
ip address 219.222.4.181
probe PROBE-HTTP
inservice
rserver host web5
description testserver from windows nlb
ip address 219.222.4.185
probe PROBE-HTTP
inservice
ssl-proxy service SSL-PROXY-SE
key cert-se.key
cert cert-se.pem
ssl advanced-options SSLPARAMS
serverfarm host WM-ware_servers
rserver vmware-server1
inservice
serverfarm host webtest
description testserver-farm
predictor leastconns
rserver vmware-server1 80
rserver vmware-server2 80
rserver web5
inservice
sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
timeout 60
serverfarm webtest
class-map match-all VIP-HTTP
2 match virtual-address 219.222.4.178 tcp eq www
class-map match-all VIP-HTTPS
2 match virtual-address 219.222.4.178 tcp eq https
class-map type management match-any icmp
description for icmp reply
2 match protocol icmp any
policy-map type management first-match icmp
class icmp
permit
policy-map type loadbalance first-match VIP-HTTP
class class-default
sticky-serverfarm STICKY-GROUP1
policy-map type loadbalance first-match VIP-SSL
class class-default
serverfarm webtest
policy-map multi-match SLB-VIP-HTTP
class VIP-HTTP
loadbalance vip inservice
loadbalance policy VIP-HTTP
loadbalance vip icmp-reply
class VIP-HTTPS
loadbalance vip inservice
loadbalance policy VIP-SSL
loadbalance vip icmp-reply
ssl-proxy server SSL-PROXY-SE
interface vlan 21
description ### ACE OUTSIDE mot FW ###
ip address 219.222.4.171 255.255.255.240
access-group input ANY
access-group output ANY
service-policy input icmp
service-policy input SLB-VIP-HTTP
no shutdown
interface vlan 22
description ### ACE INSIDE Gateway for Web-servers ###
ip address 219.222.4.177 255.255.255.240
access-group input ANY
access-group output ANY
service-policy input icmp
no shutdown
ip route 0.0.0.0 0.0.0.0 219.222.4.161
ACE-1/CO-WEB1#
As seen in "show conn", the sessions are established, first when I enter the site, and then when I go to payment (jumping over to SSL):
ACE-1/CO-WEB1# show conn
total current connections : 4
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB
14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB
11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB
3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB
ACE-1/CO-WEB1#
Hello Krille,
I had the same problem.
The HTTP probe you define will do a check if
the return code is
expect status 200 200
expect status 300 323
Now if a user is accessing the https site, in the flow there will be an expect status like 404; the ACE then does not establish a sticky connection, because it thinks that the flow is not OK.
The only output after the certificates is a blank site.
If you change the probing to ICMP you will be able to access the https site and the connection is sticky. With a little tool like IE Watch you will be able to see the wrong status codes.
regards
eberhard -
Hi,
I have an ACE 4701 with the c4710ace-mz.A3_2_2.bin image. In the current setup the ACE is located in the center of the network, where all the WAN, Internet and LAN are connected; the ACE has its default route towards the Internet and all other segments have their default route towards the ACE appliance. The ACE is only redirecting the port 80 traffic to my proxy server and bypasses my LAN subnet on port 80.
Internet
i
i
i
i
i
ACE--------------------------------WAN
i
i
i
i
LAN
I want to use ACE for the load balancing of two servers. Today I did the load balancing configuration but as soon as I applied the policy map on the interface vlan 200 and 300, my complete network reachability went down. When I remove the policy my network came back to normal.
192.168.200.66 FAX Server-1
192.1168.200.67 FAX Server-2
192.168.200.65 Virtual IP address
Attached is the configuration that I did on ACE for the load balancing and below is the current configuration of the ACE appliance.
access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
access-list acl-in line 1 extended permit ip any any
access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
access-list acl-out line 1 extended permit ip any any
access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
access-list acl-proxy line 1 extended permit ip any any
access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
access-list acl-wan line 1 extended permit ip any any
probe tcp PROBE_5050
port 5050
interval 15
passdetect interval 60
open 1
probe tcp PROBE_5101
port 5101
interval 15
passdetect interval 60
open 1
probe tcp PROBE_TCP
port 80
interval 15
passdetect interval 60
open 1
parameter-map type http PARAMAP_CASE
case-insensitive
no persistence-rebalance
rserver host RS_BCPR01
ip address 192.168.0.103
inservice
rserver host RS_BCPR02
ip address 192.168.0.104
inservice
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
serverfarm host SF_BCPR
transparent
probe PROBE_5050
probe PROBE_5101
probe PROBE_TCP
rserver RS_BCPR01
inservice
rserver RS_BCPR02
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
rserver RT_fax2
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
replicate sticky
serverfarm SF_BCPR
sticky ip-netmask 255.255.255.255 address source FAX-STICKY
replicate sticky
serverfarm SF_RT_fax
class-map type management match-any CM_ALL
2 match protocol snmp any
3 match protocol http any
4 match protocol https any
5 match protocol icmp any
6 match protocol telnet any
class-map match-any CM_BYPASS_FOR_LAN
3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_BYPASS_SUBNET
9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
14 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_IM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
class-map match-all CM_SF_BCPR
255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
class-map match-any RT_FAX
2 match virtual-address 192.168.200.65 0.0.0.0 any
policy-map type management first-match PM_ALL
class CM_ALL
permit
policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
class class-default
forward
policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
class class-default
forward
policy-map type loadbalance first-match PM_LB_RT_FAX
class class-default
sticky-serverfarm FAX-STICKY
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
class class-default
sticky-serverfarm STICKY-SOURCE
policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
class CM_BYPASS_FOR_LAN
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
policy-map multi-match PM_BYPASS_HTTP
class CM_BYPASS_SUBNET
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_HTTP
policy-map multi-match PM_MAIN_BCPROXY
class CM_SF_BCPR
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
loadbalance vip icmp-reply active
appl-parameter http advanced-options PARAMAP_CASE
class CM_IM
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
service-policy input PM_ALL
interface vlan 100
description FW-INSIDE CONTEXT RACK1
ip address 192.168.0.5 255.255.255.224
alias 192.168.0.11 255.255.255.224
peer ip address 192.168.0.6 255.255.255.224
mac-address autogenerate
no icmp-guard
access-group input acl-out
no shutdown
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 301
description BC-VLAN CONTEXT RACK1
ip address 192.168.0.97 255.255.255.224
alias 192.168.0.107 255.255.255.224
peer ip address 192.168.0.98 255.255.255.224
mac-address autogenerate
access-group input acl-proxy
no shutdown
ft track interface TRACKING_FOR_FT_VLAN
track-interface vlan 300
peer track-interface vlan 300
priority 255
peer priority 255
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Please help me out with what I am missing. Is there any limitation on policy maps, or is my bypass subnet list creating the problem?
I did these changes; this time nothing disconnected, but I am not able to do Remote Desktop on the virtual IP address. The real IP has Remote Desktop enabled; even the VIP is not pingable for me.
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
inservice
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
inservice
rserver RT_fax2
inservice
policy-map type loadbalance rdp first-match PM_LB_RT_FAX
class class-default
serverfarm SF_RT_fax
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
loadbalance vip icmp-reply active
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
no shutdown
But nothing is working for me. Please help me out. This time I didn't configure the sticky. But in reality I will go with sticky, and the complete IP protocol will use a VIP. Please help me out. -
ACE http health probes - best practice for interval and passdetect interval?
Hi,
Is there a recommended standard for HTTP health probes in terms of interval and passdetect interval timings, i.e. should the passdetect interval always be less than the interval or vice versa? Can an HTTP probe be 'mis-configured', i.e. return a 'false positive' by configuring an interval timeout that's 'incompatible' with the device it's polling?
I have a http probe for a serverfarm consisting of two Apache http servers and get intermittent 'server reply timeout' probe failures. I'm keen to ensure that the configuration of the probe isn't at fault so I can be confident that a failed probe indicates a problem with the server and not my configuration.
The probe is currently configured as below:-
probe http http-apache
interval 30
passdetect interval 15
passdetect count 6
request method get url /cs/images/ACE.html
expect status 200 304
Any advice on the subject would be gratefully received.
thanks
Matthew
Hi Gilles,
Thanks for the advice. In another discussion (found here https://supportforums.cisco.com/message/462397#462397) a poster has stated that:-
"(The) "Probe interval" should always be less then (open+recieve) timeout value. Default open & receive timeouts are 10 seconds."
Are you able to advise on whether the above is correct and if so, why? I currently have an interval value of 30 that obviously goes against the advice above (which I've interpreted to mean that if you leave the open & receive timeouts at their default settings your probe interval should be less than 20 seconds?).
thanks
Matthew -
This is what I want to achieve USING the ACE as a reverse proxy.
User uses the url https://abc/password - gets to the destination server & the web page
If the user tries to use anything additional, such as
https://abc/password/test or any such variation, then the connection is dropped at the ACE.
Following is the config I have to achieve this
class-map type http loadbalance match-any L7-CLASS-TEST
match http url /password
match http url /password/
class-map type http loadbalance match-any L7-CLASS-TEST-deny
2 match http url .*.*
policy-map type loadbalance first-match LBP-TEST
class L7-CLASS-TEST
serverfarm FARM-TEST
ssl-proxy client TEST
class L7-CLASS-TEST-deny
drop
class class-default
serverfarm FARM-TEST
ssl-proxy client TEST
The problem with this is when the page opens I get broken links on all the images. If I use the following line
match http url /password.*
I get the images to work but the user can use the https://abc/password/test which is not what I want.
Has anyone faced this issue?
Any help will be appreciated.
Thanks in advance
Prasanna
Prasanna,
What about if you try it in HTTP and apply the following change?
class-map type http loadbalance match-any L7-CLASS-TEST-deny
2 match http url /.*
This should work in HTTP but not with HTTPS.
Anyway, it should not work since everything seems to be encrypted; you may require either SSL termination or end-to-end SSL for this, then the ACE can decrypt the request, see what it needs to do and take the load balance decision.
Jorge -
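The first-match evaluation discussed in this thread, as an added example that is not part of either post: a Python model assuming ACE compares each `match http url` expression against the whole request URL (modelled with `re.fullmatch`). The sample URLs and the NARROWED policy, including its `/password/images/.*` entry, are constructed for illustration.

```python
import re

FARM = "serverfarm FARM-TEST"
DENY = ("L7-CLASS-TEST-deny", [r".*.*"], "drop")

# Policy as posted: only /password and /password/ reach the farm.
POSTED = [("L7-CLASS-TEST", [r"/password", r"/password/"], FARM), DENY]

# Variant from the post: images load, but every sub-path is allowed too.
WILDCARD = [("L7-CLASS-TEST", [r"/password.*"], FARM), DENY]

# Hypothetical narrowing (not from the thread): the page plus an explicit
# asset path, assuming the page's images live under /password/images/.
NARROWED = [("L7-CLASS-TEST",
             [r"/password", r"/password/", r"/password/images/.*"], FARM), DENY]

# Constructed request URLs, as seen after SSL termination.
SAMPLE = ["/password", "/password/", "/password/images/logo.gif",
          "/password/test", "/passwordreset"]


def first_match(policy, url):
    """Return (class name, action) of the first class whose expression matches."""
    for name, patterns, action in policy:
        if any(re.fullmatch(p, url) for p in patterns):
            return name, action
    return "class-default", FARM


def dropped(policy, urls):
    """URLs that end up in a class whose action is drop."""
    return [u for u in urls if first_match(policy, u)[1] == "drop"]


def default_reachable(policy, urls):
    """True if any of the URLs falls through to class-default."""
    return any(first_match(policy, u)[0] == "class-default" for u in urls)


if __name__ == "__main__":
    for label, policy in (("posted", POSTED), ("wildcard", WILDCARD),
                          ("narrowed", NARROWED)):
        print(label)
        for url in SAMPLE:
            print(f"  {url:28} -> {first_match(policy, url)}")
        print("  class-default reachable:", default_reachable(policy, SAMPLE))
```

In this model the catch-all deny class sits ahead of class-default, so class-default is never reached under any of the three policies.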
ACE http probe "request method type" mandatory on A3(2.6)?
Hi people,
I recently upgraded to A3(2.6) from A3(2.0) and I don't see the N/A option on the http probe "request method type".
It also has an asterisk * which means it's mandatory.
I tried to set up a new http probe for another farm I am creating and the probe shows status failed, although I can ping and telnet to the http server on port 80 from the ACE context. My probe is like that:
probe http http_probe_WWW
interval 15
passdetect interval 60
expect status 200 200
open 10
My other http probes for other farms work ok after the upgrade and they are similar.
So my question is: Do I need to set the request method type or something else causes the probe to fail?
thanks a lot.
George
What you see is a problem with the GUI.
CSCtg78008 while creating http probe default method slected should be get as in CLI
But the request-method is not required.
So your config should work.
Do a 'show probe detail' to see the failure reason.
Get a sniffer trace as well.
Regards,
Gilles. -
ACE 4710 Loadbalancer Weblogic Issues
Hi Guys,
Having some issues with my loadbalancer and WebLogic. Eventually I want SSL forwarding and everything set up, but as of now I can only access the VIP under port 7001 (default WebLogic port). How would I get it so I can access via HTTP? My config is below.
PA-ACE-4700-SLB/Admin# changeto Prod-Support
PA-ACE-4700-SLB/Prod-Support# show run
Generating configuration....
access-list allow line 8 extended permit ip any any
probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5
receive 5
probe tcp TCP443_PROBE
port 443
interval 5
passdetect interval 5
receive 5
connection term forced
open 2
probe tcp TCP7001_PROBE
port 7001
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
probe tcp TCP80_PROBE
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
rserver host 228-WLS11host1
ip address 192.168.211.228
inservice
rserver host 229-WLS11host2
ip address 192.168.211.229
inservice
serverfarm host WLS11-7001
probe TCP7001_PROBE
rserver 228-WLS11host1
inservice
rserver 228-WLS11host1 7001
rserver 229-WLS11host2
inservice
rserver 229-WLS11host2 7001
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
cookie insert browser-expire
replicate sticky
serverfarm WLS11-7001
class-map type http loadbalance match-any L5
2 match http url .*
class-map match-all WLS11-7001-CLASS
2 match virtual-address 192.168.211.50 tcp any
policy-map type loadbalance first-match WLS11-7001-Policy
class L5
sticky-serverfarm 7001_STICKY
policy-map multi-match WLS11-SLB
class WLS11-7001-CLASS
loadbalance vip inservice
loadbalance policy WLS11-7001-Policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
interface vlan 1000
ip address 192.168.211.226 255.255.255.0
access-group input allow
nat-pool 1 192.168.211.50 192.168.211.50 netmask 255.255.255.255 pat
service-policy input WLS11-SLB
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.211.235
Thanks for any help you can provide.
Hummm,
Andy
1) Can you modify this?
class-map type http loadbalance match-any L5
2 match http url .*
to look like this:
class-map type http loadbalance match-any L5
2 match http url /.*
2)Can you do this:
serverfarm host WLS11-7001
probe TCP7001_PROBE
rserver 228-WLS11host1 7001
inservice
rserver 229-WLS11host2 7001
inservice
3)Can you clear all the browser's cookies and/or open a new browser window? It might be possible that some clients are stuck to the servers which do not have the port hardcoded.
4)Can you do: clear stats loadbalance? (won't affect anything)
5)Then generate traffic
6)Then get:
#show service-policy WLS11-SLB class-map WLS11-7001-CLASS detail
#show stat http
Jorge -
ACE: HTTP followed by HTTPs/SSL termination, stickiness
Dear Helpers,
I'm trying to figure out the best sticky/persistence method for the following for ACE,
Client X ----(HTTP)--------------------------------------------ACE LB ---to----Server 1
Client X -----(HTTPs)---ACE/SSL termination ------ACE LB ---to---- Server1
Both HTTP and HTTPs use the same VIP for HTTP and HTTPs)
The same client to stick/persist to the same server using both HTTP and HTTPs. HTTPs/SSL is terminated by ACE.
Could you point me to sample configurations for this requirement, please.
Thank you
SS
Hi Gilles,
thanks for the response. Sorry, I had gotten distracted with a bunch of other things and didn't get a chance to get back to this. Anyway, so, I can generate the 302 response in my web-servers except I need to turn it around to a different domain name. Now assuming I use URL rewrite when I see this coming back from the web-server, I can rewrite this to https and send to the client? A few questions about this and the links you sent above with using redirect service.
a) Can I do a redirect to an https address or does it only do http (considering I only saw example configs using www.domain.com/index.html type redirects without specifying the protocol to use)?
b) If not, then I use URL rewrite in conjunction with the 302 from the web-servers. But for my SSL off-load in a pair of CSS using VIP and Virtual Interface redundancy, do I buy 2xSSL Certs for the same domain-name or do I buy ONE (i.e. generate the key-pair/CSR in Master CSS) and import the same rsakey and SSL Cert received from the CA into both CSSs?
c) Does the CSS handle a wildcard SSL Cert without problems?
Thanks again,
\R -
I have a problem understanding how ACE handles the Firewall Loadbalancing.
In the documentation there is an example for a secure side and an insecure side.
serverfarm INSEC_SF
transparent
predictor hash address source 255.255.255.255
rserver FW_INSEC_1
inservice
rserver FW_INSEC_2
inservice
rserver FW_INSEC_3
inservice
serverfarm SEC_SF
predictor hash address destination 255.255.255.255
transparent
rserver FW_SEC_1
inservice
rserver FW_SEC_2
inservice
rserver FW_SEC_3
inservice
The ACE on the insecure side makes a hash of the source IP and selects one of 3 firewalls.
The ACE on the secure side makes a hash of the destination IP and selects one of 3 firewalls.
On what information does the ACE make the hash? The IP addresses of the firewalls on the secure/insecure side are different.
The names of the real servers are also different.
Best Regards
Sven
Hi Gilles,
thanks for your reply. You are right. But my question was: on what does the hash match?
There are 3 firewalls.
The ACE only knows the local IP address and name of the firewall.
So the ACE on the secure side knows a different IP address than the ACE on the insecure side.
The names are also different on both sides!
So how do the ACE modules know that rserver FW_INSEC_1 and rserver FW_SEC_1 are the same firewall device? So it is not clear on what the ACE matches the computed hash value for SRC or DST IP.
On CSS systems it is clear. The CSS knows the local and remote IP of the firewall + firewall index and can compute the hash for both sides to the same firewall.
But on the ACE system I cannot see where the match is done.
Is it done by the order of Configuration in the serverfarm? -
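A model of the two predictors in the documentation example, added here and not taken from the thread or from Cisco: the request's source and the reply's destination are the same client address, so both sides hash the same key. It assumes the hash result is used as a position in the serverfarm's rserver list (which the thread does not confirm), that FW_INSEC_n and FW_SEC_n are the two legs of one firewall, and CRC32 as a stand-in hash.

```python
import ipaddress
import zlib

# rserver order exactly as listed in the two serverfarms above.
INSEC_SF = ["FW_INSEC_1", "FW_INSEC_2", "FW_INSEC_3"]
SEC_SF = ["FW_SEC_1", "FW_SEC_2", "FW_SEC_3"]


def slot(ip, farm_size, mask="255.255.255.255"):
    """Hash a masked IPv4 address to a position in a serverfarm.

    Assumption: CRC32 stands in for the ACE's internal hash, which the
    page does not describe. The argument only needs it to be deterministic.
    """
    masked = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))
    return zlib.crc32(masked.to_bytes(4, "big")) % farm_size


def device(rserver):
    """Assumption: FW_INSEC_n and FW_SEC_n are the two legs of firewall n."""
    return rserver.rsplit("_", 1)[1]


def pick_insecure(src, dst, farm=INSEC_SF):
    """predictor hash address source: key is the packet's source IP."""
    return farm[slot(src, len(farm))]


def pick_secure(src, dst, farm=SEC_SF):
    """predictor hash address destination: key is the packet's destination IP."""
    return farm[slot(dst, len(farm))]


def asymmetric_clients(clients, server, sec_farm=SEC_SF):
    """Clients whose request and reply would cross different firewalls."""
    broken = []
    for client in clients:
        request_fw = pick_insecure(src=client, dst=server)   # client -> server
        reply_fw = pick_secure(src=server, dst=client, farm=sec_farm)  # reply
        if device(request_fw) != device(reply_fw):
            broken.append(client)
    return broken


# Constructed sample addresses (not from the page).
CLIENTS = [f"198.51.100.{n}" for n in range(1, 101)]
SERVER = "192.0.2.10"
```

Under these assumptions, a secure-side farm listed in a different order sends replies through a firewall that never saw the request, which a stateful firewall has no session entry for.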
CISCO ACE "http connection persistence issue"
Hello Friends,
Need an urgent help to resolve my issue, i have two physical servers running with 2 instances each serving same data so totally logical servers.
Application is java based url:- www.10.12.x.x.com/x/x/x.jsp
My client requirement is to load balance the each instance on each physical server.
Main problem is client traffic is coming through proxy server, so all request to VIP is coming from a single IP address.
Whenever a user accesses a URL it will open the page, but after entering the username/password it gives a 404 error; direct access to the rserver with port is working fine. I believe the error is because of a session persistence issue.
I have tried many options but still i am getting the same error.
Successful,
option1:- using source and destination sticky but the issue is load balancing is not happening between instances.
Failure,
Option1:- sticky with static cookie
Option2:- header insert
I have attached the diagram and config for the reference.
QUICK HELP TO RESOLVE THE ISSUE WILL BE MUCH APPRECIATED
Regards,
Naren
Hi Paul,
Thanks for your reply, i tried with dynamic cookie JSESSIONID, all my traffic are going to single real server its load balanced within serverfarm.
for example i have open 10 from my machine and from different machine, all traffic are going to single real server.
MAIN THING:- i am accessing the java url directly its going proxy server.
example java url :- TEST123.com/game.jsp
my ip:- 10.1.1.1 ------> proxy server mapped ip :- 20.1.1.1 ----------> ACE VIP for java url :- 10.23.16.115(TEST123.com/game.jsp).
my current config,
==============
action-list type modify http TANcS-HTTP
header insert both HTTP header-value "%ps:%pd"
class-map type http loadbalance match-any TANcS-LAYER7CMAP
10 match http url /.*.
sticky http-cookie ACE-COOKIE TANcS-STICKY
cookie insert
timeout 15
replicate sticky
serverfarm TANCS-CORE-PRIMARY-SWN backup TANCS-CORE-SECONDARY-PRL
sticky
parameter-map type http BANcS
persistence-rebalance strict
header modify per-request
rserver host AAA-IN-PR
ip address 10.21.16.47
inservice
rserver host AAA-IN-SW
ip address 10.23.16.47
inservice
serverfarm host TANCS-CORE-PRIMARY-SWN
probe TANCS-CORE
rserver AAA-IN-SW 12111
inservice
rserver AAA-IN-SW 12112
inservice
serverfarm host TANCS-CORE-SECONDARY-PRL
probe TANCS-CORE
rserver AAA-IN-PR 12111
inservice
rserver AAA-IN-PR 12112
inservice
policy-map type loadbalance first-match BANCS-CORE-SERVER-SERVERFARM-L3&4SLB
class BANcS-LAYER7CMAP
sticky-serverfarm BANcS-STICKY
action BANcS-HTTP
insert-http BANCS header-value "%is:%ps"
policy-map multi-match VIP-TANCS-CORE-SERVER
class TANCS-CORE-SERVER-SWN
loadbalance vip inservice
loadbalance policy TANCS-CORE-SERVER-SERVERFARM-L3&4SLT
loadbalance vip icmp-reply active
nat dynamic 23 vlan 241
appl-parameter http advanced-options TANcS
Regards,
Naren -
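A model of the sticky behaviour discussed in the post above, added here and not part of the thread or of the ACE itself: when every client arrives from the proxy address, a source-IP sticky key pins all sessions to one instance, while a per-session cookie key spreads sessions and still keeps each one on a single instance. The round-robin choice for new keys, the session cookie values and the traffic are constructed assumptions.

```python
from collections import Counter
from itertools import cycle

# Primary serverfarm instances from the posted config (rserver, port).
PRIMARY_FARM = [("AAA-IN-SW", 12111), ("AAA-IN-SW", 12112)]
PROXY_IP = "20.1.1.1"  # the address the proxy presents, per the post


class StickyBalancer:
    """Round-robin for unseen sticky keys, table lookup for known ones."""

    def __init__(self, instances, key_field):
        self._rotation = cycle(instances)
        self._table = {}
        self._key_field = key_field  # "src_ip" or "cookie"

    def route(self, request):
        key = request[self._key_field]
        if key not in self._table:
            self._table[key] = next(self._rotation)
        return self._table[key]


def proxied_traffic(sessions, requests_each):
    """Constructed traffic: every browser session arrives from PROXY_IP.

    Simplification: the cookie value already identifies the session.
    """
    return [{"src_ip": PROXY_IP, "cookie": f"session-{s}"}
            for _ in range(requests_each) for s in range(sessions)]


def distribution(key_field, requests):
    """Requests per instance under the given sticky key."""
    balancer = StickyBalancer(PRIMARY_FARM, key_field)
    return Counter(balancer.route(r) for r in requests)


def split_sessions(key_field, requests):
    """Sessions whose requests landed on more than one instance."""
    balancer = StickyBalancer(PRIMARY_FARM, key_field)
    seen = {}
    for r in requests:
        seen.setdefault(r["cookie"], set()).add(balancer.route(r))
    return sorted(s for s, hit in seen.items() if len(hit) > 1)
```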
Sharepoint foundation 2010 external https access problems
I have a very strange problem with my sharepoint foundation 2010 site.
I have a site which is accessible from outside on https (we have a valid certificate). I configured IIS for http and https.
Also I configured internal and external access for this site on sharepoint.
But sometimes, the site is not accessible from outside on https with (externe.site.fr), BUT it will be accessible with public ip !!!
And also accessible from inside. (with interne.intranet.site.fr)
Any Idea ?
thanks
Hi,
According to your post, my understanding is that your site is not accessible from outside using external host name with https sometimes.
As your site can be accessible with public IP, however it can’t be accessible from outside using external host name with https sometimes, the issue could be caused by the gateway server in your environment.
I suggest that you need to check the gateway server configuration.
For more information, you can refer to:
http://community.bamboosolutions.com/blogs/sharepoint-2013/archive/2012/12/05/how-to-set-up-microsoft-forefront-unified-access-gateway-environment-for-sharepoint-2013.aspx
http://nhutcmos.wordpress.com/2013/07/26/configure-ssl-certificate-for-sharepoint-external-https-access/
http://sharepointdotnetwiki.iblogger.org/2009/12/dns-setup-in-sharepoint/
http://underthehood.ironworks.com/2010/06/making-a-sharepoint-2010-site-externally-available-alternate-access-mappings-host-header-bindings.html
Best Regards,
Yumi Fu