ACE - Load Balance insert cookie method for https

Similar Messages

• CSS Load Balancing with Cookies

  We are trying to load balance 2 backend servers hosted on Websphere with advance balance cookies method.
  Restrictions
  ServerA is unable to accept cookies generated from ServerB.
  ServerA and ServerB are generating random cookies
  Unable to modify cookie string with a constant.
  How can we load balance based on cookies considering the above restrictions?
  We have attempted to do hash based load balancing with cookies but the problem we run into is the servers do not accept cookies generated from another server.
  The configuration we tried is written below:
  service ServerA
  ip address 192.168.10.2
  keepalive type tcp
  keepalive port 80
  active
  service ServerB
  ip address 192.168.20.2
  keepalive type tcp
  keepalive port 80
  active
  content ABC
  url "/*"
  add service ServerA
  string prefix "JSESSIONID="
  advanced-balance cookies
  port 80
  add service ServerB
  string skip-length 5
  string process-length 16
  string operation hash-xor
  protocol tcp
  vip address 172.16.32.1
  active
  Can we change the string prefix to JSESSION instead of JSESSIONID= ?
  The only place the app guys can add a constant string to match on is before the = sign.
  Is it possible for CSS to match on a constant string before = sign e.g below:
  service ServerA
  ip address 192.168.10.2
  keepalive type tcp
  keepalive port 80
  string id567=
  active
  service ServerB
  ip address 192.168.20.2
  keepalive type tcp
  keepalive port 80
  string id123=
  active
  content ABC
  url "/*"
  add service ServerA
  string prefix "JSESSION"
  advanced-balance cookies
  port 80
  add service ServerB
  string skip-length 0
  string process-length 6
  protocol tcp
  vip address 172.16.32.1
  active

  It should work.
  There is no reason for it not to work...
  This is the best method you can have on the CSS for stickyness.
  Get a sniffer trace on the client and server with arrowpoint cookie configured on the CSS and capture a failure so we can see what is going on.
  also send me the config so I can verify everything is ok.
  If you have a service request open with the TAC, you can also give the SR # so I can review what has been done.
  Gilles.

• Ask the Expert: Configuration and Troubleshooting the Cisco Application Control Engine (ACE) load balancer

  With Ajay Kumar and Telmo Pereira 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco expert Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module: Helps ensure business continuity by increasing application availability Improves business productivity by accelerating application and server performance Reduces data center power, space, and cooling needs through a virtualized architecture Helps lower operational costs associated with application provisioning and scaling
  Ajay Kumar  is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications. 
  Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP
  Remember to use the rating system to let Ajay know if you have received an adequate response.
  Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
  This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hello Krzysztof,
  Another set of good/interesting questions posted. Thanks! 
  I will try to clarify your doubts.
  In the output below both resources (proxy-connections and ssl-connections rate) are configured with a min percentage of resources (column Min), while 'Max' is set to equal to the min.
  ACE/Context# show resource usage
                                                       Allocation
          Resource         Current       Peak        Min        Max       Denied
  -- outputs omitted for brevity --
    proxy-connections             0      16358      16358      16358      17872
    ssl-connections rate          0        626        626        626      23204
  Most columns are self explanatory, 'Current' is current usage, 'Peak' is the maximum value reached, and the most important counter to monitor 'Denied' represents the amount of packets denied/dropped due to exceeding the configured limits.
  On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
  So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
  ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource. 
  For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
  If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
  This might sound a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, specially if you have business critical contexts.
  We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
  1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE  should in theory silently drop (No RST is sent back to the client). So unless we changed something on the code, this is what you should see.
  To give more context, seeing resets with SSL connections is not necessarily synonym of drops. As it is usual to see them during normal transactions.
  For instance Microsoft servers are usually ungracefully terminating SSL connections with RESET. Also when there is renegotiation during an SSL transaction you may see RESETS, but this will pass unnoticed for end users. 
  2)  ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Exisiting connections will continue there.
  As ACE doesn't respond back, client would simply retransmit, and if he is lucky maybe in the next attempt he will be able to establish the connection.
  To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
  As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
  3)  If a new connection comes in with a sticky value, that matches the sticky entry of a real server, which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
  The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
  I hope this makes things clearer! Uff...
  Regards,
  Telmo

• ACE load balancing and testing using soapUI

  Hey, I am trying to crowd source a solution for this problem.
  A client is testing using soapUI to an application that is being load balanced via ACE. There are two webservers behind the VIP servicing the client request. When client tests, requests are timing out per the soapUI log. A packet capture was taken and it clearly shows that ACE is not forwarding the HTTP data back to the client. When client tests by bypassing the ACE load balancer, it works fine. But, there are other clients from other applications that are making successful connection to the load balanced application via the VIP.
  Question, is there any thing unique with making HTTP/XML based requests using soapUI? LB configuration is shown below:
  class-map match-all EAI_PWS_9083
    2 match virtual-address 10.5.68.29 tcp eq 9083
  serverfarm host EAI_PWS_9083
    description WebSphere Porduction
    failaction purge
    probe tcp9083
    rserver ESSWSPAPP01 9083
      inservice
    rserver ESSWSPAPP02 9083
      inservice
  policy-map type loadbalance first-match L7_POLICY_EAI_PWS_9083
    class class-default
      serverfarm EAI_PWS_9083
  policy-map multi-match L4SLBPOLICY
  class EAI_PWS_9083
      loadbalance vip inservice
      loadbalance policy L7_POLICY_EAI_PWS_9083
      loadbalance vip icmp-reply active
      appl-parameter http advanced-options CASE_PARAM
  parameter-map type http CASE_PARAM
    case-insensitive

  Hi,
  Your configuration looks fine. I am not familiar with soapUI but if it is like a normal TCP connection followed by HTTP requests, i don't see why this shouldn't work.
  Do you know if there is a difference while using soapUI and normal request using browser?
  Regards,
  Kanwal

• Need help with ACE Load Balancing Base on URL pattern

  This is the first time for me trying to configure something like this on the ACE load balancer.  I need help configuring a load balancing policy base on URL pattern.  URL https://ineedhelp.com base on /willuhelpme and /imlost
  Key: ineedhelp_key
  cert:  ineedhelp_cert
  serverfarmA
  serverA 10.1.1.1 443
  serverfarmB
  serverB 10.1.1.2 443
  ineedhelp.com/willuhelpme-------serverfarmA
  ineedhelp.ocm/imlost---------------serverfarmB

  This is the first time for me trying to configure something like this on the ACE load balancer.  I need help configuring a load balancing policy base on URL pattern.  URL https://ineedhelp.com base on /willuhelpme and /imlost
  Key: ineedhelp_key
  cert:  ineedhelp_cert
  serverfarmA
  serverA 10.1.1.1 443
  serverfarmB
  serverB 10.1.1.2 443
  ineedhelp.com/willuhelpme-------serverfarmA
  ineedhelp.ocm/imlost---------------serverfarmB

• Ace load balancing, inservice/no inservice serverfarms

  I've started working with an ACE load balancer and came across  something that just didn't add up to me. I can pull and put servers in  and out of rotation without a problem however when working with a  serverfarm or a group of servers I have to pull each one individually  and can't find a way to remove say the entire serverfarm via one  command. Does anyone know of a way to put a serverfarm 'inservice' or  set it to 'no inservice' that would make it easier for large groups of  servers needing to be adjusted.
  Sorry if this isn't the write forum for this kind of question. Please feel free to move it if needed.

  Hello Chris,
    There is no toggle to set every rserver under a serverfarm out of service.  You can only take a single rserver out of service at a global level, or under a serverfarm inividually.
    One thing to think about  - bringing down all of the servers would be the same as removing the serverfarm from under the policy map type loadbalance since it would effectively bring the vip down.
  Regards,
  Chris Higgins

• CSS 11501 Load Balancing with X-forwarded-for

  Hi,
  We have a pair of CSS 11501,
  Currently it is using source ip for load balancing and 5 servers as backend , however we have users loggin in using http and based on its source IP (ISP PROXY) , it is forwarded to SERVER A.
  However, we have a SSL page and when the client switches over to SSL , it is forwarded to SERVER B/C/D/E  based on its source IP ( REAL CLIENT IP) .
  This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
  Is there any way that we can use the X-Forwarded-For address to load balance so that when users loging , they are sent to SERVER A (Based on X-Forwarded-For Header IP which translate to REAL CLIENT IP).
  This way we are able to also send it back to the same server when it uses SSL.
  I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP
  Regards

  Hi,
  Unfortunately CSS does not support X-Forwarded-For, and even if CSS supports that, this wont work if you are not using SSL termination.
  One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
  In summary, you will have an SSL content rule that will decrypt the traffic, and this one will use the same content rule that already exist for HTTP, in case that the server is the one doing the redirect to SSL, but this is something that requires testing since depending on the redirect behavior we might have a redirect loop, but without details it is kind of hard to confirm that you will face this with this option.
  Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
    content HTTP-HTTPS
      vip address 10.198.44.70
      advanced-balance sticky-srcip
      add service server1
      add service server2
      add service server3
      add service server4
      add service server5
      protocol tcp
      active
  Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
  Thanks,
  Rodrigo

• Cookie persistence for HTTP traffic

  hello,
  i have the following situation: on an 11506, clients connects to VIP on port 80, this VIP maps to port 7777 on 2 services. The objective is to configure cookie persistence for http. The cookie persistence should be for URI /thestring/
  I have used
  advanced-balance cookies
  string prefix "/thestring/"
  in the content rule and it did not work.
  Does this have anything to do with the port changing from 80 to 7777, or am i missing something for cookie persistence?
  Regards
  Bassam

  thx for you reply; still it sometimes work and sometimes dont
  my service config:
  service ebizsso1
  keepalive frequency 3
  keepalive port 7777
  ip address 10.10.230.82
  port 7777
  protocol tcp
  string /oiddas/
  active
  my content rule
  content ebizsso-servers
  add service ebizsso1
  vip address 10.10.231.9
  protocol tcp
  port 80
  advanced-balance cookieurl
  string prefix "/oiddas/"
  active
  is this is the required?
  thank you
  bassam

• ACE - Load Balance SMB?

  Can the ACE load balance SMB?
  Server 1 DNS is msserver1
  Server 2 DNS is msserver2
  VIP DNS is msserver
  Can the ACE replace the server name (or IP address) in a tree connect query with the actual real server name that is chosen for the request?                  

  Hi , If I understood you correctly and you're looking for intelligent way to loadbalance NetBios/Samba - I'm afraid there is no such functionality on ACE, we can only do simple L4 loadbalancing for such sessions and can't change anything.

• Is it possible to use UCS Blade Servers in ACE Load Balancing

  Hi all ,
  Is it possible to use UCS Blade Servers in ACE Load Balancing ?? Please note that UCS Blade Servers are not connected directly to 6500 Switch where ACE Module installed .i am expecting a good suggestion from whether ACE or Switching Expert
  Thanks in advance
  Sanjeevi

  There is nothing that would prevent you from loadbalancing the applications that run on UCS servers.  ACE can loadbalance applications that are directly L2 attached (bridged or routed mode) or even servers that are multiple hops L3 hops away using one-armed mode with source nat.  The key to this is that the return traffic from the server needs to make it back to the ACE.

• ACE Load Balancing Configuration For NATed User Traffic

  Hello,
  I am currently working on a requirement where the shared application services will be hosted in DC and these services will be accessed by multiple (thousands) users from different corporates/customers. The user traffic will be hidden behind customer's proxy servers or firewalls so the load balancer (ACE modules) services hosted in DC will not be able to see requests coming in from induvidual users IP addresses.
  In this scenario what are options of load balancing are available in Lyer3/4 and Layer7 ?
  Thanks in advance for your help.
  Sanjay

  Hi Sanjay,
  In a set up where all users are coming from behind a proxy, all users will be loadbalanced to same server thus overloading it. This is when you are doing standard L3/L4 LB.
  In the situation of proxies, for HTTP applications you shall use L7 LB and use information(cookie) in HTTP client request or server response. The ace will use this information to stick the user to same server for persistence. If a client comes with no cookie it will be loadbalanced according to the predictor method configured. Below is the link for L7 configuration example and other TS steps you can take while configuring L7 policies on ACE. For more informatin i would suggest reading ACE user guide too.
  http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_-_Troubleshooting_Layer_7_Load_Balancing
  If you have any questions please feel free to ask.
  Regards,
  Kanwal

• ACE load-balancing-Cookie problem

  In our other load-balancing environments the load-balancer-cookie contains the encrypted (real) servername or ip-address.
  We think it's the same on the cisco, for that reason it's in theory not possible, that there are two 'green'-cookies with different values in the same request.
  There are only two possibilities how this could happen:
  a) The healthmonitor (http_probe) fails, the loadbalancer 'thinks' that the realserver is down and redistributes the traffic.
  But in that case we would expect, that the old cookie will be overwritten by the new one and not simply added to the http-header.
  b) The predictor in the serverfarm chooses a new realserver within the same request.
  If that is really the cause of that problem this would be bug in the cisco ace.
  What we found out, is that the loadbalancer performs a 'Set-Cookie'-Operation an every request even if the client submits the cookie correctly.
  For example:
  GET /ips-opdata/scripts/jquery.js HTTP/1.1
  Host: www.xxxxx.com
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
  Accept: */*
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 115
  Connection: keep-alive
  Referer: http://www.xxxxx.com/
  Cookie: green=R339366665; JSESSIONID=28D91FC6FD62A3921354BB36826294C4
  HTTP/1.1 200 OK
  Set-Cookie: green=R339366665; path=/; expires=Tue, 29-Mar-2011 06:33:00 GMT
  Server: Apache-Coyote/1.1
  X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
  ETag: W/"72181-1298537508000"
  Last-Modified: Thu, 24 Feb 2011 08:51:48 GMT
  Content-Type: text/javascript
  Content-Length: 72181
  Date: Mon, 28 Mar 2011 06:15:19 GMT
  As you can see the cookies: green=R339366665 is transmitted from the client, but the loadbalancer does a Set-Cookie Operation of the same cookie once again. This is an unexpected behaviour.
  We hope that this helps you to figure out the reason of the problem.

  The cookie is sent by the ACE on each response to refresh the timeout value on the client. The value of the cookie doesn't change. This is the expected behaviour and shouldn't break anything in the application / browser.
  For browser-based applications, don't forget to add the "browser-expire" parameter to your cookie-based stickyness config.

• Cisco ace Load balancer not maintaining session persistence

  Hi All,
  We have observed from the IIS logs on the internal webservers that loadbalancer is not maintaining session persistence for two specific request for the internal servers.
  https://123.xyz.com/Webresource.axd
  https://123.xyz.com/ScriptResource.axd
  Error
  Webresource.axd : 500
  Scriptresource.axd: 404
  Session persistence is maintained for all other requests hitting loadbalancer.
  Issue is observerd on hits for these two specified components. WebResource.axd and ScriptResource.axd are Http Handlers used by ASP.NET and Ajax to add client-side scripting to the outgoing web page.
  For e.g /WebResource.axd d=t2GXfySdqWmJ-lZSI0KVbw2&t=634868473645172160 is valid for server 1 and return 200 response but the same request is seen on few other servers where the response is 404 even though load balancer cookie is same. This means that if the request for the both the axd contains a valid decrypter and it connects to the right server then the response seen is 200.
  The url passed by the user contains d and t parameters when are unique for each user session.
  Solution tried:
  Accessed website via another VIP without http redirect rule but could not see difference.
  Tried to match machine key across all servers : Failed . Could see the ‘d’ value different for each server.
  Load balancer VIP :
  x.x.x.x
  redirect: http > https
  SSL Offload : ON
  Poool:
  WEB1
  WEB2
  WEB3
  WEB4
  WEB5
  All servers listening on port 80
  sticky config:
  sticky ihttp-cookie cookie1 vip-1.1.1.1-80-stickyfarm
    cookie insert browser-expire
    replicate sticky
    serverfarm vip-1.1.1.1_80
  sticky http-cookie cookie1 vip-farm:1.1.1.1:443
    cookie insert browser-expire
    replicate sticky
    serverfarm farm:1.1.1.1:443
  Has anyone else come across similar issue?
  Can you plese check if there is any config on cisco ace that will ensure that session persistence is maintained for these 2 requests.
  Thank you for all the help.
  regards,
  Sangram

  Hello Sangram,
  We would need simultanous packet traces before and after the ACE to get to the root cause of this issue so I would recommend that you open a cisco tac case for more in depth troubleshooing of this issue.
  Joel Lamousnery
  CCIE R&S - 36768
  Engineer, Customer Support
  Technical Services

• Site behind load balancer - Key not valid for use in specified state

  Hi,
  I have created a sharepoint application page to access an active end point on ADFS and establish a fedauth session. All works well in single server. But when the page runs behind load balancer with 2 servers, it fails with key not valid for use in specified
  state exception. Stickiness is enabled on load balancer. verified that.
  I had made few changes to config file in microsoft.identitymodel section to accomodate adfs custom login. This included removing securitytokenhandlers and issuertokenresolvers as well. Is this impacting the encryption/decryption in anyway?
  Any pointers would help.
  Reference point for my application page : http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=76

  Hi,
  As I understand, you encountered the error “Key not valid for use in specified state” when ADFS custom login.
  In order to run in Windows Azure Web Sites a Web application which uses WIF for handling authentication, you must change the default cookie protection method (DPAPI, not available on Windows Azure Web Sites) to something that will work in a farmed environment
  and with the IIS’ user profile load turned off.
  1. If you are using the Identity and Access Tools for VS2012, just go to the Configuration tab and check the box “Enable Web farm ready cookies”.
  2. If you want to do things by hand, add the following code snippet in your system.identitymodel/identityConfiguration element:
     <securityTokenHandlers>
       <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, 
               System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler,
              System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
  There is a similar case:
  http://stackoverflow.com/questions/19323287/key-not-valid-for-use-in-specified-state-error-for-net-4-5-mvc-4-application
  Best regards,
  Sara Fan
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• ACE load balancing based on URL

  I am trying to send traffic to one server or another based on the URL. I want traffic to foo.com/selfserv to direct to server A and traffic to foo.com/webui to direct to server B. I found URL inspection etc but I am not sure how to apply it the scenario as I do not want the ACE to inspect all inbound HTTP requests.

  The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string. To configure a class map to make Layer 7 SLB decisions based on the URL name and, optionally, the HTTP method, use the match http url command in class-map HTTP load balance configuration mode.
  The ACE performs regular expression matching against the received packet data from a particular connection based on the RTSP URL string. You can configure a class map to make Layer 7 SLB decisions based on the URL name and optionally, the RTSP method, by using the match rtsp url command in class-map RTSP load balance configuration mode.
  Configuring Traffic Policies for Server Load Balancing:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html