ACE load balancing based on URL
I am trying to send traffic to one server or another based on the URL. I want traffic to foo.com/selfserv to direct to server A and traffic to foo.com/webui to direct to server B. I found URL inspection etc but I am not sure how to apply it the scenario as I do not want the ACE to inspect all inbound HTTP requests.
The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string. To configure a class map to make Layer 7 SLB decisions based on the URL name and, optionally, the HTTP method, use the match http url command in class-map HTTP load balance configuration mode.
The ACE performs regular expression matching against the received packet data from a particular connection based on the RTSP URL string. You can configure a class map to make Layer 7 SLB decisions based on the URL name and optionally, the RTSP method, by using the match rtsp url command in class-map RTSP load balance configuration mode.
Configuring Traffic Policies for Server Load Balancing:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html
Similar Messages
-
Need help with ACE Load Balancing Base on URL pattern
This is the first time for me trying to configure something like this on the ACE load balancer. I need help configuring a load balancing policy base on URL pattern. URL https://ineedhelp.com base on /willuhelpme and /imlost
Key: ineedhelp_key
cert: ineedhelp_cert
serverfarmA
serverA 10.1.1.1 443
serverfarmB
serverB 10.1.1.2 443
ineedhelp.com/willuhelpme-------serverfarmA
ineedhelp.ocm/imlost---------------serverfarmBThis is the first time for me trying to configure something like this on the ACE load balancer. I need help configuring a load balancing policy base on URL pattern. URL https://ineedhelp.com base on /willuhelpme and /imlost
Key: ineedhelp_key
cert: ineedhelp_cert
serverfarmA
serverA 10.1.1.1 443
serverfarmB
serverB 10.1.1.2 443
ineedhelp.com/willuhelpme-------serverfarmA
ineedhelp.ocm/imlost---------------serverfarmB -
ACE load balance based on Source IP Address
Hi Cisco Support,
I have question related to Cisco ACE behavior in term to taking a decision based on source address
I currently have two servers sits behind ACE part of one server farm, these servers are load balanced via one VIP on ACE module and every things looks fine.
Now service owners want to replace these old servers with new hardware hence before the migration we need to make sure these new servers are working as required standard hence need to create a testing scenario for new servers along with old server. The problem is that number of third party partners are accessing existing servers by hitting VIP on ace and we can't engage all our partner to participate in this test therefore decided to engage only one partner to carry our test with us.
For that reason can we some how configure the ACE so when packet arrive on ACE from one test partner mentioned above, ACE send only that partner's traffic based on it's source address (define via class/policy map on ACE if possible) towards new servers in the existing server farm and not to the old server in the same server farm.
Thanks for your supportHi,
Just to put some config sample that might help you to get this done.
First create the new rservers and include them under a new serverfarm (New-APP)/
serverfarm host Webfarm
rserver SVR1
inservice
rserver SVR2
inservice
serverfarm host New-APP
rserver New-1
inservice
rserver New-2
inservice
- Same VIP already working.
class-map match-all VIP-HTTP
2 match virtual-address 10.10.10.10 tcp eq www
- Create a new class that will include your partner's IP(s).
class-map type http loadbalance match-any 3rd-Party
2 match source-address 200.200.200.1 255.255.255.255
3 match source-address 200.200.200.10 255.255.255.255
Modify your current first-match policy to put the new class on top so that all the traffic matched by the statement above (IP) will be redirected to the new farm with the new APP, any other traffic that does not match the "rule" will be sent to the old serverfam with the old app.
policy-map type loadbalance first-match L7-SLB
class 3rd-Party
serverfarm New-APP
class class-default
serverfarm Webfarm
Since you already have LB working then this is it, nothing needs to be added under the multi-match policy nor interface.
HTH
Pablo -
ACE load balancing and testing using soapUI
Hey, I am trying to crowd source a solution for this problem.
A client is testing using soapUI to an application that is being load balanced via ACE. There are two webservers behind the VIP servicing the client request. When client tests, requests are timing out per the soapUI log. A packet capture was taken and it clearly shows that ACE is not forwarding the HTTP data back to the client. When client tests by bypassing the ACE load balancer, it works fine. But, there are other clients from other applications that are making successful connection to the load balanced application via the VIP.
Question, is there any thing unique with making HTTP/XML based requests using soapUI? LB configuration is shown below:
class-map match-all EAI_PWS_9083
2 match virtual-address 10.5.68.29 tcp eq 9083
serverfarm host EAI_PWS_9083
description WebSphere Porduction
failaction purge
probe tcp9083
rserver ESSWSPAPP01 9083
inservice
rserver ESSWSPAPP02 9083
inservice
policy-map type loadbalance first-match L7_POLICY_EAI_PWS_9083
class class-default
serverfarm EAI_PWS_9083
policy-map multi-match L4SLBPOLICY
class EAI_PWS_9083
loadbalance vip inservice
loadbalance policy L7_POLICY_EAI_PWS_9083
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAM
parameter-map type http CASE_PARAM
case-insensitiveHi,
Your configuration looks fine. I am not familiar with soapUI but if it is like a normal TCP connection followed by HTTP requests, i don't see why this shouldn't work.
Do you know if there is a difference while using soapUI and normal request using browser?
Regards,
Kanwal -
ACE30 Load balancing based on IP and using x-forward-for header
Hi Guys,
We currently have a load balancing policy setup to direct traffic to say FARM-A based on a particular range of source (client) IP addresses, and the default FARM-B for all the other traffic.
We are now looking to introduce a web application firewall (WAF) before the ACE. The WAF will be inserting the client IP address into the x-forward-for http header. Now I was wondering how best can be achieve the load balancing based on source IP given that we'll have to parse the HTTP header for this x-forward-for field? Are there any examples that anyone can point me to?
let me know if you have any questions.
thanks
SheldonHi Sheldon,
You might try creating a class map that matches on the XFF header. Then use that as the L7 load balance criteria (based on the hash value of the XFF header), using the predictor hash header.
-Alex -
Is it possible to use UCS Blade Servers in ACE Load Balancing
Hi all ,
Is it possible to use UCS Blade Servers in ACE Load Balancing ?? Please note that UCS Blade Servers are not connected directly to 6500 Switch where ACE Module installed .i am expecting a good suggestion from whether ACE or Switching Expert
Thanks in advance
SanjeeviThere is nothing that would prevent you from loadbalancing the applications that run on UCS servers. ACE can loadbalance applications that are directly L2 attached (bridged or routed mode) or even servers that are multiple hops L3 hops away using one-armed mode with source nat. The key to this is that the return traffic from the server needs to make it back to the ACE.
-
With Ajay Kumar and Telmo Pereira
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco expert Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module: Helps ensure business continuity by increasing application availability Improves business productivity by accelerating application and server performance Reduces data center power, space, and cooling needs through a virtualized architecture Helps lower operational costs associated with application provisioning and scaling
Ajay Kumar is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications.
Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP
Remember to use the rating system to let Ajay know if you have received an adequate response.
Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.Hello Krzysztof,
Another set of good/interesting questions posted. Thanks!
I will try to clarify your doubts.
In the output below both resources (proxy-connections and ssl-connections rate) are configured with a min percentage of resources (column Min), while 'Max' is set to equal to the min.
ACE/Context# show resource usage
Allocation
Resource Current Peak Min Max Denied
-- outputs omitted for brevity --
proxy-connections 0 16358 16358 16358 17872
ssl-connections rate 0 626 626 626 23204
Most columns are self explanatory, 'Current' is current usage, 'Peak' is the maximum value reached, and the most important counter to monitor 'Denied' represents the amount of packets denied/dropped due to exceeding the configured limits.
On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource.
For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
This might sound a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, specially if you have business critical contexts.
We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE should in theory silently drop (No RST is sent back to the client). So unless we changed something on the code, this is what you should see.
To give more context, seeing resets with SSL connections is not necessarily synonym of drops. As it is usual to see them during normal transactions.
For instance Microsoft servers are usually ungracefully terminating SSL connections with RESET. Also when there is renegotiation during an SSL transaction you may see RESETS, but this will pass unnoticed for end users.
2) ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Exisiting connections will continue there.
As ACE doesn't respond back, client would simply retransmit, and if he is lucky maybe in the next attempt he will be able to establish the connection.
To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
3) If a new connection comes in with a sticky value, that matches the sticky entry of a real server, which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
I hope this makes things clearer! Uff...
Regards,
Telmo -
Ace load balancing, inservice/no inservice serverfarms
I've started working with an ACE load balancer and came across something that just didn't add up to me. I can pull and put servers in and out of rotation without a problem however when working with a serverfarm or a group of servers I have to pull each one individually and can't find a way to remove say the entire serverfarm via one command. Does anyone know of a way to put a serverfarm 'inservice' or set it to 'no inservice' that would make it easier for large groups of servers needing to be adjusted.
Sorry if this isn't the write forum for this kind of question. Please feel free to move it if needed.Hello Chris,
There is no toggle to set every rserver under a serverfarm out of service. You can only take a single rserver out of service at a global level, or under a serverfarm inividually.
One thing to think about - bringing down all of the servers would be the same as removing the serverfarm from under the policy map type loadbalance since it would effectively bring the vip down.
Regards,
Chris Higgins -
Can the ACE load balance SMB?
Server 1 DNS is msserver1
Server 2 DNS is msserver2
VIP DNS is msserver
Can the ACE replace the server name (or IP address) in a tree connect query with the actual real server name that is chosen for the request?Hi , If I understood you correctly and you're looking for intelligent way to loadbalance NetBios/Samba - I'm afraid there is no such functionality on ACE, we can only do simple L4 loadbalancing for such sessions and can't change anything.
-
Is it possible to load balance incoming requests based on client's operating system on ACE?
For example, we have different web pages specifically for Blackberry or iPhones.
Instead of having multiple URL's & VIP's, we'd like to have a single VIP, but load balance traffic to different serverfarms based on client's OS.You can loadbalance based on User-Agent header, first you need to quantify what Iphone and blackberry use for user-agent for instance from a regular browser you might see:
User-AgentT=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
from an iphone you will typically see:
User-Agent=Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en)
AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1C25 Safari/419.3
you can go to http://www.user-agents.org to find out what strings are used
That being the case you can make classes on the header to match for loadbalancing decisions:
class-map type http loadbalance match-any mobile
2 match http header User-Agent header-value .*iphone
4 match http header Uswer-Agent header-value .*blackberry
then in LB policy say we want to go to farmA for mobile and farmB for pc's
policy-map type loadbalance first-match L7POLICY
class mobile
serverfarm farmA
class class-default
serverfarm farmB
see:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html#wp1021388 -
ACE load-balancing-Cookie problem
In our other load-balancing environments the load-balancer-cookie contains the encrypted (real) servername or ip-address.
We think it's the same on the cisco, for that reason it's in theory not possible, that there are two 'green'-cookies with different values in the same request.
There are only two possibilities how this could happen:
a) The healthmonitor (http_probe) fails, the loadbalancer 'thinks' that the realserver is down and redistributes the traffic.
But in that case we would expect, that the old cookie will be overwritten by the new one and not simply added to the http-header.
b) The predictor in the serverfarm chooses a new realserver within the same request.
If that is really the cause of that problem this would be bug in the cisco ace.
What we found out, is that the loadbalancer performs a 'Set-Cookie'-Operation an every request even if the client submits the cookie correctly.
For example:
GET /ips-opdata/scripts/jquery.js HTTP/1.1
Host: www.xxxxx.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.xxxxx.com/
Cookie: green=R339366665; JSESSIONID=28D91FC6FD62A3921354BB36826294C4
HTTP/1.1 200 OK
Set-Cookie: green=R339366665; path=/; expires=Tue, 29-Mar-2011 06:33:00 GMT
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
ETag: W/"72181-1298537508000"
Last-Modified: Thu, 24 Feb 2011 08:51:48 GMT
Content-Type: text/javascript
Content-Length: 72181
Date: Mon, 28 Mar 2011 06:15:19 GMT
As you can see the cookies: green=R339366665 is transmitted from the client, but the loadbalancer does a Set-Cookie Operation of the same cookie once again. This is an unexpected behaviour.
We hope that this helps you to figure out the reason of the problem.The cookie is sent by the ACE on each response to refresh the timeout value on the client. The value of the cookie doesn't change. This is the expected behaviour and shouldn't break anything in the application / browser.
For browser-based applications, don't forget to add the "browser-expire" parameter to your cookie-based stickyness config. -
Load Balancing on a URL with parameters in it.
Hi,
We have two main Server Farms. I have been asked to load balance to each farm based on the url. The problem:
The url looks like this
https://www.domain.com/test/ci/?par1=Default&par2=main&userRole=userrole&mcId=companyname&par4=somethingelse
The bit of the url for the decision making is "mcId", but as I understand it, I cannot use a "?" in the url text string on the CSS. So, how do i do it ?
Many thanks
WayneWayne,
the documentation is actually incorrect.
The '?' does not prevent the advanced-balance url feature to work.
It just changes where the CSS starts looking for the string.
Check this url for a sample config.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080409807.html#wp1115519
Regards,
Gilles. -
Hi all,
I´m configuring 2 ACE 4710 in failover, and I also need to balance 2 webservers at the momment. I have all of the IP address in the same subnet, is that a problem?
Server 1 192.168.1.1
Server 2 192.168.1.2
VIP 192.168.1.3
I have a VLAN for administration, and I have a VLAN for the client connection.
But when I try to connect to the VIP, It doesn't show the web page, but if I connect to the servers page directly they are working ok..
Does anybody know what can i check, or if there is any manual that really shows how to configure this type of connections.
Thanks..Hello,
From your description, it sounds like you might have a one-armed configuration for load balancing. If your management VLAN interface is only used for management, and you only have the client VLAN interface for load balancing, then this would be a one-armed config. If this is indeed the case, then you would need to use either Policy-Based Routing to route the server response traffic back to the ACE rather than directly back to the client. Or, the more common solution is to configure source NAT as shown below:
access-list ANYONE line 10 extended permit tcp any any
rserver host SERVER_01
ip address 192.168.1.1
inservice
rserver host SERVER_02
ip address 192.168.1.2
inservice
serverfarm host REAL_SERVERS
rserver SERVER_01
inservice
rserver SERVER_02
inservice
class-map match-all VIP-3
2 match virtual-address 192.168.1.3 any
class-map type management match-any REMOTE_ACCESS
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match SLB_LOGIC
class class-default
serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
class VIP-3
loadbalance vip inservice
loadbalance policy SLB_LOGIC
loadbalance icmp-reply active
nat dynamic 1 vlan 20
interface vlan 10
description MANAGEMENT VLAN
ip address 172.16.51.11 255.255.255.0
access-group input ANYONE
service-policy input REMOTE_MGT
no shutdown
interface vlan 20
description CLIENT VLAN
ip address 192.168.1.10 255.255.255.0
service-policy input CLIENT_VIPS
nat-pool 1 192.168.1.100 192.168.1.100 netmask 255.255.255.0 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.254
Hope this helps,
Sean -
ACE Load balancing with different source IP
Dear All ,
I am very much new to ACE . We are deploying it on our enterprise infrastructure (10.x.x.x/8) . I have a setup like this, we have 5 Proxy server which is supporting for our enteprise internet needs . Load balancing to this 5 blue coat proxy server is done via ACE module .
My customer is having special requirement based on specfic source subnet , ACE need to redirect the that specific source subnet to a particular proxy server . Is this possible in ACE ?? or we need to have separate Virtual server group for that specific source subnet range . kindly correct me if am worng on my understanding .
Thanks
Santhoshkumar SaravananHi Saravanan,
Please refer the following link :
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_2_0/configuration/slb/guide/sticky.pdf
Look at section :
IP Address Stickiness Configuration Quick Start
For example :
8. (Optional) Configure static IP address sticky entries up to a maximum of
65535 static entries per context.
host1/Admin(config-sticky-ip)# static client source 192.168.12.15
destination 172.16.27.3 rserver SERVER1 2000
The above may fulfill your requirement.
regards,
Ajay Kumar -
Cisco ace Load balancer not maintaining session persistence
Hi All,
We have observed from the IIS logs on the internal webservers that loadbalancer is not maintaining session persistence for two specific request for the internal servers.
https://123.xyz.com/Webresource.axd
https://123.xyz.com/ScriptResource.axd
Error
Webresource.axd : 500
Scriptresource.axd: 404
Session persistence is maintained for all other requests hitting loadbalancer.
Issue is observerd on hits for these two specified components. WebResource.axd and ScriptResource.axd are Http Handlers used by ASP.NET and Ajax to add client-side scripting to the outgoing web page.
For e.g /WebResource.axd d=t2GXfySdqWmJ-lZSI0KVbw2&t=634868473645172160 is valid for server 1 and return 200 response but the same request is seen on few other servers where the response is 404 even though load balancer cookie is same. This means that if the request for the both the axd contains a valid decrypter and it connects to the right server then the response seen is 200.
The url passed by the user contains d and t parameters when are unique for each user session.
Solution tried:
Accessed website via another VIP without http redirect rule but could not see difference.
Tried to match machine key across all servers : Failed . Could see the ‘d’ value different for each server.
Load balancer VIP :
x.x.x.x
redirect: http > https
SSL Offload : ON
Poool:
WEB1
WEB2
WEB3
WEB4
WEB5
All servers listening on port 80
sticky config:
sticky ihttp-cookie cookie1 vip-1.1.1.1-80-stickyfarm
cookie insert browser-expire
replicate sticky
serverfarm vip-1.1.1.1_80
sticky http-cookie cookie1 vip-farm:1.1.1.1:443
cookie insert browser-expire
replicate sticky
serverfarm farm:1.1.1.1:443
Has anyone else come across similar issue?
Can you plese check if there is any config on cisco ace that will ensure that session persistence is maintained for these 2 requests.
Thank you for all the help.
regards,
SangramHello Sangram,
We would need simultanous packet traces before and after the ACE to get to the root cause of this issue so I would recommend that you open a cisco tac case for more in depth troubleshooing of this issue.
Joel Lamousnery
CCIE R&S - 36768
Engineer, Customer Support
Technical Services
Maybe you are looking for
-
How to use Linux Print queue in client_text_io.fopen to print from Windows
We have a forms application deploed on LINUX (Oracle application server 10g). I have to print a file from local windows PC to a linux Print Queue from forms I have the following code PROCEDURE file_to_printer (i_filename_output IN VARCHAR2 ,i_network
-
I can't successfully migrate an account from my backup disk.
My mac's hard disk broke down. Therefore, I went to the apple store and they gave me a new hard disk. Then, I went home and tried to migrate all of my previous account's data onto my new hard disk using migration assistant.. One account succeeded, bu
-
A new tab doesn't open when I hit the Open New Tab button
When I click on a new tab, nothing happens. Also when I go to File and click on New Tab, nothing happens.
-
PL/SQL: numeric or value error: character to number conversion error in TRG
Hi, I've got strange issue with one trigger which during update of table reports (DB is 9.2.0.8): ORA-06502: PL/SQL: numeric or value error: character to number conversion error ORA-06512: at "UDR_LOG", line 345 ORA-04088: error during execution of t
-
Execution date in Excel export from a query
Dear all, I am wondering if it is possible to have the query execution date in an exported excel. Case: When working in a query it should be possible to export the query to excel. However I am missing the execution date of the query and the last succ