ACE Load balancing FTP connections.
I have my ACE blade (running A1(4d) ) currently set-up to static nat to an FTP server.
I have tried setting up a sticky SLB VIP for FTP across this server and an additional box but firewall in front of the ACE throws the connections.
It appears that the servers are responding directly to the clients when in SLB and so the control connection has the wrong IP (real vs. VIP)
How do I set this up so that it works?
Here's the relevant config, IPs change to protect the innocent.
probe ftp FTP_DL
description FTP Probe
expect status 220 220
rserver host HTTPDL_01
ip address 10.2.200.21
inservice
rserver host HTTPDL_02
ip address 10.2.200.22
inservice
serverfarm host Download_FTP
probe FTP_DL
rserver HTTPDL_01
inservice
rserver HTTPDL_02
inservice
sticky ip-netmask 255.255.255.255 address both FTP_DL
timeout 10
replicate sticky
serverfarm Download_FTP
class-map match-any FTP_DL
3 match virtual-address A.A.A.A any
policy-map type loadbalance first-match FTP_DL
class class-default
sticky-serverfarm FTP_DL
policy-map multi-match FTP_Download
class FTP_DL
loadbalance vip inservice
loadbalance policy FTP_DL
interface vlan 200
description Back End Connection
ip address 10.2.200.2 255.255.255.0
alias 10.2.200.1 255.255.255.0
peer ip address 10.2.200.3 255.255.255.0
no normalization
service-policy input ICMP_ALLOW_POLICY
no shutdown
interface vlan 300
description ACE to Firewall
ip address 10.3.100.252 255.255.255.0
alias 10.3.100.254 255.255.255.0
peer ip address 10.3.100.253 255.255.255.0
no normalization
service-policy input FTP_Download
no shutdown
There is an active/passive cluster of firewalls in front of the ACE and all the VIPs are Public IPs from our class C range which are routed through from the firewalls.
The vlan300 interface on the ACE is in a transport VLAN with the back end FW interfaces. The vlan200 interface is on the same VLAN as the rservers.
If I change the Class map to
match virtual address A.A.A.A tcp eq ftp
I see the data connections being bounced on the inside interface on the firewall as they are not matched to the VIP.
Similar Messages
-
Is it possible to use UCS Blade Servers in ACE Load Balancing
Hi all ,
Is it possible to use UCS Blade Servers in ACE Load Balancing ?? Please note that UCS Blade Servers are not connected directly to 6500 Switch where ACE Module installed .i am expecting a good suggestion from whether ACE or Switching Expert
Thanks in advance
SanjeeviThere is nothing that would prevent you from loadbalancing the applications that run on UCS servers. ACE can loadbalance applications that are directly L2 attached (bridged or routed mode) or even servers that are multiple hops L3 hops away using one-armed mode with source nat. The key to this is that the return traffic from the server needs to make it back to the ACE.
-
With Ajay Kumar and Telmo Pereira
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco expert Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module: Helps ensure business continuity by increasing application availability Improves business productivity by accelerating application and server performance Reduces data center power, space, and cooling needs through a virtualized architecture Helps lower operational costs associated with application provisioning and scaling
Ajay Kumar is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications.
Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP
Remember to use the rating system to let Ajay know if you have received an adequate response.
Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.Hello Krzysztof,
Another set of good/interesting questions posted. Thanks!
I will try to clarify your doubts.
In the output below both resources (proxy-connections and ssl-connections rate) are configured with a min percentage of resources (column Min), while 'Max' is set to equal to the min.
ACE/Context# show resource usage
Allocation
Resource Current Peak Min Max Denied
-- outputs omitted for brevity --
proxy-connections 0 16358 16358 16358 17872
ssl-connections rate 0 626 626 626 23204
Most columns are self explanatory, 'Current' is current usage, 'Peak' is the maximum value reached, and the most important counter to monitor 'Denied' represents the amount of packets denied/dropped due to exceeding the configured limits.
On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource.
For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
This might sound a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, specially if you have business critical contexts.
We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE should in theory silently drop (No RST is sent back to the client). So unless we changed something on the code, this is what you should see.
To give more context, seeing resets with SSL connections is not necessarily synonym of drops. As it is usual to see them during normal transactions.
For instance Microsoft servers are usually ungracefully terminating SSL connections with RESET. Also when there is renegotiation during an SSL transaction you may see RESETS, but this will pass unnoticed for end users.
2) ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Exisiting connections will continue there.
As ACE doesn't respond back, client would simply retransmit, and if he is lucky maybe in the next attempt he will be able to establish the connection.
To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
3) If a new connection comes in with a sticky value, that matches the sticky entry of a real server, which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
I hope this makes things clearer! Uff...
Regards,
Telmo -
Load balancing FTP/HTTP on same VIP
Hi,
Please could someone confirm if it is possible to load balance FTP and HTTP on same VIP? Would something like this work in a one-armed design?
class-map match-any WCVS
2 match virtual-address 20.0.0.1 tcp eq www
4 match virtual-address 20.0.0.1 tcp eq ftp
policy-map multi-match int3
class WCVS
loadbalance vip inservice
loadbalance policy VS-l7slb
inspect ftp
nat dynamic 5 vlan 20
int vl20
service-policy input int3Hello,
I assume you want to ultimately use cookie sticky, since it is in your config, but not yet used. The '80' next to the rservers within the serverfarm will keep FTP from working because that will force the ACE to always use a destination port of 80 to the rservers, which is good for HTTP, but not so good for FTP. Below is your config with some modifications. I've created a new serverfarm for FTP, created a new probe for that farm, included HTTP cookie-sticky, and created a new L7 policy-map. There is one line that I would like you to remove and see if it works. If it does not, then add this line and see if it works.
Let me know how it goes...
logging enable
logging buffered 6
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
probe http Probe_HTTP
interval 5
passdetect interval 60
expect status 200 200
open 2
receive 2
probe tcp Probe_FTP
port 21
interval 5
passdetect interval 60
open 2
receive 2
rserver host Server1
ip address 10.10.10.10
conn-limit max 4000000 min 4000000
inservice
rserver host Server2
ip address 10.10.10.11
conn-limit max 4000000 min 4000000
inservice
serverfarm host FARM-HTTP
probe Probe_HTTP
rserver Server1 80
conn-limit max 4000000 min 4000000
inservice
rserver Server2 80
conn-limit max 4000000 min 4000000
inservice
serverfarm host FARM-FTP
probe Probe_FTP
rserver Server1
conn-limit max 4000000 min 4000000
inservice
rserver Server2
conn-limit max 4000000 min 4000000
inservice
sticky http-cookie XXX_tempCookie XXX_tempCookie
cookie insert
serverfarm FARM-HTTP
class-map type management match-any Management
201 match protocol http any
202 match protocol https any
203 match protocol icmp any
204 match protocol kalap-udp any
205 match protocol ssh any
206 match protocol telnet any
207 match protocol xml-https any
class-map match-any XXX-WCVS-WWW
2 match virtual-address 10.10.10.100 tcp eq www
class-map match-any XXX-WCVS-FTP
2 match virtual-address 10.10.10.100 tcp eq ftp
3 match virtual-address 10.10.10.100 tcp range 1023 65535 <-- try first without this, then with this
class-map match-any NAT-VIP
2 match destination-address 10.10.10.100 255.255.255.255
policy-map type management first-match Management
class Management
permit
policy-map type loadbalance first-match XXX_VS-l7slb-WWW
class class-default
sticky-serverfarm XXX_tempCookie
policy-map type loadbalance first-match XXX_VS-l7slb-FTP
class class-default
Serverfarm FARM-FTP
policy-map multi-match int3
class XXX-WCVS-WWW
loadbalance vip inservice
loadbalance policy XXX_VS-l7slb-WWW
class XXX-WCVS-FTP
loadbalance vip inservice
loadbalance policy XXX_VS-l7slb-FTP
inspect ftp
class NAT-VIP
nat dynamic 5 vlan 12
interface vlan 12
ip address 10.10.10.1 255.255.255.0
alias 10.10.10.3 255.255.255.0
peer ip address 10.10.10.2 255.255.255.0
access-group input ALL
nat-pool 5 10.10.10.100 10.10.10.100 netmask 255.255.255.0 pat
service-policy input Management
service-policy input int3
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.254 -
ACE load balancing and testing using soapUI
Hey, I am trying to crowd source a solution for this problem.
A client is testing using soapUI to an application that is being load balanced via ACE. There are two webservers behind the VIP servicing the client request. When client tests, requests are timing out per the soapUI log. A packet capture was taken and it clearly shows that ACE is not forwarding the HTTP data back to the client. When client tests by bypassing the ACE load balancer, it works fine. But, there are other clients from other applications that are making successful connection to the load balanced application via the VIP.
Question, is there any thing unique with making HTTP/XML based requests using soapUI? LB configuration is shown below:
class-map match-all EAI_PWS_9083
2 match virtual-address 10.5.68.29 tcp eq 9083
serverfarm host EAI_PWS_9083
description WebSphere Porduction
failaction purge
probe tcp9083
rserver ESSWSPAPP01 9083
inservice
rserver ESSWSPAPP02 9083
inservice
policy-map type loadbalance first-match L7_POLICY_EAI_PWS_9083
class class-default
serverfarm EAI_PWS_9083
policy-map multi-match L4SLBPOLICY
class EAI_PWS_9083
loadbalance vip inservice
loadbalance policy L7_POLICY_EAI_PWS_9083
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAM
parameter-map type http CASE_PARAM
case-insensitiveHi,
Your configuration looks fine. I am not familiar with soapUI but if it is like a normal TCP connection followed by HTTP requests, i don't see why this shouldn't work.
Do you know if there is a difference while using soapUI and normal request using browser?
Regards,
Kanwal -
Can the ACE load balance SMB?
Server 1 DNS is msserver1
Server 2 DNS is msserver2
VIP DNS is msserver
Can the ACE replace the server name (or IP address) in a tree connect query with the actual real server name that is chosen for the request?Hi , If I understood you correctly and you're looking for intelligent way to loadbalance NetBios/Samba - I'm afraid there is no such functionality on ACE, we can only do simple L4 loadbalancing for such sessions and can't change anything.
-
Need help with ACE Load Balancing Base on URL pattern
This is the first time for me trying to configure something like this on the ACE load balancer. I need help configuring a load balancing policy base on URL pattern. URL https://ineedhelp.com base on /willuhelpme and /imlost
Key: ineedhelp_key
cert: ineedhelp_cert
serverfarmA
serverA 10.1.1.1 443
serverfarmB
serverB 10.1.1.2 443
ineedhelp.com/willuhelpme-------serverfarmA
ineedhelp.ocm/imlost---------------serverfarmBThis is the first time for me trying to configure something like this on the ACE load balancer. I need help configuring a load balancing policy base on URL pattern. URL https://ineedhelp.com base on /willuhelpme and /imlost
Key: ineedhelp_key
cert: ineedhelp_cert
serverfarmA
serverA 10.1.1.1 443
serverfarmB
serverB 10.1.1.2 443
ineedhelp.com/willuhelpme-------serverfarmA
ineedhelp.ocm/imlost---------------serverfarmB -
Ace load balancing, inservice/no inservice serverfarms
I've started working with an ACE load balancer and came across something that just didn't add up to me. I can pull and put servers in and out of rotation without a problem however when working with a serverfarm or a group of servers I have to pull each one individually and can't find a way to remove say the entire serverfarm via one command. Does anyone know of a way to put a serverfarm 'inservice' or set it to 'no inservice' that would make it easier for large groups of servers needing to be adjusted.
Sorry if this isn't the write forum for this kind of question. Please feel free to move it if needed.Hello Chris,
There is no toggle to set every rserver under a serverfarm out of service. You can only take a single rserver out of service at a global level, or under a serverfarm inividually.
One thing to think about - bringing down all of the servers would be the same as removing the serverfarm from under the policy map type loadbalance since it would effectively bring the vip down.
Regards,
Chris Higgins -
Hi,
I have ACE 4701 with c4710ace-mz.A3_2_2.bin image. In the current setup ACE is located in the center of network where all the WAN, Intenret and LAN is connected and ACE has default towards Internet and All other segment has default route towards ACE appliance. ACe is only redirecting the port 80 traffic to my Proxy server and bypass my lan subnet on port 80.
Internet
i
i
i
i
i
ACE--------------------------------WAN
i
i
i
i
LAN
I want to use ACE for the load balancing of two servers. Today I did the load balancing configuration but as soon as I applied the policy map on the interface vlan 200 and 300, my complete network reachability went down. When I remove the policy my network came back to normal.
192.168.200.66 FAX Server-1
192.1168.200.67 FAX Server-2
192.168.200.65 Virtual IP address
Attached is the configuration that I did on ACE for the load balancing and below is the current configuration of the ACE appliance.
access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
access-list acl-in line 1 extended permit ip any any
access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
access-list acl-out line 1 extended permit ip any any
access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
access-list acl-proxy line 1 extended permit ip any any
access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
access-list acl-wan line 1 extended permit ip any any
probe tcp PROBE_5050
port 5050
interval 15
passdetect interval 60
open 1
probe tcp PROBE_5101
port 5101
interval 15
passdetect interval 60
open 1
probe tcp PROBE_TCP
port 80
interval 15
passdetect interval 60
open 1
parameter-map type http PARAMAP_CASE
case-insensitive
no persistence-rebalance
rserver host RS_BCPR01
ip address 192.168.0.103
inservice
rserver host RS_BCPR02
ip address 192.168.0.104
inservice
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
serverfarm host SF_BCPR
transparent
probe PROBE_5050
probe PROBE_5101
probe PROBE_TCP
rserver RS_BCPR01
inservice
rserver RS_BCPR02
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
rserver RT_fax2
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
replicate sticky
serverfarm SF_BCPR
sticky ip-netmask 255.255.255.255 address source FAX-STICKY
replicate sticky
serverfarm SF_RT_fax
class-map type management match-any CM_ALL
2 match protocol snmp any
3 match protocol http any
4 match protocol https any
5 match protocol icmp any
6 match protocol telnet any
class-map match-any CM_BYPASS_FOR_LAN
3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_BYPASS_SUBNET
9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
14 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_IM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
class-map match-all CM_SF_BCPR
255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
class-map match-any RT_FAX
2 match virtual-address 192.168.200.65 0.0.0.0 any
policy-map type management first-match PM_ALL
class CM_ALL
permit
policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
class class-default
forward
policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
class class-default
forward
policy-map type loadbalance first-match PM_LB_RT_FAX
class class-default
sticky-serverfarm FAX-STICKY
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
class class-default
sticky-serverfarm STICKY-SOURCE
policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
class CM_BYPASS_FOR_LAN
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
policy-map multi-match PM_BYPASS_HTTP
class CM_BYPASS_SUBNET
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_HTTP
policy-map multi-match PM_MAIN_BCPROXY
class CM_SF_BCPR
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
loadbalance vip icmp-reply active
appl-parameter http advanced-options PARAMAP_CASE
class CM_IM
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
service-policy input PM_ALL
interface vlan 100
description FW-INSIDE CONTEXT RACK1
ip address 192.168.0.5 255.255.255.224
alias 192.168.0.11 255.255.255.224
peer ip address 192.168.0.6 255.255.255.224
mac-address autogenerate
no icmp-guard
access-group input acl-out
no shutdown
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 301
description BC-VLAN CONTEXT RACK1
ip address 192.168.0.97 255.255.255.224
alias 192.168.0.107 255.255.255.224
peer ip address 192.168.0.98 255.255.255.224
mac-address autogenerate
access-group input acl-proxy
no shutdown
ft track interface TRACKING_FOR_FT_VLAN
track-interface vlan 300
peer track-interface vlan 300
priority 255
peer priority 255
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Please help me out what i am missing. Is there any limitation on policy map or my bypass subnet list is creating problem.I did these changes this time nothing disconnected but I am not able to do the Remote desktop on the virtual IP address. Real IP has Remote desktop enabled even VIP is not ping able for me.
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
inservice
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
inservice
rserver RT_fax2
inservice
policy-map type loadbalance rdp first-match PM_LB_RT_FAX
class class-default
serverfarm SF_RT_fax
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
loadbalance vip icmp-reply active
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
no shutdown
But nothing is working for me. Please help me out. This time i didnt configure the sticky. But in real I will go with sticky and complete IP protocol will be use a VIP. Please help me out. -
ACE load-balancing-Cookie problem
In our other load-balancing environments the load-balancer-cookie contains the encrypted (real) servername or ip-address.
We think it's the same on the cisco, for that reason it's in theory not possible, that there are two 'green'-cookies with different values in the same request.
There are only two possibilities how this could happen:
a) The healthmonitor (http_probe) fails, the loadbalancer 'thinks' that the realserver is down and redistributes the traffic.
But in that case we would expect, that the old cookie will be overwritten by the new one and not simply added to the http-header.
b) The predictor in the serverfarm chooses a new realserver within the same request.
If that is really the cause of that problem this would be bug in the cisco ace.
What we found out, is that the loadbalancer performs a 'Set-Cookie'-Operation an every request even if the client submits the cookie correctly.
For example:
GET /ips-opdata/scripts/jquery.js HTTP/1.1
Host: www.xxxxx.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.xxxxx.com/
Cookie: green=R339366665; JSESSIONID=28D91FC6FD62A3921354BB36826294C4
HTTP/1.1 200 OK
Set-Cookie: green=R339366665; path=/; expires=Tue, 29-Mar-2011 06:33:00 GMT
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
ETag: W/"72181-1298537508000"
Last-Modified: Thu, 24 Feb 2011 08:51:48 GMT
Content-Type: text/javascript
Content-Length: 72181
Date: Mon, 28 Mar 2011 06:15:19 GMT
As you can see the cookies: green=R339366665 is transmitted from the client, but the loadbalancer does a Set-Cookie Operation of the same cookie once again. This is an unexpected behaviour.
We hope that this helps you to figure out the reason of the problem.The cookie is sent by the ACE on each response to refresh the timeout value on the client. The value of the cookie doesn't change. This is the expected behaviour and shouldn't break anything in the application / browser.
For browser-based applications, don't forget to add the "browser-expire" parameter to your cookie-based stickyness config. -
ACE load balancing based on URL
I am trying to send traffic to one server or another based on the URL. I want traffic to foo.com/selfserv to direct to server A and traffic to foo.com/webui to direct to server B. I found URL inspection etc but I am not sure how to apply it the scenario as I do not want the ACE to inspect all inbound HTTP requests.
The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string. To configure a class map to make Layer 7 SLB decisions based on the URL name and, optionally, the HTTP method, use the match http url command in class-map HTTP load balance configuration mode.
The ACE performs regular expression matching against the received packet data from a particular connection based on the RTSP URL string. You can configure a class map to make Layer 7 SLB decisions based on the URL name and optionally, the RTSP method, by using the match rtsp url command in class-map RTSP load balance configuration mode.
Configuring Traffic Policies for Server Load Balancing:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html -
Load Balancing FTP Server thru CSM using a single Client IP
Hello,
We have a need to load balance 3 FTP servers. These servers are reached only from a single client IP which is a database server. The FTP method that is being used is currently passive. Our configuration is currently unidirectional, ie, the FTP client (the one database server) sends to the VIP and the FTP Servers then talk directly back to the FTP client and the traffic does not go back through the CSM. The problem is that because FTP negotiates another port to talk on, we have to use sticky so that the connection is sent back to the original FTP server that sent the FTP data port to talk on. But, since we only have a single client IP that is ever used we are not load balancing appropriately across the FTP servers.
Traffic flow goes something like this, tcp port followed after colon as an example
1. FTP Client ----> VIP:21
2. CSM ---------> FTP Server:21
3. FTP Server --------> FTP Client(FTP server says come talk to me on port 1700)
4. FTP Client ---------> VIP:1700
5. CSM ---------> FTP Server:1700
6. FTP Server:1700 ---------> FTP Client
repeat steps 4 thru 6
Here's our hardware and software:
WS-X6066-SLB-APC running 4.2(2)
Config is as follows
module ContentSwitchingModule 9
ft group 101 vlan 9
priority 10
vlan 216 client
ip address 10.209.16.31 255.255.252.0
gateway 10.209.16.1
vlan 20 server
ip address 10.209.0.31 255.255.252.0
alias 10.209.0.11 255.255.252.0
probe ICMP1 icmp
interval 3
failed 3
receive 3
serverfarm FHEPRT
no nat server
no nat client
real 10.209.0.72
inservice
real 10.209.0.73
inservice
real 10.209.0.71
inservice
probe ICMP1
sticky 106 netmask 255.255.255.255 address source timeout 3
policy FHEPRT_POL1
sticky-group 106
serverfarm FHEPRT
vserver FHEPRT1
virtual 10.209.16.71 any
vlan 216
unidirectional
serverfarm FHEPRT
replicate csrp connection
no persistent rebalance
slb-policy FHEPRT_POL1
inserviceYou are missing "service ftp" config in the Vip definition. Try the following
vserver FHEPRT1
virtual 10.209.16.71 tcp ftp service ftp
Syed Iftekhar Ahmed -
Hi,
I have one server application with two physical servers clustered with one virtual IP address . I have total six ip addresses for one server : details are given below
Cluster IP’s :
Node 1 :
NIC 1 : 10.10.x.x : physical IP address
NIC 2 : 172.16.x.x : heartbeat address used in between server
Node 2 :
NIC 1 : 10.10.x.x : physical ip address
NIC 2 : 172.16.x.x : heartbeat address used in between server
Cluster IP : 10.10.x.x : clustered IP address used to access server
SQL IP : 10.10.x.x : clustered IP address used to access SQL application .
now i want to achieve server load-balancing using ACE module. Please suggest to me fulfil this requirement. how to do this ?
whether i need to remove the virtual IP and directly bind two physical ip to ace virtual ip add.
How do i check ace server load-balancing configuration with live server .... do we have any tool to check the packet behaviour to confirm that load-balancing is happening properly in between two physical servers :
Please guide me and share the knowledge .....................Hi Vinod,
You are correct. In order to achieve load-balancing with an ACE blade, you need to configure the addresses of the two severs separately. If you look at the documentation page on cisco.com for ACE (http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html) you will find sample configuration for the most commont topologies.
As for how to verify if the load-balancing is working correctly, you can use the command "show serverfarm ", which will list you all the servers in a serverfarm, along with the current and total connection numbers for each of them. -
Hi all,
I´m configuring 2 ACE 4710 in failover, and I also need to balance 2 webservers at the momment. I have all of the IP address in the same subnet, is that a problem?
Server 1 192.168.1.1
Server 2 192.168.1.2
VIP 192.168.1.3
I have a VLAN for administration, and I have a VLAN for the client connection.
But when I try to connect to the VIP, It doesn't show the web page, but if I connect to the servers page directly they are working ok..
Does anybody know what can i check, or if there is any manual that really shows how to configure this type of connections.
Thanks..Hello,
From your description, it sounds like you might have a one-armed configuration for load balancing. If your management VLAN interface is only used for management, and you only have the client VLAN interface for load balancing, then this would be a one-armed config. If this is indeed the case, then you would need to use either Policy-Based Routing to route the server response traffic back to the ACE rather than directly back to the client. Or, the more common solution is to configure source NAT as shown below:
access-list ANYONE line 10 extended permit tcp any any
rserver host SERVER_01
ip address 192.168.1.1
inservice
rserver host SERVER_02
ip address 192.168.1.2
inservice
serverfarm host REAL_SERVERS
rserver SERVER_01
inservice
rserver SERVER_02
inservice
class-map match-all VIP-3
2 match virtual-address 192.168.1.3 any
class-map type management match-any REMOTE_ACCESS
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match SLB_LOGIC
class class-default
serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
class VIP-3
loadbalance vip inservice
loadbalance policy SLB_LOGIC
loadbalance icmp-reply active
nat dynamic 1 vlan 20
interface vlan 10
description MANAGEMENT VLAN
ip address 172.16.51.11 255.255.255.0
access-group input ANYONE
service-policy input REMOTE_MGT
no shutdown
interface vlan 20
description CLIENT VLAN
ip address 192.168.1.10 255.255.255.0
service-policy input CLIENT_VIPS
nat-pool 1 192.168.1.100 192.168.1.100 netmask 255.255.255.0 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.254
Hope this helps,
Sean -
ACE: load balancing servers using DMZ ports on FWSM
devices; (2 core with the ff config)
6500
fwsm
idsm
msfc
SETUP;
Servers are connected to the dmzs on the core
REQUIREMENT;
to load balance the servers
QUESTION;
Using the ACE module, is it possibe to load balance the servers which are connected to the port which is configured as DMZ?
Thanksdoes not matter where the servers are connected.
However, be aware that the flows from client to server needs to go through the loadbalancer BUT also the flows server to client.
So, you should be careful where you attach the ACE module.
The easier would be to attach to the DMZ as well between the FW and the servers.
Gilles.
Maybe you are looking for
-
ITunes 8 + OS 10.5.7 NOT Compatible??
There seems to be a pattern appearing here in the posts on numerous threads relating to iTunes 8 AND OS 10.5.7. Ever since I upgraded to iTunes 8.2 on my MacBookPro running OS 10.5.7, I can no longer play any of the movies or tv shows I downloaded be
-
I have Outlook on my PC and thought it would be smart to have my contact in the Clouds where my ipad, work pc, home pc would be updated etc. So I was asked I though to copy my contacts from Outlook to iCloud. Instead it moved them and in doing so l
-
QuickVPN on Verizon 4G not working
QuickVPN is not making a connection over the Verizon 4G network. After "Activating Policy" it tries to verify the network, but always times out. I get the message "remote gateway is not responding. Do you want to wait? My same setup works on the 3G n
-
HELP... iPod 5th gen wont play on docking station
We have 2 iPod 4th gen nano's and both play perfectly well on the docking stations, one being great quality one. The 5th gen nano plays but only with internal speakers even tho connected to docking station....Help.
-
ICloud error message-"YOU CAN'T SIGN IN AT THIS TIME. TRY SIGNING IN AGAIN".
Can't get ICloud to work on Mac. Always get error message saying "YOU CAN'T SIGN IN AT THIS TIME. TRY SIGNING IN AGAIN". Been trying for weeks but with no success. Upgraded to Maverick 10.9.1 just to have use of Icloud but so far nothing. Any suggest