ACE Load Balancing Problem

Hi,
I have an ACE 4701 with the c4710ace-mz.A3_2_2.bin image. In the current setup the ACE is located in the center of the network, where all the WAN, Internet and LAN segments are connected; the ACE has a default route towards the Internet and all other segments have a default route towards the ACE appliance. The ACE is only redirecting port 80 traffic to my proxy server and bypassing my LAN subnets on port 80.
Internet
   |
   |
   |
  ACE--------------------------------WAN
   |
   |
   |
  LAN
I want to use the ACE for load balancing two servers. Today I did the load balancing configuration, but as soon as I applied the policy map on interface vlan 200 and 300, my complete network reachability went down. When I removed the policy, my network came back to normal.
192.168.200.66  FAX Server-1
192.168.200.67  FAX Server-2
192.168.200.65   Virtual IP address
Attached is the configuration that I did on ACE for the load balancing and below is the current configuration of the ACE appliance.
access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
access-list acl-in line 1 extended permit ip any any
access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
access-list acl-out line 1 extended permit ip any any
access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
access-list acl-proxy line 1 extended permit ip any any
access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
access-list acl-wan line 1 extended permit ip any any
probe tcp PROBE_5050
  port 5050
  interval 15
  passdetect interval 60
  open 1
probe tcp PROBE_5101
  port 5101
  interval 15
  passdetect interval 60
  open 1
probe tcp PROBE_TCP
  port 80
  interval 15
  passdetect interval 60
  open 1
parameter-map type http PARAMAP_CASE
  case-insensitive
  no persistence-rebalance
rserver host RS_BCPR01
  ip address 192.168.0.103
  inservice
rserver host RS_BCPR02
  ip address 192.168.0.104
  inservice
rserver host RT_fax1
  description Right Fax Server-1
  ip address 192.168.200.66
rserver host RT_fax2
  description Right Fax Server-2
  ip address 192.168.200.67
serverfarm host SF_BCPR
  transparent
  probe PROBE_5050
  probe PROBE_5101
  probe PROBE_TCP
  rserver RS_BCPR01
    inservice
  rserver RS_BCPR02
    inservice
serverfarm host SF_RT_fax
  rserver RT_fax1
  rserver RT_fax2
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
  replicate sticky
  serverfarm SF_BCPR
sticky ip-netmask 255.255.255.255 address source FAX-STICKY
  replicate sticky
  serverfarm SF_RT_fax
class-map type management match-any CM_ALL
  2 match protocol snmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol icmp any
  6 match protocol telnet any
class-map match-any CM_BYPASS_FOR_LAN
  3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
  8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
  9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
  10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_BYPASS_SUBNET
  9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
  13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
  14 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
  15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_IM
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
  3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
  4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
class-map match-all CM_SF_BCPR
  255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
class-map match-any RT_FAX
  2 match virtual-address 192.168.200.65 0.0.0.0 any
policy-map type management first-match PM_ALL
  class CM_ALL
    permit
policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
  class class-default
    forward
policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
  class class-default
    forward
policy-map type loadbalance first-match PM_LB_RT_FAX
  class class-default
    sticky-serverfarm FAX-STICKY
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
  class class-default
    sticky-serverfarm STICKY-SOURCE
policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
  class CM_BYPASS_FOR_LAN
    loadbalance vip inservice
    loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
policy-map multi-match PM_BYPASS_HTTP
  class CM_BYPASS_SUBNET
    loadbalance vip inservice
    loadbalance policy PM_L7_BYPASS_HTTP
policy-map multi-match PM_MAIN_BCPROXY
  class CM_SF_BCPR
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE
  class CM_IM
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
policy-map multi-match PM_RT_FAX
  class RT_FAX
    loadbalance vip inservice
    loadbalance policy PM_LB_RT_FAX
service-policy input PM_ALL
interface vlan 100
  description FW-INSIDE CONTEXT RACK1
  ip address 192.168.0.5 255.255.255.224
  alias 192.168.0.11 255.255.255.224
  peer ip address 192.168.0.6 255.255.255.224
  mac-address autogenerate
  no icmp-guard
  access-group input acl-out
  no shutdown
interface vlan 200
  description WAN-VLAN CONTEXT RACK1
  ip address 192.168.0.33 255.255.255.224
  alias 192.168.0.43 255.255.255.224
  peer ip address 192.168.0.34 255.255.255.224
  mac-address autogenerate
  access-group input acl-wan
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  no shutdown
interface vlan 300
  description ACE-INSIDE CONTEXT RACK1
  ip address 192.168.0.65 255.255.255.224
  alias 192.168.0.73 255.255.255.224
  peer ip address 192.168.0.66 255.255.255.224
  mac-address autogenerate
  access-group input acl-in
  service-policy input PM_BYPASS_FOR_LAN_HTTP
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  no shutdown
interface vlan 301
  description BC-VLAN CONTEXT RACK1
  ip address 192.168.0.97 255.255.255.224
  alias 192.168.0.107 255.255.255.224
  peer ip address 192.168.0.98 255.255.255.224
  mac-address autogenerate
  access-group input acl-proxy
  no shutdown
ft track interface TRACKING_FOR_FT_VLAN
  track-interface vlan 300
  peer track-interface vlan 300
  priority 255
  peer priority 255
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Please help me find out what I am missing. Is there any limitation on policy maps, or is my bypass subnet list creating the problem?

I made these changes; this time nothing disconnected, but I am not able to do Remote Desktop to the virtual IP address. The real IPs have Remote Desktop enabled, and even the VIP is not pingable for me.
rserver host RT_fax1
  description Right Fax Server-1
  ip address 192.168.200.66
  inservice
rserver host RT_fax2
  description Right Fax Server-2
  ip address 192.168.200.67
  inservice
serverfarm host SF_RT_fax
  rserver RT_fax1
    inservice
  rserver RT_fax2
    inservice
policy-map type loadbalance rdp first-match PM_LB_RT_FAX
  class class-default
    serverfarm SF_RT_fax
policy-map multi-match PM_RT_FAX
  class RT_FAX
    loadbalance vip inservice
    loadbalance policy PM_LB_RT_FAX
    loadbalance vip icmp-reply active
interface vlan 200
  description WAN-VLAN CONTEXT RACK1
  ip address 192.168.0.33 255.255.255.224
  alias 192.168.0.43 255.255.255.224
  peer ip address 192.168.0.34 255.255.255.224
  mac-address autogenerate
  access-group input acl-wan
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  service-policy input PM_RT_FAX
  no shutdown
interface vlan 300
  description ACE-INSIDE CONTEXT RACK1
  ip address 192.168.0.65 255.255.255.224
  alias 192.168.0.73 255.255.255.224
  peer ip address 192.168.0.66 255.255.255.224
  mac-address autogenerate
  access-group input acl-in
  service-policy input PM_BYPASS_FOR_LAN_HTTP
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  service-policy input PM_RT_FAX
  no shutdown
But nothing is working for me. Please help me out. This time I didn't configure the sticky, but in reality I will go with sticky, and the complete IP protocol will be used on the VIP. Please help me out.
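As an added example (not ACE code and not from the original post), the following Python evaluates which of the class-maps applied to interface vlan 300 above catch a given destination, protocol and port. The class-map table is transcribed from the first configuration; the matching rule is the subnet-mask convention the page's own class-maps use, where "match virtual-address 0.0.0.0 0.0.0.0" is the catch-all. Run on a few flows, it shows that RT_FAX, written with netmask 0.0.0.0 and protocol any, catches every flow on the interface and not only traffic to 192.168.200.65, which is worth checking against the symptom of the whole network losing reachability when that policy is applied.

```python
"""Evaluate which ACE class-map catches a given flow, following the netmask
convention used in the page's own class-maps (a subnet mask, where
0.0.0.0 0.0.0.0 is the catch-all). Added example: not ACE code; the table
below is transcribed from the first configuration in the post."""
import ipaddress

# (class-map name, virtual address, netmask, protocol, port or None)
# transcribed from the policies applied to interface vlan 300 in the post
CLASS_MAPS = [
    ("CM_BYPASS_FOR_LAN", "100.1.1.0", "255.255.255.0", "tcp", 80),
    ("CM_BYPASS_FOR_LAN", "10.0.0.0", "255.0.0.0", "tcp", 80),
    ("CM_BYPASS_FOR_LAN", "172.16.0.0", "255.255.0.0", "tcp", 80),
    ("CM_BYPASS_FOR_LAN", "192.168.0.0", "255.255.0.0", "tcp", 80),
    ("CM_SF_BCPR", "0.0.0.0", "0.0.0.0", "tcp", 80),
    ("CM_IM", "0.0.0.0", "0.0.0.0", "tcp", 5050),
    ("CM_IM", "0.0.0.0", "0.0.0.0", "tcp", 1080),
    ("CM_IM", "0.0.0.0", "0.0.0.0", "tcp", 5101),
    ("RT_FAX", "192.168.200.65", "0.0.0.0", "any", None),
]


def vip_matches(vip, mask, dst):
    """Subnet-mask match: dst & mask == vip & mask. A mask of 0.0.0.0 zeroes
    both sides, so it matches any destination address."""
    v = int(ipaddress.IPv4Address(vip))
    m = int(ipaddress.IPv4Address(mask))
    d = int(ipaddress.IPv4Address(dst))
    return (d & m) == (v & m)


def matching_classes(dst, proto, port):
    """Distinct class-map names whose match lines catch this flow, in
    configuration order (no claim is made about multi-match precedence)."""
    hits = []
    for name, vip, mask, cproto, cport in CLASS_MAPS:
        if not vip_matches(vip, mask, dst):
            continue
        if cproto != "any" and (cproto != proto or cport != port):
            continue
        if name not in hits:
            hits.append(name)
    return hits


def catch_all_classes():
    """Class-maps that match every flow: a 0.0.0.0 mask (every address)
    combined with protocol 'any' (every protocol and port)."""
    names = []
    for name, vip, mask, cproto, cport in CLASS_MAPS:
        if mask == "0.0.0.0" and cproto == "any" and name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    print(matching_classes("192.168.200.65", "tcp", 3389))  # RDP to the VIP
    print(matching_classes("8.8.8.8", "udp", 53))           # unrelated DNS flow
    print(catch_all_classes())
```

Any flow at all, including the DNS query to 8.8.8.8 in the usage above, ends up in RT_FAX; a host match for the VIP would use the mask 255.255.255.255, as the sticky entries in the same configuration do.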

Similar Messages

  • ACE load balancing and testing using soapUI

    Hey, I am trying to crowd source a solution for this problem.
    A client is testing using soapUI against an application that is being load balanced via ACE. There are two web servers behind the VIP servicing the client request. When the client tests, requests are timing out per the soapUI log. A packet capture was taken and it clearly shows that the ACE is not forwarding the HTTP data back to the client. When the client tests by bypassing the ACE load balancer, it works fine. But there are other clients from other applications that are making successful connections to the load balanced application via the VIP.
    Question: is there anything unique about making HTTP/XML based requests using soapUI? The LB configuration is shown below:
    class-map match-all EAI_PWS_9083
      2 match virtual-address 10.5.68.29 tcp eq 9083
    serverfarm host EAI_PWS_9083
      description WebSphere Production
      failaction purge
      probe tcp9083
      rserver ESSWSPAPP01 9083
        inservice
      rserver ESSWSPAPP02 9083
        inservice
    policy-map type loadbalance first-match L7_POLICY_EAI_PWS_9083
      class class-default
        serverfarm EAI_PWS_9083
    policy-map multi-match L4SLBPOLICY
      class EAI_PWS_9083
        loadbalance vip inservice
        loadbalance policy L7_POLICY_EAI_PWS_9083
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options CASE_PARAM
    parameter-map type http CASE_PARAM
      case-insensitive

    Hi,
    Your configuration looks fine. I am not familiar with soapUI, but if it is like a normal TCP connection followed by HTTP requests, I don't see why this shouldn't work.
    Do you know if there is a difference between using soapUI and a normal request using a browser?
    Regards,
    Kanwal

  • Ace load balancing, inservice/no inservice serverfarms

    I've started working with an ACE load balancer and came across something that just didn't add up to me. I can pull and put servers in and out of rotation without a problem; however, when working with a serverfarm or a group of servers I have to pull each one individually and can't find a way to remove, say, the entire serverfarm via one command. Does anyone know of a way to put a serverfarm 'inservice' or set it to 'no inservice' that would make it easier for large groups of servers needing to be adjusted?
    Sorry if this isn't the right forum for this kind of question. Please feel free to move it if needed.

    Hello Chris,
      There is no toggle to set every rserver under a serverfarm out of service. You can only take a single rserver out of service at a global level, or under a serverfarm individually.
      One thing to think about: bringing down all of the servers would be the same as removing the serverfarm from under the policy map type loadbalance, since it would effectively bring the VIP down.
    Regards,
    Chris Higgins

  • Is it possible to use UCS Blade Servers in ACE Load Balancing

    Hi all ,
    Is it possible to use UCS Blade Servers in ACE Load Balancing? Please note that the UCS Blade Servers are not connected directly to the 6500 Switch where the ACE Module is installed. I am expecting a good suggestion from either an ACE or a Switching expert.
    Thanks in advance
    Sanjeevi

    There is nothing that would prevent you from load balancing the applications that run on UCS servers. ACE can load balance applications that are directly L2 attached (bridged or routed mode) or even servers that are multiple L3 hops away, using one-armed mode with source NAT. The key to this is that the return traffic from the server needs to make it back to the ACE.

  • Ask the Expert: Configuration and Troubleshooting the Cisco Application Control Engine (ACE) load balancer

    With Ajay Kumar and Telmo Pereira 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco experts Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module: helps ensure business continuity by increasing application availability; improves business productivity by accelerating application and server performance; reduces data center power, space, and cooling needs through a virtualized architecture; and helps lower operational costs associated with application provisioning and scaling.
    Ajay Kumar  is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications. 
    Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP.
    Remember to use the rating system to let Ajay know if you have received an adequate response.
    Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
    This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

    Hello Krzysztof,
    Another set of good/interesting questions posted. Thanks! 
    I will try to clarify your doubts.
    In the output below both resources (proxy-connections and ssl-connections rate) are configured with a minimum percentage of resources (column Min), while 'Max' is set equal to the min.
    ACE/Context# show resource usage
                                                         Allocation
            Resource         Current       Peak        Min        Max       Denied
    -- outputs omitted for brevity --
      proxy-connections             0      16358      16358      16358      17872
      ssl-connections rate          0        626        626        626      23204
    Most columns are self-explanatory: 'Current' is current usage, 'Peak' is the maximum value reached, and the most important counter to monitor, 'Denied', represents the number of packets denied/dropped due to exceeding the configured limits.
    On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
    So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
    ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource. 
    For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
    If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
    This might sound like a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, especially if you have business critical contexts.
    We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
    1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to drop. The ACE should in theory silently drop (no RST is sent back to the client). So unless we changed something in the code, this is what you should see.
    To give more context, seeing resets with SSL connections is not necessarily synonymous with drops, as it is usual to see them during normal transactions.
    For instance, Microsoft servers usually terminate SSL connections ungracefully with a RESET. Also, when there is renegotiation during an SSL transaction you may see RESETs, but this will pass unnoticed by end users.
    2) The ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Existing connections will continue.
    As the ACE doesn't respond back, the client would simply retransmit, and if he is lucky, maybe on the next attempt he will be able to establish the connection.
    To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
    As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
    3)  If a new connection comes in with a sticky value, that matches the sticky entry of a real server, which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
    The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
    I hope this makes things clearer! Uff...
    Regards,
    Telmo
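A small parser for the 'show resource usage' table quoted above, added here as an example (it is not ACE code and not Telmo's). It flags the rows the reply tells you to watch, where Peak has reached Max and Denied is non-zero, and notes when Min equals Max, in which case the context cannot borrow spare resources. The sample output is transcribed from the reply.

```python
"""Parse an ACE 'show resource usage' table and flag exhausted resources.
Added example, not ACE or the poster's code; SAMPLE_OUTPUT is transcribed
from the reply above."""
import re

SAMPLE_OUTPUT = """\
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-- outputs omitted for brevity --
  proxy-connections             0      16358      16358      16358      17872
  ssl-connections rate          0        626        626        626      23204
"""

# A data row is a resource name (which may contain spaces) followed by the
# five integer columns Current, Peak, Min, Max, Denied.
ROW_RE = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<nums>(?:\d+\s+){4}\d+)\s*$")


def parse_resource_usage(text):
    """Return {resource: {'current','peak','min','max','denied'}} per data row;
    header, separator and 'omitted' lines do not match and are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        current, peak, mn, mx, denied = (int(x) for x in m.group("nums").split())
        rows[m.group("name")] = {"current": current, "peak": peak,
                                  "min": mn, "max": mx, "denied": denied}
    return rows


def exhausted_resources(rows):
    """Resources whose Peak reached Max and that actually denied requests;
    these are the ones the reply says need more allocation."""
    return sorted(name for name, r in rows.items()
                  if r["peak"] >= r["max"] and r["denied"] > 0)


def allocation_is_pinned(r):
    """True when Min == Max, i.e. the context cannot use resources beyond
    its guaranteed share even when the box has some spare."""
    return r["min"] == r["max"]


if __name__ == "__main__":
    usage = parse_resource_usage(SAMPLE_OUTPUT)
    for name in exhausted_resources(usage):
        r = usage[name]
        note = " (min pinned to max)" if allocation_is_pinned(r) else ""
        print(f"{name}: peak {r['peak']} == max {r['max']}, denied {r['denied']}{note}")
```

Both rows in the sample are flagged, which matches the reply's reading of the output; for the ssl-connections rate row remember that, as the reply notes, the Current/Peak/Min/Max values are in bytes/s while Denied is a packet count.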

  • Need help with ACE Load Balancing Base on URL pattern

    This is the first time for me trying to configure something like this on the ACE load balancer. I need help configuring a load balancing policy based on URL pattern. URL https://ineedhelp.com based on /willuhelpme and /imlost
    Key: ineedhelp_key
    cert:  ineedhelp_cert
    serverfarmA
    serverA 10.1.1.1 443
    serverfarmB
    serverB 10.1.1.2 443
    ineedhelp.com/willuhelpme-------serverfarmA
    ineedhelp.com/imlost---------------serverfarmB

  • ACE - Load Balance SMB?

    Can the ACE load balance SMB?
    Server 1 DNS is msserver1
    Server 2 DNS is msserver2
    VIP DNS is msserver
    Can the ACE replace the server name (or IP address) in a tree connect query with the actual real server name that is chosen for the request?

    Hi, if I understood you correctly and you're looking for an intelligent way to load balance NetBIOS/Samba, I'm afraid there is no such functionality on ACE; we can only do simple L4 load balancing for such sessions and can't change anything.

  • ACE load-balancing-Cookie problem

    In our other load-balancing environments the load-balancer-cookie contains the encrypted (real) servername or ip-address.
    We think it's the same on the Cisco; for that reason it is in theory not possible that there are two 'green' cookies with different values in the same request.
    There are only two possibilities for how this could happen:
    a) The health monitor (http_probe) fails, the load balancer 'thinks' that the real server is down and redistributes the traffic.
    But in that case we would expect that the old cookie would be overwritten by the new one and not simply added to the HTTP header.
    b) The predictor in the serverfarm chooses a new real server within the same request.
    If that is really the cause of the problem, this would be a bug in the Cisco ACE.
    What we found out is that the load balancer performs a 'Set-Cookie' operation on every request even if the client submits the cookie correctly.
    For example:
    GET /ips-opdata/scripts/jquery.js HTTP/1.1
    Host: www.xxxxx.com
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
    Accept: */*
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive
    Referer: http://www.xxxxx.com/
    Cookie: green=R339366665; JSESSIONID=28D91FC6FD62A3921354BB36826294C4

    HTTP/1.1 200 OK
    Set-Cookie: green=R339366665; path=/; expires=Tue, 29-Mar-2011 06:33:00 GMT
    Server: Apache-Coyote/1.1
    X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
    ETag: W/"72181-1298537508000"
    Last-Modified: Thu, 24 Feb 2011 08:51:48 GMT
    Content-Type: text/javascript
    Content-Length: 72181
    Date: Mon, 28 Mar 2011 06:15:19 GMT
    As you can see, the cookie green=R339366665 is transmitted from the client, but the load balancer does a Set-Cookie operation on the same cookie once again. This is unexpected behaviour.
    We hope that this helps you to figure out the reason of the problem.

    The cookie is sent by the ACE on each response to refresh the timeout value on the client. The value of the cookie doesn't change. This is the expected behaviour and shouldn't break anything in the application / browser.
    For browser-based applications, don't forget to add the "browser-expire" parameter to your cookie-based stickiness config.
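To check a capture like the one above for the sticky-cookie behaviour the reply describes, here is an added Python example (not ACE code and not the poster's) that compares the value the client sent in Cookie with what the response's Set-Cookie carries: the same value coming back is the refresh the reply describes, while a different value, or two Set-Cookie lines for the same name, would be the anomaly the poster was looking for. The request and response are trimmed from the capture above.

```python
"""Classify the sticky cookie handling in one HTTP request/response pair.
Added example, not ACE or the poster's code; REQUEST and RESPONSE are
trimmed from the capture quoted in the post (unrelated headers dropped)."""

STICKY_COOKIE = "green"

REQUEST = (
    "GET /ips-opdata/scripts/jquery.js HTTP/1.1\r\n"
    "Host: www.xxxxx.com\r\n"
    "Cookie: green=R339366665; JSESSIONID=28D91FC6FD62A3921354BB36826294C4\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: green=R339366665; path=/; expires=Tue, 29-Mar-2011 06:33:00 GMT\r\n"
    "Server: Apache-Coyote/1.1\r\n"
)


def headers(raw):
    """[(name, value)] for every header line after the start line, keeping
    repeated headers (several Set-Cookie lines) in order."""
    out = []
    for line in raw.split("\r\n")[1:]:
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        out.append((name.strip().lower(), value.strip()))
    return out


def request_cookie(raw, name):
    """Value of cookie `name` from the request's Cookie header(s), or None."""
    for hname, value in headers(raw):
        if hname != "cookie":
            continue
        for part in value.split(";"):
            k, _, v = part.strip().partition("=")
            if k == name:
                return v
    return None


def response_set_cookies(raw, name):
    """Values assigned to `name` by each Set-Cookie header in the response
    (attributes such as path= and expires= are dropped)."""
    values = []
    for hname, value in headers(raw):
        if hname == "set-cookie":
            k, _, rest = value.partition("=")
            if k.strip() == name:
                values.append(rest.split(";", 1)[0].strip())
    return values


def classify_sticky(request, response, name=STICKY_COOKIE):
    """'refresh'   same value sent back (the expected ACE behaviour)
       'new'       client had no sticky cookie, one was assigned
       'changed'   value differs from what the client sent
       'duplicate' more than one Set-Cookie for the sticky name
       'none'      response did not touch the sticky cookie"""
    sent = request_cookie(request, name)
    got = response_set_cookies(response, name)
    if len(got) > 1:
        return "duplicate"
    if not got:
        return "none"
    if sent is None:
        return "new"
    return "refresh" if got[0] == sent else "changed"


if __name__ == "__main__":
    print(classify_sticky(REQUEST, RESPONSE))
```

On the captured pair the result is "refresh": the value did not change, which is exactly the case the reply describes as harmless. The "changed" and "duplicate" outcomes are the ones to correlate with probe failures or rserver state changes.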

  • ACE Routing Load-Balance problem

    I'm trying to configure a routing load-balance with Cisco ACE Module based on the following scenario:
    Local users have a router (R1) as their default gateway; this router (R1) has a default route to the VIP that represents the serverfarm with two Linux servers that should be used for data shaping over the WAN. I need to balance the traffic over the two Linux servers and not necessarily over the WAN.
    The problem is that when I set up the local network router's default route to the VIP, the routing process simply stops working! If I change the route to the real server IP address, everything starts working again without any problem.
    Follow the configs:
    Local network Router - Static route
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Follow the ACE configs:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    access-list 100 line 8 extended permit ip any any
    rserver host rout001
      ip address 10.0.0.32
      inservice
    rserver host rout002
      ip address 10.0.0.31
      inservice
    serverfarm host BLC_ROUTING
      predictor leastconns
      rserver rout001
        inservice
      rserver rout002
        inservice
    class-map match-any VIP
      2 match virtual-address 10.0.0.1 any
    class-map type management match-any mgmt
      2 match protocol icmp any
      3 match protocol telnet any
      4 match protocol ssh any
    policy-map type management first-match access
      class mgmt
        permit
    policy-map type loadbalance first-match INT_router
      class class-default
        serverfarm BLC_ROUTING
    policy-map multi-match VIP
      class VIP
        loadbalance vip inservice
        loadbalance policy INT_router
        loadbalance vip icmp-reply
    interface vlan 6
      bridge-group 10
      access-group input 100
      service-policy input access
      service-policy input VIP
      no shutdown
    interface vlan 8
      bridge-group 10
      access-group input 100
      service-policy input access
      service-policy input VIP
      no shutdown
    interface bvi 10
      ip address 10.0.0.5 255.255.255.0
      no shutdown
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    I tried to change some parameters like "transparent" in the serverfarm config and changed the "predictor" method to "hash address source", but there were no good results at all.
    Does anyone have any idea why this process is not working?
    Is there any special configuration for this scenario ?
    Regards,
    Ricardo

    Ricardo,
    What is this route?
    ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
    You can't have 0.0.0.0/24.
    You must be missing something?
    Also, since the VIP is part of a VLAN with subnet 10.0.0.0/24, you don't need to add a static route to reach that VIP.
    It should normally be directly connected to your router.
    With the static route, do you see traffic coming to the ACE module?
    Does it load balance to the server?
    Check the packet counters with 'show service-policy detail'.
    Gilles.
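An added longest-prefix route lookup in Python (not the poster's or Cisco's code) to make Gilles' point concrete: "ip route 0.0.0.0 255.255.255.0 10.0.0.1" is the prefix 0.0.0.0/24, so only destinations inside 0.0.0.0/24 are ever sent to the VIP and everything else falls through, whereas a default route uses the mask 0.0.0.0. The 10.0.0.0/24 connected subnet and the VIP 10.0.0.1 are from the thread; the destination hosts are constructed.

```python
"""Longest-prefix-match lookup over a tiny static route table, comparing the
route as posted (0.0.0.0/24) with a real default route (0.0.0.0/0).
Added example, not the poster's or Cisco code; destination hosts are
constructed."""
import ipaddress


def lookup(routes, dst):
    """routes: [(prefix, next_hop)]. Return the next hop of the most specific
    prefix containing dst, or None when no route covers it."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Connected VLAN subnet plus the route exactly as posted:
# 'ip route 0.0.0.0 255.255.255.0 10.0.0.1' is 0.0.0.0/24, not a default route
AS_POSTED = [("10.0.0.0/24", "connected"), ("0.0.0.0/24", "10.0.0.1")]
# Same table with a genuine default route (mask 0.0.0.0)
DEFAULT_ROUTE = [("10.0.0.0/24", "connected"), ("0.0.0.0/0", "10.0.0.1")]


def uncovered(routes, destinations):
    """Destinations for which the table holds no matching route at all."""
    return [d for d in destinations if lookup(routes, d) is None]


if __name__ == "__main__":
    hosts = ["10.0.0.31", "192.0.2.10", "198.51.100.5"]   # constructed
    print(uncovered(AS_POSTED, hosts))       # the remote hosts fall through
    print(uncovered(DEFAULT_ROUTE, hosts))   # []
    print(lookup(AS_POSTED, "10.0.0.1"))     # the VIP itself is on the connected subnet
```

The lookup of 10.0.0.1 also illustrates Gilles' second remark: the VIP is covered by the connected 10.0.0.0/24 route, so no static route is needed to reach it.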

  • ACE load balance based on Source IP Address

    Hi Cisco  Support,
    I have a question related to Cisco ACE behavior in terms of taking a decision based on source address.
    I currently have two servers sitting behind the ACE as part of one server farm; these servers are load balanced via one VIP on the ACE module and everything looks fine.
    Now the service owners want to replace these old servers with new hardware, hence before the migration we need to make sure these new servers are working to the required standard, and so we need to create a testing scenario for the new servers alongside the old servers. The problem is that a number of third-party partners are accessing the existing servers by hitting the VIP on the ACE, and we can't engage all our partners to participate in this test, therefore we decided to engage only one partner to carry out this test with us.
    For that reason, can we somehow configure the ACE so that when a packet arrives on the ACE from the one test partner mentioned above, the ACE sends only that partner's traffic, based on its source address (defined via class/policy map on the ACE if possible), towards the new servers in the existing server farm and not to the old servers in the same server farm?
    Thanks for your  support

    Hi,
    Just to put some config sample that might help you to get this done.
    First create the new rservers and include them under a new serverfarm (New-APP).
    serverfarm host Webfarm
      rserver SVR1
        inservice
      rserver SVR2
        inservice
    serverfarm host New-APP
      rserver New-1
        inservice
      rserver New-2
        inservice
    - Same VIP already working.
    class-map match-all VIP-HTTP
      2 match virtual-address 10.10.10.10 tcp eq www
    - Create a new class that will include your partner's IP(s).
    class-map type http loadbalance match-any 3rd-Party
      2 match source-address 200.200.200.1 255.255.255.255 
      3 match source-address 200.200.200.10 255.255.255.255 
    Modify your current first-match policy to put the new class on top, so that all the traffic matched by the statement above (IP) will be redirected to the new farm with the new app; any other traffic that does not match the "rule" will be sent to the old serverfarm with the old app.
    policy-map type loadbalance first-match L7-SLB
      class 3rd-Party
        serverfarm New-APP
      class class-default
        serverfarm Webfarm
    Since you already have LB working then this is it, nothing needs to be added under the multi-match policy nor interface.
    HTH
    Pablo
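An added Python model of the "policy-map type loadbalance first-match" logic from Pablo's reply (not ACE code and not from either post): classes are tried in order and the first hit decides the serverfarm, with class-default catching the rest. The same evaluator is also run against the URL-pattern request from the "Need help with ACE Load Balancing Base on URL pattern" message above; the URL regexes and the fallback farm for that case are assumptions, since that question received no answer on the page.

```python
"""First-match load-balance policy evaluation, modelled on ACE's
'policy-map type loadbalance first-match'. Added example, not ACE or the
posters' code. SOURCE_SPLIT_POLICY mirrors Pablo's reply; URL_SPLIT_POLICY
is an assumed answer to the URL-pattern question (regexes and fallback farm
are assumptions)."""
import ipaddress
import re


def make_source_class(name, *cidrs):
    """match-any class on the client source address (the '3rd-Party' class)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return name, lambda flow: any(ipaddress.ip_address(flow["src"]) in n for n in nets)


def make_url_class(name, pattern):
    """match-any class on the request URL path, regex semantics assumed."""
    rx = re.compile(pattern)
    return name, lambda flow: rx.search(flow.get("url", "")) is not None


CLASS_DEFAULT = ("class-default", lambda flow: True)


def first_match(policy, flow):
    """policy: [(class_name, predicate, serverfarm)] evaluated top to bottom;
    returns (class_name, serverfarm) of the first class whose predicate hits."""
    for name, pred, farm in policy:
        if pred(flow):
            return name, farm
    raise LookupError("policy has no class-default")


# Pablo's reply: the two partner addresses go to New-APP, everyone else to Webfarm
SOURCE_SPLIT_POLICY = [
    (*make_source_class("3rd-Party", "200.200.200.1/32", "200.200.200.10/32"), "New-APP"),
    (*CLASS_DEFAULT, "Webfarm"),
]

# The URL split the earlier question asks for (assumed regexes; the '(/|$)'
# tail keeps '/willuhelpmeX' from matching the willuhelpme class)
URL_SPLIT_POLICY = [
    (*make_url_class("willuhelpme", r"^/willuhelpme(/|$)"), "serverfarmA"),
    (*make_url_class("imlost", r"^/imlost(/|$)"), "serverfarmB"),
    (*CLASS_DEFAULT, "serverfarmA"),   # assumption: unmatched paths go to farm A
]


if __name__ == "__main__":
    print(first_match(SOURCE_SPLIT_POLICY, {"src": "200.200.200.10"}))
    print(first_match(SOURCE_SPLIT_POLICY, {"src": "198.51.100.7"}))
    print(first_match(URL_SPLIT_POLICY, {"src": "198.51.100.7", "url": "/imlost/help"}))
```

Because evaluation stops at the first hit, the order of the classes is the whole point of Pablo's "put the new class on top": if class-default came first, the partner traffic would never reach New-APP.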

  • ACE Load Balancing

    Hi all,
    I'm configuring 2 ACE 4710 in failover, and I also need to balance 2 web servers at the moment. I have all of the IP addresses in the same subnet; is that a problem?
    Server 1 192.168.1.1
    Server 2 192.168.1.2
    VIP 192.168.1.3
    I have a VLAN for administration, and I have a VLAN for the client connection.
    But when I try to connect to the VIP, it doesn't show the web page, but if I connect to the servers' pages directly they are working OK.
    Does anybody know what I can check, or if there is any manual that really shows how to configure this type of connection?
    Thanks..

    Hello,
    From your description, it sounds like you might have a one-armed configuration for load balancing. If your management VLAN interface is only used for management, and you only have the client VLAN interface for load balancing, then this would be a one-armed config. If this is indeed the case, then you would need to either use Policy-Based Routing to route the server response traffic back to the ACE rather than directly back to the client, or, the more common solution, configure source NAT as shown below:
    access-list ANYONE line 10 extended permit tcp any any
    rserver host SERVER_01
      ip address 192.168.1.1
      inservice
    rserver host SERVER_02
      ip address 192.168.1.2
      inservice
    serverfarm host REAL_SERVERS
      rserver SERVER_01
        inservice
      rserver SERVER_02
        inservice
    class-map match-all VIP-3
      2 match virtual-address 192.168.1.3 any
    class-map type management match-any REMOTE_ACCESS
      description remote-access-traffic-match
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
    policy-map type management first-match REMOTE_MGT
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match SLB_LOGIC
      class class-default
        serverfarm REAL_SERVERS
    policy-map multi-match CLIENT_VIPS
      class VIP-3
        loadbalance vip inservice
        loadbalance policy SLB_LOGIC
        loadbalance icmp-reply active
        nat dynamic 1 vlan 20
    interface vlan 10
      description MANAGEMENT VLAN
      ip address 172.16.51.11 255.255.255.0
      access-group input ANYONE
      service-policy input REMOTE_MGT
      no shutdown
    interface vlan 20
      description CLIENT VLAN
      ip address 192.168.1.10 255.255.255.0
      service-policy input CLIENT_VIPS
      nat-pool 1 192.168.1.100 192.168.1.100 netmask 255.255.255.0 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.1.254
    Hope this helps,
    Sean
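An added Python walk-through (not ACE code and not Sean's) of the source NAT behaviour the reply relies on for a one-armed setup: the connection to the VIP is rewritten so the server sees the nat-pool address 192.168.1.100 as its peer, and the server's reply, addressed to that pool address, is matched on the reverse tuple and translated back to the client. A reply sent straight to the client's own address matches no flow, which is the asymmetric path the reply is avoiding. Addresses are those in Sean's configuration; client addresses and ports are constructed.

```python
"""One client connection through a one-armed load balancer with source NAT.
Added example, not ACE or the poster's code; VIP, nat-pool and real server
addresses are taken from the configuration in the reply."""
import itertools

VIP = "192.168.1.3"
NAT_POOL_IP = "192.168.1.100"        # nat-pool 1 on vlan 20 in the reply
REAL_SERVERS = ["192.168.1.1", "192.168.1.2"]


class SourceNatLB:
    def __init__(self, real_servers):
        self._rr = itertools.cycle(real_servers)   # round-robin predictor
        self._ports = itertools.count(1024)        # PAT source ports
        self.forward = {}   # (client_ip, client_port) -> (server, nat_port)
        self.reverse = {}   # (server, nat_port) -> (client_ip, client_port)

    def client_to_vip(self, client_ip, client_port):
        """Client packet to the VIP: choose a server, allocate a PAT port and
        return the packet as the server will see it (source = nat-pool IP)."""
        server = next(self._rr)
        nat_port = next(self._ports)
        self.forward[(client_ip, client_port)] = (server, nat_port)
        self.reverse[(server, nat_port)] = (client_ip, client_port)
        return {"src": (NAT_POOL_IP, nat_port), "dst": (server, 80)}

    def server_reply(self, server_ip, dst_ip, dst_port):
        """Server response. Only replies addressed to the nat-pool IP belong to
        a known flow and are un-NATed back to the client; anything else would
        have travelled straight to the client, bypassing the load balancer."""
        key = (server_ip, dst_port)
        if dst_ip != NAT_POOL_IP or key not in self.reverse:
            return None
        client_ip, client_port = self.reverse[key]
        return {"src": (VIP, 80), "dst": (client_ip, client_port)}


def round_trip(lb, client_ip, client_port):
    """Full exchange; returns (server chosen, reply as the client sees it)."""
    to_server = lb.client_to_vip(client_ip, client_port)
    server_ip, _ = to_server["dst"]
    reply = lb.server_reply(server_ip, *to_server["src"])
    return server_ip, reply


if __name__ == "__main__":
    lb = SourceNatLB(REAL_SERVERS)
    print(round_trip(lb, "192.168.1.50", 40000))   # constructed client
    print(lb.server_reply("192.168.1.1", "192.168.1.50", 40000))  # None: not via the LB
```

The client never sees the real server address in the reply, only the VIP; that is what keeps the TCP session consistent when the servers share the client's subnet and would otherwise answer it directly.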

  • ACE load balancing issue

    Hi,
    I have an ACE module and 2 servers. The problem I am facing is that only one server is being serviced by the ACE; the other server is not getting much traffic at all.
    One server gets hit most of the time, like 3 packets go to server 1 and 1 packet goes to server 2.
    Could anyone tell me why this issue of unequal load balancing is occurring on my device?
    Thanks in advance.

    here's the output of
    sh serverfarm det
    serverfarm : DNS, type: HOST
    total rservers : 2
    active rservers: 2
    description : -
    state : ACTIVE
    predictor : ROUNDROBIN
    failaction : -
    back-inservice : 0
    partial-threshold : 0
    num times failover : 0
    num times back inservice : 0
    total conn-dropcount : 0
    Probe(s) :
    DNS_PROBE, type = DNS
    ----------connections-----------
    real weight state current total failures
    ---+---------------------+------+------------+----------+----------+---------
    rserver: DNS-118-1
    10.0.0.1:0 8 OPERATIONAL 206 127901 1
    max-conns : - , out-of-rotation count : -
    min-conns : -
    conn-rate-limit : - , out-of-rotation count : -
    bandwidth-rate-limit : - , out-of-rotation count : -
    retcode out-of-rotation count : -
    load value : 0
    rserver: DNS-118-2
    10.0.0.2:0 8 OPERATIONAL 230 212332 4
    max-conns : - , out-of-rotation count : -
    min-conns : -
    conn-rate-limit : - , out-of-rotation count : -
    bandwidth-rate-limit : - , out-of-rotation count : -
    retcode out-of-rotation count : -
    load value : 0
    here's the output of
    sh service-policy L3L4_LOADB detail
    Status : ACTIVE
    Description: -----------------------------------------
    Context Global Policy:
    service-policy: L3L4_LOADB
    class: CLASS_MAP
    nat:
    nat dynamic 1 vlan 118
    curr conns : 325 , hit count : 340457
    dropped conns : 5
    client pkt count : 2697687 , client byte count: 179735431
    server pkt count : 2694477 , server byte count: 535957631
    conn-rate-limit : 0 , drop-count : 0
    bandwidth-rate-limit : 0 , drop-count : 0
    VIP Address: Protocol: Port:
    10.0.0.3 tcp eq 53
    10.0.0.3 udp eq 53
    loadbalance:
    L7 loadbalance policy: L7_LOADB
    VIP Route Metric : 77
    VIP Route Advertise : ENABLED-WHEN-ACTIVE
    VIP ICMP Reply : ENABLED-WHEN-ACTIVE
    VIP State: INSERVICE
    curr conns : 325 , hit count : 340462
    dropped conns : 5
    client pkt count : 2697687 , client byte count: 179735431
    server pkt count : 2694477 , server byte count: 535957631
    conn-rate-limit : 0 , drop-count : 0
    bandwidth-rate-limit : 0 , drop-count : 0
    L7 Loadbalance policy : L7_LOADB
    class/match : class-default
    LB action: :
    primary serverfarm: DNS
    state: UP
    backup serverfarm : -
    hit count : 340457
    dropped conns : 0

  • ACE - Load Balance insert cookie method for https

    I am trying to load balance between 2 web servers using the cookie insert method by ACE for achieving the session persistence. The servers are not inserting any cookie. It works fine for the http connections but when trying with https connection it is not working.
    Can anyone help me with this please.
    Is it that ACE cookie insert method of session persistence will not work with https connections.

    Hi,
    1. For https you can use src ip as sticky (mega proxy problem).
    2. You can terminate the ssl connection on the ace (ssl between client and ace only; between ace and server it's clear) and you can use any L7 sticky (for example cookie).
    3. If you need ssl terminated up to the real server, you can first terminate ssl between client and ace on the ace, then use L7 sticky and after that terminate a second ssl to the real server.
    In other words, if you don't decrypt ssl on the ace, you can use only L2/3 data for sticky (or ssl id for ssl v2.0).
    martin

  • ACE LOAD BALANCER - secure tls renegotiation

    I have a cisco ace loadbalancer and a server farm behind it.
    We have implemented ssl-to-ssl termination, but we are facing certain problems with the Opera browser and Android mobiles.
    On both we get "The server does not support secure TLS renegotiation...."
    Running the following:  openssl s_client -connect aaa.bbb.ccc.ddd:443
    On the load balancer we get:
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID:
        Session-ID-ctx:
        Master-Key: xxxxxxxxx
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1323349587
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    On one of the servers from the farm we get:
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: yyyyyyy
        Session-ID-ctx:
        Master-Key: xxxxxxxx
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1323349689
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    Is there any connection between our problem and these outputs?
    Does anyone have any idea how to solve this problem?
    Thanks in advance

    Hi Thanassis,
    TLS renegotiation was disabled in all Cisco devices due to a vulnerability of the protocol. Check
    http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml for more details.
    Since the renegotiation was disabled for security reasons, there is no way to enable it back, so you should rather be looking for a way to force your browsers not to require this option to be enabled. I would suggest you contact the Opera support team.
    Regards
    Daniel
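    As an added illustration (not part of the thread), a small Python check that parses the two openssl s_client summaries posted above and reports where the VIP's TLS posture differs from the backend's; the sample texts are constructed excerpts of those outputs.

    ```python
    import re

    # Constructed excerpts of the two s_client outputs posted in the thread (VIP first, backend second).
    VIP_OUTPUT = """\
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
        Verify return code: 21 (unable to verify the first certificate)
    """

    SERVER_OUTPUT = """\
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
        Verify return code: 0 (ok)
    """

    def parse_s_client(text):
        """Pull the handshake facts the thread compares out of s_client output."""
        cipher = re.search(r"Cipher is (\S+)", text)
        bits = re.search(r"Server public key is (\d+) bit", text)
        reneg = re.search(r"Secure Renegotiation IS (NOT )?supported", text)
        verify = re.search(r"Verify return code: (\d+)", text)
        return {
            "cipher": cipher.group(1) if cipher else None,
            "key_bits": int(bits.group(1)) if bits else None,
            # True when RFC 5746 secure renegotiation is advertised, False when "IS NOT"
            "secure_reneg": (reneg.group(1) is None) if reneg else None,
            "verify_code": int(verify.group(1)) if verify else None,
        }

    def compare_vip_to_backend(vip_text, backend_text):
        """Return (tag, detail) findings where the VIP differs from, or is weaker than, the server."""
        vip, srv = parse_s_client(vip_text), parse_s_client(backend_text)
        findings = []
        if vip["secure_reneg"] is False:
            findings.append(("no-secure-reneg", "VIP does not advertise RFC 5746 secure renegotiation "
                             f"(backend advertises it: {srv['secure_reneg']}); strict clients will refuse"))
        if vip["cipher"] != srv["cipher"]:
            findings.append(("cipher-mismatch", f"VIP negotiates {vip['cipher']}, backend {srv['cipher']}"))
        if vip["verify_code"] and not srv["verify_code"]:
            findings.append(("vip-chain-unverified", f"VIP chain failed verification (code {vip['verify_code']}) "
                             "while the backend chain verified; check the intermediate CA in the VIP's chain"))
        if vip["key_bits"] and vip["key_bits"] < 2048:
            findings.append(("weak-key", f"VIP certificate key is only {vip['key_bits']} bits"))
        return findings
    ```
    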

  • ACE load balancing servers on different subnets...

    Hello,
    I have the following issue.... I need to load balance traffic between two servers already working in two different subnets (vlans); at this point it is highly desirable to avoid changing IP addresses. Is it possible to accomplish this goal using ACE? Routed or bridged mode? Is it strictly necessary to have all servers belonging to a serverfarm in the same subnet?
    Thanks in advance for your support.

    Hi,
    You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.
    The following extract from a configuration shows the basic principle:
    rserver host master
      ip address 10.199.95.2
      inservice
    rserver host slave
      ip address 10.199.38.68
      inservice
    serverfarm host FARM-web2-Master
      description Serverfarm Master
      probe PROBE-web2
      rserver master
        inservice
    serverfarm host FARM-web2-Slave
      description Serverfarm Slave
      probe PROBE-web2
      rserver slave
        inservice
    class-map match-any L4VIPCLASS
      2 match virtual-address 10.199.80.12 tcp eq www
      3 match virtual-address 10.199.80.12 tcp eq https
    policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match LB-POLICY
      class class-default
        serverfarm FARM-web2-Master backup FARM-web2-Slave
    policy-map multi-match L4POLICY
      class L4VIPCLASS
        loadbalance vip inservice
        loadbalance policy LB-POLICY
        loadbalance vip icmp-reply active
        loadbalance vip advertise
        nat dynamic 1 vlan 384
    service-policy input L4POLICY
    interface vlan 383
      description ACE-web2-Clientside
      ip address 10.199.80.13 255.255.255.248
      alias 10.199.80.12 255.255.255.248
      peer ip address 10.199.80.14 255.255.255.248
      access-group input ACL-IN
      access-group output PERMIT-ALL
      no shutdown
    interface vlan 384
      description ACE-web2-Serverside
      ip address 10.199.80.18 255.255.255.240
      alias 10.199.80.17 255.255.255.240
      peer ip address 10.199.80.19 255.255.255.240
      access-group input PERMIT-ALL
      access-group output PERMIT-ALL
      nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.199.80.9
    ip route 10.199.95.2 255.255.255.255 10.199.80.21
    ip route 10.199.38.68 255.255.255.255 10.199.80.21
    HTH
    Cathy
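    As an added illustration (not part of the reply), a Python sanity check of the principle Cathy describes: an rserver outside the ACE's connected subnets needs both a host route and client NAT in the VIP policy, or its return traffic never passes back through the ACE. The embedded configuration is a constructed excerpt of the one above.

    ```python
    import ipaddress

    # Constructed excerpt of the reply's configuration (addresses as posted; hypothetical network).
    ACE_CONFIG = """\
    rserver host master
      ip address 10.199.95.2
    rserver host slave
      ip address 10.199.38.68
    policy-map multi-match L4POLICY
      class L4VIPCLASS
        nat dynamic 1 vlan 384
    interface vlan 384
      ip address 10.199.80.18 255.255.255.240
    ip route 0.0.0.0 0.0.0.0 10.199.80.9
    ip route 10.199.95.2 255.255.255.255 10.199.80.21
    ip route 10.199.38.68 255.255.255.255 10.199.80.21
    """

    def parse_ace(config):
        """Collect rserver IPs, connected interface subnets, static routes and NAT VLANs."""
        rservers, subnets, routes, nat_vlans, current = {}, {}, set(), set(), None
        for raw in config.splitlines():
            tok = raw.split()
            if tok[:2] == ["rserver", "host"]:
                current = ("rserver", tok[2])
            elif tok[:2] == ["interface", "vlan"]:
                current = ("vlan", tok[2])
            elif tok[:2] == ["ip", "route"]:
                routes.add(ipaddress.ip_network(f"{tok[2]}/{tok[3]}"))
            elif tok[:2] == ["ip", "address"] and current and current[0] == "rserver":
                rservers[current[1]] = ipaddress.ip_address(tok[2])
            elif tok[:2] == ["ip", "address"] and current and current[0] == "vlan":
                subnets[current[1]] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            elif tok[:2] == ["nat", "dynamic"]:
                nat_vlans.add(tok[4])
        return rservers, subnets, routes, nat_vlans

    def check_return_path(config):
        """Flag rservers outside the connected subnets that lack a host route or
        client NAT; either gap lets the server's replies bypass the ACE."""
        rservers, subnets, routes, nat_vlans = parse_ace(config)
        problems = []
        for name, ip in rservers.items():
            if any(ip in net for net in subnets.values()):
                continue  # directly connected server: no extra steering needed
            if ipaddress.ip_network(f"{ip}/32") not in routes:
                problems.append(f"{name}: no host route for {ip}")
            if not nat_vlans:
                problems.append(f"{name}: off-subnet but no 'nat dynamic' in the VIP policy")
        return problems

    if __name__ == "__main__":
        print(check_return_path(ACE_CONFIG) or "ok: every off-subnet server is routed and NATed")
    ```
    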
