ACE: load balancing servers using DMZ ports on FWSM
devices; (2 core with the ff config)
6500
fwsm
idsm
msfc
SETUP;
Servers are connected to the dmzs on the core
REQUIREMENT;
to load balance the servers
QUESTION;
Using the ACE module, is it possibe to load balance the servers which are connected to the port which is configured as DMZ?
Thanks
does not matter where the servers are connected.
However, be aware that the flows from client to server needs to go through the loadbalancer BUT also the flows server to client.
So, you should be careful where you attach the ACE module.
The easier would be to attach to the DMZ as well between the FW and the servers.
Gilles.
Similar Messages
-
ACE load balancing servers on different subnets...
Hello,
I have the following issue.... need to load balance traffic between two servers already working in two different subnets (vlans), at this point is highly desirable to avoid changing IP addresses. Is it possible to accomplish this goal using ACE? routed or bridged mode? is it strictly necessary to have all servers belonging to a serverfarm in the same subnet?
Thanks in advanced for your support.Hi,
You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.
The following extract from a configuration shows the basic principle:
rserver host master
ip address 10.199.95.2
inservice
rserver host slave
ip address 10.199.38.68
inservice
serverfarm host FARM-web2-Master
description Serverfarm Master
probe PROBE-web2
rserver master
inservice
serverfarm host FARM-web2-Slave
description Serverfarm Slave
probe PROBE-web2
rserver slave
inservice
class-map match-any L4VIPCLASS
2 match virtual-address 10.199.80.12 tcp eq www
3 match virtual-address 10.199.80.12 tcp eq https
policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
class REMOTE-ACCESS
permit
policy-map type loadbalance first-match LB-POLICY
class class-default
serverfarm FARM-web2-Master backup FARM-web2-Slave
policy-map multi-match L4POLICY
class L4VIPCLASS
loadbalance vip inservice
loadbalance policy LB-POLICY
loadbalance vip icmp-reply active
loadbalance vip advertise
nat dynamic 1 vlan 384
service-policy input L4POLICY
interface vlan 383
description ACE-web2-Clientside
ip address 10.199.80.13 255.255.255.248
alias 10.199.80.12 255.255.255.248
peer ip address 10.199.80.14 255.255.255.248
access-group input ACL-IN
access-group output PERMIT-ALL
no shutdown
interface vlan 384
description ACE-web2-Serverside
ip address 10.199.80.18 255.255.255.240
alias 10.199.80.17 255.255.255.240
peer ip address 10.199.80.19 255.255.255.240
access-group input PERMIT-ALL
access-group output PERMIT-ALL
nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
HTH
Cathy -
Is it possible to use UCS Blade Servers in ACE Load Balancing
Hi all ,
Is it possible to use UCS Blade Servers in ACE Load Balancing ?? Please note that UCS Blade Servers are not connected directly to 6500 Switch where ACE Module installed .i am expecting a good suggestion from whether ACE or Switching Expert
Thanks in advance
SanjeeviThere is nothing that would prevent you from loadbalancing the applications that run on UCS servers. ACE can loadbalance applications that are directly L2 attached (bridged or routed mode) or even servers that are multiple hops L3 hops away using one-armed mode with source nat. The key to this is that the return traffic from the server needs to make it back to the ACE.
-
ACE load balancing and testing using soapUI
Hey, I am trying to crowd source a solution for this problem.
A client is testing using soapUI to an application that is being load balanced via ACE. There are two webservers behind the VIP servicing the client request. When client tests, requests are timing out per the soapUI log. A packet capture was taken and it clearly shows that ACE is not forwarding the HTTP data back to the client. When client tests by bypassing the ACE load balancer, it works fine. But, there are other clients from other applications that are making successful connection to the load balanced application via the VIP.
Question, is there any thing unique with making HTTP/XML based requests using soapUI? LB configuration is shown below:
class-map match-all EAI_PWS_9083
2 match virtual-address 10.5.68.29 tcp eq 9083
serverfarm host EAI_PWS_9083
description WebSphere Porduction
failaction purge
probe tcp9083
rserver ESSWSPAPP01 9083
inservice
rserver ESSWSPAPP02 9083
inservice
policy-map type loadbalance first-match L7_POLICY_EAI_PWS_9083
class class-default
serverfarm EAI_PWS_9083
policy-map multi-match L4SLBPOLICY
class EAI_PWS_9083
loadbalance vip inservice
loadbalance policy L7_POLICY_EAI_PWS_9083
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAM
parameter-map type http CASE_PARAM
case-insensitiveHi,
Your configuration looks fine. I am not familiar with soapUI but if it is like a normal TCP connection followed by HTTP requests, i don't see why this shouldn't work.
Do you know if there is a difference while using soapUI and normal request using browser?
Regards,
Kanwal -
With Ajay Kumar and Telmo Pereira
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco expert Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module: Helps ensure business continuity by increasing application availability Improves business productivity by accelerating application and server performance Reduces data center power, space, and cooling needs through a virtualized architecture Helps lower operational costs associated with application provisioning and scaling
Ajay Kumar is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications.
Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP
Remember to use the rating system to let Ajay know if you have received an adequate response.
Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.Hello Krzysztof,
Another set of good/interesting questions posted. Thanks!
I will try to clarify your doubts.
In the output below both resources (proxy-connections and ssl-connections rate) are configured with a min percentage of resources (column Min), while 'Max' is set to equal to the min.
ACE/Context# show resource usage
Allocation
Resource Current Peak Min Max Denied
-- outputs omitted for brevity --
proxy-connections 0 16358 16358 16358 17872
ssl-connections rate 0 626 626 626 23204
Most columns are self explanatory, 'Current' is current usage, 'Peak' is the maximum value reached, and the most important counter to monitor 'Denied' represents the amount of packets denied/dropped due to exceeding the configured limits.
On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource.
For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
This might sound a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, specially if you have business critical contexts.
We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE should in theory silently drop (No RST is sent back to the client). So unless we changed something on the code, this is what you should see.
To give more context, seeing resets with SSL connections is not necessarily synonym of drops. As it is usual to see them during normal transactions.
For instance Microsoft servers are usually ungracefully terminating SSL connections with RESET. Also when there is renegotiation during an SSL transaction you may see RESETS, but this will pass unnoticed for end users.
2) ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Exisiting connections will continue there.
As ACE doesn't respond back, client would simply retransmit, and if he is lucky maybe in the next attempt he will be able to establish the connection.
To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
3) If a new connection comes in with a sticky value, that matches the sticky entry of a real server, which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
I hope this makes things clearer! Uff...
Regards,
Telmo -
LOAD BALANCE (CSS) and Portal Port Number based on Instance Number
Hi,
My doubt is about LOAD BALANCE (CSS) and Portal Port Number based on Instance Number.
I have to install 3 servers machines and 2 servers databases cluster. There will be a HIGH AVAILABILITY environment. There will be a MIGRATION and UPGRADE.
Today there are 2 servers machines in Windows NLB. Today my production Portal is 6 6.20.
Once, I did something for LABORATORY TEST. Migration (6 6.40) and Upgrade (7.0)in two other machines. But they were with Windows NLB. When I did the installation, for each server machine and during the instalation I had to give one Instance Number for each and in result there was a different Port Number for each.
But I accessed both machines throught a virtual url(dns) with a specific port number. And it works!
NOW, with a HARDWARE LOAD BALANCE _ CSS I don't know how to do.
A guy who works with it tell us that couldn't redirect one Port Number for different port numbers. He couldn't configure the CSS like this.
My question is: Is he write? And if he is, there is a way to give the same instance number for my 3 new Portal servers machines? Example: 5(02)00.
Could you understand?
I need help.
Regards,
cheers,
NiviaNivia,
I have used F5 for load balancing, I am sure you can do the same with CSS. Yes, you can configure a virtual IP on the load balancer with standard ports (80 or 443) and load balancing the traffic to multiple servers with different ports. You can have different ports for each instance.
-Regards
RK -
Hi ,
If we have a specific server say 10.10.10.10 (abc.co.in) on which we are working, Then under RZ12 we make the following entry as :
LOGON GROUP INSTANCE
parallel_generators abc.co.in_10 ( Lets assume : The instance number is 10 )
Now in SM59 under ABAP Connections , I am giving the following technical settings:
TARGET HOST abc.co.in
IP address 10.10.10.10
Instance number 10
Now if we have a scenario of load balancing servers with following server details (with all servers on different instance numbers ) :
10.10.10.11
10.10.10.13
10.1010.10
10.10.10.15
In this case how can we make the RZ12 settings and SM59 settings such that we don't have to hardcode any IP Address.
If the request is redirected to 10.10.10.11 and not to 10.10.10.10 , in that case how will the settings be.
Regards,
SHUBHAMHi,
No one using FMS behind a load balancer? No one using RTMPT? -
Load Balancing across Multiple DMZ's
Can you split one Css11503 across two separate DMZ's securely. I have a group of server that are currently being load balanced in one DMZ I now have a requirement to Load balance another set of server in another DMZ is it possible spilt the CSS across two DMZ's and still maintain a high level of Security
You need a separate CSS for each interface of the firewall.
If you use the same CSS for 2 DMZ, traffic inter DMZ will be routed by CSS and will bypass the firewall.
Gilles. -
Ace load balancing, inservice/no inservice serverfarms
I've started working with an ACE load balancer and came across something that just didn't add up to me. I can pull and put servers in and out of rotation without a problem however when working with a serverfarm or a group of servers I have to pull each one individually and can't find a way to remove say the entire serverfarm via one command. Does anyone know of a way to put a serverfarm 'inservice' or set it to 'no inservice' that would make it easier for large groups of servers needing to be adjusted.
Sorry if this isn't the write forum for this kind of question. Please feel free to move it if needed.Hello Chris,
There is no toggle to set every rserver under a serverfarm out of service. You can only take a single rserver out of service at a global level, or under a serverfarm inividually.
One thing to think about - bringing down all of the servers would be the same as removing the serverfarm from under the policy map type loadbalance since it would effectively bring the vip down.
Regards,
Chris Higgins -
Cluster/load balance weblogic using L4 switch like Alteon
Can I install weblogic as a standalone server on 2 or more server and
cluster/load balance weblogic using a hardware balancer like Alteon Layer4
switch (of course I will use a centralised storage to maintain a single copy
of data which will eliminate syncronizing problem among servers)?
BTW, Alteon can support persistent binding. The reason to use a Layer 4
switch is that it is very fast, and this will make the application server
layer transparent to client, the client can think this is a single server
(it don't need to know whether there are 5 weblogic servers or 20 weblogic
servers behind switch), and hardware are more reliable, sacalable and fast.
I am not sure whether the normal weblogic clustered servers need to
share/exchange info on the running memory, if it does, this approach will
fail.
So My understanding is:
Alteon with WL 6.0 can do load balancing for:
entity bean
stateless session bean
but can't do load balancing for:
stateful session bean (will persistent/sticky binding solve part of the
problem except fail-over)
in-memory replication
am I right?
Pao Wan
"Don Ferguson" <[email protected]> wrote in message
news:[email protected]...
> It is possible to configure Alteon to understand the WebLogic 6.0 cookie
format
> and have a proxy-less cluster configuration that performs load balancing
and
> fail over of session state.
>
> It is also possible to configure Alteon's hardware-based SSL decryption
for really
> fast HTTPS processing.
>
> We are working on a white paper that describes how to configure Alteon for
use
> with WebLogic Server 6.0.
>
> -Don
>
>
> Robert Patrick wrote:
>
> > Cameron,
> >
> > I believe that BEA tested their new proxy-less web clustering solution
with
> > load-balancing products from Alteon and several other vendors
(Arrowpoint ?--
> > which is now Cisco). However, it was my understanding that these
products do
> > not understand how to decrypt our cookies and extract IP addresses but
rather
> > these products are capable of doing sticky load balancing based on the
Session
> > ID contained in our cookie.
> >
> > If this is correct, then what this means is that when the primary server
fails,
> > the request will be routed to "some other server" in the cluster but not
> > necessarily the one that holds the secondary copy of the user's session.
The
> > change in WLS 6.0 is that WLS will accept these misdirected requests and
it will
> > go out to the correct server and "migrate" the session to the server
that
> > received the request making that server the new primary (and
regenerating the
> > Session ID).
> >
> > I am sure if this is wrong that our product manager or one of our
engineers will
> > correct me (please?)...
> >
> > Hope this helps,
> > Robert
> >
> > Cameron Purdy wrote:
> >
> > > Hi Robert,
> > >
> > > FWIW - There are several vendors (Primeon? Arrowpoint?) who claim to
> > > understand WL cookies and parse the IPs out. (I haven't verified it
myself
> > > though.)
> > >
> > > --
> > > Cameron Purdy
> > > Tangosol, Inc.
> > > http://www.tangosol.com
> > > +1.617.623.5782
> > > WebLogic Consulting Available
> > >
> > > "Robert Patrick" <[email protected]> wrote in message
> > > news:[email protected]...
> > > > There are not any hardware vendors (yet) that can understand
WebLogic's
> > > session
> > > > ID. While you might be able to use the load balancer without the
proxy on
> > > 5.1,
> > > > you would not be able to take advantage of in-memory replication
failover
> > > unless
> > > > you only had two machines in the cluster. Like you said, everything
will
> > > work
> > > > with 6.0 regardless of how the load balancer works (though you
really,
> > > really
> > > > want to minimize the number of times the requests come into the
wrong
> > > server by
> > > > utilizing sticky load balancing).
> > > >
> > > > Hope this helps,
> > > > Robert
> > > >
> > > > Cameron Purdy wrote:
> > > >
> > > > > Rajesh,
> > > > >
> > > > > I meant that it would work in lieu of a proxy (such as Apache or
NES)
> > > with
> > > > > 5.1, but only if both the hw load balancer and WL were set up to
use
> > > > > cookies. Some hw load balancers rely on IP and that doesn't
work -- AOL
> > > > > connections for example can change the source IP on the fly.
Others
> > > produce
> > > > > their own cookies, that will work. Some even can use WL cookies
and
> > > parse
> > > > > them to determine where to go. According to what I've read, with
6.0 if
> > > the
> > > > > WL primary dies or for some other reason the request shows up at
the
> > > "wrong"
> > > > > server, it will be handled correctly. That means you are pretty
safe
> > > with
> > > > > hw load balancers and 6.0, almost regardless of the sticky
> > > implementation
> > > > > that they use.
> > > > >
> > > > > --
> > > > > Cameron Purdy
> > > > > Tangosol, Inc.
> > > > > http://www.tangosol.com
> > > > > +1.617.623.5782
> > > > > WebLogic Consulting Available
> > > > >
> > > > > "Rajesh" <[email protected]> wrote in message
> > > > > news:[email protected]...
> > > > > >
> > > > > > Hi Cameron,
> > > > > > Can you elaborate on how it would work with WL5.1 since no in
memory
> > > > > replication
> > > > > > would happen if the servers are standalone.
> > > > > >
> > > > > > "Cameron Purdy" <[email protected]> wrote:
> > > > > > >Yes, this will work fine with WL6. (WL5.1 will work fine as
long as
> > > > > cookies
> > > > > > >are used by the load balancer.)
> > > > > > >
> > > > > > >--
> > > > > > >Cameron Purdy
> > > > > > >Tangosol, Inc.
> > > > > > >http://www.tangosol.com
> > > > > > >+1.617.623.5782
> > > > > > >WebLogic Consulting Available
> > > > > > >
> > > > > > >
> > > > > > >"paowan" <[email protected]> wrote in message
> > > > > > >news:[email protected]...
> > > > > > >> Can I install weblogic as a standalone server on 2 or more
server
> > > and
> > > > > > >> cluster/load balance weblogic using a hardware balancer like
Alteon
> > > > > Layer4
> > > > > > >> switch (of course I will use a centralised storage to
maintain a
> > > single
> > > > > > >copy
> > > > > > >> of data which will eliminate syncronizing problem among
servers)?
> > > > > > >>
> > > > > > >> BTW, Alteon can support persistent binding. The reason to use
a
> > > Layer
> > > > > > >4
> > > > > > >> switch is that it is very fast, and this will make the
application
> > > > > server
> > > > > > >> layer transparent to client, the client can think this is a
single
> > > > > server
> > > > > > >> (it don't need to know whether there are 5 weblogic servers
or 20
> > > > > weblogic
> > > > > > >> servers behind switch), and hardware are more reliable,
sacalable
> > > and
> > > > > > >fast.
> > > > > > >>
> > > > > > >> I am not sure whether the normal weblogic clustered servers
need to
> > > > > > >> share/exchange info on the running memory, if it does, this
> > > approach
> > > > > will
> > > > > > >> fail.
> > > > > > >>
> > > > > > >>
> > > > > > >
> > > > > > >
> > > > > >
> > > >
>
-
Need help with ACE Load Balancing Base on URL pattern
This is the first time for me trying to configure something like this on the ACE load balancer. I need help configuring a load balancing policy base on URL pattern. URL https://ineedhelp.com base on /willuhelpme and /imlost
Key: ineedhelp_key
cert: ineedhelp_cert
serverfarmA
serverA 10.1.1.1 443
serverfarmB
serverB 10.1.1.2 443
ineedhelp.com/willuhelpme-------serverfarmA
ineedhelp.ocm/imlost---------------serverfarmBThis is the first time for me trying to configure something like this on the ACE load balancer. I need help configuring a load balancing policy base on URL pattern. URL https://ineedhelp.com base on /willuhelpme and /imlost
Key: ineedhelp_key
cert: ineedhelp_cert
serverfarmA
serverA 10.1.1.1 443
serverfarmB
serverB 10.1.1.2 443
ineedhelp.com/willuhelpme-------serverfarmA
ineedhelp.ocm/imlost---------------serverfarmB -
Can the ACE load balance SMB?
Server 1 DNS is msserver1
Server 2 DNS is msserver2
VIP DNS is msserver
Can the ACE replace the server name (or IP address) in a tree connect query with the actual real server name that is chosen for the request?Hi , If I understood you correctly and you're looking for intelligent way to loadbalance NetBios/Samba - I'm afraid there is no such functionality on ACE, we can only do simple L4 loadbalancing for such sessions and can't change anything.
-
Hi,
I have ACE 4701 with c4710ace-mz.A3_2_2.bin image. In the current setup ACE is located in the center of network where all the WAN, Intenret and LAN is connected and ACE has default towards Internet and All other segment has default route towards ACE appliance. ACe is only redirecting the port 80 traffic to my Proxy server and bypass my lan subnet on port 80.
Internet
i
i
i
i
i
ACE--------------------------------WAN
i
i
i
i
LAN
I want to use ACE for the load balancing of two servers. Today I did the load balancing configuration but as soon as I applied the policy map on the interface vlan 200 and 300, my complete network reachability went down. When I remove the policy my network came back to normal.
192.168.200.66 FAX Server-1
192.1168.200.67 FAX Server-2
192.168.200.65 Virtual IP address
Attached is the configuration that I did on ACE for the load balancing and below is the current configuration of the ACE appliance.
access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
access-list acl-in line 1 extended permit ip any any
access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
access-list acl-out line 1 extended permit ip any any
access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
access-list acl-proxy line 1 extended permit ip any any
access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
access-list acl-wan line 1 extended permit ip any any
probe tcp PROBE_5050
port 5050
interval 15
passdetect interval 60
open 1
probe tcp PROBE_5101
port 5101
interval 15
passdetect interval 60
open 1
probe tcp PROBE_TCP
port 80
interval 15
passdetect interval 60
open 1
parameter-map type http PARAMAP_CASE
case-insensitive
no persistence-rebalance
rserver host RS_BCPR01
ip address 192.168.0.103
inservice
rserver host RS_BCPR02
ip address 192.168.0.104
inservice
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
serverfarm host SF_BCPR
transparent
probe PROBE_5050
probe PROBE_5101
probe PROBE_TCP
rserver RS_BCPR01
inservice
rserver RS_BCPR02
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
rserver RT_fax2
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
replicate sticky
serverfarm SF_BCPR
sticky ip-netmask 255.255.255.255 address source FAX-STICKY
replicate sticky
serverfarm SF_RT_fax
class-map type management match-any CM_ALL
2 match protocol snmp any
3 match protocol http any
4 match protocol https any
5 match protocol icmp any
6 match protocol telnet any
class-map match-any CM_BYPASS_FOR_LAN
3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_BYPASS_SUBNET
9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
14 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_IM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
class-map match-all CM_SF_BCPR
255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
class-map match-any RT_FAX
2 match virtual-address 192.168.200.65 0.0.0.0 any
policy-map type management first-match PM_ALL
class CM_ALL
permit
policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
class class-default
forward
policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
class class-default
forward
policy-map type loadbalance first-match PM_LB_RT_FAX
class class-default
sticky-serverfarm FAX-STICKY
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
class class-default
sticky-serverfarm STICKY-SOURCE
policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
class CM_BYPASS_FOR_LAN
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
policy-map multi-match PM_BYPASS_HTTP
class CM_BYPASS_SUBNET
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_HTTP
policy-map multi-match PM_MAIN_BCPROXY
class CM_SF_BCPR
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
loadbalance vip icmp-reply active
appl-parameter http advanced-options PARAMAP_CASE
class CM_IM
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
service-policy input PM_ALL
interface vlan 100
description FW-INSIDE CONTEXT RACK1
ip address 192.168.0.5 255.255.255.224
alias 192.168.0.11 255.255.255.224
peer ip address 192.168.0.6 255.255.255.224
mac-address autogenerate
no icmp-guard
access-group input acl-out
no shutdown
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 301
description BC-VLAN CONTEXT RACK1
ip address 192.168.0.97 255.255.255.224
alias 192.168.0.107 255.255.255.224
peer ip address 192.168.0.98 255.255.255.224
mac-address autogenerate
access-group input acl-proxy
no shutdown
ft track interface TRACKING_FOR_FT_VLAN
track-interface vlan 300
peer track-interface vlan 300
priority 255
peer priority 255
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Please help me out what i am missing. Is there any limitation on policy map or my bypass subnet list is creating problem.I did these changes this time nothing disconnected but I am not able to do the Remote desktop on the virtual IP address. Real IP has Remote desktop enabled even VIP is not ping able for me.
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
inservice
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
inservice
rserver RT_fax2
inservice
policy-map type loadbalance rdp first-match PM_LB_RT_FAX
class class-default
serverfarm SF_RT_fax
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
loadbalance vip icmp-reply active
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
no shutdown
But nothing is working for me. Please help me out. This time i didnt configure the sticky. But in real I will go with sticky and complete IP protocol will be use a VIP. Please help me out. -
Cisco ace Load balancer not maintaining session persistence
Hi All,
We have observed from the IIS logs on the internal webservers that loadbalancer is not maintaining session persistence for two specific request for the internal servers.
https://123.xyz.com/Webresource.axd
https://123.xyz.com/ScriptResource.axd
Error
Webresource.axd : 500
Scriptresource.axd: 404
Session persistence is maintained for all other requests hitting loadbalancer.
Issue is observerd on hits for these two specified components. WebResource.axd and ScriptResource.axd are Http Handlers used by ASP.NET and Ajax to add client-side scripting to the outgoing web page.
For e.g /WebResource.axd d=t2GXfySdqWmJ-lZSI0KVbw2&t=634868473645172160 is valid for server 1 and return 200 response but the same request is seen on few other servers where the response is 404 even though load balancer cookie is same. This means that if the request for the both the axd contains a valid decrypter and it connects to the right server then the response seen is 200.
The url passed by the user contains d and t parameters when are unique for each user session.
Solution tried:
Accessed website via another VIP without http redirect rule but could not see difference.
Tried to match machine key across all servers : Failed . Could see the ‘d’ value different for each server.
Load balancer VIP :
x.x.x.x
redirect: http > https
SSL Offload : ON
Poool:
WEB1
WEB2
WEB3
WEB4
WEB5
All servers listening on port 80
sticky config:
sticky ihttp-cookie cookie1 vip-1.1.1.1-80-stickyfarm
cookie insert browser-expire
replicate sticky
serverfarm vip-1.1.1.1_80
sticky http-cookie cookie1 vip-farm:1.1.1.1:443
cookie insert browser-expire
replicate sticky
serverfarm farm:1.1.1.1:443
Has anyone else come across similar issue?
Can you plese check if there is any config on cisco ace that will ensure that session persistence is maintained for these 2 requests.
Thank you for all the help.
regards,
SangramHello Sangram,
We would need simultanous packet traces before and after the ACE to get to the root cause of this issue so I would recommend that you open a cisco tac case for more in depth troubleshooing of this issue.
Joel Lamousnery
CCIE R&S - 36768
Engineer, Customer Support
Technical Services -
ACE Load Balancing Configuration For NATed User Traffic
Hello,
I am currently working on a requirement where the shared application services will be hosted in DC and these services will be accessed by multiple (thousands) users from different corporates/customers. The user traffic will be hidden behind customer's proxy servers or firewalls so the load balancer (ACE modules) services hosted in DC will not be able to see requests coming in from induvidual users IP addresses.
In this scenario what are options of load balancing are available in Lyer3/4 and Layer7 ?
Thanks in advance for your help.
SanjayHi Sanjay,
In a set up where all users are coming from behind a proxy, all users will be loadbalanced to same server thus overloading it. This is when you are doing standard L3/L4 LB.
In the situation of proxies, for HTTP applications you shall use L7 LB and use information(cookie) in HTTP client request or server response. The ace will use this information to stick the user to same server for persistence. If a client comes with no cookie it will be loadbalanced according to the predictor method configured. Below is the link for L7 configuration example and other TS steps you can take while configuring L7 policies on ACE. For more informatin i would suggest reading ACE user guide too.
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_-_Troubleshooting_Layer_7_Load_Balancing
If you have any questions please feel free to ask.
Regards,
Kanwal
Maybe you are looking for
-
Signal booster for cell service
Seeing if anyone has any suggestions on this one. We have iphones. We WERE on ATT, which has horrible service where we are. So we purcahsed a Micro Cell tower when we had ATT numbers. But then we decided to go to another service, except this serv
-
SCN number difference in primary and standby databases
Hi All, Is it possible that primary database SCN is 20 and standby database SCN is 22 ? If yes , how it works ? Thankyou !
-
This is sort of a curious one. I have to keep CS4 installed to edit Camtasia files as their codec is a 32 bit no-go with 64 bit CS5... Oddly, when I double-click any PPro project (most were created in CS5), they will launch CS4, not CS5. When i go
-
Changing color from Swatch to Spot color
Hello, I have almsot figured this out but have on hangup. I am trying to replace a color with another color from a Pantone library. I am using Illustrator CS6. I have this script which I found on here: #target illustrator var docRef = app.activeDocu
-
I have a windows 7 system and use Adobe Reader XI, 11.0.05 All my excel spreadsheet files have converted to Adobe files and I cannot access my excel spreadsheets. I uninstalled Adobe and reinstalled the version all over, and I also downloaded a sec