ACE Routing Load-Balance problem
I'm trying to configure routing load balancing with a Cisco ACE Module based on the following scenario:
Local users have a router (R1) as their default gateway; this router (R1) has a default route to the VIP that represents the serverfarm with two Linux servers that should be used for data shaping over the WAN. I need to balance the traffic over the two Linux servers, not necessarily over the WAN.
The problem is that when I set up the local network router's default route to the VIP, routing simply stops working! If I change the route to the real server IP address, everything starts working again without any problem.
Here are the configs:
Local network Router - Static route
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here are the ACE configs:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
access-list 100 line 8 extended permit ip any any
rserver host rout001
ip address 10.0.0.32
inservice
rserver host rout002
ip address 10.0.0.31
inservice
serverfarm host BLC_ROUTING
predictor leastconns
rserver rout001
inservice
rserver rout002
inservice
class-map match-any VIP
2 match virtual-address 10.0.0.1 any
class-map type management match-any mgmt
2 match protocol icmp any
3 match protocol telnet any
4 match protocol ssh any
policy-map type management first-match access
class mgmt
permit
policy-map type loadbalance first-match INT_router
class class-default
serverfarm BLC_ROUTING
policy-map multi-match VIP
class VIP
loadbalance vip inservice
loadbalance policy INT_router
loadbalance vip icmp-reply
interface vlan 6
bridge-group 10
access-group input 100
service-policy input access
service-policy input VIP
no shutdown
interface vlan 8
bridge-group 10
access-group input 100
service-policy input access
service-policy input VIP
no shutdown
interface bvi 10
ip address 10.0.0.5 255.255.255.0
no shutdown
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I tried changing some parameters, like "transparent" in the serverfarm config, and changing the "predictor" method to "hash address source", but there were no good results at all.
Does anyone have any idea why this is not working?
Is there any special configuration for this scenario?
Regards,
Ricardo
Ricardo,
What is this route?
ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
You can't have 0.0.0.0/24.
You must be missing something.
Also, since the vip is part of a vlan with subnet 10.0.0.0/24 you don't need to add a static route to reach that vip.
It should normally be directly connected to your router.
With the static route, do you see traffic coming to the ACE module ?
Does it loadbalance to the server ?
'show service-policy detail' check the packet counters
Gilles.
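The two things Gilles points at can be checked mechanically before touching the ACE at all. The following is an added example, not code from the thread: it parses IOS-style "ip route PREFIX MASK NEXTHOP" lines and flags a 0.0.0.0 prefix with a non-zero mask (a route for the 0.0.0.0/n block only, not a default route), a next hop that is not on a directly connected subnet, and a static route to a subnet the router already has connected. The connected subnet list and the extra sample lines are assumptions based on the 10.0.0.0/24 addresses in the post.

```python
import ipaddress

# Assumed: the only subnet R1 has directly connected is the 10.0.0.0/24 where
# the VIP (10.0.0.1), the ACE BVI (10.0.0.5) and the rservers live.
CONNECTED_SUBNETS = ["10.0.0.0/24"]


def check_static_route(line, connected_subnets=CONNECTED_SUBNETS):
    """Return a list of findings for one IOS 'ip route PREFIX MASK NEXTHOP' line.

    An empty list means the route passed every check implemented here.
    """
    findings = []
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["ip", "route"]:
        return [f"not an 'ip route' statement: {line!r}"]
    prefix, mask, next_hop = parts[2], parts[3], parts[4]

    # strict=True rejects a prefix that has host bits set under the given mask.
    try:
        dest = ipaddress.IPv4Network((prefix, mask), strict=True)
        hop = ipaddress.IPv4Address(next_hop)
    except ValueError as exc:
        return [f"malformed route {line!r}: {exc}"]

    # 0.0.0.0 with anything but a 0.0.0.0 mask covers the 0.0.0.0/n block
    # only; it is not a default route. This is the problem in the quoted line.
    if int(dest.network_address) == 0 and dest.prefixlen != 0:
        findings.append(
            f"{prefix} {mask} matches only {dest}, not everything; "
            "a default route needs mask 0.0.0.0")

    connected = [ipaddress.IPv4Network(s) for s in connected_subnets]

    # A LAN gateway's next hop is expected on a connected subnet; anything
    # else means the route depends on some other route to resolve.
    if not any(hop in subnet for subnet in connected):
        findings.append(f"next hop {hop} is not on any directly connected subnet")

    # A static route whose destination already is (or sits inside) a connected
    # subnet adds nothing: the connected route is preferred anyway.
    if any(dest.subnet_of(subnet) for subnet in connected):
        findings.append(f"{dest} is directly connected; the static route is redundant")

    return findings


def check_routes(lines, connected_subnets=CONNECTED_SUBNETS):
    """Map each route line to its findings, for a quick config review."""
    return {line: check_static_route(line, connected_subnets) for line in lines}


if __name__ == "__main__":
    # Constructed sample: the route from the post, a corrected default route,
    # and two further lines that trip the other checks.
    sample = [
        "ip route 0.0.0.0 255.255.255.0 10.0.0.1",
        "ip route 0.0.0.0 0.0.0.0 10.0.0.1",
        "ip route 0.0.0.0 0.0.0.0 192.0.2.1",
        "ip route 10.0.0.0 255.255.255.0 10.0.0.1",
    ]
    for route, problems in check_routes(sample).items():
        print(route, "->", problems or "OK")
```

The route-to-connected-subnet check is the one that matters for the VIP itself: R1 reaches 10.0.0.1 through its connected 10.0.0.0/24, so the only static route it needs for this design is a genuine 0.0.0.0 0.0.0.0 pointing at the VIP.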
Similar Messages
-
Hello,
I have a requirement to load balance between real servers on different subnets, but I need to preserve the original source IP address through the ACE. I know the ACE can do asymmetric server normalization, but that appears to require the servers to be on the same subnet. The traffic is just generic TCP and I don't want the ACE to take any action on the traffic other than to do basic balancing and allow me to direct all traffic to one server or the other for maintenance. Is there any way to accomplish routed load balancing that preserves the original source IP?
Hi B-Cunningham,
Very simple!
When you need the same user to be always sent to the same server, you need some sort of stickyness.
There are many different ways to achieve this.
Some predictor algorithms will by definition always select the same server for a given client. This is the case with the source IP hashing predictor.
But very often you will need to configure a sticky method in combination with your predictor algorithm.
Is the source IP hash predictor a sticky method?
Actually, this is not a sticky method. But since the hash algorithm always gives the same result for a given source IP address, it guarantees that a client using the same IP address will always be sent to the same server.
The advantage is that it does not require configuring a specific sticky method. It also works without the need for a sticky table, so it preserves resources.
But the hash function will have different results when you add or remove a server. Therefore, when your rserver list is modified, your clients might be sent to different servers, breaking stickiness.
Is sticky source IP a good solution?
Because of the changing hash results mentioned above, most people will prefer to use a standard predictor (roundrobin, leastconns, ...) and add a sticky source IP option.
The idea is to also use the source IP address to identify the client and select the corresponding server.
Unlike the hash method, the sticky source IP solution will need sticky resources to save the information necessary for ACE to remember which client uses which server.
The advantage of the sticky option is that the sticky table is not affected when the rserver list is modified.
Why not use sticky source IP?
Very often this solution is enough to guarantee stickiness.
But because a lot of clients do not have a static IP address, this method does not work.
There is also the problem of proxy servers hiding many clients behind a single IP address, resulting in rserver overload when using sticky source IP.
For HTTP the solution is to use information contained in the client HTTP request and server HTTP response.
An HTTP Cookie is an object used by a server to identify HTTP clients. A loadbalancer can therefore also use this information to map a client to a server.
One drawback of hash predictor is that the hash predictor methods do not recognize the weight value you configure for real servers. The ACE uses the weight that you assign to real servers only in the round-robin and least-connections predictor methods.
Here is the hash algorithm:
((_key) + (_key >> 8) + (_key >> 16) + (_key >> 24))
The _key in this case is the source IP address as an unsigned 32-bit number. You then do rserver_index = hash % number_of_rserver.
Session persistence (stickiness) based on client source IP address or HTTP cookies is recommended to be configured on the Cisco ACE for this flow.
IP Address Stickiness
You can use the source IP address, the destination IP address, or both to uniquely identify individual clients and their requests for stickiness purposes based on their IP netmask. However, if an enterprise or a service provider uses a megaproxy to establish client connections to the Internet, the source IP address no longer is a reliable indicator of the true source of the request. In this case, you can use cookies or one of the other sticky methods to ensure session persistence.
Here can be the sample configuration:
resource-class websrv
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 20.00 maximum equal-to-min
rserver host webserver1
ip address 10.10.10.1
inservice
rserver host webserver2
ip address 10.10.10.2
inservice
rserver host webserver3
ip address 10.10.10.3
inservice
serverfarm host werbsrv1only
probe websrv
rserver webserver1 1000
inservice
serverfarm host werbsrv123
probe websrv
rserver webserver1 1000
inservice
rserver webserver2 1000
inservice
rserver webserver3 1000
inservice
ACE receives requests to the VIP on port 80 and translates them to port 1000 using the server farm configuration shown above.
The link to the websrv home page is http://websrv:1000/index.html. A probe to this link is configured on ACE as follows:
probe http websrv
port 1000
interval 2
faildetect 2
passdetect interval 2
request method get url /index.html
expect status 200 200
Session persistence can be established by tying the session to an IP address, that uniquely identifies the client.
Create a sticky-group
sticky ip-netmask 255.255.255.255 address source Client_subnet_1
timeout 10
serverfarm werbsrv1only
Change the server farm to the sticky-group:
policy-map type loadbalance first-match basic-slb
class class-default
sticky-serverfarm werbsrv1only
sticky ip-netmask 255.255.255.255 address source Client_subnet_2
timeout 10
serverfarm werbsrv123
sticky ip-netmask 255.255.255.255 address source Client_subnet_3
timeout 10
serverfarm werbsrv123
Here you can find the details at the URL below:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html#wp1004411
I have also attached a jpeg for your reference.
Hope you will get the idea how to use the sticky based on IP address.
Here you can find a sample config of a similar type:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_white_paper0900aecd804edab0.html
HTH.
Please rate if you find it useful.
Thanks and regards,
Sachin Garg
Senior Specialist Security
HCL Comnet Ltd.
http://www.hclcomnet.co.in
A-10, Sector 3, Noida- 201301
INDIA
-
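To make the difference between the hash predictor and a sticky table concrete, here is an added example that is not part of the thread. It implements the hash formula quoted above (assuming the sum wraps at 32 bits, as an unsigned 32-bit value would), maps a constructed block of client addresses onto a rserver list, then adds a third rserver: the hash remaps a share of the clients, while a sticky source-IP table keyed on the masked client address keeps every existing client where it was. The StickyTable class, the round-robin helper and the 192.0.2.0/24 client addresses are illustrative models, not ACE internals.

```python
import ipaddress


def ace_hash(key):
    """The hash quoted above: key + key>>8 + key>>16 + key>>24.

    key is the source address as an unsigned 32-bit integer; the sum is
    truncated to 32 bits here (assumption: unsigned arithmetic wraps).
    """
    return (key + (key >> 8) + (key >> 16) + (key >> 24)) & 0xFFFFFFFF


def hash_predictor(client_ip, rservers):
    """'predictor hash address source': rserver_index = hash % number_of_rserver."""
    key = int(ipaddress.IPv4Address(client_ip))
    return rservers[ace_hash(key) % len(rservers)]


def round_robin_predictor():
    """A stateful round-robin predictor, the usual partner of a sticky group."""
    counter = {"next": 0}

    def pick(_client_ip, rservers):
        choice = rservers[counter["next"] % len(rservers)]
        counter["next"] += 1
        return choice

    return pick


class StickyTable:
    """Model of 'sticky ip-netmask MASK address source': the first decision
    per masked client address is remembered and reused while the entry exists.
    Illustrative only; timeouts and sticky resource limits are not modelled."""

    def __init__(self, rservers, predictor, netmask="255.255.255.255"):
        self.rservers = list(rservers)
        self.predictor = predictor
        self.netmask = int(ipaddress.IPv4Address(netmask))
        self.table = {}

    def _key(self, client_ip):
        masked = int(ipaddress.IPv4Address(client_ip)) & self.netmask
        return str(ipaddress.IPv4Address(masked))

    def select(self, client_ip):
        key = self._key(client_ip)
        chosen = self.table.get(key)
        if chosen is None or chosen not in self.rservers:
            chosen = self.predictor(key, self.rservers)
            self.table[key] = chosen
        return chosen

    def add_rserver(self, rserver):
        """Adding a server leaves the existing sticky entries untouched."""
        self.rservers.append(rserver)


def remap_fraction(clients, before, after):
    """Share of clients the hash predictor sends elsewhere once the rserver
    list changes from `before` to `after`."""
    moved = sum(1 for c in clients
                if hash_predictor(c, before) != hash_predictor(c, after))
    return moved / len(clients)


# Constructed sample data: 200 clients in a documentation range and the
# rserver addresses from the configuration above.
CLIENTS = [f"192.0.2.{i}" for i in range(1, 201)]
TWO = ["10.10.10.1", "10.10.10.2"]
THREE = TWO + ["10.10.10.3"]


def sticky_survives_change(clients=CLIENTS):
    """True if every client keeps its server after a third rserver is added."""
    table = StickyTable(TWO, round_robin_predictor())
    first = {c: table.select(c) for c in clients}
    table.add_rserver("10.10.10.3")
    return all(table.select(c) == first[c] for c in clients)


if __name__ == "__main__":
    print(f"hash predictor remapped {remap_fraction(CLIENTS, TWO, THREE):.0%} of clients")
    print("sticky table kept every client:", sticky_survives_change())
```

With the netmask argument set to 255.255.255.0 the table collapses a whole /24 onto one entry, which is the knob to watch when many clients sit behind one proxy or NAT range: it saves sticky resources but concentrates all of them on a single rserver.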
Using ACE to load balance HTTP/S traffic between client & proxy server using tcp 8080
Folks,
I have a scenario where ACE is in load balancing connections to a bunch of Websense servers in a one-armed topology. ACE presents a single VIP to web browser clients and each client's browser proxy configuration is populated with the VIP DNS name. Traffic then gets load balanced between the Websense servers. The problem arises due to Websense requiring the 'X-Forwarded-For' HTTP header in order to obtain the source IP of the client.
ACE inserts this header into the standard HTTP 'proxied' traffic but doing this for HTTPS traffic has required the configuration of the ACE SSL proxy client server.
So the problem I have is this:
How to configure ACE to load balance both HTTP & HTTPS applications using a single VIP and tcp port number ie tcp 8080
The ACE hardware being used is ACE20-MOD-K9 - MODULE
I have attempted to use a L7 class map to match all ciphers and attach this to a L7 Policy-Map but the documentation highlights the fact the 'match cipher' configuration is only available on the ACE appliance.
I believe I am on the correct track. The HTTPS traffic must be identified and used to match against PolicyA and HTTP traffic matched against PolicyB
I'm looking for ideas! I'm hopeful someone must have solved this problem previously!!
Regards,
Simon
Hi Simon,
The classification has to work on different ports. Whether the client types http or https doesn't matter to the client. The request will reach the VIP, which will classify the traffic based on port and protocol first, and then it can look into further detail to send the traffic to the appropriate serverfarm.
You can use:
class-map match-any xxxxx
2 match virtual-address x.x.x.x tcp any
and then you configure further classification on the basis of L7 like url, header etc.
But again, you will still need SSL termination on ACE.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
-
ACE to load balance Citrix servers
Hello,
Have anyone configured ACE Modules to load balance Citrix Servers (HTTP) ?
Any special considerations needed?
Many thanks,
Hi Javier,
There is a complete design guide available on the Cisco site.
Kindly go through the URL below for the complete config for ACE to load balance Citrix:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/citrixdg_final.html
You will also find other design guides there which can be very useful:
http://www.cisco.com/en/US/netsol/ns751/networking_solutions_design_guidances_list.html
Sachin Garg
-
Router can perform static route load balance
Dear All
I am not sure about a question. I need your idea and help. The question is whether a router can perform static route load balancing. I tested it. The result showed no. If you have any experience with it, could you share it with me? I also posted my result here. Thank you
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Normally they can, but you generally need different next hops. How did you "test"?
-
Hi,
I have an ACE 4701 with the c4710ace-mz.A3_2_2.bin image. In the current setup the ACE is located in the center of the network, where all the WAN, Internet and LAN are connected; the ACE has a default route towards the Internet and all other segments have a default route towards the ACE appliance. The ACE is only redirecting port 80 traffic to my proxy server and bypassing my LAN subnets on port 80.
Internet
i
i
i
i
i
ACE--------------------------------WAN
i
i
i
i
LAN
I want to use the ACE for load balancing of two servers. Today I did the load balancing configuration, but as soon as I applied the policy map on interface vlan 200 and 300, my complete network reachability went down. When I removed the policy, my network came back to normal.
192.168.200.66 FAX Server-1
192.168.200.67 FAX Server-2
192.168.200.65 Virtual IP address
Attached is the configuration that I did on the ACE for the load balancing, and below is the current configuration of the ACE appliance.
access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
access-list acl-in line 1 extended permit ip any any
access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
access-list acl-out line 1 extended permit ip any any
access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
access-list acl-proxy line 1 extended permit ip any any
access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
access-list acl-wan line 1 extended permit ip any any
probe tcp PROBE_5050
port 5050
interval 15
passdetect interval 60
open 1
probe tcp PROBE_5101
port 5101
interval 15
passdetect interval 60
open 1
probe tcp PROBE_TCP
port 80
interval 15
passdetect interval 60
open 1
parameter-map type http PARAMAP_CASE
case-insensitive
no persistence-rebalance
rserver host RS_BCPR01
ip address 192.168.0.103
inservice
rserver host RS_BCPR02
ip address 192.168.0.104
inservice
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
serverfarm host SF_BCPR
transparent
probe PROBE_5050
probe PROBE_5101
probe PROBE_TCP
rserver RS_BCPR01
inservice
rserver RS_BCPR02
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
rserver RT_fax2
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
replicate sticky
serverfarm SF_BCPR
sticky ip-netmask 255.255.255.255 address source FAX-STICKY
replicate sticky
serverfarm SF_RT_fax
class-map type management match-any CM_ALL
2 match protocol snmp any
3 match protocol http any
4 match protocol https any
5 match protocol icmp any
6 match protocol telnet any
class-map match-any CM_BYPASS_FOR_LAN
3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_BYPASS_SUBNET
9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
14 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_IM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
class-map match-all CM_SF_BCPR
255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
class-map match-any RT_FAX
2 match virtual-address 192.168.200.65 0.0.0.0 any
policy-map type management first-match PM_ALL
class CM_ALL
permit
policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
class class-default
forward
policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
class class-default
forward
policy-map type loadbalance first-match PM_LB_RT_FAX
class class-default
sticky-serverfarm FAX-STICKY
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
class class-default
sticky-serverfarm STICKY-SOURCE
policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
class CM_BYPASS_FOR_LAN
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
policy-map multi-match PM_BYPASS_HTTP
class CM_BYPASS_SUBNET
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_HTTP
policy-map multi-match PM_MAIN_BCPROXY
class CM_SF_BCPR
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
loadbalance vip icmp-reply active
appl-parameter http advanced-options PARAMAP_CASE
class CM_IM
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
service-policy input PM_ALL
interface vlan 100
description FW-INSIDE CONTEXT RACK1
ip address 192.168.0.5 255.255.255.224
alias 192.168.0.11 255.255.255.224
peer ip address 192.168.0.6 255.255.255.224
mac-address autogenerate
no icmp-guard
access-group input acl-out
no shutdown
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 301
description BC-VLAN CONTEXT RACK1
ip address 192.168.0.97 255.255.255.224
alias 192.168.0.107 255.255.255.224
peer ip address 192.168.0.98 255.255.255.224
mac-address autogenerate
access-group input acl-proxy
no shutdown
ft track interface TRACKING_FOR_FT_VLAN
track-interface vlan 300
peer track-interface vlan 300
priority 255
peer priority 255
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Please help me out with what I am missing. Is there any limitation on policy maps, or is my bypass subnet list creating the problem?
I did these changes; this time nothing disconnected, but I am not able to do Remote Desktop on the virtual IP address. The real IP has Remote Desktop enabled; even the VIP is not pingable for me.
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
inservice
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
inservice
rserver RT_fax2
inservice
policy-map type loadbalance rdp first-match PM_LB_RT_FAX
class class-default
serverfarm SF_RT_fax
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
loadbalance vip icmp-reply active
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
no shutdown
But nothing is working for me. Please help me out. This time I didn't configure the sticky. But in reality I will go with sticky, and the complete IP protocol will be used via the VIP. Please help me out.
-
Hi,
I am new to the ACE 4700. I have configured the ACE 4700 for load balancing the FAX servers. Probe, serverfarm, real server, virtual server, VIP state, everything is up and in service. But I am not able to access the real server using the VIP IP address.
Below is the running configuration. Please help me to troubleshoot the problem.
HOB-ACE-1/Admin# sh run
Generating configuration....
no ft auto-sync startup-config
boot system image:c4710ace-mz.A3_2_0.bin
hostname HOB-ACE-1
interface gigabitEthernet 1/1
description Man_HOB_1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
description VIP_HOB_1
switchport access vlan 24
no shutdown
interface gigabitEthernet 1/3
description HA_HOB_1
switchport access vlan 180
no shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
probe icmp ICMP_PROBE1
interval 15
faildetect 4
passdetect interval 60
passdetect count 5
receive 5
rserver host MFREFSAS497
description MAAFAXSERVER
ip address 10.16.12.148
conn-limit max 4000000 min 4000000
inservice
rserver host MSHOFCFS489
description HOBFAXSERVER
ip address 10.26.12.130
conn-limit max 4000000 min 4000000
inservice
serverfarm host SFHOBACE-1
description SFHOBACE-1
predictor hash header Accept
probe ICMP_PROBE1
rserver MFREFSAS497 80
conn-limit max 4000000 min 4000000
inservice
rserver MSHOFCFS489 80
conn-limit max 4000000 min 4000000
inservice
class-map match-all VSHOBACE-1
2 match virtual-address 10.26.24.242 any
class-map type management match-any remote_access
201 match protocol xml-https any
202 match protocol icmp any
203 match protocol telnet any
204 match protocol ssh any
205 match protocol http any
206 match protocol https any
207 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match VSHOBACE-1-l7slb
class class-default
serverfarm SFHOBACE-1
policy-map multi-match global
class VSHOBACE-1
loadbalance vip inservice
loadbalance policy VSHOBACE-1-l7slb
loadbalance vip icmp-reply
nat dynamic 1 vlan 24
nat dynamic 1 vlan 1000
service-policy input global
interface vlan 24
description "Client VLAN"
ip address 10.26.24.243 255.255.255.0
access-group input ALL
no shutdown
interface vlan 1000
ip address 10.26.12.132 255.255.255.0
peer ip address 10.26.12.133 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ft interface vlan 180
ip address 192.168.180.2 255.255.255.248
peer ip address 192.168.180.3 255.255.255.248
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 180
ft group 1
peer 1
priority 140
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 10.26.12.1
snmp-server contact "HOB_ACE"
snmp-server location "HOB"
snmp-server community FAXSERVER group Network-Monitor
snmp-server user administrator Network-Monitor
snmp-server trap-source vlan 1000
username admin password 5 $1$GtO1e504$eGuyxxDcXck7SkxqBfRkI. role Admin domain default-domain
username www password 5 $1$N5ClX7jy$kDhGgN.uukWQKvQMd3pY.1 role Admin domain default-domain
ssh key rsa 1024 force
Thanks and Regards,
Ashfaque
Hello Hossain,
Applying the policy globally on the box is commonly not the preferred way to go; you can instead use a single multi-match policy per SVI for easier management. This will also help to narrow down problems to a specific policy and VIP while troubleshooting.
Use the following:
ACE/Admin(config)# no service-policy input global
ACE/Admin(config)# interface vlan 24
ACE/Admin(config-if)# service-policy input global
Also, you want to remove the NAT from the multi-match policy; you're running in routed mode, so NAT should not be required. If it were required, you don't have any NAT pool configured anyway, or, as Ahmad mentioned, it was truncated from the configuration.
Something that caught my attention is that your default route is pointing to the server VLAN, which happens to be also your management VLAN. I'll have to lab it up, but my first impression is that either the traffic coming to the VIP on vlan 24 should always be NAT'd to an IP in 10.26.24.X/24 before it gets to the ACE, or else there will be a routing loop that will not allow the flow to complete correctly.
Do you happen to have a quick logical diagram of this piece of the network?
Thanks
Pablo
-
Cisco ACE - Firewall load balancing
I am using two sets of ACE load balancers for load balancing traffic across two firewalls (firewall load balancing).
The solution works fine. I have a virtual address of 0.0.0.0 in either direction to match traffic going from the internal users to the Internet and vice versa.
The problem is that when I try to manage the load-balanced firewalls (either using SSH or HTTPS) from outside, that connection also gets load balanced, and when I try to connect to FW1, sometimes this connection ends up on FW2 and vice versa, and the connection gets dropped. I have a workaround in place where I am using a virtual address per firewall to connect to the real IP address of the firewall.
Is there any other way of managing firewalls (which are defined as real servers) in an FWLB setup?
Attached is the configuration of the external ACE which has the two firewalls defined as the real-servers.
access-list ALL line 8 extended permit ip any any
probe icmp ICMP-Probe
interval 15
passdetect interval 60
rserver host FW1-ASA
ip address 10.11.71.10
inservice
rserver host FW2
ip address 10.11.71.11
inservice
serverfarm host Firewalls
transparent
predictor leastconns
rserver FW1-ASA
inservice
rserver FW2
inservice
serverfarm host Firewalls-NO-LB
rserver FW1-ASA
inservice
serverfarm host Firewalls-NO-LB1
rserver FW2
inservice
sticky ip-netmask 255.255.255.255 address source new-sticky
timeout activeconns
serverfarm Firewalls
This is my workaround for connecting to the IP address of the firewalls (for management):
class-map match-any FW-Real
2 match virtual-address 10.11.71.254 any
class-map match-any FW-Real2
2 match virtual-address 10.11.71.253 any
class-map type management match-any Remote-Access
201 match protocol telnet any
202 match protocol http any
203 match protocol https any
204 match protocol ssh any
205 match protocol snmp any
206 match protocol icmp any
class-map match-any fwlb
2 match virtual-address 0.0.0.0 0.0.0.0 any
policy-map type management first-match Remote-Management-Policy
class Remote-Access
permit
policy-map type loadbalance first-match FWLB-No-LB
class class-default
serverfarm Firewalls-NO-LB
policy-map type loadbalance first-match FWLB-No-LB1
class class-default
serverfarm Firewalls-NO-LB1
policy-map type loadbalance first-match FWLB-l7slb
class class-default
serverfarm Firewalls
policy-map multi-match Firewall-No-LB
class FW-Real
loadbalance vip inservice
loadbalance policy FWLB-No-LB
policy-map multi-match Firewall-No-LB1
class FW-Real2
loadbalance vip inservice
loadbalance policy FWLB-No-LB1
policy-map multi-match int70
class fwlb
loadbalance vip inservice
loadbalance policy FWLB-l7slb
interface vlan 70
description "Client side"
ip address 10.11.70.2 255.255.255.0
no icmp-guard
access-group input ALL
access-group output ALL
service-policy input Remote-Management-Policy
service-policy input Firewall-No-LB --> connect to the real IP address of the firewall for management
service-policy input Firewall-No-LB1 --> connect to the real IP address of the firewall for management
service-policy input int70
no shutdown
interface vlan 71
description "Firewall side"
ip address 10.11.71.2 255.255.255.0
mac-sticky enable
no icmp-guard
access-group input ALL
access-group output ALL
service-policy input Remote-Management-Policy
no shutdown
Hello,
As far as I know, there is no other way.
You can only reduce your configuration by putting all your classes under the same policy-map:
policy-map multi-match int70
class FW-Real
loadbalance vip inservice
loadbalance policy FWLB-No-LB
class FW-Real2
loadbalance vip inservice
loadbalance policy FWLB-No-LB1
class fwlb
loadbalance vip inservice
loadbalance policy FWLB-l7slb
interface vlan 70
description "Client side"
ip address 10.11.70.2 255.255.255.0
no icmp-guard
access-group input ALL
access-group output ALL
service-policy input Remote-Management-Policy
service-policy input int70
no shutdown
-
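The reply above folds the three class maps into one multi-match policy and lists the two /32 classes for the firewall management addresses before the 0.0.0.0 catch-all. The following added example, which is not from the thread and does not reproduce the ACE's real classification engine, models that classification as first-match in the listed order (an assumption) to show why a connection to 10.11.71.254 has to be caught before the catch-all class, and flags any ordering in which a broader class shadows a narrower one so it can never be hit.

```python
import ipaddress

# The three classes of the combined policy-map in the reply, in that order:
# (class name, virtual-address, mask, loadbalance policy applied to it)
INT70_POLICY = [
    ("FW-Real",  "10.11.71.254", "255.255.255.255", "FWLB-No-LB"),
    ("FW-Real2", "10.11.71.253", "255.255.255.255", "FWLB-No-LB1"),
    ("fwlb",     "0.0.0.0",      "0.0.0.0",         "FWLB-l7slb"),
]


def _network(vip, mask):
    """virtual-address/mask as a network; 0.0.0.0 0.0.0.0 becomes 0.0.0.0/0."""
    return ipaddress.IPv4Network((vip, mask), strict=False)


def classify(dst_ip, policy=INT70_POLICY):
    """Return (class, loadbalance policy) for the first class whose
    virtual-address/mask covers dst_ip, or None when nothing matches.
    First-match in list order is the modelling assumption here."""
    dst = ipaddress.IPv4Address(dst_ip)
    for name, vip, mask, lb_policy in policy:
        if dst in _network(vip, mask):
            return name, lb_policy
    return None


def shadowed_classes(policy):
    """Classes that can never be selected because an earlier class in the
    same policy already covers every address they would match."""
    shadowed = []
    for i, (name, vip, mask, _) in enumerate(policy):
        net = _network(vip, mask)
        for _, earlier_vip, earlier_mask, _ in policy[:i]:
            if net.subnet_of(_network(earlier_vip, earlier_mask)):
                shadowed.append(name)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample destinations: the two management VIPs and an
    # arbitrary Internet address that should fall through to the catch-all.
    for dst in ("10.11.71.254", "10.11.71.253", "198.51.100.7"):
        print(dst, "->", classify(dst))
    print("shadowed in reply order:", shadowed_classes(INT70_POLICY))
    print("shadowed with catch-all first:",
          shadowed_classes(list(reversed(INT70_POLICY))))
```

Run against the reply's ordering no class is shadowed and the management VIPs land on the single-firewall serverfarms; with the catch-all listed first both /32 classes are dead and every management connection is load balanced again, which is exactly the symptom described in the question.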
Hi Folks,
We have ITS 6.20 Patch level 33 installed which connects to our R/3 system. We are trying to add multiple AGate servers (not multiple AGate processes) to one WGate. We installed AGates on two hosts, host1 and host2. We then installed WGate on host1, which we connected during the installation to the AGate on host2. It connected fine and we were able to get the WebGUI and also able to log in to the R/3 system. At that time we had a problem going to the native ADM instance, as we were getting an HTTP 500 error (we had re-installed the ADM instance on both hosts after the whole exercise of installing AGate and WGate). Hoping that we can solve the native ADM problem later, we added the second AGate, which is on host1 (the same host the WGate is on), by adding the entry for AGate 2 in the WGate registry XML file.
<key name="Agates">
<key name="Agate1">
<value name="Host" type="text">host2</value>
<value name="PortAGate" type="text">sapavw00_******</value>
<value name="PortMManager" type="text">sapavwmm_******</value>
<value name="Type" type="text">1</value>
<value name="SncNameAGate" type="text"/>
<value name="SncNameWGate" type="text"/>
<value name="MultiProcess" type="text">no</value>
<value name="Available" type="text">yes</value>
</key>
<key name="Agate2">
<value name="Host" type="text">host1</value>
<value name="PortAGate" type="text">sapavw00_******</value>
<value name="PortMManager" type="text">sapavwmm_******</value>
<value name="Type" type="text">1</value>
<value name="SncNameAGate" type="text"/>
<value name="SncNameWGate" type="text"/>
<value name="MultiProcess" type="text">no</value>
<value name="Available" type="text">yes</value>
</key>
The second AGate was added fine and is doing load balancing as well, as we can see requests getting routed to both AGates in the load balancing screen. However, we are not able to access the global.srvc file under Configuration -> Performance -> Global Services -> All Settings, as we are getting the following message:
Error loading service file "global.srvc"!
Also, when we go to Services under Configuration, we get the message "error accessing services directory!"
In Default R/3 System all the fields are empty as well, although we had given the application server details while installing both AGates.
We are getting the below messages in diagnostics.log file:
2010-11-22T12:30:04.401 --- log opened -
A 2010-11-23T13:55:53.346 [agate,sapdiag ] 00, s00000000061DB140, CsRead returned rd=-100
2010-11-23T14:17:06.863 --- log closed -
2010-11-23T14:17:07.753 --- log opened -
A 2010-11-23T14:30:48.618 [agate,sapdiag ] 00, s00000000061DB220, Cannot handle request from login
A 2010-11-23T14:38:45.615 [agate, ] 00, s0000000000000000, WorkDoGetReq: ContReceiveContainer() failed, rc=0xffffffff
A 2010-11-23T14:38:45.615 [agate, ] 00, s0000000000000000, WorkDoWork: WorkDoGetReq() failed, rc=0xffffffff
A 2010-11-23T14:38:45.677 [agate,sapxgdk ] 00, s0000000000000000, ContSendContainer: FAILED, send length is 0
A 2010-11-23T14:38:50.958 [agate, ] 00, s0000000000000000, WorkDoGetReq: ContReceiveContainer() failed, rc=0xffffffff
A 2010-11-23T14:38:50.958 [agate, ] 00, s0000000000000000, WorkDoWork: WorkDoGetReq() failed, rc=0xffffffff
A 2010-11-23T14:38:50.974 [agate,sapxgdk ] 00, s0000000000000000, ContSendContainer: FAILED, send length is 0
Please let me know if this procedure of adding the agate was wrong or there are some parameter settings that we may have missed. Would it have been better to go for a single host wgate+agate installation on host1 and then add agate2 on host2?Hi Edgar,
Thanks for the reply. I had re-installed the ADM instance on both hosts after the whole exercise of installing agate and wgate.
Anyway, we have now uninstalled the earlier instances on both hosts and installed wgate+agate on host1 as a single-host installation and agate2 on host2. Then we added agate2 to wgate1 and load balancing is working fine. The issue of not being able to access the service file and directories, etc. has now also been resolved. The only problem that remains is that we are not able to go into the native ADM. We get an HTTP 500 error, although the redirect URL is correct. Is there any additional setting required for that to happen? -
We need a load balancing setup that shares the load for many web applications across multiple backend servers, but we don't want the web apps to be activated on all backend servers at the same time. We want to configure all apps as "lazy" on all backend servers. They will then be activated when the first request to their DNS name is made, and the app is started on that backend server.
We have hundreds of apps and each backend server will become very slow if all apps are activated on all backend servers. The preferred solution would therefore be to not call all DNS names on all backend servers but to share the balance based on the DNS name in the requests. Sticky-session or sticky source-IP won’t be enough to solve this as they only stick to each user session.
If User-A request www.siteA.com he may be redirected to backend server 1 and then be kept there. But if User-B then requests the same www.siteA.com he may be redirected to backend server 2 and then be kept there. This means that the web application for siteA will be activated and loaded in both the backend servers. When we host hundreds of sites this will be a problem. We may have hundreds of backend servers but they will all end up loading all web apps over time and get out of memory.
The theory to get this work is a load balancer with the following logic:
1. A request for a certain DNS comes in. For example: www.siteA.com
2. Load balancer checks if this certain DNS has been redirected to a certain backend server before and if this server is alive
2.1. (If not redirected before): Redirect the request to the backend server with least load. Store the selected backend route based on the DNS name.
2.2. (If redirected before): Redirect the request to the assigned backend server for siteA.
3. If a backend server is down then all DNS requests to this server will be redirected to another backend server with least load. All requests to these DNS names will be assigned to this backend server instead.
h3. Example of set up
Many DNS to one IP
192.168.1.1 www.siteA.com
192.168.1.1 www.siteB.com
192.168.1.1 www.siteC.com
Frontend load balancer
192.168.1.1 (load balancer)
Backend app servers
192.168.2.2 (App server 1)
192.168.2.3 (App server 2)
192.168.2.4 (App server 3)
h3. Snapshot of servers during load
App server 1
www.siteA.com (Activated)
www.siteB.com (Lazy)
www.siteC.com (Lazy)
App server 2
www.siteA.com (Lazy)
www.siteB.com (Activated)
www.siteC.com (Lazy)
App server 3
www.siteA.com (Lazy)
www.siteB.com (Lazy)
www.siteC.com (Activated) -
Only from a load balancing point of view a cluster is not really needed.
Apart from session replication and failover capabilities, there are a few more benefits with clustering, but only if you are also using a web server.
Stuck threads can be due to lots of problems like application issues, load issues, etc. So first make sure whether you are getting stuck threads on both servers or only on one. If on one, then your load balancing is not working properly and is sending more load to that server; if you are getting stuck threads on both, then try to add one more managed server.
Regards
Mukesh Negi
http://weblogicserveradministration.blogspot.com -
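The routing logic in the question above (steps 1 to 3 and the "snapshot of servers during load"), worked through as an added example; this is not the poster's code or any load balancer product's feature. Backend addresses and site names are the ones in the post's example set-up; the class, its methods, the tie-break by backend name and the allowlist of known site names are assumptions of this example. The allowlist matters because the Host header is chosen by the client: without it, one client sending made-up names could fill the affinity table with entries that pin nothing useful.

```python
"""Host-name affinity load balancer.

Added example, not the original poster's code or any product's feature: it
implements the three-step logic from the post (pin a site to the least-loaded
live backend on first sight, keep it there, re-pin on failure) so the
"snapshot of servers during load" can be reproduced. Backend addresses and
site names follow the post's example set-up; everything else is assumed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Backend:
    name: str
    addr: str
    alive: bool = True
    active_conns: int = 0       # the "load" compared by the least-load rule


class HostAffinityBalancer:
    def __init__(self, backends: Iterable[Backend], known_hosts: Iterable[str]):
        self.backends: Dict[str, Backend] = {b.name: b for b in backends}
        # The Host header is chosen by the client. Only names we actually host
        # may create an affinity entry, otherwise a single client could fill
        # the pin table with arbitrary names (assumed allowlist).
        self.known_hosts = {self._norm(h) for h in known_hosts}
        self.pins: Dict[str, str] = {}           # site name -> backend name

    @staticmethod
    def _norm(host: str) -> str:
        # strip an optional :port, case and trailing dot from a Host header
        return host.split(":")[0].strip().lower().rstrip(".")

    def _least_loaded(self) -> Optional[Backend]:
        live = [b for b in self.backends.values() if b.alive]
        if not live:
            return None
        return min(live, key=lambda b: (b.active_conns, b.name))

    def route(self, host: str) -> Optional[str]:
        """Steps 1-3 from the post: return the backend address for this request."""
        host = self._norm(host)
        if host not in self.known_hosts:
            return None                           # unknown site: refuse, do not pin
        target = self.backends.get(self.pins.get(host, ""))
        if target is None or not target.alive:    # 2.1 first sight, or 3 pinned server down
            target = self._least_loaded()
            if target is None:
                return None
            self.pins[host] = target.name
        # else: 2.2 already pinned to a live server, stay there
        target.active_conns += 1
        return target.addr

    def release(self, host: str) -> None:
        """Call when a request finishes so the load counts stay meaningful."""
        b = self.backends.get(self.pins.get(self._norm(host), ""))
        if b is not None and b.active_conns > 0:
            b.active_conns -= 1

    def set_alive(self, name: str, alive: bool) -> None:
        self.backends[name].alive = alive

    def snapshot(self) -> Dict[str, List[str]]:
        """Which sites are activated on which server, as in the post's snapshot."""
        out: Dict[str, List[str]] = {n: [] for n in self.backends}
        for host, name in sorted(self.pins.items()):
            out[name].append(host)
        return out


def build_example() -> HostAffinityBalancer:
    """The post's set-up: three app servers, three sites, all sites lazy."""
    return HostAffinityBalancer(
        [Backend("app1", "192.168.2.2"),
         Backend("app2", "192.168.2.3"),
         Backend("app3", "192.168.2.4")],
        ["www.siteA.com", "www.siteB.com", "www.siteC.com"])
```

Call route() with the Host header of each request; snapshot() reproduces the post's table. Pinning by site name rather than by session is what keeps siteA on one server even when two different users request it, and a failed server's sites move as a group to the least-loaded survivor and stay there when it comes back.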
HttpClusterServlet Load Balancing Problem
Hi,
I have a problem with LoadBalancing and HttpClusterServlet.
I have 2 boxes with a clustered application deployed on 2 managed servers:
box 1 with the adminServer and a managed server (managed1)
box 2 with the second managed server (managed2)
On box 1 I have another managed server, which hosts the HttpClusterServlet application.
The cluster is made up of managed1 & managed2, and HttpClusterServlet is configured to send requests to both managed servers in the cluster.
When I run some tests against the HttpClusterServlet web application to see how it load-balances requests, I can see that all the requests are redirected just to managed1, on the same machine.
If I stop managed1 and run some tests, I can see that HttpClusterServlet every time tries to contact managed1 first, and since it's down, sends the requests to managed2 (it handles failover correctly).
If I move the HttpClusterServlet application to another box, let's call it box 3, and re-run the tests, it load-balances the requests between managed1 (box1) and managed2 (box2) correctly.
I would like to know if HttpClusterServlet has some kind of "server affinity" logic (?) or whether I'm missing something in the cluster configuration (even if I can't see clearly how the cluster configuration could affect things, since the HttpClusterServlet, which is not in the cluster, should just route requests to the specified servers in round-robin fashion, I guess).
Someone in previous posts pointed out http session issues; is that true, and if so, why?
Sorry for the far too long post,
thanks in advance,
Thomas
We have two network connections coming into the office. One is a private WAN and the other is an internet WAN. We have an RV042 router configured for load balancing. On WAN1 we have our private WAN, which includes Exchange and 6 VPNs. On WAN2 we have a public IP and workers from home. Both connections are 5 Mb T1s and both have the ability to reach the internet, but only WAN2 has a public IP (76.x.x.x), whereas WAN1 has a private IP (10.x.x.x).
Now where the problem lies is that our new web-based payroll system does not support load balancing. We have to shut down one side when we want to do payroll (turn load balancing off).
Now, is there a way to make our payroll computers only use one side? Modify the hosts file maybe? Or force a certain MAC address to only use WAN1? Or is there a better router that can accomplish this?
Any help would be appreciated
Peter Labelle -
I ran into this problem at a client where we had an RV042. Different scenario though. We had 2 static IPs from 2 different ISPs. We had an accounting program that used HTTPS on port 443 hosted at a different location. We had to bind outgoing port 443 to WAN1 to prevent disconnect problems. This caused a problem in case that internet connection went down.
What we did was create a service on the RV042 for TCP port 4433 and bind that traffic to WAN2. On the side hosting the accounting package we created a rule in that router to translate all public port 4433 requests to internal port 443 requests.
On the workstations we had to leave 2 desktop shortcuts, one that pointed to 443 and one to 4433. That way if one link doesn't work they can just use the second link.
It's not the best solution, but at least it works until they OK a swap-out for a router that supports better binding.
I'm not providing this as a solution, but maybe it can spark an idea for a workaround.
I know a company called Xincom used to make a dual-WAN router that was decently priced and supported strict binding per internal IP address. The build quality wasn't the best and they used to die all the time, but maybe their new units are better. When they worked, though, they were very good and I never had a problem. -
Bind load balancing problem.. expert help required
Hi there.
My RV042 has 2 WAN connections. One is connected to the public Internet (WAN1) and the DMZ/Internet to my VPN router (WAN2).
Behind the VPN router connected to my WAN2 are the finance servers on network 10.36.88.0.
Both local users and those who connect using PPTP VPN clients can access resources in the LAN.
My problem is that due to the round robin of load balancing sometimes they cannot reach the finance server.
I tried playing with binding the HTTP port and creating some rules, with no luck.
We want our users to use WAN1 for all the web pages except those behind the VPN.
Is there a way I can make it so that if my users access my finance server they go through WAN2?
Could you please provide me some guidance? (Rules, binds, etc.)
In this case it would be:
An access rule or bind so that all the web traffic for 10.36.88.0 flows to WAN2. -
If you type "show real" you will probably see the column for "Data In" rising. This column is all the way on the right side of the display. This indicates that the server has received requests that it has not responded to.
By default, the LD does not use the Data value to fail a server. So by default, the data threshold for all the real servers is "0". If you set it to a non-zero number, the LD will start to use it.
http://www/univercd/cc/td/doc/product/iaabu/localdir/ldv42/421guide/42ch05.htm#xtocid856528
localdirector(config)# data 192.168.1.1:0:0:tcp 30
Hope this helps,
Steve Hall
Cisco TAC -
RV320, load balancing problem
Hi,
How do I force the router to use WAN1 until it's saturated, and then switch to WAN2 when needed? I've already configured the bandwidth correctly for each WAN, but it seems that some clients use WAN1 and others use WAN2, disregarding the fact that they should use WAN1 as primary and its bandwidth is not saturated by any other client.
Hi,
we've got an SA520 with Load Balancing activated for two ISPs on the two WAN ports. Both WAN ports are showing "WAN status UP".
The problem is that every connection stalls after a few minutes (for example a download, a web radio live stream or a PPTP VPN connection). It seems that the load balancing is switching the lines permanently for all sessions, which doesn't make any sense. How can I configure session-based load balancing without binding protocols to a specific WAN port?
Best Regards, Klaus -
Hello Klaus,
Thank you so much for your inquiry.
> It seems that the load balancing is switching the lines permanently for all sessions, which doesn't make any sense.
With Load Balancing enabled, packets traverse the gateway in a manner that has no initial regard to protocol assignment to a specific WAN port. After the SA learns the routes to destination networks, it uses the route that is best, usually the shortest. The router will automatically switch back and forth, literally balancing the load, based on packet amount, with no regard to protocols.
> How can I configure session-based load balancing without binding protocols to a specific WAN port?
That said, protocol binding is necessary in order to direct the traffic, based on protocol assignment, in a specified manner. The nature of Load Balancing requires protocol binding in order to prevent a protocol, even HTTP, from jumping WAN ports. I hope this helps!
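The RV042, RV320 and SA520 questions above are the same three decisions seen from different sides: does this flow have a binding, is the bound link up, and does an unbound flow stay on the link it started on. The following model of that decision is added here as an example; it is not any router's configuration language or firmware logic. It puts the posts' cases side by side: the finance network 10.36.88.0/24 bound to WAN2, the payroll PCs bound to WAN1 by source address, the 443/4433 pair from the RV042 reply, the RV320 "fill WAN1 first" mode, and the per-session stickiness the SA520 poster asked for. The interface names, the 192.168.1.0/24 LAN, the 10.10.10.2 and 198.51.100.2 WAN addresses, the capacities and the rule fields are all constructed for this example.

```python
"""Dual-WAN egress selection with protocol binding and session stickiness.

Added example, not any router's configuration: it models the behaviour the
RV042 / RV320 / SA520 posts describe so the failure modes can be seen.
Addresses, names and the rule fields are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterable, List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Wan:
    name: str
    public_ip: str          # what the remote server sees as the source IP
    capacity_kbps: int
    used_kbps: int = 0
    up: bool = True


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Binding:
    """Strict binding: a matching flow may use this WAN and no other."""
    wan: str
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in self.src
                and ipaddress.ip_address(f.dst) in self.dst
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


class DualWanRouter:
    def __init__(self, wans: Iterable[Wan], bindings: Iterable[Binding],
                 mode: str = "round_robin"):
        self.wans: Dict[str, Wan] = {w.name: w for w in wans}   # order = priority
        self.bindings: List[Binding] = list(bindings)
        self.mode = mode
        self.sessions: Dict[Flow, str] = {}                    # flow -> WAN name
        self._rr = cycle(list(self.wans))

    def select(self, flow: Flow) -> Optional[str]:
        """Return the WAN for this flow, or None if it cannot be routed."""
        # 1. Session stickiness: an established flow keeps its WAN while that
        #    WAN is up. Without this table a per-packet balancer flips the
        #    public source IP mid-session, which is what stalls the downloads,
        #    streams, PPTP and payroll/accounting sessions in the posts.
        wan = self.sessions.get(flow)
        if wan is not None and self.wans[wan].up:
            return wan
        # 2. Bindings, first match wins. A bound WAN that is down means the
        #    flow fails rather than leaking out the other WAN (the RV042 reply
        #    hit exactly this and added a second port bound to WAN2).
        for b in self.bindings:
            if b.matches(flow):
                wan = b.wan if self.wans[b.wan].up else None
                break
        else:
            wan = self._unbound_choice()           # 3. unbound traffic
        if wan is not None:
            self.sessions[flow] = wan
        return wan

    def _unbound_choice(self) -> Optional[str]:
        live = [n for n, w in self.wans.items() if w.up]
        if not live:
            return None
        if self.mode == "primary_spill":           # fill WAN1, then spill to WAN2
            for n in live:
                if self.wans[n].used_kbps < self.wans[n].capacity_kbps:
                    return n
            return live[0]
        for _ in range(len(self.wans)):            # per-flow round robin
            n = next(self._rr)
            if self.wans[n].up:
                return n
        return None

    def public_source(self, flow: Flow) -> Optional[str]:
        wan = self.select(flow)
        return self.wans[wan].public_ip if wan else None

    def set_link(self, name: str, up: bool) -> None:
        self.wans[name].up = up


def build_router(mode: str = "round_robin") -> DualWanRouter:
    """The scenario from the posts, with constructed addresses."""
    wans = [Wan("WAN1", "10.10.10.2", 5000),        # private WAN, private IP
            Wan("WAN2", "198.51.100.2", 5000)]      # internet WAN, public IP
    bindings = [
        Binding("WAN2", dst=ipaddress.ip_network("10.36.88.0/24")),    # finance via VPN
        Binding("WAN1", src=ipaddress.ip_network("192.168.1.64/27")),  # payroll PCs
        Binding("WAN1", proto="tcp", dport=443),                       # accounting HTTPS
        Binding("WAN2", proto="tcp", dport=4433),                      # its WAN2 fallback
    ]
    return DualWanRouter(wans, bindings, mode)
```

build_router() wires up that scenario. A strict binding fails closed when its WAN is down, which is the outage the RV042 reply describes and the reason for its second port; making it fail over instead is a deliberate choice, because a flow bound to the private WAN for a reason (Exchange, the finance VPN) should not quietly leave via the public one.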