ACE "Secondary" Sticky Method

Similar Messages

• ACE Best Sticky Method for SSL Traffic

  Hi, With ACE 4710 running serverfarms primarily running SSL traffic, what is the best method for configuring stickiness. Here are some parameters:
  1) low volume sites, 2 real servers
  2) ACE _will not_ do SSL offloading
  3) Balancing HTTPS requests
  4) Many versions of HTTP clients
  5) Currently running ACE A1 code
  I am thinking of:
  1) TCP Header | HostID inspection
  2) SSL-session ID (not good if re-key often though)
  3) Any suggestions?
  many thx,
  WR

  Hi Will,
  You can see a comple configured example for your perusal in this regard for
  Configure ACE Module for End to End SSL Termination
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
  And Many more here regarding
  Data Center Application Services Configuration Examples:
  http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
  Hope these configuration examples will be useful to you.
  Sachin Garg

• ACE SSL Sticky class-map generic vs class default differences.

  There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Giles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.
  Can anyone explain the benefits and differences of using a specific class-map generic such as this:
  class-map type generic match-any SSL-v3-32
    2 match layer4-payload regex "\x16\x03\x00..\x01.*"
    3 match layer4-payload regex "\x16\x03\x01..\x01.*"
  Versus just matching class default?
  So if I have a configuration such as this:
  policy-map type loadbalance generic first-match SSL-v3-Sticky
  class SSL-v3-32
     sticky-serverfarm ssl-v3
  vs
  policy-map type loadbalance generic first-match SSL-v3-Sticky
  class class-default
     sticky-serverfarm ssl-v3
  What's the benefit or drawback?

  The SSL session id is only available in version 3.0.1 and 3.1.1
  So you can match this particular version and then attempt to do stickyness.
  You are guaranteed to find what you're looking for.
  If you match a class-default it means you apply stickyness to any version of ssl packet.
  So there is a risk to misinterpret the content of the packet and stick on something else than the session id.
  Gilles.

• URL-learn cookie stickiness method

  Hello
  In our network we are trying to configure a SLB with stickiness based on the passive cookie method on the CSM-S module for cat6k.
  The server is setting the JSESSIONLIST cookie in the "set-cookie" field in the HTTP header. Unfortunately, each time a client is accessing the server, the server adds more data into the "Refer" field in the HTTP header that it's placed before the cookie field. Finally when the HTTP header is bigger then 4000 bytes, which is the maximum max-parse length value for CSM-S module, the module is unable to correctly stick the session based on the cookie value send by the client.
  When a server sets the set-cookie value in the HTTP header, at the same time, it sets the parameter called jsessionid in the URI that has the same value that the cookie JSESSIONLIST. Because of our problem with the long "Referer" field in subsequent client requests we have tried to configure the stickiness based on URL-Learn method.
  The virtual server is using a sticky group configured as below
  sticky 2 cookie JSESSIONLIST timeout 30
  cookie secondary jsessionid
  Unfortunately it does not work. We are wondering why. In the configuration-guide there is not much information about this kind of stickiness. We are wondering if it is not a problem for CSM to stick a session based on the "secondary cookie", when, at the same time, the cookie field is also transmitted in the client requests. We are also wondering if it is not a problem for a load balancer that the jsessionid parameter in the URI follows ";" not "?" as in the example in the configuration guide.
  I am attaching an example HTTP GET request from the client (some values were hidden). This trace shows the request with a short "Refere" field but the subsequent packets contain this field much more bigger.
  Thanks for any help in advance

  the CSM will look into the url if it can't find the cookie in the header.
  However, if the header length is too big, the CSM will consider this an error and it will stop parsing.
  A solution for you is to increase the parse length with a variable:
  gdufour-cat6k-2#sho mod csm 3 var | i PAR
  MAX_PARSE_LEN_MULTIPLIER 1
  It will multiply whatever parse length you have configured.
  Now, you could also change the server behavior with the referer.
  Increasing the size of the header will consume BW and reduce performance of the LB and SSL offloader.
  Gilles.

• ACE with sticky http-cookies across two server farms issue

  Hi,
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman","serif";}
  We need the same sticky http cookie to applied to two server farms (which are actually the same servers but listening on different ports in each farm) to persist sessions to the same real backend server.
  e.g.
  Farm1 (front end HTTP service) - StickyGroup1
  rserver1 - 192.168.0.1:80
  rserver2 - 192.168.0.2:80
  rserver3 - 192.168.0.3:80
  Farm2 (SSL front end authentication service) - StickyGroup2
  rserver1 - 192.168.0.1:443
  rserver2 - 192.168.0.2:443
  rserver3 - 192.168.0.3:443
  We have setup two Sticky Groups (one for each of the farms above) both using the same cookie name e.g. cookieXYZ
  Our service is behind a single virtual server configured as follows (example URL and addresses):
  Virtual Server Configuration
  Virtual server name: www.somedomain.com
  Virtual IP: 2.2.2.2
  TCP/443 (https)
  SSL Termination - Proxy service name: www.somedomain.com (all keys and certs loaded and correct)
  L7 Load Balancing - **inline** rule match HTTP URL:(/AuthenticateMe/).*  Action : Sticky, Group: StickyGroup2, SSL Initiation enabled (www.somedomain.com)
  Default L7 Load Balancing action : Sticky, Group: StickyGroup1
  So normally we would expect users to first hit www.somedomain.com first and therefore Farm1, get cookieXYZ from the ACE (cookie insert is only enabled on StickyGroup1) and then be redirected to www.somedomain.com/AuthenticateMe which matches the inline URL L7 rule which directs the request at Farm2 - at this point we expected the ACE to use cookieXYZ to persist the user to the same real server hit in Farm1 but instead the stickiness doesn't seem to work.
  We suspect that the ACE uses IP:port as the unique value in the Cookie ID and therefore the ACE fails to match the same real host in a different farm because we are using a mix of port numbers across farms. Is this correct? Is there another way of accomplishing what we are after with a different configuration but still the same setup with single VIP and multiple services on the backend servers?
  Any suggestions or solutions appreciated.
  Thanks
  Paul

  The issue is related to the fact that it's not about persistence because there are only "new" services in the backend in SSL, you want to keep the IP address.
  With a little bit of dev, the only way to acheive this is to redirect the user when he has been sent to http and adding a "tag" (cookie / token in the URL), then on the SSL virtual server, when performing SSL offload matching this tag to send to user to the right server. But it will be a 1-to-1 mapping.

• ACE: Different Sticky rules for different URLs

  Is there a way to apply different sticky rules (or no sticky at all) depending on the URL for a given site under ACE?
  The reason I want to do this is because I have an extremely common URL that chews up sticky resources when it doesn't matter if the URL is sticky. We have several thousand PC's that have a web based screen saver on them that just pull random pages to be displayed on the users' screen when the screen saver kicks in. These pages do not need to be sticky but other pages on the same farm need sticky. Is this possible?
  Casey

  Create a more specific Layer 7 class map and instead of calling sticky serverfarm use serverfarm.
  for example
  sticky http-cookie COOKIE STATIC
  cookie insert browser-expire
  timeout 5
  serverfarm WEBFARM
  serverfarm host WEBFARM
  rserver SV1 80
  inservice
  rserver SV2 80
  inservice
  class-map match-any APP1-VIP
  2 match virtual-address 10.86.178.160 tcp eq http
  class-map type http loadbalance match-all Condition1
  2 match http url .*
  3 match http header Host header-value 172.16.31.*
  4 match http header User-Agent header-value .*MSIE.*
  class-map type http loadbalance match-all Condition2
  2 match http url .*
  policy-map type loadbalance first-match L7_COOKIE_STATIC
  class Condition2
  sticky-serverfarm STATIC
  class Condition1
  serverfarm WEBFARM
  policy-map multi-match CLIENT_VIPS
  class APP1-VIP
  loadbalance vip inservice
  loadbalance policy L7_COOKIE_STATIC
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  Syed

• Cisco ACE 20 - sticky radius attribute not working

  Hello to you all
  I need your help. I´m trying to create a sticky group applied to my auth serverfarm based on the calling-station-id attribute, but for some reason when I apply the configs, I get not replies from my rservers. I´ve checked the radius servers, and no packets are getting to them. For some reason, when I create the sticky group the ACE 20 doesn´t distribute the traffic at all.
  The service-policy is inservice, all the rservers are operational, but there´s no replies to my authentication requests, and no entries in the sticky database.
  My current configs:
  ADMIN context:
  resource-class RADIUS-STICKY
    limit-resource all minimum 0.00 maximum unlimited
    limit-resource sticky minimum 10.00 maximum unlimited
  context context-radius
  member RADIUS-STICKY
  CONTEXT-RADIUS context:
  serverfarm host RADIUS-AUTH
    predictor leastconns
    probe RADIUS-PROBE-AUTH
    rserver RADIUS-01
      inservice
    rserver RADIUS-02
      inservice
    rserver RADIUS-03
      inservice
  sticky radius framed-ip calling-station-id RADIUS-AUTH
  serverfarm RADIUS-AUTH
  timeout 5
  policy-map type loadbalance first-match RADIUS-AUTH
    class class-default
      sticky-serverfarm RADIUS-AUTH
  Am I missing anything?
  Best wishes

  I figured it out
  The loadbalance policy-map has to be set has a L7 Radius policy map:
  policy-map type loadbalance radius first-match RADIUS-AUTH
    class class-default
      sticky-serverfarm RADIUS-AUTH
  It now inspects the Radius packets and is able to apply stickiness.

• ACE Appliance Stickiness Error

  Our ACE is configured and seems to be working correctly and now we would like to enable stickiness. We are receiving an error: Error in saving to DB: Can't create sticky because resource is not allocated. We have created system resource class, but not sure how to allocate the resources. We have been reviewing the configuration manuals, but it doesn't seem clear what to do to resolve the error. Any assistance is appreciated. Attached is config example. Thanks, Chris.

  context Admin
  member
  Gilles.

• ACE 4710 Stickiness Configuration

  We have the ACE 4710 Ver. A3(2.0) configured and the load balancing is working fine. But we are having problem to keep a user session on one web server. The website is running on IIS, and it's created using ASP.NET. The user session is bouncing between the two load balancing servers. How can we configure stickiness to solve this issue? Or, what are the recommend solutions?

  Here is an example of a sticky config. This will sticky on source address.
  sticky ip-netmask 255.255.255.255 address source WebSeal_Sticky
  replicate sticky
  serverfarm WebSeal_Farm
  Then apply it-
  policy-map type loadbalance first-match WebSeal-Virtual-Server-l7slb
  class class-default
  sticky-serverfarm WebSeal_Sticky
  policy-map type loadbalance first-match WebSeal_HTTPS-l7slb
  class class-default
  sticky-serverfarm WebSeal_Sticky
  Also check out the configuration guide.
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html
  Hope that helps.

• ACE cookie stickiness issue

  Hi,
  We are having ACE as the load balancer
  Software running on ACE
  loader: Version 12.2[121]
  system: Version A2(1.1a) [build 3.0(0)A2(1.1a) adbuild_22:19:41-2008/07/21_
  /auto/adbu-rel3/rel_a2_1_1_throttle/REL_3_0_0_A2_1_1A]
  system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_1a.bin
  We have 2 webservers (load balanced) & 2 application servers(load balanced).Cookie based stickiness is currently used on Web & Application servers.
  Ideal scenario:
  1.Client opens the url http://...There is always a dual session whenever the client opens the url.One is for Java & the other for html.
  2.Client--->Webserver1
  3.Webserver1---->APP1
  Most of the times when the client types the url, the dual sessions goes to one Webserver as per round robin (eg web server 1) & the webserver 1 communicates with Application server as per round robin (eg.application server 1).
  Problem:
  Now at times when the client types the url, the dual sessions gets split which means one session goes to one webserver & the other session goes to second webserver.Ideally it should not as per the application demands.
  When this happens, both the webservers communicates with both the application servers.Here is where the problem happens.The client is asked for the login page again which indicates that the client has went to the second application server for the login.
  What ideally should happen is the client should stick to the same application server depending up the sticky timeout.
  Foll. is the output of show conns when prob occurs:
  Primary-ACE/DMZ2# sh conn serverfarm SF-8888
  conn-id np dir proto vlan source destination state
  ----------+--+---+-----+----+---------------------+---------------------+------+
  1321 1 in TCP 2504 172.21.46.34:2037 172.24.51.200:8888 ESTAB
  1255 1 out TCP 2704 172.24.51.33:8888 172.21.46.34:2037 ESTAB
  1108 2 in TCP 2504 172.21.46.34:2036 172.24.51.200:8888 ESTAB
  1144 2 out TCP 2704 172.24.51.32:8888 172.21.46.34:2036 ESTAB
  Primary-ACE/APP# sh conn serverfarm SF-8888
  conn-id np dir proto vlan source destination state
  ----------+--+---+-----+----+---------------------+---------------------+------+
  959 2 in TCP 2507 172.24.51.32:58306 172.24.54.200:8888 ESTAB
  115 2 out TCP 2707 172.24.54.32:8888 172.24.51.32:58306 ESTAB
  651 2 in TCP 2507 172.24.51.33:51030 172.24.54.200:8888 ESTAB
  901 2 out TCP 2707 172.24.54.33:8888 172.24.51.33:51030 ESTAB
  I have attached the configs.
  The web server we are testing is 172.24.51.32 & 33 - port 8888
  Application servers - 172.24.54.32 & 33-port 8888
  Rgds./Sachin

  Sachin~
  What is exactly your flow?
  Is client hitting the Webserver farm (in web server context) and then Web servers hitting the APPs Servers in the APPS server context?
  If thats the case (only Web servers are App server clients and client is not hitting application serverfarm ) then you can use source ip based sticky in APP server farm which will ensure that one web server sticks to a particular APP server and it never changes the APP server.
  Following example will insert cookie named "Mycookie" in the server responses from APP1 rservers to the client
  rserver host App1-Srvr1
  ip address 192.168.1.1
  inservice
  rserver host App1-Srvr2
  ip address 192.168.1.2
  inservice
  serverfarm host APP1-SFARM
  rserver App1-Srvr1
  inservice
  rserver App1-Srvr2
  inservice
  class-map match-any APP1-VIP
  2 match virtual-address 10.10.10.1 tcp eq www
  sticky http-cookie MYcookie App1-sticky
  cookie insert
  timeout 720
  replicate sticky
  serverfarm App1-Sfarm
  policy-map type loadbalance first-match APP1-POLICY
  class class-default
  sticky-serverfarm App1-sticky
  policy-map multi-match VIPS
  class VIP-P80
  loadbalance vip inservice
  loadbalance policy APP1-POLICY
  loadbalance vip icmp-reply active
  HTH
  Syed Iftekhar Ahmed

• ACE 4710 Sticky analyzes

  Hello,
  I have running an ACE4710 with round 10 differnet Services what al  needs stickyness because of the Apllication what is balanced.
  There are also different Sticky settings setup.
  Now in the last days I see the Sitcky Table much more growing than weeks ago.
  That is easily to see by for exapmple "show stats sticky" or   "sh np 1 me-stats "-slb -v"". There I see the summary of Sticky Table entries for all defintions at the whole context.
  What I am missing is to get a view which of the 10 Sticky definitions are causing most of the counter increasing. Is there a change to get an overview
  which of sticky definitions causes how much entries in the Sticky Table to get an idea by what service that big increase is done?
  Any Idea or tipp is welcome
  Thank you in advance for help.
  Gerhard

  Gerhard-
  show sticky database group count
  Issue this for each one, it will tell you what groups are using the most.
  Show stats sticky also will tell you if you are starting to re-use sticky entries.  This means that we are needing sticky entries prior to them timing out in the table. 
  Regards,
  Chris

• Use of before, secondary , after method in step type activity of workflow.

  Hello,
  Can anyone tell me any practical scenario where they encountered the use of these methods and how they implemented it?
  Thanks
  Minal

  add a before method to display something to a user decision.
  What is your requirement.
  Kind regards, Rob Dielemans

• ACE cookie stickiness

  Is there a way for the ACE to read the cookie value if it has a period in it (.).  For example the cookie is ASP.NET_SessionID.  The ACE appears to be ignoring the (.).  I know I can switch to cookie insert, but was curious if I can work with the (.) in case this comes up in the future.

  Is there a way for the ACE to read the cookie value if it has a period in it (.).  For example the cookie is ASP.NET_SessionID.  The ACE appears to be ignoring the (.).  I know I can switch to cookie insert, but was curious if I can work with the (.) in case this comes up in the future.

• ACE 4710 Sticky Database question

             Hello,
  I am considering using IP sticky timeout, but have a quick question about the database, is the 800,000 sticky connection per appliance or per context?
  Thanks,
  Dave       

  Hi Dave,
  "Sticky table entries 800,000" this is per appliance.
  You can distibute this resource based on usage per context.
  regards,
  Ajay Kumar

• ACE Sticky issue.

  Hi,
  The Sticky function of the ACE is not working. There were no changes been made on the device it was working fine before but not now,.
  We have 2 ACE one is Active(ACE1) and Second one is Standby (ACE2).
  Testing done till now:-
  ================
  Done the Failover from Active(ACE1) to Standby (ACE2).
  When ACE2 was Active the Sticky started working fine without any issues.
  2)  when I did the failover again back from ACE2 to ACE1 the problem arrise Sticky doesnt work any more.
  Any suggestion about this strange behaviour?
  Thanks in advance.
  Regards
  Alex.

  What version do you run ?
  What type of sticky method ?
  Could you get a
  - show np 1 me-stats "-slb"
  and a
  - show np 2 me-stats "-slb"
  Possibly get 2 occurences one before and one after a test.
  Thanks,
  Gilles.