ACE "Secondary" Sticky Method
We're currently switching to ACE to serve our load-balancing needs and are trying to replicate the same setup we had on our old load balancers from another vendor.
I currently have set up stickiness for our web servers using a COOKIE INSERT type sticky method and it appears to be working.
However, if a user comes to our site and has cookies turned off, I presume the stickiness will fail. I'd like to set up a secondary sticky method to use HTTP Headers.
If it works like we want, a user will be stickied to a server based on the cookie insert but if he has his cookies turned off, the ACE would revert to the sticky by HTTP Header method.
Is this possible? If not, does anyone have any other ideas on how to fill this requirement?
Thanks!
Gilles,
Thank you for your reply.
We use a third party content proxy vendor to distribute our website throughout the world. So it appears to our website that all (most) of our traffic is coming from this vendor. For this reason (and others, such as AOL changing source addresses at will), our primary wish is to use cookies to maintain stickiness. Our developers don't want to add the cookie to the application, nor do they want to maintain a session ID in the URL. So they would like the loadbalancer to insert the cookie. This I already have configured.
Now, on the chance that the client has cookies disabled in his browser, we would like to have a backup sticky method. Our content proxy vendor inserts an HTTP HEADER called "True-Client-IP" that lists the client's true source IP. As a backup to the cookie disable problem, we would like to revert to using this HTTP HEADER to maintain stickiness.
When using the COOKIE INSERT method, what do most users do to combat the cookie disable problem?
Thanks in advance for your help!
Similar Messages
-
ACE Best Sticky Method for SSL Traffic
Hi, With ACE 4710 running serverfarms primarily running SSL traffic, what is the best method for configuring stickiness. Here are some parameters:
1) low volume sites, 2 real servers
2) ACE _will not_ do SSL offloading
3) Balancing HTTPS requests
4) Many versions of HTTP clients
5) Currently running ACE A1 code
I am thinking of:
1) TCP Header | HostID inspection
2) SSL-session ID (not good if re-key often though)
3) Any suggestions?
many thx,
WR
Hi Will,
You can see a complete configured example for your perusal in this regard for
Configure ACE Module for End to End SSL Termination
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
And Many more here regarding
Data Center Application Services Configuration Examples:
http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
Hope these configuration examples will be useful to you.
Sachin Garg -
ACE SSL Sticky class-map generic vs class default differences.
There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Gilles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.
Can anyone explain the benefits and differences of using a specific class-map generic such as this:
class-map type generic match-any SSL-v3-32
  2 match layer4-payload regex "\x16\x03\x00..\x01.*"
  3 match layer4-payload regex "\x16\x03\x01..\x01.*"
Versus just matching class default?
So if I have a configuration such as this:
policy-map type loadbalance generic first-match SSL-v3-Sticky
  class SSL-v3-32
    sticky-serverfarm ssl-v3
vs
policy-map type loadbalance generic first-match SSL-v3-Sticky
  class class-default
    sticky-serverfarm ssl-v3
What's the benefit or drawback?
The SSL session id is only available in version 3.0.1 and 3.1.1
So you can match this particular version and then attempt to do stickiness.
You are guaranteed to find what you're looking for.
If you match a class-default it means you apply stickiness to any version of ssl packet.
So there is a risk to misinterpret the content of the packet and stick on something else than the session id.
Gilles. -
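The difference described in this thread, as an added example that is not part of the original posts or Cisco's code: the two class-map regexes are applied to constructed payloads, and a session ID is only extracted when the payload really is a ClientHello. `sticky_key_default` models a class-default policy that hashes a fixed window; the sticky group is not shown in the thread, so the offset of 44 and length of 32 are assumptions taken from the ClientHello layout.

```python
import re

# The two class-map patterns from the thread, as bytes regexes. DOTALL lets
# "." match any byte, including 0x0a, as a payload matcher must.
CLASS_MAP = [
    re.compile(rb"\x16\x03\x00..\x01.*", re.DOTALL),
    re.compile(rb"\x16\x03\x01..\x01.*", re.DOTALL),
]

# ClientHello layout: record header (type, version[2], length[2]) = 5 bytes,
# handshake header (type, length[3]) = 4, client_version = 2, random = 32.
SID_LEN_OFFSET = 5 + 4 + 2 + 32   # 43: one-byte session_id length
SID_OFFSET = SID_LEN_OFFSET + 1   # 44: session_id itself, up to 32 bytes

def matches_class_map(payload: bytes) -> bool:
    """True when the payload starts like an SSL 3.0 / TLS 1.0 ClientHello."""
    return any(p.match(payload) for p in CLASS_MAP)

def session_id(payload: bytes):
    """Session ID of a ClientHello, or None if absent, empty or truncated."""
    if len(payload) <= SID_LEN_OFFSET:
        return None
    n = payload[SID_LEN_OFFSET]
    sid = payload[SID_OFFSET:SID_OFFSET + n]
    if n == 0 or n > 32 or len(sid) != n:
        return None
    return sid

def sticky_key_specific(payload: bytes):
    """Model of class SSL-v3-32: only stick when the class-map matches."""
    return session_id(payload) if matches_class_map(payload) else None

def sticky_key_default(payload: bytes):
    """Model of class-default (assumed): 32 bytes at a fixed offset, unchecked."""
    return payload[SID_OFFSET:SID_OFFSET + 32] or None

def build_client_hello(version: bytes, sid: bytes) -> bytes:
    """Constructed test input: minimal ClientHello with one cipher suite."""
    body = (version + bytes(32) + bytes([len(sid)]) + sid
            + b"\x00\x02\x00\x2f"    # cipher_suites: length 2, one suite
            + b"\x01\x00")           # compression_methods: length 1, null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake

# Constructed samples (not captured traffic).
SID = bytes(range(1, 33))
RESUME_TLS10 = build_client_hello(b"\x03\x01", SID)
RESUME_SSL30 = build_client_hello(b"\x03\x00", SID)
NEW_SESSION = build_client_hello(b"\x03\x01", b"")
PLAIN_HTTP = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: test-client/1.0\r\n\r\n")

if __name__ == "__main__":
    for name in ("RESUME_TLS10", "NEW_SESSION", "PLAIN_HTTP"):
        p = globals()[name]
        print(name, sticky_key_specific(p), sticky_key_default(p))
```

With the fixed window, a ClientHello that carries no session ID yields the cipher-suite bytes as the key, and a non-SSL payload yields arbitrary request text.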
URL-learn cookie stickiness method
Hello
In our network we are trying to configure a SLB with stickiness based on the passive cookie method on the CSM-S module for cat6k.
The server is setting the JSESSIONLIST cookie in the "set-cookie" field in the HTTP header. Unfortunately, each time a client is accessing the server, the server adds more data into the "Referer" field in the HTTP header that is placed before the cookie field. Finally when the HTTP header is bigger than 4000 bytes, which is the maximum max-parse length value for CSM-S module, the module is unable to correctly stick the session based on the cookie value sent by the client.
When a server sets the set-cookie value in the HTTP header, at the same time, it sets the parameter called jsessionid in the URI that has the same value as the cookie JSESSIONLIST. Because of our problem with the long "Referer" field in subsequent client requests we have tried to configure the stickiness based on URL-Learn method.
The virtual server is using a sticky group configured as below
sticky 2 cookie JSESSIONLIST timeout 30
  cookie secondary jsessionid
Unfortunately it does not work. We are wondering why. In the configuration-guide there is not much information about this kind of stickiness. We are wondering if it is not a problem for CSM to stick a session based on the "secondary cookie", when, at the same time, the cookie field is also transmitted in the client requests. We are also wondering if it is not a problem for a load balancer that the jsessionid parameter in the URI follows ";" not "?" as in the example in the configuration guide.
I am attaching an example HTTP GET request from the client (some values were hidden). This trace shows the request with a short "Referer" field but the subsequent packets contain this field much bigger.
Thanks for any help in advance
The CSM will look into the url if it can't find the cookie in the header.
However, if the header length is too big, the CSM will consider this an error and it will stop parsing.
A solution for you is to increase the parse length with a variable:
gdufour-cat6k-2#sho mod csm 3 var | i PAR
MAX_PARSE_LEN_MULTIPLIER 1
It will multiply whatever parse length you have configured.
Now, you could also change the server behavior with the referer.
Increasing the size of the header will consume BW and reduce performance of the LB and SSL offloader.
Gilles. -
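A check to run over captured requests before changing the parse length, as an added example that is not from the posters or from Cisco: it compares each request's header size with the 4000-byte parse length and a MAX_PARSE_LEN_MULTIPLIER value, and reports whether the session ID appears as the JSESSIONLIST cookie and as a jsessionid URI parameter, and behind which delimiter. Assumptions: the header length is counted from the request line through the blank line, and the sample requests are constructed.

```python
import math
import re

MAX_PARSE_LEN = 4000  # CSM-S maximum parse length quoted in the question


def analyse(raw: bytes, cookie="JSESSIONLIST", param="jsessionid", multiplier=1):
    """Report header size against the parse window and where the session ID appears."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    header_len = len(head) + len(sep)   # assumption: request line + all headers
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    uri = parts[1] if len(parts) >= 2 else ""

    # Session ID in the URI: ";param=" (path parameter) or "?param=" / "&param=".
    m = re.search(r"([;?&])" + re.escape(param) + r"=([^;?&#]*)", uri)
    url_delim, url_value = (m.group(1), m.group(2)) if m else (None, None)

    cookie_value = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            k, _, v = pair.strip().partition("=")
            if k == cookie:
                cookie_value = v

    return {
        "header_len": header_len,
        "fits": header_len <= MAX_PARSE_LEN * multiplier,
        "needed_multiplier": math.ceil(header_len / MAX_PARSE_LEN),
        "cookie_value": cookie_value,
        "url_delim": url_delim,
        "url_value": url_value,
    }


def request(referer_len: int) -> bytes:
    """Constructed request: a Referer of the given size placed before the Cookie header."""
    return (
        b"GET /app/page.do;jsessionid=ABC123 HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Referer: http://www.example.com/" + b"a" * referer_len + b"\r\n"
        b"Cookie: lang=en; JSESSIONLIST=ABC123\r\n\r\n"
    )


SHORT = request(40)     # constructed: first request of a session
LONG = request(5000)    # constructed: later request with a grown Referer

if __name__ == "__main__":
    for label, raw in (("short", SHORT), ("long", LONG)):
        print(label, analyse(raw))
```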
ACE with sticky http-cookies across two server farms issue
Hi,
We need the same sticky http cookie to be applied to two server farms (which are actually the same servers but listening on different ports in each farm) to persist sessions to the same real backend server.
e.g.
Farm1 (front end HTTP service) - StickyGroup1
rserver1 - 192.168.0.1:80
rserver2 - 192.168.0.2:80
rserver3 - 192.168.0.3:80
Farm2 (SSL front end authentication service) - StickyGroup2
rserver1 - 192.168.0.1:443
rserver2 - 192.168.0.2:443
rserver3 - 192.168.0.3:443
We have setup two Sticky Groups (one for each of the farms above) both using the same cookie name e.g. cookieXYZ
Our service is behind a single virtual server configured as follows (example URL and addresses):
Virtual Server Configuration
Virtual server name: www.somedomain.com
Virtual IP: 2.2.2.2
TCP/443 (https)
SSL Termination - Proxy service name: www.somedomain.com (all keys and certs loaded and correct)
L7 Load Balancing - **inline** rule match HTTP URL:(/AuthenticateMe/).* Action : Sticky, Group: StickyGroup2, SSL Initiation enabled (www.somedomain.com)
Default L7 Load Balancing action : Sticky, Group: StickyGroup1
So normally we would expect users to first hit www.somedomain.com first and therefore Farm1, get cookieXYZ from the ACE (cookie insert is only enabled on StickyGroup1) and then be redirected to www.somedomain.com/AuthenticateMe which matches the inline URL L7 rule which directs the request at Farm2 - at this point we expected the ACE to use cookieXYZ to persist the user to the same real server hit in Farm1 but instead the stickiness doesn't seem to work.
We suspect that the ACE uses IP:port as the unique value in the Cookie ID and therefore the ACE fails to match the same real host in a different farm because we are using a mix of port numbers across farms. Is this correct? Is there another way of accomplishing what we are after with a different configuration but still the same setup with single VIP and multiple services on the backend servers?
Any suggestions or solutions appreciated.
Thanks
Paul
The issue is related to the fact that it's not about persistence because there are only "new" services in the backend in SSL, you want to keep the IP address.
With a little bit of dev, the only way to achieve this is to redirect the user when he has been sent to http and adding a "tag" (cookie / token in the URL), then on the SSL virtual server, when performing SSL offload matching this tag to send the user to the right server. But it will be a 1-to-1 mapping. -
ACE: Different Sticky rules for different URLs
Is there a way to apply different sticky rules (or no sticky at all) depending on the URL for a given site under ACE?
The reason I want to do this is because I have an extremely common URL that chews up sticky resources when it doesn't matter if the URL is sticky. We have several thousand PC's that have a web based screen saver on them that just pull random pages to be displayed on the users' screen when the screen saver kicks in. These pages do not need to be sticky but other pages on the same farm need sticky. Is this possible?
Casey
Create a more specific Layer 7 class map and instead of calling sticky serverfarm use serverfarm.
For example:
sticky http-cookie COOKIE STATIC
  cookie insert browser-expire
  timeout 5
  serverfarm WEBFARM
serverfarm host WEBFARM
  rserver SV1 80
    inservice
  rserver SV2 80
    inservice
class-map match-any APP1-VIP
  2 match virtual-address 10.86.178.160 tcp eq http
class-map type http loadbalance match-all Condition1
  2 match http url .*
  3 match http header Host header-value 172.16.31.*
  4 match http header User-Agent header-value .*MSIE.*
class-map type http loadbalance match-all Condition2
  2 match http url .*
policy-map type loadbalance first-match L7_COOKIE_STATIC
  class Condition1
    serverfarm WEBFARM
  class Condition2
    sticky-serverfarm STATIC
policy-map multi-match CLIENT_VIPS
  class APP1-VIP
    loadbalance vip inservice
    loadbalance policy L7_COOKIE_STATIC
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
Syed -
Cisco ACE 20 - sticky radius attribute not working
Hello to you all
I need your help. I'm trying to create a sticky group applied to my auth serverfarm based on the calling-station-id attribute, but for some reason when I apply the configs, I get no replies from my rservers. I've checked the radius servers, and no packets are getting to them. For some reason, when I create the sticky group the ACE 20 doesn't distribute the traffic at all.
The service-policy is inservice, all the rservers are operational, but there are no replies to my authentication requests, and no entries in the sticky database.
My current configs:
ADMIN context:
resource-class RADIUS-STICKY
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited
context context-radius
  member RADIUS-STICKY
CONTEXT-RADIUS context:
serverfarm host RADIUS-AUTH
  predictor leastconns
  probe RADIUS-PROBE-AUTH
  rserver RADIUS-01
    inservice
  rserver RADIUS-02
    inservice
  rserver RADIUS-03
    inservice
sticky radius framed-ip calling-station-id RADIUS-AUTH
  serverfarm RADIUS-AUTH
  timeout 5
policy-map type loadbalance first-match RADIUS-AUTH
  class class-default
    sticky-serverfarm RADIUS-AUTH
Am I missing anything?
Best wishes
I figured it out
The loadbalance policy-map has to be set as a L7 Radius policy map:
policy-map type loadbalance radius first-match RADIUS-AUTH
  class class-default
    sticky-serverfarm RADIUS-AUTH
It now inspects the Radius packets and is able to apply stickiness. -
ACE Appliance Stickiness Error
Our ACE is configured and seems to be working correctly and now we would like to enable stickiness. We are receiving an error: Error in saving to DB: Can't create sticky because resource is not allocated. We have created system resource class, but not sure how to allocate the resources. We have been reviewing the configuration manuals, but it doesn't seem clear what to do to resolve the error. Any assistance is appreciated. Attached is config example. Thanks, Chris.
context Admin
member
Gilles. -
ACE 4710 Stickiness Configuration
We have the ACE 4710 Ver. A3(2.0) configured and the load balancing is working fine. But we are having a problem keeping a user session on one web server. The website is running on IIS, and it's created using ASP.NET. The user session is bouncing between the two load balancing servers. How can we configure stickiness to solve this issue? Or, what are the recommended solutions?
Here is an example of a sticky config. This will sticky on source address.
sticky ip-netmask 255.255.255.255 address source WebSeal_Sticky
  replicate sticky
  serverfarm WebSeal_Farm
Then apply it-
policy-map type loadbalance first-match WebSeal-Virtual-Server-l7slb
  class class-default
    sticky-serverfarm WebSeal_Sticky
policy-map type loadbalance first-match WebSeal_HTTPS-l7slb
  class class-default
    sticky-serverfarm WebSeal_Sticky
Also check out the configuration guide.
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html
Hope that helps. -
Hi,
We are having ACE as the load balancer
Software running on ACE
loader: Version 12.2[121]
system: Version A2(1.1a) [build 3.0(0)A2(1.1a) adbuild_22:19:41-2008/07/21_
/auto/adbu-rel3/rel_a2_1_1_throttle/REL_3_0_0_A2_1_1A]
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_1a.bin
We have 2 webservers (load balanced) & 2 application servers (load balanced). Cookie based stickiness is currently used on Web & Application servers.
Ideal scenario:
1. Client opens the url http://... There is always a dual session whenever the client opens the url. One is for Java & the other for html.
2. Client--->Webserver1
3. Webserver1---->APP1
Most of the times when the client types the url, the dual sessions go to one Webserver as per round robin (e.g. web server 1) & the webserver 1 communicates with Application server as per round robin (e.g. application server 1).
Problem:
Now at times when the client types the url, the dual sessions get split, which means one session goes to one webserver & the other session goes to second webserver. Ideally it should not, as per the application demands.
When this happens, both the webservers communicate with both the application servers. Here is where the problem happens. The client is asked for the login page again, which indicates that the client has gone to the second application server for the login.
What ideally should happen is the client should stick to the same application server depending upon the sticky timeout.
Foll. is the output of show conns when prob occurs:
Primary-ACE/DMZ2# sh conn serverfarm SF-8888
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
1321 1 in TCP 2504 172.21.46.34:2037 172.24.51.200:8888 ESTAB
1255 1 out TCP 2704 172.24.51.33:8888 172.21.46.34:2037 ESTAB
1108 2 in TCP 2504 172.21.46.34:2036 172.24.51.200:8888 ESTAB
1144 2 out TCP 2704 172.24.51.32:8888 172.21.46.34:2036 ESTAB
Primary-ACE/APP# sh conn serverfarm SF-8888
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
959 2 in TCP 2507 172.24.51.32:58306 172.24.54.200:8888 ESTAB
115 2 out TCP 2707 172.24.54.32:8888 172.24.51.32:58306 ESTAB
651 2 in TCP 2507 172.24.51.33:51030 172.24.54.200:8888 ESTAB
901 2 out TCP 2707 172.24.54.33:8888 172.24.51.33:51030 ESTAB
I have attached the configs.
The web server we are testing is 172.24.51.32 & 33 - port 8888
Application servers - 172.24.54.32 & 33-port 8888
Rgds./Sachin
Sachin~
What is exactly your flow?
Is client hitting the Webserver farm (in web server context) and then Web servers hitting the APPs Servers in the APPS server context?
If that's the case (only Web servers are App server clients and client is not hitting application serverfarm) then you can use source ip based sticky in APP server farm which will ensure that one web server sticks to a particular APP server and it never changes the APP server.
Following example will insert cookie named "MYcookie" in the server responses from APP1 rservers to the client
rserver host App1-Srvr1
  ip address 192.168.1.1
  inservice
rserver host App1-Srvr2
  ip address 192.168.1.2
  inservice
serverfarm host APP1-SFARM
  rserver App1-Srvr1
    inservice
  rserver App1-Srvr2
    inservice
class-map match-any APP1-VIP
  2 match virtual-address 10.10.10.1 tcp eq www
sticky http-cookie MYcookie App1-sticky
  cookie insert
  timeout 720
  replicate sticky
  serverfarm APP1-SFARM
policy-map type loadbalance first-match APP1-POLICY
  class class-default
    sticky-serverfarm App1-sticky
policy-map multi-match VIPS
  class APP1-VIP
    loadbalance vip inservice
    loadbalance policy APP1-POLICY
    loadbalance vip icmp-reply active
HTH
Syed Iftekhar Ahmed -
Hello,
I have running an ACE4710 with around 10 different Services that all need stickiness because of the Application that is balanced.
There are also different Sticky settings set up.
Now in the last days I see the Sticky Table growing much more than weeks ago.
That is easy to see by for example "show stats sticky" or "sh np 1 me-stats "-slb -v"". There I see the summary of Sticky Table entries for all definitions at the whole context.
What I am missing is to get a view which of the 10 Sticky definitions are causing most of the counter increasing. Is there a chance to get an overview
which of sticky definitions causes how many entries in the Sticky Table to get an idea by what service that big increase is done?
Any idea or tip is welcome
Thank you in advance for help.
Gerhard
Gerhard-
show sticky database group count
Issue this for each one, it will tell you what groups are using the most.
Show stats sticky also will tell you if you are starting to re-use sticky entries. This means that we are needing sticky entries prior to them timing out in the table.
Regards,
Chris -
Use of before, secondary , after method in step type activity of workflow.
Hello,
Can anyone tell me any practical scenario where they encountered the use of these methods and how they implemented it?
Thanks
Minal
Add a before method to display something to a user decision.
What is your requirement.
Kind regards, Rob Dielemans -
Is there a way for the ACE to read the cookie value if it has a period in it (.). For example the cookie is ASP.NET_SessionID. The ACE appears to be ignoring the (.). I know I can switch to cookie insert, but was curious if I can work with the (.) in case this comes up in the future.
-
ACE 4710 Sticky Database question
Hello,
I am considering using IP sticky timeout, but have a quick question about the database, is the 800,000 sticky connection per appliance or per context?
Thanks,
Dave
Hi Dave,
"Sticky table entries 800,000" this is per appliance.
You can distribute this resource based on usage per context.
regards,
Ajay Kumar -
Hi,
The Sticky function of the ACE is not working. There were no changes made on the device; it was working fine before but not now.
We have 2 ACE: one is Active (ACE1) and the second one is Standby (ACE2).
Testing done till now:-
================
1) Did the failover from Active (ACE1) to Standby (ACE2).
When ACE2 was Active the Sticky started working fine without any issues.
2) When I did the failover again back from ACE2 to ACE1 the problem arises: Sticky doesn't work any more.
Any suggestion about this strange behaviour?
Thanks in advance.
Regards
Alex.
What version do you run?
What type of sticky method?
Could you get a
- show np 1 me-stats "-slb"
and a
- show np 2 me-stats "-slb"
Possibly get 2 occurrences, one before and one after a test.
Thanks,
Gilles.