ACE sorry server and sticky

Similar Messages

• ACE backup-server and sticky

  Hi all,
  a question:
       if a configure a serverfarm with backup-server
  serverfarm host S_Das
    rserver DAS1
      backup-rserver DAS1_1
      inservice
    rserver DAS_1
      inservice standby
    rserver DAS2
      backup-rserver DAS2_1
      inservice
    rserver DAS_1
      inservice standby
  sticky ip-netmask 255.255.255.255 address both SF_DAS
    timeout 10
    replicate sticky
    serverfarm S_Das
  and rserver DAS1 goes down what will be behaviour of sticky and balancing?
  New connection wel'll go towards DAS2 or a tricky and clever sticky take precedence? (i mean persistence on DAS1_1 that is my backup server..)
  tnx
  Das

  Hi Danilo,
  If your primary rserver goes down the sticky entries associated with that server will be automatically flushed from the sticky table so that
  all new incoming connections will be diverted to your backup rserver.
  In case that primary rserver comes back then:
  - Existing connections on backup keep accessing backup.
  - For new connection requests ACE looks up sticky entries, if there's already an entry for backup server the connections is sent to the standby rserver.
  - If a new client request (connection) doesn't match any sticky entry for backup rserver ACE forwards this request to primary.
  In case that you want to use the primary rserver for all the connections after coming back to operational state then the backup option would be configured like this:
  rserver Primary
  ip address 10.10.10.2
    inservice
  rserver Standby
  ip address 10.10.10.3
    inservice
  serverfarm host Primary
    rserver Primary
      inservice
  serverfarm host Standby
    rserver Standby
      inservice
  policy-map type loadbalance http first-match slb
  class class-default
  serverfarm Primary backup Standby
  HTH

• CSM : Sorry server and Stickyness when reals are overloaded

  Hi,
  I have a portal of eight real servers and one sorry server, which should redirect new user to another portal, in case of an overload condition of all eight real servers. Server load is measured on each real server using a custom developed agent, which basically measures the real CPU load. If a real server experiences an overload, the local agent uses the CSM XML interface to set the maxcons value in the CSM to stop accepting new connections. However, I want to continue accepting sticky connections (request with a valid cookie). The experience shows that the CSM does accept to create new connections to real server reaching maxcons, even if a cookie exist.
  This causes a problem if we want to redirect NEW users to another portal in case of overload, but to keep EXISTING users in the server farm, even if the number of connections could increase slightly above maxconns...
  How can I solve the problem ?
  Thank you
  Yves Haemmerli

  Hi Thomas,
  Thank you for your comment. I also understand this behaviour like you, however this can have a devastating effect in a global portal environment. Imagine, you have three portals distributed over the world, each having let say 8 real servers. In the real life, it is seldom to replicate data in real time between data centers, due to the distance. However, the user roles and customized bookmarks and other user-specific settings are replicated. This allows to provide a global portal to users. But if a user connects to one particular regional portal, he has to stay on this portal for the duration of the whole browser session, do you follow me ? OK, now imagine that all 8 real servers in a portal reach the maxconns, because 10'000 users are connected to the portal. For new users (users with no sticky cookie), we want to send them to another regional portal. This is achieved with the global site selection provided by the GSS for example. But for existing user already connected to the overloaded portal, we want to KEEP them on the portal ! else, as the user browser continuously opens and closes TCP sessions, all 10'000 users will be immediately transferred to the other regional portal! This means the the other regional portal will becom overloaded as well, while the first portal load will be droped to zero very quickly ! Then, we not only create a situation where users loose their data by being transferred to another portal, but we also create a oscillations in the portal load !
  I really don't know if there is a mean to solve this problem...Do you have any idea ?
  Regards,
  Yves Haemmerli

• ACE - Sorry Server

  Here is a description of the problem I am having:
  I have a VIP configured  using 2 serverfarms. ServerFarm-A as the primary and ServerFarm-B as the backup.
  Serverfarm-A (Primary) contains 2 webservers hosting the website
  Serverfarm-B (BackUp) contains 1 server simply hosting a sorry page
  When  Serverfarm-A (Primary) fails, I recieve the sorry page hosted on Serverfarm-B (Backup)
  This action works fine with no issues. I simply click the refresh button on my browser and get the sorry page.
  When Serverfarm-A (Primary) comes back on-line I still recieve the sorry page hosted on Serverfarm-B (Backup)
  The only way I do not recieve the sorry page is if the client deletes its cache from the browser. (This issue occurs in both IE and FireFox)
  I am assuming that since this action does not occur when ServerFarm-A goes down why would it happen the opposite way.
  I have tried several differnt configs recommended by TAC and still no luck.
  I am hoping someone has come across this issue and can help.

  Larry,
  Have you compared the headers that are being sent by the servers in the primary farm with those of the sorry serverfarm? If the sorry servers are marking the content as cacheable but the primary servers are not then you could perhaps configure the sorry servers with the same settings.
  Is the sorry server giving actual application content or just a sorry page telling the user the site is unavailable?
  Also when you refresh is the browser making a new tcp connection to the vip or is it just sending a get on the existing tcp conversation? A wireshark trace on the client would show if it is a new connection or a continuation of the existing one. If the connection is still established and you are just sending another get on the same tcp stream you may want to try and disable connection keepalive on the web server. When the primary farm comes back up only new tcp connections should be sent there. The existing connection will stay on the server they were initially sent to.

• ACE - Balance HTTP and sticky only SSL/TLS

  Hi there,
  I have a situation that I am trying to solve. We have lot of services trough ACE, but now I have to modify one of them, PROXY servers. 
  I have six (6) servers working with Sticky, but with a MASK 255.255.255.0, which produce an unbalanced situation some times, and that affect some servers on depending of how many users connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have arround 700 /24 subnets.
  I want to modify the configuration, specificaly the MASK to 255.255.255.255, which is going to increase a lot Sticky resources. But thinking in optimize Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kind of SSL/TSL traffic (always using port 80 trough proxy servers), so I could use Sticky only  for connections that need it, and leave other HTTP traffic without this feature.
  I´m sorry, may be I'm doing a silly question, but don´t have the experience to make this configuration, and I will apreciate your help.
  Here is the actual configuration:
  probe tcp HTTP
    description Keepalive web servers
    interval 20
    passdetect interval 30
  rserver host Server1
    ip address 10.1.1.1
    inservice
  rserver host Server2
    ip address 10.1.1.2
    inservice
  rserver host Server3
    ip address 10.1.1.3
    inservice
  rserver host Server4
    ip address 10.1.1.4
    inservice
  rserver host Server5
    ip address 10.1.1.5
    inservice
  rserver host Server6
    ip address 10.1.1.6
    inservice
  serverfarm host PRX
    failaction purge
    predictor leastconns
    probe HTTP
    rserver Server1
      inservice
    rserver Server2
       inservice
    rserver Server3
      inservice
    rserver Server4
      inservice
    rserver Server5
      inservice
    rserver Server6
      inservice
  sticky ip-netmask 255.255.255.0 address source sticky-PRX
    timeout 60
    serverfarm PRX
  class-map match-any VIP-PRX
    2 match virtual-address 10.10.10.101 tcp eq www
  policy-map type loadbalance first-match POLICY-L7-PRX
    class class-default
      sticky-serverfarm sticky-PRX
  policy-map multi-match PRX-Balance
    class VIP-PRX
      loadbalance vip inservice
      loadbalance policy POLICY-L7-PRX
      loadbalance vip icmp-reply
  interface vlan 100
    ip address 10.10.10.11 255.255.255.0
    alias 10.10.10.10 255.255.255.0
    peer ip address 10.10.10.12 255.255.255.0
    no normalization
    access-group output SOLO-SLB
    service-policy input PRX-Balance
  Thanks
  Alexis

  You might want to check out this new product called ITD.
  Simple and faster solution:
  ITD provides :
  ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
  No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
  Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
  Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
  IP-stickiness
  Resilient (like resilient ECMP)
  VIP based L4 load-balancing
  NAT (available for EFT/PoC). Allows non-DSR deployments.
  Weighted load-balancing
  Load-balances to large number of devices/servers
  ACL along with redirection and load balancing simultaneously.
  Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
  Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
  Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
  The servers/appliances don’t have to be directly connected to N7k
  Monitoring the health of servers/appliances.
  N + M redundancy.
  Automatic failure handling of servers/appliances.
  VRF support, vPC support, VDC support
  Supported on both Nexus 7000 and Nexus 7700 series.
  Supports both IPv4 and IPv6
  N5k / N6k support : coming soon
  Blog
  At a glance
  ITD config guide
  Email Query or feedback:[email protected]

• CSS 11501 - Balancing vs. Sorry Server

  Hi,
  I need a little advice.
  I have configured my test CSS box with two services. I enabled keepalives and load balancing with one server having a weight of 5, while the other is set to the default.
  Testing has proven successfull in redirecting requests when the primary server (weight 5) is taken offline. However, when it comes back online, not all requests are sent to it, and some requests still go to the secondary server.
  My question:
  If I want all requests to go to the primary server except in the event it is unavailable, should I configure the secondary server as a Sorry server, and not as a load balanced peer? I would effectively be using the Sorry server as a secondary content server.
  Is this workable? Am I missing something?
  Thanks,
  JM

  JM,
  yes you need the sorryserver option if you don't want traffic to go to your backup.
  Whatever weight option you configure, there will always be a fraction of the traffic going to the backup.
  Gilles.

• ACE and secondary sorry server?

  Hi,
  I need to transfer the CSS' concept of the "secondary sorry server" to the ACE.
  My (so far untested) idea is: attaching a backup server-farm to the primary server-farm to get the "sorry server" function; attaching a backup rserver to the rserver used in the backup server-farm to get a backup for the backup.
  Will it work this way?
  Arno

  Cascading serverfarms is restricted to one backup level but you can cascade backup for individual servers.

• ACE 4710 - 'reverse proxy' infront of serverfarm - fail-over/sorry server design issue

  Hi All,
  I'm working on a specific config and have an issue in the backup farm/fail-over/sorry server area.
  The customer wants the following:
  They have an existing serverfarm with X web servers, they want a single server to act as a reverse-proxy in front of the farm.
  So that all traffic goes trough that server, that server then forwards the request to the original serverfarm.
  The problem in my design is in the fail-over, if i configure the reverse-proxy server in a new serverfarm and use the original (web servers) farm as backup it has fail-over, but if the reverse-proxy AND the original serverfarm fail, there is no nice way to get the users on a sorry server.
  I could give the original serverfarms rservers a 'backup standby' server but that won't give the desired effect either.
  For maintance they first take 50% of the servers offline and switch to the other 50% after that, so then users would see a sorry page even if there where operational servers in the farm left.
  The 4710's are running routed mode, and the farms use Sticky Cookie, and also some http URL & Cookie matching is done.
  Anyone have an idea how to build this?

  Hi,
  It need additional testing but as per my understanding if you put the back up in this order then the last backup server will be choosen first.
  In your case it will be like " RSERVER1 >> backup sorry server >> backup web content
  As per the below example:
  I put test 2 as first backup server and test1 as second backup server but if you look at the first part it took rserver test1 as first backup.
  serverfarm host 1313-GIN-GWAP-SDC-80
    rserver RSERVER1
      backup-rserver test1
      inservice
    rserver test1
      inservice standby
    rserver test2
      inservice standby
  regards,
  Ajay Kumar

• CSM : Server overload and sorry-server

  Hi,
  I have a portal of eight real servers and one sorry server, which should redirect new user to another portal, in case of an overload condition of all eight real servers. Server load is measured on each real server using a custom developed agent, which basically measures the real CPU load. If a real server experiences an overload, the local agent uses the CSM XML interface to set the maxcons value in the CSM to stop accepting new connections. However, I want to continue accepting sticky connections (request with a valid cookie). The experience shows that the CSM does accept to create new connections to real server reaching maxcons, even if a cookie exist.
  This causes a problem if we want to redirect NEW users to another portal in case of overload, but to keep EXISTING users in the server farm, even if the number of connections could increase slightly above maxconns...
  How can I solve the problem ?
  Thank you
  Yves Haemmerli

  Try this doc:
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801a51ba.shtml

• Shouldn't ACE 4710 ignore cookie stickiness when the server is down?

  Hello,
  I have implemented sticky load balancing with cookies. The problem is that if one of my two servers in the server farm is down (and even if the ace recognizes it as down via a probe) it keeps sending the requests to the server that is down, obviously because it has set a cookie for this server,
  Shouldn't the ACE ignore the cookie when the server is down?
  Is there a command to ignore cookie stickiness if the server is down? Is there another workaround?
  an example of my config is
  serverfarm host SF_Ebanking
    rserver RS_IAS_1 XXXX
      conn-limit max 4000000 min 4000000
      probe http_probe_ebanking
      inservice
    rserver RS_IAS_2 XXXX
      conn-limit max 4000000 min 4000000
      probe http_probe_ebanking
      inservice
  sticky http-cookie ACE_COOKIE ebanking_sticky
    cookie insert
    replicate sticky
    serverfarm SF_Ebanking
    16 static cookie-value "server01" rserver RS_IAS_1
    24 static cookie-value "server02" rserver RS_IAS_2
  thanks,
  george

  This is not as obvious as you seem to believe.
  ACE will not select a server that is down !!!! Even if the cookie points to that server.
  What might be happening is that the connection from the browser to the ACE has not been killed, so when client sends a new request it reuses the existing connection and ACE does allow an existing connection to be maintain with a dead server by default.
  Try the command 'failaction purge' under the serverfarm.
  This should kill the active connections with the dead server and allow a new connection to be open with the other server even if the cookie points to the dead one.
  Regards,
  Gilles.

• Firefox would take me to yahoo but now it says sorry gone the requested resource is no longer available on this server and there is no forwarding address.

  When I click on my Firefox Icon instead of yahoo coming up I get a page that says 410 Gone. Sorry Gone The requested resource is no longer available on this server and there is no forwarding address. Please remove all references to this resource. Please check the URL for proper spelling and capitalization. If you're having trouble locating a destination on yahoo try visiting the "Yahoo home page" or look through a list of Yahoo's online services. Also you may find what you're looking for if you try searching below (it gives a search box). Below the box it says Please try Yahoo Help Central if you need more assistance. If I click on the words Yahoo Home Page it will them take me to the yahoo home page which is used to do my my just clicking on my Firefox Icon. I would appreciate any help someone could give me. I have removed Firefox from my computer and re-downloaded it with the yahoo download but still get the same screen when I click in the Firefox Icon.

  I just wanted to say thank you to the-edmeister. Your response corrected my problem. Thank you I appreciate it.

• ACE difference beetwen predictor and sticky

  Hi all!
  which is relashionship and difference beetwen predictor and sticky serverfarm?
  Seems a silly question but we've got some hash predictor and i cannot understand how can both live in configuration.
  If i put a serverfarm with predictor hash src address and sticky for cookie and i begin and e-commerce session, after a while i disconnect my PC and change src IP what is rule that take precedence?
  and so on for other examples with mixed predictor and sticky
  thx Dan

  stiky takes precedence.
  If there is no sticky match, we use the predictor.
  G.

• CSS and a Sorry Server

  I have been trying to get my CSS 11506 to redirct to a Sorry Server when our content servers go offline. We thought that we had it working, but after some downtime it turned out that our configuration did not work.
  After extensive reading I can't figure out what is wrong with my config, or if the problem lies else where. I am attaching my config below, can anyone tell me if they see any problems with what I have or if there is something that I need to do in addition to what I have. Thank you for you help, here is the config:
  *************************** GLOBAL ***************************
  no restrict web-mgmt
  no restrict xml
  bypass persistence disable
  snmp community ******read-write
  snmp name "******"
  snmp contact "*******r"
  snmp location "CSS11056"
  snmp trap-host 10.20.1.4 ******
  dns primary 10.20.1.2
  ftp-record ******10.20.1.17 *** des-password
  ibfebcgg6aheuc4h1hfcqhpcubwdxcjb cssgui
  ip route 0.0.0.0 0.0.0.0 10.20.1.1 1 !
  *************************INTERFACE*************************
  interface 1/1
  phy 1Gbits-FD-sym !
  **************************CIRCUIT**************************
  circuit VLAN1
  router-discovery lifetime 1000
  ip address 10.20.1.4 255.255.255.0
  router-discovery
  **************************SERVICE**************************
  service Blade01
  ip address 10.20.1.60
  active
  service Blade02
  ip address 10.20.1.61
  active
  service Blade03
  ip address 10.20.1.62
  active
  service Blade04
  ip address 10.20.1.63
  active
  service sorry
  ip address 10.20.1.41
  active
  !*************************** OWNER***************************
  owner ***
  email-address ******
  content Content1
  vip address 10.20.1.80
  balance aca
  add service Blade01
  add service Blade02
  no persistent
  primarySorryServer sorry
  active
  content Content2
  vip address 10.20.1.81
  add service Blade03
  add service Blade04
  balance aca
  active
  !*************************** GROUP***************************
  group content1nat
  vip address 10.20.1.80
  add destination service Blade01
  add destination service Blade02
  add destination service sorry
  group content2nat
  add destination service Blade03
  add destination service Blade04
  vip address 10.20.1.81
  !**************************** ACL ****************************
  acl 10
  clause 5 permit any 10.20.1.60 destination content ****
  sourcegroup ****
  clause 6 permit any 10.20.1.61 destination content ICC/flippid
  sourcegroup Content1
  clause 99 permit any any destination any
  clause 2 permit any 10.0.0.0 destination content ****
  sourcegroup ****
  apply circuit-(VLAN1)
  clause 7 permit any 10.20.1.41 destination content ****
  sourcegroup Content1

  One problem I can see is that you don't have any keepalives configured under the services, so they will default to a Ping. As long as they respond to ping, it will keep traffic going to those servers.
  What services run on these Servers? We generally recommend you use as higher layer keepalive as possible, so if it is a web server for example, use a HTTP keepalive.
  Have a look here for more info:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/content_lb/guide/KAL.html

• CSS Sorry Server for HTTPS

  How to configure Sorry server for HTTPS (443) port. Sorry server works fine with HTTP, But not with 443
  In the following config if server1 and server2 are down, the HTTP requests goes to the Sorry Server, but for HTTPS nothing is displayed. I am running the sorry server on port 81
  Please suggest
  !************************** SERVICE **************************
  service prisorry
  ip address 10.100.11.11
  keepalive type http
  keepalive port 81
  port 81
  active
  service secsorry
  ip address 10.100.11.12
  keepalive port 81
  keepalive type http
  port 81
  active
  service server1
  ip address 10.100.11.11
  keepalive type http
  keepalive port 80
  active
  service server2
  ip address 10.100.11.12
  keepalive type http
  keepalive port 80
  active
  !*************************** OWNER ***************************
  owner Loadbalancing
  content L4Rule1
  protocol tcp
  add service server2
  add service server1
  port 80
  url "/*"
  vip address 10.100.11.4
  advanced-balance sticky-srcip-dstport
  primarySorryServer prisorry
  secondarySorryServer secsorry
  active
  content L4Rule2
  protocol tcp
  add service server2
  port 443
  add service server1
  vip address 10.100.11.4
  advanced-balance sticky-srcip-dstport
  primarySorryServer prisorry
  secondarySorryServer secsorry
  application ssl
  active
  content L4Rule3
  add service server2
  protocol tcp
  port 1443
  add service server1
  vip address 10.100.11.4
  advanced-balance sticky-srcip-dstport
  primarySorryServer prisorry
  secondarySorryServer secsorry
  active
  Thanks

  I just deployed a couple 11050's the other day so my experience is limited, but I'd guess your problem is that, when using the Primary Sorry Server, you end up with clients sending HTTPS requests to an HTTP port. Having HTTPS requests redirected to HTTP ports is one thing because the client then makes an HTTP request to that port, but the way you have it above, it appears to me that the client will be talking HTTPS to port 81 on the Sorry Server, which is listening for HTTP.

• ACE Backup-server failover

  I'm having trouble with the functionality of backup servers in a serverfarm.
  Lets say I have three rservers in a serverfarm. Each rserver has a backup-server assigned to it. When a probe detects that one of the three nodes failed, the ACE puts the backupserver in rotation for the whole serverfarm. This causes one out of three connections to show a "under construction" page. However two of the three nodes are still functioning, but users randomly see a construction page, which confuses them.
  Is there a way to configure the ACE to follow this procedure?
  One server fails a probe, take server out of rotation
  Second server fails a probe, take server out of rotation
  Third server fails a probe, take server out of rotation
  Place backupserver in rotation for the whole farm
  When one server comes back online, put it inservice and take backupserver out of rotation.
  The intent is for the rservers to be self-sufficient making server administrators not have to have any knowledge of ACE and need to login and manually place a serever out of service. I want a probe to detect IIS failing and allow server administrators to work on one node at a time without an outage, and still retain a construction page if all nodes fail.

  Hi,
  Probably, you may need a "sorry server" configuration but also there´s another way which you may take into account which backup serverfarm, please take a look:
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/classlb.html
  backup
  name2
  —(Optional)  Designates an existing host (with valid content) or a redirect (sorry)  server farm as a backup server farm in case all the real servers in the  primary server farm become unavailable. You can configure one backup  server farm for each existing primary server farm. When at least one  server in the primary server farm becomes available again, the ACE sends  all new connections back to the primary server farm. The ACE allows  existing connections to the backup server farm to complete."
  Regards,
  Jorge