Ace Sticky Configuration

Hi Guys,
I'm trying to set up a sticky configuration on an ACE module in a 6500.
I've got the load balancing working happily but need to amend the config to add stickiness.
As far as I know the first command is something along the lines of...
sticky http-cookie COOKIENAME STICKYGROUP
however when I put this in I get the following error.
Error: Sticy resource not available
I suspect that I'm missing something obvious.
Any assistance is greatly appreciated.
Regards
Steve

By default all the resources are available to ACE contexts except the sticky resource.
You need a resource class with the sticky resource defined and this class applied to the context.
For example:
resource-class GOLD
  limit-resource sticky minimum 1 maximum equal-to-min
Thanks
Syed Iftekhar Ahmed

Similar Messages

  • Cookie stickiness configuration issue with Cisco ACE

    Hi,
    We have configured an ACE (in standby mode) with ip netmask stickiness and wanted to configure cookie stickiness for a Remedy server placed behind the ACE. BMC has said that they use the JSESSIONID field in the Remedy application and I want to know the procedure for configuring the ACE to see this field and deploy the cookie stickiness feature on the ACE.
    We tried configuring the ACE to learn the cookie string dynamically and tried to insert the cookie in the server response to the client, but both methods have failed and the user is not able to see the Remedy app webpage on both occasions.
    Are there any prerequisites to be configured on the ACE before configuring the cookie stickiness feature? We would appreciate your timely response.
    Thanks in advance.

    Hi,
    Refer to the document below for a sample configuration. If this still doesn't work, a full config and sniffer capture are required to verify this.
    http://docwiki.cisco.com/wiki/Session_Persistence_Using_Cookie_Learning_on_the_Cisco_Application_Control_Engine_Configuration_Example
    Regards,
    Siva

  • Backup rserver with sticky configured

    Hi,
    I would like to ask regarding the configuration for the backup rserver with sticky configured. 
    This is not documented in the Cisco guides.
    Suppose the real server1 fails and connections are diverted to server2. Then server1 resumes service. What happens to existing connections on server2 and the new connections?
    serverfarm SFARM1
      rserver SERVER1
        backup-rserver SERVER2
        inservice
      rserver SERVER2
        inservice standby

    - Existing connections keep accessing server2.
    - If a new client request (connection) matches a sticky entry for server2, ACE forwards this request to server2.
    ACE looks up sticky entries and uses server2 since standby state is handled as UP.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/rsfarms.html#wp1000385
    - If a new client request (connection) doesn't match any sticky entry for server2, ACE forwards this request to server1.
    If you want to use server1 after coming back OPERATIONAL, I recommend you use 'backup serverfarm' without sticky option as below.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/sticky.html#wp1137791
    serverfarm SFARM1
      rserver SERVER1
        inservice
    serverfarm SFARM2
      rserver SERVER2
        inservice
    sticky ip-netmask 255.255.255.255 address both sticky_ip
      serverfarm SFARM1 backup SFARM2
    The following is a test result of standby rserver and sticky ip.
    ACE20a/Admin# sh rserver
    rserver              : sv1, type: HOST
    state                : OPERATIONAL (verified by arp response)
                                                    ----------connections-----------
           real                  weight state        current    total
       ---+---------------------+------+------------+----------+--------------------
       serverfarm: sf
           192.168.72.11:0       8      PROBE-FAILED 0          2
    rserver              : sv2, type: HOST
    state                : OPERATIONAL (verified by arp response)
                                                    ----------connections-----------
           real                  weight state        current    total
       ---+---------------------+------+------------+----------+--------------------
       serverfarm: sf
           192.168.72.12:0       8      OPERATIONAL  0          8
    ACE20a/Admin#
    !___ access from client to ACE vip
    ACE20a/Admin# sh sticky database
    sticky group : sticky_ip
    type         : IP
    timeout      : 1440          timeout-activeconns : FALSE
      sticky-entry          rserver-instance                 time-to-expire flags
      ---------------------+--------------------------------+--------------+-------+
      13882423967172020068  sv2:0                            86384          -
    !___ ACE learns client address and registers the entry
    ACE20a/Admin#
    ACE20a/Admin# sh rserver
    rserver              : sv1, type: HOST
    state                : OPERATIONAL (verified by arp response)
                                                    ----------connections-----------
           real                  weight state        current    total
       ---+---------------------+------+------------+----------+--------------------
       serverfarm: sf
           192.168.72.11:0       8      OPERATIONAL  0          2
    !___ return OPERATIONAL
    rserver              : sv2, type: HOST
    state                : OPERATIONAL (verified by arp response)
                                                    ----------connections-----------
           real                  weight state        current    total
       ---+---------------------+------+------------+----------+--------------------
       serverfarm: sf
           192.168.72.12:0       8      STANDBY      0          9
    !___ return STANDBY
    ACE20a/Admin# sh sticky database
    sticky group : sticky_ip
    type         : IP
    timeout      : 1440          timeout-activeconns : FALSE
      sticky-entry          rserver-instance                 time-to-expire flags
      ---------------------+--------------------------------+--------------+-------+
      13882423967172020068  sv2:0                            86356          -
    !___ ACE keeps sticky entry to server2.
    ACE20a/Admin#
    !___ access from client with new syn packet
    ACE20a/Admin# sh sticky database
    sticky group : sticky_ip
    type         : IP
    timeout      : 1440          timeout-activeconns : FALSE
      sticky-entry          rserver-instance                 time-to-expire flags
      ---------------------+--------------------------------+--------------+-------+
      13882423967172020068  sv2:0                            86389          -
    !___ use this sticky entry (time-to-expire flag is reset) and send packets to server2
    ACE20a/Admin#
    ACE20a/Admin# sh ver | i image
      system image file: [LCP] disk0:c6ace-t1k9-mz.A2_3_1.bin

  • ACE 4710 Stickiness Configuration

    We have the ACE 4710 Ver. A3(2.0) configured and the load balancing is working fine. But we are having a problem keeping a user session on one web server. The website is running on IIS, and it's created using ASP.NET. The user session is bouncing between the two load balancing servers. How can we configure stickiness to solve this issue? Or, what are the recommended solutions?

    Here is an example of a sticky config. This will stick on the source address.
    sticky ip-netmask 255.255.255.255 address source WebSeal_Sticky
      replicate sticky
      serverfarm WebSeal_Farm
    Then apply it:
    policy-map type loadbalance first-match WebSeal-Virtual-Server-l7slb
      class class-default
        sticky-serverfarm WebSeal_Sticky
    policy-map type loadbalance first-match WebSeal_HTTPS-l7slb
      class class-default
        sticky-serverfarm WebSeal_Sticky
    Also check out the configuration guide.
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html
    Hope that helps.

  • ACE Sticky Connections, Show Conn Output and Show serverfarm

    Hi Community,
    I'm deploying a Cisco ACE module and I have some questions about sticky connections and about the output of the show conn command and show serverfarm command.
    I have the following configuration:
    rserver host srv_1
      ip address 10.4.11.14
      inservice
    rserver host srv_2
      ip address 10.4.11.18
      inservice
    serverfarm host farm_144
      rserver srv_1 144
        weight 1
        inservice
      rserver srv_2 144
        weight 3
        inservice
    sticky ip-netmask 255.255.255.255 address source st_host144
      timeout 10080
      serverfarm farm_144
    class-map match-all vip_144
      2 match virtual-address 10.4.11.208 tcp eq 143
    policy-map type loadbalance first-match lb_144
      class class-default
    policy-map multi-match policy_vip_webcache
      class vip_webcache_144
        loadbalance vip inservice
        loadbalance policy lb_144
        loadbalance vip icmp-reply active
        nat dynamic 411 vlan 411
    We can assume that service policy was applied at the interface vlan. So, let's go to the questions:
    1- If sticky is enabled the output command "show conn" should show just one entry by ip address?
    The real output is:
    DC01-ACE-01-PRIMARY-SW1/context_servidores# show conn | inc :143
    333046     1  in  TCP   411  10.2.158.87:3616      10.4.11.208:143       ESTAB
    286390     3  in  TCP   411  10.2.158.87:3562      10.4.11.208:143       ESTAB
    310233     1  in  TCP   411  10.1.5.87:3424        10.4.11.208:143       ESTAB
    Note that the IP address 10.2.158.87 is shown 2 times. At times, the same IP address is shown 4 times to the same VIP and the same port. Is it normal behavior?
    2- According to the configuration, srv_2 has weight 3 and srv_1 has weight 1, but the output of show serverfarm shows something strange:
    DC01-ACE-01-PRIMARY-SW1/context_servidores# show serverfarm farm_144
     serverfarm     : farm_144, type: HOST
     total rservers : 2
     state          : ACTIVE
     DWS state      : DISABLED
     ---------------------------------
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: srv_1
           10.4.11.14:144        1   OPERATIONAL     11         386        0
       rserver: srv_2
           10.4.11.18:144        3   OPERATIONAL     35         66         0
    We can see that the weight is working well, but the total of connections is higher at srv_1 than srv_2. Why?
    Can somebody help me better understand this problem, or whether it's normal behavior?
    Thanks in advance!!

    Hi Gaurav,
    About question 1, I got some information too. It's perfectly normal for the client to open 2 or more connections at the same time. The client's application is responsible. We removed the ACE and put the client directly to the server and the result of the total connections opened was the same.
    About question 2, I made some "clears" on the serverfarm, the sticky database and after that, the numbers were more real.
    DC01-ACE-02-SECONDARY-SW1/context_servidores# sh serverfarm farm_webcache_144
    serverfarm     : farm_webcache_144, type: HOST
    total rservers : 2
    state          : ACTIVE
    DWS state      : DISABLED
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: srv_webcache_1
           10.4.11.14:144        1   OPERATIONAL     1025       15499      4436
       rserver: srv_webcache_2
           10.4.11.18:144        2   OPERATIONAL     1794       33471      471
    DC01-ACE-02-SECONDARY-SW1/context_servidores#
    Anyway thank you very much for your feedback.
    Plínio Monteiro

  • ACE sticky cookie value

    Hello,
    I have the following configuration:
    sticky http-cookie STICKY_TMP STICKY_TMP
      cookie insert ...
    Cookies are sent and stickiness works. Everything is ok... Almost :-)
    Now I have a question regarding value of cookies created by ACE.
    Currently cookies have values that look like this "R4224709512"
    Is it possible to change this value so it reflects the target node that processes requests for this sticky session. This cookie could contain i.e. ip address of real server.
    Arrowpoint cookie on CSS1150 worked this way...
    Another question. How do I identify this cookie value with sticky-entries in "show sticky database static" output?
    This command doesn't show anything like R4224709512, but only numbers like 18293255029648678255
    best regards
    Kuba

    I am using ACE with version A3(2.1).
    The "sticky-entry" in "show sticky data static" is a hash of the cookie value set by ACE for the real server, so you need to use "show sticky database http-cookie" to determine which server is serving the client.
    ACE-1/routed(config-pmap-lb-c)# do show sticky database http-cookie
    sticky group : web-sticky
    type : HTTP-COOKIE
    timeout : 5 timeout-activeconns : FALSE
    sticky-entry rserver-instance time-to-expire flags
    ---------------------+----------------------+--------------+-------+
    16820511103801384579 lnx1:0 0 -
    sticky group : web-sticky
    type : HTTP-COOKIE
    timeout : 5 timeout-activeconns : FALSE
    sticky-entry rserver-instance time-to-expire flags
    ---------------------+----------------------+--------------+-------+
    3347854103021350619 lnx2:0 0 -
    ..sometimes they'd only show up w/ the static instead of the cookies option for some reason.
    found some explanation about this:
    http://docwiki.cisco.com/wiki/Session_Persistence_Using_Cookie_Learning_on_the_Cisco_Application_Control_Engine_Configuration_Example
    There is a difference between inserting an ACE-generated cookie or using one learned by the ACE. The cookie-insert feature creates a static cookie.
    To look at static cookies you need to use the command:
    show sticky database static
    if you try static cookie (cookie inserted by ACE), the value is placed in the static sticky table at the time of configuration...
    so no need to send traffic, once the static sticky config is in place, you should see an entry with 'show sticky database static'.
    Do not try to filter the table with some other parameters...they do not work until A2(1.4)
    There are 2 databases:
    One for static entries and one for dynamic entries.
    Every show command that does not include the static keyword will look into the dynamic database.
    So, you won't see anything by using those commands.
    You could perform some tests to identify which cookie is sent to which server.
    The cookie value is static, so the number of values is limited to the number of servers.
    There is a dynamic cookie learning feature available in ACE.
    Kindly tell me if you want to discuss that.
    Kindly rate if possible.
    Kind regards,
    Sachin garg

  • ACE Stickiness Question

    Hi Folks,
    First of all I am new to the job and have very little ACE experience. I work on a large campus. We have two 6513s with an ACE blade in each. A few contexts are configured for different applications. Basically the server guys have come to me and asked me to enable stickiness on one of their contexts.
    Now I am sure this is basic stuff to ye guys but I am just wondering what I need to do? Can I implement this on the fly without causing an outage? I have cut and pasted the relevant context below, and added the changes I think need to be made. Do you guys think this will work and will it cause any outage?
    I appreciate any help at all guys:
    Here is current config:
    probe tcp APPS-PROBE
      port 8080
      interval 3
      passdetect interval 5
    parameter-map type ssl SSL-APPS-ADVANCED
      cipher RSA_WITH_RC4_128_MD5
    rserver host SERVER1
      ip address 10.10.10.1
      inservice
    rserver host SERVER2
      ip address 10.10.10.2
      inservice
    ssl-proxy service SSL-APPS-PROXY
      key appfiles.pem
      cert appfilesCAcert
      chaingroup APPFILES-CHAINGRP
      ssl advanced-options SSL-APPS-ADVANCED
    serverfarm host APPS-FARM
      predictor leastconns
      probe APPS-PROBE
      rserver SERVER1 8080
        inservice
      rserver SERVER2 8080
        inservice
    class-map match-any APPS-VIP
      2 match virtual-address 10.10.10.4 tcp eq https
    policy-map type management first-match MGT-POLICY
      class class-default
    policy-map type loadbalance first-match APPS-POLICY
      class class-default
        serverfarm APPS-FARM
    policy-map multi-match APPSPOLICY
      class APPS-VIP
        loadbalance vip inservice
        loadbalance policy APPS-POLICY
        loadbalance vip icmp-reply active
        ssl-proxy server SSL-APPS-PROXY
    service-policy input APPSPOLICY
    Will adding the following to the context make stickiness work?
    sticky ip-netmask 255.255.255.255 address source STICKY-APPS-FARM
      timeout 720
      timeout activeconns
      replicate sticky
      serverfarm APPS-FARM
    policy-map type loadbalance first-match APPS-POLICY
      class class-default
        sticky-serverfarm STICKY-APPS-FARM
    I am really lost on this and only getting this from looking at stickiness on other configs. Can you guys advise will this work.

    Also look at the following :
    www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/vlansif.html
    Autogenerating a MAC Address for a VLAN Interface
    By default, the ACE does not allow traffic from one context to another  context over a transparent firewall. The ACE assumes that VLANs in  different contexts are in different Layer 2 domains, unless it is a  shared VLAN. The ACE allocates the same MAC address to the VLANs.
    When you are using a firewall service module (FWSM) to bridge traffic  between two contexts on the ACE, you must assign two Layer 3 VLANs to  the same bridge domain. To support this configuration, these VLAN  interfaces require different MAC addresses.
    To enable the autogeneration of a MAC address on a VLAN interface, use the mac address autogenerate command in interface configuration mode. The syntax of this command is as follows:
    mac address autogenerate
    For example, enter:
    host1/Admin(config-if)# mac address autogenerate
    To disable MAC address autogeneration on the VLAN, use the no mac address autogenerate command. For example, enter:
    host1/Admin(config-if)# no mac address autogenerate

  • ACE: sticky serverfarm

    Dear all,
    I do have a question about the configuration option of a sticky serverfarm. There is an option to timeout active conns. Originally my thinking was that this option changes the sticky behaviour to a session timeout instead of an idle timeout. While testing, this seems to be not correct.
    sticky http-cookie myCookie myStickyServerfarm
      timeout 10
      timeout activeconns
      replicate sticky
      serverfarm myServerfarm backup mySorryfarm
    The manual explains it like this:
    Configuring a Cookie Sticky Timeout
    The sticky timeout specifies the period of time that the ACE keeps the HTTP cookie sticky information for a client connection in the sticky table after the latest client connection terminates. The ACE resets the sticky timer for a specific sticky-table entry each time that the module opens a new connection that matches that entry.
    This brings me to the question, what is this option used for? The only difference I can see is that an HTTP connection which is open for longer than the timeout value (here 10 min) will be kicked out, and in the meantime this sticky entry isn't used (otherwise the idle time would be reset).
    Are there any other explanations what this feature can do?
    best regards
    Oliver

    Hi Oliver,
    I'm afraid the official documentation is not very clear on this section.
    The sticky timeout doesn't count since the moment that the last connection is closed, but since it's established. However, by default it will not remove the sticky entry as long as there are connections still active. This is what can be tuned with the "timeout activeconns".
    When the "timeout activeconns" option is present, the ACE will remove the sticky entry as soon as the timer is reached, regardless of whether there are active connections or not.
    I hope this answers your question, but if you want some further clarification, let me know.
    Regards
    Daniel

  • ACE sticky problem

    Hi,
    I have an issue with sticky server that I'm hoping might just be a command I'm missing.
    I am inserting a cookie and the sticky works fine.
    When my browser has a successful sticky connection I take the server that has the sticky connection out of service. I try to make another connection; I see the connection round robin to all remaining servers but I don't get a successful connection, and I do see the connection failure count increment on all other servers in the farm. Only when I bring the server back into service can I get a successful connection.
    Any advice appreciated.
    Sticky config below.
    sticky http-cookie WEB-Cookie-1 WEB-Sticky-1
      cookie insert
      serverfarm WEB-SERVERS-80
    Code
    Version A3(2.0) [build 3.0(0)A3(2.0
    Thanks
    Chris

    Hello Chris, this will be an easy fix for you. The command you are looking for is defined under the serverfarm in which you are creating sticky entries against. You need to add a failaction. I'm pasting the command syntax and options for the command. Based on your brief description, failaction purge will give you the desired result:
    (config-sfarm-host) failaction
    To configure the action that the ACE takes if a real server in a server farm goes down, use the failaction command. Use the no form of this command to reset the ACE to its default of taking no action when a server fails.
    failaction {purge | reassign [across-interface]}
    no failaction
    Syntax Description
    purge
    Specifies that the ACE remove the connections to a real server if that  real server in the server farm fails after you configure this command.  The appliance sends a reset (RST) both to the client and to the server  that failed.
    reassign
    Specifies that the ACE reassigns existing server connections to the  backup real server, if a backup real server is configured. If no backup  real server is configured, this keyword has no effect.
    across-interface
    (Optional) Instructs the ACE to reassign all connections from the failed  real server to a backup real server on a different VLAN that is  commonly referred to as a bypass VLAN. By default, this feature is  disabled.

  • ACE - Sticky using XFF client value

    Might be a stupid question... but we have a situation where client traffic is LB to our proxy infrastructure; at the LB the XFF client address is inserted into the header and source sticky is enabled. We now need to LB to additional servers (more than within our proxy infrastructure) downstream from our proxy servers and retain the client sessions. If we use source sticky we will have a one-to-one relationship with the downstream servers. This we don't want, as we want to spread the load across all downstream servers. My question is: instead of source IP sticky, could we use say the XFF info or something else to stick sessions to the downstream servers?

    Hi,
    So your proxy server will need to contact different servers through loadbalancer?
    You can use cookies for the same and make the ACE insert the cookie. I haven't tried using the XFF header and value for sticky but ACE lets you configure it so it can be tried too.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • ACE sticky inconsistent

    I don't seem to be getting a round robin effect on any of the 8 web servers being load balanced.
    Example from sh sticky database group GROUPn:
      4427481407323410243   WEB-SRV2:0             0              -
      2452774824762134266   WEB-SRV1:0             0              -
      8113453920705035427   WEB-SRV1:0             0              -
      17215884597540077782  WEB-SRV1:0             0              -
      123286896185049456    WEB-SRV2:0             0              -
      13101217844384152730  WEB-SRV2:0             0              -
      8462688148628735445   WEB-SRV2:0             0              -
      8799530925601492925   WEB-SRV1:0             0              -
      9158066764881164093   WEB-SRV1:0             208            -
      4233929232369710669   WEB-SRV1:0             469            -
      652881741833831225    WEB-SRV1:0             730            -
      11929551358522611685  WEB-SRV2:0             935            -
      2201018326228455336  WEB-SRV2:0             1024           -
      540836670260610939    WEB-SRV2:0             1406           -
      4341078594550796939   WEB-SRV1:0             1567           -
    MY STICKY CONFIG
    sticky http-cookie JSESSIONID GROUP6
      replicate sticky
      serverfarm WEB_FARM1_FARM
    any ideas ?
    Thanks in advance

    Configs - ip etc removed
    rserver host WEB-SRV1
       ip address nnnnn
      probe SRV_PROBE
      inservice
    rserver host WEB-SRV2
      ip address nnnnn
      probe SRV_PROBE
      inservice
    serverfarm host WEB_FARM
        rserver WEB-SRV1
        inservice
      rserver WEB-SRV2
        inservice
    serverfarm host HTTPS_FARM
        rserver WEB-SRV1 443
        inservice
      rserver WEB-SRV2 443
        inservice
    ssl-proxy service NAME_SSL_PROXY
      key name.key
      cert name.crt
      chaingroup NAME_CHAINGP
    sticky http-cookie JSESSIONID GROUP1
      replicate sticky
      serverfarm WEB_FARM
    class-map match-all HTTPS_VIP
      2 match virtual-address nnnn tcp eq https
    class-map match-all WEB_VIP
      2 match virtual-address nnnn tcp eq www
    policy-map type loadbalance first-match HTTPS_LB_POL
      class class-default
        sticky-serverfarm GROUP1
        insert-http X-Forward-For header-value "%is"
        ssl-proxy client NAME_SSL_PROXY
    policy-map type loadbalance first-match WEB_LB_POL
      class class-default
        sticky-serverfarm GROUP1
        insert-http X-Forward-For header-value "%is"
    policy-map multi-match CLIENT_VIPS
      class WEB
        loadbalance vip inservice
        loadbalance policy WEB_LB_POL
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 151
    policy-map multi-match HTTPS_VIPS
      class HTTPS
        loadbalance vip inservice
        loadbalance policy HTTPS_LB_POL
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 151
    interface vlan 15
      description WEB DMZ
      ip address nnn 255.255.255.192
      alias nnn  255.255.255.192
      peer ip address nnn  255.255.255.192
      no normalization
      no icmp-guard
      access-group input any
      access-group output any
      nat-pool 1 nnn nnn+1 netmask 255.255.255.192 pat
      service-policy input REMOTE_MGT
      no shutdown
    interface vlan 90
      description CLIENT-FACING VLAN
      ip address nnn 255.255.255.240
      alias nnn 255.255.255.240
      peer ip address nnn 255.255.255.240
      mtu 1500
      no normalization
      no icmp-guard
      access-group input any
      access-group output any
      service-policy input REMOTE_MGT
      service-policy input HTTPS_VIPS
      service-policy input CLIENT_VIPS
      no shutdown
    The topology is active/active; the NAT is to route traffic back the way it came in. The servers have static routes configured to work with the ACE NAT.
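
Before concluding that distribution is broken, it helps to count who owns the sticky entries. The following is an added example, not part of the original posts: it parses pasted `show sticky database` output and tallies entries per real server. The function names are hypothetical, the entry rows are the ones quoted in the post above, and the group and column header lines are constructed.

```python
"""Tally `show sticky database` entries per sticky group and real server."""
import re
from collections import defaultdict

GROUP_RE = re.compile(r"^\s*sticky group\s*:\s*(\S+)")
# Columns: sticky-entry (hash), rserver-instance (name:port), time-to-expire, flags
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+):(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_sticky_database(text, default_group="(no group header)"):
    """Return {group: [(entry_hash, rserver, time_to_expire), ...]}.

    Header, separator, prompt and annotation lines match neither pattern
    and are skipped, so pasted CLI output can be fed in unchanged.
    """
    groups = defaultdict(list)
    current = default_group
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry_hash, rserver, _port, tte, _flags = m.groups()
            groups[current].append((int(entry_hash), rserver, int(tte)))
    return dict(groups)


def tally(entries):
    """Count entries per rserver, split by zero / non-zero time-to-expire."""
    counts = defaultdict(lambda: {"total": 0, "tte_zero": 0, "tte_nonzero": 0})
    for _hash, rserver, tte in entries:
        c = counts[rserver]
        c["total"] += 1
        c["tte_zero" if tte == 0 else "tte_nonzero"] += 1
    return {name: dict(c) for name, c in counts.items()}


def unused_rservers(counts, farm_members):
    """Farm members (names supplied by the caller) that own no sticky entry."""
    return [name for name in farm_members if name not in counts]


# Group/column header lines are constructed; entry rows are from the post.
SAMPLE = """\
sticky group : GROUP6
  sticky-entry          rserver-instance       time-to-expire flags
  ---------------------+----------------------+--------------+-------+
  4427481407323410243   WEB-SRV2:0             0              -
  2452774824762134266   WEB-SRV1:0             0              -
  8113453920705035427   WEB-SRV1:0             0              -
  17215884597540077782  WEB-SRV1:0             0              -
  123286896185049456    WEB-SRV2:0             0              -
  13101217844384152730  WEB-SRV2:0             0              -
  8462688148628735445   WEB-SRV2:0             0              -
  8799530925601492925   WEB-SRV1:0             0              -
  9158066764881164093   WEB-SRV1:0             208            -
  4233929232369710669   WEB-SRV1:0             469            -
  652881741833831225    WEB-SRV1:0             730            -
  11929551358522611685  WEB-SRV2:0             935            -
  2201018326228455336  WEB-SRV2:0             1024           -
  540836670260610939    WEB-SRV2:0             1406           -
  4341078594550796939   WEB-SRV1:0             1567           -
"""

if __name__ == "__main__":
    for group, entries in parse_sticky_database(SAMPLE).items():
        counts = tally(entries)
        print(f"sticky group {group}: {len(entries)} entries")
        for name in sorted(counts):
            c = counts[name]
            share = 100.0 * c["total"] / len(entries)
            print(f"  {name:<12} total={c['total']:<3} ({share:4.1f}%) "
                  f"tte=0:{c['tte_zero']} tte>0:{c['tte_nonzero']}")
        # Farm membership as posted in the config above (two rservers).
        print("  rservers with no entries:",
              unused_rservers(counts, ["WEB-SRV1", "WEB-SRV2"]) or "none")
```

Pass the farm's full member list to `unused_rservers` to see which real servers never received a sticky entry.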

  • ACE sticky config

    In Cisco ACE, please tell me a configuration example for the following sticky and round-robin load balancing based on URL matching.
    if sv=001 and type=100 included in URL, stick to 10.0.1.1:8080
    if sv=001 and type=100 included in URL, stick to 10.0.1.2:8080
    if sv=001 and type=100 included in URL, stick to 10.0.1.3:8080
    else
    if sv=001 included in URL, stick to 10.0.1.1:80
    if sv=001 included in URL, stick to 10.0.1.2:80
    if sv=001 included in URL, stick to 10.0.1.3:80
    else
    round-robin to any of 10.0.1.1:80, 10.0.1.2:80, 10.0.1.3:80
    Thank you.

    Hi,
    You can do sticky in a number of ways, but I will just assume that you are ok using cookies. Remember that you will need to configure a resource class in the admin context in order to use sticky. I'm going to use 1.1.1.1 as an example for the VIP, using http. Also I am assuming you are using a single ACE (no FT). Remember to configure probes as well.
    Here's the example:
    rserver host server1
      ip address 10.0.1.1
      inservice
    rserver host server2
      ip address 10.0.1.2
      inservice
    rserver host server3
      ip address 10.0.1.3
      inservice
    serverfarm host sv-and-type-farm
      rserver server1 8080
        inservice
      rserver server2 8080
        inservice
      rserver server3 8080
        inservice
    serverfarm host sv-farm
      rserver server1 80
        inservice
      rserver server2 80
        inservice
      rserver server3 80
        inservice
    sticky http-cookie SV001TYPE100 sv-and-type-cookie
      cookie insert browser-expire
      timeout 60
      serverfarm sv-and-type-farm
    sticky http-cookie SV001 sv-cookie
      cookie insert browser-expire
      timeout 60
      serverfarm sv-farm
    class-map match-all vip
      2 match virtual-address 1.1.1.1 tcp eq www
    class-map type http loadbalance match-all sv-and-type
      2 match http url .*sv=001.*
      3 match http url .*type=100.*
    class-map type http loadbalance match-all sv
      2 match http url .*sv=001.*
    policy-map type loadbalance first-match l7slb
      class sv-and-type
        sticky-serverfarm sv-and-type-cookie
      class sv
        sticky-serverfarm sv-cookie
      class class-default
        serverfarm sv-farm
    policy-map multi-match int-policy
      class vip
        loadbalance vip inservice
        loadbalance policy l7slb
        loadbalance vip icmp-reply active
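
Added example (not part of the original thread, and not Cisco code): a small Python model of how the posted `l7slb` policy classifies a request and picks a real server, for checking which URLs land in which class before deploying. It assumes the URL patterns are matched against the whole URL including the query string, that class `sv` references the `sv-cookie` sticky group, and it uses a server index as a constructed stand-in for the opaque cookie value the ACE would insert.

```python
import re
from itertools import cycle

# Server farms from the posted config: list of (rserver IP, port).
FARMS = {
    "sv-and-type-farm": [("10.0.1.1", 8080), ("10.0.1.2", 8080), ("10.0.1.3", 8080)],
    "sv-farm": [("10.0.1.1", 80), ("10.0.1.2", 80), ("10.0.1.3", 80)],
}
# Sticky groups: group name -> (cookie name, serverfarm).
STICKY = {
    "sv-and-type-cookie": ("SV001TYPE100", "sv-and-type-farm"),
    "sv-cookie": ("SV001", "sv-farm"),
}
# policy-map l7slb, in order: (class, match-all URL patterns, sticky group or None).
POLICY = [
    ("sv-and-type", [r".*sv=001.*", r".*type=100.*"], "sv-and-type-cookie"),
    ("sv", [r".*sv=001.*"], "sv-cookie"),
    ("class-default", [], None),
]


class L7Policy:
    def __init__(self):
        # One round-robin position per serverfarm (modelling assumption).
        self._rr = {name: cycle(range(len(m))) for name, m in FARMS.items()}

    def classify(self, url):
        """first-match: return the first class whose patterns ALL match the URL."""
        for name, patterns, group in POLICY:
            if all(re.fullmatch(p, url) for p in patterns):
                return name, group
        raise RuntimeError("unreachable: class-default has no patterns")

    def route(self, url, cookies=None):
        """Return (class, (ip, port), cookie to set or None)."""
        cookies = cookies or {}
        name, group = self.classify(url)
        if group is None:
            farm = "sv-farm"  # class-default: plain serverfarm, no stickiness
            return name, FARMS[farm][next(self._rr[farm])], None
        cookie_name, farm = STICKY[group]
        token = cookies.get(cookie_name)
        # Constructed cookie value: the index of the rserver in the farm.
        if token is not None and token.isdigit() and int(token) < len(FARMS[farm]):
            return name, FARMS[farm][int(token)], None
        idx = next(self._rr[farm])
        return name, FARMS[farm][idx], (cookie_name, str(idx))
```

Because the patterns are unanchored, a URL containing `sv=0019` or `subtype=1000` also matches; tighten the expressions if only the exact parameter values should select a farm.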

  • ACE 4700 configuring SSL termination weblogic server 10.3.6

    Hello,
    I'm trying to configure an ACE 4700 so that SSL termination is done on the ACE and HTTP reaches the weblogic server instance.
    I have a working setup of an Apache reverse proxy doing SSL offloading and using a weblogic module, and that works fine.
    Was reading http://docs.oracle.com/cd/E23943_01/web.1111/e13709/load_balancing.htm#i1045186
    Can anyone point me to a working config example for doing this with the ACE4700 or give me some directions here?
    Kind regards,
    Laurens

    Hi Laurens,
    Here is a basic configuration for SSL termination:
    rserver host test
      ip address 10.198.16.98
      inservice
    rserver host test2
      ip address 10.198.16.93
      inservice
    serverfarm host test
      rserver test 80
        inservice
      rserver test2 80
        inservice
    ssl-proxy service TEST
      key cert
      cert cert
    class-map match-all VIPSSL
      2 match virtual-address 10.198.16.122 tcp eq https
    policy-map type loadbalance first-match test
      class class-default
        serverfarm test
    policy-map multi-match clients
      class VIPSSL
        loadbalance vip inservice
        loadbalance policy test
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 112
        ssl-proxy server TEST
    interface vlan 112
      ip address 10.198.16.91 255.255.255.192
      access-group input Allow_Access
      nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
      service-policy input NSS_MGMT
      service-policy input clients
      no shutdown
    Cesar R
    ANS Team

  • ACE NAT configuration - is it possible to use a different source PAT IP per rserver in a serverfarm?

    Hi,
    I've a quick question regarding using PAT (port address translation) on an ACE module specifically for the purpose of load-balancing requests to a cluster of Exchange CAS servers.
    Each CAS server needs to see requests from the same source IP which can be achieved by using source NAT / PAT but due to the scale of this Exchange deployment a single NAT pool with one PAT'd IP will not provide enough ports (i.e. there may well be more than ~64,000 ports required at any one time).
    Is it possible to configure PAT on the ACE so that each individual rserver will see requests from a unique source PAT address, i.e., each rserver sees a different source PAT IP, i.e., in order to provide ~64,000 ports per source PAT IP <-> CAS server pair as opposed to ~64,000 ports shared between all the CAS servers?
    If so, does anyone have any configuration examples (based on a single-armed configuration)?
    TIA

    Hi Tia,
    I don't think we can do this. We can easily configure a different nat pool per serverfarm but not per rserver.
    --Olivier

  • ACE - sticky serverfarm and sorry servers

    Primary serverfarm with stickiness (cookie insert) goes down. Backup serverfarm kicks in with sorry servers. Primary serverfarm comes back up and returning connections still get serviced by the backup farm. The reason for this is explained in the load balancing guide.
    [quote]
    If you want to configure a sorry server farm and you want existing connections to revert to the primary server farm after it comes back up, do not use stickiness.
    [/quote]
    Source: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686ebf.html#wp1060156
    The big question is: how can I offer a serverfarm with stickiness and a sorry serverfarm without stickiness?
    Roble

    Hi Syed,
    unfortunately that's the theory. If you have cookie inserts the clients are still stuck to the sorry servers once they have hit the sorry servers.
    And my sticky group looks exactly like your first example. The documentation is kind of confusing. My interpretation of the quoted text was that if your primary serverfarm is sticky, your backup server farm will also be sticky no matter what you configure. That is actually why I asked.
    If I use dynamic cookies from the application, the clients hop from one rserver to another every 2nd or 3rd connection. The behavior of the stickiness and sorry servers then works like I want it, but the stickiness itself is not consistent.
    1.5a still had this behavior and I think this might be a bug.
    Roble
