ACE: Stickyness, Cookie in URL
Hello,
I have a problem with cookies in the URL if the browser does not support Cookies in the http header.
I'm setting the cookie in the url static , so the URL looks like:
http://testfarm/sticky.cgi?serverid=1.1.1.1
And configure the sticky group:
sticky http-cookie serverid sticky-farm cookie secondary serverid
replicate sticky
serverfarm sticky-farmm 8 static cookie-value "1.1.1.1" rserver server1
16 static cookie-value "1.1.1.2" rserver server2
What's wrong with my configuration?
If the client accepts cookies in the Cookie header anything works but not if the client rejects the cookie.
Hi Gilles,
no, i did not specify a port in the serverfarm or in the realserver.
The configuration looks like this:
sticky http-cookie serverid ST-sticky-farm
cookie secondary serverid
replicate sticky
serverfarm sticky-farm
8 static cookie-value "1.1.1.1" rserver server1
16 static cookie-value "1.1.1.2" rserver server2
policy-map type loadbalance first-match L7-10-1-1-1
class class-default
sticky-serverfarm sticky-farm
policy-map multi-match L4_SLB_POL_external
description L4 Policy fuer SLB ohne NAT
class V-10-1-1-1
loadbalance vip inservice
loadbalance policy L7-10-1-1-1
loadbalance vip icmp-reply active
appl-parameter http advanced-options HTTP-rebalance
class-map match-any V-10-1-1-1
2 match virtual-address 10.1.1.1 tcp eq www
serverfarm host sticky-farm
probe tcp80-i30
rserver server1
inservice
rserver server2
inservice
rserver host server1
ip address 1.1.1.1
inservice
rserver host server2
ip address 1.1.1.2
inservice
Sven
Similar Messages
-
Hello,
I have a following configuration:
sticky http-cookie STICKY_TMP STICKY_TMP
cookie insert ...
Cookies are sent and stickiness works. Everything is ok... Almost :-)
Now I have a question regarding value of cookies created by ACE.
Currently cookies have values that look like this "R4224709512"
Is it possible to change this value so it reflects the target node that processes requests for this sticky session. This cookie could contain i.e. ip address of real server.
Arrowpoint cookie on CSS1150 worked this way...
Another question. How do I identify this cookie value with sticky-entries in "show sticky database static" output?
This command doesn't show anything like R4224709512, but only numbers like 18293255029648678255
best regards
KubaI am using ACE with version A3(2.1).
The “sticky-entry” in "show sticky data static"is a hash of the cookie-value set by ACE for the real server. so you need to use "show sticky database http-cookie " to determine which server are serving the client.
ACE-1/routed(config-pmap-lb-c)# do show sticky database http-cookie
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 0 -
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
3347854103021350619 lnx2:0 0 -
..sometimes they'd only show up w/ the static instead of the cookies option for some reason.
found some explanation about this:
http://docwiki.cisco.com/wiki/Session_Persistence_Using_Cookie_Learning_on_the_Cisco_Application_Control_Engine_Configuration_Example
There is a difference between inserting an ACE-generated cookie or using one learned by the ACE. The cookie-insert feature creates a static cookie.
To look at static cookies you need to use the command:
show sticky database static
if you try static cookie (cookie inserted by ACE), the value is placed in the static sticky table at the time of configuration...
so no need to send traffic, once the static sticky config is in place, you should see an entry with 'show sticky database static'.
Do not try to filter the table with some other parameters...they do not work until A2(1.4)
There are 2 database:
One for static entries and one for dynamic entries.
Every show command that does not include the static keyword will look into the dynamic database.
So, you won't see anything by using those commands.
You could perform some test to identify which cookie is sent to which server.
The cookie value is static, so the number of value is limited to the number of servers.
There is a dynamic cookie learning feature available in ACE.
Kinly tell me if you want to discuus about that.
Kindly rate if possible.
Kind regards,
Sachin garg -
I leverage "cookie insert broswer-expire" to use ACE generated static cookie.
Now I add some additional "static cookie-value "xxx" rserver xxx", in order to make cookie more "meanful" and would be easier for troubleshooting.
But how can I activate the new static cookie, since the previous static cookit never expires? thanks.If I understand you question correctly then
you would like to configure cookie string value when using the COOKIE insert feature.
This was possible in CSS using string command.
With ACE currently you cannot configure a cookie-value for the cookie that is inserted by ACE (-- using cookie-insert feature). ACE
always automatically add a cookie value for the cookie it inserts.
This cookie value is similar to R2482639152
If you use
static cookie-value "xxx" rserver yyy"
The static cookie option will only work if a client happens to come in with
the cookie=xxx. Then that connection will be stuck to rserver yyy.
Syed -
ACE : Stickyness problem with http cookies
Hi,
I am facing a serious problem with stickyness in a e-commerce configuration.
Here is the setup :
An ACE load balance user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via http on port 80
On the Home page, there is a link to allowing the user to login
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP acess and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 441)
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTP
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTPS
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
inservice
rserver HQCHECOM02 80
inservice
serverfarm host ECOM_FARM_TEST_HTTPS
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 443
inservice
rserver HQCHECOM02 443
inservice
The problem :
Let analyse the sequence of events and the value of the http cookie for each of them :
When the the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is sticked to SERVER-1
Then, the user tries to login and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received) !!
The ACE sees the cookie "B" but does not find it in its database for the sticky group ECOM_STICKY_TEST_HTTP
The ACE perform another load balancing decision and selects SERVER-2 ! (instead of SERVER-1)
The page is reloaded, but the name of the user does not appear on it
The question :
As it is not possible to have only one sticky group in this configuration what would be the solution to make sure that the same server is selected for http and https ?
Thank you for any hints,
YvesHi Gilles,
I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load balanced to the second server when returning from HTTPS to HTTP :
It seems that the ACE ignores the static entries !
To make my question clear, I repeat hereafter the setup and the encountered problem :
Here is the setup :
An ACE load balance user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via http on port 80
On the Home page, there is a link to allowing the user to login
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP acess and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 443)
In the ECOM_STICKY_TEST_HTTP stick group the two following cookies are automatically generated :
R105816849 for the server HQCHECOM01
R105852786 for the server HQCHECOM02
In the ECOM_STICKY_TEST_HTTPS stick group the two following cookies are automatically generated :
R355972695 for the server HQCHECOM01
R357158616 for the server HQCHECOM02
I statically configured in the each sticky group the cookies used by the other sticky group, to allow stickiness when the browser switches from HTTP to HTTPS and vice versa :
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
56 static cookie-value "R355972695" rserver HQCHECOM01
64 static cookie-value "R357158616" rserver HQCHECOM02
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
72 static cookie-value "R105816849" rserver HQCHECOM01
80 static cookie-value "R105852786" rserver HQCHECOM02
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
inservice
rserver HQCHECOM02 80
inservice
serverfarm host ECOM_FARM_TEST_HTTPS
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 443
inservice
rserver HQCHECOM02 443
inservice
The problem :
Let analyse the sequence of events and the value of the http cookie for each of them :
When the the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is sticked to SERVER-1
Then, the user tries to login and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received)
The ACE sees the cookie "B" and should use the static cookie entry to select the SERVER-1
But instead, the ACE perform another load balancing decision and selects SERVER-2 !
The page is reloaded, but the name of the user does not appear on it
LiveHTTP Trace on Firefox :
GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105816849; path=/
Date: Mon, 18 Oct 2010 15:31:37 GMT
Server: Apache/2.2.13 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: image/jpeg
Here we switch on HTTPS :
https://ecom.test.toto.com/uk/en/j_spring_security_check
POST /uk/en/j_spring_security_check HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
spring-security-redirect=&j_username=yves144%40yahoo.com&j_password=junon01
Here we see cookie for the same server but for the HTTPS sticky group :
HTTP/1.1 302 Moved Temporarily
Set-Cookie: STICKED-TO=R355972695; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:39 GMT
Server: Apache/2.2.13 (Red Hat)
Location: http://ecom.test.toto.com/uk/en/home
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
Here we switch back to HTTP :
http://ecom.test.toto.com/uk/en/home
GET /uk/en/home HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Here we see that the second server has been wrongly selected !
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-GB
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
http://ecom.test.toto.com/ecom/medias/sys_master/8796174057502/uk.gif
GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Content-Length: 382
Connection: close
Content-Type: image/gif
Hypothesis :
It seems that the static entries are not considered by the ACE... -
ACE : Stickyness with static cookies problem
Hi Gilles
I restart a conversatoion as a question to clarify the situation :
I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load balanced to the second server when returning from HTTPS to HTTP :
It seems that the ACE ignores the static entries !
To make my question clear, I repeat hereafter the setup and the encountered problem :
Here is the setup :
An ACE load balance user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via http on port 80
On the Home page, there is a link to allowing the user to login
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP acess and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 443)
In the ECOM_STICKY_TEST_HTTP stick group the two following cookies are automatically generated :
R105816849 for the server HQCHECOM01
R105852786 for the server HQCHECOM02
In the ECOM_STICKY_TEST_HTTPS stick group the two following cookies are automatically generated :
R355972695 for the server HQCHECOM01
R357158616 for the server HQCHECOM02
I statically configured in the each sticky group the cookies used by the other sticky group, to allow stickiness when the browser switches from HTTP to HTTPS and vice versa :
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
56 static cookie-value "R355972695" rserver HQCHECOM01
64 static cookie-value "R357158616" rserver HQCHECOM02
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
72 static cookie-value "R105816849" rserver HQCHECOM01
80 static cookie-value "R105852786" rserver HQCHECOM02
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
inservice
rserver HQCHECOM02 80
inservice
serverfarm host ECOM_FARM_TEST_HTTPS
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 443
inservice
rserver HQCHECOM02 443
inservice
The problem :
Let analyse the sequence of events and the value of the http cookie for each of them :
When the the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is sticked to SERVER-1
Then, the user tries to login and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received)
The ACE sees the cookie "B" and should use the static cookie entry to select the SERVER-1
But instead, the ACE perform another load balancing decision and selects SERVER-2 !
The page is reloaded, but the name of the user does not appear on it
LiveHTTP Trace on Firefox :
GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105816849; path=/
Date: Mon, 18 Oct 2010 15:31:37 GMT
Server: Apache/2.2.13 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: image/jpeg
Here we switch on HTTPS :
https://ecom.test.toto.com/uk/en/j_spring_security_check
POST /uk/en/j_spring_security_check HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
spring-security-redirect=&j_username=yves144%40yahoo.com&j_password=junon01
Here we see cookie for the same server but for the HTTPS sticky group :
HTTP/1.1 302 Moved Temporarily
Set-Cookie: STICKED-TO=R355972695; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:39 GMT
Server: Apache/2.2.13 (Red Hat)
Location: http://ecom.test.toto.com/uk/en/home
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
Here we switch back to HTTP :
http://ecom.test.toto.com/uk/en/home
GET /uk/en/home HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Here we see that the second server has been wrongly selected !
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-GB
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
http://ecom.test.toto.com/ecom/medias/sys_master/8796174057502/uk.gif
GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Content-Length: 382
Connection: close
Content-Type: image/gif
Hypothesis :
It seems that the static entries are not considered by the ACE...Yves,
you have to specify the destination port
56 static cookie-value "R355972695" rserver HQCHECOM01 80
64 static cookie-value "R357158616" rserver HQCHECOM02 80
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
inservice
rserver HQCHECOM02 80
inservice
Gilles. -
I have ACE 4710 and I need configuration:
I have real web-server with folders : /1/index.html, /2/index.html, /3/index.html
I need to balance virtual service:
If I try to connect URL: http://server/index.html, then ACE balance among
http://real_server/1/index.html,
http://real_server/2/index.html,
http://real_server/3/index.htm
How can I configure ACE ?ACE, can't modify the url.
But it can send redirect.
So you could build 3 redirect rservers, and have ACE loadbalance between them.
rserver redirect HTTP-REDIRECT1
webhost-redirection http://real_server/1/index.html
inservice
rserver redirect HTTP-REDIRECT2
webhost-redirection http://real_server/2/index.html
inservice
rserver redirect HTTP-REDIRECT3
webhost-redirection http://real_server/3/index.html
inservice
serverfarm redirect SF_REDIRECT
rserver HTTP-REDIRECT1
inservice
rserver HTTP-REDIRECT2
inservice
rserver HTTP-REDIRECT3
inservice
But even if it works, this does not sound good.
It seems like a design done by an application server person who does not know how network loadbalancers work.
It seems like all you need is stickyness, which you are trying to achieve by redirecting to /1 or /2 or /3.
But this can be done differently with cookies or by just doing stickyness on source ip address.
Gilles. -
need help to understand what sticky entries are expected to be seen under show sticky database and for all it options.
we are not sure what cookie values are used by the servers. if i understood right
if servers dont send any cookie , then ACE will use the configured static cookie value and send the cookie to client on behalf of the server. if ace receives the cookie value from server then it forwards the info to the client. in this situation what configuration is required to maintain stickyness
below is my config..
sticky http-cookie sfarm1-sticky sticky-cookie-insert-8005
cookie insert
replicate sticky
serverfarm sfarm1-apache
policy-map type loadbalance first-match sfarm1-apache-8000_pol
class class-default
sticky-serverfarm sticky-cookie-insert-8005
policy-map multi-match VIPS
class sfarm1-apache-8000-cl
loadbalance vip inservice
loadbalance policy sfarm1-apache-8000_pol
loadbalance vip icmp-reply active
ThanksACE supports parsing HTTP headers up to 64K bytes.
By default ACE Module can parse 4096 bytes (4K).
By default for ACE appliance can parse 2048 bytes.
You can change it to a higher number, for example to instruct ACE to parse 8192 bytes
parameter-map type http My_HTTP_PARAMS
set header-maxparse-length 8192
policy-map multi-match My-VIPS
class Syed
loadbalance vip inservice
loadbalance policy syed-policy
loadbalance vip icmp-reply active
appl-parameter http advanced-options My_HTTP_PARAMS
Increasing it to a very high number will have performance impacts.
More details at
ACE Module:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html#wp1350453')">http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html#wp1350453
ACE Appliance:
http://preview.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1062867')">http://preview.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1062867
Syed Iftekhar Ahmed -
I am trying to configure stickyness on an ACE appliance. I can't seem to get it to work. I have tried a http cookie and a IP Netmask and can't get it to work. When I do a show stat sticky or a show sticky database I get nothing. Attached is the config of my ace.
you need to assign sticky resources to your context before you can start using it.
Use the following command to see if you have allocated sticky resources
switch/Admin# show np 1 me-stats "-slb -v" | i Stick
Num Active Sticky Entry: 1 0
Num Active Reverse Sticky Entry: 0 0
Free Sticky Entry Count: 944765 0
switch/Admin#
Gilles. -
ACE class-map match url syntax
Can someone help me with the string that would match a url with no path specified? For instance; user types "https://outlook.domain.net" into their browser and I want the ACE to redirect that request to https://outlook.domain.net/owa".
2 match http url oulook\.domain\.net\Adam and Shday,
I'll give you a hand on this =)
Adam we can solve your problem only if you're doing SSL offloading on the ACE as the layer 5 information that needs to be checked is being sent encrypted.
In case SSL termination is configured then the configuration would be like this:
rserver redirect OWA
webhost-redirection https://%h/owa 301
inservice
serverfarm redirect OWA
rserver OWA
inservice
class-map type http loadbalance match-any OWA
2 match http header Host header-value "outlook.domain.net"
policy-map type loadbalance first-match OWA
class OWA
serverfarm OWA
class class-default
serverfarm Backend
Shday yours is pretty much the same but you need to decide if class-default needs
to be in place:
rserver redirect Domain
webhost-redirection http://%h/any_path 301
inservice
serverfarm redirect Domain
rserver Domain
inservice
class-map type http loadbalance match-any Any
2 match http url /.*
class-map type http loadbalance match-any Domain
2 match http header Host header-value "domain.com"
policy-map type loadbalance first-match Domain
class Any
serverfarm Backend
class Domain
serverfarm Domain
HTH
Pablo -
Hello,
i've wanted to configure Stickyness via SSL Session ID.
I coul'd not find anything in the docs how to do this.
Is this feature not supported by the ACE?
SvenI read somewhere it will be supported with the next major release or Gilles mentioned something like that.
AFAIK it is not supported right now.
Ergo -> geht nicht :)
Roble -
Hello:
I have to delete cookies from a url iview with target a asp.net web application when the iview is selected.
Can you Help me?cookies usually stores in your local broser.
click on tools-> internet options,,,,,,,,,,,,,u can find delete cookies option there.....try to delete it
Koti Reddy -
ACE balance cookie + https
Hello Everyone,
i have a ACE 4400 Appliance, for balance some applications on the network.
i have one application(citrix), the connection to this site is https(443).
I had a balance of cookie, plus this only worked if I left only one server in "inservice" on Serverfarm if I add the second, the application showed me a scree saying "your web interface session is in an inconsistent state."
Since the above problems, I set the cookie for connection to work with "persistence rebalance," but the problem continued.
After I passed the Serverfarm to be balanced by source IP, the troubles are over, I kept the persistence rebalance.
Now comes the question, why not work with cookie? https does not work if the balancing change something in the package, such as information inside a cookie?
Old configuration:
sticky http-cookie NFUSE-COOKIE STICKY-HIAE-NFUSE-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm SF-HIAE-NFUSE
Current Configuration:
sticky ip-netmask 255.255.255.255 address source STICKY-HIAE-TESTE-NFUSE
replicate sticky
serverfarm SF-HIAE-NFUSE
Class/Policy and Parameter map.
class-map match-all VS-HIAE-NFUSE
2 match virtual-address 192.168.16.30 tcp any
policy-map type loadbalance first-match VS-HIAE-NFUSE-l7slb
class class-default
sticky-serverfarm STICKY-HIAE-TESTE-NFUSE
class VS-HIAE-NFUSE
loadbalance vip inservice
loadbalance policy VS-HIAE-NFUSE-l7slb
loadbalance vip icmp-reply active primary-inservice
appl-parameter http advanced-options HTTP-OPTS
parameter-map type http HTTP-OPTS
persistence-rebalance
Tks a lot.
Rafael MendesRealized the configuration as specified in the link.
Apparently, everything ok.
However, I can not access the page using internet explorer. I tested with firefox, safari, opera, everything works with internet explorer not.
Configuration follows below, is something wrong?
Thanks.
serverfarm host SF-HIAE-NFUSE
description Servidores nfuse.einstein.br
rserver WPVAP06
inservice
rserver WPVAP07
inservice
parameter-map type generic sslidparam
set max-parse-length 70
sticky layer4-payload STICK-L4-NFUSE-SSL
serverfarm SF-HIAE-TESTESSLTERM
response sticky
layer4-payload offset 43 length 32 begin-pattern "\x20"
class-map match-all VS-L4-NFUSE-SSL-TERMINATOR
2 match virtual-address 192.168.16.254 tcp eq https
policy-map type loadbalance generic first-match VS-HIAE-TESTESSLTERM
class class-default
sticky-serverfarm STICK-L4-NFUSE-SSL
policy-map multi-match int10
class VS-L4-NFUSE-SSL-TERMINATOR
loadbalance vip inservice
loadbalance policy VS-HIAE-TESTESSLTERM
loadbalance vip icmp-reply active primary-inservice
appl-parameter generic advanced-options sslidparam -
ACE Module Cookie Parsing causes Reset Connection
I am trying to upgrade my ACE Modules from A2(1.3) to A2(3.2) . Unfortunately, the cookie parsing breaks when there are illegal characters and causes a connection reset (RST) when there is an invalid cookie, but only on code later than A2(1.3).
The cookie in question is being passed by a third party so making them change the cookie is not necessarily do-able. The cookie has the following value:
Cookie: CurrentUser={"UserKey":{"Key":"anonymous"},"LastUpdated":"10/13/2010 1:35:52 PM"}
We are using the following parameter map:
parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
set header-maxparse-length 20480
length-exceed continue
On the older code, the request is passed on to the server.
Is there a setting similar to "length-exceed continue" that I can give the ACE to tell it to ignore cookies it cannot parse?HTTP inspection is not enabled.
Did you mean adding a class-default to the policy-map?
Adding it to the policy-map does make it match the class-default. Unfortunately, cookie parse errors result in the inability to parse both the cookie and the host header as well. It seems that rather than just failing to parse the cookie and being unable to do sticky matching - it completely fails the entire header parsing.
Here's our setup:
rserver host test1
ip address 192.168.1.101
inservice
rserver host test2
ip address 192.168.1.102
inservice
rserver host test3
ip address 192.168.1.103
inservice
rserver host test4
ip address 192.168.1.104
inservice
serverfarm host auto
probe HTTP-diagnostic
rserver test1
inservice
rserver test2
inservice
serverfarm host news
probe HTTP-diagnostic
rserver test3
inservice
rserver test4
inservice
sticky http-cookie autoCookie auto-cookie
cookie insert browser-expire
replicate sticky
serverfarm auto
sticky http-cookie newsCookie news-cookie
cookie insert browser-expire
replicate sticky
serverfarm news
class-map type http loadbalance match-any auto
2 match http header Host header-value "www.auto.local"
3 match http header Host header-value "auto.local"
class-map type http loadbalance match-any news
2 match http header Host header-value "www.news.local"
3 match http header Host header-value "news.local"
class-map match-all prod_VIP
2 match virtual-address XXX.XXX.XXX.XXX tcp eq www
policy-map type loadbalance first-match prod_POLICY
class auto
sticky-serverfarm auto-cookie
class news
sticky-serverfarm news-cookie
class class-default
sticky-serverfarm auto-cookie
policy-map multi-match aggregate-slb-apps
class prod_VIP
loadbalance vip inservice
loadbalance policy prod_POLICY
loadbalance vip icmp-reply active
loadbalance vip advertise
appl-parameter http advanced-options CASE_PARAM -
Alternatives for HTTP Session(Cookies or URL Reqriting)
Sir/Madam,
Actually we can handle session using (1) URL rewriting and (2) Cookies , apart from this is there any way to handle sessions ? If so what are they ?.
Thanks and Regards
- Raja.Of course... You could use (1) Cookies and (2) URL rewriting, as an alternative.
Or you could write your own JSP/servlet engine and require all pages to be forms that have the session ID in them or whatever other custom hair-brained idea you wanted. -
ACE-Single VIP-Multiple URL-Multiple ServerFarm
Hi Everyone,
I am trying to put together a configuration that has multiple requirements that are all dependant so I wanted to post in a single discussion. Please see the parameters below:
1. ACE 4710 placed in DMZ in one-armed mode
2. Use only 2 VIPS (1 for HTTP traffic and 1 HTTPS traffic)
3. Multiple URLs for each VIP. Each URL makes use of sub-domains (ex. "subdomain1.domain.com" , "subdomain2.domain.com")
4. Match on the hostheader and send to a corresponding serverfarm. (each URL has seperate serverfarm).
5. SSL off-load. All Secure URL's share a single wild-card certificate.
6. Any connections to Secure URL's that connect using HTTP need to be redirected to HTTPS and then load-balanced. I would like to have a single redirect serverfarm that will take the path and url that is sent,whichever that may be, and redirect it to HTTPS.
So here are my questions:
1. One of the URL's being matched is for Exchange 2010 (OWA and ActiveSync). Since all services will be directed at the same serverfarm I believe that matching on the sub-domain (host header) will be sufficient for both services but I would like some confirmation.
2. I would like to confirm that the composition of my class-maps and subsequent policy-maps will meet the requirements listed above.
3. I would like any suggestions on how I may make this configuration more efficient.
I have attached a scrubbed copy of my configuration, any suggestions would be greatly appreciated!!!Hi Michael,
One of the URL's being matched is for Exchange 2010 (OWA and ActiveSync). Since all services will be directed at the same serverfarm I believe that matching on the sub-domain (host header) will be sufficient for both services but I would like some confirmation
The ACE performs regular expression matching against the received packet data and hence you can use a single expression like \.mvnu\.edu and that should match msmail\.mvnu\.edu", ihelp\.mvnu\.edu and ishare\.mvnu\.edu and since all of them need to go to same serverfarm there is no need to define three different server farms under policy map.
2. I would like to confirm that the composition of my class-maps and subsequent policy-maps will meet the requirements listed above.
The config looks fine but you can make it more stream line by using one regex which will match all host header information and since it needs to go one serverfarm only, it is not required to have three different server farms unless needed of course. Pardon if i haven't understood your requirment correctly.
3. I would like any suggestions on how I may make this configuration more efficient.
It should be there in answer 1:)
Please feel free to discuss if there is something which is not what you were looking for.
Regards,
Kanwal
Maybe you are looking for
-
Most applications won't launch (application quit unexpectedly) HELP!!!
I tried to open final cut pro and it would keep unexpectedly quitting everytime i pressed reopen the same is happening with most applications including imovie and garageband I did a software update for the sake of it an hour or so ago and left it, ca
-
How to connect the speackers for the CT4830
Hello. I can't find how to plug the subwoofer to the card.
-
RDN of the join Adapter in OVD 11G
Hi, In OVD 11G for a Join view adapter, the RDN on the join Adapter is from the primary adapter by default. Is there any way to configure the Join adapter so the RDN on the join adapter is from the RDN of the non-primary adapter. Any helps on this is
-
Hi, How can I change the e-mail address connected with my account? Thanks for some help Krzysztof
-
we have some inactive PA & PSA masters in our database. We are using PA / PSA for various employee locations. Many locations are not in use, but the employees are assigned to them in year 2001, 2002.. Due to this, all the drop down / data help, shows