ACE Stickyness problem
I am trying to configure stickyness on an ACE appliance. I can't seem to get it to work. I have tried an HTTP cookie and an IP netmask and can't get it to work. When I do a show stat sticky or a show sticky database I get nothing. Attached is the config of my ACE.
You need to assign sticky resources to your context before you can start using it.
Use the following command to see if you have allocated sticky resources:
switch/Admin# show np 1 me-stats "-slb -v" | i Stick
Num Active Sticky Entry: 1 0
Num Active Reverse Sticky Entry: 0 0
Free Sticky Entry Count: 944765 0
switch/Admin#
Gilles.
Similar Messages
-
ACE : Stickyness problem with http cookies
Hi,
I am facing a serious problem with stickyness in an e-commerce configuration.
Here is the setup :
An ACE load balances user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via HTTP on port 80
On the home page, there is a link allowing the user to log in
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP access and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 441)
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm ECOM_FARM_TEST_HTTP
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm ECOM_FARM_TEST_HTTPS
serverfarm host ECOM_FARM_TEST_HTTP
  description *** e-Commerce Test Server Farm ***
  probe ECOM_PROBE_TEST
  rserver HQCHECOM01 80
    inservice
  rserver HQCHECOM02 80
    inservice
serverfarm host ECOM_FARM_TEST_HTTPS
  description *** e-Commerce Test Server Farm ***
  probe ECOM_PROBE_TEST
  rserver HQCHECOM01 443
    inservice
  rserver HQCHECOM02 443
    inservice
The problem :
Let's analyse the sequence of events and the value of the HTTP cookie for each of them :
When the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is stuck to SERVER-1
Then, the user tries to log in and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received) !!
The ACE sees the cookie "B" but does not find it in its database for the sticky group ECOM_STICKY_TEST_HTTP
The ACE performs another load balancing decision and selects SERVER-2 ! (instead of SERVER-1)
The page is reloaded, but the name of the user does not appear on it
The question :
As it is not possible to have only one sticky group in this configuration, what would be the solution to make sure that the same server is selected for HTTP and HTTPS ?
Thank you for any hints,
Yves
Hi Gilles,
I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load balanced to the second server when returning from HTTPS to HTTP :
It seems that the ACE ignores the static entries !
To make my question clear, I repeat hereafter the setup and the encountered problem :
Here is the setup :
An ACE load balances user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via HTTP on port 80
On the home page, there is a link allowing the user to log in
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP access and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 443)
In the ECOM_STICKY_TEST_HTTP sticky group the two following cookies are automatically generated :
R105816849 for the server HQCHECOM01
R105852786 for the server HQCHECOM02
In the ECOM_STICKY_TEST_HTTPS sticky group the two following cookies are automatically generated :
R355972695 for the server HQCHECOM01
R357158616 for the server HQCHECOM02
I statically configured in each sticky group the cookies used by the other sticky group, to allow stickiness when the browser switches from HTTP to HTTPS and vice versa :
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
  56 static cookie-value "R355972695" rserver HQCHECOM01
  64 static cookie-value "R357158616" rserver HQCHECOM02
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
  72 static cookie-value "R105816849" rserver HQCHECOM01
  80 static cookie-value "R105852786" rserver HQCHECOM02
serverfarm host ECOM_FARM_TEST_HTTP
  description *** e-Commerce Test Server Farm ***
  probe ECOM_PROBE_TEST
  rserver HQCHECOM01 80
    inservice
  rserver HQCHECOM02 80
    inservice
serverfarm host ECOM_FARM_TEST_HTTPS
  description *** e-Commerce Test Server Farm ***
  probe ECOM_PROBE_TEST
  rserver HQCHECOM01 443
    inservice
  rserver HQCHECOM02 443
    inservice
The problem :
Let's analyse the sequence of events and the value of the HTTP cookie for each of them :
When the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is stuck to SERVER-1
Then, the user tries to log in and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received)
The ACE sees the cookie "B" and should use the static cookie entry to select the SERVER-1
But instead, the ACE performs another load balancing decision and selects SERVER-2 !
The page is reloaded, but the name of the user does not appear on it
LiveHTTP Trace on Firefox :
GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105816849; path=/
Date: Mon, 18 Oct 2010 15:31:37 GMT
Server: Apache/2.2.13 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: image/jpeg
Here we switch on HTTPS :
https://ecom.test.toto.com/uk/en/j_spring_security_check
POST /uk/en/j_spring_security_check HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
spring-security-redirect=&j_username=yves144%40yahoo.com&j_password=junon01
Here we see cookie for the same server but for the HTTPS sticky group :
HTTP/1.1 302 Moved Temporarily
Set-Cookie: STICKED-TO=R355972695; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:39 GMT
Server: Apache/2.2.13 (Red Hat)
Location: http://ecom.test.toto.com/uk/en/home
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
Here we switch back to HTTP :
http://ecom.test.toto.com/uk/en/home
GET /uk/en/home HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Here we see that the second server has been wrongly selected !
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-GB
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
http://ecom.test.toto.com/ecom/medias/sys_master/8796174057502/uk.gif
GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Content-Length: 382
Connection: close
Content-Type: image/gif
Hypothesis :
It seems that the static entries are not considered by the ACE...
-
What is load balancing "stickyness" problem
We are getting this error " Failed to send alert messages to browser " on the interaction centre after saving the ticket followed by the END button.
There is a similar thread with the same issue: CRM 2007-IC Web Interface Message - Failed to send Alert Message to Browser.
In the observations, one of the solutions for the issue was the load balancing "stickyness" problem.
If anyone can share some knowledge on the load balancing "stickyness" problem, it is really appreciated and points will be awarded.
Regards,
Kumar
Edited by: S Kumar on Jun 16, 2011 11:28 AM
Clustering: the use of multiple computers to provide a single service.
Load Balancing: a technique implemented to spread "load" between alike computers for service availability via unshared system resources, increasing system availability and performance.
Please refer to this link to gather more about it:
http://en.wikipedia.org/wiki/Load_balancing_%28computing%29
-
ACE : Stickyness with static cookies problem
Hi Gilles
I restart a conversation as a question to clarify the situation :
I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load balanced to the second server when returning from HTTPS to HTTP :
It seems that the ACE ignores the static entries !
Hypothesis :
It seems that the static entries are not considered by the ACE...
Yves,
You have to specify the destination port:
  56 static cookie-value "R355972695" rserver HQCHECOM01 80
  64 static cookie-value "R357158616" rserver HQCHECOM02 80
serverfarm host ECOM_FARM_TEST_HTTP
  description *** e-Commerce Test Server Farm ***
  probe ECOM_PROBE_TEST
  rserver HQCHECOM01 80
    inservice
  rserver HQCHECOM02 80
    inservice
Gilles.
-
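Added example (not part of the original thread and not Cisco code): a Python script that replays a condensed copy of the LiveHTTP trace from the HTTP/HTTPS sticky-cookie thread above against the cookie-to-rserver table given in that post. It flags requests that present a cookie issued by the other sticky group or that end up on a different rserver, and prints the cross-group static entries in the syntax of Gilles's reply. The function names, the condensed trace and the use of port 443 for the HTTPS group's entries are assumptions (the reply only shows port 80).

```python
import re

COOKIE_NAME = "STICKED-TO"
# Cookie value -> (issuing sticky group, rserver), as listed in the post.
COOKIE_OWNER = {
    "R105816849": ("ECOM_STICKY_TEST_HTTP", "HQCHECOM01"),
    "R105852786": ("ECOM_STICKY_TEST_HTTP", "HQCHECOM02"),
    "R355972695": ("ECOM_STICKY_TEST_HTTPS", "HQCHECOM01"),
    "R357158616": ("ECOM_STICKY_TEST_HTTPS", "HQCHECOM02"),
}
# Sticky group serving each scheme, and the rserver port of its server farm.
GROUP_FOR_SCHEME = {"http": "ECOM_STICKY_TEST_HTTP", "https": "ECOM_STICKY_TEST_HTTPS"}
# Assumption: 443 for the HTTPS group mirrors its farm; the reply only shows 80.
FARM_PORT = {"ECOM_STICKY_TEST_HTTP": 80, "ECOM_STICKY_TEST_HTTPS": 443}

# Condensed from the LiveHTTP trace in the post: a URL line per exchange, then cookie lines.
TRACE = """\
http://ecom.test.toto.com/ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg
GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
Cookie: STICKED-TO=R105816849;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105816849; path=/

https://ecom.test.toto.com/uk/en/j_spring_security_check
POST /uk/en/j_spring_security_check HTTP/1.1
Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
HTTP/1.1 302 Moved Temporarily
Set-Cookie: STICKED-TO=R355972695; path=/

http://ecom.test.toto.com/uk/en/home
GET /uk/en/home HTTP/1.1
Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
"""


def sticky_value(header_value):
    """Return the STICKED-TO value from a Cookie or Set-Cookie header value, or None."""
    for pair in header_value.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name == COOKIE_NAME:
            return value
    return None


def parse_trace(text):
    """Split the trace into exchanges: scheme, sticky cookie sent, sticky cookie set."""
    exchanges = []
    for raw in text.splitlines():
        line = raw.strip()
        url = re.match(r"(https?)://\S+$", line)
        if url:
            exchanges.append({"url": line, "scheme": url.group(1), "sent": None, "set": None})
            continue
        name, _, value = line.partition(":")
        field = {"cookie": "sent", "set-cookie": "set"}.get(name.strip().lower())
        if field and exchanges:
            # Keep an earlier sticky value if this header carries a different cookie.
            exchanges[-1][field] = sticky_value(value) or exchanges[-1][field]
    return exchanges


def find_sticky_breaks(exchanges):
    """Flag cookies presented to the other sticky group and changes of rserver."""
    findings = []
    for index, ex in enumerate(exchanges):
        if ex["sent"] is None:
            continue
        if ex["sent"] not in COOKIE_OWNER:
            findings.append((index, "unknown-cookie", ex["sent"]))
            continue
        sent_group, sent_server = COOKIE_OWNER[ex["sent"]]
        group = GROUP_FOR_SCHEME[ex["scheme"]]
        if sent_group != group:
            findings.append((index, "cross-group",
                             f"{ex['sent']} was issued by {sent_group}, presented to {group}"))
        set_server = COOKIE_OWNER.get(ex["set"], (None, None))[1]
        if set_server and set_server != sent_server:
            findings.append((index, "server-changed", f"{sent_server} -> {set_server}"))
    return findings


def static_entries_for(group):
    """Static entries mapping the other group's cookie values to this group's rservers."""
    port = FARM_PORT[group]
    return [f'static cookie-value "{value}" rserver {server} {port}'
            for value, (owner, server) in sorted(COOKIE_OWNER.items())
            if owner != group]


if __name__ == "__main__":
    exchanges = parse_trace(TRACE)
    for index, kind, detail in find_sticky_breaks(exchanges):
        print(f"exchange {index} ({exchanges[index]['url']}): {kind}: {detail}")
    for group in FARM_PORT:
        print(group, *static_entries_for(group), sep="\n  ")
```

On this trace the login POST is flagged as cross-group but stays on HQCHECOM01, while the return to port 80 is flagged both as cross-group and as a change from HQCHECOM01 to HQCHECOM02, which is the break described in the post.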
Hello,
I've wanted to configure stickyness via SSL Session ID.
I couldn't find anything in the docs on how to do this.
Is this feature not supported by the ACE?
Sven
I read somewhere it will be supported with the next major release or Gilles mentioned something like that.
AFAIK it is not supported right now.
Ergo -> doesn't work :)
Roble
-
Hello,
I have two 6509 switches with ACE modules installed and configured as active/standby. There is no FWSM installed, so MSFC shares a common subnet with the external interface of ACE. On both MSFCs, I can see the static route injected (RHI) by ACE. However, those routes are different. On the MSFC hosting the active ACE, the next hop of the static route installed is the alias IP address of the external ACE interface. The MSFC hosting the standby ACE has the next hop as the IP address of the external interface of the standby ACE, not the alias.
This causes a problem when traffic is routed through the second MSFC where it will send traffic destined to my VIP to the standby ACE causing traffic to be dropped.
Why does this behaviour happen? I started to see this behaviour after a sudden reboot on the standby ACE. Before that, I am not sure what was the route injected into the second MSFC but I had no problem with my VIP.
Can anyone help me with how I can tell the second MSFC to route traffic towards the alias instead of the interface IP?
Thanks.
The TAC case is resolved. Posting back to the community so the solution can be shared with a wider audience.
Thanks to Mohammed for keeping outputs of troubleshooting at the time of the problem, it was found that after the standby ACE rebooted, BOTH the active ACE and standby ACE were injecting the host route to the VIP; this is not expected behaviour. The expected behaviour is for the active ACE to inject the host route with the ACE alias IP as the next hop, and the standby to not inject the route.
This problem is due to a software defect CSCsx67908 "When you configure ACEs for redundancy and Route Health Injection (RHI) and the standby ACE reboots, duplicate RHI entries can exist on the supervisor."
ref: http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/v3.00_A2/release/note/racea2_x.html
An integrated software fix is available. There is also a workaround by an "FT switchover" on the ACE.
Another workaround by routing is to disable RHI for the VIP, and instead advertise the VIP subnet by routing protocol on the switch supervisor (e.g., advertising the connected VLAN via EIGRP, OSPF, etc.).
RHI of the VIP is not enabled by default, and can be disabled with the following from ACE:
policy-map multi-match XYZ
  class ABC
    no loadbalance vip advertise active
More info on RHI can be found here:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/configuration/getting/started/guide/rhi.html
Regards,
Simon
-
Hi,
I've a problem with license install procedure on ACE. If I try to perform cisco procedure:
LICENSE KEY INSTALLATION INSTRUCTIONS
After you have received the software license key for a new or upgraded license in an e-mail from Cisco Systems, you must copy the license file to a network server and then use the copy command in Exec mode to copy the file to disk0 on the ACE. The syntax for this command is:
copy tftp://server_name/path_filename disk0:
The arguments are:
server_name - Network server where you copied the license file.
path_filename - URL location of the license file and the name of the file.
disk0: - Flash disk in the ACE.
For example, to copy the ACE-VIRT-020.lic license file from the license directory on the track network server, enter:
host1/Admin# copy tftp://track/license/ace-virt-020.lic disk0:
To install a new software license on your ACE or to update an existing license to increase the number of virtual contexts, use the license install command in Exec mode. The syntax of this command is:
license install disk0:filename
The arguments are:
disk0: - Flash disk in the ACE.
filename - Filename for the license file.
For example, enter:
host1/Admin# license install disk0:ACE-VIRT-020.lic
I received this message:
Installing license... failed: License server does not support this feature
Could somebody help me?
Regards,
Dino
Hi Dino,
The first license that I received was a text file with ASCII DOS control codes but the ACE needs Unix/Linux style ASCII control codes.
If you have a Linux machine around you should be able to use the program dos2unix and convert it.
There are also editors around which can save the file in DOS or UNIX flavor.
Anyhow if the license file is converted and you created an online license this should work.
Copy the file with tftp: to disk0: and use license install disk0:name.lic.
Hope it helps.
Roble
-
Need help to understand what sticky entries are expected to be seen under show sticky database and for all its options.
We are not sure what cookie values are used by the servers. If I understood right:
If servers don't send any cookie, then ACE will use the configured static cookie value and send the cookie to the client on behalf of the server. If ACE receives the cookie value from the server then it forwards the info to the client. In this situation, what configuration is required to maintain stickyness?
Below is my config.
sticky http-cookie sfarm1-sticky sticky-cookie-insert-8005
  cookie insert
  replicate sticky
  serverfarm sfarm1-apache
policy-map type loadbalance first-match sfarm1-apache-8000_pol
  class class-default
    sticky-serverfarm sticky-cookie-insert-8005
policy-map multi-match VIPS
  class sfarm1-apache-8000-cl
    loadbalance vip inservice
    loadbalance policy sfarm1-apache-8000_pol
    loadbalance vip icmp-reply active
Thanks
ACE supports parsing HTTP headers up to 64K bytes.
By default the ACE Module can parse 4096 bytes (4K).
By default the ACE appliance can parse 2048 bytes.
You can change it to a higher number, for example to instruct ACE to parse 8192 bytes:
parameter-map type http My_HTTP_PARAMS
  set header-maxparse-length 8192
policy-map multi-match My-VIPS
  class Syed
    loadbalance vip inservice
    loadbalance policy syed-policy
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options My_HTTP_PARAMS
Increasing it to a very high number will have performance impacts.
More details at
ACE Module:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html#wp1350453
ACE Appliance:
http://preview.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1062867
Syed Iftekhar Ahmed
-
ACE FTP problem in active mode
Hi everyone,
I have a problem with active FTP (passive FTP works fine).
Here is my conf :
access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any
rserver host ftp1
  ip address 10.0.151.131
  inservice
rserver host ftp2
  ip address 10.0.151.132
  inservice
serverfarm host ftp
  transparent
  failaction reassign
  rserver ftp1
    inservice
  rserver ftp2
    inservice
class-map match-any vip
  2 match virtual-address X.X.X.X tcp eq ftp
policy-map multi-match LBPOL
  class vip
    loadbalance vip inservice
    loadbalance policy lbpol
    loadbalance vip icmp-reply active
    inspect ftp
interface vlan 1000
  description public-side
  ip address Y.Y.Y.Y M.M.M.M
  no normalization
  no icmp-guard
  access-group input ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input LBPOL
  no shutdown
interface vlan 100
  description private-side
  ip address 10.0.99.160 255.255.0.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
On both hosts, I added the X.X.X.X VIP and the good rule/route with iproute2.
As I said at the beginning, passive FTP is OK. Active is not.
While in active mode, I can connect to the FTP but any list/put/get fails.
Any idea ?
MA
One thing I don't understand here is why you have
serverfarm host ftp
  transparent
With this in place the ACE will not rewrite the destination IP and the server will receive a packet destined to the VIP. This is not very common, but it can work. The rest of your config seems to be fine, except the missing lbpol policy.
Which sw version are you running?
-
Hi,
Hopefully someone can tell me if what I'm trying to achieve is possible. I need to append details to a URL. I've attempted a rewrite but don't want to send the 10.10.10.1 address back to the client and want to send their original request with the appended URL. As the IP and port are staying the same the request loops. Hardware ACE 4710 software A3 (2.0)
I need to loadbalance.
http://ourdomain.com:9080 > http://10.10.10.1-10:9080/ThisBitAdded
ourdomain.com resolves to the same address every time, 10.10.10.1-10 are the real servers.
Any help greatly appreciated.
Thanks
Chris
Chris:
As I'm preparing a response, I'm curious about how you have it set up at this point. What is the configuration that you were testing?
-
Hi everyone.
We have a customer who has a server farm formed by 3 servers with the following real IP addresses:
10.10.24.5-6-7 and a virtual 10.10.24.3 as configured in the ACE module.
We found the following behavior in the session number of the servers. We can conclude that there is a server with many more sessions than the others (10.10.24.6):
Can somebody help me by telling me why that can happen?
I am attaching the ACE config as a reference.
Thanks
ACE-DIGENERAL/OCS# sh serverfarm Herramientas_Col
 serverfarm     : Herramientas_Col, type: HOST
 total rservers : 3
                                                ----------connections-----------
       real                  weight state        current    total
   ---+---------------------+------+------------+----------+--------------------
   rserver: SP1
       10.10.24.5:0          8      OPERATIONAL  390        296043280
   rserver: SP2
       10.10.24.6:0          8      OPERATIONAL  1003       3371471400
   rserver: SP3
       10.10.24.7:0          8      OPERATIONAL  354        164816790
As can be seen, server 10.10.24.6 has more than twice as many connections as the other 2.
5. The following screenshot also shows detailed connections and the ports it talks on:
8601 1 in TCP 951 10.217.26.34:1677 10.10.24.3:80 ESTAB
1167 1 out TCP 324 10.10.24.6:80 10.217.26.34:1677 ESTAB
17209 1 in TCP 951 10.165.40.45:1526 10.10.24.3:80 ESTAB
1173 1 out TCP 324 10.10.24.5:80 10.165.40.45:1526 ESTAB
18708 1 in TCP 951 10.31.105.137:3714 10.10.24.3:80 ESTAB
1175 1 out TCP 324 10.10.24.6:80 10.31.105.137:3714 ESTAB
1180 1 in TCP 951 10.201.18.40:4777 10.10.24.3:80 ESTAB
6528 1 out TCP 324 10.10.24.6:80 10.201.18.40:4777 ESTAB
1214 1 in TCP 951 10.31.104.46:1501 10.10.24.3:80 ESTAB
5924 1 out TCP 324 10.10.24.6:80 10.31.104.46:1501 ESTAB
1228 1 in TCP 951 10.231.37.32:1161 10.10.24.3:80 ESTAB
15171 1 out TCP 324 10.10.24.6:80 10.231.37.32:1161 ESTAB
28431 1 in TCP 951 10.25.5.76:2317 10.10.24.3:80 ESTAB
1293 1 out TCP 324 10.10.24.5:80 10.25.5.76:2317 ESTAB
1328 1 in TCP 951 10.201.2.26:1293 10.10.24.3:80 ESTAB
19276 1 out TCP 324 10.10.24.7:80 10.201.2.26:1293 ESTAB
1356 1 in TCP 951 10.80.23.27:1396 10.10.24.3:80 ESTAB
4141 1 out TCP 324 10.10.24.6:80 10.80.23.27:1396 ESTAB
1368 1 in TCP 951 10.80.36.124:1428 10.10.24.3:80 ESTAB
19905 1 out TCP 324 10.10.24.6:80 10.80.36.124:1428 ESTAB
30280 1 in TCP 951 10.25.8.11:4836 10.10.24.3:80 ESTAB
1438 1 out TCP 324 10.10.24.6:80 10.25.8.11:4836 ESTAB
1478 1 in TCP 951 10.216.6.46:4153 10.10.24.3:80 ESTAB
12312 1 out TCP 324 10.10.24.6:80 10.216.6.46:4153 ESTAB
23389 1 in TCP 951 10.211.30.38:1593 10.10.24.3:80 ESTAB
1527 1 out TCP 324 10.10.24.6:80 10.211.30.38:1593 ESTAB
1562 1 in TCP 951 10.90.21.58:2889 10.10.24.3:80 ESTAB
36398 1 out TCP 324 10.10.24.7:80 10.90.21.58:2889 ESTAB
1587 1 in TCP 951 10.84.22.29:2121 10.10.24.3:80 ESTAB
37031 1 out TCP 324 10.10.24.6:80 10.84.22.29:2121 ESTAB
1624 1 in TCP 951 10.25.21.218:1465 10.10.24.3:80 ESTAB
4941 1 out TCP 324 10.10.24.6:80 10.25.21.218:1465 ESTABHello!
A "show connection serverfarm Herramientas_Col detail" and "show sticky database group POOL3" would be handy in this situation. You have sticky configured, which will intentionally throw off the load-balancing predictor. My guess at this point is that rserver SP2 might not close connections in the same manner that SP1 and SP3 do. If that was true, that would result in a longer connection time, which means the sticky database would not idle out as fast, hence more connections for SP2.
Regards,
Chris
-
Traceroute does not work when initiated from a server behind the ACE module. The output shows only the destination ip.
The ACE is in routed mode.
Traceroute is a widely available utility on most operating systems today. Much like ping, it is a valuable tool for determining connectivity in a network. Ping allows the user to find out if there is a connection between two end systems. Traceroute does this as well, but it additionally lists the intermediate routers between the two systems. Users can therefore see the routes that packets can take from the Content Engine to another system. Use the traceroute EXEC command to find the route to a remote host, when either the host name or IP address is known.
-
Hello,
I have an ACE running in router mode.
I have the server and client in different VLANs
(server vlan 20, client vlan 192)
1. client vlan(20) -> vip(20.1.1.102) service ok
2. client vlan(20) -> vip(20.1.1.102) ping fail?
Why does the ping fail?
Hope this helps
[Configuration]
access-list ALL line 10 extended permit ip any any
access-list ALL line 11 extended permit icmp any any
probe tcp tcp_21
port 21
interval 2
faildetect 2
passdetect interval 5
passdetect count 2
serverfarm host slb
probe tcp_21
rserver test_01
inservice
rserver test_02
inservice
class-map type management match-any REMOTE_ACCESS
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
class-map match-all slb
2 match virtual-address 20.1.1.102 any
policy-map type management first-match REMOTE_MGMT
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match slb
class class-default
serverfarm slb
policy-map multi-match test
class slb
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply active
interface vlan 20
ip address 20.1.1.2 255.255.255.0
alias 20.1.1.1 255.255.255.0
peer ip address 20.1.1.3 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input REMOTE_MGMT
service-policy input test
no shutdown
interface vlan 192
ip address 192.168.1.102 255.255.255.0
alias 192.168.1.1 255.255.255.0
peer ip address 192.168.1.103 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input test
no shutdown
Is the A2 train the current version recommended by Cisco? These devices load balance critical systems so we usually try and stay with Safe Harbor code wherever possible. In my deployment I require stability over features and in the past have stayed away from the "newest" code releases for fear of flaky or buggy behavior.
Thanks
-
Hi,
I have an issue with sticky server that I’m hoping might just be a command I’m missing.
I am inserting a cookie and the sticky works fine.
When my browser has a successful sticky connection, I take the server that has the sticky connection out of service. I try to make another connection; I see the connection round robin to all remaining servers, but I don’t get a successful connection. I do see the connection failure count increment on all other servers in the farm. Only when I bring the server back into service can I get a successful connection.
Any advice appreciated.
Sticky config below.
sticky http-cookie WEB-Cookie-1 WEB-Sticky-1
cookie insert
serverfarm WEB-SERVERS-80
Code
Version A3(2.0) [build 3.0(0)A3(2.0
Thanks
Chris
Hello Chris, This will be an easy fix for you. The command you are looking for is defined under the serverfarm in which you are creating sticky entries against. You need to add a failaction. I'm pasting the command syntax and options for the command. Based on your brief description, failaction purge will give you the desired result:
(config-sfarm-host) failaction
To configure the action that the ACE takes if a real server in a server farm goes down, use the failaction command. Use the no form of this command to reset the ACE to its default of taking no action when a server fails.
failaction {purge | reassign [across-interface]}
no failaction
Syntax Description
purge
Specifies that the ACE remove the connections to a real server if that real server in the server farm fails after you configure this command. The appliance sends a reset (RST) both to the client and to the server that failed.
reassign
Specifies that the ACE reassigns existing server connections to the backup real server, if a backup real server is configured. If no backup real server is configured, this keyword has no effect.
across-interface
(Optional) Instructs the ACE to reassign all connections from the failed real server to a backup real server on a different VLAN that is commonly referred to as a bypass VLAN. By default, this feature is disabled.
-
ACE: Stickyness, Cookie in URL
Hello,
I have a problem with cookies in the URL if the browser does not support Cookies in the http header.
I'm setting the cookie in the URL statically, so the URL looks like:
http://testfarm/sticky.cgi?serverid=1.1.1.1
And configure the sticky group:
sticky http-cookie serverid sticky-farm
cookie secondary serverid
replicate sticky
serverfarm sticky-farmm
8 static cookie-value "1.1.1.1" rserver server1
16 static cookie-value "1.1.1.2" rserver server2
What's wrong with my configuration?
If the client accepts cookies in the Cookie header anything works but not if the client rejects the cookie.
Hi Gilles,
No, I did not specify a port in the serverfarm or in the realserver.
The configuration looks like this:
sticky http-cookie serverid ST-sticky-farm
cookie secondary serverid
replicate sticky
serverfarm sticky-farm
8 static cookie-value "1.1.1.1" rserver server1
16 static cookie-value "1.1.1.2" rserver server2
policy-map type loadbalance first-match L7-10-1-1-1
class class-default
sticky-serverfarm sticky-farm
policy-map multi-match L4_SLB_POL_external
description L4 Policy fuer SLB ohne NAT
class V-10-1-1-1
loadbalance vip inservice
loadbalance policy L7-10-1-1-1
loadbalance vip icmp-reply active
appl-parameter http advanced-options HTTP-rebalance
class-map match-any V-10-1-1-1
2 match virtual-address 10.1.1.1 tcp eq www
serverfarm host sticky-farm
probe tcp80-i30
rserver server1
inservice
rserver server2
inservice
rserver host server1
ip address 1.1.1.1
inservice
rserver host server2
ip address 1.1.1.2
inservice
Sven