ACE to Load Balance SurfControl/Win App

According to SurfControl, it is possible to use an L4 - L7 load balancer to bear the 10000 per server limitation.
Is there any known option to do this using the ACE module?

Thx for the reply Gilles.
Is it possible to select only www, https, dns traffic to be sent to the farm and leave the rest to follow the way out to the next upstream device?
Gus

Similar Messages

  • ACE to load balance Citrix servers

    Hello,
    Has anyone configured ACE Modules to load balance Citrix Servers (HTTP)?
    Any special considerations needed?
    Many thanks,

    Hi Javier,
    There is one complete design guide available on the Cisco site.
    Kindly go through the below mentioned URL for complete config for ACE to load balance CITRIX as follows:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/citrixdg_final.html
    You will get other design guides also which can be very useful:
    http://www.cisco.com/en/US/netsol/ns751/networking_solutions_design_guidances_list.html
    Sachin Garg

  • Using ACE to load balance HTTP/S traffic between client & proxy server using tcp 8080

    Folks,
    I have a scenario where ACE is in load balancing connections to a bunch of Websense servers in a one-armed topology.  ACE presents a single VIP to web browser clients and each client's browser proxy configuration is populated with the VIP DNS name.  Traffic then gets load balanced between the Websense servers.  The problem arises due to Websense requiring the 'X-Forwarded-For' HTTP header in order to obtain the source IP of the client.  
    ACE inserts this header into the standard HTTP 'proxied' traffic but doing this for HTTPS traffic has required the configuration of the ACE SSL proxy client server.
    So the problem I have is this:
    How to configure ACE to load balance both HTTP & HTTPS applications using a single VIP and tcp port number ie tcp 8080
    The ACE hardware being used is ACE20-MOD-K9  -  MODULE
    I have attempted to use a L7 class map to match all ciphers and attach this to a L7 Policy-Map but the documentation highlights the fact the 'match cipher' configuration is only available on the ACE appliance.  
    I believe I am on the correct track.  The HTTPS traffic must be identified and used to match against PolicyA and HTTP traffic matched against PolicyB
    I'm looking for ideas!  I'm hopeful someone must have solved this problem previously!!
    Regards,
    Simon

    Hi Simon,
    The classification has to work on different ports. Whether client types http or https doesn't matter to client. His request will reach VIP which will classify the traffic based on port, protocol first and then it can look into further detail to send the traffic to appropriate serverfarm.
    You can configure
    class-map match-any xxxxx
      2 match virtual-address x.x.x.x tcp any
    and then you configure further classification on the basis of L7 like url, header etc.
    But again, you will still need SSL termination on ACE.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Cisco ACE - Firewall load balancing

    I am using two sets of ACE load balancers for load balancing traffic across two firewalls (firewall load balancing).
    The solution works fine. I have a virtual address of 0.0.0.0 in either direction to match traffic going from the internal users to the internet and vice versa.
    The problem is that when I try to manage the load-balanced firewalls (either using SSH (or) HTTPS) from outside, then that connection also gets load balanced and when I try to connect to FW1 then sometimes this connection ends up on FW2 and vice versa and the connection gets dropped. I have a workaround in place where I am using a virtual address per firewall to connect to the real IP address of the firewall.
    Is there any other way of managing firewalls (which are defined as real-servers) in a FWLB setup?
    Attached is the configuration of the external ACE which has the two firewalls defined as the real-servers.
    access-list ALL line 8 extended permit ip any any
    probe icmp ICMP-Probe
      interval 15
      passdetect interval 60
    rserver host FW1-ASA
      ip address 10.11.71.10
      inservice
    rserver host FW2
      ip address 10.11.71.11
      inservice
    serverfarm host Firewalls
      transparent
      predictor leastconns
      rserver FW1-ASA
        inservice
      rserver FW2
        inservice
    serverfarm host Firewalls-NO-LB
      rserver FW1-ASA
        inservice
    serverfarm host Firewalls-NO-LB1
      rserver FW2
        inservice
    sticky ip-netmask 255.255.255.255 address source new-sticky
      timeout activeconns
      serverfarm Firewalls
    This is my workaround for connection to the IP address of the firewalls (for management)
    class-map match-any FW-Real
      2 match virtual-address 10.11.71.254 any
    class-map match-any FW-Real2
      2 match virtual-address 10.11.71.253 any
    class-map type management match-any Remote-Access
      201 match protocol telnet any
      202 match protocol http any
      203 match protocol https any
      204 match protocol ssh any
      205 match protocol snmp any
      206 match protocol icmp any
    class-map match-any fwlb
      2 match virtual-address 0.0.0.0 0.0.0.0 any
    policy-map type management first-match Remote-Management-Policy
      class Remote-Access
        permit
    policy-map type loadbalance first-match FWLB-No-LB
      class class-default
        serverfarm Firewalls-NO-LB
    policy-map type loadbalance first-match FWLB-No-LB1
      class class-default
        serverfarm Firewalls-NO-LB1
    policy-map type loadbalance first-match FWLB-l7slb
      class class-default
        serverfarm Firewalls
    policy-map multi-match Firewall-No-LB
      class FW-Real
        loadbalance vip inservice
        loadbalance policy FWLB-No-LB
    policy-map multi-match Firewall-No-LB1
      class FW-Real2
        loadbalance vip inservice
        loadbalance policy FWLB-No-LB1
    policy-map multi-match int70
      class fwlb
        loadbalance vip inservice
        loadbalance policy FWLB-l7slb
    interface vlan 70
      description "Client side"
      ip address 10.11.70.2 255.255.255.0
      no icmp-guard
      access-group input ALL
      access-group output ALL
      service-policy input Remote-Management-Policy
      service-policy input Firewall-No-LB --> connect to the real IP address of the firewall for management
      service-policy input Firewall-No-LB1  --> connect to the real IP address of the firewall for management
      service-policy input int70
      no shutdown
    interface vlan 71
      description "Firewall side"
      ip address 10.11.71.2 255.255.255.0
      mac-sticky enable
      no icmp-guard
      access-group input ALL
      access-group output ALL
      service-policy input Remote-Management-Policy
      no shutdown

    Hello,
    As far as I know, there are no other ways.
    You can only reduce your configuration by putting all your classes under the same policy-map:
    policy-map multi-match int70
      class FW-Real
        loadbalance vip inservice
        loadbalance policy FWLB-No-LB
      class FW-Real2
        loadbalance vip inservice
        loadbalance policy FWLB-No-LB1
      class fwlb
        loadbalance vip inservice
        loadbalance policy FWLB-l7slb
    interface vlan 70
      description "Client side"
      ip address 10.11.70.2 255.255.255.0
      no icmp-guard
      access-group input ALL
      access-group output ALL
      service-policy input Remote-Management-Policy
      service-policy input int70
      no shutdown

  • ACE 4700 load balancing Issue

    Hi,
    I am new to ACE 4700. I have configured ACE 4700 for load balancing the FAX servers. Probe, ServerFarm, Real server, Virtual server, VIP state, everything is up and in service. But I am not able to access the real server using the VIP IP address.
    Below is the running configuration. Please help me to troubleshoot the problem.
    HOB-ACE-1/Admin# sh run
    Generating configuration....
    no ft auto-sync startup-config
    boot system image:c4710ace-mz.A3_2_0.bin
    hostname HOB-ACE-1
    interface gigabitEthernet 1/1
      description Man_HOB_1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      description VIP_HOB_1
      switchport access vlan 24
      no shutdown
    interface gigabitEthernet 1/3
      description HA_HOB_1
      switchport access vlan 180
      no shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    probe icmp ICMP_PROBE1
      interval 15
      faildetect 4
      passdetect interval 60
      passdetect count 5
      receive 5
    rserver host MFREFSAS497
      description MAAFAXSERVER
      ip address 10.16.12.148
      conn-limit max 4000000 min 4000000
      inservice
    rserver host MSHOFCFS489
      description HOBFAXSERVER
      ip address 10.26.12.130
      conn-limit max 4000000 min 4000000
      inservice
    serverfarm host SFHOBACE-1
      description SFHOBACE-1
      predictor hash header Accept
      probe ICMP_PROBE1
      rserver MFREFSAS497 80
        conn-limit max 4000000 min 4000000
        inservice
      rserver MSHOFCFS489 80
        conn-limit max 4000000 min 4000000
        inservice
    class-map match-all VSHOBACE-1
      2 match virtual-address 10.26.24.242 any
    class-map type management match-any remote_access
      201 match protocol xml-https any
      202 match protocol icmp any
      203 match protocol telnet any
      204 match protocol ssh any
      205 match protocol http any
      206 match protocol https any
      207 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match VSHOBACE-1-l7slb
      class class-default
        serverfarm SFHOBACE-1
    policy-map multi-match global
      class VSHOBACE-1
        loadbalance vip inservice
        loadbalance policy VSHOBACE-1-l7slb
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 24
        nat dynamic 1 vlan 1000
    service-policy input global
    interface vlan 24
      description "Client VLAN"
      ip address 10.26.24.243 255.255.255.0
      access-group input ALL
      no shutdown
    interface vlan 1000
      ip address 10.26.12.132 255.255.255.0
      peer ip address 10.26.12.133 255.255.255.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ft interface vlan 180
      ip address 192.168.180.2 255.255.255.248
      peer ip address 192.168.180.3 255.255.255.248
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 180
    ft group 1
      peer 1
      priority 140
      associate-context Admin
      inservice
    ip route 0.0.0.0 0.0.0.0 10.26.12.1
    snmp-server contact "HOB_ACE"
    snmp-server location "HOB"
    snmp-server community FAXSERVER group Network-Monitor
    snmp-server user administrator Network-Monitor
    snmp-server trap-source vlan 1000
    username admin password 5 $1$GtO1e504$eGuyxxDcXck7SkxqBfRkI.  role Admin domain default-domain
    username www password 5 $1$N5ClX7jy$kDhGgN.uukWQKvQMd3pY.1  role Admin domain default-domain
    ssh key rsa 1024 force
    Thanks and Regards,
    Ashfaque

    Hello Hossain,
    Applying the policy globally on the box is commonly not the preferred way to go, you can use instead a single multi-match policy per SVI for easier management; this will also help to narrow down problems to a specific policy and VIP while T-Shooting.
    Use the
    ACE/Admin(config)# no service-policy input global
    ACE/Admin(config)# interface vlan 24
    ACE/Admin(config-if)# service-policy input global
    Also you want to remove the NAT from the multi-match policy, you're running in routed mode so NAT should not be required; if it was required then you don't have any natpool configured or as Ahmad mentioned it was truncated from the configuration.
    Something that caught my attention is that your default route is pointing to the server VLAN that happens to be also your management VLAN, I'll have to lab it up but my first impression is that either the traffic coming to the VIP on vlan 24 should be always NAT'd to an IP of 10.26.24.X/24 before it gets to the ACE or else there will be a routing loop that will not allow the flow to complete correctly.
    Do you happen to have a quick logical diagram of this piece of the network?
    Thnx
    Pablo

  • ACE to load balance proxy servers

    Hi,
    I have a set of 4 proxy servers that are already load balanced. But they are using an incorrectly configured health probe on the ACE. I need to know a good configuration for a health probe that will send a http request over port 80, wait for response, and read it?  I searched the forum and the Cisco pages but could not find a proper answer.
    the current probe is as follows:
    probe http HTTPGET
      description Tests that www.gmail.com returns 302 redirect
      interval 10
      request method get url http://www.gmail.com
      expect status 302 302
    -Gordon

    Hi Gordon,
    This is what you want to achieve:
    I need to know a good configuration for a health probe that will send a http request over port 80, wait for response, and read it?
    So ideally you have to choose what content you want to request and what you expect as response.
    Any HTTP request will assume that the request is going to the web server or the device can understand HTTP and respond accordingly.
    If you ask me I would say that the probes which you are using make sense.
    If the probe fails that means the proxy is unable to reach "www.gmail.com" which is almost as good as proxy is not working.
    Let me know your thought about it.
    regards,
    Ajay Kumar

  • ACE Routing Load-Balance problem

    I'm trying to configure a routing load-balance with Cisco ACE Module based on the following scenario:
    Local users have a router (R1) as their default gateway; this router (R1) has a default route to the VIP that represents the serverfarm with two Linux servers that should be used for Data Shaping over the WAN. I need to balance the traffic over the two Linux servers and not necessarily over the WAN.
    The problem is that when I set the local network router default route to the VIP, the routing process simply stops working! If I change the route to the real server IP address, everything starts working again without any problem.
    The configs follow:
    Local network Router - Static route
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Follow the ACE configs:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    access-list 100 line 8 extended permit ip any any
    rserver host rout001
      ip address 10.0.0.32
      inservice
    rserver host rout002
      ip address 10.0.0.31
      inservice
    serverfarm host BLC_ROUTING
      predictor leastconns
      rserver rout001
        inservice
      rserver rout002
        inservice
    class-map match-any VIP
      2 match virtual-address 10.0.0.1 any
    class-map type management match-any mgmt
      2 match protocol icmp any
      3 match protocol telnet any
      4 match protocol ssh any
    policy-map type management first-match access
      class mgmt
        permit
    policy-map type loadbalance first-match INT_router
      class class-default
        serverfarm BLC_ROUTING
    policy-map multi-match VIP
      class VIP
        loadbalance vip inservice
        loadbalance policy INT_router
        loadbalance vip icmp-reply
    interface vlan 6
      bridge-group 10
      access-group input 100
      service-policy input access
      service-policy input VIP
      no shutdown
    interface vlan 8
      bridge-group 10
      access-group input 100
      service-policy input access
      service-policy input VIP
      no shutdown
    interface bvi 10
      ip address 10.0.0.5 255.255.255.0
      no shutdown
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    I tried to change some parameters like "transparent" in the serverfarm config and changed the "predictor" method to "hash address source" but there were no good results at all.
    Does anyone have any idea why this process is not working?
    Is there any special configuration for this scenario?
    Regards,
    Ricardo

    Ricardo,
    What is this route ??
    ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
    You can't have 0.0.0.0/24.
    You must be missing something ?
    Also, since the vip is part of a vlan with subnet 10.0.0.0/24 you don't need to add a static route to reach that vip.
    It should normally be directly connected to your router.
    With the static route, do you see traffic coming to the ACE module ?
    Does it loadbalance to the server ?
    'show service-policy detail' check the packet counters
    Gilles.

  • ACE 4710 Load Balancer

    Hello,
    I have a requirement to load balance between real servers on different subnets, but I need to preserve the original source IP address through the ACE.  I know the ACE can do Asymmetric server normalization but that appears to require the servers to be on the same subnet.  The traffic is just generic TCP and I don't want the ACE to take any action on the traffic other than to do basic balancing and allow me to direct all traffic to one server or the other for maintenance.  Is there any way to accomplish routed load balancing that preserves the original source IP?

    Hi B-Cunningham,
    Very simple !!
    When you need the same user to be always sent to the same server, you need some sort of stickiness.
    There are many different ways to achieve this.
    Some predictor algorithms will by definition always select the same server for a given client.  This is the case with the source ip hashing predictor.
    But very often you will need to configure a sticky method in combination with your predictor algorithm.
    Is the source ip hash predictor a sticky method?
    Actually, this is not a sticky method.  But since the hash algorithm always gives the same result for a given source ip address, it guarantees that a client using the same ip address will always be sent to the same server.
    The advantage is that it does not require to configure a specific sticky method.  It also works without the need for a sticky table.  So it does preserve resources.
    But the hash function will have different results when you add or remove a server.  Therefore, when your rserver list is modified your clients might be sent to different servers, breaking stickiness.
    Is sticky source ip a good solution ?
    Because of the changing hash results mentioned above, most people will prefer to use a standard predictor (roundrobin , leastconn, ...) and add a sticky source ip option.
    The idea is to also use the source ip address to identify the client and select the corresponding server.
    Unlike the hash method, the sticky source ip solution will need sticky resources to save the information necessary for ACE to remember which client uses which server.
    The advantage of the sticky option is that the sticky table is not affected when the rserver list is modified.
    Why not use sticky source ip ?
    Very often this solution is enough to guarantee stickiness.
    But because a lot of clients do not have a static ip address, this method does not work.
    There is also the problem of proxy servers hiding many clients behind a single ip address resulting in rserver overload when using sticky source ip.
    For HTTP the solution is to use information contained in the client HTTP request and server HTTP response.
    An HTTP Cookie is an object used by a server to identify HTTP clients.  A loadbalancer can therefore also use this information to map a client to a server.
    One drawback of hash predictor is that the hash predictor methods do not recognize the weight value you configure for real servers. The ACE uses the weight that you assign to real servers only in the round-robin and least-connections predictor methods.
    Here is the hash algorithm
    ((_key) + (_key >> 8) + (_key >> 16) + (_key >> 24))
    The _key in this case is the source ip address as an unsigned 32 bits number.
    You then do rserver_index = hash % number_of_rserver.
    Session persistence (stickiness) based on client source IP address or HTTP cookies are recommended to be configured on the Cisco ACE for this flow.
    IP Address Stickiness
    You can use the source IP address, the destination IP address, or both to uniquely identify individual clients and their requests for stickiness purposes based on their IP netmask. However, if an enterprise or a service provider uses a megaproxy to establish client connections to the Internet, the source IP address no longer is a reliable indicator of the true source of the request. In this case, you can use cookies or one of the other sticky methods to ensure session persistence.
    Here can be the sample configuration:
    resource-class websrv
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 20.00 maximum equal-to-min
    rserver host webserver1
      ip address 10.10.10.1
      inservice
    rserver host webserver2
      ip address 10.10.10.2
      inservice
    rserver host webserver3
      ip address 10.10.10.3
      inservice
    serverfarm host werbsrv1only
      probe websrv
      rserver webserver1 1000
        inservice
    serverfarm host werbsrv123
      probe websrv
      rserver webserver1 1000
        inservice
      rserver webserver2 1000
        inservice
      rserver webserver3 1000
        inservice
    ACE receives requests to the VIP on port 80 and translates them to port 1000 using the server farm configuration shown above.
    The link to the websrv home page is http://websrv:1000/index.html. A probe to this link is configured on ACE as follows:
    probe http websrv
      port 1000
      interval 2
      faildetect 2
      passdetect interval 2
      request method get url /index.html
      expect status 200 200
    Session persistence can be established by tying the session to an IP address,  that uniquely identifies the client.
    Create a sticky-group
    sticky ip-netmask 255.255.255.255 address source Client_subnet_1
      timeout 10
      serverfarm werbsrv1only
    Change the server farm to the sticky-group:
    policy-map type loadbalance first-match basic-slb
      class class-default
        sticky-serverfarm werbsrv1only
    sticky ip-netmask 255.255.255.255 address source Client_subnet_2
      timeout 10
      serverfarm werbsrv123
    sticky ip-netmask 255.255.255.255 address source Client_subnet_3
      timeout 10
      serverfarm werbsrv123
    Here you can find the details in the below url :
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html#wp1004411
    I have also attached a jpeg for your reference.
    Hope you will get the idea how to use the sticky based on IP address.
    Here you can find sample config of similar type:
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_white_paper0900aecd804edab0.html
    HTH .
    Please rate if you find it useful.
    Thanks and regards,
    Sachin Garg
    Senior Specialist Security
    HCL Comnet Ltd.
    http://www.hclcomnet.co.in
    A-10, Sector 3, Noida- 201301
    INDIA
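
The source-IP hash predictor and sticky source IP from the answer above, modelled side by side to show what happens to existing clients when the rserver list grows. This is an added example, not code from the original post or from Cisco; the 32-bit truncation of the sum, the round-robin first assignment in the sticky model and the 10.1.1.x client addresses are assumptions made for illustration.

```python
"""Illustrative model of hash predictor vs. sticky source IP (not ACE code)."""
import ipaddress
from itertools import count


def fold_hash(src_ip):
    """Formula quoted in the post: key + (key >> 8) + (key >> 16) + (key >> 24).

    Assumption: the sum is kept as an unsigned 32-bit value; the post does
    not say how overflow is handled.
    """
    key = int(ipaddress.IPv4Address(src_ip))  # source IP as unsigned 32-bit
    return (key + (key >> 8) + (key >> 16) + (key >> 24)) & 0xFFFFFFFF


def hash_pick(src_ip, rservers):
    """rserver_index = hash % number_of_rserver, as described in the post."""
    return rservers[fold_hash(src_ip) % len(rservers)]


class StickyTable:
    """Minimal sticky source-IP model.

    Assumption: a new client is placed round-robin, then remembered.
    """

    def __init__(self):
        self.entries = {}      # src_ip -> rserver; this is the resource cost
        self._next = count()   # round-robin counter for first-time clients

    def pick(self, src_ip, rservers):
        server = self.entries.get(src_ip)
        if server not in rservers:  # new client, or its server was removed
            server = rservers[next(self._next) % len(rservers)]
            self.entries[src_ip] = server
        return server


def moved_clients(pick, clients, before, after):
    """Clients whose rserver differs once the list changes from before to after."""
    first = {c: pick(c, before) for c in clients}
    return [c for c in clients if pick(c, after) != first[c]]


# Constructed sample data: 12 clients, rserver names from the sample config.
CLIENTS = ["10.1.1.%d" % k for k in range(1, 13)]
TWO = ["webserver1", "webserver2"]
THREE = TWO + ["webserver3"]

if __name__ == "__main__":
    hashed = moved_clients(hash_pick, CLIENTS, TWO, THREE)
    table = StickyTable()
    sticky = moved_clients(table.pick, CLIENTS, TWO, THREE)
    print("hash predictor: %d of %d clients moved" % (len(hashed), len(CLIENTS)))
    print("sticky table:   %d of %d clients moved, %d entries held"
          % (len(sticky), len(CLIENTS), len(table.entries)))
```
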

  • Load Balancing for Oracle Apps in linux

    Dear all,
    I need any kind of information for load balancing (how to do it - architecture) for Oracle applications in a Linux environment.
    Just for info, the database will be on Linux too using RAC (3 machines). I have 4 machines to be used as the application tier.
    Any kind of information will be appreciated.
    You can also send it directly to my email account: [email protected] or [email protected]
    best regards,
    Yohan

    I'm in the middle of doing this right now. There is a doc on metalink (233428.1) that details the process. I would highly recommend trying this in dev/test env first. Even though the instructions are very straight forward and not very complicated, I'm still having configuration issues.
    Clint

  • Issue with Load balancing for 2 Apps Node for EBS 12.1

    Hi Guys,
    I had been following section 2.4 of Using Load-Balancers with Oracle E-Business Suite Release 12 (Doc ID 380489.1).
    As per doc, I should be able to (but which is not happening in my case)
    [root@ebs1 etc]# nslookup ebslbr.oracle.com
    Server:         172.18.0.99
    Address:        172.18.0.99#53
    Name:   ebslbr.oracle.com
    Address: 172.18.0.102
    Name:   ebslbr.oracle.com
    Address: 172.18.0.101
    [root@ebs1 etc]# telnet ebslbr.oracle.com
    Trying 172.18.0.101...
    telnet: connect to address 172.18.0.101: Connection refused
    Trying 172.18.0.102...
    telnet: connect to address 172.18.0.102: Connection refused
    telnet: Unable to connect to remote host: Connection refused
    [root@ebs1 etc]#
    I was able to look up individual servers as well.
    [root@ebs1 etc]# nslookup ebs1
    Server:         172.18.0.99
    Address:        172.18.0.99#53
    Name:   ebs1.oracle.com
    Address: 172.18.0.101
    [root@ebs1 etc]# nslookup ebs2
    Server:         172.18.0.99
    Address:        172.18.0.99#53
    Name:   ebs2.oracle.com
    Address: 172.18.0.102
    [root@ebs1 etc]# cat /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1       localhost.localdomain   localhost
    #:1             localhost6.localdomain6 localhost6
    #172.18.0.101    ebs1.oracle.com        ebs1
    #172.18.0.102     ebs2.oracle.com        ebs2
    #172.18.0.111    db1.oracle.com         db1
    [root@ebs1 etc]# ping ebs2
    PING ebs2.oracle.com (172.18.0.102) 56(84) bytes of data.
    64 bytes from ebslbr (172.18.0.102): icmp_seq=1 ttl=64 time=0.482 ms
    64 bytes from ebslbr (172.18.0.102): icmp_seq=2 ttl=64 time=0.546 ms
    --- ebs2.oracle.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms
    rtt min/avg/max/mdev = 0.482/0.514/0.546/0.032 ms
    [root@ebs1 etc]# ping ebs1
    PING ebs1.oracle.com (172.18.0.101) 56(84) bytes of data.
    64 bytes from ebs1 (172.18.0.101): icmp_seq=1 ttl=64 time=0.032 ms
    64 bytes from ebs1 (172.18.0.101): icmp_seq=2 ttl=64 time=0.044 ms
    64 bytes from ebs1 (172.18.0.101): icmp_seq=3 ttl=64 time=0.041 ms
    [root@ebs1 etc]#
    [root@ebs1 etc]# telnet 127.0.0.1
    Trying 127.0.0.1...
    telnet: connect to address 127.0.0.1: Connection refused
    telnet: Unable to connect to remote host: Connection refused
    [root@ebs1 etc]# service iptables status
    Firewall is stopped.
    [root@ebs1 etc]#
    I went further and made changes in the context file... ran autoconfig... but I am not getting the frontend with the 'ebslbr' hostname.
    Can you please assist with what the issue could be?
    Thanks,

    Hi Hussein,
    I've checked it... but there is a confusion... does telnet work without any port number?
    I mean, see the output below,
    [applmgr@ebs1 ~]$ telnet ebs1 8000
    Trying 172.18.0.101...
    Connected to ebs1.
    Escape character is '^]'.
    Connection closed by foreign host.
    [applmgr@ebs1 ~]$ telnet ebs2 8000
    Trying 172.18.0.102...
    Connected to ebs2.
    Escape character is '^]'.
    Connection closed by foreign host.
    [applmgr@ebs1 ~]$ telnet ebs2
    Trying 172.18.0.102...
    telnet: connect to address 172.18.0.102: Connection refused
    [applmgr@ebs1 ~]$ telnet ebslbr
    Trying 172.18.0.101...
    telnet: connect to address 172.18.0.101: Connection refused
    Trying 172.18.0.102...
    telnet: connect to address 172.18.0.102: Connection refused
    [applmgr@ebs1 ~]$ telnet ebslbr 8000
    Trying 172.18.0.101...
    Connected to ebslbr.
    Escape character is '^]'.
    As per Metalink DOC: 380489.1, my Context file entries for both nodes,
    [applmgr@ebs1 ~]$ grep -i s_webentryurlprotocol $CONTEXT_FILE
             <webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
    [applmgr@ebs1 ~]$ grep -i s_webentryhost $CONTEXT_FILE
             <webentryhost oa_var="s_webentryhost">ebslbr</webentryhost>
    [applmgr@ebs1 ~]$ grep -i s_webentrydomain $CONTEXT_FILE
             <webentrydomain oa_var="s_webentrydomain">oracle.com</webentrydomain>
    [applmgr@ebs1 ~]$ grep -i s_webentrydomain $CONTEXT_FILE
             <webentrydomain oa_var="s_webentrydomain">oracle.com</webentrydomain>
    [applmgr@ebs1 ~]$ grep -i s_active_webport $CONTEXT_FILE
          <activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">8000</activewebport>
    [applmgr@ebs1 ~]$ grep -i s_login_page $CONTEXT_FILE
             <login_page oa_var="s_login_page">http://ebslbr.oracle.com/OA_HTML/AppsLogin</login_page>
    [applmgr@ebs1 ~]$ grep -i s_external_url $CONTEXT_FILE
             <externURL oa_var="s_external_url">http://ebslbr.oracle.com</externURL>
    After running autoconfig, I still get frontpage for http://ebs1.oracle.com:8000/OA_HTML/AppsLogin & http://ebs2.oracle.com:8000/OA_HTML/AppsLogin  which eventually redirects to http://ebslbr.oracle.com:8000/OA_HTML/RF.jsp?function_id=28716&resp_id=-1&resp_appl_id=-1&security_group_id=0&lang_code=… but which is wrong (there is no load balancing at all)...as my local desktop system32\drivers\etc\hosts file have following entries,
    172.18.0.101    ebs1.oracle.com
    ebslbr.oracle.com    ebslbr
    172.18.0.102    ebs2.oracle.com
    ebslbr.oracle.com    ebslbr
    so,
    ebs1.oracle.com:8000 -> ebslbr.oracle.com:8000 (It will always go to 1st node only)
    This can be also proved  by,
    [applmgr@ebs1 ~]$ telnet ebslbr.oracle.com 8000 (telnet to ebslbr always going to 1st node on ebs1)
    Trying 172.18.0.101...
    Connected to ebslbr.oracle.com.
    Escape character is '^]'.
    [applmgr@ebs2 scripts]$ telnet ebslbr.oracle.com 8000 (telnet to ebslbr always going to 2nd node on ebs2)
    Trying 172.18.0.102...
    Connected to ebslbr.oracle.com.
    Escape character is '^]'.
    This should be round robin fashion...
    Can you please help me, what is going wrong here ?
    your help would be much appreciated ...
    Regards,
    Manish

  • Regarding ACE load balancing

    Hi,
    I have one server application with two physical servers clustered with one virtual IP address . I have total six ip addresses for one server : details are given below
    Cluster IP’s :
    Node 1 :
    NIC 1 : 10.10.x.x : physical IP address
    NIC 2 : 172.16.x.x : heartbeat address used in between server
    Node 2 :
    NIC 1 : 10.10.x.x : physical ip address
    NIC 2 : 172.16.x.x : heartbeat address used in between server
    Cluster IP : 10.10.x.x : clustered IP address used to access server
    SQL IP : 10.10.x.x : clustered IP address used to access SQL application .
    Now I want to achieve server load-balancing using the ACE module. Please suggest how to fulfil this requirement. How do I do this?
    Do I need to remove the virtual IP and directly bind the two physical IPs to the ACE virtual IP address?
    How do I check the ACE server load-balancing configuration with a live server? Do we have any tool to check the packet behaviour to confirm that load-balancing is happening properly between the two physical servers?
    Please guide me and share the knowledge.

    Hi Vinod,
    You are correct. In order to achieve load-balancing with an ACE blade, you need to configure the addresses of the two servers separately. If you look at the documentation page on cisco.com for ACE (http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html) you will find sample configuration for the most common topologies.
    As for how to verify if the load-balancing is working correctly, you can use the command "show serverfarm ", which will list you all the servers in a serverfarm, along with the current and total connection numbers for each of them.
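
The per-server counters described in the reply above can be checked mechanically. This is an added example, not part of the original reply or Cisco tooling; the sample output is constructed, its column layout is an assumption, and `parse_serverfarm` and `skew_report` are hypothetical helper names.

```python
import re

# Constructed sample: layout assumed from ACE "show serverfarm" output,
# server names, addresses and counters invented for the example.
SAMPLE = """\
 serverfarm     : web, type: HOST
 total rservers : 2
 ---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: node1
       192.0.2.11:0          8      OPERATIONAL  0          20         0
   rserver: node2
       192.0.2.12:0          8      OPERATIONAL  41         1980       0
"""

NAME = re.compile(r"^\s*rserver:\s*(\S+)")
ROW = re.compile(r"^\s+\S+:\d+\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_serverfarm(text):
    """Return one dict per real server with its weight, state and counters."""
    servers, name = [], None
    for line in text.splitlines():
        if m := NAME.match(line):
            name = m.group(1)
        elif (m := ROW.match(line)) and name:
            weight, state, current, total, failures = m.groups()
            servers.append({"name": name, "state": state, "weight": int(weight),
                            "current": int(current), "total": int(total),
                            "failures": int(failures)})
    return servers

def skew_report(servers, tolerance=0.25):
    """Compare each server's share of total connections with its weight share.

    Weight share is the expectation for the roundrobin predictor only;
    stickiness or another predictor legitimately changes the split.
    """
    up = [s for s in servers if s["state"] == "OPERATIONAL"]
    conns = sum(s["total"] for s in up)
    weights = sum(s["weight"] for s in up)
    report = []
    for s in up:
        expected = s["weight"] / weights
        actual = s["total"] / conns if conns else 0.0
        report.append((s["name"], round(expected, 3), round(actual, 3),
                       abs(actual - expected) > tolerance))
    return report
```

Each tuple is (server, expected share, observed share, flagged); a flagged server under round robin is a cue to look at stickiness, probes or server state before assuming the balancer is at fault.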

  • Apps 11i Load Balancing

    Hi,
    I have load balancing between 2 Apps Tier, and all the Users are connected to Node2 only, none of the users are on Node1.
    Apps 11i and DB 10.2
    Any suggestion please....
    Thanks,

    I have load balancing between 2 Apps Tier, and all the Users are connected to Node2 only, none of the users are on Node1.
    Apps 11i and DB 10.2
    Any suggestion please....
    Was this working before? If yes, have any changes been done recently?
    Please run AutoConfig and bounce the services and see if you can reproduce the issue.
    Also, please review (Advanced Configurations and Topologies for Enterprise Deployments of E-Business Suite 11i [ID 217368.1]) and make sure your setup is correct.
    If you can access each of the nodes directly (not through the load balancer), then you need to check the configuration of your load balancer -- Implementing Load Balancing On Oracle E-Business Suite - Documentation For Specific Load Balancer Hardware [ID 727171.1]
    Thanks,
    Hussein

  • TCP SYNSEEN with load balancing Cisco ACE 4710

    I have a Cisco ACE 4710 load balancing the traffic to two proxy servers. The configuration has been the same since December 2012, but yesterday it started to show SYNSEEN in the show conn command, and the hosts cannot browse. I think that means that the three-way handshake is not complete.
    If I bypass the ACE the hosts can browse without problems. 
    I have tested with another ACE appliance and the same configuration but the behaviour is the same.
    I need help as soon as possible,
    thanks,
    I've attached the Show conn, show conn detail and show run.

    Hi Cesar,
    Thank you for your answer,
    The issue was solved,
    We were running an A3 software version, which seems to have a bug, so it doesn't show the NAT commands in the "show run", so when we made the configuration backup we didn't notice it.
    The ACE reloaded because of an electrical failure, so it lost the NAT config.
    We just upgraded to an A4 version and also added a NAT/PAT to enable the communication between the Clients and the Proxy.
    Regards,

  • Load balancing across 4 web servers in same datacentre - advice please

    Hi All
    I'm looking for some advice please
    The apps team have asked me about load balancing across some servers but I'm not that well up on it for applications
    Basically we have 4 Apache web servers with about 2000 clients connecting to them. They would like to load balance connections to all these servers; they all need the same DNS name etc.
    What load balancing methods would I need for this? I believe they run on Linux
    Would I need some sort of device, or can the servers run some software that can do this? How would it work, and how would load balancing be achieved here?
    cheers

    Carl,
    What you have mentioned sounds very straightforward, so everything should go well.
    The ACE is a load balancer which takes load balancing decisions based on different matching methods, like matching the virtual address, URL, source address, etc. Once the load balancing decision has been taken, the ACE will load balance the traffic based on the load balancing method which you have configured (if you do not configure anything, it will use the default, which is "round robin"). It will then send the traffic to the servers which it has available, and finally the client should get the content.
    If you want to get some details about the load balancing methods here you have them:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/overview.html#wp1000976
    For ACE deployments the most common designs are the following.
    Bridge Mode
    One Arm Mode
    Routed Mode
    Here you have a link for Bridge Mode and a sample for that:
    http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Bridged_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
    Here you have a link for One Arm Mode and a sample for that:
    http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
    Here you have a link for Routed Mode and a sample for that:
    http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Routed_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
    Then as you could see in all those links you may end up having a configuration like this:
    interface vlan 40
      description "Default gateway of real servers"
      ip address 192.168.1.1 255.255.255.0
      service-policy input remote-access
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    class-map match-all slb-vip
      2 match virtual-address 172.16.1.100 any
    policy-map multi-match client-vips
      class slb-vip
        loadbalance vip inservice
        loadbalance policy slb
    policy-map type loadbalance http first-match slb
      class class-default
        serverfarm web
    serverfarm host web
      rserver lnx1
        inservice
      rserver lnx2
        inservice
      rserver lnx3
        inservice
    rserver host lnx1
      ip address 192.168.1.11
      inservice
    rserver host lnx2
      ip address 192.168.1.12
      inservice
    rserver host lnx3
      ip address 192.168.1.13
      inservice
    Please mark it if it answered your question so other users can use it as a reference in the future.
    Hope this helps!
    Jorge
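
A reference check over the configuration posted above, as an added example that is not part of the original reply or any Cisco tool. The `RULES` pattern table and the `lint` function are hypothetical and cover only the statement forms this snippet uses; the configuration is abridged to the lines that define or reference a named object.

```python
import re

# The configuration posted above, abridged to the lines that define or
# reference a named object (addresses and "inservice" lines dropped).
CONFIG = """\
interface vlan 40
  service-policy input remote-access
class-map match-all slb-vip
  2 match virtual-address 172.16.1.100 any
policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
policy-map type loadbalance http first-match slb
  class class-default
    serverfarm web
serverfarm host web
  rserver lnx1
  rserver lnx2
  rserver lnx3
rserver host lnx1
rserver host lnx2
rserver host lnx3
"""

# kind -> (pattern for a top-level definition, pattern for a reference)
RULES = {
    "rserver": (r"^rserver host (\S+)", r"^[ \t]+rserver (\S+)"),
    "serverfarm": (r"^serverfarm host (\S+)", r"^[ \t]+serverfarm (\S+)"),
    "class-map": (r"^class-map \S+ (\S+)", r"^[ \t]+class (\S+)"),
    "policy-map": (r"^policy-map .* (\S+)$",
                   r"^[ \t]*(?:service-policy input|loadbalance policy) (\S+)"),
}

def lint(config):
    """Return dangling references first, then definitions nothing uses."""
    dangling, unused = [], []
    for kind, (def_re, ref_re) in RULES.items():
        defined = set(re.findall(def_re, config, re.M))
        used = set(re.findall(ref_re, config, re.M)) - {"class-default"}  # built-in
        dangling += [f"{kind} '{n}' referenced but not defined" for n in sorted(used - defined)]
        unused += [f"{kind} '{n}' defined but never referenced" for n in sorted(defined - used)]
    return dangling + unused

if __name__ == "__main__":
    print("\n".join(lint(CONFIG)))
```

On the snippet as posted this reports that `remote-access` is applied to the interface without being defined in the excerpt, and that `client-vips`, the policy carrying the VIP, is not attached to any interface.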

  • Cisco ACE20 Load balancing issues

    Dear All,
    I have a problem with ACE 20 load balancing.
    To start with following is our architectural request flow:
    Load Balancer --> Webseal /(reverse proxy) --> HTTP Server --> Portal Server
    We have Hardware Load Balancer Cisco ACE20.
    When we access our portal from Webseal server it works totally fine without any issue, but when we access the same application using ACE we face the following issues:
    1) Some of the links do not work. For example: we have a link "subscribe" which points to https://intranet/abc/wps/portal/subscription , and whenever we click on this link, the request is directed to https://intranet/abc/wps/portal i.e. the homepage
    2) URL redirection does not work. We have some links which have URL forwarding or redirection; for example, when we open https://intranet/ef/quickplace it forwards the request to https://intranet/ef/quickplace/Main.nsf?opendocument....., but this redirection fails and again the request is thrown to the homepage i.e. https://intranet/abc/wps/portal
    3) The response of the request and the overall portal when accessed via ACE is very sluggish and it takes 20 seconds for the homepage to load, whereas the homepage loads in 4 secs when accessed via Webseal.
    Below are the ACE details. Kindly provide your inputs to resolve this issue. Will rate all the suggestions.
    Hardware Product Number: ACE20-MOD-K9
      Card Index:     207
      Hardware Rev:   2.3
      Feature Bits:   0000 0002
      Slot No. :      7
      Type:           ACE
    Software
      loader:    Version 12.2[120]
      system:    Version A2(1.4) [build 3.0(0)A2(1.4) adbuild_11:54:12-2009/03/05_/auto/adbu-rel2/rel_a2_1_4_throttle/REL_3_0_0_A2_1_4]
      system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_4.bin
      installed license: ACE-SEC-LIC-K9

    Dear all,
    Please suggest on this issue.
    BS
