Ace with servers in VMware
Hi;
I have a customer who has a test site with one ACE doing load balancing for a small farm (8 servers). Recently the customer moved his servers to VMware. The customer claims that since that change, the ACE is causing large delays. His claim is that when he points his clients' HTTP requests directly to the servers, bypassing the ACE, he receives normal response times. His claim is that the ACE is causing up to 30 sec delays. This was definitely not the case before they made their change.
I was wondering if anyone has any insight into this type of situation? Are there any specific ACE issues and load balancing factors that may surface when working with VMware which are not noticeable with real servers?
The ACE is a blade in a 6500.
Thanks for any help.
Mickey
Hi Mickey,
Because this is an ACE module, you can just sniff the ten gig interface on the ACE. This way you will get everything coming in and out of the ACE. Now if you have a lot of traffic then this will be a bit overwhelming. So maybe you can find a lean period and do this exercise, or possibly pick a client PC from where you can repro the slowness and filter based on that.
Also, as you will be using Wireshark, you can write to multiple files so that you don't lose the interesting traffic.
I have attached the process of doing a ten gig capture to this post. Hope this helps.
Cheers
V.K
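Once a filtered capture exists, the useful question is whether the 30 seconds are spent between the client and the ACE or between the ACE and a real server. The following script is an added example for this thread, not code from the post or from Cisco: it takes rows exported from a capture (timestamp, addresses, ports and a short TCP/HTTP summary), measures handshake RTT and time-to-first-byte per connection, and pairs each client-facing connection with the back-end connection the load balancer opened for it. The pairing by request order is an assumption that only holds for a low-volume capture filtered to one client, as suggested above; all addresses and timings are constructed sample data.

```python
"""Locate where HTTP latency is introduced, from a packet-capture export.

Added example for this thread, not code from the original post or from Cisco.
Assumptions: the ten-gig capture was exported (e.g. from Wireshark) to rows of
timestamp, source, source port, destination, destination port and a short
TCP/HTTP summary. Addresses and timings below are constructed sample data:
a client talking to a VIP, and the ACE's back-side address talking to two
real servers, one of which answers 30 seconds late.
"""
from collections import defaultdict

HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE"}

# Constructed sample: (t_seconds, src, sport, dst, dport, info)
SAMPLE_PACKETS = [
    # connection 1: client -> VIP (front side), ACE -> server .11 (back side)
    (0.000, "10.1.1.50", 51000, "192.168.1.30", 80, "SYN"),
    (0.001, "192.168.1.30", 80, "10.1.1.50", 51000, "SYN,ACK"),
    (0.002, "10.1.1.50", 51000, "192.168.1.30", 80, "GET /index.html"),
    (0.003, "192.168.1.2", 62000, "192.168.1.11", 80, "SYN"),
    (0.004, "192.168.1.11", 80, "192.168.1.2", 62000, "SYN,ACK"),
    (0.005, "192.168.1.2", 62000, "192.168.1.11", 80, "GET /index.html"),
    (0.050, "192.168.1.11", 80, "192.168.1.2", 62000, "HTTP/1.1 200 OK"),
    (0.051, "192.168.1.30", 80, "10.1.1.50", 51000, "HTTP/1.1 200 OK"),
    # connection 2: same client, ACE picks server .12, which stalls for 30 s
    (1.000, "10.1.1.50", 51001, "192.168.1.30", 80, "SYN"),
    (1.001, "192.168.1.30", 80, "10.1.1.50", 51001, "SYN,ACK"),
    (1.002, "10.1.1.50", 51001, "192.168.1.30", 80, "GET /index.html"),
    (1.003, "192.168.1.2", 62001, "192.168.1.12", 80, "SYN"),
    (1.004, "192.168.1.12", 80, "192.168.1.2", 62001, "SYN,ACK"),
    (1.005, "192.168.1.2", 62001, "192.168.1.12", 80, "GET /index.html"),
    (31.005, "192.168.1.12", 80, "192.168.1.2", 62001, "HTTP/1.1 200 OK"),
    (31.006, "192.168.1.30", 80, "10.1.1.50", 51001, "HTTP/1.1 200 OK"),
]


def connection_timings(packets):
    """Group packets into connections keyed by (initiator, iport, responder, rport).

    For each connection return the handshake RTT (SYN -> SYN,ACK), the time of
    the first request, and the time-to-first-byte (request -> first response).
    """
    conns = {}
    for t, src, sport, dst, dport, info in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if info == "SYN":
            conns[fwd] = {"syn": t, "synack": None, "request": None, "response": None}
        elif fwd in conns:                       # initiator -> responder
            c = conns[fwd]
            if c["request"] is None and info.split(" ", 1)[0] in HTTP_METHODS:
                c["request"] = t
        elif rev in conns:                       # responder -> initiator
            c = conns[rev]
            if info == "SYN,ACK" and c["synack"] is None:
                c["synack"] = t
            elif info.startswith("HTTP/") and c["response"] is None:
                c["response"] = t
    out = {}
    for key, c in conns.items():
        complete = c["request"] is not None and c["response"] is not None
        out[key] = {
            "handshake": None if c["synack"] is None else round(c["synack"] - c["syn"], 6),
            "request_at": c["request"],
            "ttfb": round(c["response"] - c["request"], 6) if complete else None,
        }
    return out


def slowest_per_server(packets, lb_backside_ip):
    """Worst time-to-first-byte seen per real server on connections the LB opened."""
    worst = defaultdict(float)
    for (initiator, _ip, server, _sp), tm in connection_timings(packets).items():
        if initiator == lb_backside_ip and tm["ttfb"] is not None:
            worst[server] = max(worst[server], tm["ttfb"])
    return dict(worst)


def lb_overhead(packets, vip, lb_backside_ip):
    """Pair each front-side connection with the back-side connection the LB
    opened for it (in request order) and report how much of the client-visible
    delay the LB itself added. A large back_ttfb with a small lb_overhead means
    the server, not the load balancer, is slow."""
    timings = connection_timings(packets)
    front = sorted((tm["request_at"], key) for key, tm in timings.items()
                   if key[2] == vip and tm["ttfb"] is not None)
    back = sorted((tm["request_at"], key) for key, tm in timings.items()
                  if key[0] == lb_backside_ip and tm["ttfb"] is not None)
    report = []
    for (_, fkey), (_, bkey) in zip(front, back):
        f_ttfb, b_ttfb = timings[fkey]["ttfb"], timings[bkey]["ttfb"]
        report.append({"client": fkey[0], "server": bkey[2], "front_ttfb": f_ttfb,
                       "back_ttfb": b_ttfb, "lb_overhead": round(f_ttfb - b_ttfb, 6)})
    return report


if __name__ == "__main__":
    for row in lb_overhead(SAMPLE_PACKETS, "192.168.1.30", "192.168.1.2"):
        print(row)
    print("worst per server:", slowest_per_server(SAMPLE_PACKETS, "192.168.1.2"))
```

On the constructed data the load balancer adds a few milliseconds on both connections while the second real server takes 30 seconds to answer, which is the pattern to look for before blaming the ACE; if instead the back-side TTFB is small and the front-side TTFB is large, the delay sits on the load balancer or the path to the client.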
Similar Messages
-
One-armed ACE with servers gateway to ACE (no SNAT?)
Hello ACE experts, I have two questions;
Design;
One-armed ACE appliance where the servers use the ACE as default gateway? (and ACE of course a default route to the router)
Apparently it works in my lab… But since it’s not documented I wonder what the gotcha’s are?
(This would eliminate the SNAT requirement for one-armed)
I know I need;
-no icmp-guard to allow ‘asymmetric icmp’
-no normalisation to allow asymmetric traffic when not using VIP (router to server is direct, but server response uses the ACE)
And other question;
Bandwidth license, apparently ALL traffic counts to this limit, even only routed traffic, is this true?
So In routed mode, all traffic from server backend that needs to be routed over ACE - a backup!? - counts?
Regards, Kristof
Hi,
the reason I used "process every packet" was that it was one of the advantages offered by one-arm mode: not having to process every packet. The main reason for one-arm deployment, as I mentioned previously, is ease of placement of the ACE. We can have servers in any VLAN and can put the ACE altogether in a different VLAN. I guess this advantage is of no use for you because the servers are already in the same segment as the ACE.
The main reason, as I understand it, that customers don't like the concept of SNAT is its restriction on reporting and security. The client IP will be hidden, so any reporting on the servers for session sources (or for monitoring attacks) will not be fruitful. Although with features like XFF we can overcome this for HTTP traffic, customers still don't like the concept of hiding the details of the IPs accessing their servers.
Regarding B/W count in bridge mode, I am not 100% sure but believe that here again every passing packet will count, as the ACE still monitors every packet and decides whether it is passing traffic, part of load balancing, or hitting any of its configured policies. -
Nexus 1000V: problem when working with the VMware console
I have a problem when working with the VMware console.
Sometimes it is impossible to connect from any of the hypervisors to the guest OS managed by them.
I get the message: "Unable connect to the MKS: Host address lookup for server <name of the hypervisor> failed: No such host is known."
This message always appears in conjunction with the reconfiguration of the virtual switch: "Reconfigure vNetwork Distributed Switch .... Initiated by Cisco_Nexus_1000V_ ....."
Upon completion of the reconfiguration, console communication with the guest OS is restored, either on its own or after a reboot of srv-vc.
During this time, I do not see any message in the Nexus 1000V log.
What is this?
Thanks in advance.
Smells of a DNS issue. Are you sure your ESX hosts are reachable from your client via DNS hostname? Try pinging them from a command prompt/terminal. You may have DNS server issues.
As a temp fix, edit your [windowspath]/system32/etc/drivers/hosts file and manually add the ESX host name and IP, then re-test.
Regards,
Robert -
Does apple provide app developers with servers when publishing an app on their App Store?
I want to develop apps for mobile devices for Apple's App Store and I was just wondering if I had to have my own servers to launch the app or if Apple provides an app developer with servers. I thought they did since they charge you $99 a year and take 30% of earnings.
Apple supplies the infrastructure for app distribution, update management and payment handling using the App Store that runs on their servers, as mentioned above.
Depending on your application you may also be able to use GameCenter or iCloud (which run on Apple servers) to support certain app features/functionality without having to run or pay for your own servers.
Depending on your needs there may also be other (non-Apple) web services that may reduce the amount of work you'll need to spend to set up and maintain your servers. -
ACE implementation with servers at remote locations
Hi,
We have two ACE appliances in the datacenter in failover mode. Currently, we are using routed mode with two servers placed in the DC which are getting load balanced. Now, we are planning to move the servers to a new location, and this location is reachable via WAN from the DC. Is there any challenge in moving the servers to a new location?
1. Do we need to do any NAT?
2. Is there any configuration document for the ACE appliance using routed mode with NAT?
Any help would be appreciated.
Rgds./
Sck
There are 2 things to look at.
1/ Make sure the ACE can reach the server (ping)
2/ Make sure the return traffic from the server goes back to the ACE
This 2nd point can be tricky when the servers are not directly connected to ACE.
The servers will see the connections coming from clients (not ACE ip address), therefore they will use a default gateway to send the response which does not necessarily send traffic back to ACE.
You may need policy routing on the gateway.
Or you may have to configure client nat (in this case, the servers see the connections coming from ACE itself), but then you lose information about client source ip. This can be solved by doing header insert but this is only possible for HTTP and it has a cost in terms of performance.
The best option is to keep the servers close to the loadbalancer.
If you want to move both servers, see if you can also move the loadbalancer to the same remote location.
Gilles. -
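The trade-off Gilles describes (client NAT makes the return path deterministic but hides the client IP, and header insert gives it back for HTTP) has a server-side counterpart that is easy to get wrong: once the servers read X-Forwarded-For, they must believe it only when the connection really arrived from the load balancer, otherwise anyone who bypasses the ACE can write whatever source address they like into the logs and ACLs. The following is an added example, not code from the thread or from Cisco; it assumes the ACE translates clients to a known NAT pool address and inserts X-Forwarded-For, and the pool address and sample requests are constructed.

```python
"""Attribute requests to the real client when the load balancer does client
NAT and inserts X-Forwarded-For.

Added example for this thread, not code from the original post or from Cisco.
Assumptions: the ACE translates clients to one NAT pool address before
forwarding and inserts the original client IP into X-Forwarded-For (the
"header insert" mentioned above). The pool address, the sample requests and
the trusted-proxy list are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed: addresses the servers should treat as the load balancer.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def effective_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the IP a log line, rate limit or ACL should attribute the request to.

    peer_ip: the TCP peer the server sees (after client NAT this is the ACE).
    headers: request headers as a dict; the lookup is case-insensitive.
    Only the right-most X-Forwarded-For hop that is not itself a trusted proxy
    is believed, because that is the one the trusted proxy appended; anything
    further left could have been supplied by the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer, trusted):
        # Direct connection that bypassed the load balancer: the peer is the
        # client, and any XFF header it sent is client-controlled, so ignore it.
        return str(peer)
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if not xff:
        return str(peer)  # trusted proxy but no header: fall back, do not guess
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: refuse to trust any of it
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer)


# Constructed server-side access records: (peer_ip, request headers)
SAMPLE_REQUESTS = [
    ("192.168.1.10", {"X-Forwarded-For": "203.0.113.7"}),                  # via the ACE
    ("192.168.1.10", {"X-Forwarded-For": "198.51.100.9, 203.0.113.8"}),    # client sent its own XFF first
    ("203.0.113.9", {"X-Forwarded-For": "10.99.0.1"}),                      # direct hit, header untrusted
    ("192.168.1.10", {}),                                                   # via the ACE, no header
]


def clients_seen(records, trusted=TRUSTED_PROXIES):
    """Count requests per effective client, the way a report or rate limit
    should, instead of counting everything against the NAT pool address."""
    return Counter(effective_client_ip(peer, hdrs, trusted) for peer, hdrs in records)


if __name__ == "__main__":
    for client, n in clients_seen(SAMPLE_REQUESTS).items():
        print(f"{client:15} {n}")
```

Keep the trusted list as narrow as the NAT pool actually is; if the device adds a second X-Forwarded-For header instead of appending to an existing one, the server framework must join them in order before this logic runs.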
ACE implementation with server LAN behind another router
Hi,
I need help with this topology. I need to design a scenario where the server LAN is behind another router, and the connection between the ACE module and the server LAN is through a routing protocol using a Layer 3 device like an ASA.
I am confused about whether to use a context in routed mode or one-armed mode. I don't know what the best option is.
I need help.
Attached is a diagram of the scenarios.
Regards,
Fidel Gonzalez
Hi Fidel,
This should work in Routed or One-Armed, the only thing you need to be sure is that the response of the servers is going back to the ACE instead of going directly to the client.
You probably will need to use source nat when the ACE sends the traffic to the servers.
Cesar R
ANS Team -
ACE with sticky http-cookies across two server farms issue
Hi,
We need the same sticky HTTP cookie to be applied to two server farms (which are actually the same servers but listening on different ports in each farm) to persist sessions to the same real backend server.
e.g.
Farm1 (front end HTTP service) - StickyGroup1
rserver1 - 192.168.0.1:80
rserver2 - 192.168.0.2:80
rserver3 - 192.168.0.3:80
Farm2 (SSL front end authentication service) - StickyGroup2
rserver1 - 192.168.0.1:443
rserver2 - 192.168.0.2:443
rserver3 - 192.168.0.3:443
We have setup two Sticky Groups (one for each of the farms above) both using the same cookie name e.g. cookieXYZ
Our service is behind a single virtual server configured as follows (example URL and addresses):
Virtual Server Configuration
Virtual server name: www.somedomain.com
Virtual IP: 2.2.2.2
TCP/443 (https)
SSL Termination - Proxy service name: www.somedomain.com (all keys and certs loaded and correct)
L7 Load Balancing - **inline** rule match HTTP URL:(/AuthenticateMe/).* Action : Sticky, Group: StickyGroup2, SSL Initiation enabled (www.somedomain.com)
Default L7 Load Balancing action : Sticky, Group: StickyGroup1
So normally we would expect users to first hit www.somedomain.com and therefore Farm1, get cookieXYZ from the ACE (cookie insert is only enabled on StickyGroup1) and then be redirected to www.somedomain.com/AuthenticateMe, which matches the inline URL L7 rule which directs the request at Farm2 - at this point we expected the ACE to use cookieXYZ to persist the user to the same real server hit in Farm1, but instead the stickiness doesn't seem to work.
We suspect that the ACE uses IP:port as the unique value in the Cookie ID and therefore the ACE fails to match the same real host in a different farm because we are using a mix of port numbers across farms. Is this correct? Is there another way of accomplishing what we are after with a different configuration but still the same setup with single VIP and multiple services on the backend servers?
Any suggestions or solutions appreciated.
Thanks
Paul
The issue is related to the fact that it's not about persistence, because there are only "new" services in the backend in SSL; you want to keep the IP address.
With a little bit of dev, the only way to achieve this is to redirect the user when he has been sent to HTTP and add a "tag" (cookie / token in the URL), then on the SSL virtual server, when performing SSL offload, match this tag to send the user to the right server. But it will be a 1-to-1 mapping. -
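The "tag" in that answer is a routing decision handed to the client, so whatever the HTTP service emits must be something the client cannot rewrite to steer itself onto a chosen backend. The following is an added example, not code from the thread or from Cisco, of the 1-to-1 mapping described above with that property: the HTTP step issues a short-lived, HMAC-signed tag naming the real server that served it, and the SSL-side logic resolves the tag back to a server only if the signature and age check out. The server-id table mirrors the rserver addresses in the question; the key, the token format and the redirect URL are assumptions.

```python
"""Signed 1-to-1 routing tag carried from the HTTP service to the SSL service.

Added example for this thread, not code from the original post or from Cisco.
Assumptions: both VIPs' application logic share KEY; the tag is carried in the
redirect URL (it could equally be a cookie); the id table is constructed from
the rserver addresses listed in the question.
"""
import base64
import binascii
import hashlib
import hmac
import time

# Constructed 1-to-1 mapping between a short id and the real server.
SERVER_BY_ID = {"1": "192.168.0.1", "2": "192.168.0.2", "3": "192.168.0.3"}
ID_BY_SERVER = {ip: sid for sid, ip in SERVER_BY_ID.items()}
KEY = b"constructed-demo-key-replace-and-rotate"   # assumption: shared secret
MAX_AGE_SECONDS = 300                                 # tag only has to survive the redirect


def issue_tag(server_ip, issued_at=None, key=KEY):
    """Return 'id.timestamp.mac' for the server that handled the HTTP step.

    The MAC covers id and timestamp, so a client cannot change which server
    the tag points at, nor replay an old tag indefinitely.
    """
    sid = ID_BY_SERVER[server_ip]
    ts = str(int(time.time() if issued_at is None else issued_at))
    payload = f"{sid}.{ts}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def resolve_tag(tag, now=None, key=KEY, max_age=MAX_AGE_SECONDS):
    """Return the real server for a valid tag, or None if it is malformed,
    forged or stale. None means 'fall back to normal load balancing'."""
    try:
        sid, ts, mac_b64 = tag.split(".")
    except ValueError:
        return None
    payload = f"{sid}.{ts}".encode()
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    try:
        given = base64.urlsafe_b64decode(mac_b64 + "=" * (-len(mac_b64) % 4))
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(expected, given):   # constant-time comparison
        return None
    now = time.time() if now is None else now
    if not ts.isdigit() or now - int(ts) > max_age:
        return None
    return SERVER_BY_ID.get(sid)


def redirect_location(server_ip, issued_at=None):
    """Location header the HTTP service would send after the first hit."""
    return "https://www.somedomain.com/AuthenticateMe/?tag=" + issue_tag(server_ip, issued_at)


if __name__ == "__main__":
    tag = issue_tag("192.168.0.2")
    print("redirect:", redirect_location("192.168.0.2"))
    print("resolves to:", resolve_tag(tag))
    print("tampered id resolves to:", resolve_tag("3" + tag[1:]))
```

A tag that fails to resolve should simply fall through to the default load-balancing decision rather than produce an error, so a tampered or expired tag costs the client persistence, not availability.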
[ACE] Real servers and VIP in the same VLAN
Hello.
I'm facing an issue because the real servers and the VIP address are in the same VLAN: when a request comes from an external client to the VIP (crossing an ASA firewall), the ACK gets back using the IP of one of the real servers instead of the VIP, so this traffic is blocked by our WAN firewall, probably due to the inspection rules.
My question is whether there is some way to make the VIP the address that ACKs those requests. Creating a new VLAN would be complicated because there are other services already running on those real servers.
Thanks a lot,
Miquel
Hi Miquel,
Please do source nat on ACE so that return traffic gets sent to ACE and not FW. Pasting an example for you.
==========================================================================
One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
==========================================================================
login timeout 0
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice
serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice
class-map match-all VIP-30
  2 match virtual-address 192.168.1.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 451
interface vlan 451
  description Servers vlan
  ip address 192.168.1.2 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Let me know if you have any question.
Regards,
Kanwal -
Hello,
I have a static NAT configured on my ACE that translates an internal IP to an external IP, but I want the same internal IP to maintain its IP when destined to a certain network. It's the same concept that is used on PIX/ASA with a nonat rule (nat 0). Any ideas on how to accomplish this?
Here's my static NAT config:
class-map match-all cmap-static-10.20.1.10
  2 match source-address 10.20.1.10 255.255.255.255
policy-map multi-match pmap-nat-vl4001
  class cmap-static-10.20.1.10
    nat static 5.5.5.5 netmask 255.255.255.255 vlan 501
interface vlan 4001
  service-policy input pmap-nat-vl4001
Thanks,
Lee
I hate to drudge up an old post, but this sounds exactly like an issue I am researching and I was wondering if anyone could help expand on this.
I have a serverfarm that I want everyone to hit with NAT'd addresses except for two IPs, but when I attempt to add a "match access-list" to the class-map (which already has a match virtual-address), I get an error that I cannot add other match types.
class-map match-all VIP_HOST1
  2 match virtual-address 172.1.1.100 any
Basically I have a serverfarm (HOST1.domain.com) that has two rservers (10.1.1.101 and 10.1.1.102) that use VIP 172.1.1.100. I have two other servers (10.1.1.201 and 10.1.1.202) that will use the VIP of HOST1, but I do not wish for those two IP's to get NAT'd.
Thanks for any assistance! -
How do I license my Physical Windows and Unix/Linux Servers for VMware VCM?
I currently have vCenter Operations Manager Suite Enterprise edition which will allow me to manage my VMware VMs with VCM.
I would also like to manage my 300-500 Physical Windows and Linux/Unix Servers.
What license do I need to buy to achieve this?
Cheers,
/m
You need an OS Instance (OSI) license for each managed endpoint.
vRealize Suite Cloud Management Platform Purchasing | United States
Cheers,
Paul -
Display Questions with Retina and VMware Fusion (Windows 7/8)
Looking to buy my first MacBook Pro and looking to make sure I get the specs I need and have a couple of questions.
I would like to be able to run (simultaneously):
During the day for work:
Windows 7 x64 - 30GB HD - 1 Core - 1GB Ram - Purpose: Has a VPN client that allows me to VPN and RDP only
Windows 8.1 x64 - 60GB HD - 2 Cores - 4GB+ Ram - Purpose: Office 2013 installed on this VM and all my other work applications (light weight)
OSX 10.10 - Whatever it can take - Light Web Browsing etc while at work.
After work:
Guess it doesn't matter really - i'd like to play games (bootcamp fine) if possible too. Nothing crazy so barely worth mentioning.
My main questions:
Display: Iris Pro or nVidia - Can the base 15 inch GPU/CPU handle the two VMs at the same time plus the host OS (OSX) without hiccups?
Display: How does VMware Fusion recognize the discrete GPU - will the system be smooth/quiet without activating it?
Battery life: Virtualization is pretty heavy battery wise. Does anyone know what happens to the battery when you're running a couple VMs?
Display: How is running Windows 7/8 on a MacBook with a specifically retina display? Do the Windows PCs look really ugly/blurry due to such a high resolution?
What is the minimum hardware required for these VMs to run fast and responsive? (CPU/GPU/RAM only)
Thanks!!
Sorry - we're users here, just like you, and some questions just get lost sometimes.
The faster the hardware you buy, the easier you'll be able to run Windows. If you use Boot Camp to run Windows (7, 8 or 8.1) the machine will run at its best. If you want to run Windows alongside the Mac OS, you'll need to use a VM application (I use Parallels - I've tried VMware Fusion but like Parallels better and it just works best for me).
So, to your questions:
The Retina machine with the NVIDIA GPU will be the fastest - it's a faster processor and has more VRAM.
Any VM is going to use resources - how much RAM, for example, is up to you. I have 16 GB of RAM and 8GB dedicated to Parallels/Windows 7 Pro.
I wouldn't (and you really can't) run a VM for very long on battery. If you're using VMs, that's the time to plug into mains. Running a 'couple' of VMs would put further heavy use on your GPU and CPU and shorten your battery life.
I would make sure to get a good, fast quad-core i7 processor, the 2GB of VRAM NVIDIA GPU and the maximum amount of RAM (16GB).
Good luck,
Clinton -
Hi all,
I am currently having trouble with flash player in VMware. Some flash content works fine while others do not. For example, when navigating to youtube the banner will not load correctly but I can watch a video with no issues. Have gone through the reinstallation process to no avail. Flash player was working properly before the update and the issue does not occur in a native machine with the same specs. Any help would be greatly appreciated.
Thank you in advance.
Specs:
Native OS: Mac OS X 10.6.8
VMware Fusion 3.1.3 running Windows 7 Professional 64bit SP 1
Browser: Internet Explorer 9 32bit
Flash Version: 10.3.181.34
Thank you for adding this. I've added my vote and I'd like to suggest to others impacted by this to take a minute, visit the bug, add their vote and make a comment.
https://bugbase.adobe.com/index.cfm?event=bug&id=2940665
Chris -
Cisco Prime Collaboration Deployment with BE7K and VMWare license
Hello, I am looking for some help trying to figure out if Cisco Prime Collaboration Deployment can be used to upgrade our existing 7.1.5 cluster. From what I have read there is an API problem with the VMware license that comes with the BE7K. But after reviewing the BOM/quote from my VAR, it lists the foundation license, which based on the release notes is supported.
UCSS-U-VMW-FND-5-1
UCSS Cisco UC Virt. Foundation Five Year - 1 server
Has anybody out there had experience with PCD and BE7K?
This is from release notes of PCD
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/10_5_1/CUCM_BK_P139675A_00_pcd-rns-1051/CUCM_BK_P139675A_00_pcd-rns-1051_chapter_010.html
Search for “Business Edition 7000” and it will state it is not supported with PCD. It is because the licenses that the BE 6k and 7K are shipped with don’t enable certain VMware APIs that PCD needs.
“Virtualization Software License Compatibility
Cisco Prime Collaboration Deployment is not compatible with all license types of VMware vSphere ESXi, as some licenses do not enable required VMware APIs.
The following are compatible with Cisco Prime Collaboration Deployment:
Cisco UC Virtualization Foundation (appears as "Foundation Edition" in vSphere Client)
VMware vSphere Standard Edition, Enterprise Edition, or Enterprise Plus Edition
Evaluation mode license
The following are not compatible with Cisco Prime Collaboration Deployment:
Cisco UC Virtualization Hypervisor (appears as "Hypervisor Edition" in vSphere Client)-preloaded on Cisco Business Edition 6000 and Business Edition 7000
VMware vSphere Hypervisor Edition
Any help would be appreciated.
JP
Thanks Jamie for responding. We haven't made any purchases yet, but I wanted to ensure we are purchasing a solution that won't lead to a lot of frustration. We only have 1000 phones, so we are pretty small and the BE7K seems to be a good fit and value.
Cheers, -
ACE with cache engine "spoof" mode
If the cache engine uses spoof mode, how should the ACE be configured to support this mode? Is there any command to add on the ACE?
I am looking into this myself. Can the ACE work in this fashion:
Clients VLAN 10
Internet VLAN 20
Cache Servers VLAN 30
Traffic that comes in from clients on VLAN 10, any of it that is TCP port 80, send to the cache on VLAN 30. Traffic coming back from the internet, VLAN 20, if it's TCP port 80, send to the cache on VLAN 30.
It's basic layer 4 redirection. But when the traffic goes to the cache, the cache is not going to use its own IP to make the internet request, it's going to use the client's IP; this is why a map is needed on VLAN 10 and VLAN 20, to ensure traffic is pipelined through the ACE. Has anyone done this? -
Trying to get ACE module and IOS devices to work with TACACS+. I have ACS v3.2.
The "optional" syntax does not work. Any idea if the argument is valid for the ACS version ?
service=exec
optional shell:Admin=Admin domain
Tried it with quotations but that didn't work either.
Hi,
Here is a reference doc for configuring ACE for Tacacs+ authentication,
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/aaa.html#wp1321891
Under custom attribute for Tacacs+ we need to specify attribute as,
shell:Admin*ADMIN MYDOMAIN1
= means mandatory attribute
* means optional
Information on context/role/domain (Virtualization on ACE):
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/virtualization/guide/ovrview.html
Default "role" on ACE:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/virtualization/guide/ovrview.html#wp1051297
HTH
JK
Plz rate helpful posts-
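The "=" versus "*" distinction in that answer is the TACACS+ mandatory/optional argument flag, and it decides what happens when a device does not recognise an attribute: an unrecognised mandatory argument must make authorization fail, while unrecognised optional ones are ignored. The following is an added example, not code from the thread or from Cisco: a parser for attribute-value strings in the form shown above (`shell:Admin*ADMIN MYDOMAIN1`) together with an authorization decision that applies those rules and fails closed. Treating the word after `shell:` as the context name follows the ACE format the answer quotes; the sample strings are constructed.

```python
"""Parse TACACS+ shell attribute-value pairs in the form the ACE expects and
apply the mandatory/optional rules when deciding a role.

Added example for this thread, not code from the original post or from Cisco.
Format parsed (from the answer above): 'shell:<context><sep><ROLE> <DOMAIN> ...'
where '=' marks a mandatory attribute and '*' an optional one. Sample strings
are constructed.
"""
import re

# attribute name, then a single separator, then everything else as the value
AV_RE = re.compile(r"^(?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.*)$")


def parse_av_pair(pair):
    """Split 'attr=value' / 'attr*value' into its parts.

    Raises ValueError on anything else, so a mis-typed attribute on the ACS
    side fails loudly instead of being silently ignored.
    """
    m = AV_RE.match(pair.strip())
    if not m:
        raise ValueError(f"not a TACACS+ attribute-value pair: {pair!r}")
    return {"attr": m.group("attr"), "mandatory": m.group("sep") == "=",
            "value": m.group("value")}


def shell_role(value):
    """'ADMIN MYDOMAIN1 MYDOMAIN2' -> ('ADMIN', ['MYDOMAIN1', 'MYDOMAIN2'])."""
    tokens = value.split()
    if not tokens:
        raise ValueError("shell attribute has no role")
    return tokens[0], tokens[1:]


def authorize(pairs, contexts=("Admin",)):
    """Decide context, role and domains from the AV pairs the server returned.

    Rules applied (TACACS+ argument semantics): an attribute the device does
    not recognise denies access if it is mandatory and is ignored if optional.
    Returns a dict, or None when authorization should fail.
    """
    result = None
    for pair in pairs:
        av = parse_av_pair(pair)
        if av["attr"] == "service":
            continue                                  # 'service=exec' is understood
        if av["attr"].startswith("shell:") and av["attr"][len("shell:"):] in contexts:
            role, domains = shell_role(av["value"])
            result = {"context": av["attr"][len("shell:"):], "role": role, "domains": domains}
            continue
        if av["mandatory"]:
            return None                               # unknown mandatory argument: fail closed
        # unknown optional argument: ignored
    return result


if __name__ == "__main__":
    print(authorize(["service=exec", "shell:Admin*ADMIN MYDOMAIN1"]))
    print(authorize(["service=exec", "shell:Other=ADMIN MYDOMAIN1"]))   # None
```

When troubleshooting the "optional syntax does not work" symptom, run the exact string the ACS is configured with through `parse_av_pair` first: a stray space before the separator or a `shell:` context name that does not exist on the ACE shows up immediately as an unknown attribute.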