ACE with sticky http-cookies across two server farms issue
Hi,
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
We need the same sticky http cookie to applied to two server farms (which are actually the same servers but listening on different ports in each farm) to persist sessions to the same real backend server.
e.g.
Farm1 (front end HTTP service) - StickyGroup1
rserver1 - 192.168.0.1:80
rserver2 - 192.168.0.2:80
rserver3 - 192.168.0.3:80
Farm2 (SSL front end authentication service) - StickyGroup2
rserver1 - 192.168.0.1:443
rserver2 - 192.168.0.2:443
rserver3 - 192.168.0.3:443
We have setup two Sticky Groups (one for each of the farms above) both using the same cookie name e.g. cookieXYZ
Our service is behind a single virtual server configured as follows (example URL and addresses):
Virtual Server Configuration
Virtual server name: www.somedomain.com
Virtual IP: 2.2.2.2
TCP/443 (https)
SSL Termination - Proxy service name: www.somedomain.com (all keys and certs loaded and correct)
L7 Load Balancing - **inline** rule match HTTP URL:(/AuthenticateMe/).* Action : Sticky, Group: StickyGroup2, SSL Initiation enabled (www.somedomain.com)
Default L7 Load Balancing action : Sticky, Group: StickyGroup1
So normally we would expect users to first hit www.somedomain.com first and therefore Farm1, get cookieXYZ from the ACE (cookie insert is only enabled on StickyGroup1) and then be redirected to www.somedomain.com/AuthenticateMe which matches the inline URL L7 rule which directs the request at Farm2 - at this point we expected the ACE to use cookieXYZ to persist the user to the same real server hit in Farm1 but instead the stickiness doesn't seem to work.
We suspect that the ACE uses IP:port as the unique value in the Cookie ID and therefore the ACE fails to match the same real host in a different farm because we are using a mix of port numbers across farms. Is this correct? Is there another way of accomplishing what we are after with a different configuration but still the same setup with single VIP and multiple services on the backend servers?
Any suggestions or solutions appreciated.
Thanks
Paul
The issue is related to the fact that it's not about persistence because there are only "new" services in the backend in SSL, you want to keep the IP address.
With a little bit of dev, the only way to acheive this is to redirect the user when he has been sent to http and adding a "tag" (cookie / token in the URL), then on the SSL virtual server, when performing SSL offload matching this tag to send to user to the right server. But it will be a 1-to-1 mapping.
Similar Messages
-
Sticky Resource Not Available when setting up sticky http-cookie
When I try to configure the sticky:
(config)# sticky http-cookie ACE-COOKIE COOKIE-STICKY
I get the error:
sticky resource not available
An L7 policy has not yet been set up⦠could that be the reason for this error? Or, is it because I have not setup a class resource for the sticky cookie?Syed,
I thought it resolved it, but it really didn't.
Added the resource-class in the Admin context:
resource-class any-available
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 35.00 maximum equal-to-min
no difference. -
Can two server farm share the same VIP?
Hello,
Can i create two server farm and share the same VIP? for example:
is posible this configuration?
rserver host des1
ip address 10.24.18.34
inservice
rserver host des2
ip address 10.24.18.35
inservice
rserver host was1
ip address 10.24.18.10
inservice
rserver host was2
ip address 10.24.18.11
inservice
serverfarm host farm1
rserver des1
inservice
rserver des2
inservice
serverfarm host farm2
rserver was1
inservice
rserver was2
inservice
class-map type http loadbalance match-all Check-Headers-10
2 match http url .*
3 match http header Host header-value "10.24.16.*"
4 match http header User-Agent header-value ".*MSIE.*"
class-map type http loadbalance match-all Check-Headers-s-10
2 match http url .*
3 match http header Host header-value "10.24.16.*"
4 match http header User-Agent header-value ".*MSIE.*"
class-map type http loadbalance match-all other-http-10
2 match http url .*
class-map type http loadbalance match-all other-http-s-10
2 match http url .*
class-map match-all server-vlan-vip-10-http
2 match virtual-address 10.24.16.10 tcp eq www
class-map match-all server-vlan-vip-10-https
2 match virtual-address 10.24.16.10 tcp eq https
policy-map type loadbalance first-match http-10-lb
class Check-Headers-10
serverfarm farm2
class other-http-10
serverfarm farm2
policy-map type loadbalance first-match http-10-s-lb
class Check-Headers-s-10
serverfarm farm1
class other-http-s-10
serverfarm farm1
policy-map type loadbalance first-match lb-logic-10
class class-default
serverfarm farm2
policy-map type loadbalance first-match lb-logic-s-10
class class-default
serverfarm farm1
policy-map multi-match server-vip-service-policy-10
class server-vlan-vip-10-http
loadbalance vip inservice
loadbalance policy http-10-lb
loadbalance policy http-10-s-lb
loadbalance vip icmp-reply
class server-vlan-vip-10-https
loadbalance vip inservice
loadbalance policy lb-logic-10
loadbalance policy lb-logic-s-10
loadbalance vip icmp-reply
interface vlan 233
description Servidores_Balanceados_outside
peer ip address 10.24.16.7 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input client-vips
no shutdown
interface vlan 242
description Servidores_desarrollo1
peer ip address 10.24.18.33 255.255.255.240
access-group input anyone
access-group output anyone
service-policy input server-vip-service-policy-10
no shutdownHello gdufour,
Actually i've got this configuration:
1.) One serverfarm (farm1).
2.) In this serverfarm, i have two real servers des1 and des2.
3.) The real servers are using VIP 10.24.16.10.
4.) The loadbalance is roundrobin using http with headers.
I want to have:
1.) One new server (a.b.c.d), it can be in the same subnett.
2.) This server don't know if can belong to serverfarm farm1.
2.) When i reach to http://index/url/url1, this has to be to VIP 10.24.16.10.
3.) When i reach the link, the VIP 10.24.16.10 redirect to server a.b.c.d.
4.) When the server a.b.c.d down, the serverfarm farm1 have to take the load of the url.
Is posible this configuration?
Thank you.
Best Regards -
Flex IO error# 2032 when using IE7 for parallel https calls across two servers
Hi,
Weeks back I faced a wierd issue in the behaviour of flashplayer running on IE7 which is invoking parallel https calls. I have two SSL enabled servers one is listening on port 443 and the other is listening on port 8443 but both running in the same domain. I developed a flex client (using httpservice class) which sends parallel https requests to these two servers. When the number of parallel requests increases say more than 5 requests to each server, the fault handler was encountered with the error message:
[RPC Fault faultString="HTTP request error" faultCode="Server.Error.Request" faultDetail="Error: [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2032: Stream Error. URL: https://servlet"]. URL: https://servlet"]
I used some http tracer tools to check if the request jumps out of the browser but that didnt happen. I am 100% sure that I am using the correct url. I was totally helpless . This worked without any issues in IE8 or Chrome or Firefox. This made me think about increasing the number of concurrent connections for IE7 by modifying the windows registry. But still no difference in the behaviour.
After breaking my head for a long days, I got one solution which would work. This issue is happening only if we are sending https requests to different ports in the same domain. So rather than moving one among the two servers to a new domain, I got a new DNS name for the same destination. So presently I got two DNS names pointing to the same machine in which both the servers are mounted.
After this it really worked cool!!! Now that I am using a separate DNS name for the server listening on port 8443 and the old DNS name is used to hit the server listening on 443. And I am happy that its working fine without any issues .
But can anyone tell me if this is really an IE7 issue or do we have anyother solution to fix this.
Please share ur thoughts..Hi,
I am building a mobile employee directory and for that I am using Flash Builder 4.6/AIR 3.1.0. I am using RESTful web service to get XML results and to display on my mobile application. I am getting the same below error when accessing the webservice from mobile app (Android - Galaxy Tab 7 inch).
Error: [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error # 2032"] URL: http://adfdevp.alshaya.com:7013/RESTEmployeeDetails-EmployeeDetails-co">http://adfdevp.alshaya.com:7013/RESTEmployeeDetails-EmployeeDetails-co ntext-root/jersey/restlabhttp://adfdevp.alshaya.com:7013/RESTEmployeeDetails-http://adfdevp.als haya.com:7013/RESTEmployeeDetails-EmployeeDetails-co ntext-root/jersey/restlabEmployeeDetails-context-root/jersey/restlab
The same code is working in Flash Builder 4.6. I have checked Network Monitor to "Disabled" before deploying to mobile. What am i doing wrong here? I am pasting my code below-
<?xml version="1.0" encoding="utf-8"?>
<s:View xmlns:fx="http://ns.adobe.com/mxml/2009"
xmlns:s="library://ns.adobe.com/flex/spark" title="HomeView" xmlns:dao="dao.*"
xmlns:mx="library://ns.adobe.com/flex/mx">
<fx:Script>
<![CDATA[
import mx.collections.ArrayCollection;
import mx.collections.IList;
import mx.collections.XMLListCollection;
import mx.events.FlexEvent;
import mx.rpc.events.FaultEvent;
import mx.rpc.events.ResultEvent;
import mx.rpc.xml.SimpleXMLDecoder;
import mx.utils.ArrayUtil;
import valueObjects.EmployeeDetail;
[Bindable]
private var myXml:XML;
[Bindable]
public var resultCollection:IList;
public function handleXml(event:ResultEvent):void
var xmlListCollection:XMLListCollection = new XMLListCollection(event.result.children());
var xmlListCollectionValues:XMLListCollection = new XMLListCollection(event.result.emp.children());
var resultArray:Array = xmlListCollection.toArray();
var resultArrayValues:Array = xmlListCollectionValues.toArray();
var objEmployeeDetails:EmployeeDetail;
var resultCollection:ArrayCollection = new ArrayCollection();
var j:int = 0;
for(var i:int=0;i<resultArray.length;i++){
objEmployeeDetails = new EmployeeDetail();
objEmployeeDetails.brand = resultArrayValues[j];
objEmployeeDetails.division = resultArrayValues[j+1];
objEmployeeDetails.email = resultArrayValues[j+2];
objEmployeeDetails.employee_name = resultArrayValues[j+3];
objEmployeeDetails.employee_number = resultArrayValues[j+4];
objEmployeeDetails.grade = resultArrayValues[j+5];
objEmployeeDetails.mobile = resultArrayValues[j+6];
objEmployeeDetails.position = resultArrayValues[j+7];
j = j + 8;
resultCollection.addItem(objEmployeeDetails);
list.dataProvider = resultCollection;
//return resultCollection;
public function handleFault(event:FaultEvent):void
//Alert.show(event.fault.faultDetail, "Error");
protected function sesrchEmployee():void
xmlRpc.send();
]]>
</fx:Script>
<fx:Declarations>
<dao:EmployeeDAO id="srv"/>
<mx:HTTPService id="xmlRpc"
url="http://adfdevp.alshaya.com:7013/RESTEmployeeDetails-EmployeeDetails-co ntext-root/jersey/restlab"
result="handleXml(event)"
fault="handleFault(event)"
resultFormat="e4x" showBusyCursor="true">
<mx:request xmlns="">
<data>{key.text}</data>
<data>{key1.text}</data>
</mx:request>
</mx:HTTPService>
</fx:Declarations>
<s:navigationContent/>
<s:titleContent>
<s:VGroup width="100%">
<s:HGroup width="100%">
<s:Label top="40" paddingTop="10" paddingRight="13" height="29" text="Employee Name:"/>
<s:TextInput id="key" width="559"/>
</s:HGroup>
<s:HGroup width="100%">
<s:Label height="30" paddingTop="10" text="Employee Number:"/>
<s:TextInput id="key1" width="100%"/>
</s:HGroup>
</s:VGroup>
</s:titleContent>
<s:actionContent>
<s:Button icon="@Embed('assets/search.png')" click="sesrchEmployee()"/>
</s:actionContent>
<s:List id="list" top="0" bottom="0" left="0" right="0"
change="navigator.pushView(EmployeeDetails, list.selectedItem)">
<s:itemRenderer>
<fx:Component>
<s:IconItemRenderer label="{data.employee_name}"
messageField="position">
</s:IconItemRenderer>
</fx:Component>
</s:itemRenderer>
</s:List>
</s:View>
Please help me to resolve this issue as soon as possible. Appreciate your quick response in this regard.
Thanks,
Murtaza Ghodawala
Mobile: +965 97180549
[email protected] -
ACE module not load balancing across two servers
We are seeing an issue in a context on one of our load balancers where an application doesn't appear to be load balancing correctly across the two real servers. At various times the application team is seeing active connections on only one real server. They see no connection attempts on the other server. The ACE sees both servers as up and active within the serverfarm. However, a show serverfarm confirms that the load balancer sees current connections only going to one of the servers. The issue is fixed by restarting the application on the server that is not receiving any connections. However, it reappears again. And which server experiences the issue moves back and forth between the two real servers, so it is not limited to just one of the servers.
The application vendor wants to know why the load balancer is periodically not sending traffic to one of the servers. I'm kind of curious myself. Does anyone have some tips on where we can look next to isolate the cause?
We're running A2(3.3). The ACE module was upgraded to that version of code on a Friday, and this issue started the following Monday. The ACE has 28 contexts configured, and this one context is the only one reporting any issues since the upgrade.
Here are the show serverfarm statistics as of today:
ACE# show serverfarm farma-8000
serverfarm : farma-8000, type: HOST
total rservers : 2
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: server#1
x.x.x.20:8000 8 OPERATIONAL 0 186617 3839
rserver: server#2
x.x.x.21:8000 8 OPERATIONAL 67 83513 1754Are you enabling sticky feature? What kind of predictor are you using?
If sticky feature is enabled and one rserver goes down, traffic will leans to one side.
Even after the rserver retuns to up, traffic may continue to lean due to sticky feature.
The behavior seems to depend on the configuration.
So, please let me know a part of configuration?
Regards,
Yuji -
Help with Moodle on Mac OS X server - PhP issue
I am a server newbie. I am setting up a server on a mac for the primary purpose of running a website for my students to use. I have a hosted site now, but the version of php they offer is not high enough to run moodle. I want to install moodle 2.4 on my mac server (mountain lion) but it needs :PHP 5.3.3, MySQL 5.1.33 or Postgres 8.3. I read that I should not try to update the native php (5.3.13) any thoughts or workarounds? I could install an earlier version of moodle, but it is no longer being supported with updates.
First off, ensure that local DNS services are working. If DNS is not working, then various services offered by OS X Server can be flaky. Launch Terminal.app and issue the following diagnostic command:
sudo changeip -checkhostname
It's common for folks to skip DNS setup or to reference ISP DNS services, which usually gets them in trouble, and have a much larger project fixing DNS-level errors.
OS X 10.8.4 should have php 5.3.15 and PostgreSQL 9.2.1, the versions of both appear to exceed the Moodle minimum requirements of 5.3.3 and 8.3, respectively. To verify the php version, use the usual "<?php phpinfo() ?>" script. For PostgreSQL, the brute-force command-line version check is "psql --version" command.
Put another way, I'm not sure why you're considering upgrading components — which can be problematic — if you're already running OS X Server 10.8.4 as implied by the footers of your posting.
Have a backup before starting the installation, as mistakes happen and having a backup of the whole disk means a faster recovery and an easier ability to start anew. -
Hello Genius
Once a while we have a issue, I am just new to the servers. If anybody has a answer for it ? We do have two TS, TS1 and TS2,
Issue is below
The
Remoter computer xxxxxx that you are trying to connect it is re directing to the terminalserver2.domain.com. RDP can not verify that the two remote computer belongs to same farm. This can occur if their is another computer has the same name or so.
Anybody has issues with it in past?
ThanksHi Jaspreet,
Thank you for posting in Windows Server Forum.
What’s your RDS server OS version?
Initially please try to clean the DNS cache of the involved user by the following command-line:
Ipconfig /flushdns and check whether issue get resolved.
If persists, please try to re-check all the settings on both RDS servers, connection broker and DNS server.(That is, try to recheck DNS RR setting and if want then rebuild the DNS entries, re-type the FQDN of farm name in RDSH configuration and check certificate
name and re-load the certificate and so on.) Please remember when you configure the terminal servers to use the broker you have to specify a farm name. It has to be the same for all the servers in the same "group".
Kindly check beneath article for setting.
Configure an RD Session Host Server to Join a Farm in RD Connection Broker
http://technet.microsoft.com/en-in/library/cc771383.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
ACE : Stickyness problem with http cookies
Hi,
I am facing a serious problem with stickyness in a e-commerce configuration.
Here is the setup :
An ACE load balance user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via http on port 80
On the Home page, there is a link to allowing the user to login
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP acess and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 441)
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTP
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTPS
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
inservice
rserver HQCHECOM02 80
inservice
serverfarm host ECOM_FARM_TEST_HTTPS
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 443
inservice
rserver HQCHECOM02 443
inservice
The problem :
Let analyse the sequence of events and the value of the http cookie for each of them :
When the the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is sticked to SERVER-1
Then, the user tries to login and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received) !!
The ACE sees the cookie "B" but does not find it in its database for the sticky group ECOM_STICKY_TEST_HTTP
The ACE perform another load balancing decision and selects SERVER-2 ! (instead of SERVER-1)
The page is reloaded, but the name of the user does not appear on it
The question :
As it is not possible to have only one sticky group in this configuration what would be the solution to make sure that the same server is selected for http and https ?
Thank you for any hints,
YvesHi Gilles,
I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load balanced to the second server when returning from HTTPS to HTTP :
It seems that the ACE ignores the static entries !
To make my question clear, I repeat hereafter the setup and the encountered problem :
Here is the setup :
An ACE load balance user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via http on port 80
On the Home page, there is a link to allowing the user to login
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP acess and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 443)
In the ECOM_STICKY_TEST_HTTP stick group the two following cookies are automatically generated :
R105816849 for the server HQCHECOM01
R105852786 for the server HQCHECOM02
In the ECOM_STICKY_TEST_HTTPS stick group the two following cookies are automatically generated :
R355972695 for the server HQCHECOM01
R357158616 for the server HQCHECOM02
I statically configured in the each sticky group the cookies used by the other sticky group, to allow stickiness when the browser switches from HTTP to HTTPS and vice versa :
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
56 static cookie-value "R355972695" rserver HQCHECOM01
64 static cookie-value "R357158616" rserver HQCHECOM02
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
72 static cookie-value "R105816849" rserver HQCHECOM01
80 static cookie-value "R105852786" rserver HQCHECOM02
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
inservice
rserver HQCHECOM02 80
inservice
serverfarm host ECOM_FARM_TEST_HTTPS
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 443
inservice
rserver HQCHECOM02 443
inservice
The problem :
Let analyse the sequence of events and the value of the http cookie for each of them :
When the the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is sticked to SERVER-1
Then, the user tries to login and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received)
The ACE sees the cookie "B" and should use the static cookie entry to select the SERVER-1
But instead, the ACE perform another load balancing decision and selects SERVER-2 !
The page is reloaded, but the name of the user does not appear on it
LiveHTTP Trace on Firefox :
GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105816849; path=/
Date: Mon, 18 Oct 2010 15:31:37 GMT
Server: Apache/2.2.13 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: image/jpeg
Here we switch on HTTPS :
https://ecom.test.toto.com/uk/en/j_spring_security_check
POST /uk/en/j_spring_security_check HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
spring-security-redirect=&j_username=yves144%40yahoo.com&j_password=junon01
Here we see cookie for the same server but for the HTTPS sticky group :
HTTP/1.1 302 Moved Temporarily
Set-Cookie: STICKED-TO=R355972695; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:39 GMT
Server: Apache/2.2.13 (Red Hat)
Location: http://ecom.test.toto.com/uk/en/home
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
Here we switch back to HTTP :
http://ecom.test.toto.com/uk/en/home
GET /uk/en/home HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Here we see that the second server has been wrongly selected !
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-GB
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
http://ecom.test.toto.com/ecom/medias/sys_master/8796174057502/uk.gif
GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Content-Length: 382
Connection: close
Content-Type: image/gif
Hypothesis :
It seems that the static entries are not considered by the ACE... -
ACE 4710 Can not confirm http cookie sticky connections
We are using a ACE 4710 with A3(2.6) software release.
I had to change our sticky load balancing method for HTTPS to cookie based.
However while connections appear to work if I look at the sho sticky database table I can not see or confirm sticky entries for the cookie based connections.
Here or config snippets to show the config
sticky http-cookie ghh-www scook-ghh
cookie insert browser-expire
serverfarm ghh-www-443
class-map match-all ghh-www-443_CLASS
2 match virtual-address 172.16.1.21 tcp eq https
class-map type http loadbalance match-any ghh-www-443_CLASSURL
2 match http url [.]*
policy-map type loadbalance first-match ghh-sticky-443_POLICY
class class-default
sticky-serverfarm scook-ghh
policy-map multi-match POLICY
class ghh-www-443_CLASS
loadbalance vip inservice
loadbalance policy ghh-sticky-443_POLICY
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAMAnother point: please check whether your servers are listening only for HTTPS traffic or also for HTTP traffic:
in the first case the ACE will have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and then re-encrypt it and send it to the server
in the second case the ACE would have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and send it out as it is unencrypted to the server
the second solution would have the benefit of being easier to configure and to require less resoucerces both on the ACE (only decryption to be performed) and on the servers (no need for SSL operations at all there) but it might be that your company or business sector have requirements for which this traffic should never flow unencrypted, in which case you would have to go for the first solution.
Here you have a config example for the first solution:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
I would not expect you to have to pay extra for importing the cert and kepair into the ace, it would be just a copy, however as Alex said that may still depend on the license agreement with the CA.
Cheers,
Francesco -
Hi,
I have an http session between Web Server farm and Application Server Farm.
After firt http request, Application Server send this pck (see file http_header.txt ).
So, I configured http cookie Stickiness with Dynamic cookie learning:
sticky http-cookie JSESSIONID Cookie-Bea-Group
cookie offset 0 length 64
timeout 70
timeout activeconns
replicate sticky
serverfarm BEA8-SFARM-3
But it doesn't work. But if web server received an answer from Application server with only one set-cookie
Set-Cookie:JSESSIONID=xxxxx
It work
if in the http header there are two set-cookie doesn't work.
I need stick the session based only on JSESSIONID cookie.
Is it possible and how?
Thanks
DinoHi Dear,
The ACE appliance/module has the dynamic cookie feature.
You then just need configure the cookie name and the box does the rest.
When static cookies are used there will only be one entry in the cookie database per real server. So, if ace-cookie is the only cookie defined and there are two servers, there will only be two entries in the sticky database, even if there are thousands of user sessions.
Dynamic cookie learning is another option for keeping the SAP session persistent. The sticky table can hold a maximum of four million dynamic entries (four million simultaneous users). The key is choosing the right cookie name.
Lets take an example of SAP sets a number of cookies for various purposes (note the ace_cookie was set by Cisco ACE using cookie insert, not SAP), but the saplb_* cookie is set by SAP specifically for load-balancers. It has the format saplb_=()[].
Here, the cookie value also helps to verify which server instance and physical node you are connected to.
The configuration process for cookie learning is similar-with a few changes in the syntax.
Example configuration:
ssticky http-cookie saplb_* ep-cookie
replicate sticky
serverfarm EP-HTTP
policy-map type loadbalance http first-match ep-policy
class class-default
sticky-serverfarm ep-cookie
In the above examples, the replicate sticky command is used so that the cookie information is replicated to the standby Cisco ACE context. With this implementation, session persistence is maintained in the event of a failover. The default timeout is one day.
The show sticky data command retrieves the active sticky entries that have been dynamically learned. The value shown is not the actual cookie value, but a function of it created by Cisco ACE.
Example configuration:
switch/SAP-Datacenter# show sticky data
sticky group : ep-cookie
type : HTTP-COOKIE
timeout : 100 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+--------------------------------+--------------+-------+
6026630525409626373 SAP-EP:50000 5983
Load Balancing Identifier
The Load Balancing Identifier used for Load balancing to Web AS Java instances has the following syntax.
saplb_=()[]
The cookie is set on path=â/â and domain=.
The same syntax applies if the identifier is used via url rewriting.
The applies only to the J2EE Engine where session stickyness on a process (JVM) level is required. The uniquely identifies a set of instances. If there are no special group definitions then the special group identifier '*' is used. This will be the case for a default installation.
The SAP Web Dispatcher checks for path prefix match and thereby determines group name. This allows to obtain from the set of dispatch cookies or to do initial load balancing for the group. The Java dispatcher receives the request and also checks for the group. The Java dispatcher then reads from the appropriate dispatch cookie or performs initial dispatch on his local nodes.
The CSS does not have the possibility to learn dynamic cookie value created on the server.
So, you can either use arrowpoint cookies which is quite simple or have your server team add a static value to the jsessionid in order to identify the server.
We can then configure the CSS to locate this static value and match it to a service.
If possible kindly rate.
Keep in touch.
Kind regards,
Sachin Garg -
ACE 4710 Redirect to Different Server Farm based on URL
I have a weblogic 11 serverfarm where i want to redirect to a different serverfarm based on the URL. I am able to do it and it appears to be working however I am having issues with the cookies. I seem to be getting logged out of our App when switching between the serverfarms. Is there any way to fix this issue? My configuration is below.
Thanks!
-Andy
Generating configuration....
crypto chaingroup WWW-PROD-CHAINGROUP
cert AddTrustExternalCARoot.crt
cert COMODOHigh-AssuranceSecureServerCA.crt
access-list allow line 8 extended permit ip any any
probe http HTTP_PROBE
port 7001
interval 10
passdetect interval 5
request method get url /login.jsp
expect status 200 299
connection term forced
probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5
receive 5
probe tcp TCP7001_PROBE
port 7005
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
rserver redirect REDIRECT-TO-HTTPS
webhost-redirection https://%h%p 301
inservice
rserver host WLS11Host1
ip address 192.168.211.250
inservice
rserver host WLS11Host2
ip address 192.168.211.14
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-TO-HTTPS
inservice
serverfarm host SPEND-FARM
probe HTTP_PROBE
rserver WLS11Host1 7001
inservice
serverfarm host WLS11FARM
probe HTTP_PROBE
rserver WLS11Host2 7001
inservice
parameter-map type http HTTP-PARM
persistence-rebalance
set secondary-cookie-start none
parameter-map type http PARSE
persistence-rebalance
set header-maxparse-length 8192
length-exceed continue
parameter-map type ssl SSL_MAP
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_WITH_AES_256_CBC_SHA
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
cookie insert browser-expire
serverfarm WLS11FARM
replicate sticky
sticky http-cookie ACE-COOKIE-SPEND SPEND_STICKY
cookie insert browser-expire
serverfarm SPEND-FARM
replicate sticky
ssl-proxy service WWW-PROD-SSLPROXY
key client_ssl.pem
cert pastar.crt
chaingroup WWW-PROD-CHAINGROUP
ssl advanced-options SSL_MAP
class-map type http loadbalance match-any HTTP-MARKETING
2 match http url /index.html
class-map type http loadbalance match-any HTTPS-SPEND
2 match http url /spend/.*
class-map type http loadbalance match-any L5
2 match http url /.*
class-map match-all WLS-7001-CLASS
2 match virtual-address 192.168.215.28 tcp eq www
class-map match-all WLS11-HTTPS-CLASS
2 match virtual-address 192.168.215.28 tcp eq https
policy-map type loadbalance first-match HTTPS
class HTTPS-SPEND
sticky-serverfarm SPEND_STICKY
insert-http x-forward header-value "%is"
class L5
sticky-serverfarm 7001_STICKY
insert-http x-forward header-value "%is"
policy-map type loadbalance first-match WLS11-7001-Policy
class HTTP-MARKETING
sticky-serverfarm 7001_STICKY
insert-http x-forward header-value "%is"
class HTTPS-SPEND
serverfarm REDIRECT-SERVERFARM
class L5
serverfarm REDIRECT-SERVERFARM
policy-map multi-match WLS11-SLB
class WLS-7001-CLASS
loadbalance vip inservice
loadbalance policy WLS11-7001-Policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
appl-parameter http advanced-options HTTP-PARM
class WLS11-HTTPS-CLASS
loadbalance vip inservice
loadbalance policy HTTPS
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
appl-parameter http advanced-options PARSE
ssl-proxy server WWW-PROD-SSLPROXY
interface vlan 1000
ip address 192.168.215.27 255.255.255.0
access-group input allow
nat-pool 1 192.168.215.28 192.168.215.28 netmask 255.255.255.255 pat
service-policy input WLS11-SLB
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.215.1
snmp-server community poweradvocaterw group Network-MonitorHi,
So when you come with " http url /index.html", you go to "sticky-serverfarm 7001_STICKY" and ACE must be inserting sticky "ACE_COOKIE-7001". Now when you get redirected because you match "HTTPS-Spend", ACE will loadbalance the request which will now come on HTTPS and insert sticky " ACE-COOKIE-SPEND". That's why i guess you see two sticky entries. Now i guess ACE will keep the connection to servers in "sticky-serverfarm SPEND_STICKY" or you see that ACE is not doing the same or you expected the ACE to send the requested to "sticky-serverfarm 7001_STICKY" even though it matches the HTTPS-Spend class-map condition?
Regards,
Kanwal -
Hi all,
I have a issue with a ACE configuration which terminate https traffic and load balance the client request to the real servers.
All working fine, with one exception. If the client requests for the URL "https://www.myservice.com/content/" the connection working perfect.
If the request are "https://www.myservice.com/content" (missing slash on the end), the real servers sending a redirect back to the client.
The redirect is "http://www.myservice.com/content/".
How can I absorb the request to get not http but https.
Any suggestions are welcome.
Regards,
ReneHi Kanwal,
I have tried your solution today without any success.
The configuration are simple, but the result are always the same.
client browser---------https--------ACE-------http---------rserver
If the client use the URL: https://this.is.a.request.com/dir/
All will working fine. But if the user us the URL: https://this.is.a.request.com/dir <-- missing slash
The server response back to the client are: http://this.is.a.request.com/dir/ <-- respond via http not https
But the ACE are not configured to response to http.
I used also your recommendation, but without any success.
I have tried the function with “ssl url rewrite” but this solution did not work.
My I am absolutely wrong with my way, but you will find the configuration below, which I have configured. Probably you have a solution for me.
Regards,
Rene
probe http PROBE-GENERIC-HTTP
description HTTP Probe for GEVER-UVEK-PR Servers
port 80
interval 20
faildetect 2
passdetect interval 25
passdetect count 2
receive 3
request method get url /iisstart.htm
expect status 200 200
rserver host SERVER-1
description uvek-s6201-235 (GEVER-UVEK-PR)
ip address 10.135.13.235
inservice
rserver host SERVER-2
description uvek-s6201-28 (GEVER-UVEK-PR)
ip address 10.135.14.28
inservice
rserver host SERVER-3
description uvek-s6202-116 (GEVER-UVEK-PR)
ip address 10.135.13.116
inservice
serverfarm host GEVER-UVEK-PR-FARM
predictor leastconns
probe PROBE-GENERIC-HTTP
rserver SERVER-1 80
inservice
rserver SERVER-2 80
inservice
rserver SERVER-3 80
parameter-map type generic GEVER-UVEK-SSLID-PARAMETER
set max-parse-length 70
parameter-map type ssl SSL_CIPHERS
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_DES_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_WITH_AES_256_CBC_SHA
sticky http-cookie ACE-UVEK-COOKIE GEVER-UVEK-PR-COOKIE
cookie insert browser-expire
serverfarm GEVER-UVEK-PR-FARM
action-list type modify http HTTP2HTTPS_REWRITE
ssl url rewrite location "this\..*"
ssl-proxy service SSL-GEVER-UVEK-FRONTEND
key gever.key
cert gever.crt
ssl advanced-options SSL_CIPHERS
class-map match-all VIP-GEVER-UVEK-PR
2 match virtual-address a.b.c.67 tcp eq https
policy-map type loadbalance http first-match GEVER-UVEK-PR-HTTP-POLICY
class ANY-CONTENT
sticky-serverfarm GEVER-UVEK-PR-COOKIE
action HTTP2HTTPS_REWRITE
policy-map multi-match CLIENT-VIPs
class VIP-GEVER-UVEK-PR
loadbalance vip inservice
loadbalance policy GEVER-UVEK-PR-HTTP-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1583
appl-parameter generic advanced-options GEVER-UVEK-SSLID-PARAMETER
ssl-proxy server SSL-GEVER-UVEK-FRONTEND
interface vlan 1583
description VLAN EVD-Prod (inside Produktion neues Segment)
ip address 10.135.14.11 255.255.254.0
alias 10.135.14.10 255.255.254.0
peer ip address 10.135.14.12 255.255.254.0
access-group input EVERYONE
nat-pool 1 10.135.15.240 10.135.15.240 netmask 255.255.255.255 pat
service-policy input REMOTE-MGMT
no shutdown
interface vlan 1584
description VLAN EVD-LB (outside)
ip address a.b.c.74 255.255.255.0
alias a.b.c.73 255.255.255.0
peer ip address a.b.c.75 255.255.255.0
access-group input EVERYONE
service-policy input CLIENT-VIPs
no shutdown
ip route 0.0.0.0 0.0.0.0 a.b.c.1 -
ACE: Different Sticky rules for different URLs
Is there a way to apply different sticky rules (or no sticky at all) depending on the URL for a given site under ACE?
The reason I want to do this is because I have an extremely common URL that chews up sticky resources when it doesn't matter if the URL is sticky. We have several thousand PC's that have a web based screen saver on them that just pull random pages to be displayed on the users' screen when the screen saver kicks in. These pages do not need to be sticky but other pages on the same farm need sticky. Is this possible?
CaseyCreate a more specific Layer 7 class map and instead of calling sticky serverfarm use serverfarm.
for example
sticky http-cookie COOKIE STATIC
cookie insert browser-expire
timeout 5
serverfarm WEBFARM
serverfarm host WEBFARM
rserver SV1 80
inservice
rserver SV2 80
inservice
class-map match-any APP1-VIP
2 match virtual-address 10.86.178.160 tcp eq http
class-map type http loadbalance match-all Condition1
2 match http url .*
3 match http header Host header-value 172.16.31.*
4 match http header User-Agent header-value .*MSIE.*
class-map type http loadbalance match-all Condition2
2 match http url .*
policy-map type loadbalance first-match L7_COOKIE_STATIC
class Condition2
sticky-serverfarm STATIC
class Condition1
serverfarm WEBFARM
policy-map multi-match CLIENT_VIPS
class APP1-VIP
loadbalance vip inservice
loadbalance policy L7_COOKIE_STATIC
loadbalance vip icmp-reply active
loadbalance vip advertise active
Syed -
How to properly load balance between diffrent server farms.
Hi experts,
We are using an ACE 4710. We chose for our server farms to load balance using the least_connections predictor. it seems to work fine inside the same server farm but is it working properly between server farms? It doesn't seem because some of my real servers seems to be more loaded than others. Each server farm are using the same real servers.
Any idea about what is the problem or any suggestion regarding the best load balancing predictor we should use using this kind of configuration?
Thank's to all.The ACE uses load-balancing algorithms or predictors to determine how to balance the traffic among the devices configured in the server farms, independent of the device type. For FWLB, we recommend that you use only the hash address source and the hash address destination predictors. Using any other predictor with FWLB may fail and block traffic, especially for applications that have separate control and data channels.
Here is the configuration guide for the Cisco ACE 4700 Series Appliance Server Load-Balancing.
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/slb/guide/fwldbal.html -
ACE 4710 and load balancing with sticky cookie
Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers. I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall. The ACE is in bridged mode to load balance web servers that reside in the DMZ. Everything seems to work just fine, but the cookie stickiness does not seem to be working.
Hi David,
As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key.This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
When using cookie-insert, the ACE will not create any dynamic cookie entries. It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value. So what you see there is what is expected.
You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie. The cookie is included in the server's response, and the ACE will look for the value as configured. The cookie will also be sent to the client. If the cookie is not in the server's first response, you will need enable persistence-rebalance so that it will look in subsequent server responses. If the browser opens new connections with that cookie, then the ACE will stick to the same server.
My suggestion would be to get sticky working with cookie-insert first. Then if that meets your needs, go with that permanently. If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
Sean
Maybe you are looking for
-
In a recent update, either FF or something internal at MS. (I am pretty sure it was the latest FF last week) All of our boxes can no longer access lists/libraries in SharePoint 2013 (o365). Every single machine, different computers, different compani
-
Multiple invoice with one Debit note
Dear Experts, Is it possible to create one single debit note with multiple invoices. If yes how. Thanks Shri..
-
Move library to save during reinstall
My son has an older ipod. He upgraded to whatever the itunes is now...7xx. The sync freezes. The ipod itself has been reset, so there is nothing on it. How do I move/save his library on his PC (and move it back again) so that I don't lose it when I u
-
Spinning Beach Ball of Death - Help!
Bought a mid-2009 MBP on Craigslist. Looks fine but...I get the SBBOD every five seconds! I replaced the RAM, replaced the HD and did a fresh install of OSX. What's the (likely/possible) problemo?? What should I test, replace, etc? Thanks!
-
The hinge section of my smart cover has separated from the leather portion. Anyone know of an easy home repair? Nothing damaged and just separated...