Configuring cookie based sticky on ACE
I have an ACE and I am trying to set up stickiness based on HTTP cookies. My objective is to stick a client to one of the real servers in the server farm until the cookie expires. I am using the same COOKIE name for all three servers but using different values that are unique to each server. On testing I discovered that each client request, when stuck to the same real server, always uses the same sticky database entry, and a browser refresh updates the same entry... what am I doing wrong?
My config is as follows:
context Admin
  member STICKY
access-list ALL line 8 extended permit ip any any
rserver host SERVER1
  description content server 1
  ip address 134.178.51.17
  inservice
rserver host SERVER2
  description content server 2
  ip address 134.178.51.18
  inservice
rserver host SERVER3
  description content server 3
  ip address 134.178.51.19
  inservice
serverfarm host SFARM1
  predictor leastconns
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
  rserver SERVER3
    inservice
sticky http-cookie MYCOOKIE STICKYGroup
  timeout 4
  serverfarm SFARM1
class-map type http loadbalance match-any L7CLASS6
  2 match http cookie MYCOOKIE cookie-value "123456"
  3 match http cookie MYCOOKIE cookie-value "56789"
policy-map type loadbalance first-match L7POLICY6
  class L7CLASS6
    sticky-serverfarm STICKYGroup
  class class-default
    serverfarm SFARM1
class-map match-all V1L4VIPCLASS
  2 match virtual-address 134.178.51.10 tcp eq www
policy-map multi-match V1L4SLBPOLICY
  class V1L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy L7POLICY6
Cookie values are learned dynamically by ACE and sticky entries are created. So you do not need to match cookie values.
With Sticky group configuration you tell ACE which Cookie-name to look for in the HTTP traffic passing through ACE.
So the following should be sufficient:
sticky http-cookie MYCOOKIE STICKYGroup
  timeout 4
  serverfarm SFARM1
policy-map type loadbalance first-match L7POLICY6
  class class-default
    sticky-serverfarm STICKYGroup
Let's assume your Server1 is setting cookie value 123456 by using "SET-Cookie:MYCOOKIE=123456" & Server2 is sending "SET-Cookie:MYCOOKIE=56789"; the flow will be as follows:
1. If a new client hits the VIP on ACE with no cookie set, then ACE will select a Server from the server farm as per the LB algo and forward the HTTP request to the selected server. Let's suppose ACE selects Server1.
3. Server1 will send "SET-Cookie:MYCOOKIE=123456" in the HTTP response to the client.
4. ACE on getting this response from Server1 will dynamically learn that Server1 is setting up cookie value 123456 and will create a sticky entry in the database.
(Due to this sticky db entry any subsequent http requests with "Cookie:MYCOOKIE=123456" will be directly forwarded to Server1.)
5. This sticky entry in ACE sticky DB will only time out if "timeout in minutes" configured under sticky group elapses and no active conns are using this entry. With every new http request matching the sticky entry this timeout is initialized.
6. If a new client comes with no cookie set in the HTTP request, then ACE will select a server using LB logic and will learn the cookie value & will create the appropriate sticky entry.
7. If a client sends a request with cookie value present, then ACE will simply look into the sticky db and forward the request to the appropriate server.
HTH
Syed Iftekhar Ahmed
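The flow described in the answer above, as an added example that is not part of the original posts and is not ACE code: a small Python model of a sticky table keyed by the learned cookie value. The class and method names are hypothetical, round-robin stands in for the configured predictor, and the "no active conns" condition on expiry is not modelled.

```python
# Added illustration: dynamically learned cookie stickiness, modelled in Python.
# StickyGroup, route() and learn() are hypothetical names, not ACE internals.
from http.cookies import SimpleCookie
from itertools import cycle


class StickyGroup:
    def __init__(self, cookie_name, rservers, timeout_min):
        self.cookie_name = cookie_name
        self.timeout = timeout_min * 60          # "timeout 4" is in minutes
        self._predictor = cycle(rservers)        # stand-in for the LB algorithm
        self.db = {}                             # cookie value -> [rserver, expiry]

    def _cookie_value(self, header):
        """Extract this group's cookie from a Cookie or Set-Cookie header value."""
        jar = SimpleCookie()
        jar.load(header or "")
        morsel = jar.get(self.cookie_name)
        return morsel.value if morsel is not None else None

    def route(self, cookie_header, now):
        """Pick the real server for a request arriving at time `now` (seconds)."""
        value = self._cookie_value(cookie_header)
        entry = self.db.get(value)
        if entry is not None and entry[1] > now:
            entry[1] = now + self.timeout        # every matching request resets the timer
            return entry[0]
        self.db.pop(value, None)                 # drop an expired entry, if any
        return next(self._predictor)             # no usable entry: load-balance

    def learn(self, rserver, set_cookie_header, now):
        """Record the cookie value a real server set in its response."""
        value = self._cookie_value(set_cookie_header)
        if value is not None:
            self.db[value] = [rserver, now + self.timeout]


def demo():
    """Constructed traffic: three clients, two learned cookie values."""
    grp = StickyGroup("MYCOOKIE", ["SERVER1", "SERVER2", "SERVER3"], timeout_min=4)
    out = []
    # Client A, no cookie: load-balanced, then the server's value is learned.
    a = grp.route(None, now=0)
    grp.learn(a, "MYCOOKIE=123456; Path=/", now=0)
    # Client B, no cookie: goes to the next server, which sets its own value.
    b = grp.route(None, now=10)
    grp.learn(b, "MYCOOKIE=56789", now=10)
    out += [a, b]
    # Client A returns, and client C presents the same value: both hit the
    # single entry for "123456", so the table does not grow per client.
    out.append(grp.route("MYCOOKIE=123456", now=60))
    out.append(grp.route("other=1; MYCOOKIE=123456", now=100))
    out.append(len(grp.db))
    # 240 s after the last matching request the entry has aged out.
    out.append(grp.route("MYCOOKIE=123456", now=341))
    out.append(len(grp.db))
    return out


if __name__ == "__main__":
    print(demo())
```

Because the table is keyed by cookie value rather than by client, every client holding the value a given server sets shares one entry, which is the behaviour the question describes.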
Similar Messages
-
Needing to setup cookie based stickiness for the oracle guys. We have two 6513s with CSM software version 3.1(4). I read a few of the Cisco docs to try and figure this out myself but what I configured is not working.
Here is what the oracle guys want. If user is on Server 10.10.103.14 and Server 10.10.103.14 goes down the load balancers currently switches to Server 10.10.103.15. If server A comes back up the user is currently switched back to Server 10.10.103.14 and the session is lost. The Oracle guys want the user to stick on Server 10.10.103.15 until the session is completed.
What is the best way to accomplish this using cookies and can you provide some config examples. Below is what my current config looks like.
serverfarm ORACLEAPPFARM3
  nat server
  no nat client
  predictor hash address source
  failaction purge
  real 10.10.103.14
    inservice
  real 10.10.103.15
    inservice
  health retries 2 failed 2
  probe ORACLEICMPPROBE
sticky 3 cookie CookieAPPFARM3 insert
policy POLICYAPPFARM3
  sticky-group 3
  serverfarm ORACLEAPPFARM3
vserver ORACLEVIRTUAL3
  virtual 10.0.103.22 any
  serverfarm ORACLEAPPFARM3
  replicate csrp connection
  persistent rebalance
  slb-policy POLICYAPPFARM3
  inservice
cookie insert was introduced in version 4.1.
So it is most probably not doing much with your 3.1 version.
http://www.cisco.com/en/US/products/hw/modules/ps2706/prod_bulletin09186a00802072b0.html
If you do not want to upgrade, you can do sticky based on source ip.
Replace your sticky 3 cookie command with a 'sticky 3 netmask /32 timeout 600'
Also, if you do stickiness you should change your predictor command to 'predictor leastconn' or 'predictor roundrobin'.
Regards,
Gilles. -
If 3 real servers in a non-load-balancing environment are setting session cookies with different cookie names, e.g.
server1 response
set-Cookie: SESSIDSAAAAAA=DMNNNELCECNCKDIIDCPOIMGG
Server2 response
set-Cookie: SESSIDSBBBBBB=DAAMMNELCECNCKPYTWPOIPOP
Server3 response
set-Cookie: SESSIDSCCCCCC=POHYTUOIPOPPLKJHTERIQOKJ
then how can CSM be configured with cookie based stickiness?
I tried cookie insert on CSM with NULL value assigned to "COOKIE_INSERT_EXPIRATION_DATE".
It resulted in two set cookie responses (one from server and one from CSM).
I am wondering how CSM will react (cookie insert is used) if the client request carries two cookie name-value pairs.
Clients are behind a megaproxy so cookie based stickiness is needed.
Thanks
If you look into an HTTP client request you will see that many times there is more than 1 cookie.
The most important thing is to make sure the CSM inserts a cookie with a different name.
Create your own name.
The client will receive both the CSM cookie and the server cookie and will send both when opening a new connection.
The CSM is able to locate its own cookie in the list and do the stickiness.
Gilles. -
Hi,
I'm trying to configure a cookie-based slb method which corresponds to my current CSS11503 configuration. Basically, my CSS performs slb purely based on the content of the arrowpoint-cookie, using the following config:
advanced-balance arrowpoint-cookie
arrowpoint-cookie name WPS6
The cookie contains the real ip of the underlying webserver and the CSS forwards traffic based on that particular content of the cookie. Whenever we need to do an unscheduled shutdown of a webserver, we gracefully take the webserver out of service by setting the weight to 0, but also, my web department have implemented a feature in Websphere that somehow sends a cookie-expire to both the SESSIONID cookie and the WPS6 cookie. So once the subsequent http-req hits the CSS, the cookie is gone and the CSS lb'es the req to a different server. We've intentionally left out the sticky option, as it didn't work well with the before mentioned Websphere feature.
Now I'm trying to configure something similar on the ACE, but so far without luck. I did start by configuring a sticky-group with the cookie-insert option and an http parameter-map with persistence-rebalance. But all attempts to recreate the above mentioned scenario have failed. It seems that even with persistence-rebalance, the client session is still stuck to the webserver and a display of the sticky database shows that the sticky entry persists. Even when I manually delete the cookie container on the client and verify with the Live-HTTP plugin that the subsequent http-req does not contain the WPS6 cookie, the req is still forwarded to the realserver. Even when the real server is placed in 'inservice standby'.
Is it possible to statically define a cookie value for, say, 4 webservers, each with their own unique cookie? And when the initial part of the tcp is completed and the ACE decides which realserver is to be used, it sets a cookie containing that particular value and includes it in the http-response. So if any subsequent http-reqs do not contain that cookie, the ACE rebalances that req and sends it to a different webserver.
/Ulrich
PS! Merry X-mas
Ulrich,
what you're asking for is what ACE does currently.
The static cookies are created at configuration time.
You can see the values with "show sticky cookie-insert"
ie:
switch/Admin# show sticky cookie-insert group portalap
Cookie | HashKey | rserver-instance
------------+----------------------+----------------------------------------+
R4181073320 | 11105909834649097754 | vmware-http/vmware-27:80
R4181109257 | 10017312105356339124 | vmware-http/vmware-28:80
R4183409225 | 15537882249682767338 | vmware-http/vmware-46:80
R4183517036 | 1787657754489574767 | vmware-http/vmware-49:80
Whenever we see the cookie "R...." we check if the associated server is alive and forward the connection to that server.
Otherwise we loadbalance to a new server and include the new cookie in the response.
For established connections, persistence rebalance is indeed required to inspect every request and rebalance the connection to a new server if a new cookie is detected. However ACE will try not to rebalance when not needed.
If you need a new loadbalancing decision each time, you need 'persistence rebalance strict'.
An alternative could be the configuration of 'failaction purge' to force the connection to be terminated when the server goes down.
'inservice standby' is described @ http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1000333
• Tears down existing non-TCP connections to the server
• Allows current TCP connections to complete
• Allows new sticky connections for existing server connections that match entries in the sticky database
• Load balances all new connections (other than the matching sticky connections mentioned above) to the other servers in the server farm
• Eventually takes the server out of service
As you can see, this option still allows connection to the server if it matches a sticky entry.
Gilles. -
Hi:
I have the following configuration. Although the users can hit the web server, the stickiness doesn't work.
sticky http-cookie TEST1 TEST1
  timeout 300
  replicate sticky
  serverfarm PROXY
policy-map type loadbalance first-match L7_TEMPORAL
  class HTTP-TEMPORAL
    sticky-serverfarm TEST1
policy-map multi-match L4-VIP-LB-Policy
  class VIP-TEMPORAL
    loadbalance policy L7_TEMPORAL
Raul
Not sure if you already did that, but to make stickiness work you need to assign resources for stickiness per context. Have a look at the link.
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686ebf.html#wp1051078
"sticky http-cookie TEST1 TEST1" says the ACE is looking for a cookie named "TEST1" in the http header, so you should make sure that cookie exists. Otherwise add a "cookie insert" and the ACE should then insert a cookie named "TEST1".
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686ebf.html#wp1015713
[quote]
The name argument in the sticky command specifies the cookie name that appears in the HTTP header. The name argument in the cookie secondary command specifies the cookie name that appears in the URL.
[/quote]
Roble -
Unable to configure Request based provisioning in OIM 9.1.0.1
Hi,
I have been trying to configure request based provisioning wherein Admin can request to provision a resource for a certain user. I have checked on the Auto Prepopulate and Auto Save options in the Process Definition. The problem which I am facing is that if I uncheck the Auto save option, admin's request is completed properly and an Approval request is generated. If the admin approves it, the resource status is set to Provisioning. Inside the resource object, there's only one task System Validation with status completed. The process form is empty if I view it. But if i go to edit i can see the fields being populated. After saving the form, i can see the data in the "View" option too. After this, I am able to add a task "Create User" and provision the user to Active Directory.
But if i check the Auto Save option in the Process definition, the request is completed but no approval task is generated. There is nothing in the User's resource profile as well.
What could be the reason for this and what could be a probable solution in such a scenario? I seek all your help in order to resolve this issue.
I have configured the approval tasks and the provisioning is working fine. The error which I am facing now is with the 2nd level approver. I want the first level approver to be the requestor's manager, which is working fine. But when I am trying to fetch the Manager details of the requestor's manager (Requestor->Manager->Manager), I am facing the below error.
Running GETSECONDLEVELAPPROVERTYPEUSER
2012-10-31 13:20:28,956 INFO [STDOUT] Target Class = com.pldt.adapter.ad.TaskAssignment
2012-10-31 13:20:28,957 INFO [STDOUT] Running GETSECONDLEVELAPPROVERKEY
2012-10-31 13:20:28,957 INFO [STDOUT] Target Class = com.pldt.adapter.ad.TaskAssignment
2012-10-31 13:20:28,957 INFO [STDOUT] ***************************Inside getSecondLevelApprover***************
2012-10-31 13:20:28,974 INFO [STDOUT] **************************usrKey**********1
2012-10-31 13:20:29,039 INFO [STDOUT] *****************ResultSet1***********Thor.API.tcMetaDataSet@5b895cb9
2012-10-31 13:20:29,080 INFO [STDOUT] *****************ResultSet2***********Thor.API.tcMetaDataSet@68d6c6eb
2012-10-31 13:20:29,080 ERROR [STDERR] java.lang.ClassCastException: java.lang.Long cannot be cast to java.lang.String
2012-10-31 13:20:29,081 ERROR [STDERR] at com.thortech.xl.adapterfactory.events.tcAdpEvent.setKeyValue(Unknown Source)
2012-10-31 13:20:29,081 ERROR [STDERR] at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpGETSECONDLEVELAPPROVER.implementation(adpGETSECONDLEVELAPPROVER.java:56)
2012-10-31 13:20:29,081 ERROR [STDERR] at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
2012-10-31 13:20:29,081 ERROR [STDERR] at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
2012-10-31 13:20:29,081 ERROR [STDERR] at com.thortech.xl.dataobj.tcScheduleItem.handleTaskAssignPostInsert(Unknown Source)
2012-10-31 13:20:29,081 ERROR [STDERR] at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
2012-10-31 13:20:29,082 ERROR [STDERR] at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
I am passing the user key of the manager to fetch his manager's data. Please suggest a resolution for this. -
We set up a SP 2010 site with several document libraries. Library A works fine only when I click on column default value settings I get the following error message:
"configuring column based defaults is only allowed in document library lists"
This list is a normal document library and all other settings work fine. If I create a new document library or go to the settings of document library B I don't see this problem and the feature works fine.
How can I solve this problem within this library since I cannot delete the library and replace it by a new one.
Thanks.
library settings page of this library:
Hi,
According to your post, my understanding is that when you clicked on column default value settings you got the error message.
What are the column types in the library?
It seems that some column types don't support default value settings.
I recommend creating a new library with the same columns to check whether you can set default values.
If so and the error message persists, please check the SharePoint ULS log to find more information about this error. The ULS log file is in the location: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS
You can check the ULS log by the methods here:
http://blogs.msdn.com/b/opal/archive/2009/12/22/uls-viewer-for-sharepoint-2010-troubleshooting.aspx
Best Regards,
Linda Li
TechNet Community Support -
Configuring Delivery Based Billing-Make to order
Hi Team,
I am configuring the Delivery based billing process.
I have created the SO and the Delivery document.
However, when I try to do Post Goods Issue in the Delivery document I get the following error.
1. The storage location is not defined for delivery item 000010
Can you please help.
Regards,
Rajneesh
Hi,
Check whether the storage location exists in the picking tab. If not, enter it manually.
Also check the stock of the material under the particular storage location using transaction MMBE.
You can also default storage location in customizing- under-
LE-Shipping-Picking-Determine picking location-Assign picking location
Also go through - below link - for business process- config details
http://help.sap.com/bp_bl604/BL_US/html/index.htm
Thanks
Chidambaram -
Hi,
I'm using Webcache 10.1.2 as load balancer for Forms 9.0.4 applications. I am confused about two documents in Metalink, Note 229900.1 and Note 268830.1. While the former says the "OC4J-based" option with JSESSIONID is used for Forms applications, the latter recommends using the "Any Set Cookie" option with Cookie-based for Forms applications.
Any idea?
Hi,
looks as if the latter is a workaround for what is described in bug 3309696, that this is an integration issue. Forms uses jsession and there is no need for a cookie to be set. However, due to a bug in OC4J this seemed to be required.
In order for web cache to stick to a given OHS, OHS must set a cookie with the
client. (That's what web cache uses to bind the session). By default forms uses
a cookie in the URL for session and does not set a cookie using HTTP. With the
cookie in the URL web cache does not see it and does not bind to a server
causing it to balance all requests and break forms.
Frank. -
How to configure RSA Based User Authentication on XR?
Hello,
I have been reading Cisco docs about how to configure RSA Based User Authentication on a ASR9K.
http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/security/configuration/guide/b_syssec_cg42asr9k/b_syssec_cg42asr9k_chapter_0110.pdf
I have problems importing the public key to the router. No matter how i try i always get this output:
RP/0/RSP1/CPU0:XXX#crypto key import authentication rsa tftp://10.232.201.180/id_rsa.pub
Wed Jul 16 14:00:15.558
Cannot execute the command : Invalid argument
I have tried copying the file to Disk0: and using this path but get the same error.
Could anyone help me explaining step by step how to configure RSA Based User Authentication.
Thanks
Hi
1. Generate a key on your station
ssh-keygen -t rsa -b 1024
2. Remove the key type and host, leaving only key and decrypt it using base64:
cut -f2 -d' ' id_rsa.pub | base64 -d > id_rsa2.pub
3. Import the key to the device
(admin)#crypto key import authentication rsa username USERTEST ftp://xxxr/ak/id_rsa2.pub
4. Create a username on the device matching the imported key
username USERTEST
group root-system
Regards,
/A -
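What step 2 of the answer above produces, as an added example that is not part of the original post: base64-decoding the middle field of an OpenSSH `ssh-rsa` public key line yields a binary blob of length-prefixed fields (key type, public exponent, modulus). The Python below parses that blob so the key type and modulus size can be checked before the file is imported; the function names are hypothetical and the sample key is constructed in the code, not a real key.

```python
# Added illustration: inspect the blob that `cut -f2 -d' ' | base64 -d` writes.
# Function names are hypothetical; the sample key below is constructed.
import base64
import struct


def _read_field(blob, offset):
    """Read one uint32-length-prefixed field; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of blob")
    return blob[start:end], end


def inspect_pubkey_line(line):
    """Parse '<type> <base64> [comment]' and describe the decoded RSA blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)   # same bytes as step 2
    name, off = _read_field(blob, 0)
    if key_type != "ssh-rsa" or name != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e_bytes, off = _read_field(blob, off)
    n_bytes, off = _read_field(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    modulus = int.from_bytes(n_bytes, "big")
    return {
        "type": key_type,
        "exponent": int.from_bytes(e_bytes, "big"),
        "modulus_bits": modulus.bit_length(),
        "blob": blob,
    }


def _field(raw):
    return struct.pack(">I", len(raw)) + raw


def _mpint(value):
    # The extra leading byte keeps the number positive when its top bit is set.
    return _field(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_sample_line():
    """Constructed 1024-bit placeholder modulus; structurally valid, not a real key."""
    modulus = (1 << 1023) | 1
    blob = _field(b"ssh-rsa") + _mpint(65537) + _mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " user@station"


if __name__ == "__main__":
    info = inspect_pubkey_line(build_sample_line())
    print(info["type"], info["exponent"], info["modulus_bits"], len(info["blob"]))
```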
Hi,
We need persistency (or sticky load balancing) based on MSISDN and destination ip&port pairs.
My content configuration shown below:
owner WEBLOGIC
content weblogic
add service msisdn-9001-1
add service msisdn-9001-2
add service msisdn-9001-3
add service msisdn-9002-1
add service msisdn-9002-2
add service msisdn-9002-3
url "/*"
advanced-balance wap-msisdn
protocol tcp
port 9003
vip address 10.200.148.15
active
As a service, there are 3 servers (of course 3 IPs), but each server has 2 instances (port 9001 and 9002).
Here is the service configuration:
service msisdn-9001-1
ip address 10.200.148.20
protocol tcp
port 9001
keepalive type tcp
keepalive port 9001
active
service msisdn-9001-2
ip address 10.200.148.21
protocol tcp
port 9001
keepalive type tcp
keepalive port 9001
active
service msisdn-9001-3
ip address 10.200.148.60
protocol tcp
port 9001
keepalive type tcp
keepalive port 9001
active
service msisdn-9002-1
ip address 10.200.148.20
protocol tcp
port 9002
keepalive type tcp
keepalive port 9002
active
service msisdn-9002-2
ip address 10.200.148.21
protocol tcp
port 9002
keepalive type tcp
keepalive port 9002
active
service msisdn-9002-3
protocol tcp
port 9002
keepalive type tcp
keepalive port 9002
ip address 10.200.148.60
active
But I didn't achieve that an incoming MSISDN always goes to the same service.
Please confirm that you want to configure stickiness based on both the MSISDN header and the destination ip/port. What you can try to do in this case is set up separate content rules based on the destination port and use the 'advanced-balance wap-msisdn' in conjunction with the content rule based on the destination port.
-
Breakdown of 'show sticky database' - ACE
I need assistance to interpret the show sticky database response. What does the sticky entry value resolve to?
I have set the stickiness on source and destination addresses. Is it possible to identify from show sticky database which is the source IP for the sticky entry in the display?
No.
Client in this command is the actual client.
For example, the following command shows that ACE has a sticky entry for client "x.x.x.x"
and this client is stuck to real server "Rserver2" due to sticky group "STICKY-GP1" and this sticky entry will remain in the sticky DB for 585 more seconds (if the connection remains idle).
switch/ACE# show sticky database client x.x.x.x
sticky group : STICKY-GP1
type : IP
timeout : 10
timeout-activeconns : FALSE
sticky-entry rserver-ints time-to-exp
---------------+--------------+------
2702367184 rserver2:8888 585
Syed -
Priority based Rserver activation - ACE Load Balancing
Hi,
I know certain load balancers which have priority based pool member activation for e.g. the server farm has two rservers. And all the traffic is sent to Rserver1, even though Rserver2 is live.
The traffic is forwarded to Rserver2 only when Rserver1 is down.
Is this possible with Cisco ACE ?
Thanks.
Hi,
in the example above, when R1 fails, R2 takes over. From the moment R1 becomes alive again, R2 goes again into standby state, so all traffic is sent again to R1.
If R2 fails, nothing will happen because it was in standby state.
HTH,
Dario -
Configure Keystore-Based Security on BPEL 11g Service
Hi,
I've been exploring OWSM, but haven't found a guide to attach a JKS keystore-based security to a BPEL service. I'm looking for information like attaching a keystore to weblogic, and configuring SOA services to interact via this security mechanism.
Thanks in advance,
Doesn't help.
That is basically telling me how to create, import, export, etc. keystores which I already know and have in place.
The menu structure given in the doc doesn't match what I have.
I have no place in that menu to store a keystore. Here's what I have:
soa-infra -> Security - gives me Application Policies & Application Roles. No keystore options.
I have a BPEL composite deployment under soa-infra that calls a secure webservice.
I can call the service manually (from a browser) on this server, so I know I'm not getting blocked by anything.
When I try to make the call from the BPEL service, I get this error:
oracle.fabric.common.FabricInvocationException: Unable to access the following endpoint(s): https://www....
Caused by: javax.xml.ws.WebServiceException: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I guessed this was something to do with the keystore.
If it's not then what is causing it? -
Configure DPS based on Etime or for unindexed searches
Hi all,
can anyone help me how to configure Proxy server, in order to route traffic based on etime & also for unindexed searches (Notes=U). I am doing sample tests using connection handlers but no luck.
For ex;
I have created 2 data views & want all the searches whose etime is more to go to data view 1 & all the unindexed searches go to dataview 2.
I really appreciate if anyone can guide me how to do the configuration for this task.
Thanks
uday453_108
Chris,
I was going through some documents & found this in the appendix of DPS & trying all sorts to figure out how we can do this. (Please see the link below: trawling of LDAP directory)
http://docs.sun.com/source/817-7615/AppFaq.html
"Directory Proxy Server can also be configured to deny un-indexed searches. Un-indexed searches are inefficient and can possibly have a negative impact in performance."
So I am curious to know how this can be done & if there's a method, I would really like to implement it in the DEV env & see how it works. You told me that servers may crash, but still I just want to configure it if there's a way to do it. Do you have any custom scripts which perform these kinds of tasks???
Let me know..
Thank you for your support.
Uday453_108