Configuring cookie based sticky on ACE

Similar Messages

• Configure Cookie Stickiness

  Needing to setup cookie based stickiness for the oracle guys. We have two 6513’s with CSM software version 3.1(4). I read a few of the Cisco docs to try and figure this out myself but what I configured is not working.
  Here is what the oracle guys want. If user is on Server 10.10.103.14 and Server 10.10.103.14 goes down the load balancers currently switches to Server 10.10.103.15. If server A comes back up the user is currently switched back to Server 10.10.103.14 and the session is lost. The Oracle guys want the user to stick on Server 10.10.103.15 until the session is completed.
  What is the best way to accomplish this using cookies and can you provide some config examples. Below is what my current config looks like.
  serverfarm ORACLEAPPFARM3
  nat server
  no nat client
  predictor hash address source
  failaction purge
  real 10.10.103.14
  inservice
  real 10.10.103.15
  inservice
  health retries 2 failed 2
  probe ORACLEICMPPROBE
  sticky 3 cookie CookieAPPFARM3 insert
  policy POLICYAPPFARM3
  sticky-group 3
  serverfarm ORACLEAPPFARM3
  vserver ORACLEVIRTUAL3
  virtual 10.0.103.22 any
  serverfarm ORACLEAPPFARM3
  replicate csrp connection
  persistent rebalance
  slb-policy POLICYAPPFARM3
  inservice

  cookie insert was introduced in version 4.1.
  So it is most probably not doing much with your 3.1 version.
  http://www.cisco.com/en/US/products/hw/modules/ps2706/prod_bulletin09186a00802072b0.html
  If you do not want to upgrade, you can do sticky based on source ip.
  Replace your sticky 3 cookie command with a 'sticky 3 netmask /32 timeout 600'
  Also, if you do stickyness you should change your predictor command to 'predictor leastconn' or 'predicot roundrobin'.
  Regards,
  Gilles.

• Cookie based Load Balancing

  If 3 Real servers in a non-load balancing environmet are setting session cookies with diffrenet cookie names e.g.
  server1 response
  set-Cookie: SESSIDSAAAAAA=DMNNNELCECNCKDIIDCPOIMGG
  Server2 response
  set-Cookie: SESSIDSBBBBBB=DAAMMNELCECNCKPYTWPOIPOP
  Server3 response
  set-Cookie: SESSIDSCCCCCC=POHYTUOIPOPPLKJHTERIQOKJ
  then how can CSM be configured with cookie based stickiness.
  I tried cookie insert on CSM with NULL value Assigned to "COOKIE_INSERT_EXPIRATION_DATE".
  It resulted in two set cookie responses (one from server and one from CSM).
  I am wondering how csm will react ( cookie insert is used) if client request carries two cookie name-value pairs.
  clients are behind megaproxy so cookie based stickiness is needed.
  Thanks

  if you look into a http client request you will see that many times there are more than 1 cookies.
  The most important is to make sure the CSM insert a cookie with a different name.
  Create your own name.
  The client will receive both the csm cookie and the server cookie and will send both when opening a new connection.
  The CSM is able to locate its own cookie in the list and do the stickyness.
  Gilles.

• ACE cookie-based slb

  Hi,
  I'm trying to configure a cookie-based slb method which corresponds to my current CSS11503-configuration. Basicly, my CSS performs slb purely based on the content of the arrowpoint-cookie, using the following config:
  advanced-balance arrowpoint-cookie
  arrowpoint-cookie name WPS6
  The cookie contains the real ip of the underlying webserver and the CSS fowards traffic based on that particular content of the cookie. Whenever we need to do an unscheduled shutdown of a webserver, we gracefully take the webserver out of service by setting the weight to 0, but also, my webdepartment have implemented a feature in Websphere, that somehow sends a cookie-expire to both the SESSIONID-cookie and the WPS6 cookie. So once the subsequent http-req hits the CSS, the cookie is gone and the CSS lb'es the req to a diffent server. We've intentionally left out the sticky-option, as it didn't work well with the before mentioned Websphere-feature.
  Now I'm trying to configure something similar on the ACE, but so far without luck. I did start by configuring sticky-group with the cookie-insert option and a http-parametermap with persistence-rebalance. But all attempts to recreate the above mentioned scenario, have failed. It's seems, that even with persistence-rebalance, the client-session is still stuck to the webserver and a display of the sticky-database shows, that the sticky-entry persists. Even when I manually delete the cookie-container on the client and verify with the Live-HTTP-plugin, that the subsequent http-req does not contain the WPS6 cookie, the req is still forwarded to the realserver. Even when the real-server is placed in 'inservice standby'.
  Is it possible to staticly define a cookie-value for, say, 4 webservers, each with their own unique cookie? And when the initial part of the tcp is completed and the ACE decides which realserver is to be used, it sets a cookie containing that particular value and includes it in the http-response. So if any subsequent http-req's are not containing that cookie, the ACE re-balancences that req and sends it to a different webserver.
  /Ulrich
  PS! Merry X-mas

  Ulrich,
  what you're asking for is what ACE does currently.
  The static cookies are created at configuration time.
  You can see the values with "show sticky cookie-insert"
  ie:
  switch/Admin# show sticky cookie-insert group portalap
       Cookie   |        HashKey       |           rserver-instance
    ------------+----------------------+----------------------------------------+
    R4181073320 | 11105909834649097754 | vmware-http/vmware-27:80
    R4181109257 | 10017312105356339124 | vmware-http/vmware-28:80
    R4183409225 | 15537882249682767338 | vmware-http/vmware-46:80
    R4183517036 | 1787657754489574767  | vmware-http/vmware-49:80
  Whenever we see the cookie "R...." we check if the associated server is alive and forward the connection to that server.
  Otherwise we loadbalance to a new server and include the new cookie in the response.
  For established connections, persistence rebalance is indeed required to inspect every request and rebalance the connection to a new server if a new cookie is detected.  However ACE will try not to rebalance when not needed.
  If you need a new loadbalancing decision each time, you need 'persistence rebalance strict'.
  An alternative could be the configuration of 'failaction purge' to force the connection to be terminated when the server goes down.
  'inservice standby' is described @ http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1000333
  •Tears down existing non-TCP connections to the server
  •Allows current TCP connections to complete
  •Allows new sticky connections for existing server connections that match entries in the sticky database
  •Load balances all new connections (other than the matching sticky connections mentioned above) to the other servers in the server farm
  •Eventually takes the server out of service
  As you can see, this option still allows connection to the server if it matches a sticky entry.
  Gilles.

• Cookie stickiness on ACE

  Hi:
  I have the following configuration. Although the users can hit the web server, the stickiness doesn't work.
  sticky http-cookie TEST1 TEST1
  timeout 300
  replicate sticky
  serverfarm PROXY
  policy-map type loadbalance first-match L7_TEMPORAL
  class HTTP-TEMPORAL
  sticky-serverfarm TEST1
  policy-map multi-match L4-VIP-LB-Policy
  class VIP-TEMPORAL
  loadbalance policy L7_TEMPORAL
  Raul

  Not sure if you already did that but to make stickiness work you need to assign resources for stickiness per context. Have look at the link.
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686ebf.html#wp1051078
  sticky http-cookie TEST1 TEST1 says the ace is looking for a cookie named "TEST1" in the http header so you should make sure that cookie exists. Otherwise add a "cookie insert" and the ace should insert that a cookie named "TEST1" then.
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686ebf.html#wp1015713
  [quote]
  The name argument in the sticky command specifies the cookie name that appears in the HTTP header. The name argument in the cookie secondary command specifies the cookie name that appears in the URL.
  [/quote]
  Roble

• Unable to configure Request based provisioning in OIM 9.1.0.1

  Hi,
  I have been trying to configure request based provisioning wherein Admin can request to provision a resource for a certain user. I have checked on the Auto Prepopulate and Auto Save options in the Process Definition. The problem which I am facing is that if I uncheck the Auto save option, admin's request is completed properly and an Approval request is generated. If the admin approves it, the resource status is set to Provisioning. Inside the resource object, there's only one task System Validation with status completed. The process form is empty if I view it. But if i go to edit i can see the fields being populated. After saving the form, i can see the data in the "View" option too. After this, I am able to add a task "Create User" and provision the user to Active Directory.
  But if i check the Auto Save option in the Process definition, the request is completed but no approval task is generated. There is nothing in the User's resource profile as well.
  What could be the reason for this and what could be a probable solution in such a scenario? I seek all your help in order to resolve this issue.

  I have configured the approval tasks and the provisioning is working fine. The error which i am facing now is with 2nd level approver. I want the first level approver to be the requestor's manager, which is working fine. But when i am trying to fetch the Manager details of the requestor's manager (Requestor->Manager-> Manager), I am facing the below error.
  Running GETSECONDLEVELAPPROVERTYPEUSER
  2012-10-31 13:20:28,956 INFO [STDOUT] Target Class = com.pldt.adapter.ad.TaskAssignment
  2012-10-31 13:20:28,957 INFO [STDOUT] Running GETSECONDLEVELAPPROVERKEY
  2012-10-31 13:20:28,957 INFO [STDOUT] Target Class = com.pldt.adapter.ad.TaskAssignment
  2012-10-31 13:20:28,957 INFO [STDOUT] ***************************Inside getSecondLevelApprover***************
  2012-10-31 13:20:28,974 INFO [STDOUT] **************************usrKey**********1
  2012-10-31 13:20:29,039 INFO [STDOUT] *****************ResultSet1***********Thor.API.tcMetaDataSet@5b895cb9
  2012-10-31 13:20:29,080 INFO [STDOUT] *****************ResultSet2***********Thor.API.tcMetaDataSet@68d6c6eb
  2012-10-31 13:20:29,080 ERROR [STDERR] java.lang.ClassCastException: java.lang.Long cannot be cast to java.lang.String
  2012-10-31 13:20:29,081 ERROR [STDERR]      at com.thortech.xl.adapterfactory.events.tcAdpEvent.setKeyValue(Unknown Source)
  2012-10-31 13:20:29,081 ERROR [STDERR]      at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpGETSECONDLEVELAPPROVER.implementation(adpGETSECONDLEVELAPPROVER.java:56)
  2012-10-31 13:20:29,081 ERROR [STDERR]      at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
  2012-10-31 13:20:29,081 ERROR [STDERR]      at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
  2012-10-31 13:20:29,081 ERROR [STDERR]      at com.thortech.xl.dataobj.tcScheduleItem.handleTaskAssignPostInsert(Unknown Source)
  2012-10-31 13:20:29,081 ERROR [STDERR]      at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
  2012-10-31 13:20:29,082 ERROR [STDERR]      at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
  I am passing the user key of the manager to fetch his manager's data. Please suggest a resolution for this.

• Sharepoint Error Message "Configuring column based defaults is only allowed in document library lists"

  We set up a SP 2010 site with several document libraries. Library A works fine only when I click on column default value settings I get the following error message:
  "configuring column based defaults is only allowed in document library lists"
  This list is a normal document library and all other settings work fine. If I create a new document library or go to the settings of document library B I don't see this problem and the feature works fine.
  How can I solve this problem within this library since I cannot delete the library and replace it by a new one.
  Thanks.
  library settings page of this library:

  Hi,
  According to your post, my understanding is that
  when you clicked on column default value settings you got the error message.
  What are the column types in the library?
  It seems that some column types don't support default value settings.
  I recommend to create a new library with the same columns to check whether you can set
  default values.
  If so and the error message persists, please check the SharePoint ULS log to find more information about this error, the ULS log file is in the location: C:\Program Files\Common Files\Microsoft
  Shared\Web Server Extensions\14\LOGS
  You can check the ULS log by the methods here:
  http://blogs.msdn.com/b/opal/archive/2009/12/22/uls-viewer-for-sharepoint-2010-troubleshooting.aspx
  Best Regards,
  Linda Li
  Linda Li
  TechNet Community Support

• Configuring Delivery Based Billing-Make to order

  Hi Team,
  I am configuring thDelivery based billing process.
  I have created the SO and the Delivery document
  Howevere when i try to do Post goods Issue in the Delivery document i get the following error.
  1. The storage location is not defined for delivery item 000010     
  Can you please help.
  Regards,
  Rajneesh

  Hi ,
  Check storage location- in picking tab , is exist or not. If not enter manually.
  Check - stock of the material using Transaction under particular storage location too.-transaction-mmbe
  You can also default storage location in customizing- under-
  LE-Shipping-Picking-Determine picking location-Assign picking location
  Also go through - below link - for business process- config details
  http://help.sap.com/bp_bl604/BL_US/html/index.htm
  Thanks
  Chidambaram

• JSESSIONID or Cookie-based

  Hi,
  I'm using Webcache 10.1.2 as Load balance for Forms 9.0.4 Applications. I confuse about two documnents in Metalink as Note 229900.1 and Note:268830.1. While in the former it said the "OC4J-based" option with JSESSIONID is used for Forms Application, the later recommend to use "Any Set Cookie" option with Cookie-based for Form Application.
  Any idea?

  Hi,
  looks as if the latter is a work around for what is described in bug 3309696, that this is an integration issue. Forms uses jsession and there is no need for a cookie to be set. However, due to a bug in OC4J this seemed to be required
  In order for web cache to sitck to a given OHS, OHS must set a cookie with the
  client. (Thats what web cache uses to bind the session). By default forms uses
  a cookie in the URL for session and does not set a cookie using HTTP. With the
  cookie in the URL web cache does not see it and does not bind to a server
  causing it to balance all requests and break forms.
  Frank.

• How to configure RSA Based User Authentication on XR?

  Hello,
  I have been reading Cisco docs about how to configure RSA Based User Authentication on a ASR9K.
  http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/security/configuration/guide/b_syssec_cg42asr9k/b_syssec_cg42asr9k_chapter_0110.pdf
  I have problems importing the public key to the router. No matter how i try i always get this output: 
  RP/0/RSP1/CPU0:XXX#crypto key import authentication rsa  tftp://10.232.201.180/id_rsa.pub
  Wed Jul 16 14:00:15.558
  Cannot execute the command : Invalid argument
  I have tried copying the file to Disk0: and using this path but get the same error.
  Could anyone help me explaining step by step how to configure RSA Based User Authentication.
  Thanks

  Hi
  1. Generate a key on your station
   ssh-keygen -t rsa -b 1024
  2. Remove the key type and host, leaving only key and decrypt it using base64:
   cut -f2 -d\  id_rsa.pub | base64 -d > id_rsa2.pub
  3. Import the key to the deivce
   (admin)#crypto key import authentication rsa username USERTEST ftp://xxxr/ak/id_rsa2.pub
  4. Create a username on the device matching the imported key
  username USERTEST
   group root-system
  Regards,
  /A

• MSISDN Based sticky problem

  Hi,
  We need persistency (or sticky load balancing) based on MSISDN and destination ip&port pairs.
  My content configuration shown below:
  owner WEBLOGIC
  content weblogic
  add service msisdn-9001-1
  add service msisdn-9001-2
  add service msisdn-9001-3
  add service msisdn-9002-1
  add service msisdn-9002-2
  add service msisdn-9002-3
  url "/*"
  advanced-balance wap-msisdn
  protocol tcp
  port 9003
  vip address 10.200.148.15
  active
  As a service ,there are 3 server (ofcourse 3 IP) But each server has 2 instance (Port 9001 and 9002)
  Here is the service configuration:
  service msisdn-9001-1
  ip address 10.200.148.20
  protocol tcp
  port 9001
  keepalive type tcp
  keepalive port 9001
  active
  service msisdn-9001-2
  ip address 10.200.148.21
  protocol tcp
  port 9001
  keepalive type tcp
  keepalive port 9001
  active
  service msisdn-9001-3
  ip address 10.200.148.60
  protocol tcp
  port 9001
  keepalive type tcp
  keepalive port 9001
  active
  service msisdn-9002-1
  ip address 10.200.148.20
  protocol tcp
  port 9002
  keepalive type tcp
  keepalive port 9002
  active
  service msisdn-9002-2
  ip address 10.200.148.21
  protocol tcp
  port 9002
  keepalive type tcp
  keepalive port 9002
  active
  service msisdn-9002-3
  protocol tcp
  port 9002
  keepalive type tcp
  keepalive port 9002
  ip address 10.200.148.60
  active
  But I didn't achieve that coming MSISDN go to always same service.

  Please confirm that you want to configure stickiness both based on the MSISDN header and the destination ip/port. What you can try to do in this case is set a separate content rules based on the destination port and use the 'advanced-balance wap-msisdn' in conjunction with the content rule based on the destination port.

• Breakdown of 'show sticky database' - ACE

  I need assistance to interpret the show sticky database response. What does the sticky entry value resolve to.
  I have set the stickiness on source and destination addresses. Is it possible to identify from show sticky database that which is the source IP for the sticky entry in the display.

  No.
  Client in this command is actual client.
  for e.g following command shows that ACE has a sticky entry for client "x.x.x.x"
  and this client is stuck to real server "Rserver2" due to sticky group "STICKY-GP1" and this sticky entry will remain in the sticky DB for 585 more seconds (if the connection remains idle).
  switch/ACE# show sticky database client x.x.x.<
  sticky group : STICKY-GP1
  type : IP
  timeout : 10
  timeout-activeconns : FALSE
  sticky-entry rserver-ints time-to-exp
  ---------------+--------------+------
  2702367184 rserver2:8888 585
  Syed

• Priority based Rserver activation - ACE Load Balancing

  Hi,
  I know certain load balancers which have priority based pool member activation for e.g. the server farm has two rservers. And all the traffic is sent to Rserver1, even though Rserver2 is live.
  The traffic is forwarded to Rserver2 only when Rserver1 is down.
  Is this possible with Cisco ACE ?
  Thanks.

  Hi,
  in the example above, when R1 fails, R2 takes over. From the moment R1 becomes alive again, R2 goes again into standby state, so all traffic is send again to R1.
  If R2 fails, nothing will happen because it was in standby state.
  HTH,
  Dario

• Configure Keystore-Based Security on BPEL 11g Service

  Hi,
  I've been exploring OWSM, but haven't found a guide to attach a JKS keystore-based security to a BPEL service. I'm looking for information like attaching a keystore to weblogic, and configuring SOA services to interact via this security mechanism.
  Thanks in advance,

  Doesn't help.
  That is basically telling me how to create, import, export, etc. keystores which I already know and have in place.
  The menu structure given in the doc doesn't match what I have.
  I have no place in that menu to store a keystore. Here's what I have:
  soa-infra -> Security - gives me Application Policies & Application Roles. No keystore options.
  I have a BPEL composite deployment under soa-infra that calls a secure webservice.
  I can call the service manually (from a browser) on this server, so I know I'm not getting blocked by anything.
  When I try to make the call from the BPEL service, I get this error:
  oracle.fabric.common.FabricInvocationException: Unable to access the following endpoint(s): https://www....
  Caused by: javax.xml.ws.WebServiceException: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  I guessed this was something to do with the keystore.
  If it's not then what is causing it?

• Configure DPS based on Etime or for unindexed searches

  Hi all,
  can anyone help me how to configure Proxy server, in order to route traffic based on etime & also for unindexed searches (Notes=U). I am doing sample tests using connection handlers but no luck.
  For ex;
  I have created 2 data views & want all the searches whose etime is more to go to data view 1 & all the unindexed searches go to dataview 2.
  I really appreciate if anyone can guide me how to do the configuration for this task.
  Thanks
  uday453_108

  Chris,
  I was going through some documents & found this in the appendix of DPS & trying all sorts to figure out how can we do this. (Please see the link below: trawling of LDAP directory)
  http://docs.sun.com/source/817-7615/AppFaq.html
  ""Directory Proxy Server can also be configured to deny un-indexed searches. Un-indexed searches are inefficient and can possibly have a negative impact in performance.""
  So i am curious to know how this can be done & if there's a method, i would really like to implement it in DEV env & see how it works. You told me that servers may crash, but still i just want to configure if there's a way to do it. Do you have any custom scripts which performs this kinds of tasks???
  Let me know..
  Thank you for your support.
  Uday453_108