Connections through ACE module
when a client makes a connection to a vip which is in the client side vlan, and the ace sends the load balanced request to the rserver, and the rserver replies - does the rserver always get nat'd to the vip in the reply - if no nat is configured? Because if teh client sends a syn to the vip and receives a syn,ack from a different ip, it'll just send a reset correct?
how about in this example using nat~? Does teh rserver's reply get patted to 172.19.192.26, then get nated again to the vip? Or do they go straight to the client?
vlan 195 is teh client side
vlan 719 is the server side
access-list acl_NAT_VIP line 40 extended permit ip 172.19.254.0 255.255.254.0 172.19.192.0 255.255.252.0
class-map match-any NAT_CLASS_VIP
2 match access-list acl_NAT_VIP
policy-map multi-match NAT_POLICY
class NAT_CLASS_VIP
nat dynamic 5 vlan 719
interface vlan 195
ip address 172.19.192.19 255.255.252.0
alias 172.19.192.18 255.255.252.0
peer ip address 172.19.192.20 255.255.252.0
access-group input allowall
access-group output allowall
nat-pool 2 172.19.195.37 172.19.195.37 netmask 255.255.255.255 pat
nat-pool 3 172.19.195.39 172.19.195.39 netmask 255.255.255.255 pat
nat-pool 4 172.19.195.40 172.19.195.40 netmask 255.255.255.255 pat
nat-pool 1 172.19.195.46 172.19.195.46 netmask 255.255.255.255 pat
nat-pool 6 172.19.195.36 172.19.195.36 netmask 255.255.255.255 pat
service-policy input LB_POLICY
no shutdown
interface vlan 719
ip address 10.1.9.66 255.255.255.240
alias 10.1.9.65 255.255.255.240
peer ip address 10.1.9.67 255.255.255.240
access-group input allowall
access-group output allowall
nat-pool 5 172.19.192.26 172.19.192.26 netmask 255.255.255.255 pat
service-policy input LB_POLICY
service-policy input NAT_POLICY
no shutdown
Bryan,
As long as the server replies back to the ACE the client should only be commmunicating with the VIP address in either of your two examples.
In your first example the flow will look like this.
client > VIP after the ACE client > rserver
the reply would be
rserver > client after the ACE VIP > rserver
In your second example using client nat it will look like this
Client > VIP After ACE Natpool > rserver.
the reply would be
rserver > Nat-pool after ACE VIP > client.
The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
Regards
Jim
Similar Messages
-
Idle Oracle DB connection through ACE dropped after 1 hour
Hi folks,
I'm looking for some ideas how to troubleshoot a problem we're having with an Oracle App.
What we are finding is that when a request takes more than an hour for the Oracle DB to process the connection is being dropped.
When wireshark is used at DB server interface we see nothing for an hour and then a single packet RST,ACK with the source identified as the App Server.
We have an App server farm that is behind an ACE module that is in bridging mode. The DB server is on another VLAN so the path the traffic takes is from the App Svr through the ACE from the back to the frontside vlan, through the 6506's MSFC to be routed to the DB server.
Path like this:
Appserver|-->VL203-->|ACE|-->VL202-->|L3 Switch|-->VL200-->|DB Server
If we move the App server to Vlan 202 in front of the ACE the process carries on to completion (after 75 mins).
Is there anything in the ACE settings that could cause the connection to be dropped after an hour for traffic that should simply be being bridged through?
Any suggestions as to where to look next would be appreciated.
TIA
ZacOK Gilles, I'll look at that in the morning. However, this is where it gets interesting.
We have DB servers on two other VLANs routed by the same switch. The connections to those DB servers don't get cut off after an hour (In the connection path I outlined swap VLAN 200 for VLAN 50 or VLAN 205) One of them is even behind the ACE in a different server farm.
Zac -
Hi,
We have migrated CSM to ACE Module recentlym all the applications are working fine. But one of our real server , Hosting team did NIC Teaming (Active-Active) which was working fine but not with ACE Module (Briding Mode).
My assumtion is because of ACE in Bridge mode all the non-loadbalancing traffic has to go through ACE Module, So we couldnt access the server directly. If ACE is in One-armed mode i think it should be fine.
But with bridge mode do we have any option to make it working.there is a restriction regarding NIC teaming in active/active mode.
The ACE uses an hardcoded mac-to-IP mapping with ARP. As with active active nic teaming you'll have 2 different mac addresses, the one which is not present in the ARP cache of the ACE is considered as a security violation. -
Ace module dropping assymetric layer 2 connections
Hi we had a situation in where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server. The server in question was using Transmit Load Balancing with Fault Tolerance.
The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
I am guessing If the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address(no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1. The ace module is in transparent mode. When contacting a server on the other side of the ace, the ace drop packets that came from the second nic - and I am wondering how it "knows" that the return path is out of different downstream port. Does it share some kind of layer 2 RPF check with the 6500 ?
Please note there is no routing involved here. The destination server is just on another vlan on the same subnet, on the other side of the ace.Bryan,
As long as the server replies back to the ACE the client should only be commmunicating with the VIP address in either of your two examples.
In your first example the flow will look like this.
client > VIP after the ACE client > rserver
the reply would be
rserver > client after the ACE VIP > rserver
In your second example using client nat it will look like this
Client > VIP After ACE Natpool > rserver.
the reply would be
rserver > Nat-pool after ACE VIP > client.
The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
Regards
Jim -
ACE Module and Limiting Connections
We currently use the ACE module to Load-balancing IPSEC connection into SPA's. Since the SPA's only support 60 new connections per second. I was looking for a way to limit the amount of connecitons from the ACE to the SPA's.
Hello,
Have a look at the Configuring Real Server Rate Limiting section of the ACE documentation. I think this will meet your needs.
Hope this helps,
Sean -
I am facing an issue with Cisco ACE module. Have 5 servers serving the connections for applications. However, during peak hours there is lot of dropped connections.
Also have lot of fragment reassemble.
Please help how to go ahead troubleshooting the issue.it is on the cisco site. In the ACE datasheet to be exact. But I'm talking about the appliance. Not sure about the module. But should be the same. Only thing I was not sure was whether the same limits apply to the base license package, or are the figures lower for the base license. Cisco says that the numbers are the same for the base package.
however I'm yet to verify it on the field -
Cisco ACE module missing licence file - no connectivity
Hi,
We have 2 ACE modules that were delivered without any licenses.
There is no IP connectivity whatsoever to these modules and I'm guessing this is due to the fact there are no licenses installed.
Have tried asking Cisco to no avail - and am not sure if there is an actual problem with them or not.
The VLANs are assigned correctly and I can see inbound ICMP echo from the 6509 that its hosted in, but no outbound packets ever leave the ACE. I've applied a mgmt policy to enable ping/telnet/ssh etc.
switch/Admin# sh vlans
Vlans configured on SUP for this module
vlan4 vlan30-31 vlan160 vlan180-195 vlan360 vlan380-395 vlan560 vlan580-
595 vlan760 vlan780-795
switch/Admin# sh ip int bri
Interface IP-Address Status Protocol
vlan4 10.119.127.196 up up
vlan30 10.119.127.241 up up
vlan31 10.119.127.245 up up
interface vlan 4
description ACE Mgmt interface for Admin Context
ip address 10.119.127.196 255.255.255.224
service-policy input REMOTE_MGMT
no shutdown
vlan4 is up
Hardware type is VLAN
MAC address is 00:1f:ca:7b:6f:33
Mode : routed
IP address is 10.119.127.196 netmask is 255.255.255.224
FT status is non-redundant
Description:ACE Mgmt interface for Admin Context
MTU: 1500 bytes
Last cleared: never
Alias IP address not set
Peer IP address not set
Assigned from the Supervisor, up on Supervisor
Config download failures : 1
2980 unicast packets input, 16363862 bytes
240857 multicast, 3026 broadcast
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
0 unicast packets output, 187712 bytes
0 multicast, 2933 broadcast
0 output errors, 0 ignored
switch/Admin# sh arp
Context Admin
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
10.119.127.193 00.00.00.00.00.00 vlan4 GATEWAY - * 3 req dn
10.119.127.196 00.1f.ca.7b.6f.33 vlan4 INTERFACE LOCAL _ up
10.119.127.245 00.1f.ca.7b.6f.33 vlan31 INTERFACE LOCAL _ up
10.119.127.241 00.1f.ca.7b.6f.33 vlan30 INTERFACE LOCAL _ up
================================================================================
Total arp entries 4
The ARP table for the adjacent switch SVI has a valid MAC upon reboot, but soon after resets to 00.00.00.00.00.00
Problem is that once Cisco eventually send me the license file I have no way of TFTP'ing it to the ACE module.
Any suggestions/advice?Thanks for the info - so I should at least be able to connect to a license-less ACE at least, but these modules seem to have a problem.
If the modules are reloaded (from the ACE) or reset (from the Supervisor) they initially have the ARP entry (however still cannot communicate to the attached Supervisor via SVI) which eventually resets.
Info as requested:
switch/Admin# sh resource usage
Allocation
Resource Current Peak Min Max Denied
Context: Admin
conc-connections 9 9 0 0 0
mgmt-connections 0 0 0 0 0
proxy-connections 0 0 0 0 0
xlates 0 0 0 0 0
bandwidth 0 76 0 125000000 296849008
throughput 0 76 0 0 296849008
mgmt-traffic rate 0 0 0 125000000 0
connection rate 0 2 0 0 15
ssl-connections rate 0 0 0 0 0
mac-miss rate 0 0 0 0 0
inspect-conn rate 0 0 0 0 0
acl-memory 0 6336 0 0 11
sticky 0 0 0 0 0
regexp 0 0 0 0 0
syslog buffer 0 0 0 0 0
syslog rate 0 0 0 0 24
Context: APPLICATION
conc-connections 0 0 2000000 0 0
mgmt-connections 0 0 25000 0 0
proxy-connections 0 0 262144 0 0
xlates 0 0 262144 0 0
bandwidth 0 0 125000000 125000000 0
throughput 0 0 125000000 0 0
mgmt-traffic rate 0 0 0 125000000 0
connection rate 0 0 250000 0 0
ssl-connections rate 0 0 250 0 0
mac-miss rate 0 0 500 0 0
inspect-conn rate 0 0 1500 0 0
acl-memory 0 0 19650480 0 0
sticky 0 0 419430 0 0
regexp 0 0 262144 0 0
syslog buffer 0 0 1048576 0 0
syslog rate 0 0 25000 0 0
Context: BACK_END
conc-connections 0 0 2000000 0 0
mgmt-connections 0 0 25000 0 0
proxy-connections 0 0 262144 0 0
xlates 0 0 262144 0 0
bandwidth 0 0 125000000 125000000 0
throughput 0 0 125000000 0 0
mgmt-traffic rate 0 0 0 125000000 0
connection rate 0 0 250000 0 0
ssl-connections rate 0 0 250 0 0
mac-miss rate 0 0 500 0 0
inspect-conn rate 0 0 1500 0 0
acl-memory 0 0 19650480 0 0
sticky 0 0 419430 0 0
regexp 0 0 262144 0 0
syslog buffer 0 0 1048576 0 0
syslog rate 0 0 25000 0 0
Context: FRONT_END
conc-connections 0 0 2000000 0 0
mgmt-connections 0 0 25000 0 0
proxy-connections 0 0 262144 0 0
xlates 0 0 262144 0 0
bandwidth 0 0 125000000 125000000 0
throughput 0 0 125000000 0 0
mgmt-traffic rate 0 0 0 125000000 0
connection rate 0 0 250000 0 0
ssl-connections rate 0 0 250 0 0
mac-miss rate 0 0 500 0 0
inspect-conn rate 0 0 1500 0 0
acl-memory 0 0 19650480 0 0
sticky 0 0 419430 0 0
regexp 0 0 262144 0 0
syslog buffer 0 0 1048576 0 0
syslog rate 0 0 25000 0 0
Context: TEST_DEV
conc-connections 0 0 2000000 0 0
mgmt-connections 0 0 25000 0 0
proxy-connections 0 0 262144 0 0
xlates 0 0 262144 0 0
bandwidth 0 0 125000000 125000000 0
throughput 0 0 125000000 0 0
mgmt-traffic rate 0 0 0 125000000 0
connection rate 0 0 250000 0 0
ssl-connections rate 0 0 250 0 0
mac-miss rate 0 0 500 0 0
inspect-conn rate 0 0 1500 0 0
acl-memory 0 0 19650480 0 0
sticky 0 0 419430 0 0
regexp 0 0 262144 0 0
syslog buffer 0 0 1048576 0 0
syslog rate 0 0 25000 0 0
switch/Admin# sh cde health
CDE BRCM INTERFACE
======================
Packets received 3357
Packets transmitted 12
Broadcom interface CRC error count 0
BRCM VOQ status [empty] [not full]
BRCM pull status [pulling]
CDE HYPERION INTERFACE
======================
Packets received 7668407
Packets transmitted 967915
Short packets drop count 0
Fifo Full drop count 0
Protocol error drop count 0
FCS error drop count 0
CRC error drop count 0
Num times flow control triggered on hyp interface 0
Num self generated multicast packets filtered 967915
HYP IXP0 VOQ status [empty] [not full]
HYP IXP1 VOQ status [empty] [not full]
HYP SLOW VOQ status [empty] [not full]
HYP tx pull status [pulling]
CDE IXP0 INTERFACE
======================
Packets received 964680
Packets transmitted 6581196
Num bad pkts recvd on fast spi channel0 0
Num bad pkts recvd on slow spi channel8 0
Num bad pkts recvd on fast spi channel2 0
Num bad pkts recvd on slow spi channel4 0
IXP0 Fast VOQ status [empty] [not full]
IXP0 BRCM VOQ status [empty] [not full]
IXP0 pull status [pulling]
IXP0 spi src status [healthy]
IXP0 spi snk status [healthy]
CDE1 SWITCH1 INTERFACE
======================
Packets received (hyp, ixp0) 3241
Packets received (bcm) 6
Packets received (daughter card 0) 0
Packets received (daughter card 1) 0
Packets Errors received (hyp, ixp0) 0
Packets Errors received (bcm) 0
Packets Errors received (daughter card 0) 0
Packets Errors received (daughter card 1) 0
Packets transmitted (ixp1) 122653
Packets transmitted (nitrox) 0
Packets Errors transmitted (ixp1) 0
Packets Errors transmitted (nitrox) 0
CDE2 SWITCH2 INTERFACE
======================
Packets received (ixp1) 122653
Packets received (nitrox) 0
Packets Errors received (ixp1) 0
Packets Errors received (nitrox) 0
Packets transmitted (hyp, ixp0) 3241
Packets transmitted (broadcom) 6
Packets transmitted (daughter card 0) 0
Packets transmitted (daughter card 1) 0
Packets Errors transmitted (ixp1) 0
Packets Errors transmitted (nitrox) 0
Packets Errors transmitted (daughter card 0) 0
Packets Errors transmitted (daughter card 1) 0
CDE IXP1 INTERFACE
======================
Packets received 3247
Packets transmitted 122653
Num bad pkts recvd on fast spi channel0 0
Num bad pkts recvd on slow spi channel8 0
Num bad pkts recvd on fast spi channel2 0
Num bad pkts recvd on slow spi channel4 0
IXP1 Fast VOQ status [empty] [not full]
IXP1 BRCM VOQ status [empty] [not full]
IXP1 pull status [pulling]
IXP1 spi src status [healthy]
IXP1 spi snk status [healthy]
CDE NITROX INTERFACE
======================
Packets received 0
Packets transmitted 0
Num bad pkts recvd on fast spi channel0 0
Num bad pkts recvd on slow spi channel8 0
Num bad pkts recvd on fast spi channel2 0
Num bad pkts recvd on slow spi channel4 0
NTX Fast VOQ status [empty] [not full]
NTX BRCM VOQ status [empty] [not full]
NTX pull status [pulling]
NTX spi src status [healthy]
NTX spi snk status [healthy]
== Backplane ==
ITASCA_SYS_CNTL1 0x300 data 0x61f0000
ITASCA_SYS_CNTL2 0x304 data 0x80630000 -
ACE Module Cookie Parsing causes Reset Connection
I am trying to upgrade my ACE Modules from A2(1.3) to A2(3.2) . Unfortunately, the cookie parsing breaks when there are illegal characters and causes a connection reset (RST) when there is an invalid cookie, but only on code later than A2(1.3).
The cookie in question is being passed by a third party so making them change the cookie is not necessarily do-able. The cookie has the following value:
Cookie: CurrentUser={"UserKey":{"Key":"anonymous"},"LastUpdated":"10/13/2010 1:35:52 PM"}
We are using the following parameter map:
parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
set header-maxparse-length 20480
length-exceed continue
On the older code, the request is passed on to the server.
Is there a setting similar to "length-exceed continue" that I can give the ACE to tell it to ignore cookies it cannot parse?HTTP inspection is not enabled.
Did you mean adding a class-default to the policy-map?
Adding it to the policy-map does make it match the class-default. Unfortunately, cookie parse errors result in the inability to parse both the cookie and the host header as well. It seems that rather than just failing to parse the cookie and being unable to do sticky matching - it completely fails the entire header parsing.
Here's our setup:
rserver host test1
ip address 192.168.1.101
inservice
rserver host test2
ip address 192.168.1.102
inservice
rserver host test3
ip address 192.168.1.103
inservice
rserver host test4
ip address 192.168.1.104
inservice
serverfarm host auto
probe HTTP-diagnostic
rserver test1
inservice
rserver test2
inservice
serverfarm host news
probe HTTP-diagnostic
rserver test3
inservice
rserver test4
inservice
sticky http-cookie autoCookie auto-cookie
cookie insert browser-expire
replicate sticky
serverfarm auto
sticky http-cookie newsCookie news-cookie
cookie insert browser-expire
replicate sticky
serverfarm news
class-map type http loadbalance match-any auto
2 match http header Host header-value "www.auto.local"
3 match http header Host header-value "auto.local"
class-map type http loadbalance match-any news
2 match http header Host header-value "www.news.local"
3 match http header Host header-value "news.local"
class-map match-all prod_VIP
2 match virtual-address XXX.XXX.XXX.XXX tcp eq www
policy-map type loadbalance first-match prod_POLICY
class auto
sticky-serverfarm auto-cookie
class news
sticky-serverfarm news-cookie
class class-default
sticky-serverfarm auto-cookie
policy-map multi-match aggregate-slb-apps
class prod_VIP
loadbalance vip inservice
loadbalance policy prod_POLICY
loadbalance vip icmp-reply active
loadbalance vip advertise
appl-parameter http advanced-options CASE_PARAM -
Slow TCP performance for traffic routed by ACE module
Hi,
the customer uses two ACE20 modules in active-standby mode. The ACE load-balances servers correctly. But there is a problem with communication between servers in the different ACE contexts. When the customer uses FTP from one server in one context to the other server in other context the throughput through ACE is about 23 Mbps. It is routed traffic in ACE:-( See:
server1: / #ftp server2
Connected to server2.cent.priv.
220 server2.cent.priv FTP server (Version 4.2 Wed Apr 2 15:38:27 CDT 2008) ready.
Name (server2:root):
331 Password required for root.
Password:
230 User root logged in.
ftp> bin
200 Type set to I.
ftp> put "|dd if=/dev/zero bs=32k count=5000 " /dev/null
200 PORT command successful.
150 Opening data connection for /dev/null.
5000+0 records in.
5000+0 records out.
226 Transfer complete.
163840000 bytes sent in 6.612 seconds (2.42e+04 Kbytes/s)
local: |dd if=/dev/zero bs=32k count=5000 remote: /dev/null
ftp>
The output from show resource usage doesn't show any drops:
conc-connections 0 0 800000 1600000 0
mgmt-connections 10 54 10000 20000 0
proxy-connections 0 0 104858 209716 0
xlates 0 0 104858 209716 0
bandwidth 0 46228 50000000 225000000 0
throughput 0 1155 50000000 100000000 0
mgmt-traffic rate 0 45073 0 125000000 0
connections rate 0 9 100000 200000 0
ssl-connections rate 0 0 500 1000 0
mac-miss rate 0 0 200 400 0
inspect-conn rate 0 0 600 1200 0
acl-memory 7064 7064 7082352 14168883 0
sticky 6 6 419430 0 0
regexp 47 47 104858 209715 0
syslog buffer 794624 794624 418816 431104 0
syslog rate 0 31 10000 20000 0
There is parameter map configured with rebalance persistant for cookie insertion in the context.
Do you know how can I increase performance for TCP traffic which is not load-balanced, but routed by ACE? Thank you very much.
RomanDefault inactivity timeouts used by ACE are
icmp 2sec
tcp 3600sec
udp 120sec
With your config you will change inactivity for every protocol to 7500sec.If you want to change TCP timeout to 7500sec and keep the
other inactivity timeouts as they are now use following
parameter-map type connection GLOBAL-TCP
set timeout inactivity 600
parameter-map type connection GLOBAL-UDP
set timeout inactivity 120
parameter-map type connection GLOBAL-ICMP
set timeout inactivity 2
class-map match-all ALL-TCP
match port tcp any
class-map match-all ALL-UDP
match port tcp any
class-map match-all ALL-ICMP
match port tcp any
policy-map multi-match TIMEOUTS
class ALL-TCP
connection advanced GLOBAL-TCP
class ALL-UDP
connection advanced GLOBAL-UDP
class ALL-TCP
connection advanced GLOBAL-ICMP
and apply service-policy TIMEOUTS globally
Syed Iftekhar Ahmed -
Hi,
I need to know if for 2 ACE to work on FT the subnet needs to be same or can it work on different subnet as well?
Is it possible to connect 2 6509 with ACE each, connected through routes, not with vlans (layer 3, not layer 2)??
Also, can both ACE be made funcational to work in active active??NO.
You need to extend Each vlan going into one ACE module to its peer.
Both ACE module can be Active/Active only in multi context mode. For e.g if you have four contexts C1,C2,C3,C4 the you can make C1 & C2 active on Ace1 & C3&C4 active on Ace2.
Syed Iftekhar Ahmed -
Per-ServerFarm SNAT on ACE Module.
Dear all,
I hace an ACE Module configured in Multiple Routed Contexts.
My cust wants to configure some NAT Feature that prevents the real server IP Address appear outside the ACE. They want that the only IP address outside the ACE will be the Virtual IP Adress (VIP) that represents the serverfarm.
Also, the cust wants that different serverfarms comunicate each other within the same VLAN.
I was reading and the option that acomplish both tasks is Dynamic (PAT) Per-ServerFarm SNAT using the VIP address.
Is this correct?
The software version is A2(3,5).
Thanks a lot!
DavidHi David
Could you please calrify and maybe separate tasks you have ?
As I understand you have such tasks for now :
1) Don't show rserver IPs anywere outside ACE
2) Servers in the same VLAN should be able to communicate with serverfarm which is located in the same VLAN via VIP
First task is a little bit unclear. I mean - actually you have VIP outiside of ACE and all outiside clients communicate to serverfarm via VIP and don't need to know rserers IPs (e.g. they can even be private and VIP is public, if we're talking about Internet)
Or do you mean that rservers need to communicate with outside world through ACE but you want to NAT these flows too ?
2) Yes, it's possible. For such configuration you need to create a service policy, with the same VIP and configuration as you have for outside interface and put it on inside interface. The only one key difference is that you need to add NAT statement , because return traffic should go to ACE and as rservers and clients in this case are in the same VLAN, you need to use NAT.
E.g.
policy-map multi-match VIP_IN
class MY-CLASS
loadb vip ins
loadb policy MY-L7Policy
nat 1 dynamic vlan X << - inside interface
and then on inside interface
inter vlan X
nat-pool 1Y.Y.Y.Y netmask 255.255.255.255 pat
In this case it will work in this way : say you have servers in vlan 10. Servers #1 and #2 are rservers in your serverfarms and server #3 wants to connect to serverfarm through VIP. Let's say that vlan 10 has subnet 10.0.0.0/24 and VIP for this serverfarm is 8.8.8.8. When you confiure like I wrote above this will happen :
Server #3 connects to 8.8.8.8, traffic goes to ACE as a gateway, as you have a policy map on inside interface which catches traffic to 8.8.8.8 , ACE will catch it an proceed it. You have a SNAT statement there, so ACE will perform standard loadblanacing and replace source IP with NAT IP (say 10.0.0.100) , thus when server #1 which gets this loadbalanced traffic receives it , it will send return traffic to 10.0.0.100 , thus to ACE. -
Hi
In the Datashhet of the ACE-Module (ACE20-MOD-K9) there is the following promise:
Throughput
16 Gbps*, 8 Gbps*, and 4 Gbps
We have a base license, so I assume we have a throughput of 4Gbps (gigabits per second).
Are these 4Gbps bidirectional or unidirectional?
Is it 2Gbps in one direction and 2Gbps in the other direction?
Imagine we have just 1 host (A) before the ACE module and just 1 host (B) behind the ACE module. Can I transfer data from A to B (unidirectional) with 4Gbps? Assume the hosts are connected with 10Gbps to the network and use multiple flows!
How can I measure the effective used bandwith on the ACE module?
What hapens, if host A tries to send data faster than 4Gbps? Does it deny single packets? Base on what? Does it deny additional sessions?
How do I know that the ACE runs at it's bandwith limitation?
Any Ideas?
Thanks
PatrikHi Patrik,
See my answers inline:
We have a base license, so I assume we have a throughput of 4Gbps (gigabits per second).Are these 4Gbps bidirectional or unidirectional?Is it 2Gbps in one direction and 2Gbps in the other direction?
It measures the total throughput going through the box. It includes both directions. Also take into account that, for any traffic through the ACE, the packets are seen twice (client to ACE and ACE to server), so the effective throughput is half of the licensed one.
Imagine we have just 1 host (A) before the ACE module and just 1 host (B) behind the ACE module. Can I transfer data from A to B (unidirectional) with 4Gbps? Assume the hosts are connected with 10Gbps to the network and use multiple flows!
You could get up to 2Gbps unidirectional. This traffic will go through the ACE twice, adding to the 4Gbps license
How can I measure the effective used bandwith on the ACE module?
With the "show resource usage" command
What hapens, if host A tries to send data faster than 4Gbps? Does it deny single packets? Base on what? Does it deny additional sessions?
It will drop packets that go over the bandwidth without taking into account to which connection they belong
How do I know that the ACE runs at it's bandwith limitation?
Again, "show resource usage"
Regards
Daniel -
ACE module SSL url rewrite and path rewrite
Hi all,
I'm hoping some of you helpful people on this forum can guide me or suggest a solution to a problem I'm faced with.
I am currently load balancing exchange 2010 traffic via an ACE module. Software version is A2(3.3). I have most parts of it working fine however I am having an issue when it comes to SSL termination for Outlook Web Access (OWA).
The problem comes down to a HTTP header (field is location). I have configured an action list to re-write the SSL pure URL as per page 96 of the "Cisco Application Control Engine Module SSL Configuration Guide". example:
ssl url rewrite location bnecas\.mycompany\.com sslport 443
That part works, the http header location field that comes back from the GET request is changed to https://cas.mycompany.com which is great. However, in addition to that url, there is also a path or something following that part. The actual string that is returned is:
https://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0
The first bit of it, (https://cas.mycompany.com) is changed by the ssl url rewrite command, however the last part (http://cas.mycompany.com/owa/&reason=0) isn't changed.
This is where I've been trying to get the http Header Rewrite command to do something. I don't know if it can work in conjunction with the ssl url rewrite function however with the ssl rewrite function it seems it can't change bits of the string that aren't the pure URL at the front.
The end result is that while I have an SSL connection to the OWA login page, when I do login to OWA it reverts back to HTTP. I'm fairly sure it is because of the last part of the location string above. Is there a way to change that location string to do the following:
1. change the first part of the string to be https://cas.mycompany.com (like the ssl url rewrite function)
2. change the last part of the location string to put https in there instead of http
Ideally I would love to have this string
http://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0
replaced with this one
https://cas.mycompany.com/owa/auth/logon.aspx?url=https://cas.mycompany.com/owa/&reason=0
I had originally tried the following in the action list:
header rewrite response location header-value "(owa/auth/logon\.aspx\?url=)http(://bnecas\.thiess\.aus/owa/&reason=0)" replace "%1https%2"
ssl url rewrite location bnecas\.mycompany\.com sslport 443
but it didn't work. I'm probably screwing up the regex somewhere however there doesn't seem to be very clear examples anywhere I can find.
Any help will be greatly appreciated and of course I will be sure to rate every post that responds to my plea for help.
BradHi Brad,
try this:
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
action-list type modify http X
header rewrite response Location header-value "http://(.*url=)http://(.*)" replace "https://%1https://%2"
we wont be using ssl url rewrite in this case
Also we will be needing persistence rebalance applied through application parameter map and apply that under the VIP class -
Want to know about ACE module in 6509 : load-balancing concept
Hi,
I am quite new in this field , where i need to configure and understand the concept of load-balancing through ACE.
In my existing network set-up , i have some application servers as well as some other servers where i am looking for load-balancing.
I have gone through some of the site and cisco site as well and i came across ACE module which can be installed in 6509 switch.
I have 6509 switch as well but before going for installing the ACE module I am keen to understand below things:
1) what is difference between CSM or any other product load-balancer and ACE module :
Gone through site as well , but not getting proper answer or comparison.
1) I have some of the server configured with clustering and getting one virtual IP, In this case , will ACE work ?
2) If suppose i go for configuring different IP address with all server IP :
How do i achieve it ?
3) what is Virtual IP concept in ACE because i do not have and other ACE module then why do i need virtual IP ?
4) will the load-balancing happens based on destination based or session based ?
Please share the knowledge. It would be great help for me to go ahead with ACE and configure it and understand all the application ?Hello,
1) what is difference between CSM or any other product load-balancer and ACE module :
There are several differences but to say simply, you get higher performance and more features with ACE module/appliance comparing others.
One big difference is that with ACE seriese, you can configure multiple contexts on one box (virtual load-balancers on one box) that makes us possible to provide a virtual load-balancer to a customer. In that way, the customer can access and makes changes on only the virtual box. You can split management domain for each customers. Also using contexts, you can assign certain resources available on the hardware for each contexts according to their service contract.
ACE serise has specific hardware chip for supporting SSL termination but some others do not.
For instance, you need a CSM-S, or a CSM and a SSL module to terminate SSL.
The other thing I should mention is that our most recent product is ACE serise that means it has longer product roadmap.
Let me try clarifying your other questions.
3) what is Virtual IP concept in ACE because i do not have and other ACE module then why do i need virtual IP ?
4) will the load-balancing happens based on destination based or session based ?
I think I'd better to put 3) and 4) first.
Virtual ip address (VIP) is the address to which client accesses.
VIP is tied with a serverfarm or serverfarms, in a serverfarm one or multiple rservers can be configured.
"serverfarm" is a group of "rservers".
"rserver" means real-server that has an ip address and processes transactions.
When a client accesses to the VIP, ACE picks up a rserver according to algorithm.
If you configure a VIP that is tied with a serverfarm where only one rsever is configured, client accesses to the virtual ip address are
all forwarded to the rserver.
If you configure a VIP that is tied with a serverfarm where multiple rsevers are configured, client accesses to the virtual ip address are
balanced among those rservers.
If you configure multiple VIPs, client accesses to those VIPs are forwareded to corresponding rservers according to configuration.
1) I have some of the server configured with clustering and getting one virtual IP, In this case , will ACE work ?
ACE load-balances connections to configured rservers.
If the clustered servers are sharing one virtual ip address and you configure the virtual ip address as a rserver, all connections are
sent to the virtual ip address. That is not "load-balancing" on ACE... You need multiple rservers to which ACE load-balances connections.
2) If suppose i go for configuring different IP address with all server IP :
How do i achieve it ?
You can configure those ip addresses as rserver ip address.
Multiple rservers are tied into a group, "serverfarm".
I'm not certain about your culstered servers but I guess you can configure each ip addresses in the culster as rservers.
Then put those rservers in a serverfarm.Client accesses to a virtual ip address configured on ACE for the serverfarm.
This way connections are load-balanced among those rservers depending on load-balancing algorithm you choose.
Above is just an overveiw. ACE gives you granular control not mentioned above.
I can provide more specific information if you tell me details of what you are trying to archive with ACE.
Regards,
Kimihito. -
ACE module - Qos - set ip tos #
All,
Trying to mark traffic to/from L4 rules in the ACE.
Documentation (like always) says it's really easy. Mark traffic by using the "set ip tos <value>" command in Policy/Class configuration. Ok, so I do this, set ip tos 24.
Enable qos globally on the 6500 host, but don't see the traffic being marked.
sh mls qos says that packets are being modified by module 5 (ACE)
But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.
sh mls qos:
QoS is enabled globally
Policy marking depends on port_trust
QoS ip packet dscp rewrite enabled globally
Input mode for GRE Tunnel is Pipe mode
Input mode for MPLS is Pipe mode
QoS Trust state is CoS on the following interface:
Te3/1
QoS Trust state is DSCP on the following interface:
Gi2/3
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
----- Module [5] -----
QoS global counters:
Total packets: 207147888661
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 2663386
IP packets with COS changed by policing: 4889352
Non-IP packets with COS changed by policing: 0
MPLS packets with EXP changed by policing: 0
Can someone explain to me what I've got wrong here? Is the ACE simply marking traffic destined for the servers behind it and not the return traffic? Am I missunderstanding something?Well... hopefully someone knows how to classify traffic coming from the ACE.
I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it. At least not the way I want.
However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially sucessful solution. Problem is, "partially" successful.
You'll have a bunch of little conversations like this with no tos value full of push-acks:
10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
But then you'll see another conversation pop up with the correct markings
10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
I think what's happening, is that the conversations full of the P-acks is the load balancer communicating directly with the client (i.e. LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (like it might/probably is doing with the p-acks) on it's way back to the client.
I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either. And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
So.... PLEASE... Anyone??? Ideas???
Maybe you are looking for
-
How do you remove purchased songs from the iCloud?
There are a bunch of songs that I have bought over the years that I have no intention of listening to again. Since I have signed up for iTunes Match, they now all appear again on all my devices that I use the iCloud on... Apple says that I can simply
-
Error while reading raw file created in previous task using raw file destination
I am reading a flat file and creating an raw file using raw file destination. path of the raw file is in a variable. now I am reading the raw file using the rawfile source component. I am able to execute if the .raw file is available. But when we
-
I am having situation in my project in which I need to transpose the data, means need to display all rows to column. Please asap help me on this. Thanks in advance Anup
-
Cleaning up potentially harmful files
Is there a way to clean potentially harmful files and if so how can I find them and delete them? Im having several issue with pop ups which were not pprevelent before. AnNy suggestions??
-
After last itunes update I cannot get to the internet through itunes. Cannot get to itunes store, itunes help, etc. Also, now when I sync everything syncs properly but I get message at end that tells me that my phone cannot be backed up on the laptop