CSM load balancing

Similar Messages

• Portal Landscape - With 2 CSM (load balance) related question

  Hi,
    We are currently having a portal landscape (Dev, QA -2 app servers, PRD - 4 app servers). The load balancing happens on Production Portal using CSM (load balancer) and it does SSL offloading for security encryption and it lands onto one of the application servers. When we try to login to portal it authenticates using the LDAP (OID). And we have some links which takes to backend R/3, BW etc (we use SAP load balance using SMLG logon group)
  Now due to another special project the following is what we are planning:
  1. Adding couple of more application servers for production portal or having seperate second portal landscape itself
  2. Adding couple of more application servers for R/3 production server (load balance can be done with special logon group for that)
  Questions are:
  1. When we land into current production portal page and click a iview link for the special project it should go only to those special portal app servers (planning to do through another CSM) and from their to backend R/3. In this scenario how the authentication (or sso ticket) happens when it goes from CSM to another CSM, will it ask for login again or any issue will happen with SSO ticket ?
  2. If we decide to go for second portal landscape and in the same scenario when login to current prod portal page and click a iview link for the special project it should go to that another production portal,in that case what will happen to the login authentication happened through the first portal and SSO ticket ?
  3. Suppose if we go to the second production portal directly through a website and if the user tries to login using the same id to first portal how portal will deal in terms of security (SSO) and also how backend R/3 will behave when same id comes as part of SSO.
  Or if anyone thinks of any other issue apart from SSO or encryption related things which i need to be aware of, kindly let me know.
  Thanks,
  Murali.

  I am not sure what CSM is, but I would expect it only does ssl offloading and a sort of "reverse proxy" against the cluster.
  >1. When we land into current production portal page and click a iview link for the special project it should go only to those special portal app servers (planning to do through another CSM) and from their to backend R/3. In this >scenario how the authentication (or sso ticket) happens when it goes from CSM to another CSM, will it ask for login again or any issue will happen with SSO ticket ?
  This depends on the host name you use for the two CSM clusters. If they have the same subdomain, there should be no problem as the SAP Logon Ticket (MYSAPSSO2) cookie is issued to the sub domain of the portal.
  If they do not have the same subdomain, the second CSM cluster will receive the request without the MYSAPSSO2 cookie, and will therefore trigger reauthentication.
  >2. If we decide to go for second portal landscape and in the same scenario when login to current prod portal page and click a iview link for the special project it should go to that another production portal,in that case what will >happen to the login authentication happened through the first portal and SSO ticket ?
  It will fail, as the MYSAPSSO2 cookie from the first portal is not recognized in the second. However, you can easily setup so that the second portal trusts the first and does a logon based on its credentials
  >3. Suppose if we go to the second production portal directly through a website and if the user tries to login using the same id to first portal how portal will deal in terms of security (SSO) and also how backend R/3 will behave >when same id comes as part of SSO.
  I assume both portal will be setup against the same LDAP/UME source. Therefore it will allow the logon. The backend systems should trust both the first and second portal (STRUSTSSO2 transaction)
  I think your architecture choice comes down to if the new project has special considerations with regards to versioning of portal. If it does, it would be sensible to separate it into a separate portal (and you can always integrate them with the first portal through portal federation if you have a relatively new version).
  Regards
  Dagfinn

• CSM Load Balance redirect

  I have a request to do a redirect on a CSM load balance device and I am not sure how to go about doing it.
  The request is to send traffic destined for https://payments.domain.com to https://www.diffdomain.com/folder/folder/page.jsp. I already have a serverfarm created for www.diffdomain.com, I guess I could create a vserver with a unique IP address for payments.domain.com and point it at the same set of servers, but how would I append the "/folder/folder/page.jsp" on to the request?

  Hi,
  The only way you can do HTTPS to HTTPS redirection is if you have an SSL module or also if this module happens to be a CSM-S. To be able to redirect encrypted traffic the CSM needs to inspect first the L5 information contained on the HTTP header. Once the SSL card has decrypted the traffic you can configure a webhost relocation serverfarm to ask the client to send the request to https://www.diffdomain.com/folder/folder/page.jsp which will be sent to the 443 vserver that is already taking traffic for https://payments.domain.com
  Hope this helps.
  Pablo

• How to config CSM load balance of http combined https

  In this case,when I config CSM for load balance http and https service separately was ok.2 VIPs , 2 Serverfarms, One for http , and one for https .But I found that the https would referred to http information on IIS , because when the client first to access http is ok,and then login by https ,the information is not right.So,how to config CSM in this case,any reply will be very be appreciated.

  There are 2 different ways.
  You could combine the 2 vserver into a single one by not specifying the tcp port.
  Another solution would be to use the same sticky group for both vservers.
  For example, you could use sticky srcip.
  ie:
  sticky 10 netmask /32 address source
  vserver http
  sticky 60 group 10
  inservice
  vserver https
  sticky 60 group 10
  inservice
  Regards,
  Gilles.
  Thanks for rating this answer.

• CSM - Load balance using Server CPU

  Hi
  I have a customer who requires the load-balancing prediction
  algorithm to be based on the CPU level of the Server. So the server with the least CPU is chosen at the laod-balancing stage.
  Is there a way to do this?
  Thanks James

  Hi James
  With CSM the only option is DFP (Dynamic feed back protocol). If your application vendor provides DFP agents (which is very unlikely) for the application then these agents can be installed on App servers for the desired purpose.
  Config details at
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/rsfarms.html#wp1039774')">http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/rsfarms.html#wp1039774
  With ACE you can use SNMP based probes to achieve what you are looking for.
  Syed Iftekhar Ahmed

• CSM Load Balancer Help

  Hey,
  Just a quick question....
  Does anyone know a) if it's possible and b) how to have two servers off the CSM but instead of load-balancing between them make them a failover pair i.e. if server A goes down server B will take over - done using the same VIP?? It's needed because the application on the servers can't do load-balancing yet but can work in a failover way.
  I'm reading the book trying to work it out but if someone has done this before that would be great!
  Thanks
  Anthony

  Thanks for the responses.
  I'm using CSM 4.6(6) and have given what you suggested a go but have run into problems.
  When I disconnect the primary server I see that go out of service but that also knocks out the VIP and it never fails over to the second server. Am I missing something? I've attached the relevant parts of the config and would be greatful for any advice.
  serverfarm FARM1
  nat server
  nat client WEB
  real 10.2.250.10
  inservice
  probe HTTP
  serverfarm FARM2
  nat server
  nat client WEB
  real 10.2.250.11
  inservice
  probe HTTP
  vserver WEBTRAFFIC
  virtual 10.2.250.100 tcp www
  vlan 250
  serverfarm FARM1 backup FARM2
  persistent rebalance
  inservice
  I also had a go at creating that variable but it wouldn't let me...just said variable not configurable - but I'll play with that and see if I can work it out...I'm not so bothered as long as the backup part works.
  Thanks guys...
  Anthony

• FWSM and CSM (Load Balance) in the same chassi

  Folks,
  Is there any type of best practice (you ** must ** do like this) when you are going to implement the FWSM and the CSM modules on the same 6509 chassi ?
  PS: The CSM is not doing FW loadbalance, it is doing loadbalance to servers located in a DMZ
  PATH:
  (outside) FWSM (inside) -> MSFC -> (inside) PIX (dmz) -> CSM  , CSM -> (dmz) PIX (inside) -> MSFC -> (inside) FWSM
  My main doubts:
  1) FWSM using multi-context, Is there any integration problem with CSM ?
  2) FWSM and CSS in routed mode, Is there any integration problem with both modules ?
  3) Is it really necessary to operate the FWSM module in bus mode when using CSM in the same chassi (fabric switching-mode force bus) ?
  Cisco Says:
  "The CSM line card operates in bus mode. When using the CSM in conjunction with the FWSM line card,
  Cisco recommends forcing the FWSM to operate in bus mode using the
  fabric switching-mode force bus command. When service modules such as the CSM and the FWSM
  operate in bus mode, traffic from DFC-enabled line cards still use the fabric connection."
  In past it was a workaround due a bug, but I have found this recommendadon and know I am a little confused.
  Tks !!!

  Luis-
  You will want to used a routed mode on the CSM so that the Firewall contexts don't see eachothers MAC Addresses for any traffic not destine to to a VIP.  On the CSM VLANs, you will want to create alias IPs to use as the next hop destination between contexts for non-VIP traffic. Other than that, the CSM has no concept of contexts, so as long as the traffic is symetric when it flows through the CSM VLANs, it will be happy.
  Regards,
  Chris

• Server Load Balance in one network using CSM Cat6509

  I have 2 Web Servers with real IP address 10.1.12.61 and 10.1.12.62 (subnet mask 255.255.255.0). The virtual IP address configured on CSM is 10.1.12.100
  I also have 2 Application Servers with real IP address 10.1.12.81 and 10.1.12.82 (subnet mask 255.255.255.0). The virtual IP address is 10.1.12.120.
  Users will access Web server using the virtual IP address (10.1.12.100) so that the traffic will be load balanced.
  But there is also requirement that those Web Servers access Application Servers using IP address 10.1.12.120 so that the traffic will be load balanced as well.
  Is this requirement feasible?
  Can CSM load balance between servers in one network address?

  Budiman,
  I am building the same situatiuon here. But the most simple part seems not to be working. I have two webservers in the same subnet as my VIP.
  The clients can be everywhere in every subnet.
  This is what happens:
  btpebgw70#sh mod contentSwitchingModule 9 conns
  prot vlan source destination state
  In TCP 401 192.6.53.42:1901 151.183.58.196:80 ESTAB
  Out TCP 401 151.183.58.196:80 192.6.53.42:1901 ESTAB
  ok this is good but:
  btpebgw70#sh mod contentSwitchingModule 9 reals detail
  151.183.58.201, ORBIS, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 58, total conn failures = 58
  the failures have the same value as the established. Can you send me your config part of the csm because I am getting tired of this. Please email to [email protected]
  Thanks in advance!

• Load balance on CSM with both Firewalsl and Cache engines

  Hi,
  I'm come from VDC#3 ( Vietnam) , we have 2 CSM , 3 firewall , and 8 CE 7325. We configed dual CSMs load balance for 3 FW, and now we want to use one CSM to load balance for CEs. Can you hint me best topylogy network?
  Thanks

  your topology is correct.
  The problem is your config.
  If you need access to the CE ip addresses, you need to configure a vserver to allow this traffic.
  Something like
  serverfarm FORWARD
  no nat server
  no nat client
  predictor forward
  vserver access2ce
  vip x.x.x.0/24 any
  serverfarm FORWARD
  ins
  Replace x.x.x.0/24 with the subnet used by the CE.
  Regards,
  Gilles.
  Thanks for rating this answer.

• Server Load-balancing and ACL router decision

  Hello,
  My 2 server farm distribution switches are running in "hybrid" mode, with CAT OS on the switch and IOS on the MSFC.
  My server team is asking to block traffic to a specific server that is load balanced using Cisco's CSM load-balancer which is also installed in the chassis.
  The question that I have is this.
  Does anyone know in what order the MSFC will inspect and apply the ACL and when will the CSM make the load balancing decision?
  The reason I need to know this is that the CSM is setup in bridged mode, where traffic to the server comes into the MSFC with a destination IP of a VIP which resides on the CSM. Subsequently, the CSM forwards the traffic to the one of the real servers in the load-balanced server farm after it makes its load-balancing decision. Which ocurrs first??
  Does anyone have any info on what ocurrs first and so forth??
  Is there a link to Cisco's website that explains this process??
  Thanks in advance for your help.
  Tony

  Tony,
  It sounds as if your setup is like this:
  Client VLAN----MSFC----VLAN A----CSM----Server VLAN
  With VLAN A and Server VLAN being the same IP subnet.
  In this case all client traffic reaching the VIPs on the CSM first traverses the MSFC. So, if you want to block traffic to a specific VIP or Server IP you can do that on the MSFC's Interface for Client VLAN. You could configure an access list that filters inbound traffic on that VLAN interface.
  Make sense?
  -Brad

• RPC Load Balancing on CSM and SSL

  We are load-balancing SSL successfully but the Exchange people want to use RPC to access
  mailboxes using CSM.
  We need to allow ports 6005 through 59530 used by the Client Access Servers. Any suggestions?

  Thanks. I tried that, but according to our exchange administrators, the solution didn't work. Here is my configuration:
  serverfarm EXCH-CAS
  nat server
  no nat client
  real x.x.248.100
    inservice
  real x.x.248.101
    inservice
  probe EXCH-CAS
  serverfarm EXCH-CAS-SSL
  nat server
  no nat client
  real x.x.254.60
    inservice
  real x.x.254.61
    inservice
  probe SSL-FARM
  ! vserver EXCH-CAS
    virtual x.x.254.154 tcp www
    vlan 460
    serverfarm EXCH-CAS
    sticky 1440 group 152
    replicate csrp sticky
    replicate csrp connection
    persistent rebalance
    inservice
  vserver EXCH-CAS-S
    virtual x.x.214.139 tcp https
    vlan 400
    serverfarm EXCH-CAS-SSL
    sticky 5 group 252
    replicate csrp sticky
    replicate csrp connection
    persistent rebalance
    inservice
  vserver EXCH-CAS-TEST-S
    virtual x.x.214.139 tcp 0
    vlan 400
    serverfarm EXCH-CAS
    sticky 5 group 252
    replicate csrp sticky
    replicate csrp connection
    persistent rebalance
    inservice
  Thanks,
  Mohamad

• Load Balancing FTP Server thru CSM using a single Client IP

  Hello,
  We have a need to load balance 3 FTP servers. These servers are reached only from a single client IP which is a database server. The FTP method that is being used is currently passive. Our configuration is currently unidirectional, ie, the FTP client (the one database server) sends to the VIP and the FTP Servers then talk directly back to the FTP client and the traffic does not go back through the CSM. The problem is that because FTP negotiates another port to talk on, we have to use sticky so that the connection is sent back to the original FTP server that sent the FTP data port to talk on. But, since we only have a single client IP that is ever used we are not load balancing appropriately across the FTP servers.
  Traffic flow goes something like this, tcp port followed after colon as an example
  1. FTP Client ----> VIP:21
  2. CSM ---------> FTP Server:21
  3. FTP Server --------> FTP Client(FTP server says come talk to me on port 1700)
  4. FTP Client ---------> VIP:1700
  5. CSM ---------> FTP Server:1700
  6. FTP Server:1700 ---------> FTP Client
  repeat steps 4 thru 6
  Here's our hardware and software:
  WS-X6066-SLB-APC running 4.2(2)
  Config is as follows
  module ContentSwitchingModule 9
  ft group 101 vlan 9
  priority 10
  vlan 216 client
  ip address 10.209.16.31 255.255.252.0
  gateway 10.209.16.1
  vlan 20 server
  ip address 10.209.0.31 255.255.252.0
  alias 10.209.0.11 255.255.252.0
  probe ICMP1 icmp
  interval 3
  failed 3
  receive 3
  serverfarm FHEPRT
  no nat server
  no nat client
  real 10.209.0.72
  inservice
  real 10.209.0.73
  inservice
  real 10.209.0.71
  inservice
  probe ICMP1
  sticky 106 netmask 255.255.255.255 address source timeout 3
  policy FHEPRT_POL1
  sticky-group 106
  serverfarm FHEPRT
  vserver FHEPRT1
  virtual 10.209.16.71 any
  vlan 216
  unidirectional
  serverfarm FHEPRT
  replicate csrp connection
  no persistent rebalance
  slb-policy FHEPRT_POL1
  inservice

  You are missing "service ftp" config in the Vip definition. Try the following
  vserver FHEPRT1
  virtual 10.209.16.71 tcp ftp service ftp
  Syed Iftekhar Ahmed

• Load Balancing with a CSM & SSL Module

  I'm trying to understand the best way to balance traffic to two servers when decrypting and re-encrypting with the CSM and an SSL module. I take the SSL traffic hitting the first CSM VIP and forward to the SSL module for decryption. Send the decrypted traffic back to another VIP on the CSM. Send the traffic to the client proxy VIP on the SSL which encrypts the traffic and forwards to the CSM VIP. That final VIP passes the traffic to the serverfarm containing the actual servers. How do I make sure the traffic is balanced between the final VIP and my servers. It seems that sticking on SSL session ID is the only way to go at that point which made decryption pointless. I feel like I'm missing something basic here.
  Thanks..

  Hi David,
  Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
  2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
  Sachin garg

• IPSec (transport mode) load balancing via CSM

  Suppouse that there is two servers providing service for remote aplications. Those aplications using IPSEC in transport mode. I would like to put at front CSM to load-balance beetwen both of them (persist via SRC IP is ok for me).
  Have you any expirience with transort mode? IMHO it is not possible becouse of ip header changes? (I have no exact informatin that resign from AH transforms are possible)
  What when changing to tunnel mode. Have you ever seen that configuraion working?

  I think you can for the transport mode. I have not had any luck with the Tunnel mode.

• Cisco CSM: Duplication of udp packets possible instead of load balancing?

  Hi all,
  Does anybody know if it's possible to use the csm (WS-X6066-SLB-APC, OS 4.3.1) to duplicate udp packets to several real servers instead of balancing them.
  In our special case we want to test duplicating snmp traps to several network management systems whereas on the snmp clients only one target address (the vserver address) is configured.
  Many thanks in advance,
  Thorsten

  Hi Thorsten,
  I'm afraid this is not possible. With the CSM you can only load-balance.
  Regards
  Daniel