CSM load balancing
I have an interesting problem. I have a VIP with a two server, serverfarm. Originally the VIP and serverfarm were doing load balancing in the switch IOS and the vip was configured with a 27 bit subnet mask. I moved the configuration to our csm mod and removed the subnet mask. The original sticky was set to 120 and I reset the sticky to 30 as part of the move. Now the load balancing is extremely off kilter (200 connections to 7). Any ideas what could be amiss?
Real servers are physical devices assigned to a server farm. Real servers provide the services that are load balanced. When the server receives a client request, it pulls matching information from a disk and sends it to the CSM for forwarding to the client.
You configure the real server in the real server configuration mode by specifying the server IP address and port when you assign it to a server farm. You enter the real server configuration mode from the serverfarm mode where you are adding the real server.
This URL should help me:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_installation_and_configuration_guide09186a00801760d0.html#xtocid439743
Similar Messages
-
Portal Landscape - With 2 CSM (load balance) related question
Hi,
We are currently having a portal landscape (Dev, QA -2 app servers, PRD - 4 app servers). The load balancing happens on Production Portal using CSM (load balancer) and it does SSL offloading for security encryption and it lands onto one of the application servers. When we try to login to portal it authenticates using the LDAP (OID). And we have some links which takes to backend R/3, BW etc (we use SAP load balance using SMLG logon group)
Now due to another special project the following is what we are planning:
1. Adding couple of more application servers for production portal or having separate second portal landscape itself
2. Adding couple of more application servers for R/3 production server (load balance can be done with special logon group for that)
Questions are:
1. When we land into current production portal page and click a iview link for the special project it should go only to those special portal app servers (planning to do through another CSM) and from there to backend R/3. In this scenario how the authentication (or sso ticket) happens when it goes from CSM to another CSM, will it ask for login again or any issue will happen with SSO ticket ?
2. If we decide to go for second portal landscape and in the same scenario when login to current prod portal page and click a iview link for the special project it should go to that another production portal,in that case what will happen to the login authentication happened through the first portal and SSO ticket ?
3. Suppose if we go to the second production portal directly through a website and if the user tries to login using the same id to first portal how portal will deal in terms of security (SSO) and also how backend R/3 will behave when same id comes as part of SSO.
Or if anyone thinks of any other issue apart from SSO or encryption related things which I need to be aware of, kindly let me know.
Thanks,
Murali.
I am not sure what CSM is, but I would expect it only does ssl offloading and a sort of "reverse proxy" against the cluster.
>1. When we land into current production portal page and click a iview link for the special project it should go only to those special portal app servers (planning to do through another CSM) and from there to backend R/3. In this scenario how the authentication (or sso ticket) happens when it goes from CSM to another CSM, will it ask for login again or any issue will happen with SSO ticket ?
This depends on the host name you use for the two CSM clusters. If they have the same subdomain, there should be no problem as the SAP Logon Ticket (MYSAPSSO2) cookie is issued to the sub domain of the portal.
If they do not have the same subdomain, the second CSM cluster will receive the request without the MYSAPSSO2 cookie, and will therefore trigger reauthentication.
>2. If we decide to go for second portal landscape and in the same scenario when login to current prod portal page and click a iview link for the special project it should go to that another production portal,in that case what will happen to the login authentication happened through the first portal and SSO ticket ?
It will fail, as the MYSAPSSO2 cookie from the first portal is not recognized in the second. However, you can easily setup so that the second portal trusts the first and does a logon based on its credentials
>3. Suppose if we go to the second production portal directly through a website and if the user tries to login using the same id to first portal how portal will deal in terms of security (SSO) and also how backend R/3 will behave when same id comes as part of SSO.
I assume both portal will be setup against the same LDAP/UME source. Therefore it will allow the logon. The backend systems should trust both the first and second portal (STRUSTSSO2 transaction)
I think your architecture choice comes down to if the new project has special considerations with regards to versioning of portal. If it does, it would be sensible to separate it into a separate portal (and you can always integrate them with the first portal through portal federation if you have a relatively new version).
Regards
Dagfinn -
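The cookie-scope point in the answer above can be checked before a second VIP host name is chosen. This is an added example, not part of the original thread: it applies the RFC 6265 domain-match rule to decide whether a browser would send the logon ticket cookie to each host. The host names are constructed, and modelling the ticket as a cookie with a Domain attribute is an assumption.

```python
import ipaddress

def _canon(host):
    """Lower-case the name and drop a trailing dot before comparing."""
    return host.strip().rstrip(".").lower()

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: equal, or a suffix on a label boundary."""
    host = _canon(request_host)
    domain = _canon(cookie_domain).lstrip(".")
    if host == domain:
        return True
    if _is_ip(host):
        return False  # IP literals never suffix-match a domain
    return host.endswith("." + domain)

def cookie_sent(request_host, issuing_host, domain_attr):
    """A cookie without a Domain attribute is host-only: exact match required."""
    if domain_attr is None:
        return _canon(request_host) == _canon(issuing_host)
    return domain_match(request_host, domain_attr)

def hosts_needing_reauth(issuing_host, domain_attr, hosts):
    """Hosts that will not receive the ticket and so trigger a new logon."""
    return [h for h in hosts if not cookie_sent(h, issuing_host, domain_attr)]

# Constructed host names (assumptions, not taken from the thread).
ISSUER = "portal.corp.example.com"
VIPS = [
    "portal.corp.example.com",    # existing portal VIP
    "special.corp.example.com",   # second CSM VIP, same parent domain
    "portal2.other.example.net",  # second portal in another domain
    "notcorp.example.com",        # suffix overlap without a label boundary
]

if __name__ == "__main__":
    for attr in (".corp.example.com", None):
        print(attr, "->", hosts_needing_reauth(ISSUER, attr, VIPS))
```

Every host under the cookie domain receives the ticket, so the domain should be only as wide as the set of hosts that must accept it.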
I have a request to do a redirect on a CSM load balance device and I am not sure how to go about doing it.
The request is to send traffic destined for https://payments.domain.com to https://www.diffdomain.com/folder/folder/page.jsp. I already have a serverfarm created for www.diffdomain.com, I guess I could create a vserver with a unique IP address for payments.domain.com and point it at the same set of servers, but how would I append the "/folder/folder/page.jsp" on to the request?
Hi,
The only way you can do HTTPS to HTTPS redirection is if you have an SSL module or also if this module happens to be a CSM-S. To be able to redirect encrypted traffic the CSM needs to inspect first the L5 information contained on the HTTP header. Once the SSL card has decrypted the traffic you can configure a webhost relocation serverfarm to ask the client to send the request to https://www.diffdomain.com/folder/folder/page.jsp which will be sent to the 443 vserver that is already taking traffic for https://payments.domain.com
Hope this helps.
Pablo -
How to config CSM load balance of http combined https
In this case, when I config CSM for load balance http and https service separately it was ok. 2 VIPs, 2 Serverfarms, one for http, and one for https. But I found that the https would refer to http information on IIS, because when the client first accesses http it is ok, and then logs in by https, the information is not right. So, how to config CSM in this case? Any reply will be very much appreciated.
There are 2 different ways.
You could combine the 2 vserver into a single one by not specifying the tcp port.
Another solution would be to use the same sticky group for both vservers.
For example, you could use sticky srcip.
i.e.:
sticky 10 netmask /32 address source
vserver http
 sticky 60 group 10
 inservice
vserver https
 sticky 60 group 10
 inservice
Regards,
Gilles.
Thanks for rating this answer. -
CSM - Load balance using Server CPU
Hi
I have a customer who requires the load-balancing prediction algorithm to be based on the CPU level of the Server. So the server with the least CPU is chosen at the load-balancing stage.
Is there a way to do this?
Thanks James
Hi James
With CSM the only option is DFP (Dynamic feed back protocol). If your application vendor provides DFP agents (which is very unlikely) for the application then these agents can be installed on App servers for the desired purpose.
Config details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/rsfarms.html#wp1039774
With ACE you can use SNMP based probes to achieve what you are looking for.
Syed Iftekhar Ahmed -
Hey,
Just a quick question....
Does anyone know a) if it's possible and b) how to have two servers off the CSM but instead of load-balancing between them make them a failover pair i.e. if server A goes down server B will take over - done using the same VIP?? It's needed because the application on the servers can't do load-balancing yet but can work in a failover way.
I'm reading the book trying to work it out but if someone has done this before that would be great!
Thanks
Anthony
Thanks for the responses.
I'm using CSM 4.6(6) and have given what you suggested a go but have run into problems.
When I disconnect the primary server I see that go out of service but that also knocks out the VIP and it never fails over to the second server. Am I missing something? I've attached the relevant parts of the config and would be grateful for any advice.
serverfarm FARM1
 nat server
 nat client WEB
 real 10.2.250.10
  inservice
 probe HTTP
serverfarm FARM2
 nat server
 nat client WEB
 real 10.2.250.11
  inservice
 probe HTTP
vserver WEBTRAFFIC
 virtual 10.2.250.100 tcp www
 vlan 250
 serverfarm FARM1 backup FARM2
 persistent rebalance
 inservice
I also had a go at creating that variable but it wouldn't let me...just said variable not configurable - but I'll play with that and see if I can work it out...I'm not so bothered as long as the backup part works.
Thanks guys...
Anthony -
FWSM and CSM (Load Balance) in the same chassis
Folks,
Is there any type of best practice (you ** must ** do like this) when you are going to implement the FWSM and the CSM modules on the same 6509 chassis ?
PS: The CSM is not doing FW loadbalance, it is doing loadbalance to servers located in a DMZ
PATH:
(outside) FWSM (inside) -> MSFC -> (inside) PIX (dmz) -> CSM , CSM -> (dmz) PIX (inside) -> MSFC -> (inside) FWSM
My main doubts:
1) FWSM using multi-context, Is there any integration problem with CSM ?
2) FWSM and CSS in routed mode, Is there any integration problem with both modules ?
3) Is it really necessary to operate the FWSM module in bus mode when using CSM in the same chassis (fabric switching-mode force bus) ?
Cisco Says:
"The CSM line card operates in bus mode. When using the CSM in conjunction with the FWSM line card,
Cisco recommends forcing the FWSM to operate in bus mode using the
fabric switching-mode force bus command. When service modules such as the CSM and the FWSM
operate in bus mode, traffic from DFC-enabled line cards still use the fabric connection."
In the past it was a workaround due to a bug, but I have found this recommendation and now I am a little confused.
Tks !!!
Luis-
You will want to use routed mode on the CSM so that the firewall contexts don't see each other's MAC addresses for any traffic not destined to a VIP. On the CSM VLANs, you will want to create alias IPs to use as the next hop destination between contexts for non-VIP traffic. Other than that, the CSM has no concept of contexts, so as long as the traffic is symmetric when it flows through the CSM VLANs, it will be happy.
Regards,
Chris -
Server Load Balance in one network using CSM Cat6509
I have 2 Web Servers with real IP address 10.1.12.61 and 10.1.12.62 (subnet mask 255.255.255.0). The virtual IP address configured on CSM is 10.1.12.100
I also have 2 Application Servers with real IP address 10.1.12.81 and 10.1.12.82 (subnet mask 255.255.255.0). The virtual IP address is 10.1.12.120.
Users will access Web server using the virtual IP address (10.1.12.100) so that the traffic will be load balanced.
But there is also requirement that those Web Servers access Application Servers using IP address 10.1.12.120 so that the traffic will be load balanced as well.
Is this requirement feasible?
Can CSM load balance between servers in one network address?
Budiman,
I am building the same situation here. But the most simple part seems not to be working. I have two webservers in the same subnet as my VIP.
The clients can be everywhere in every subnet.
This is what happens:
btpebgw70#sh mod contentSwitchingModule 9 conns
prot vlan source destination state
In TCP 401 192.6.53.42:1901 151.183.58.196:80 ESTAB
Out TCP 401 151.183.58.196:80 192.6.53.42:1901 ESTAB
ok this is good but:
btpebgw70#sh mod contentSwitchingModule 9 reals detail
151.183.58.201, ORBIS, state = OPERATIONAL
conns = 0, maxconns = 4294967295, minconns = 0
weight = 8, weight(admin) = 8, metric = 0, remainder = 0
total conns established = 58, total conn failures = 58
the failures have the same value as the established. Can you send me your config part of the csm because I am getting tired of this. Please email to [email protected]
Thanks in advance! -
Load balance on CSM with both Firewalsl and Cache engines
Hi,
I come from VDC#3 (Vietnam). We have 2 CSMs, 3 firewalls, and 8 CE 7325s. We configured dual CSMs to load balance for the 3 FWs, and now we want to use one CSM to load balance for the CEs. Can you hint me the best network topology?
Thanks
Your topology is correct.
The problem is your config.
If you need access to the CE ip addresses, you need to configure a vserver to allow this traffic.
Something like
serverfarm FORWARD
 no nat server
 no nat client
 predictor forward
vserver access2ce
 vip x.x.x.0/24 any
 serverfarm FORWARD
 ins
Replace x.x.x.0/24 with the subnet used by the CE.
Regards,
Gilles.
Thanks for rating this answer. -
Server Load-balancing and ACL router decision
Hello,
My 2 server farm distribution switches are running in "hybrid" mode, with CAT OS on the switch and IOS on the MSFC.
My server team is asking to block traffic to a specific server that is load balanced using Cisco's CSM load-balancer which is also installed in the chassis.
The question that I have is this.
Does anyone know in what order the MSFC will inspect and apply the ACL and when will the CSM make the load balancing decision?
The reason I need to know this is that the CSM is setup in bridged mode, where traffic to the server comes into the MSFC with a destination IP of a VIP which resides on the CSM. Subsequently, the CSM forwards the traffic to the one of the real servers in the load-balanced server farm after it makes its load-balancing decision. Which occurs first??
Does anyone have any info on what occurs first and so forth??
Is there a link to Cisco's website that explains this process??
Thanks in advance for your help.
Tony
Tony,
It sounds as if your setup is like this:
Client VLAN----MSFC----VLAN A----CSM----Server VLAN
With VLAN A and Server VLAN being the same IP subnet.
In this case all client traffic reaching the VIPs on the CSM first traverses the MSFC. So, if you want to block traffic to a specific VIP or Server IP you can do that on the MSFC's Interface for Client VLAN. You could configure an access list that filters inbound traffic on that VLAN interface.
Make sense?
-Brad -
RPC Load Balancing on CSM and SSL
We are load-balancing SSL successfully but the Exchange people want to use RPC to access mailboxes using CSM.
We need to allow ports 6005 through 59530 used by the Client Access Servers. Any suggestions?
Thanks. I tried that, but according to our exchange administrators, the solution didn't work. Here is my configuration:
serverfarm EXCH-CAS
 nat server
 no nat client
 real x.x.248.100
  inservice
 real x.x.248.101
  inservice
 probe EXCH-CAS
serverfarm EXCH-CAS-SSL
 nat server
 no nat client
 real x.x.254.60
  inservice
 real x.x.254.61
  inservice
 probe SSL-FARM
!
vserver EXCH-CAS
 virtual x.x.254.154 tcp www
 vlan 460
 serverfarm EXCH-CAS
 sticky 1440 group 152
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
vserver EXCH-CAS-S
 virtual x.x.214.139 tcp https
 vlan 400
 serverfarm EXCH-CAS-SSL
 sticky 5 group 252
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
vserver EXCH-CAS-TEST-S
 virtual x.x.214.139 tcp 0
 vlan 400
 serverfarm EXCH-CAS
 sticky 5 group 252
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
Thanks,
Mohamad -
Load Balancing FTP Server thru CSM using a single Client IP
Hello,
We have a need to load balance 3 FTP servers. These servers are reached only from a single client IP which is a database server. The FTP method that is being used is currently passive. Our configuration is currently unidirectional, ie, the FTP client (the one database server) sends to the VIP and the FTP Servers then talk directly back to the FTP client and the traffic does not go back through the CSM. The problem is that because FTP negotiates another port to talk on, we have to use sticky so that the connection is sent back to the original FTP server that sent the FTP data port to talk on. But, since we only have a single client IP that is ever used we are not load balancing appropriately across the FTP servers.
Traffic flow goes something like this, tcp port followed after colon as an example
1. FTP Client ----> VIP:21
2. CSM ---------> FTP Server:21
3. FTP Server --------> FTP Client(FTP server says come talk to me on port 1700)
4. FTP Client ---------> VIP:1700
5. CSM ---------> FTP Server:1700
6. FTP Server:1700 ---------> FTP Client
repeat steps 4 thru 6
Here's our hardware and software:
WS-X6066-SLB-APC running 4.2(2)
Config is as follows
module ContentSwitchingModule 9
 ft group 101 vlan 9
  priority 10
 vlan 216 client
  ip address 10.209.16.31 255.255.252.0
  gateway 10.209.16.1
 vlan 20 server
  ip address 10.209.0.31 255.255.252.0
  alias 10.209.0.11 255.255.252.0
 probe ICMP1 icmp
  interval 3
  failed 3
  receive 3
 serverfarm FHEPRT
  no nat server
  no nat client
  real 10.209.0.72
   inservice
  real 10.209.0.73
   inservice
  real 10.209.0.71
   inservice
  probe ICMP1
 sticky 106 netmask 255.255.255.255 address source timeout 3
 policy FHEPRT_POL1
  sticky-group 106
  serverfarm FHEPRT
 vserver FHEPRT1
  virtual 10.209.16.71 any
  vlan 216
  unidirectional
  serverfarm FHEPRT
  replicate csrp connection
  no persistent rebalance
  slb-policy FHEPRT_POL1
  inservice
You are missing "service ftp" config in the VIP definition. Try the following
 vserver FHEPRT1
  virtual 10.209.16.71 tcp ftp service ftp
Syed Iftekhar Ahmed -
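The imbalance described in the FTP question above follows directly from source-IP stickiness with a single client. This is an added example, not from the thread and not CSM code: a simplified model of a round-robin predictor with a source-IP sticky table, using the real addresses from the posted config. The client addresses are constructed, and treating each connection as refreshing the sticky timer is an assumption of the model.

```python
import ipaddress

REALS = ["10.209.0.72", "10.209.0.73", "10.209.0.71"]  # reals from the posted config

class StickyFarm:
    """Round-robin predictor behind a source-IP sticky table (simplified model)."""

    def __init__(self, reals, netmask, timeout_min):
        self.reals = list(reals)
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.timeout = timeout_min
        self.rr = 0        # next round-robin position
        self.table = {}    # masked source -> (real, minute last seen)

    def pick(self, src_ip, now_min):
        key = int(ipaddress.IPv4Address(src_ip)) & self.mask
        entry = self.table.get(key)
        if entry is not None and now_min - entry[1] <= self.timeout:
            real = entry[0]                      # live sticky entry wins
        else:
            real = self.reals[self.rr % len(self.reals)]
            self.rr += 1                         # predictor only runs on a miss
        self.table[key] = (real, now_min)        # assumption: each hit refreshes the timer
        return real

def distribution(netmask, timeout_min, connections, reals=REALS):
    """Count connections per real for a list of (source_ip, minute) pairs."""
    farm = StickyFarm(reals, netmask, timeout_min)
    counts = {r: 0 for r in reals}
    for src, minute in connections:
        counts[farm.pick(src, minute)] += 1
    return counts

# Constructed traffic: 30 connections in each scenario.
ONE_CLIENT_BUSY = [("10.209.16.50", m) for m in range(30)]      # one per minute
ONE_CLIENT_IDLE = [("10.209.16.50", m * 5) for m in range(30)]  # gaps exceed the timeout
MANY_CLIENTS = [(f"192.0.2.{i}", 0) for i in range(1, 31)]      # 30 distinct sources

if __name__ == "__main__":
    print(distribution("255.255.255.255", 3, ONE_CLIENT_BUSY))
    print(distribution("255.255.255.255", 3, ONE_CLIENT_IDLE))
    print(distribution("255.255.255.255", 3, MANY_CLIENTS))
    print(distribution("255.255.255.224", 3, MANY_CLIENTS))  # /27 sticky mask
```

A wider sticky netmask has the same effect as a single client: every source inside the masked block shares one sticky entry and lands on one real.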
Load Balancing with a CSM & SSL Module
I'm trying to understand the best way to balance traffic to two servers when decrypting and re-encrypting with the CSM and an SSL module. I take the SSL traffic hitting the first CSM VIP and forward to the SSL module for decryption. Send the decrypted traffic back to another VIP on the CSM. Send the traffic to the client proxy VIP on the SSL which encrypts the traffic and forwards to the CSM VIP. That final VIP passes the traffic to the serverfarm containing the actual servers. How do I make sure the traffic is balanced between the final VIP and my servers. It seems that sticking on SSL session ID is the only way to go at that point which made decryption pointless. I feel like I'm missing something basic here.
Thanks..
Hi David,
Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
Sachin garg -
IPSec (transport mode) load balancing via CSM
Suppose that there are two servers providing service for remote applications. Those applications use IPSec in transport mode. I would like to put a CSM in front to load-balance between both of them (persistence via SRC IP is OK for me).
Do you have any experience with transport mode? IMHO it is not possible because of IP header changes? (I have no exact information that resign from AH transforms are possible)
What about changing to tunnel mode? Have you ever seen that configuration working?
I think you can for the transport mode. I have not had any luck with the tunnel mode.
-
Cisco CSM: Duplication of udp packets possible instead of load balancing?
Hi all,
Does anybody know if it's possible to use the csm (WS-X6066-SLB-APC, OS 4.3.1) to duplicate udp packets to several real servers instead of balancing them.
In our special case we want to test duplicating snmp traps to several network management systems whereas on the snmp clients only one target address (the vserver address) is configured.
Many thanks in advance,
Thorsten
Hi Thorsten,
I'm afraid this is not possible. With the CSM you can only load-balance.
Regards
Daniel