CSM Sticky counters
I am investigating resources for a new application that must have sticky set. I'm looking at counters for sticky and am a little confused. See the following info.
sho mod csm 5 sticky group 16
group sticky-data real timeout
16 ip 10.10.159.16 192.168.137.161 5398
16 ip 10.10.167.36 192.168.137.165 6926
16 ip 10.10.175.79 192.168.137.165 5923
16 ip 10.10.187.84 192.168.137.165 4698
16 ip 10.10.64.226 192.168.137.165 821
16 ip 10.10.203.212 192.168.137.161 5028
16 ip 10.10.81.227 192.168.137.165 6137
16 ip 10.10.209.31 192.168.137.161 7177
16 ip 10.10.210.84 192.168.137.165 574
16 ip 10.10.232.8 192.168.137.161 5126
16 ip 10.10.115.84 192.168.137.165 2443
16 ip 10.10.138.14 192.168.137.165 498
16 ip 10.10.138.87 192.168.137.165 248
16 ip 10.10.139.148 192.168.137.165 5248
16 ip 10.10.19.71 192.168.137.161 5319
sho mod csm 5 sticky config
Group CurrConns Timeout Type
16 27 120 src-ip netmask 255.255.255.255
The number of entries in the sticky table and the number of CurrConns don't match. Is it a bug? How do I find out how many entries I have in the sticky database? From my understanding there can be 256.000 entries. Is it planned to increase that number? I'm running Ver 4.1(2).
Regards
Mats
Currconns is number of connections.
When source ip address can have multiple connections open, it will only create 1 single sticky entry.
There is no plan to increase the number of entries.
If you think you will need more, change the netmask, this will reduce the number of entries required.
Regards,
Gilles.
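An added example, not part of the original thread and not a Cisco tool: a small Python parser for the sticky table posted above. It counts the entries, groups them by real server, and shows how many entries the same clients would occupy under a shorter netmask, which is the change suggested in the reply. The function names are assumptions made for this illustration.

```python
import ipaddress
from collections import Counter

# Rows copied from the "sho mod csm 5 sticky group 16" output posted above.
SAMPLE = """\
sho mod csm 5 sticky group 16
group sticky-data real timeout
16 ip 10.10.159.16 192.168.137.161 5398
16 ip 10.10.167.36 192.168.137.165 6926
16 ip 10.10.175.79 192.168.137.165 5923
16 ip 10.10.187.84 192.168.137.165 4698
16 ip 10.10.64.226 192.168.137.165 821
16 ip 10.10.203.212 192.168.137.161 5028
16 ip 10.10.81.227 192.168.137.165 6137
16 ip 10.10.209.31 192.168.137.161 7177
16 ip 10.10.210.84 192.168.137.165 574
16 ip 10.10.232.8 192.168.137.161 5126
16 ip 10.10.115.84 192.168.137.165 2443
16 ip 10.10.138.14 192.168.137.165 498
16 ip 10.10.138.87 192.168.137.165 248
16 ip 10.10.139.148 192.168.137.165 5248
16 ip 10.10.19.71 192.168.137.161 5319
"""


def parse_sticky_table(text):
    """Return (group, client, real, timeout) for each src-ip sticky row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1] != "ip":
            continue  # command echo, column header, or a non src-ip entry
        try:
            rows.append((int(fields[0]),
                         ipaddress.IPv4Address(fields[2]),
                         ipaddress.IPv4Address(fields[3]),
                         int(fields[4])))
        except ValueError:
            continue  # masked or malformed addresses such as 10.x.x.x
    return rows


def entries_per_real(rows):
    """Count sticky entries pointing at each real server."""
    return Counter(str(real) for _, _, real, _ in rows)


def entries_needed(rows, netmask):
    """Entries the same clients would occupy if the group used `netmask`.

    Clients that share a masked source address share one entry, so they
    also all stick to the same real.
    """
    keys = {ipaddress.ip_network(f"{client}/{netmask}", strict=False)
            for _, client, _, _ in rows}
    return len(keys)


if __name__ == "__main__":
    rows = parse_sticky_table(SAMPLE)
    print(len(rows), "entries;", dict(entries_per_real(rows)))
    for mask in ("255.255.255.255", "255.255.255.0", "255.255.0.0"):
        print(mask, "->", entries_needed(rows, mask), "entries")
```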
Similar Messages
-
Hello,
We have a Catalyst 6500 w/ CSM-S configuration that has 2 serverfarms with identical real servers using the same VIP. Each farm has 50 real servers (2 IPs with 25 consecutive ports each). One of the serverfarms is defined under a SLB policy with client NAT and the second one directly under the vserver. Both serverfarms are configured with the same sticky group for cookie insert. When I issue "show mod csm 13 sticky group 4" I only see 52 entries instead of 100. Also, some of the entries are duplicate. All the rest of the sticky groups are displaying the correct number of cookie entries, matching the number of real servers in the farms. Any ideas on why this is?
You probably have encountered the following bug fixed only in version 4.2.2
CSCsa74493
CSM: sticky insert table not updated if adding new reals
The workaround is to reboot the CSM or reconfigure reals, policy and vserver in the correct order.
Gilles. -
CSM - STICKY FOR SAP PORTAL USING SAPLB_* COOKIE
Hello,
Please, could someone send me a sample config implementing session persistence in SAP using the saplb_* cookie in CSM with software 4.2?
Thank You,
we need more details.
What's the cookie name ?
Is it saplb_ ? is it changing (so the asterisk saplb_*) ?
The CSM can only learn the value of a cookie for a specific name which is static.
This is done easily.
IE:
gdufour-cat6k-2(config-module-csm)#sticky 100 cookie saplb
Once you have created your sticky group, you can assign to your vserver
gdufour-cat6k-2(config-module-csm)#vserver www
gdufour-cat6k-2(config-slb-vserver)#sticky 60 group 100
Gilles. -
CSM: Sticky timeout parameter: difference between sticky group and vserver
Hi,
Concerning the example in the CSM manual about configuration of stickiness:
What (or why) is exactly the difference between the timeout parameter (100 minutes):
sticky 12 cookie foo timeout 100 AND the sticky 50 group 12 in the vserver.
The timeout parameter is overruled in the vserver configuration. (100 -> 50)
For what could this be useful?
Thank you!
Kind regards,
Wim
This example shows how to configure a virtual server named barnett, associate it with the server farm
named bosco, and configure a sticky connection with a duration of 50 minutes to sticky group 12:
Router(config)# mod csm 2
Router(config-module-csm)# sticky 12 cookie foo timeout 100
Router(config-module-csm)# exit
Router(config-module-csm)#
Router(config-module-csm)# serverfarm bosco
Router(config-slb-sfarm)# real 10.1.0.105
Router(config-slb-real)# inservice
Router(config-slb-real)# exit
Router(config-slb-sfarm)#
Router(config-slb-sfarm)# vserver barnett
Router(config-slb-vserver)# virtual 10.1.0.85 tcp 80
Router(config-slb-vserver)# serverfarm bosco
Router(config-slb-vserver)# sticky 50 group 12
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# exit
Router(config-module-csm)# end
If you configure the group under a policy, there is no option for the timeout.
This is why the option exists under the sticky group.
In the vserver, you can override this timeout - so the timeout is per vserver.
If you want the same timeout, just configure the same value.
gdufour-cat6k-2(config-module-csm)#policy test1
gdufour-cat6k-2(config-slb-policy)#sticky-group ?
<1-255> sticky group ID
gdufour-cat6k-2(config-slb-policy)#sticky-group 12 ?
Gilles. -
CSM sticky timeout value - is this an idle timeout value?
We have sticky groups configured in our CSM, with a timeout value of 60 minutes. My question is does the timeout value reference an 'idle' value, such as a user disconnected from the session, and now that timer is counting down from the 60 minutes to 0, to remove the stale session out of CSM?
Or is this some other kind of value? If so, what does the value actually represent?
Group CurrConns Timeout Type
17 290 60 src-ip netmask 255.255.255.255
Also, from this info below, is "this" timeout value in seconds, or should this show in minutes? Or is this a bug that I need to resolve by updating the CSM version? We're still on v2.2(1).
CSM with SSL WS-X6066-SLB-S-K9
Thanks, Tony
switch#sho mod csm 1 sticky group 17
group sticky-data real timeout
17 ip 10.x.x.x 10.x.x.x 3469
17 ip 10.x.x.x 10.x.x.x 3275
17 ip 10.x.x.x 10.x.x.x 3016
17 ip 10.x.x.x 10.x.x.x 2791
17 ip 10.x.x.x 10.x.x.x 879
Hi Ajay, thank you for the response. From your reply, "It appears that you have configured the sticky timeout value higher than the default value. So the sticky timeout value is in minutes," we set each group to have a 60 minute timeout value. I had read from another string that the timeout values I'm seeing in this table were incorrectly displayed, due to an upgrade needed on the CSM. We're running 2.2(1), and I thought I remember reading 4.2.2 was required to correct this bug?
switch#sho mod csm 1 sticky group 17
group sticky-data real timeout
17 ip 10.x.x.x 10.x.x.x 3469
17 ip 10.x.x.x 10.x.x.x 3275
17 ip 10.x.x.x 10.x.x.x 3016
17 ip 10.x.x.x 10.x.x.x 2791
17 ip 10.x.x.x 10.x.x.x 879 -
Hello,
I have a couple of CSMs in my ServerFarm Distribution Layer and am hoping someone could advise and help me, if possible.
If I have a vserver with "sticky" applied and with a url policy applied in addition to a default serverfarm, is there a way to force the CSM to make a load balance decision after an initial decision gets made and entered into the sticky table?
Note: The policy points to different reals than the default serverfarm.
With the "sticky" command applied to the vserver and a user comes in (1st time), they are processed either by the policy or by the default serverfarm (based on url) and are load balanced and entered into the sticky table. Everything works. However, if they come back in a 2nd time and need to be load balanced by the opposite process, (by policy or by default serverfarm this time), the CSM never processes it because the user is already in the sticky table. The CSM will not make a load balancing decision to other reals if the user is already in the sticky table from a previous load balancing decision.
Is there any way the CSM can do this? Or is the CSM limited for this type of requirement?
Note: I cannot change the host name portion of my url.
Thanks for your help. I greatly appreciate it.
Tony
We will need to see your config - policy and sticky.
I'm not sure I understand how you created this.
The CSM will normally parse the policy sequentially, and when it finds a match statement, it will use the sticky method or serverfarm configured.
If no match, it goes to the next policy.
Maybe all you need to do is configure different sticky group for each policy.
ie:
map Host1 header
match protocol http header Host header-value ...
map Host2 header
sticky 1 ......
sticky 2 ......
policy P1
header-map Host1
sticky-group 1
policy P2
header-map Host2
sticky-group 2
Gilles. -
Hi,
My setup is as follows: I have 2 CSM in two different 6509 running in active and standby mode and 2 SSLM running also in two different 6509 too.
My SSL traffic terminates at my SSLM
Currently my CSM and SSL is working fine but I notice there's this niggling issue at times when accessing my web servers via HTTPS traffic. My SSL stickiness doesn't seem to be working at times. The scenario is that while accessing the pages via HTTPS the certificate web pages keep prompting and after checking the certs they are from 2 different SSLM. Furthermore after doing a trace I can confirm that the SSL sticky doesn't work at times but this is like a 5-10 % rate.
After reading some of the posts in the forum, the SSL ID in IE will expire and renegotiate again. Could this cause this problem? Also how can I rectify this. Pls advise. Thanks
Attached are my config and the screen capture of the error
Indeed IE is most probably the culprit here.
The CSM learns the SSLID generated by the SSLM and creates a sticky entry to link this value to the SSLM.
When IE wants to renegotiate the SSLID, it starts a new SSL session with a blank [0x00] SSLID.
The CSM can't stick this client to the corresponding SSLM and therefore it will loadbalance the session to the next SSLM.
If you have no control on the browser, there is no solution using SSLID.
What some people will do is use another form of stickyness to resolve the problem.
The only other sticky method is based on source ip address.
Regards,
Gilles. -
Hi
Does anyone know if it is possible to have the same STICKY rule on multiple VIPs or what the max number of STICKY rules is on CSM SW version 3.2(1).
Since we are using SSL modules too, we use an SSL STICKY rule per VIP and a Sticky rule per DECRYPT VIP. We currently have 209 Sticky Rules and would like to know when we will hit our limit.
Regards
Wayne
You can use the same sticky group in multiple vserver.
Just be aware that if client X is stuck to server Y for vserver Z, the same client X will get stuck to the same server Y for vserver Z' that would be using the same group.
By using different group a client could be stuck to different server depending on the vserver they hit.
Also, if you use the same group in multiple vserver, you need to make sure the same reals exist for the vserver.
ie: if client X gets stuck to server Y on vserver Z, if client X open a connection with vserver Z' then the server Y must be part of the serverfarm under vserver Z'.
Regards,
Gilles. -
I am running 4.1(4) on my CSM. I know 4.2 supports the sticky header command, but at this time I cannot upgrade to 4.2. How can I do sticky based on header information using 4.1(4). Would I have to do some type of policy? Can you provide an example if this is possible.
Thanks,
LB
Strange request.
You know sticky on header is a feature that was introduced with 4.2 but still you want to do it with 4.1 ?
Unfortunately, if this feature was introduced in 4.2 it means it did not exist before that and that there was no way of doing it before 4.2.
As indicated in the following document, http header stickyness is a new feature in release 4.2
http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00803e006a.html
Gilles. -
Hi
Does anyone know what resets the sticky timer on a CSM? It appears to be the initial connection and not subsequent packets once the socket has been opened.
We have an application that keeps the socket open for an undefined period of time but the sticky timer does not get reset.
Is this normal? If so is there a way to work around this so that the timer is reset by each packet.
Thx
Wayne
Wayne,
this is normal.
The timer is only reset by new connections.
There is no workaround as this is the intended behavior.
You should maybe use a different solution or increase the sticky timeout to a higher value.
Regards,
Gilles. -
I have configured the CSM with sticky on all vservers. The one problem I am having is the programmers that need to get directly to the server cannot, they are stuck on the server they initially attached to, they cannot even connect using telnet or http. What am I missing or what do I need to add to allow them to access servers, bypassing the sticky?
Hi Thornick,
If you say that they are always stuck to the same server,
then they go to the server via the virtual ip address and NOT directly.
I assume that the servers are directly attached behind the CSM blade.
One possible solution could be to use a policy serverfarm (in your VSERVERs)
which is not sticky and also use the client group option within this policy serverfarm.
This client group refers to an access-list containing all ip addresses of
your programmers' PCs.
Greetings, Wim -
Csm sticky - number of groupings
We have numerous vservers supporting L4 load balancing - and have configured sticky based on source IP. We don't need stickiness across vservers - each vserver is independent and we just need to ensure that clients hitting a vserver will be directed to the same real server each time.
We have over 255 vservers defined. Looks like there is a limitation of 255 sticky groups. How do we keep stickiness for these vservers (we see that if we use the same sticky group in multiple vservers, we run into problems described in this forum since the real servers are different between vservers). Thanks.
Unfortunately the limitation can't be removed.
So you need to find other form of stickyness that do not require a sticky group.
You could use a 'predictor hash...' which is more or less equivalent to the sticky group.
Regards,
Gilles. -
CSM: Sticky groups limitation (1..255)
Hi,
The total number of different STICKY GROUPS is limited to 255
This limits directly the number of VSERVERS/SERVERFARMS.
In case I have different serverfarms (and each different vserver maps to only 1 different serverfarm)
AND I want them all to be sticky (for example based on source ip address), I will have to configure
a different sticky group for each serverfarm.
This limits the number of vservers/serverfarms also to the maximum number of sticky groups.
(which is limited to 255)
Correct, or can I bypass this issue?
Thank you, Wim
That's correct.
You can use different form of stickyness that do not require a sticky group, like 'predictor hash'.
Regards,
Gilles. -
CSM Sticky Group or predictor command?
Hi,
I want to ensure that my client connections are connecting to the same real server as long as it is inservice. When it goes down a second server will take this job. Question: Is it possible to reach that goal by using a parameter in the predictor or weight command, or is it solely required to configure a sticky group?
Thanx, Stephan
If you do not need to loadbalance I would suggest to do a vserver with one serverfarm that has one server and assign to that serverfarm a sorry/backup serverfarm with one server
rp(config-slb-vserver)#serverfarm black-red backup green-blue -
Hello,
I need help configuring my CSM; I have a group of networks which need to be routed to a specific server based on their location.
I have a link which points to VIP:
http://1.1.1.1
If the request comes from source 2.2.2.0/24 they should be sent to http://1.1.1.2.
If the request comes from source 3.3.3.0/24 they should be sent to http://1.1.1.3.
What would be the best way to set this up?
Thank you,
Scott
module ContentSwitchingModule 5
vlan 220 server
ip address 10.20.220.2 255.255.255.0
alias 10.20.220.1 255.255.255.0
vlan 221 client
ip address 10.20.221.5 255.255.255.0
gateway 10.20.221.1
alias 10.20.221.2 255.255.255.0
probe PING icmp
interval 2
retries 2
failed 10
receive 2
real SERVER1
address 10.20.220.10
inservice
real SERVER2
address 10.20.220.20
inservice
real SERVER3
address 10.20.220.30
inservice
real SERVER4
address 10.20.220.40
inservice
serverfarm WEBFARM
nat server
no nat client
real name SERVER1
inservice
real name SERVER2
inservice
probe PING
serverfarm WEBFARM2
nat server
no nat client
real name SERVER3
inservice
real name SERVER4
inservice
policy SOURCE-IP-50
client-group 50
serverfarm WEBFARM2
# A policy consists of a series of conditions, plus the
# actions to take if those conditions are matched.
# In this case, the only condition is "client-group 50"
# which requires the incoming connection to match
# the standard access-list 50
# The only action to take is to use serverfarm WEBFARM2
# to serve those requests.
vserver WEB
virtual 10.20.221.100 tcp www
serverfarm WEBFARM
persistent rebalance
slb-policy SOURCE-IP-50
# slb-policies associated to a vserver are always examined
# in the order in which they are configured.
# The definition of the "serverfarm" under the vserver config
# is the default policy and is always used as last resort
# if no policy matches or if there are no policies
# In this case, incoming requests will be processed to see
# if they match the conditions of slb-policy SOURCE-IP-50
# If they do, then WEBFARM2 is used, otherwise the default
# policy is selected (i.e. WEBFARM will be used).
# If a default farm is not configured, then connections
# not matching any policy are dropped.
inservice
access-list 50 permit 10.20.1.100
# Configuration of the IOS standard access-list
# You can configure any of the 1-99 standard access-list
# or you can configure named access-lists