CSS 11500 Load balancing

Similar Messages

• Using a single CSS to load balance multiple services

  Is it possible to use a single CSS to load balance 3 different services (server farm) ? That mean the CSS need to advertise 3 VIP
  I'm thinking of two scenarios:
  1 - configure the CSS to use 4 interfaces: 1 to public, 3 to private (each interface will plug-in to a different vlan/server farm)
  2 - configure the CSS to use 2 interfaces: 1 to public, 1 to private (all 3 server farms are in the same vlan)
  Will both scenarios work ?
  Thanks
  --Phillip.

  Hi Phillip,
  both scenarios will work. One CSS can certainly manage more than 3 services! You can even use just one VIP for all traffic, then just create the proper rules to send specific traffic to the corresponding service(s). No need for 3 VIPs.
  Regards
  -juerg

• CSS 11503 load-balancing with MS Print Servers

  We are trying to load-balance print server connections between 2 MS print servers. When we try to connect to the print servers name, (\\PS01) or even the VIP address, we get a Path not found error. However, if we direct the path to the actual name or ip address of the print servers (not the VIP), we can view all the queues and connect/print to them. Is this possible to do on the CSS 11503? Thanks.

  Pete- Here is our config. See any problems?
  configure
  !*************************** GLOBAL ***************************
  ip route 0.0.0.0 0.0.0.0 1.100.100.100 1
  !************************* INTERFACE *************************
  interface 1/2
  bridge vlan 2
  !************************** CIRCUIT **************************
  circuit VLAN1
  ip address 1.100.101.110 255.0.0.0
  circuit VLAN2
  ip address 10.100.249.1 255.255.255.0
  !************************** SERVICE **************************
  service ps01
  ip address 10.100.249.5
  active
  service ps02
  ip address 10.100.249.6
  active
  !*************************** OWNER ***************************
  owner printserver
  content L3_Basic
  add service ps01
  add service ps02
  vip address 1.100.100.35

• CSS 11503 Load Balancing Verification

  Alright, so I have toiled long and hard to get this right.  I think I have the config down but I am unsure on how to verify how this load balancing is working.
  Here is the Content Config that I am speaking of:
  content cad-rule
      add service wls1-e0
      add service wls1-e1
      add service wls2-e0
      add service wls2-e1
      add service wls3-e0
      add service wls3-e1
      add service wls4-e0
      add service wls4-e1
      add service wls5-e0
      add service wls5-e1
      add service wls6-e0
      add service wls6-e1
      arrowpoint-cookie expiration 00:00:15:00
      advanced-balance arrowpoint-cookie
      redundant-index 2
      vip address 172.30.194.195 range 2
      arrowpoint-cookie name TOQ
      protocol tcp
      port 8001
      url "/*"
      active
  Each service in the rule above is configured as follows:
  service wls1-e1
    port 8001
    protocol tcp
    strin ags001-e1
    ip address 172.30.193.81
    keepalive type http
    keepalive uri "/cad/index.html"
    redundant-index 12
    keepalive frequency 20
    keepalive maxfailure 10
    keepalive retryperiod 2
    active
  I am using the advanced arrowpoint cookies because I need some stickiness here.  Straight round-robin would not have done what I needed it to do.
  Now, when I go to my show summary, this is what I see for this rule:
                   cad-rule    Master   wls1-e0 84274
                                              wls1-e1 13144
                                              wls2-e0 96884
                                              wls2-e1 26374
                                              wls3-e0 71145
                                              wls3-e1 16592
                                              wls4-e0 76403
                                              wls4-e1 8657
                                              wls5-e0 118623
                                              wls5-e1 22760
                                              wls6-e0 30836
                                              wls6-e1 20464
  The far right column indicates the services hits.  I originally had the E1's suspended and activated them later on. So if this was true round robin, all the E0's should have the same number of service hits and all the E1's should have the same number of service hits.  But as you can see, the wls5 server is getting hit the most while the wls6 server is sitting there twiddling its thumbs.
  Now understanding how the arrowpoint cookies do their load balancing (inserting a cooking into the flow and then timing out after 15 mins as configured above) I would not expect a 1:1 ratio of load balancing between servers.  But the distribution above seems rather extreme.
  Does anyone have any suggestions on how to both A) verify that this is the right config and B) suggest to my boss that this is working the way it should be working?
  Thanks!
  James

  Hi James,
  There are several reasons of the uneven load balancing that you are seeing (based on the show summary). First
  of all, the CSS is configured to do stickiness (advance-balance).
  With arrowpoint-cookies (for HTTP only) method for stickiness, only the requests coming with the same cookie
  are going to get stuck to the same server, since the cookie is
  lost when the browser is closed (or based on the expiration), then the stickiness is going to be session
  based and if the same client open a new session is going to be load balanced.
  Is important to understand that when using stickiness, no real even load balancing is
  going to happen since we are sticking new flows to the same server; even when layer 5 stickiness would
  permit more even balancing than layer 3 stickiness (source IP based).
  Also consider that the "show summary" is a command to see the hits (requests) being balanced to an specific
  server, this is a good command to see the load balancing, anyway since the CSS balance
  connections (flows), a persistent connection could have a lot of requests, so all those requests are
  always going to the same server (incrementing the amount of hits in the counter) while a non-persistent
  connection would be just one request (refer to HTTP persistence).
  Also keep in mind that if a service is take out for maintenance, or is added to the load balancing later
  than another, or if goes down for a period of time, then the CSS will be balancing among the remaining alive
  servers. When you add the server again, the another servers are going to have connections
  already established, so since the CSS is doing round robin, the server last added will
  never have the same amount of connections (nor hits) that the other ones, because while one could
  have 55 for example, the new one will have it first connection, and when the first one
  gets the 56, the another will get the second, and so on.
  Please let me know if this makes any sense.
  Diego M

• CSS Scalable Load Balancing Method

  Greetings All,
  Looking to the brain trust here for some options on a requested load balancing schema.
  I have a CSS11506 for which I need to configure some 'scalable' load balancing.
  We have 2 servers configured for load balancing... we'll call the services S1 and S2.
  The requirement is to have S1 to service all traffic until its related server CPU reaches 80%. Once this occurs, then traffic should start being sent to S2 for load balancing.
  How can I accomplish this?
  Thanks!
  -Adam

  Gilles,
  Thanks for the reply.
  I'm not real savvy with creating scripted keep-alives from scratch.
  Can you direct me to some links where I can learn more about creating such a script on the CSS?
  Thanks again!
  -Adam

• CSS 11501 Load Balancing with X-forwarded-for

  Hi,
  We have a pair of CSS 11501,
  Currently it is using source ip for load balancing and 5 servers as backend , however we have users loggin in using http and based on its source IP (ISP PROXY) , it is forwarded to SERVER A.
  However, we have a SSL page and when the client switches over to SSL , it is forwarded to SERVER B/C/D/E  based on its source IP ( REAL CLIENT IP) .
  This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
  Is there any way that we can use the X-Forwarded-For address to load balance so that when users loging , they are sent to SERVER A (Based on X-Forwarded-For Header IP which translate to REAL CLIENT IP).
  This way we are able to also send it back to the same server when it uses SSL.
  I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP
  Regards

  Hi,
  Unfortunately CSS does not support X-Forwarded-For, and even if CSS supports that, this wont work if you are not using SSL termination.
  One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
  In summary, you will have an SSL content rule that will decrypt the traffic, and this one will use the same content rule that already exist for HTTP, in case that the server is the one doing the redirect to SSL, but this is something that requires testing since depending on the redirect behavior we might have a redirect loop, but without details it is kind of hard to confirm that you will face this with this option.
  Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
    content HTTP-HTTPS
      vip address 10.198.44.70
      advanced-balance sticky-srcip
      add service server1
      add service server2
      add service server3
      add service server4
      add service server5
      protocol tcp
      active
  Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
  Thanks,
  Rodrigo

• CSS 11501 Load Balancing Issue

  Hi,
  We are facing some issue in load balancing in cisco CSS 11501 as we are not able to access the application  through virtual IP. Below is the ruuning configuration of the CSS:
  CSS11501# sh running-config
  !Generated on 10/06/2010 16:51:34
  !Active version: sg0810106
  configure
  !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 132.186.199.1 1
  !************************** CIRCUIT **************************
  circuit VLAN1
    ip address 132.186.199.145 255.255.255.0
  !************************** SERVICE **************************
  service Server1
    ip address 132.186.199.243
    port 5001
    protocol tcp
    keepalive port 5001
    active
  service Server2
    ip address 132.186.199.246
    protocol tcp
    port 5001
    keepalive port 5001
    active
  !*************************** OWNER ***************************
  owner L5_Owner
    content L3_Rule
      vip address 132.186.199.146
      protocol tcp
      port 5001
      add service Server1
      add service Server2
      active
    content L5_Rule
      vip address 132.186.199.146
      add service Server1
      add service Server2
      protocol tcp
      port 5001
      url "//132.186.199.146:5001/emi"
      active
  CSS11501#
  Observation : We are able to telnet on VIP: 132.186.199.146 on port 5001,  but not able to access the application.
  In Actual scenarion customer access  application by accessing URL: http://132.186.199.243:5001/emi and once he enter this URL in web browser the request redirects ( by server itself)  to URL: https://132.186.199.44:6002/cas/login?service=http%3A%2F%2F132.186.199.243%3A5001%2Femi%2Findex.jsp&acceptStrength=BASIC on backend server for user authenticaton and once user is authenticated then it again redirect to main URL ( http://132.186.199.243:5001/emi ) to access the application but when we are trying to access the application through VIP ( URL: http://132.186.199.146:5001/emi) we are not getting the login page as the request is not gettting redirected to backend server for user authentication.
  Please suggest a solution here.

  The problem is that you are in one-armed mode.
  So you need to configure client nat.
  Without nating the client ip address, the server response goes back directly to the client and bypasses the CSS.
  Therefore the client receives a response from an unknown server ip address (not the vip).
  So configure a group.
  For example
  group Client
      vip address 132.186.199.146
      add destination service Server1
       add destination service Server2
      active
  Also, remove the url command from your content rule.
  It is useless in your case and will just make performance worst.
  Gilles.

• CSS 11050 Load Balancing with Single VLAN (no NAT)

  We have several CSS 11050's in use on our network, cheifly for load-balancing web servers. In a test network I've set up, I've configured our test servers' IP addresses and our load-balanced IP address to be on the same subnet. This way our developers can easily check both single servers as well as the LB configuration. This got me thinking...
  All the config documentation I've seen on the CSS seems to assume that you are putting the VIP for the content rule on a different VLAN than the IPs for the services. Is there any particular need for this? I'm in the process of setting up another network that will have its services NATed behind a PIX. There are some services (WWW) that I want load balanced and some services (passive FTP with one server) where there's really no need. Would I do any harm by putting the content rules' VIPs on the same subnet as the servers themselves? I can still plug the servers into the other ports on the CSS so that I'm not really doing a "one-arm" configuration.
  -Mark Romer

  You shouldn't have any problem doing this. In addition to load balancing web servers we've also balanced terminal servers that are configured to be accessed by remote users through VPN connections. Because we have over 90 remote locations, I didn't want the services and the VIP addresses to be on different VLAN's because I'd have to reconfigure the routers in all the remote locations. I was in the same position you're in, all the documentation indicated different VLAN's but I thought it would be a worth a try. Everything works perfectly...
  Cody Rowland

• CSS 11500 Re-balance services after service failure

  We have 3 servers in our server farm and under normal circumstances wish to balance them unevenly such that the 3rd server only gets a small proportion of the traffic. The other two should be equally balanced. (Say 45, 45, 10).
  When one of the prime servers (1st or 2nd) fails we wish to distribute the load across the remaining 2 evenly.
  We are currently considering a cmd-sched script which will monitor the status of all three servers and reset the weights in the case of a server failure.
  Is there a better way, preferably without a cmd-sched script?

  Andrew,
  This is messy but it should work. Configure multiple services for each server. Then use keepalive scripts to make some of the server3 services show as down if both the other servers are up, but if one of server1 and server2 is down, then all the server3 services show as up. You need to end up with the same number of reals configured for each physical box and vary the scripts so that most of the server3 services are down when the other 2 servers are OK.
  Peter

• CSS load balance - Lock Outlook 2007 - RPC over http

  I have problema whit load balance for configuration of client Outlook 2007. (using protocol RPC over http). Through the CSS, after a period of utilization, the Outlook lock. And without the CSS doind load balance, no ocurred the problem.
  I appreciate any help.
  Thanks!

  Jason,
  CSS is not created in a source group of "exchange2007rcvir. Is that the problem is that?
  **** OWNER ****
  content exchange2007rcvir
  vip address 10.58.32.123
  add service scmt801cto
  add service scmt801cas
  redundant-index 205
  protocol tcp
  advanced-balance sticky-srcip
  sticky-inact-timeout 30
  active
  content exchangehtvir
  vip address 10.58.32.89
  add service scmt700cto
  add service scmt700cas
  redundant-index 201
  protocol tcp
  advanced-balance sticky-srcip
  sticky-inact-timeout 30
  active
  content exchangewavir
  vip address 10.58.32.33
  add service scmt800cto
  add service scmt800cas
  redundant-index 51
  protocol tcp
  advanced-balance sticky-srcip
  sticky-inact-timeout 30
  active
  ***** GROUP *****
  group exchangehtvir
  add destination service scmt700cto
  add destination service scmt700cas
  vip address 10.58.32.91
  active
  group grp_axiavir
  vip address 10.58.32.83
  add destination service scxt393cas
  add destination service scxt394cas
  add destination service scxt395cas
  add destination service scxt393cto
  add destination service scxt394cto
  add destination service scxt395cto
  active
  ** No have exchange2007rcvir

• Load Balance TMG with Cisco CSS

  I am working with a Customer that is using Cisco CSS to load balance Microsoft TMG 2010.
  From the Microsoft TMG, I can see the https probes hitting the TMG Servers. The TMG 2010 recongnizes that the Cisco is trying to establish a 3-way handshake and is dropping every 3rd connection with the following error: "non-SYN packet was dropped because it was sent by a source that does not hane an established connection with the Forefron TMG computer." Since the Microsoft Forefront TMG 2010 Server is Stateful packet inspection firewall, what is the best load balance method for this service? TCP or even worst ICMP.
  Below is a snipet of the configuration:
  Thank You
  Avery
  CSS-A# show service Server1-ssl
  Name: Server1-ssl  Index: 70   
    Type: Local            State: Alive
    Rule ( x.x.x.x  TCP  443 )
    Session Redundancy: Enabled
    Redundancy Global Index: 206
    Redirect Domain: 
    Redirect String:
    Keepalive: (SSL-443   5   3   5 )
    Keepalive Encryption:      Disabled
    Last Clearing of Stats Counters: 03/05/2012 16:33:14
    Mtu:                       1500        State Transitions:            4
    Total Local Connections:   0           Total Backup Connections:     0
    Current Local Connections: 0           Current Backup Connections:   0
    Total Connections:         0           Max Connections:              65534
    Total Reused Conns:        0           Weight Reporting:             None
    Weight:                    1           Load:                         2
  CSS-A#
  CSS-A# show service Server2-ssl 
  Name: Server2-ssl  Index: 71   
    Type: Local            State: Alive
    Rule ( x.x.x.x  TCP  443 )
    Session Redundancy: Enabled
    Redundancy Global Index: 207
    Redirect Domain: 
    Redirect String:
    Keepalive: (SSL-443   5   3   5 )
    Keepalive Encryption:      Disabled
    Last Clearing of Stats Counters: 03/05/2012 16:53:49
    Mtu:                       1500        State Transitions:            6
    Total Local Connections:   0           Total Backup Connections:     0
    Current Local Connections: 0           Current Backup Connections:   0
    Total Connections:         0           Max Connections:              65534
    Total Reused Conns:        0           Weight Reporting:             None
    Weight:                    1           Load:                         2

  Hi,
  It would good to have a capture from the server itself, the TCP keepalive is really simple, as you explained, it is just a 3-way-handshake on port 443.
  The CSS is going to use it's vlan IP to generate this keepalive.
  So if the server is dropping the connection, it would be good to se the actual behavior of the keepalive.
  ICMP is just a ping, and lets say port 443 is not longer open on the server, at the point that the CSS gets the ICMP reply back from the server, the service is going to remain as alive, but the traffic is not going to work, so ICMP is not a good option.
  Thanks!

• CSS11503 load balancing virtual server IP's

  Hi CSS experts,
  We have a Cisco Content Services Switch 11503 Load Balancer which seems to require Real Server NICs to be plugged in. When I plug a cable from our Cisco 3560 switch into the Cisco Load Balancer, it can't see the 2 web server IP's that I'm trying to load balance for HTTP/HTTPS. The virtual IP does not display the webpage of either web servers.
  On the otherhand, when I use two physically separate 1U web servers and physically plug 2 cables (1 for each server) into the CSS 8 port switch, the virtual IP is able to redirect the traffic to both web servers.
  How do I configure the CSS to load balance and actually see 2 IP's on the network which isn't plugged in physically per server into the CSS 8 port switch.
  Internet->CSS->1 cable plugged into Cisco switch which host 2 web servers.
  Thanks,
  Mike
  Configuration:
  circuit VLAN1
  ip address 192.168.1.10 255.255.255.0
  service Websrv1
  ip address 192.168.1.104
  protocol tcp
  port 80
  keepalive type http non-persistent
  active
  service Websrv1SSL
  ip address 192.168.1.104
  protocol tcp
  port 443
  keepalive type ssl
  active
  service Websrv2
  ip address 192.168.1.101
  protocol tcp
  port 80
  keepalive type http non-persistent
  active
  service Websrv2SSL
  ip address 192.168.1.101
  protocol tcp
  port 443
  keepalive type ssl
  active
  owner Web
  content NG
  add service Websrv1
  add service Websrv2
  vip address 192.168.1.7
  port 80
  protocol tcp
  advanced-balance arrowpoint-cookie
  url "/*"
  active
  content NGSSL
  add service Websrv1SSL
  add service Websrv2SSL
  vip address 192.168.1.7
  port 443
  protocol tcp
  advanced-balance sticky-srcip
  sticky-inact-timeout 60
  active

  I checked the connectivity to the servers form the CSS and it was good. I was able to ping, and the connection status in sh service summary incremented by 1 each time I tried to connect. From the server, I was able to ping back to the IP of the CSS and the VIP address as well. I have tried using only 1 server for 1 VIP. I have tried changing the default gateway on the server to the IP of the CSS and the VIP IP as well. It still doesn't seem to help. Anymore suggestions for me to try?
  Thanks
  Mike

• Load-balancing of transparent cache + IP spoofing + RTSP + MMS not working

  We have already in production an architecture with load-balancing of
  transparent cache + ip spoofing.
  We are unable to do the same for streaming flows (MMS and RTSP).
  We are doing PBR from our core network (2 * C6K) to redirect port 80, 554 and
  1755 toward CSS boxes, same in our access router (2* Ciso7200).
  In this config desired flows are redirected toward the CSS.
  Then CSS should load balance the traffic toward our BlueCoat proxy-cache farm.
  It's working fine for HTTP but we are unable to make it works for MMS and
  RTSP.
  Note that we are requiered to use ECMP to perform IP Spoofing on the CSS, meaning we need 4 routes for each client subnet (one route toward upstream C6K, and 3 routes for each proxy cache). We use acl to get rid off looping condition.
  Anyone who has already put in place Load-balancing of Streaming transparent cache + IP spoofing could give us some hint.
  Many thanks.
  Regards,
  Pierre Viennet

  Gilles, thanks for your input.
  Here where we are at with streaming implementation:
  - HTTP on all type off client is working
  - RTSP: TCP 554 with Real Media client is working
  - RTSP: TCP 554 with WMP not working, but it's due to a bug in Bluecoat implementation, the proxy send an error when he see a request with ( User-Agent: WMPlayer ) for RTSP content.
  - MMS: TCP 1755 not working with IP spoofing enable on the proxy but OK without IP spoofing...
  - UDP 554: not working
  - UDP 1755: not working
  I fully understand the limitation for UDP traffic.
  But I don't see why it's not working for MMS over TCP traffic.
  Note that I have the exact same configuration for RTSP and MMS.
  Why is it not working for MMS with IP spoofing? Are you aware of a difference on the way CSS handle MMS flows? or a specificity of the MMS protocol?
  Below what we can see on the different equipement when trying to launch a MMS over TCP Stream:
  c6k-Faaa#sh mls ip source 195.83.182.72
  Displaying Netflow entries in Supervisor Earl
  DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
  Pkts Bytes Age LastSeen Attributes
  202.3.225.5 195.83.182.72 tcp :1755 :1504 0 : 0
  3 124 17 18:58:12 L3 - Dynamic
  202.3.225.5 195.83.182.72 tcp :1755 :1527 0 : 0
  2 84 3 18:58:20 L3 - Dynamic
  202.3.225.5 195.83.182.72 tcp :554 :1503 0 : 0
  4 360 17 18:58:06 L3 - Dynamic
  c6k-Faaa#
  CSS11503_CORE1# sho flows 202.3.225.5 | grep 1755
  202.3.225.5 38531 195.83.182.72 1755 0.0.0.0 TCP
  2/3 2/1
  202.3.225.5 1527 195.83.182.72 1755 195.83.182.72 TCP
  2/7 2/3
  CSS11503_CORE1# sho flows 202.3.225.5 | grep 1755
  202.3.225.5 38531 195.83.182.72 1755 0.0.0.0 TCP
  2/3 2/1
  202.3.225.5 1527 195.83.182.72 1755 195.83.182.72 TCP
  2/7 2/3
  CSS11503_CORE1# sho flows 202.3.225.5 | grep 1755
  202.3.225.5 38531 195.83.182.72 1755 0.0.0.0 TCP
  2/3 2/1
  202.3.225.5 1527 195.83.182.72 1755 195.83.182.72 TCP
  2/7 2/3
  CSS11503_CORE1#
  TCP 192.168.4.19:1491 195.83.182.72:554 TIME_WAIT
  TCP 192.168.4.19:1492 195.83.182.72:554 TIME_WAIT
  TCP 192.168.4.19:1493 195.83.182.72:1755 TIME_WAIT
  TCP 192.168.4.19:1502 195.83.182.72:554 TIME_WAIT
  TCP 192.168.4.19:1503 195.83.182.72:554 TIME_WAIT
  TCP 192.168.4.19:1504 195.83.182.72:1755 TIME_WAIT
  TCP 192.168.4.19:1525 195.83.182.72:554 TIME_WAIT
  TCP 192.168.4.19:1526 195.83.182.72:554 TIME_WAIT
  TCP 192.168.4.19:1527 195.83.182.72:1755 TIME_WAIT
  Many Thanks for your input.
  Pierre Viennet.

• Load balancing 2 DNS server

  how to configure the CSS to load balance 2 DNS server ?

  first configure the services like this :
  service dns1
  ip address x.x.x.x
  active
  service dns2
  ip address x.x.x.x
  active
  Then configure the content rule
  owner mycompany
  content dns
  vip address x.x.x.x
  add service dns1
  add service dns2
  active
  Then we need to setup something for the dns answer
  group dns
  vip address x.x.x.x !!!!! same as for the content rule
  add service dns1
  add service dns2
  portmap disable
  The portmap disable requires software 5.03(33) or above.
  The command is also in 5.01
  http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_release_note09186a00800ba0c6.html

• One-Armed Load Balancing

  Can CSS 11000 load balance multiple server farms, using different load balancing algorithms on the same ip subnet and having multiple VIPs in the one-armed configuration.
  I know this is not an ideal configuration but have to do it for a relocation project.
  Thank yoi

  yes you can.
  No need for a trunk.
  But you have to keep in mind that the CSS must see both sides of a connection.
  So, obviously the traffic from the client will hit the CSS vip, but for the server response, you have to make sure it goes back to the CSS.
  This can be done with source nating or policy routing.
  Gilles.