CSS 11501 http load balancing
Hi,
I have configured load balancing of the HTTP traffic to 2 servers. The servers have the IP addresses 10.10.50.100 and 10.10.50.101 respectively, and the VIP is 10.10.46.10.
I am not able to access HTTP through the VIP. Can someone help with this?
Am I required to do NATing? Below is the connectivity:
User -->SW->ASA->CSS->SW->server1 & server2
I am not able to access the server through the VIP.
Please help
Thanks
Ravi
Ravi
What is the default gateway defined on Servers?
Is it CSS circuit IP or the ASA?
How is the CSS connected? Are there different VLANs connected to the servers and the ASA? Or is the CSS connected to the switch in one-arm mode?
You need to make sure that the return traffic from Servers should pass through the CSS.
Syed
Similar Messages
-
Cisco CSS 11503 Arrowpoint/Load Balance question
I am troubleshooting an issue with my 11503. I am running version 07.40.0.04. I have it configured as follows:
content upcadtoa-rule
add service cadtoa-wls1-e0
add service cadtoa-wls1-e1
add service cadtoa-wls2-e0
add service cadtoa-wls2-e1
add service cadtoa-wls3-e0
add service cadtoa-wls3-e1
add service cadtoa-wls4-e0
add service cadtoa-wls4-e1
add service cadtoa-wls5-e0
add service cadtoa-wls5-e1
add service cadtoa-wls6-e0
add service cadtoa-wls6-e1
arrowpoint-cookie expiration 00:00:15:00
protocol tcp
port 8001
advanced-balance arrowpoint-cookie
redundant-index 2
vip address 172.30.194.195 range 2
arrowpoint-cookie name TOA
active
However, the load-balancing across the servers does not seem to be doing much balancing. One of those servers is getting hit with 5 times as much traffic as another and another server is lucky to get a connection at all. With the cookie expiration set, one would think that this would all balance out over time.
I just came across this information from Cisco and I am wondering if it is relevant:
If you configure a balance or advanced-balance method on a content rule that requires the TCP protocol for Layer 5 (L5) spoofing, you should configure a default URL string, such as url "/*". The addition of the URL string forces the content rule to become an L5 rule and ensures L5 load balancing or stickiness. If you do not configure a default URL string, unexpected results can occur.
In the following configuration example, if you configure a Layer 3 (L3) content rule with an L5 balance method, the CSS performs L5 load balancing, but will reject UDP packets.
content testing
vip address 192.168.128.131
add service s1
balance url
active
The balance url method is an L5 load-balancing method in which the CSS must spoof the connection and examine the HTTP GET content request to perform load balancing. The CSS rejects the UDP packet sent to this rule because a UDP connection cannot be L5. Though the CSS allows this rule configuration, its expected behavior would be more clear if you promote the rule to L5 by configuring the url "/*" command.
In the next example, if you configure an L3 content rule with an L5 advanced-balance method, L5 stickiness will not work as expected.
content testing
vip address 192.168.128.131
add service s1
advanced-balance arrowpoint-cookie
active
The advanced-balance arrowpoint-cookie method causes the CSS to spoof the connection, however, the CSS still marks it as an L3 rule. Thus, the CSS does not insert the generated cookie and the rule defaults to L3 stickiness (sticky-srcip). You must configure a URL like url "/*" to promote this rule to L5, ensuring that L5 stickiness works as expected.
Thanks in advance for any help you can give. The thing is not down, it is just balancing strangely causing application performance issues.
James
Hey James,
You will need to suspend the content rule in order to add the url statement. This will cause a quick downtime until the content rule is activated again. I have shown below the commands to add the statement. Perhaps you can create your commands in a Notepad file, then paste them all in so they execute quickly to minimize your downtime:
content MY-SITE
vip address 10.201.130.140
port 80
protocol tcp
add service MY-SERVER
active
CSS11503# config t
CSS11503(config)# owner TEST
CSS11503(config-owner[TEST])# content MY-SITE
CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
%% Attribute may not be modified on active rule
CSS11503(config-owner-content[TEST-MY-SITE])# suspend
CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
CSS11503(config-owner-content[TEST-MY-SITE])# active
CSS11503(config-owner-content[TEST-MY-SITE])# exit
CSS11503(config-owner[TEST])# exit
CSS11503(config)# exit
CSS11503# show run
content MY-SITE
vip address 10.201.130.140
add service MY-SERVER
port 80
protocol tcp
url "/*" <--------
active
Hope this helps,
Sean -
OAM 11gR2 Throwing SSL Warning after configured to use HTTPS Load Balancer
I have configured OAM 11gR2 to use an HTTPS load balancer on 14100 and have set my managed servers' SSL listen port to 14100 (could not use 14101 because the HTTPS VIP created was listening on 14100). Everything works fine with this configuration, but my logs are filling up with the following warning.
<Oct 3, 2012 1:41:54 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.1 - 10.228.0.1 instead of an SSL handshake.>
I know that 10.228.0.1 is the DNS server, but I'm not sure why this is happening. Any ideas?
What WLS and OHS versions are you using in this environment?
If they are older versions than these, please upgrade WLS to 10.3.3 and OHS to 11.1.1.3. This is a known bug on the WLS side, not in OAM.
I hope this helps,
Thiago Leoncio. -
Best HTTP load balancing method
This is probably basic, but how satisfactory is this http load balancing method:
service http-1
ip address 192.168.1.10
protocol tcp
port 80
keepalive type tcp
active
service http-2
ip address 192.168.1.9
protocol tcp
port 80
keepalive type tcp
active
owner http
content web-domains
vip address 10.0.0.1
add service http-1
add service http-2
protocol tcp
port 80
balance leastconn
active
Should I rather use sticky-mask 255.255.255.255 or advanced-balance sticky-srcip?
It really depends what you are doing.
Some people will find this acceptable and for others it will just not work.
Do you need persistency?
To answer this question, check with your webserver admin.
Does this website have a shopping basket?
Finally, changing the sticky-mask is useless if you do not have sticky-srcip. So your question should be ..or .. but .. and ..
Anyway, it all depends what is required for your website to work.
You can try this config and if you run into a problem, capture a sniffer trace and identify the problem to see if a configuration change is needed.
Regards,
Gilles. -
Hi,
I have CSS in single arm deployment model. I have multiple servers load balancing on this CSS on port 80 etc. Today I am trying to load balance one Oracle server but I am facing problem with it.
Real servers are accessible on port 80 without any problem but when we are trying to access the same servers on VIP we are not able to see the web page.
real server http://192.168.17.12/irs.htm
real server http://192.168.17.14/irs.htm
real server http://192.168.10.37/irs.htm
VIP
http://192.168.200.58/irs.htm
Below is the configuration. I can do the telnet on port 80 and I can ping the VIP IP address.
If I only put 192.168.200.58 in the browser I can see the Oracle page, but with the full URL I am not able to see it.
Though I have other oracle servers which I have load balance with the same configuration and I can access the web page.
==========================================================================================
http://tptest.enoc.com/forms/frmservlet?config=tp (This is working fine).
========================================================================
http://irs.enoc.com/irs.htm (This is not working).
By name and by IP address both are not working.
http://192.168.200.58/irs.htm (This is not working).
=============================================================================
service IRC_1
ip address 192.168.17.12
keepalive type tcp
keepalive port 80
active
service IRC_2
ip address 192.168.17.14
keepalive type tcp
keepalive port 80
service IRC_DR
ip address 192.168.10.37
keepalive type tcp
keepalive port 80
content ENOC_IRC
add service IRC_1
add service IRC_2
add service IRC_DR
vip address 192.168.200.58
protocol tcp
port 80
advanced-balance sticky-srcip
active
owner ENOC_GIT
content ENOC_IRC
add service IRC_1
add service IRC_2
add service IRC_DR
vip address 192.168.200.58
protocol tcp
port 80
advanced-balance sticky-srcip
active
group ENOC_IRC
add destination service IRC_1
add destination service IRC_2
add destination service IRC_DR
vip address 192.168.200.58
active
===================================================================================================
ENOCDC-CSS01(config)# show service summary
Service Name   State      Conn  Weight  Avg   State
                                        Load  Transitions
IRC_1          Alive      0     1       2     0
IRC_2          Suspended  0     1       255   1
IRC_DR         Suspended  0     1       255   1
ENOCDC-CSS01(config)# show summary
Global Bypass Counters:
No Rule Bypass Count: 0
Acl Bypass Count: 0
Owner      Content Rules  State   Services  Service Hits
ENOC_GIT
           ENOC_IRC       Active  IRC_1     103
                                  IRC_2     10
                                  IRC_DR    7
=======================================================================================================
I am doing the same setting for other servers and it is working fine; only for these servers am I facing a problem. Currently only one server is active in the configuration.
Kindly let me know what I am missing and how to fix the problem.
I have also attached the full configuration of CSS.
Hi,
My point of concern is that I did the same for Oracle server and this is working fine
http://192.168.200.95/forms/frmservlet?config=tp
only when I am doing the load balancing for
http://irs.enoc.com/irs.htm (This is not working).
By name and by IP address both are not working.
http://192.168.200.58/irs.htm (This is not working).
I don't have an option for a TAC case. Is there a way to fix the problem by applying another load balancing method? Is there something to do with the circuit VLAN? I didn't create the circuit VLAN 17 where this server is located.
I am doing load balancing for almost 8 different servers in this CSS.
Your expert opinion will definitely help me. -
11i load balancing web nodes without use of Hardware http load balancer
I am looking at note 217368.1 (Advanced Configurations and Topologies for Enterprise Deployments of E-Business Suite 11i) and some other notes on load balancing but some aspects are not clear.
Aim is to implement load balancing traffic to web nodes without using Hardware ( BigIP, cisco etc) for HTTP layer load balancing.
Which is more preferable between dns or Apache Jserv load balancer ?
Need details like failover capabilities, death detection of node, functionality testing and ways to monitor Apache Jserv load balancer.
Any help in this regard is welcome .
thx
arun
Oracle recommends using loadbalancing hardware rather than using DNS. If you want the features you mention above, you will need a hardware loadbalancer.
http://blogs.oracle.com/stevenChan/2006/06/indepth_loadbalancing_ebusines.html
http://blogs.oracle.com/stevenChan/2009/01/using_cisco_ace_series_hardware_load-balancers_ebs12.html
HTH
Srini -
Best way for HTTP load balancing in OSB
Hi everybody,
We have setup an OSB cluster and we need to load balance HTTP requests across managed servers. Looking for info about load balancing in OSB I found that there are mainly two options: using a hardware load balancer or a software solution like Weblogic HttpClusterServlet. At the moment we have no hardware balancer available so we will have to take the software option. I found some articles about configuring HttpClusterServlet like http://redstack.wordpress.com/2010/12/20/using-weblogic-as-a-load-balancer.
But I have a question about this configuration. If we use a managed server as an HTTP proxy that balances requests between OSB managed servers, what would happen if this server goes down? I think one of the main goals of a clustered deployment is avoiding a single point of failure but with that setup all requests would depend on the availability of the proxy managed server.
Could you recommend us a setup for implementing load balancing in OSB?
Thank you in advance,
Daniel.
Load balancing in a cluster for HTTP requests can be achieved in at least 4 different ways:
(1)- use a hardware load balancer like F5 BigIP LTM
(2)- use a web server with weblogic plugin to frontend the cluster
(3)- use weblogic with HTTPClusterServlet
(4)- use DNS round robin - this works if you have managed servers running on 2 machines (say mach1, mach2) but on the same port. HTTP clients use hostname 'mach' to access the URL's and the dns does a round robin name resolution of mach to mach 1 and mach2 IP addresses..
All the options except (1) achieve only load balancing and not auto failover on all instances. Hardware load balancers have the extra feature of probing [sending periodic pings to the targets], by which they can detect whether the target resource is alive and, if not, send the traffic to other nodes which are alive. This is why hardware load balancers are worth their investment.
other options may work if client is coded to do retrying on failure.. so on 2nd or subsequent attempt, the routing is done to the machine which is alive..
For options (1),(2) and (3), you also need some redundancy of load balancing device ( web server, weblogic or hardware load balancer) to prevent single point of failure.. Hardware load balancers are usually deployed in redundant pairs to achieve this..
Edited by: atheek1 on 22/11/2011 15:31 -
CSS arrowpoint cookie load balancing issue
Hi guys,
I need some advice on a load balancing issue.
We have connections hitting the CSS via a proxy environment. As a result I see only one source IP address. I want to use arrowpoint cookies for session stickiness. However, when I enable the rule the TCP session negotiation fails. The CSS sends a TCP/RST which terminates the session.
Here's the rule config:
content HTTP_rule
add service ZSTS299102
add service ZSTS281101
vip address <filtered>
add service LONS299102
add service LONS281101
balance weightedrr
change service ZSTS299102 weight 5
change service ZSTS281101 weight 5
advanced-balance arrowpoint-cookie
protocol tcp
port 80
url "/*"
active
Any help would be much appreciated.
Remko,
in L3/L4 the CSS sends the SYN directly to the server.
So when the FIN comes in, we simply pass it to the server.
With L5 the CSS spoofs the connection and we select the server only after receiving the GET.
If there was some delay between the GET and the FIN, the CSS would have time to establish a connection with the server and the FIN could be simply forwarded.
Unfortunately, in this case the FIN is right after the GET with no delay.
Gilles. -
Hi,
I'm looking to get an opinion as to whether we should see even load balancing over two services. The content rule is configured as follows :-
content secure_cag
add service citrix_cag_1
port 443
protocol tcp
vip address 10.80.2.150
balance srcip
add service citrix_cag_2
sticky-inact-timeout 240
flow-timeout-multiplier 1800
active
Services :-
service citrix_cag_x
keepalive type tcp
keepalive port 443
ip address 10.200.16.18
active
At present we only have around 40 users using it but at times we are seeing a very uneven distribution of sessions, as much as 80% on one server. Do we have too few users to see effective load balancing? Maybe our long timeout settings are breaking load balancing?
Thanks for any insight anyone can share.
Hi Chris,
You might want to try balance leastconn for your balancing method. Also, note that you are not currently configured for sticky, so the sticky timeout you have configured isn't doing anything. Do you require sticky? If you do not require sticky, then leastconn should give you the best distribution across services at any given point in time. Adding sticky, such as with advanced-balance sticky-srcip, will skew load balancing as clients become stuck to one service.
Hope this helps,
Sean -
ACE 4710 HTTPS load balance configuration
Have two ACE 4710 in HA setup. We would like to setup HTTPS loadbalance(actually just a primary and standby configuration in the serverfarm). Initially this would be for Exchange OWA connections but may expand to more HTTPS connections later.
I know there are several ways to do SSL with the ACE( client, server, end-to-end). I am just wanting to know the easiest way to deploy this? Is a certificate always needed on the ACE for each connection? In HA mode would a certificate be needed for both or does it replicate in some way to the other ACE?
Any configuration examples would be helpful.
Thanks.
If you terminate SSL on the ACE you need certificates and key on the ACE in the context in which you are doing the termination. The certs and keys need to be installed on the active and standby (manually, unless using ANM to manage).
When speaking of SSL:
SSL termination refers to the ACE terminating SSL and sending to the server as clear text.
End to end: the ACE terminates SSL (to look into the payload to make a load-balance decision or sticky decision) and then re-encrypts to the server, so to the client the ACE is an SSL server and to the server the ACE is an SSL client.
You can find some config examples at
http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples -
Problem with HTTP load balancing
Hello Experts
I have a problem when I do load balancing for links like http://1.1.1.1/site/home where 1.1.1.1 is the VIP address (I got HTTP not found), while it works fine when the link is http://1.1.1.1.
The link works fine on the real servers; for example, when I try http://2.2.2.2/site/home it works.
By the way, I'm not doing URL load balancing.
Any ideas?
Thank you in advance
It is generally a good idea in this type of case to get a sniffer trace (on the ACE module, span the 10G backplane interface from the supervisor; on an ACE appliance, take a parallel span session of the client and server VLANs).
This case was investigated in TAC SR and this is a small summary of the traces that may help other users hitting this issue (usually it is good idea to filter by http and client IP) :
This is what we have seen for the non-working scenario.
Packet 1: Client sends HTTP GET to ACE VIP
Packet 2: ACE forwards HTTP GET to RSERVER
Packet 3: RSERVER answers ACE with HTTP 404
Packet 4: ACE forwards the real server response (HTTP 404) to the client
ACE was not changing anything in the packets that were being load balanced. The HTTP 404 error sent from the server that ACE was forwarding indicates that the web server thinks the HTTP data stream sent by the client was correct, but simply cannot provide access to the resource specified by the URL.
Bottom line it was found that in this case the server behaves in a different way based on the hostname used to connect to the application, and this should be addressed on the application/server side. An easy way to check this is by using the server name pointing to the vip in local client hostfile. -
Cookie for HTTP Load Balancing
I'm getting a lot of bots hitting my site.
Log entries are very similar (except for the source IP):
1.247.32.58 - - [11/Dec/2012:22:57:03 -0800] "POST /?ptrxcz_Ah5qDayLi6TrEbzVtPwSqMtGmJgDa7 HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Can someone give me an example of how I can filter these out based on the "/?ptrxcz..." part? Most of these requests have this string in them.
100 match http cookie testcookie1 cookie-value ptrxcz?
Do I need a secondary name? I don't quite understand the syntax.
Thanks!
Here you go:
policy-map type loadbalance first-match abc.ca.prod.http-l7slb
class abc.ca.http-l7class
drop
class class-default
serverfarm SF_nocms.prod
policy-map multi-match int194-webhosting
class abc.ca.prod.http
loadbalance vip inservice
loadbalance policy abc.ca.prod.http-l7slb
class-map match-all abc.ca.prod.http
2 match virtual-address 111.111.111.167 tcp eq www
class-map type http loadbalance match-all abc.ca.http-l7class
10 match http cookie secondary ptrxcz.* cookie-value ".*"
Here's a bigger snippet of what I see in the logs:
187.244.110.209 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_uCVmQegPo4Y4Y3YYoCqB0mj5Ptk8ev HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
87.69.255.148 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_MMMMMMMMMMMMMNNNNNNNNNNNNNNNNN HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
180.246.22.189 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_555555566666666666667777777777 HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.137.39.236 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_pppqqqqqqqrrrrrrrssssssstttttu HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.127.8.98 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_WXXXXXXXYYYYYYYYYYYZZZZZZZZZZZ HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Thanks again. -
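Added example, not part of the original thread: a small Python check that looks for the same `ptrxcz_` query-string marker in the web server's own access log and summarises which sources send it. The bot lines in `SAMPLE_LOG` are the ones quoted in the thread; the last two lines (a normal request and a truncated entry) are constructed here, and the function names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

MARKER = "ptrxcz_"  # query-parameter prefix seen in the bot requests above

# Apache combined log format. Referer and user agent are optional so that
# entries cut off after the size field still parse.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*))?'
)

SAMPLE_LOG = "\n".join([
    # Lines quoted in the thread:
    '187.244.110.209 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_uCVmQegPo4Y4Y3YYoCqB0mj5Ptk8ev HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '87.69.255.148 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_MMMMMMMMMMMMMNNNNNNNNNNNNNNNNN HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '180.246.22.189 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_555555566666666666667777777777 HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '201.137.39.236 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_pppqqqqqqqrrrrrrrssssssstttttu HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '203.127.8.98 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_WXXXXXXXYYYYYYYYYYYZZZZZZZZZZZ HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    # Constructed for contrast: an ordinary request and a truncated entry.
    '192.0.2.10 - - [12/Dec/2012:15:31:37 -0800] "GET /index.html?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed sample)"',
    '-- truncated entry --',
])


def has_marker(target):
    """True if any query parameter *name* in the request target starts with MARKER."""
    try:
        query = urlsplit(target).query
    except ValueError:  # malformed target, e.g. a broken bracketed host
        return False
    return any(part.split("=", 1)[0].startswith(MARKER) for part in query.split("&"))


def summarize(log_text):
    """Count marker requests per source IP, their status codes and user agents."""
    report = {"flagged": Counter(), "statuses": Counter(), "agents": set(),
              "clean": 0, "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            report["unparsed"] += 1      # keep a count instead of silently dropping
        elif has_marker(m["target"]):
            report["flagged"][m["ip"]] += 1
            report["statuses"][m["status"]] += 1
            report["agents"].add(m["ua"])
        else:
            report["clean"] += 1
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    print("marker requests:", sum(r["flagged"].values()), "from", len(r["flagged"]), "IPs")
    print("status codes:", dict(r["statuses"]))
    print("distinct user agents:", len(r["agents"]))
    print("clean:", r["clean"], "unparsed:", r["unparsed"])
```

On the lines from the thread, every marker request comes from a different source address but carries the same user agent, which is why matching on the request content rather than the source IP is the workable filter here.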
Load Balancing simple question
Hi,
i'm using CSS 11501 to load balance some web servers using src IP.
if one src IP is directed to certain web server,
How much time has to pass for this same src IP to be directed to other web server?
Thank you in advance!
By default, entries in the sticky table do not time out. The table works on a first-in, first-out basis. The size of the table depends on the amount of memory in the CSS (SCM 144 MB --> 32k, SCM 288 MB --> 128k).
You can change the default timeout value using the 'sticky-inact-timeout' command.
~Zach -
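Added example, not part of the original thread and not Cisco's implementation: a simplified Python model of the default behaviour described in the answer above (no timeout, first-in first-out), showing that a source IP is only sent to a different server once its entry has been pushed out of a full table. The class name, the tiny capacity of 4 and the round-robin choice for new clients are assumptions made for the illustration.

```python
from collections import OrderedDict
from itertools import cycle


class StickyTable:
    """Simplified source-IP sticky table: entries never time out and the
    oldest entry is dropped first when the table is full (FIFO)."""

    def __init__(self, servers, capacity):
        self._pick = cycle(servers)      # stand-in balance method for new clients
        self._entries = OrderedDict()    # src_ip -> server, oldest entry first
        self.capacity = capacity
        self.evicted = []                # source IPs that lost their entry, in order

    def route(self, src_ip):
        server = self._entries.get(src_ip)
        if server is not None:
            # Hit: same server as before. The entry keeps its place in the
            # queue, so recent activity does not protect it (FIFO, not LRU).
            return server
        if len(self._entries) >= self.capacity:
            old_ip, _ = self._entries.popitem(last=False)
            self.evicted.append(old_ip)
        server = next(self._pick)
        self._entries[src_ip] = server
        return server


def replay(requests, servers, capacity):
    """Route a sequence of source IPs and return (src_ip, server) pairs."""
    table = StickyTable(servers, capacity)
    return [(ip, table.route(ip)) for ip in requests], table.evicted


if __name__ == "__main__":
    # Constructed request sequence: 10.0.0.1 returns twice.
    seq = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4",
           "10.0.0.1",    # table not yet overflowed: still web1
           "10.0.0.5",    # table full: oldest entry (10.0.0.1) is dropped
           "10.0.0.1"]    # treated as a new client and balanced again
    routed, evicted = replay(seq, ["web1", "web2"], capacity=4)
    for ip, server in routed:
        print(ip, "->", server)
    print("evicted:", evicted)
```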
CSS: BoxToBox and Global Server Load Balancing
Hi,
I'm going to setup a CSS based Global Load Balancing architecture in two different sites with 2xCSS11503 in each site.
I need DNS Sticky but I'm not going to configure a Global Sticky Database since I would like to configure the two CSS in each site in Box To Box redundancy.
Is it possible to configure on a CSS two app session, one for the Zone-based DNS with remote site and the other one for local Box-to-Box redund?
Thank you
Kind Regards
Fulvio
Hi Fulvio,
Take a look at the NOTE on the below link
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/gslb/guide/DNS.html#wp1170057
Box to box should be at part of the caveat
Thanks
Venky -
HTTP type connectivity between XI and R3 - load balancing options ?
Hi
We have a http type connectivity setup between XI and R3 in order enable XI to communicate with R3 using ABAP proxies. We did this by creating a RFC destination on the ABAP stack of XI of type 'H' ( http connection between R3 systems ). Now, while setting up this rfc destination, there is no option to specify a message server on R3 - we just see a target server field that can be filled in.
In an rfc destination of type 3 - on the XI box ( which is used for a XI --> R3 idoc adapter ) , I can see an option for specifying message server.
Does this mean that using type 'H' connectivity between XI and R3 does not give us the option of hitting the load-balancing message server on R3, and thus we cannot use the load balancing setup on R3? Is this a limitation of type 'H' connectivity between XI and R3?
For HTTP load balancing the options seem to be somewhat different. Check if these threads provide you any help:
http://help.sap.com/saphelp_nw04s/helpdata/en/ae/9bfc3f9ec4e669e10000000a155106/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/79/a1ce9569444647956b0ec1cf443c4d/content.htm
http://help.sap.com/saphelp_nw70/helpdata/en/43/39c7b227b91bcbe10000000a1553f7/content.htm
Regards,
Abhishek.