CSS 11503 load-balancing with MS Print Servers
We are trying to load-balance print server connections between 2 MS print servers. When we try to connect to the print server's name (\\PS01) or even the VIP address, we get a "Path not found" error. However, if we direct the path to the actual name or IP address of the print servers (not the VIP), we can view all the queues and connect/print to them. Is this possible to do on the CSS 11503? Thanks.
Pete- Here is our config. See any problems?
configure
!*************************** GLOBAL ***************************
  ip route 0.0.0.0 0.0.0.0 1.100.100.100 1
!************************* INTERFACE *************************
interface 1/2
  bridge vlan 2
!************************** CIRCUIT **************************
circuit VLAN1
  ip address 1.100.101.110 255.0.0.0
circuit VLAN2
  ip address 10.100.249.1 255.255.255.0
!************************** SERVICE **************************
service ps01
  ip address 10.100.249.5
  active
service ps02
  ip address 10.100.249.6
  active
!*************************** OWNER ***************************
owner printserver
  content L3_Basic
    add service ps01
    add service ps02
    vip address 1.100.100.35
Similar Messages
-
CSS 11503 Load Balancing Verification
Alright, so I have toiled long and hard to get this right. I think I have the config down but I am unsure on how to verify how this load balancing is working.
Here is the Content Config that I am speaking of:
content cad-rule
  add service wls1-e0
  add service wls1-e1
  add service wls2-e0
  add service wls2-e1
  add service wls3-e0
  add service wls3-e1
  add service wls4-e0
  add service wls4-e1
  add service wls5-e0
  add service wls5-e1
  add service wls6-e0
  add service wls6-e1
  arrowpoint-cookie expiration 00:00:15:00
  advanced-balance arrowpoint-cookie
  redundant-index 2
  vip address 172.30.194.195 range 2
  arrowpoint-cookie name TOQ
  protocol tcp
  port 8001
  url "/*"
  active
Each service in the rule above is configured as follows:
service wls1-e1
  port 8001
  protocol tcp
  string ags001-e1
  ip address 172.30.193.81
  keepalive type http
  keepalive uri "/cad/index.html"
  redundant-index 12
  keepalive frequency 20
  keepalive maxfailure 10
  keepalive retryperiod 2
  active
I am using the advanced arrowpoint cookies because I need some stickiness here. Straight round-robin would not have done what I needed it to do.
Now, when I go to my show summary, this is what I see for this rule:
cad-rule   Master   wls1-e0    84274
                    wls1-e1    13144
                    wls2-e0    96884
                    wls2-e1    26374
                    wls3-e0    71145
                    wls3-e1    16592
                    wls4-e0    76403
                    wls4-e1     8657
                    wls5-e0   118623
                    wls5-e1    22760
                    wls6-e0    30836
                    wls6-e1    20464
The far right column indicates the service hits. I originally had the E1's suspended and activated them later on. So if this was true round robin, all the E0's should have the same number of service hits and all the E1's should have the same number of service hits. But as you can see, the wls5 server is getting hit the most while the wls6 server is sitting there twiddling its thumbs.
Now, understanding how the arrowpoint cookies do their load balancing (inserting a cookie into the flow and then timing out after 15 mins as configured above), I would not expect a 1:1 ratio of load balancing between servers. But the distribution above seems rather extreme.
Does anyone have any suggestions on how to both A) verify that this is the right config and B) suggest to my boss that this is working the way it should be working?
Thanks!
James
Hi James,
There are several reasons for the uneven load balancing that you are seeing (based on the show summary). First of all, the CSS is configured to do stickiness (advanced-balance).
With the arrowpoint-cookie method of stickiness (HTTP only), only the requests coming with the same cookie are going to get stuck to the same server. Since the cookie is lost when the browser is closed (or based on the expiration), the stickiness is going to be session based, and if the same client opens a new session it is going to be load balanced.
It is important to understand that when using stickiness, no real even load balancing is going to happen, since we are sticking new flows to the same server, even though layer 5 stickiness would permit more even balancing than layer 3 stickiness (source IP based).
Also consider that "show summary" is a command to see the hits (requests) being balanced to a specific server. This is a good command to see the load balancing; however, since the CSS balances connections (flows), a persistent connection could have a lot of requests, so all those requests always go to the same server (incrementing the number of hits in the counter), while a non-persistent connection would be just one request (refer to HTTP persistence).
Also keep in mind that if a service is taken out for maintenance, or is added to the load balancing later than another, or if it goes down for a period of time, then the CSS will be balancing among the remaining alive servers. When you add the server again, the other servers are going to have connections already established, so since the CSS is doing round robin, the server added last will never have the same number of connections (nor hits) as the other ones, because while one could have 55, for example, the new one will have its first connection, and when the first one gets its 56th, the other will get its second, and so on.
Please let me know if this makes any sense.
Diego M -
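An added illustration (not part of the thread, and not Cisco code) of the effect described in the reply above: a simplified model in which new sessions are assigned round-robin, every request of a session sticks to the same service, and the e1 services are activated later. The session counts and the 70/30 split between single-request and persistent sessions are constructed assumptions; the service names are the ones from the post.

```python
import random

E0 = [f"wls{i}-e0" for i in range(1, 7)]   # active from the start
E1 = [f"wls{i}-e1" for i in range(1, 7)]   # suspended first, activated later


def simulate(initial, late, sessions_before, sessions_after, seed=1):
    """Return (sessions, hits) per service for a sticky round-robin rule.

    sessions: new browser sessions assigned to the service (what round-robin
              actually balances).
    hits:     requests served (what a per-service hit counter shows).
    """
    rng = random.Random(seed)              # seeded so the run is repeatable
    active = list(initial)
    sessions = {name: 0 for name in initial + late}
    hits = {name: 0 for name in initial + late}
    rr = 0                                 # round-robin position

    for n in range(sessions_before + sessions_after):
        if n == sessions_before:
            active.extend(late)            # late services join the rotation

        # A client without a cookie is balanced round-robin ...
        service = active[rr % len(active)]
        rr += 1
        sessions[service] += 1

        # ... and every later request in that session carries the cookie and
        # sticks to the same service. Assumed mix: 70% of sessions send one
        # request, 30% are persistent and send 2 to 40 requests.
        if rng.random() < 0.7:
            requests = 1
        else:
            requests = rng.randint(2, 40)
        hits[service] += requests

    return sessions, hits


def spread(counter, names):
    """Ratio between the busiest and the quietest service in names."""
    values = [counter[name] for name in names]
    return max(values) / min(values)


if __name__ == "__main__":
    sessions, hits = simulate(E0, E1, sessions_before=6000, sessions_after=12000)
    print(f"{'service':<10}{'sessions':>10}{'hits':>10}")
    for name in sorted(hits):
        print(f"{name:<10}{sessions[name]:>10}{hits[name]:>10}")
    print("hit spread across e0 services:", round(spread(hits, E0), 2))
    print("hit spread across all services:", round(spread(hits, E0 + E1), 2))
```

Session counts come out perfectly even within each group, while the hit counters differ between services and the late-activated group never catches up.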
CSS 11501 Load Balancing with X-forwarded-for
Hi,
We have a pair of CSS 11501,
Currently it is using source IP for load balancing with 5 servers as backend. However, we have users logging in using HTTP, and based on the source IP (ISP PROXY), the user is forwarded to SERVER A.
However, we have a SSL page and when the client switches over to SSL , it is forwarded to SERVER B/C/D/E based on its source IP ( REAL CLIENT IP) .
This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
Is there any way that we can use the X-Forwarded-For address to load balance so that when users log in, they are sent to SERVER A (based on the X-Forwarded-For header IP, which translates to the REAL CLIENT IP)?
This way we are able to also send it back to the same server when it uses SSL.
I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP
Regards
Hi,
Unfortunately the CSS does not support X-Forwarded-For, and even if the CSS supported that, this won't work if you are not using SSL termination.
One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
In summary, you will have an SSL content rule that will decrypt the traffic, and this one will use the same content rule that already exist for HTTP, in case that the server is the one doing the redirect to SSL, but this is something that requires testing since depending on the redirect behavior we might have a redirect loop, but without details it is kind of hard to confirm that you will face this with this option.
Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
content HTTP-HTTPS
  vip address 10.198.44.70
  advanced-balance sticky-srcip
  add service server1
  add service server2
  add service server3
  add service server4
  add service server5
  protocol tcp
  active
Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
Thanks,
Rodrigo -
CSS 11050 Load Balancing with Single VLAN (no NAT)
We have several CSS 11050's in use on our network, chiefly for load-balancing web servers. In a test network I've set up, I've configured our test servers' IP addresses and our load-balanced IP address to be on the same subnet. This way our developers can easily check both single servers as well as the LB configuration. This got me thinking...
All the config documentation I've seen on the CSS seems to assume that you are putting the VIP for the content rule on a different VLAN than the IPs for the services. Is there any particular need for this? I'm in the process of setting up another network that will have its services NATed behind a PIX. There are some services (WWW) that I want load balanced and some services (passive FTP with one server) where there's really no need. Would I do any harm by putting the content rules' VIPs on the same subnet as the servers themselves? I can still plug the servers into the other ports on the CSS so that I'm not really doing a "one-arm" configuration.
-Mark Romer
You shouldn't have any problem doing this. In addition to load balancing web servers we've also balanced terminal servers that are configured to be accessed by remote users through VPN connections. Because we have over 90 remote locations, I didn't want the services and the VIP addresses to be on different VLANs because I'd have to reconfigure the routers in all the remote locations. I was in the same position you're in: all the documentation indicated different VLANs, but I thought it would be worth a try. Everything works perfectly...
Cody Rowland -
CSS Load Balancing with Cookies
We are trying to load balance 2 backend servers hosted on Websphere with advance balance cookies method.
Restrictions
ServerA is unable to accept cookies generated from ServerB.
ServerA and ServerB are generating random cookies
Unable to modify cookie string with a constant.
How can we load balance based on cookies considering the above restrictions?
We have attempted to do hash based load balancing with cookies but the problem we run into is the servers do not accept cookies generated from another server.
The configuration we tried is written below:
service ServerA
  ip address 192.168.10.2
  keepalive type tcp
  keepalive port 80
  active
service ServerB
  ip address 192.168.20.2
  keepalive type tcp
  keepalive port 80
  active
content ABC
  url "/*"
  add service ServerA
  string prefix "JSESSIONID="
  advanced-balance cookies
  port 80
  add service ServerB
  string skip-length 5
  string process-length 16
  string operation hash-xor
  protocol tcp
  vip address 172.16.32.1
  active
Can we change the string prefix to JSESSION instead of JSESSIONID= ?
The only place the app guys can add a constant string to match on is before the = sign.
Is it possible for CSS to match on a constant string before = sign e.g below:
service ServerA
  ip address 192.168.10.2
  keepalive type tcp
  keepalive port 80
  string id567=
  active
service ServerB
  ip address 192.168.20.2
  keepalive type tcp
  keepalive port 80
  string id123=
  active
content ABC
  url "/*"
  add service ServerA
  string prefix "JSESSION"
  advanced-balance cookies
  port 80
  add service ServerB
  string skip-length 0
  string process-length 6
  protocol tcp
  vip address 172.16.32.1
  active
It should work.
There is no reason for it not to work...
This is the best method you can have on the CSS for stickiness.
Get a sniffer trace on the client and server with arrowpoint cookie configured on the CSS and capture a failure so we can see what is going on.
Also send me the config so I can verify everything is OK.
If you have a service request open with the TAC, you can also give the SR # so I can review what has been done.
Gilles. -
CSS ACTIVE/ACTIVE SCENARIO WITH JUST TWO SERVERS ??? POSSIBLE??
Hi
I'm gonna have a setup of TWO CSS11503 Content Switches with standard WEBNS feature set
in an ACTIVE / ACTIVE VIP and Virtual interface redundancy scenario for load-balancing just
two web servers initially.
Can I hv this setup up & running if I configure the two servers with different default
gateway addresses on the private side and two static routes in the private side Layer3
for two different VIP addresses in the public side ??
Any better suggestions for this scenario.
Thanx
Firstly - what Gilles said.
Having said that, I'm using some content switches in active/active modes in a couple of places in a geographically distributed gateway. Active/Active lets us improve our redundancy characteristics and allow for device failures as well as link failures between the gateways.
There are lots of complexities that arise if you take this path - you will need to do a lot of logical math and testing about traffic symmetry under all of the different failure conditions, because you introduce the possibility that response traffic could come back at L2/L3 through a different CSS than the request traffic. -
CF 10 Load-Balancing with Remote Instances
I was reading an article on Clustering/LB/HA using CF8, but have not found any updates for CF10.
Using VM VirtualBox to setup a few virtual servers, I am looking to setup a load balancing of ColdFusion 10 on 2 remote instances. The goal would be have ColdFusion Cluster Manager be able to point http request to one of the two servers based on load/availability. Not really having a hardware cluster/failover setup, just managing resources on two CF instances instead of a standalone.
The servers are Windows Server 2008 R2 with IIS7.5 and ColdFusion 10 Enterprise installed on 3 of these machines. Let's call them CF-LBManager, CF-Web1, and CF-Web 2. In the CF Docs, they show the Cluster Manager adding the local CF instance and "if you want" a remote instance. However, this scenario would require the main instance to be running and not fail for it to direct to the other instance.
I am trying to set this up now with CF-LBManager as just a manager of the requests coming in. In the Enterprise Manager >> Instance Manager, the local instance is shown and I add the two remote instances with the correct Remote Port, JVM Route, etc. I also made sure the <Cluster>...</Cluster> block was added to the two remote instances (CF-Web1 and CF-Web2) \runtime\conf\server.xml file too, Jetty Services also is running. Now under the Enterprise Manager >> Cluster Manager I add the two remote instances to the cluster, not the local instance on CF-LBManager with Multicast Port and Sticky Sessions enabled. On Submit, I get a green message "You must restart all the server instances and any configured webservers for these changes to take effect.". I go ahead and reboot the servers and come back.
I now browse to the ColdFusion page as a test on CF-Web1 and CF-Web2 to make sure CF is running properly, they do. I then browse the IP of the CF-LBManager, however it only returns the local IIS web site and does not redirect to one of the two cluster members. I am not seeing any message in the coldfusion-out.log on the remote instances. Am I not setting this up correctly or not enabling the Cluster Manager to take over and pass along the requests to those in the cluster?
Unfortunately I don't have a lot of experience with CF10 on Windows, but if you are running CF behind IIS I think you will need to update the Tomcat connector configuration to do load balancing. I'm not sure if re-running the wsconfig tool on all of the servers will do this or not, but that is what I would suggest trying first. If that doesn't work you will need to update the Tomcat connector configuration manually. You can find more information on load balancing with the Tomcat connector here: http://tomcat.apache.org/connectors-doc/generic_howto/loadbalancers.html.
-
How do I load balance TFTP between two servers and a client on the same subnet?
Hi,
I have trawled through several documents and tried umpteen different configs, all to no avail. I have a PXE boot client trying to access a boot file via TFTP from a couple of TFTP servers on the same VLAN/subnet. For HA purposes I want to load balance the two TFTP servers.
Config is currently;
=====
probe icmp ICMP_PROBE
  description icmp probe for default gateway tracking
  interval 5
  passdetect interval 15
rserver host server1
  description Server1
  ip address 10.0.0.1
  inservice
rserver host server2
  description Server 2
  ip address 10.0.0.2
  inservice
serverfarm host serverfarm_01
  description servers used
  probe ICMP_PROBE
  rserver server1
    inservice
  rserver server2
    inservice
class-map match-all L4_VIP_TFTP
  10 match virtual-address 10.0.0.10 udp eq 69
policy-map type loadbalance first-match L7_TFTP
  class class-default
    serverfarm serverfarm_01
policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_TFTP
    loadbalance vip inservice
    loadbalance policy L7_TFTP
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 200
interface vlan 200
  ip address 10.0.0.250 255.255.255.0
  nat-pool 1 10.0.0.241 10.0.0.243 netmask 255.255.255.255 pat
  service-policy input L4_LB_VIP_POLICY
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.254
=====
I have read the doco by Ivan Kovacevic amongst many others, but as my clients and servers are on the same subnet, the config doesn't work.
Can anybody point me in the right direction please. The devices are ACE 4710 running A3(2.3).
Thanks
Try using the following configuration:
Note: Please make sure to also configure a UDP probe to probe UDP port 69, in case the application is down.
You need to configure a management policy on the interface when using a UDP probe.
That is because, when port 69 on the server is unreachable, the server will send an ICMP unreachable.
ACE will consider a UDP probe as "failed" only when it sees ICMP unreachable.
Without a management policy-map, the ICMP unreachable message will be dropped.
Also, add an ICMP probe to the rserver because the UDP probe will not be enough when the physical interface is down.
That is because UDP is a connection-less protocol. To consider a UDP probe successful, ACE needs to see NO answer from the server in response to the probe.
The ACE will not see any answer from the server when the interface is down and thus will consider the probe as "successful".
With an ICMP probe attached to the rserver, you also test the reachability of the server and not only the UDP port.
Here is the configuration (of course, you can change the names of the objects to the names you are using if you want):
access-list ALL line 10 extended permit ip any any
probe udp TFTP
  port 69
  interval 5
  passdetect interval 15
probe icmp ICMP_PROBE
  interval 5
  passdetect interval 15
rserver host TFTP_1
  ip address 10.0.0.1
  probe TFTP
  probe ICMP_PROBE
  inservice
rserver host TFTP_2
  ip address 10.0.0.2
  probe TFTP
  probe ICMP_PROBE
  inservice
serverfarm host TFTP-SFARM
  rserver TFTP_1
    inservice
  rserver TFTP_2
    inservice
sticky ip-netmask 255.255.255.255 address source TFTP-STICKY
  timeout 10
  replicate sticky
  serverfarm TFTP-SFARM
class-map type management match-any MANAGE
  2 match protocol icmp any
class-map match-all NAT
  2 match virtual-address 0.0.0.0 0.0.0.0 udp any
class-map match-all TFTP
  2 match virtual-address 10.0.0.10 udp eq 69
policy-map type management first-match MANAGE
  class MANAGE
    permit
policy-map type loadbalance first-match ROUTE
  class class-default
    forward
policy-map type loadbalance first-match TFTP-POL
  class class-default
    sticky-serverfarm TFTP-STICKY
policy-map multi-match TFTP-MULTI
  class TFTP
    loadbalance vip inservice
    loadbalance policy TFTP-POL
    nat dynamic 1 vlan 212
  class NAT
    loadbalance vip inservice
    loadbalance policy ROUTE
    nat dynamic 2 vlan 212
interface vlan 212
  ip address 10.0.0.250 255.255.255.0
  no normalization
  access-group input ALL
  nat-pool 1 10.0.0.241 10.0.0.243 netmask 255.255.255.0 pat
  nat-pool 2 10.0.0.10 10.0.0.10 netmask 255.255.255.0 pat
  service-policy input TFTP-MULTI
  service-policy input MANAGE
  no shutdown
Let me know how it goes.
Good luck! -
Anyone and everyone,
When configuring load balancing with Weblogic clusters, does load
balancing take effect for all services or just EJB and RMI? Or another
way of saying the same thing, can I setup weighted load balancing for
the JSP engines across 2 weblogic servers.
Thanks in advance,
Mike
The load-balancing documentation you read describing the different algorithms only applies to RMI stubs (e.g., EJB clients). Please see http://www.weblogic.com/docs51/cluster/concepts.html#1026091 for a description of how load-balancing/clustering works with servlets/JSPs.
The short answer is that in using servlet clustering, most people want/need/use in-memory replication for HttpSession objects. In WLS 5.1 (and before), in-memory replication requires one or more proxy servers be set up in front of the cluster. Typically, most people use something like BigIP to load-balance across the proxy servers and let the weblogic plug-in for the proxy server handle the routing to the cluster. The plug-in uses round-robin until an HttpSession is established for a user, then it always tries to route to the server where the user's session is located.
Hope this helps,
Robert
Brian Lin wrote:
All,
I have a question here regarding load balancing with DNS round robin. As of Chapter Administration of Clustering Weblogic server, Weblogic can be configured to balance by weight. How about Weblogic handle weight based balancing after DNS round robin ip response? or just can choose one way instead of both?
What's the big difference between choosing BigIP and software balancing (WL)?
Brian
"Wei Guan" <[email protected]> wrote:
I don't think you can configure this load balancing in weblogic in current
release. However, if you have Big-IP or LocalDirector, you can set up
weighted load-balancing there. Otherwise, weblogic proxy will use DNS round
robin to do the load-balancing between JSP engines.
My 2 cents.
Cheers - Wei
Michael Yakimisky <[email protected]> wrote in message
news:[email protected]...
Anyone and everyone,
When configuring load balancing with Weblogic clusters, does load
balancing take effect for all services or just EJB and RMI? Or another
way of saying the same thing, can I setup weighted load balancing for
the JSP engines across 2 weblogic servers.
Thanks in advance,
Mike -
Load Balancing with BigIP / SSL question
I have an oddball question. We're load balancing ColdFusion
MX7 across 3 servers using a BigIP load balancing server. We
decided to go the hardware approach and it has been great except
for one small configuration issue.
We use a mix of SSL and non SSL pages, prior to the switch
from a single server to a load balanced setup I used to script that
would determine if a page that was supposed to be SSL had the
variable CGI.HTTPS turned on or off. If it was off, the page would
redirect back to itself with the SSL turned on.
The problem we have is that we followed BigIP's instruction
to secure the load balancing hardware instead of the three servers
running behind it. So what happens is that the traffic goes to the
load balancer port 441, but then the calls from the load balancer
to the individual servers is port 80. So even if a page is called
as HTTPS://... the coldfusion server says that CGI.HTTPS is "off"
since the traffic is port 80.
This isn't much of a problem, our SSL pages are linked as
HTTPS:// and the only problem would actually arise if someone was
to type in the URL and call it as HTTP rather than HTTPS.
My questions is this, does anyone know of a way that I can
detect if the page should be HTTPS and is not without changing our
configuration and putting SSL certificates on each individual
server?
Hey,
Well, the load balancing with the BigIP device is really very amazing. I think what I liked most was swapping out servers when their lease was up: through the BigIP manager I just stopped all traffic to a server, shut it down, plugged in the new one and turned traffic back on. It was really very easy.
The SSL stuff still gives me a headache to think about, but I should mention I no longer work where I was, plus now I'm all .NET C#, but that's a different story.
I think if I was going to do this all again I would not have secured the BigIP unit. It was nice to buy one SSL cert for all the servers I attached rather than one per server, but getting the SSL sites to work properly was a headache.
We also use Windows file replication, where now I would go with like a pair of Dell MD1000's mirrored for storage and just have tons of RAM and CPU on the front end units. Depends what you want to spend I guess. I think the BigIP unit we bought was like 20 grand; I think they are cheaper now though.
Hope I helped. -
How does load-balancing with WebCache work - is there still a bottleneck?
Hello,
We're migrating an old Forms 6i app to 10.1.2.0.2 (apps servers = Redhat Linux), and are starting to consider using WebCache to loadbalance between two application servers.
My question is this - say we have apps servers A and B, both running Forms and Reports Services. We use Webcache on server A (don't have the luxury of a third apps server...) to load balance between A and B. So all initial requests come into A, which in some cases may then be diverted to start a new Forms session on B.
For those users whose middle-tier sessions are now running on B - will all network traffic for their Forms session continue to be routed through Webcache on A, then to B, over the course of the session? Or does Webcache somehow shunt the whole connection to be straight between the client PC and server B, for the duration of that Forms session?
If the former, does that mean that the server hosting Webcache can still be a significant bottleneck for network traffic? Have people found load-balancing with Webcache to be useful..?
Thanks in advance,
James
Hi gudnyc,
Thanks for posting on Adobe forums.
For HDPI you do not have to do any It will adjust automatically.
http://helpx.adobe.com/photoshop-elements/using/whats-new.html
Regards,
Sandeep -
ACE 4710 and load balancing with sticky cookie
Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers. I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall. The ACE is in bridged mode to load balance web servers that reside in the DMZ. Everything seems to work just fine, but the cookie stickiness does not seem to be working.
Hi David,
As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key. This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
When using cookie-insert, the ACE will not create any dynamic cookie entries. It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value. So what you see there is what is expected.
You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie. The cookie is included in the server's response, and the ACE will look for the value as configured. The cookie will also be sent to the client. If the cookie is not in the server's first response, you will need to enable persistence-rebalance so that it will look in subsequent server responses. If the browser opens new connections with that cookie, then the ACE will stick to the same server.
My suggestion would be to get sticky working with cookie-insert first. Then if that meets your needs, go with that permanently. If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
Sean -
Trying to load Balance several Cisco ISE servers.
Trying to load balance several Cisco ISE servers. For persistence, Cisco recommends using Calling-Station-ID and Framed-IP-address... Session-ID is recommended if the load balancer is capable of it. I have documentation for the Cisco ACE, but am using F5 LTMs. Assuming this has to be done with an I-Rule as none of these are available as a default. Not sure where to begin. I tried attaching the Cisco PDF, but was not able to for whatever reason.
Please also keep in mind that When using a Load-Balancer (anyone's) you must ensure a few things.
Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (Routed mode LB, not NAT). No Source-NAT. This includes the Accounting messages, not just the Authentication ones.
This means the Load-Balancer must be in the direct path between the clients and the ISE PSNs.
Some organizations have used Policy Based Routing (PBR) to accomplish the path, without physically locating the Load-Balancer between the clients and the PSNs.
Endpoints (clients) must be able to reach each Policy Services Node Directly (not going through the VIP) for redirections/Centralized Web Authentication/Posture Assessments/Native Supplicant Provisioning, and more.
You may want to "hack" the certs to include the VIP FQDN in the SAN field (my next blog post should cover this trick).
Perform sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address.
VIP gets listed as the RADIUS server of each NAD for all 802.1X related AAA.
Dynamic-Authorization (CoA):
If you use Server NAT to replace the PSN IP address with the VIP Address for Change of Authorization, then you would use the VIP address as the Dynamic-Authorization (CoA) client.
Otherwise, use the real IP Address of the PSN, not the VIP.
The LoadBalancers get listed as NADs in ISE so their test authentications may be answered, to keep the probes alive.
ISE uses the Layer-3 Address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a big reason to avoid SNAT.
Failure Scenarios:
The VIP is the RADIUS Server, so if the entire VIP is down, then the NAD should fail over to the Secondary DataCenter VIP (listed as the secondary RADIUS server on the NAD).
Use probes on the Load-Balancers to ensure that RADIUS is responding, as well as HTTPS (at minimum).
LB Probes should send test RADIUS messages to each PSE periodically, to ensure that RADIUS is responding, not just look for open UDP ports.
LB Probe should also examine the response for HTTPS, not just look for the open port(s).
Use node-groups with the L2-adjacent PSN's behind the VIP.
If the session was in process and one of the PSN's in a node-group fails, then another member of the node-group will issue a CoA-reauth; forcing the session to begin again.
At this point, the LB should have failed the dead PSN due to the probes configured in the LB; and so this new authentication request will reach the LB & be directed to a different PSN… -
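An added sketch (not from the thread, and not F5 or Cisco code) of the persistence decision described above: parse the RADIUS attributes and key stickiness on Calling-Station-ID, then Framed-IP-Address, so authentication and accounting for one endpoint reach the same PSN. The fallback order, the MAC normalisation, the hash-based PSN choice, the PSN names and the sample packets are assumptions constructed for illustration.

```python
import hashlib
import socket
import struct

CALLING_STATION_ID = 31    # RADIUS attribute type numbers
FRAMED_IP_ADDRESS = 8
HEADER_LEN = 20            # code, identifier, length, 16-byte authenticator
HEX_DIGITS = set("0123456789abcdef")
PSNS = ["psn-1", "psn-2", "psn-3"]   # hypothetical Policy Services Nodes


def parse_attributes(packet):
    """Return {type: value} for the first occurrence of each attribute."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:      # alen includes type+length
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def normalize_station_id(raw):
    """Reduce differently formatted MACs to 12 hex digits; else keep text."""
    text = raw.decode("ascii", "replace").lower()
    digits = "".join(c for c in text if c in HEX_DIGITS)
    return digits if len(digits) == 12 else text


def persistence_key(packet, source_ip):
    """Key on the endpoint, not on the NAD that relayed the request."""
    attrs = parse_attributes(packet)
    if CALLING_STATION_ID in attrs:
        return "csid:" + normalize_station_id(attrs[CALLING_STATION_ID])
    framed = attrs.get(FRAMED_IP_ADDRESS)
    if framed is not None and len(framed) == 4:
        return "fip:" + socket.inet_ntoa(framed)
    return "src:" + source_ip                    # last resort: the NAD address


def pick_psn(key, psns=PSNS):
    """Stateless stand-in for a load balancer's persistence table."""
    digest = hashlib.sha256(key.encode()).digest()
    return psns[int.from_bytes(digest[:4], "big") % len(psns)]


def build_packet(code, ident, attrs):
    """Build a constructed sample packet (zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body


if __name__ == "__main__":
    # Constructed samples: an Access-Request (code 1) and an
    # Accounting-Request (code 4) for the same endpoint via different NADs.
    access = build_packet(1, 7, [(31, b"AA-BB-CC-11-22-33")])
    acct = build_packet(4, 9, [(8, socket.inet_aton("192.0.2.10")),
                               (31, b"aabb.cc11.2233")])
    for pkt, nad in ((access, "10.1.1.1"), (acct, "10.1.1.2")):
        key = persistence_key(pkt, nad)
        print(nad, key, pick_psn(key))
```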
T3 Load Balancing with Weblogic Server 6.1
We are using two weblogic 6.1 servers A and B behind a load balancer with a DNS name (e.g. www.loadbalancer.com). We are using T3 for Java client to application server communication. The client creates the Initial context with the load balancer URL, creates remote objects using the context, closes the initial context and then tries to get a new initial Context. What we noticed is even though the client closes the first context and gets a new one, the client is always hooked on to only one server, making load balancing ineffective. Is there a T3 configuration to release the connection when we close the context? The documentation says only one T3 is established per client JVM.
Rick,
You may want to look at the Alteon and F5 configuration we have on edocs.
Take a look at the following URLs for a possible solution
http://edocs.bea.com/wls/docs61/cluster/alteon.html#591902
http://edocs.bea.com/wls/docs61/cluster/bigip.html#591902
Chuck Nelson
DRE
BEA Technical Support -
Configure Barracuda Load Balancer with Exchange 2010
I have following scenario:
1 x DB
1 x Exchange multi role server on VLAN1 on site 1
1 x Exchange multi role Server on VLAN2 on site 2
1 x cas array on site 1
1 x cas array on site 2
1 x Barracuda at site 1.
How barracuda will load balance my 2 exchange servers located on different subnets and sites? Do i need to make them SINGLE SITE? and make them part of single array or i can do it without bringing them into single site. Barracuda can access both exchange servers.
I cannot move servers, all i have to do is in the same scenario and that is to load balance CAS services.
Hasan
If your network supports it (i.e. bandwidth between Vlan1 and Vlan2) and if it is a single AD site, you can. You have to add both the Vlan1 server and the Vlan2 server to the load balancer.
Enable DAC on both servers http://technet.microsoft.com/en-us/library/dd979790(v=exchg.150).aspx
Configure alternatewitness on DAG properties. http://technet.microsoft.com/en-us/library/dd297934(v=exchg.150).aspx
One server with all roles in Vlan1 IP 192.168.1.101
One server with all roles in Vlan2 IP 192.168.2.101
Assume you configured 192.168.1.100 as Barracuda VIP and pointed the names to this IP.
If your Vlan1 network goes down your Exchange will go offline till you point the CAS Array FQDN to the IP of the Vlan2 server in Vlan2 DNS server. (i.e point CAS array FQDN to 192.168.2.101 as per above example)
If you are not sure about the configuration on Barracuda I suggest you take help from Barracuda support to configure as per the above scenario.
If you want to reduce the traffic between Vlans you can switch off shadow redundancy. Please read about shadow redundancy before switching off
Set-TransportConfig -ShadowRedundancyEnabled $false
Thanks, MAS
Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
I got you. Now if I make both VLANs' servers part of a single array and that array FQDN IP will obviously be one of the VLANs' IPs, so if that VLAN goes down then I need to change the IP of the CAS array FQDN from local DNS (pick one IP from another VLAN) and also on Barracuda... right?
Also correct me that the VLAN IP on Barracuda will be the IP of the CAS Array FQDN, right?
Hasan