CSS Troubleshooting "advanced-balance url" based on string-range
Hi together,
a question for troubleshooting "string range stickiness".
I configured a content rule:
content L5_HTTP_81
vip address 192.168.1.1
balance aca
no persistent
protocol tcp
port 81
url "/*"
advanced-balance url
add service service1 weight 1
add service service2 weight 1
string range 30 to 255
string eos-char "_"
string prefix "shopId="
active
service service1
ip address 10.1.128.23
keepalive maxfailure 2
protocol tcp
redundant-index 2102
keepalive frequency 15
keepalive retryperiod 10
keepalive type http
keepalive port 80
keepalive method get
keepalive uri "/admin/Ping.simple"
string 148.49
port 80
active
service service2
ip address 10.1.128.22
keepalive maxfailure 2
protocol tcp
redundant-index 2101
keepalive type http
keepalive method get
keepalive frequency 15
keepalive retryperiod 10
keepalive port 80
keepalive uri "/admin/Ping.simple"
string 148.48
port 80
active
1. I take a string from the 30th to the 255th character out of the URL, starting at "/".
2. Now I search for a string between "shop_Id=" and "_", on which the stickiness is based.
3. String "148.49" is allocated to service1, string "148.48" is allocated to service2.
Is there any possibility to view or debug the handling, i.e. how the string is matched in the HTTP request and to which service the request is forwarded?
thanks in advance
sascha
Here is the command reference. Take a look at the available commands.
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_710/cmdrefgd/index.htm
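A small Python model of the three matching steps listed in the question, added here as an illustration; it is not CSS code or Cisco's algorithm. It assumes 1-based inclusive range positions, an exact match between the extracted value and a service `string`, and constructed sample URLs; the fallback to the rule's basic `balance` method follows the behaviour described in the "Advanced-balance and weighting" thread further down this page.

```python
# Values copied from the content rule and services posted above.
RANGE = (30, 255)                  # string range 30 to 255
PREFIX = "shopId="                 # string prefix "shopId="
EOS_CHARS = "_"                    # string eos-char "_"
SERVICE_STRINGS = {"148.49": "service1", "148.48": "service2"}


def extract_sticky_string(url, rng=RANGE, prefix=PREFIX, eos_chars=EOS_CHARS):
    """Return (sticky_string or None, explanation).

    Assumption: range positions are 1-based and inclusive, counted from the
    leading "/" of the URL, as the post describes them.
    """
    start, end = rng
    window = url[start - 1:end]
    if not window:
        return None, f"URL has only {len(url)} characters, range starts at {start}"
    pos = window.find(prefix)
    if pos < 0:
        if prefix in url:
            where = url.find(prefix) + 1
            return None, f"prefix at position {where} is not wholly inside range {start}-{end}"
        return None, "prefix not present in URL"
    value = window[pos + len(prefix):]
    # Cut at the first end-of-string character. Assumption: without one,
    # the value runs to the end of the range.
    cuts = [i for i in (value.find(c) for c in eos_chars) if i >= 0]
    if cuts:
        value = value[:min(cuts)]
    return value, f"prefix at position {start + pos}"


def select_service(url, services=SERVICE_STRINGS):
    """Return (service or None, sticky_string or None, explanation)."""
    sticky, why = extract_sticky_string(url)
    if sticky is None:
        return None, None, why + "; basic balance method decides"
    service = services.get(sticky)   # assumption: exact match on the service string
    if service is None:
        return None, sticky, f"no service has string {sticky!r}; basic balance method decides"
    return service, sticky, why


# Constructed sample URLs (not taken from the post or from a trace).
SAMPLE_URLS = [
    "/shop/catalog/products/list.do?shopId=148.49_de",      # prefix inside range
    "/list.do?shopId=148.48_de&category=garden-furniture",  # prefix before range
    "/shop/catalog/products/list.do?shopId=150.01_de",      # unknown shop id
    "/list.do?shopId=148.48_de",                            # URL shorter than 30
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        service, sticky, why = select_service(url)
        print(f"{url}\n  sticky={sticky!r} service={service} ({why})")
```

The second and fourth sample URLs show the case most likely to surprise: the prefix is present, but it sits before position 30, so no sticky string is extracted at all.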
Similar Messages
-
How do you specify a string with advanced-balance url?
I am trying to configure a CSS 11501 to send requests with a specific string in the URL to a specific server. How and where I would specify the string? The documentation, as far as I can tell, mentions that it can be done but does not show how. Any input is greatly appreciated.
Thanks again, Syed. Now it makes sense, but I was digging more into the documentation and found a simpler way to accomplish this.
service webServer1
ip address 10.1.1.1
keepalive type http
active
service webServer2
ip address 10.1.1.2
keepalive type http
active
content webServers
add service webServer1
add service webServer2
balance aca
vip address 10.2.2.1
protocol tcp
active
content fileServer
add service webServer1
vip address 10.2.2.1
protocol tcp
url "/files/*"
active
The idea being that most requests will get load-balanced between both web servers, but if the URL starts with "/files/", then only webServer1 will receive the requests. -
LOAD BALANCE (CSS) and Portal Port Number based on Instance Number
Hi,
My doubt is about LOAD BALANCE (CSS) and Portal Port Number based on Instance Number.
I have to install 3 servers machines and 2 servers databases cluster. There will be a HIGH AVAILABILITY environment. There will be a MIGRATION and UPGRADE.
Today there are 2 servers machines in Windows NLB. Today my production Portal is 6 6.20.
Once, I did something for LABORATORY TEST. Migration (6 6.40) and Upgrade (7.0) in two other machines. But they were with Windows NLB. When I did the installation, for each server machine and during the installation I had to give one Instance Number for each and in result there was a different Port Number for each.
But I accessed both machines through a virtual url(dns) with a specific port number. And it works!
NOW, with a HARDWARE LOAD BALANCE _ CSS I don't know how to do.
A guy who works with it tells us that couldn't redirect one Port Number for different port numbers. He couldn't configure the CSS like this.
My question is: Is he right? And if he is, there is a way to give the same instance number for my 3 new Portal servers machines? Example: 5(02)00.
Could you understand?
I need help.
Regards,
cheers,
Nivia
Nivia,
I have used F5 for load balancing, I am sure you can do the same with CSS. Yes, you can configure a virtual IP on the load balancer with standard ports (80 or 443) and load balancing the traffic to multiple servers with different ports. You can have different ports for each instance.
-Regards
RK -
CSS 11501 SSL and port 80 advanced-balance of cookies
I am trying to perform advanced cookie balancing without pulling the cookie from the URL. The only cookie which is consistent is "ASP.NET_SessionId" and it is not in the URL string.
Also, can I in parallel balance last connection? I need to set a round robin to keep site traffic balanced.
Thank you for the link.
Question: can I also use the advanced-Balance Arrowhead-cookies? And will I also need a keepalive:
!*******************KEEPALIVE*************************
keepalive IISsys01
type http
uri "/content.html"
ip address 192.168.1.125
active
keepalive IISsys02
type http
uri "/content.html"
ip address 192.168.1.165
active
keepalive IISweb01
type http
uri "/content.html"
ip address 172.25.4.1
active
keepalive IISweb02
type http
uri "/content.html"
ip address 172.25.4.3
active -
Hello,
We have a CSS 11503 with the following partial config
==================
service 10.10.10.221-1724
ip address 10.10.10.1
keepalive type tcp
port 1724
keepalive port 1724
active
service 10.10.10.222-1724
ip address 10.10.10.1
keepalive type tcp
keepalive port 1724
port 1724
string string1
active
content 10.10.10.1-80-website
vip address 10.10.10.1
no persistent
advanced-balance arrowpoint-cookie
add service 10.10.10.221-1724
add service 10.10.10.222-1724
port 80
protocol tcp
url "/*"
active
============================
There is connectivity from CSS to both IP's, 10.10.10.221 and 10.10.10.222. Problem we face is as following:
A client can hit web site on both servers by going to http://10.10.10.221:1724 and http://10.10.10.222:1724.
With service started on 10.10.10.221 and 10.10.10.222, a client PC can hit website by using http://10.10.10.1.
With step 2 above, connection count increasing on "service 10.10.10.221-1724" service.
There is no activity on "service 10.10.10.222-1724".
When we stop services on 10.10.10.221, client can no longer access web site using http://10.10.10.1. In this situation, connection counter on "service 10.10.10.222-1724" increases with each attempt to access web site but the page on client machine times out.
With service stopped on 10.10.10.221, client can access web site using server IP, http://10.10.10.222:1724
Restarting service on 10.10.10.221 makes access to website using http://10.10.10.1, load balancer IP.
When capturing packets using wireshark, we see that the client machine sends re-transmission on "HTTP Get" and eventually times out.
With behavior above, it is clear that the server at 10.10.10.222 is active. What we cannot understand is why web site is inaccessible thru load balancer using http://10.10.10.1.
Please help.
Thanks,
Paresh.
Hi Paresh,
To troubleshoot this, I would recommend doing a traffic capture on the server vlan to see what is really happening with the connection.
One thing worth checking would be comparing the routing configured on both servers. If the traffic back from the server towards the client is not going through the CSS, the connection would fail, with the exact symptoms you are describing.
Regards
Daniel -
CSS 11503 Load Balancing Verification
Alright, so I have toiled long and hard to get this right. I think I have the config down but I am unsure on how to verify how this load balancing is working.
Here is the Content Config that I am speaking of:
content cad-rule
add service wls1-e0
add service wls1-e1
add service wls2-e0
add service wls2-e1
add service wls3-e0
add service wls3-e1
add service wls4-e0
add service wls4-e1
add service wls5-e0
add service wls5-e1
add service wls6-e0
add service wls6-e1
arrowpoint-cookie expiration 00:00:15:00
advanced-balance arrowpoint-cookie
redundant-index 2
vip address 172.30.194.195 range 2
arrowpoint-cookie name TOQ
protocol tcp
port 8001
url "/*"
active
Each service in the rule above is configured as follows:
service wls1-e1
port 8001
protocol tcp
string ags001-e1
ip address 172.30.193.81
keepalive type http
keepalive uri "/cad/index.html"
redundant-index 12
keepalive frequency 20
keepalive maxfailure 10
keepalive retryperiod 2
active
I am using the advanced arrowpoint cookies because I need some stickiness here. Straight round-robin would not have done what I needed it to do.
Now, when I go to my show summary, this is what I see for this rule:
cad-rule Master wls1-e0 84274
wls1-e1 13144
wls2-e0 96884
wls2-e1 26374
wls3-e0 71145
wls3-e1 16592
wls4-e0 76403
wls4-e1 8657
wls5-e0 118623
wls5-e1 22760
wls6-e0 30836
wls6-e1 20464
The far right column indicates the services hits. I originally had the E1's suspended and activated them later on. So if this was true round robin, all the E0's should have the same number of service hits and all the E1's should have the same number of service hits. But as you can see, the wls5 server is getting hit the most while the wls6 server is sitting there twiddling its thumbs.
Now understanding how the arrowpoint cookies do their load balancing (inserting a cookie into the flow and then timing out after 15 mins as configured above) I would not expect a 1:1 ratio of load balancing between servers. But the distribution above seems rather extreme.
Does anyone have any suggestions on how to both A) verify that this is the right config and B) suggest to my boss that this is working the way it should be working?
Thanks!
James
Hi James,
There are several reasons for the uneven load balancing that you are seeing (based on the show summary). First of all, the CSS is configured to do stickiness (advance-balance).
With the arrowpoint-cookies (for HTTP only) method for stickiness, only the requests coming with the same cookie are going to get stuck to the same server. Since the cookie is lost when the browser is closed (or based on the expiration), the stickiness is going to be session based, and if the same client opens a new session it is going to be load balanced.
It is important to understand that when using stickiness, no real even load balancing is going to happen since we are sticking new flows to the same server, even though layer 5 stickiness would permit more even balancing than layer 3 stickiness (source IP based).
Also consider that "show summary" is a command to see the hits (requests) being balanced to a specific server. This is a good command to see the load balancing; however, since the CSS balances connections (flows), a persistent connection could have a lot of requests, so all those requests are always going to the same server (incrementing the amount of hits in the counter), while a non-persistent connection would be just one request (refer to HTTP persistence).
Also keep in mind that if a service is taken out for maintenance, or is added to the load balancing later than another, or if it goes down for a period of time, then the CSS will be balancing among the remaining alive servers. When you add the server again, the other servers are going to have connections already established, so since the CSS is doing round robin, the server last added will never have the same amount of connections (nor hits) as the other ones, because while one could have 55 for example, the new one will have its first connection, and when the first one gets the 56th, the other will get the second, and so on.
Please let me know if this makes any sense.
Diego M -
CSS 11501 Load Balancing with X-forwarded-for
Hi,
We have a pair of CSS 11501,
Currently it is using source IP for load balancing and 5 servers as backend; however, we have users logging in using HTTP and based on its source IP (ISP PROXY), it is forwarded to SERVER A.
However, we have a SSL page and when the client switches over to SSL, it is forwarded to SERVER B/C/D/E based on its source IP (REAL CLIENT IP).
This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
Is there any way that we can use the X-Forwarded-For address to load balance so that when users log in, they are sent to SERVER A (based on X-Forwarded-For header IP which translates to REAL CLIENT IP)?
This way we are able to also send it back to the same server when it uses SSL.
I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP.
Regards
Hi,
Unfortunately CSS does not support X-Forwarded-For, and even if CSS supports that, this won't work if you are not using SSL termination.
One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
In summary, you will have an SSL content rule that will decrypt the traffic, and this one will use the same content rule that already exist for HTTP, in case that the server is the one doing the redirect to SSL, but this is something that requires testing since depending on the redirect behavior we might have a redirect loop, but without details it is kind of hard to confirm that you will face this with this option.
Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
content HTTP-HTTPS
vip address 10.198.44.70
advanced-balance sticky-srcip
add service server1
add service server2
add service server3
add service server4
add service server5
protocol tcp
active
Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
Thanks,
Rodrigo -
HTTP POST with advance balance cookies
Hello
I am trying to keep a session sticky for 20 mins based on cookies. The problem is the application is using HTTP POSTs and the balance method only looks into the HTTP GET. How can I get the CSS to look into the HTTP POST?
Any examples would be great.
Thanks.
Donagh
Hi Gilles
Thanks for your reply. I have obviously been misinformed about the POST and the GET. That is good but now I don't have an answer to my problem!! I am balancing on a cookie called ASP.NET_SessionId=
Here is my config
content Toughbook_PDAs
vip address 10.40.21.28
add service w2k-eolasprd1
add service w2k-eolasprd2
protocol tcp
port 80
string prefix "ASP.NET_SessionId="
sticky-inact-timeout 20
advanced-balance cookies
active
I have attached a trace and I am looking for
ASP.NET_SessionId=1w0cql550wou04albf4jrjfoy45
Hopefully my config is incorrect.
Thank You
Donagh -
Random failures to CSS doing https balancing.
So I have a cluster of about 10 machines behind a 11503, each server is setup like
service server-1
ip address 192.168.10.171
port 443
string cluster01
keepalive type script ap-kal-httplist "192.168.10.171 /webct/about.jsp"
keepalive frequency 15
active
and clustered in a service via
content ssl-rule
balance leastconn
protocol tcp
port 443
advanced-balance sticky-srcip-dstport
vip address 192.168.200.19
add service server-1
add service server-2
add service server-3
add service server-9
add service server-10
active
I am not currently doing ssl termination, just balancing.
Ok, so recently the load has started to rise (it is an e-learning application for a university and it's finals time) and now I see a scenario where random users are unable to connect to the https://elearningapp.somedomain.ca URL, while the person sitting next to them (both physically and IP-wise) connects fine. It is only a percentage of users who see this, seemingly no correlation between them, and if I reset the css it goes away for a while.
You'll need to collect some info.
First, capture a sniffer trace on one of the host showing the problem.
Check if the client gets a response to the SYN.
Check if the client can ping the CSS.
Then verify that the SYN comes to the CSS.
[capture a sniffer trace in front of CSS].
Then use 'sho flows x.x.x.x' to see if a flow is created.
Verify if the SYN is forwarded to a server.
Could be the server not responding.
What version do you run ?
Gilles. -
Advance Balance and Https pages
Hello,
I have set up load balancing on our web server, using a content rule and services, with Protocol tcp and any port.
I find that it will allow Https traffic through when the Advance Balance option is not enabled but I get a "server or DNS error" when I have A.B enabled.
My switch is the former Arrowpoint CS-100 software ver 3.02.
Help!!
Pearl
The type of "Advanced Balance" option selected is important. Note that the HTTPS traffic is encrypted so we can NOT do any advanced balance that needs to look at the payload (it's encrypted so the CSS can NOT see it). The "advanced-balance sticky-srcip" would work.
Cookies can't be used because they are encrypted,
SSL is not useful as IE will change the SSL session ID,
URL can't be used because it's encrypted. -
Hello
I have four servers that I want to load balance based on a URL both HTTP and HTTPS. Two are tomcat and two are IIS and I would like to use something like /jsp/* and /aspx/*. I can get the http L5 rules setup just fine but when I try and use port 443 with a layer 5 content rule I get nothing. The show flows command shows the external ip, the vip but 0.0.0.0 for the NAT IP. Is it possible to do what I'm trying to do?
my config is
service iis1
ip address 10.0.0.1
active
service iis2
ip address 10.0.0.2
active
service tomcat1
ip address 10.0.0.3
active
service tomcat2
ip address 10.0.0.4
active
owner test
content iis
vip address 10.1.1.1
url "/aspx/*"
advanced-balance arrowpoint-cookie
add service iis1
add service iis2
protocol tcp
port 80
active
content iis_ssl
vip address 10.1.1.1
url "/aspx/*"
advanced-balance ssl
application ssl
add service iis1
add service iis2
protocol tcp
port 443
active
Thanks in advance
Justin
Thanks for the response Giles. I've been working on doing that and I think I have it working but the problem now is that we have some apps that look to make sure the conversation is secure and redirect if not. With the SSL module, it doesn't look like the servers will ever see whether or not the user is connecting via HTTPS. Is there any way around that?
-
FF5 error parsing CSS font-face with url inline base64 data
Firefox 5 refuses to parse CSS @font-face with url inline base64 data.
I use the declaration:
<style type="text/css">
@font-face {
font-family: 'MyFont';
src: url(data:font/truetype;charset=utf-8;base64,[base64data]);
</style>
then used this way:
<div style="font-family:'MyFont'; font-size:12.0pt">Test text</div>
But Firefox is not using the font and in the error console, there is always the message:
''Error parsing the "src" value. Skipped to next declaration.''
(more or less, I actually have this message in Czech)
Tried with different mime types (font/ttf,font/otf,font/opentype,application/x-font-ttf etc.), with or without charset specification, with or without quoting the font family name, with different specifications:
<style type="text/css">
@font-face {
font-family: 'MyFont';
src: url(data:font/truetype;charset=utf-8;base64,[base64data]) format(truetype);
</style>
(tried also with opentype format, etc.)
<style type="text/css">
@font-face {
font-family: 'MyFont';
src: url('myfont-webfont.eot?');
src: local('☺'), url(data:font/truetype;charset=utf-8;base64,[base64data]);
</style>
If I provide the font path:
<style type="text/css">
@font-face {
font-family: 'MyFont';
src: url('Arial.ttf');
</style>
(the font actually is Arial, for testing), it works (but I need to embed the font in the HTML for specific reason, so having the font externally is not the option).
Finally I got it to work! Thanks, cor-el, you pointed me the right way to solve this problem.
There was problem with the encoding too (there was part of the font missing at the end, because of the bug in the program - I forgot to flush the buffered output stream), after then I was able to download the same copy of the TTF. - I didn't know about the possibility to put the entire url data to the location bar and try to download it, thanks cor-el.
But it still didn't solve the problem ... the problem was, that the base64 stream was divided to multiple lines, like
data:font/truetype;charset=utf-8;base64,
AAEAAAAYAQAABACARFNJRwMaCRYAC8m8AAAXfEdERUaJ+Y1JAAr/JAAAAsJHUE9T
e1arnwALAegAAKwaR1NVQt5CYFEAC64EAAAbmEpTVEZtKmkGAAvJnAAAAB5MVFNI
RExjrAAAN8wAAA1dT1MvMhAyXXMAAAIIAAAAYFBDTFT9ez5DAAr+7AAAADZWRE1Y
After I removed the line breaks, it works now! (the line is quite long then, because the base64 string is about 1MB, but it works)
Strange that I do the same for images (jpeg, png) and there is no problem with base64 string divided to multiple lines.
But anyway, I'm fine with that. -
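The two faults described in the post above (a truncated font and a base64 payload split across lines) can both be caught before the page ships. This added Python example is not the poster's program; the font bytes are a constructed stand-in and all function names are illustrative.

```python
import base64
import re

# Matches url(data:...;base64,<payload>) with optional quotes; the payload
# group deliberately admits whitespace so wrapped payloads are found too.
DATA_URL = re.compile(
    r"url\(\s*(['\"]?)(data:[^,)]*;base64,)([A-Za-z0-9+/=\s]*)\1\s*\)")


def font_face_rule(family, font_bytes, mime="font/truetype"):
    """Build an @font-face rule with the font embedded on a single line."""
    if not re.fullmatch(r"[A-Za-z0-9 _-]+", family):
        raise ValueError("unexpected characters in font family name")
    # b64encode() emits no line breaks; encodebytes() wraps every 76
    # characters and would recreate the multi-line form shown in the post.
    payload = base64.b64encode(font_bytes).decode("ascii")
    return ("@font-face {\n"
            f"  font-family: '{family}';\n"
            f"  src: url(data:{mime};charset=utf-8;base64,{payload});\n"
            "}\n")


def unwrap_data_urls(css):
    """Remove whitespace and line breaks from every base64 data: URL."""
    def fix(match):
        quote, head, body = match.groups()
        return f"url({quote}{head}{''.join(body.split())}{quote})"
    return DATA_URL.sub(fix, css)


def decode_embedded(css):
    """Return the bytes of the first embedded data: URL, or raise ValueError."""
    match = DATA_URL.search(css)
    if match is None:
        raise ValueError("no base64 data: URL found")
    body = match.group(3)
    if body != "".join(body.split()):
        raise ValueError("base64 payload is split by whitespace or line breaks")
    # validate=True rejects stray characters; bad padding raises as well.
    return base64.b64decode(body, validate=True)


# Constructed stand-in for the font file (not a real TTF).
FONT = bytes(range(256)) * 2
# The multi-line form from the post, rebuilt with the wrapping encoder.
WRAPPED = ("@font-face {\n  font-family: 'MyFont';\n"
           "  src: url(data:font/truetype;charset=utf-8;base64,\n"
           + base64.encodebytes(FONT).decode("ascii") + ");\n}\n")

if __name__ == "__main__":
    rule = font_face_rule("MyFont", FONT)
    print("single-line rule round-trips:", decode_embedded(rule) == FONT)
    try:
        decode_embedded(WRAPPED)
    except ValueError as err:
        print("wrapped rule rejected:", err)
    print("after unwrap:", decode_embedded(unwrap_data_urls(WRAPPED)) == FONT)
```

Comparing the decoded bytes with the source file, as the last line does, is what catches a font truncated by an unflushed output stream.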
Load Balancing proxy based firewalls
I need to load balance http and ssl traffic through proxy based firewalls (Gauntlet)to a server farm. I've been told I can't use the usual paths through the firewalls but need to load balance the firewalls as if they were servers which would then proxy the session to the Internal content switch which will load balance to the servers.
Any ideas if this will work or how to do it? I need to keep the SSL sessions sticky as well.
Could you clarify what you mean by proxy firewall.
Is it just a proxy server with some filtering feature ?
If so, what was suggested to you is correct.
You define your proxy servers as services and then you simply configure
a content rule for 8080 or 80 (whatever your proxy listen on) and another content rule for port 443 SSL (or whatever port your proxy is setup for).
If the proxy is set up to use its own IP address to request HTML data, the response always comes back to the right proxy. No need for the firewall load-balancing feature.
An example is this
service proxyfw1
ip address x.x.x.x1
active
service proxyfw2
ip address x.x.x.x2
active
owner mycompany
content HTTPproxy
vip address x.x.x.x
add service proxyfw1
add service proxyfw2
proto tcp
port 8080
active
content SSLproxy
vip address x.x.x.x
add serv proxyfw1
add serv proxyfw2
proto tcp
port 443
application ssl
advanced-balance ssl
active
Then you setup your browser to point to proxy address x.x.x.x port 8080 for http and 443 for ssl.
Gilles. -
Advanced-balance and weighting
Hello,
I'd like to assign weights to services, but it says in the documentation that this works for weighted round-robin load-balance algorithm. Will this work for an advance-balance scenario? I.e. will the config below work?
content Serv1-Rule
add service Serv-1
add service Serv-2 weight 2
add service Serv-3 weight 4
protocol tcp
redundant-index 1
port 80
advanced-balance arrowpoint-cookie
vip address 12.18.27.20
active
thanks,
dayo
The way it works is that the CSS tries to do an advanced-balance decision.
In your case, the CSS looks for a cookie ARPT=...
If this CSS can't make an advanced-balance decision (ie: there is no cookie) it will make a basic balancing decision.
This is where you can use a weight.
So, your config is good except that you didn't specify the basic loadbalancing method so the CSS will do roundrobin.
You need to configure something like 'balance weightedrr'
Gilles. -
How to get SSO userid to URL-based app?
I'm developing a web-app using Struts that will be accessed by Portal (I guess as a URL-based app). The web-app will not require login. The web-app will not be Portal "aware", except that it requires the SSO userid for auditing/logging purposes.
I know little about Portal and SSO. How can Portal be configured to send the Portal userid of the logged-in Portal user? Can it send it as a parameter in a GET or POST?
The version of Portal will be 9.0.2 (or greater).
This topic is answered in the PDK forum here:
How to get SSO userid to URL-based app?