CSS Troubleshooting "advanced-balance url" based on string-range

Similar Messages

• How do you specify a string with advanced-balance url?

  I am trying to configure a CSS 11501 to send requests with a specific string in the URL to a specific server. How and where I would specify the string? The documentation, as far as I can tell, mentions that it can be done but does not show how. Any input is greatly appreciated.

  Thanks again, Syed. Now it makes sense, but I was digging more into the documentation and found a simpler way to accomplish this.
  service webServer1
  ip address 10.1.1.1
  keepalive type http
  active
  service webServer2
  ip address 10.1.1.2
  keepalive type http
  active
  content webServers
  add service webServer1
  add service webServer2
  balance aca
  vip address 10.2.2.1
  protocol tcp
  active
  content fileServer
  add service webServer1
  vip address 10.2.2.1
  protocol tcp
  url “/files/*”
  active
  The idea being that most requests will get load-balanced between both web servers, but if the URL starts with "/files/", then only webServer1 will receive the requests.

• LOAD BALANCE (CSS) and Portal Port Number based on Instance Number

  Hi,
  My doubt is about LOAD BALANCE (CSS) and Portal Port Number based on Instance Number.
  I have to install 3 servers machines and 2 servers databases cluster. There will be a HIGH AVAILABILITY environment. There will be a MIGRATION and UPGRADE.
  Today there are 2 servers machines in Windows NLB. Today my production Portal is 6 6.20.
  Once, I did something for LABORATORY TEST. Migration (6 6.40) and Upgrade (7.0)in two other machines. But they were with Windows NLB. When I did the installation, for each server machine and during the instalation I had to give one Instance Number for each and in result there was a different Port Number for each.
  But I accessed both machines throught a virtual url(dns) with a specific port number. And it works!
  NOW, with a HARDWARE LOAD BALANCE _ CSS I don't know how to do.
  A guy who works with it  tell us that couldn't redirect one Port Number for different port numbers. He couldn't configure the CSS like this.
  My question is: Is he write? And if he is, there is a  way to give the same instance number for my 3 new Portal servers machines? Example: 5(02)00.
  Could you understand?
  I need help.
  Regards,
  cheers,
  Nivia

  Nivia,
  I have used F5 for load balancing, I am sure you can do the same with CSS. Yes, you can configure a virtual IP on the load balancer with standard ports (80 or 443) and load balancing the traffic to multiple servers with different ports. You can have different ports for each instance.
  -Regards
  RK

• CSS 11501 SSL and port 80 advanced-balance of cookies

  I am trying to perform advanced cookie balancing with out pulling the cookie from the URL. The only cookie which is consistant is "ASP.NET_SessionId and it is not in the URL string.
  Also, Can in parallel can I balance last connection? I need to set a round robin to keep site traffice balanced.

  Thank you for the link.
  question? Can I also use the advanced-Balance Arrowhead-cookies ? and will I also need a keepalive:
  !*******************KEEPALIVE*************************
  keepalive IISsys01
  type http
  uri "/content.html"
  ip address 192.168.1.125
  active
  keepalive IISsys02
  type http
  uri "/content.html"
  ip address 192.168.1.165
  active
  keepalive IISweb01
  type http
  uri "/content.html"
  ip address 172.25.4.1
  active
  keepalive IISweb02
  type http
  uri "/content.html"
  ip address 172.25.4.3
  active

• CSS 11500 Load balancing

  Hello,
  We have a CSS 11503 with the following partial config
  ==================
  service 10.10.10.221-1724
  ip address 10.10.10.1
  keepalive type tcp
  port 1724
  keepalive port 1724
  active
  service 10.10.10.222-1724
    ip address 10.10.10.1
    keepalive type tcp
    keepalive port 1724
    port 1724
    string string1
    active
  content 10.10.10.1-80-website
      vip address 10.10.10.1
      no persistent
      advanced-balance arrowpoint-cookie
      add service 10.10.10.221-1724
      add service 10.10.10.222-1724
      port 80
      protocol tcp
      url "/*"
      active
  ============================
  There is connectivity from CSS to both IP's, 10.10.10.221 and 10.10.10.222.  Problem we face is as following:
  A client can hit web site on both servers by going to http://10.10.10.221:1724 and http://10.10.10.222:1724.
  With service started on 10.10.10.221 and 10.10.10.222, a client PC can hit website by using http://10.10.10.1.
  With step 2 above, connection count increasing on "service 10.10.10.221-1724" service.
  There is no activty on "service 10.10.10.222-1724"
  When we stop services on 10.10.10.221, client can no longer access web site using http://10.10.10.1.  In this situation, connection counter on "service 10.10.10.222-1724" increases with each attempt to access web site but the page on client machine times out.
  With service stopped on 10.10.10.221, client can access web site using server IP, http://10.10.10.222:1724
  Restarting service on 10.10.10.221 makes access to website usig http://10.10.10.1, load balancer IP.
  When capturing packets using wireshark, we see that the client machine sends re-transmission on "HTTP Get" and evantually times out.
  With behavior above, it is clear that the server at 10.10.10.222 is active.  What we cannot understand is why web site is inaccessible thru load balancer using http://10.10.10.1.
  Please help.
  Thanks,
  Paresh.

  Hi Paresh,
  To troubleshoot this, I would recommend doing a traffic capture on the server vlan to see what is really happening with the connection.
  One thing worth checking would be comparing the routing configured on both servers. If the traffic back from the server towards the client is not going through the CSS, the connection would fail, with the exact symptoms you are describing.
  Regards
  Daniel

• CSS 11503 Load Balancing Verification

  Alright, so I have toiled long and hard to get this right.  I think I have the config down but I am unsure on how to verify how this load balancing is working.
  Here is the Content Config that I am speaking of:
  content cad-rule
      add service wls1-e0
      add service wls1-e1
      add service wls2-e0
      add service wls2-e1
      add service wls3-e0
      add service wls3-e1
      add service wls4-e0
      add service wls4-e1
      add service wls5-e0
      add service wls5-e1
      add service wls6-e0
      add service wls6-e1
      arrowpoint-cookie expiration 00:00:15:00
      advanced-balance arrowpoint-cookie
      redundant-index 2
      vip address 172.30.194.195 range 2
      arrowpoint-cookie name TOQ
      protocol tcp
      port 8001
      url "/*"
      active
  Each service in the rule above is configured as follows:
  service wls1-e1
    port 8001
    protocol tcp
    strin ags001-e1
    ip address 172.30.193.81
    keepalive type http
    keepalive uri "/cad/index.html"
    redundant-index 12
    keepalive frequency 20
    keepalive maxfailure 10
    keepalive retryperiod 2
    active
  I am using the advanced arrowpoint cookies because I need some stickiness here.  Straight round-robin would not have done what I needed it to do.
  Now, when I go to my show summary, this is what I see for this rule:
                   cad-rule    Master   wls1-e0 84274
                                              wls1-e1 13144
                                              wls2-e0 96884
                                              wls2-e1 26374
                                              wls3-e0 71145
                                              wls3-e1 16592
                                              wls4-e0 76403
                                              wls4-e1 8657
                                              wls5-e0 118623
                                              wls5-e1 22760
                                              wls6-e0 30836
                                              wls6-e1 20464
  The far right column indicates the services hits.  I originally had the E1's suspended and activated them later on. So if this was true round robin, all the E0's should have the same number of service hits and all the E1's should have the same number of service hits.  But as you can see, the wls5 server is getting hit the most while the wls6 server is sitting there twiddling its thumbs.
  Now understanding how the arrowpoint cookies do their load balancing (inserting a cooking into the flow and then timing out after 15 mins as configured above) I would not expect a 1:1 ratio of load balancing between servers.  But the distribution above seems rather extreme.
  Does anyone have any suggestions on how to both A) verify that this is the right config and B) suggest to my boss that this is working the way it should be working?
  Thanks!
  James

  Hi James,
  There are several reasons of the uneven load balancing that you are seeing (based on the show summary). First
  of all, the CSS is configured to do stickiness (advance-balance).
  With arrowpoint-cookies (for HTTP only) method for stickiness, only the requests coming with the same cookie
  are going to get stuck to the same server, since the cookie is
  lost when the browser is closed (or based on the expiration), then the stickiness is going to be session
  based and if the same client open a new session is going to be load balanced.
  Is important to understand that when using stickiness, no real even load balancing is
  going to happen since we are sticking new flows to the same server; even when layer 5 stickiness would
  permit more even balancing than layer 3 stickiness (source IP based).
  Also consider that the "show summary" is a command to see the hits (requests) being balanced to an specific
  server, this is a good command to see the load balancing, anyway since the CSS balance
  connections (flows), a persistent connection could have a lot of requests, so all those requests are
  always going to the same server (incrementing the amount of hits in the counter) while a non-persistent
  connection would be just one request (refer to HTTP persistence).
  Also keep in mind that if a service is take out for maintenance, or is added to the load balancing later
  than another, or if goes down for a period of time, then the CSS will be balancing among the remaining alive
  servers. When you add the server again, the another servers are going to have connections
  already established, so since the CSS is doing round robin, the server last added will
  never have the same amount of connections (nor hits) that the other ones, because while one could
  have 55 for example, the new one will have it first connection, and when the first one
  gets the 56, the another will get the second, and so on.
  Please let me know if this makes any sense.
  Diego M

• CSS 11501 Load Balancing with X-forwarded-for

  Hi,
  We have a pair of CSS 11501,
  Currently it is using source ip for load balancing and 5 servers as backend , however we have users loggin in using http and based on its source IP (ISP PROXY) , it is forwarded to SERVER A.
  However, we have a SSL page and when the client switches over to SSL , it is forwarded to SERVER B/C/D/E  based on its source IP ( REAL CLIENT IP) .
  This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
  Is there any way that we can use the X-Forwarded-For address to load balance so that when users loging , they are sent to SERVER A (Based on X-Forwarded-For Header IP which translate to REAL CLIENT IP).
  This way we are able to also send it back to the same server when it uses SSL.
  I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP
  Regards

  Hi,
  Unfortunately CSS does not support X-Forwarded-For, and even if CSS supports that, this wont work if you are not using SSL termination.
  One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
  In summary, you will have an SSL content rule that will decrypt the traffic, and this one will use the same content rule that already exist for HTTP, in case that the server is the one doing the redirect to SSL, but this is something that requires testing since depending on the redirect behavior we might have a redirect loop, but without details it is kind of hard to confirm that you will face this with this option.
  Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
    content HTTP-HTTPS
      vip address 10.198.44.70
      advanced-balance sticky-srcip
      add service server1
      add service server2
      add service server3
      add service server4
      add service server5
      protocol tcp
      active
  Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
  Thanks,
  Rodrigo

• HTTP POST with advance balance cookies

  Hello
  I am trying to keep a session sticky for 20 mins based on cookies. The problem is the application is using HTTP POSTs and the balance method only looks into the HTTP GET. How can I get the CSS to look into the HTTP POST?
  Any examples would be great.
  Thanks.
  Donagh

  Hi Gilles
  Thanks for your reply. I have obviously been misinformed about the POST and the GET. That is good but now I don't have an answer to my problem!! I am balancing on a cookie called ASP.NET_SessionId=
  Here is my config
  content Toughbook_PDAs
  vip address 10.40.21.28
  add service w2k-eolasprd1
  add service w2k-eolasprd2
  protocol tcp
  port 80
  string prefix "ASP.NET_SessionId="
  sticky-inact-timeout 20
  advanced-balance cookies
  active
  I have attached a trace and I am looking for
  ASP.NET_SessionId=1w0cql550wou04albf4jrjfoy45
  Hopefully my config is incorrect.
  Thank You
  Donagh

• Random failures to CSS doing https balancing.

  So I have a cluster of about 10 machines behind a 11503, each server is setup like
  service server-1
  ip address 192.168.10.171
  port 443
  string cluster01
  keepalive type script ap-kal-httplist "192.168.10.171 /webct/about.jsp"
  keepalive frequency 15
  active
  and clustered in a service via
  content ssl-rule
  balance leastconn
  protocol tcp
  port 443
  advanced-balance sticky-srcip-dstport
  vip address 192.168.200.19
  add service server-1
  add service server-2
  add service server-3
  add service server-9
  add service server-10
  active
  I am not currently doing ssl termination, just balancing.
  Ok, so recently the load has started to rise (it is an e-learning application for a university and it's finals time) and now I see a scenario where random users are unable to connect to the https://elearningapp.somedomain.ca URL, while the person sitting next to them (both physically and IP-wise) connects fine. It is only a percentage of users who see this, seemingly no correlation between them, and if I reset the css it goes away for a while.

  You'll need to collect some info.
  First, capture a sniffer trace on one of the host showing the problem.
  Check if the client gets a response to the SYN.
  Check if the client can ping the CSS.
  Then verify that the SYN comes to the CSS.
  [capture a sniffer trace in front of CSS].
  Then use 'sho flows x.x.x.x' to see if a flow is created.
  Verify if the SYN is forwarded to a server.
  Could be the server not responding.
  What version do you run ?
  Gilles.

• Advance Balance and Https pages

  Hello,
  I have setup load blancing on our web server, using a content rule and services, with Protocol tcp and any port.
  I find that it will allow Https traffic through when the Advance Balance option is not enabled but i get a "server or DNS error" when i have A.B enabled.
  My switch is the former Arrowpoint CS-100 software ver 3.02.
  Help!!
  Pearl

  the type of "Advanced Balance" option selected is important. Note that the HTTPS traffic is encrypted so we can NOT do any advanced balance that needs to look at the payload (it's encrypted so the CSS can NOT see it). The "advanced-balance sticky-srcip" would work.
  Cookies can't be used because they are encrypted,
  SSL is not useful as IE will change the SSL session ID,
  URL can't be used because it's encrypted.

• CSS SSL L5 balancing

  Hello
  I have four servers that I want to load balance based on a URL both HTTP and HTTPS. Two are tomcat and two are IIS and I would like to use something like /jsp/* and /aspx/*. I can get the http L5 rules setup just fine but when I try and use port 443 with a layer 5 content rule I get nothing. The show flows command shows the external ip, the vip but 0.0.0.0 for the NAT IP. Is it possible to do what I'm trying to do?
  my config is
  service iis1
  ip address 10.0.0.1
  active
  service iis2
  ip address 10.0.0.2
  active
  service tomcat1
  ip address 10.0.0.3
  active
  service tomcat2
  ip address 10.0.0.4
  active
  owner test
  content iis
  vip address 10.1.1.1
  url "/aspx/*"
  advanced-balance arrowpoint-cookie
  add service iis1
  add service iis2
  protocol tcp
  port 80
  active
  content iis_ssl
  vip address 10.1.1.1
  url "/aspx/*"
  advanced-balance ssl
  application ssl
  add service iis1
  add service iis2
  protocol tcp
  port 443
  active
  Thanks in advance
  Justin

  Thanks for the response Giles. I've been working on doing that and I think I have it working but the problem now is that we have some apps that look to make sure the conversation is secure and redirect if not. With the SSL module, it doesn't look like the servers will ever see whether or not the user is connecting via HTTPS. Is there any way around that?

• FF5 error parsing CSS font-face with url inline base64 data

  Firefox 5 refuses to parse CSS @font-face with url inline base64 data.
  I use the declaration:
  <style type="text/css">
  @font-face {
  font-family: 'MyFont';
  src: url(data:font/truetype;charset=utf-8;base64,[base64data]);
  </style>
  then used this way:
  <div style="font-family:'MyFont'; font-size:12.0pt">Test text</div>
  But Firefox is not using the font and in the error console, there is always the message:
  ''Error parsing the "src" value. Skipped to next declaration.''
  (more or less, I actually have this message in Czech)
  Tried with different mime types (font/ttf,font/otf,font/opentype,application/x-font-ttf etc.), with or without charset specification, with or without quoting the font family name, with different specifications:
  <style type="text/css">
  @font-face {
  font-family: 'MyFont';
  src: url(data:font/truetype;charset=utf-8;base64,[base64data]) format(truetype);
  </style>
  (tried also with opentype format, etc.)
  <style type="text/css">
  @font-face {
  font-family: 'MyFont';
  src: url('myfont-webfont.eot?');
  src: local('☺'), url(data:font/truetype;charset=utf-8;base64,[base64data]);
  </style>
  If I provide the font path:
  <style type="text/css">
  @font-face {
  font-family: 'MyFont';
  src: url('Arial.ttf');
  </style>
  (the font actually is Arial, for testing), it works (but I need to embed the font in the HTML for specific reason, so having the font externally is not the option).

  Finally I got it work! Thanks, cor-el, you pointed me the right way to solve this problem.
  There was problem with the encoding too (there was part of the font missing at the end, because of the bug in the program - I forgot to flush the buffered output stream), after then I was able to download the same copy of the TTF. - I didn't know about the possibility to put the entire url data to the location bar and try to download it, thanks cor-el.
  But it still didn't solve the problem ... the problem was, that the base64 stream was divided to multiple lines, like
  data:font/truetype;charset=utf-8;base64,
  AAEAAAAYAQAABACARFNJRwMaCRYAC8m8AAAXfEdERUaJ+Y1JAAr/JAAAAsJHUE9T
  e1arnwALAegAAKwaR1NVQt5CYFEAC64EAAAbmEpTVEZtKmkGAAvJnAAAAB5MVFNI
  RExjrAAAN8wAAA1dT1MvMhAyXXMAAAIIAAAAYFBDTFT9ez5DAAr+7AAAADZWRE1Y
  After I removed the line breaks, it works now! (the line is quite long then, because the base64 string is about 1MB, but it works)
  Strange that I do the same for images (jpeg, png) and there is no problem with base64 string divided to multiple lines.
  But anyway, I'm fine with that.

• Load Balancing proxy based firewalls

  I need to load balance http and ssl traffic through proxy based firewalls (Gauntlet)to a server farm. I've been told I can't use the usual paths through the firewalls but need to load balance the firewalls as if they were servers which would then proxy the session to the Internal content switch which will load balance to the servers.
  Any ideas if this will work or how to do it? I need to keep the SSL sessions sticky as well.

  could you clarify what you mean by proxy firewall.
  Is it just a proxy server with some filtering feature ?
  If so, what was suggested to you is correct.
  You define your proxy servers as services and then you simply configure
  a content rule for 8080 or 80 (whatever your proxy listen on) and another content rule for port 443 SSL (or whatever port your proxy is setup for).
  If the proxy is setup to use its own ip address to request HTML data, the response all aways come back to the right proxy. No need for the firewall loadbalancing feature.
  An example is this
  service proxyfw1
  ip address x.x.x.x1
  active
  service proxyfw2
  ip address x.x.x.x2
  active
  owner mycompany
  content HTTPproxy
  vip address x.x.x.x
  add service proxyfw1
  add server proxyfw2
  proto tcp
  port 8080
  active
  content SSLproxy
  vip address x.x.x.x
  add serv proxyfw1
  add serv proxyfw2
  proto tcp
  port 443
  application ssl
  advanced-balance ssl
  active
  Then you setup your browser to point to proxy address x.x.x.x port 8080 for http and 443 for ssl.
  Gilles.

• Advanced-balance and weighting

  Hello,
  I'd like to assign weights to services, but it says in the documentation that this works for weighted round-robin load-balance algorithm. will this work for an advance-balance scenario? i.e. will the config below work?
  content Serv1-Rule
  add service Serv-1
  add service Serv-2 weight 2
  add service Serv-3 weight 4
  protocol tcp
  redundant-index 1
  port 80
  advanced-balance arrowpoint-cookie
  vip address 12.18.27.20
  active
  thanks,
  dayo

  the way it works, is that the CSS tries to do an advanced-balance decision.
  In your case, the CSS looks for a cookie ARPT=...
  If this CSS can't make an advanced-balance decision (ie: there is no cookie) it will make a basic balancing decision.
  This is where you can use a weight.
  So, your config is good except that you didn't specify the basic loadbalancing method so the CSS will do roundrobin.
  You need to configure something like 'balance weightedrr'
  Gilles.

• How to get SSO userid to URL-based app?

  I'm developing a web-app using Struts that will be accessed by Portal (I guess as a URL-based app). The web-app will not require login. The web-app will not be Portal "aware", except that it requires the SSO userid for auditing/logging purposes.
  I know little about Portal and SSO. How can Portal be configured to send the Portal userid of the logged-in Portal user? Can it send it as a parameter in a GET or POST?
  The version of Portal will be 9.0.2 (or greater).

  This topic is answered in the PDK forum here:
  How to get SSO userid to URL-based app?