CSS WEBNS 7.2/7.4 ssl balancing and sticky-inact

Hi,
just two questions in regards of load balancing:
1) Does the advanced-balance ssl notice if an sslid change is done in the SSL-Session (some clients reinitiate a session after some time)?
2) Is the sslid-stickiness aware of 1) and keeps the connection for this client to the former server; sticks the client to the same server...
2) the sticky-inact-timer: is it really an inact timer which is counting as soon as a session is idle/closed or is it a timer that only gets reset when the client starts a new connection (like the idle time-out at the CSM)
TIA
Kind Regards,
Joerg

Hi Gilles,
thanks for the reply. My fears unfortunately came true.
Is an applicable workaround for 1) advanced balanced src-ip-dst-port? Unfortunately only src-ip is not working even if in the training materials it is mentioned that advanced-balanced src-ip is possible with Layer3-5.
I had stickiness trouble with it so I changed it to advanced-balanced src-ip-dst-port and got a sticky behaviour but it seems as if the connections get assigned to a different server when the SSL-Session-ID changes even if the stickiness tells the CSS to stick that client to a certain server (inact timeout 0).
I guess I have to do some investigations with my customer on this.
Btw we are talking of a Citrix web frontend using SSL as connection method and we are experiencing this problem with browsers and with the Citrix client itself.
Regards,
Joerg

Similar Messages

  • ACE 4710 and load balancing with sticky cookie

    Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers.  I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall.  The ACE is in bridged mode to load balance web servers that reside in the DMZ.  Everything seems to work just fine, but the cookie stickiness does not seem to be working.

    Hi David,
    As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key. This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
    When using cookie-insert, the ACE will not create any dynamic cookie entries.  It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value.  So what you see there is what is expected.
    You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie. The cookie is included in the server's response, and the ACE will look for the value as configured. The cookie will also be sent to the client. If the cookie is not in the server's first response, you will need to enable persistence-rebalance so that it will look in subsequent server responses. If the browser opens new connections with that cookie, then the ACE will stick to the same server.
    My suggestion would be to get sticky working with cookie-insert first.  Then if that meets your needs, go with that permanently.  If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
    Sean

  • Question about the CSS behavior when using layer 3 sticky and sticky table

    Hi everyone,
    I have a question about the CSS behavior when using layer 3 sticky and sticky table is full.
    If I configure layer 3 sticky and specify the inactivity timeout as below, how does the CSS
    handle subsequent needed sticky requests ?
    advanced-balance sticky-srcip
    sticky-inact-timeout 30
    CSS document says that
    Note:
    If you use the sticky-inact-timeout command to specify the inactivity timeout
    period on a sticky connection, when the sticky table becomes full and none of
    the entries have expired from the sticky table, the CSS rejects subsequent
    needed sticky requests.
    My question is what the CSS does next if it is in the
    following condition:
    when the sticky table becomes full and none of the entries have expired from
    the sticky table, the CSS rejects subsequent needed sticky requests
    Does the CSS just reject/drop subsequent needed sticky requests?
    or
    Does the CSS not stick subsequent requests to a particular service but forward
    subsequent requests on a round-robin basis? Which means if the sticky table is full,
    the CSS just works in round-robin load balancing fashion for subsequent requests?
    Your information would be appreciated.
    Best regards,

    Hello,
    There is a good document explaining this on Cisco web site
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080094b4b.shtml
    It depends if the sticky-inact-timeout is used or not. If not, it's FIFO (the oldest entry in the sticky table is removed). If yes, the CSS will reject the next sticky request.
    Rgds
    Gaetan
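
The two full-table behaviours described in the answer above, as an added example that is not part of the original thread and is not Cisco code. It is a simplified model: the `StickyTable` class, the round-robin choice for new clients, the timer refresh on every hit and expiry at exactly the timeout value are assumptions; the client addresses are constructed.

```python
from collections import OrderedDict
from itertools import cycle


class StickyTable:
    """Toy model of a source-IP sticky table with a fixed capacity."""

    def __init__(self, capacity, services, inact_timeout_min=0):
        self.capacity = capacity
        self.timeout = inact_timeout_min   # 0 models "no sticky-inact-timeout"
        self._rr = cycle(services)         # assumed balance method for new clients
        self.entries = OrderedDict()       # src_ip -> [service, last_seen_min]

    def _purge(self, now):
        # Entries only age out when an inactivity timeout is configured.
        if self.timeout <= 0:
            return
        stale = [ip for ip, (_, seen) in self.entries.items()
                 if now - seen >= self.timeout]
        for ip in stale:
            del self.entries[ip]

    def lookup(self, src_ip, now):
        """Return the service for src_ip, or None if the request is rejected."""
        self._purge(now)
        entry = self.entries.get(src_ip)
        if entry:
            entry[1] = now                 # assumption: a hit refreshes the timer
            return entry[0]
        if len(self.entries) >= self.capacity:
            if self.timeout > 0:
                return None                # full and nothing expired: reject
            self.entries.popitem(last=False)   # no timeout: drop oldest (FIFO)
        service = next(self._rr)
        self.entries[src_ip] = [service, now]
        return service


def replay(table, events):
    """Feed (src_ip, minute) events through the table and collect the decisions."""
    return [table.lookup(ip, minute) for ip, minute in events]


# Constructed traffic: three clients competing for a two-entry table.
A, B, C = "192.0.2.1", "192.0.2.2", "192.0.2.3"

if __name__ == "__main__":
    fifo = StickyTable(2, ["s1", "s2"])
    print(replay(fifo, [(A, 0), (B, 1), (C, 2), (A, 3)]))
    timed = StickyTable(2, ["s1", "s2"], inact_timeout_min=30)
    print(replay(timed, [(A, 0), (B, 1), (C, 2), (C, 30), (B, 30)]))
```

Without the timeout, client A silently lands on a different service after its entry is pushed out; with the timeout, client C is refused until an entry has been idle for 30 minutes.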

  • Persistance and sticky connections in css

    What is the use of the persistence command in a CSS content rule? If using a Layer 3 sticky configuration, is it necessary to give the persistence command in the content rule?
    What is the difference between flow-timeout-multiplier and sticky-inact-timeout?

    Hi Avinash,
    This is a hot topic in content switching. If using IP src sticky, as it seems you are doing, it wouldn't make much difference tweaking the persistent parameter.
    However, just for reference, it may occur that CSS may need to switch servers within the same rule due to two particular reasons:
    1) sticky cookies/cookieurl/url
    2) sorry servers
    So, by default the CSS, once matched the content rule, will take only one LB decision per TCP connection, based on the first HTTP request.
    With HTTP 1.1 a connection may be used for several requests and responses, and potentially a new LB decision might be needed on each request, if this is the case the CSS needs to be explicitly configured with:
    #no persistent
    Now regarding flow-timeout-multiplier and sticky-inact-timeout, the former refers to the connection idle timeout parameter, it regulates the time a flow will remain in the connection table while idle. In other words, it is the time period that must elapse for an idle flow before the CSS cleans up the flow.
    Sticky-inact-timeout defines the inactivity timeout period on a sticky connection before the CSS removes the sticky entry from the sticky table.
    For more details on these parameters check these links:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/command/reference/CmdGrpC.html#wp1139589
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/command/reference/CmdOwCnt.html#wp1141110

  • Load balance and 60 second sticky

    Is it possible to set up a content rule on my css11506 as:
    A Round Robin scheme
    60 second sticky on ports ?
    Any comments will be appreciated
    Thanks in advance

    Have you tried to create a rule with the following commands:
    balance roundrobin
    sticky-inact-timeout 1
    The time out on the sticky is in minutes.
    Jim

  • What SSL accelerator and load-balancer does anyone recommend?

    Hi:
    I wanted to find out:
    Does anyone recommend SSL accelerator cards/boards or SSL accelerator appliances?
    What SSL accelerator and load balancer does anyone recommend to help 9iAS?

    Ana_Alm wrote:
    Hi there!
    I just downloaded and installed OS X Lion, and I'm loving it so far.
    However, I've seen that Mountain Lion will have some new features when it comes to social apps (what I call the ones that combine twitter, facebook, rss readers and so on).
    So, does anyone know any cool apps for that? I'm currently using Socialite, that combines all those three, but it has a few issues I don't particularly like. Plus, I'm using Adium for a msn client. I'm also thinking about downloading that beta version of "Messages" that will be released on Mountain Lion.
    So, what do you think? Give me your ideas
    Thanks a lot in advance!
    As Mountain Lion has not been released to the public yet, then most of us have no idea which companies have updated the development of their Apps for  ML. It is in Development phase so any App you try is at your own risk.
    Good Luck
    Pete

  • Load Balancer and SSL

    What is the correct/recommended way to configure ssl through the load balancer with the DS or DPS? I see 3 options:
    1. SSL termination at the load balancer level
    2. using wildcard certs
    3. specifying the subjectAlternativeName in the cert.
    I am currently looking at using 2 or 3 and have some questions. 2 seems like the best option and makes it more seamless to applications if you bring in an additional backend server, then you don't need to load any other certs for any applications.
    For option 3 how can you specify the subjectAlternativeName when generating a CSR? I don't see any way of doing that except mentioned here. I see in the Access Manager docs (http://docs.sun.com/app/docs/doc/819-5899/gcdvv?l=ru&a=view) to specify the Subject DN as the load balancer name. Will this work correctly without having the subject DN as the FQDN of the DS/DPS?

    I'm not sure your 3 options are mutually exclusive. We're going to be doing a combination of 1 and 2. We're going to purchase a wildcard certificate and put it on our load balancer. The SSL traffic will terminate at the load balancer and go straight LDAP from the load balancer to the DS host.

  • SSL termination and redirect

    We have moved SSL termination to a loadbalancer (F5) from the Sun webservers. The load balancer after terminating SSL goes to the http listener on the webservers. We have some NSAPI code that does a redirect. It used to do the redirect based on the original scheme of the listener (if http then the redirect was http based. If https then redirect https). Of course, now all redirects come back http even though the user may have an https session.
    For weblogic we can feed a header from the F5 (WL-PROXY-SSL) and it would recognize that a load balancer was used for SSL termination and perform java redirects using the correct scheme. Is there any header like this I can feed to the Sun Webserver so it recognizes that a loadbalancer has terminated the SSL session and any redirects should be https?

    It might be easiest to configure separate HTTP listeners (e.g. separate ports) for SSL and non-SSL requests. You can configure which scheme should be used in self-referencing URLs (such as those used in redirects) per HTTP listener. In Sun Java System Web Server 7.0, you can do that using the admin GUI, CLI, or by editing the server.xml configuration. If you edit server.xml, you need to specify the <server-name> element in the appropriate <http-listener> element.

  • 2 quest ssl offload and DR

    1. SSL offload - how do I secure a clear text pwd sent from the ACE to the serverfarm?
    2. If there are 2 DR sites, say CA and UK, and CA has an earthquake, can a pair of ACEs be designed to keep the website going in the UK?

    Hi,
    1/ ACE can be configured to setup a second ssl tunnel and encrypt data between ACE and server. For more details:
    http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/initiate.html
    Is this what you are looking for?
    2/ Where are the ACEs? Are they load balancing traffic to servers in both CA and UK?
    --Olivier

  • Replacing SSL keys and certificates for already defined services

    I have about 10 new 2048-bit keys and certs to replace existing 1024 bit keys and certs on my CSS11500 with SSL modules.
    I'm trying to figure out my options, now that I've got the files SFTP'ed to the CSS.
    I can create a new startup-config file for the CSS with the new files referenced by the SSL associate commands in the startup-config. This will require a reboot (not desired).
    I can come up with new associations for the new files, then suspend the ssl-proxy-list and edit it to use the new associations. This doesn't require a reboot but then I have to clear out the old associations before I can delete the old key/cert files.
    Is there any way to force the CSS to "overwrite" an existing SSL association without rebooting the CSS?

    The "clear file filename password" command will help you to clear SSL certificates and private keys from the CSS that are no longer valid.
    Please check if the below URL could help:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdGenA.html#wp1030153

  • Opening Balances and Closing Balance of customer

    Hi,
    Does SAP provide any standard customer account statement for Opening Balances and Closing Balance for specific date range have given in selection screen?
    The statement also contains reference number, order, and Delivery number.
    Note: FBL5N Transaction code will not sufficient for the requirement, so looking for any other transaction code / report provided by SAP already for it.
    Thanks in advance,
    Shwetha

    Hi,
    There are several standard reports which could be easily accessed through the menu (Accounts Receivable - Information systems). If none of these reports suits your requirement, you have to develop your own.
    Regards,
    Eli

  • Cannot access to any site with ssl connection and fail to open safari and keychain, unless restart computer and login in with Guest account.

    when Update to 10.7.2 ,I cannot access to any site with ssl connection and fail to open safari and keychain, unless restart computer and login in with Guest account.
    OS:10.7.2
    Macbook Pro 2010-mid 13inch

    I also have the same problem, however if I use Firefox or Opera sites with ssl connection work fine. Still, I can't use Google Chrome (ssl), Safari (ssl), the Mac app store (generally), or the iTunes store (generally). Both the iTunes store, Safari and the app store won't respond, and Chrome displays this error: (net::ERR_TIMED_OUT). The problem persists regardless of what network I'm using. Also, when trying to access the keychain or iCloud, the process will not start (will hang). I didn't have these problems at all before updating to 10.7.2.
    Sometimes rebooting helps, and sometimes not. If the problem disappears by rebooting, then it only lasts a few minutes before it reappears. It is very frustrating, especially since there doesn't seem to be any obvious or consistent way of which to fix it.
    I'm also using a Macbook Pro 13-inch mid 2010.

  • S_ALR_87012247 - Customer Balances and Line Items in Local Currency

    Hi All,
    This report S_ALR_87012247 - Customer Balances and Line Items in Local Currency  is not displaying line items for customers in ECC6. Is there any configuration required to get the line items? Please help
    Thanks
    Sridevi

    If you see this report S_ALR_87009950, you will get
    Opening Balance at the start of fiscal year
    Debits and Credit during the reporting period
    and the Cumulative Balance.
    Please note the above report will not give you line item details.
    The S_ALR_87012247 report is specifically for Poland; in the description it is mentioned that the line items will be displayed. Unfortunately, for other countries, there are no line items visible. Therefore, you may explore the possibility of copying this report and changing the code in order to bring the line items along with the totals.

  • Difference between GL balance and Vendor Subledger account

    Dear
    I have found a difference between the GL A/C balance and the vendor Balance report on the reconciliation account for the company code.
    What I have observed is that every year, the balance carry forward amount is different on the General Ledger report (S_ALR_87012277) and the Sub Ledger report (S_ALR_87012082).
    Why is the amount different on these two reports? Principally, whenever we post any amount to a vendor account, the entry is passed on to the Subledger account.
    Here when I run the GL report and the Subledger report for the same account, let's say 1610000 recon account, the balances are different.
    What can be the reason and how to correct it?
    Thanks

    Hi
    There could be many reasons:
    1. You have posted Special GL Transactions to vendor, which is a subledger A/c. In such a case, system would post to different reconciliation accounts.  Check for totals of all the reconciliation a/c
    2. There is a change in the reconciliation a/c  in the vendor master and you have not run F101 for the same
    Regards
    Sanil Bhandari

  • House bank account balances and turnovers

    Hello,
    at our customer company we have configured few G/L accounts for multiple bank accounts - e.g. one for each house bank ID per local/foreign currency - so for each bank we have two G/L accounts configured. This works very well until we need to see the turnovers and opening and closing balances per each house bank account. Are there any alternative possibilities to see that in SAP apart from customizing a report from FEBKO and FEBEP tables?
    Thanks in advance,
    Joaniuka

    Hi,
    When you enter the transaction and select a statement or group of statements you can click on “other display”. Then you can see an ALV with all the entries in the statements you have selected. Opening Balance, closing balance and posting date are available in the ALV among many other fields.
    Regards,
    Daniel
