IM sticky loadbal
Hi,
A new requirement with our client is to run Instant Messaging (chat) servers behind a CSS. We need to load balance between a pool of "Microsoft Live Communications Server 2005 with SP1 Enterprise Edition".
Has anyone tried these servers behind a CSS?
What adv-bal sticky would you recommend? MS recommends TCP-level affinity. I could not find anything other than src-ip-dest-port. Any help much appreciated.
thanks
I would use layer 4 sticky.
Using Layer 4 Sticky
Layer 4 sticky functions identically to Layer 3 sticky, except that it sticks based on a combination of source IP address, protocol, and destination port. Layer 4 sticky also uses a sticky table and has the same limitations as Layer 3 sticky.
If the CSS sees the same IP address with two different destination ports, it will use two entries. You can also apply a sticky mask to Layer 4 sticky.
If you are concerned about whether your site can handle all of the simultaneous sessions, then consider using the Layer 5 advanced-balanced methods of arrowpoint-cookie, cookie, cookieurl, or url.
Read more about it at this link.
Please rate if you find it useful.
http://www.cisco.com/en/US/customer/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080772d96.html#wp1073275
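To make the entry-count behaviour above concrete, here is an added model of a Layer 4 sticky table (this is not CSS code and not from the original thread). It assumes a round-robin predictor behind the table, an inactivity timeout in seconds, and that the sticky mask is applied to the source address before the key is built; the ports 5060/5061 in the demo are the usual SIP ports and are only sample input.

```python
import ipaddress
from itertools import cycle

# Added model of CSS layer 4 sticky (not CSS code). Assumptions: the predictor
# is round robin, the timeout is an inactivity timeout in seconds, and the
# sticky mask is applied to the source address before the key is built.


class Layer4StickyTable:
    """Sticky table keyed on (masked source IP, protocol, destination port)."""

    def __init__(self, servers, sticky_mask="255.255.255.255", inact_timeout=300):
        self.servers = list(servers)
        self.mask = int(ipaddress.IPv4Address(sticky_mask))
        self.timeout = inact_timeout
        self.table = {}                          # key -> [server, last_seen]
        self._predictor = cycle(self.servers)    # assumed: plain round robin

    def key(self, src_ip, proto, dst_port):
        """The tuple the CSS looks up: two destination ports give two entries."""
        masked = ipaddress.IPv4Address(int(ipaddress.IPv4Address(src_ip)) & self.mask)
        return (str(masked), proto.upper(), int(dst_port))

    def select(self, src_ip, proto, dst_port, now):
        """Return the server for a new connection, reusing a live sticky entry if any."""
        k = self.key(src_ip, proto, dst_port)
        entry = self.table.get(k)
        if entry is not None and now - entry[1] <= self.timeout:
            entry[1] = now               # inactivity timer is refreshed on use
            return entry[0]
        server = next(self._predictor)   # expired or new key: load balance normally
        self.table[k] = [server, now]
        return server

    def entries(self):
        return len(self.table)


if __name__ == "__main__":
    t = Layer4StickyTable(["lcs-1", "lcs-2"])
    # constructed traffic: one client talking to two destination ports
    print(t.select("10.1.1.5", "tcp", 5061, now=0))
    print(t.select("10.1.1.5", "tcp", 5061, now=10))
    print(t.select("10.1.1.5", "tcp", 5060, now=20))
    print(t.entries(), "sticky entries for one client")
```

With a /24 sticky mask two hosts in the same subnet share one entry, which is what makes the table smaller at the cost of coarser distribution.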
Similar Messages
ACE 3.0(0) SW / LB with SSL Session-ID
Hello!
I want to use the "SSL Session-ID" sticky method in load balancing, but can't find any info about it in the 3.0(0)A1(2) software configuration guides. Where can I find info about it? Or is this method supported only in the old A2(1.0) release?
Thanks.
SSL Session ID Sticky to ensure Client Persistence
1. Demonstrate the ability to provide stickiness using the SSL Session ID. To do this you will need the Generic Protocol Parsing framework on the ACE. With the right regular expression you will be successful!!
2. Before you begin to configure the SSL Sticky group, be sure that you have allocated resources to the sticky group. Note this is done in the Admin context.
resource-class cart
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 1.00 maximum equal-to-min
context Lab-Cart-11
allocate-interface vlan 211
allocate-interface vlan 411
member cart
3. Create an SSL-v3 sticky group and associate the serverfarm. It is a good idea to configure a sticky timeout value. This specifies the period of time that the ACE keeps the sticky information in the sticky table. Note the ACE resets the timer each time it opens a connection matching that entry. Also configure the Layer 4 sticky parameters for a 32-byte session ID.
sticky layer4-payload ssl-v3
timeout 600
serverfarm HTTPS-FARM
response sticky
layer4-payload offset 43 length 32 begin-pattern "\x20"
When a new session is established between client and server, the server
generates a session id. The session id is an arbitrary sequence of bytes.
The length of the session id is 16 bytes for SSLv2 sessions and between 1
and 32 bytes for SSLv3/TLSv1. The session id is not security critical but
must be unique for the server. Additionally, the session id is transmitted
in the clear when reusing the session so it must not contain sensitive
information.
4. Create a class-map to match the layer 4 payload.
class-map type generic match-any SSL-v3-32
2 match layer4-payload regex "\x16\x03\x00..\x01.*"
3 match layer4-payload regex "\x16\x03\x01..\x01.*"
5. Create a new generic load balance policy map and associate the sticky-serverfarm under the class.
policy-map type loadbalance generic first-match SSL-v3-Sticky
class SSL-v3-32
sticky-serverfarm ssl-v3
6. Change the client-vips policy map to reference the new SSL-v3-Sticky policy you just created.
policy-map multi-match client-vips
class VIP-HTTPS
loadbalance vip inservice
loadbalance policy SSL-v3-Sticky
loadbalance vip icmp-reply active
7. Verify the VIP is accessible by trying to hit the VIP.
8. View the connection using the show conn command.
Pod1-ACE/Lab-Cart-11# show conn
total current connections : 1
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
10         1  in  TCP   211  209.165.201.11:1115   172.16.11.190:443     ESTAB
9. Interesting, I can see that the first connection has been set up. Why is the ACE not load balancing the connection to the server?
10. I need to configure an L7 parameter map with a max parse-length.
parameter-map type generic SSL-v3
set max-parse-length 70
11. Associate the parameter map to the client-vips policy map
policy-map multi-match client-vips
class VIP-HTTPS
loadbalance vip inservice
loadbalance policy SSL-v3-Sticky
loadbalance vip icmp-reply active
appl-parameter generic advanced-options SSL-v3
12. Verify the VIP is now accessible by trying to hit the VIP.
Hello,
we have some trouble with our sticky configuration on an ACE Module.
We would like to do session persistence on an URL cookie with the name jsessionid.
now, I found a presentation about HTTP cookie troubleshooting with following:
=> If the cookie is not found, then the ACE looks for a string in the URL, starting with one of the characters /?&#+ and
followed by a "=", then parses that value.
=> Our URL: https://www-testtest.de/test/index.do;jsessionid=B05404082849E51068A764120663B36E-!server=1
=> The cookie starts with a ";". Could this be our problem?
=> If yes, is it possible to configure the ACE to look also for the ";" string.
The sticky configuration part looks like the following,
service-policy input pmap_TEST
policy-map multi-match pmap_TEST
class cmap-WWW_HTTPs
loadbalance vip inservice
loadbalance policy HTTPs-sticky
loadbalance vip icmp-reply
ssl-proxy server ssl-proxy_TFU-3
class-map match-any cmap-WWW_HTTPs
2 match virtual-address 1.2.3.4 tcp eq https
policy-map type loadbalance http first-match HTTPs-sticky
class class-default
sticky-serverfarm sticky-cookie
action actlist_HTTPMODIFY-http_https
sticky http-cookie jsessionid sticky-cookie
cookie offset 0 length 42
cookie secondary jsessionid
timeout 35
replicate sticky
serverfarm sfarm_Test
best regards
Bernd
Hello litrenta,
Thanks for your fast reply,
according to the config guide there are two options:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1245246
=> Defining URL Delimiters
=> Defining the secondary cookie start
our URL cookie starts with a ";", so shouldn't we use "set secondary-cookie-start" instead of the "set secondary-cookie-delimiters" command, or will we have the same result with both commands?
Regards
bhoehenberger
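As an added illustration of the delimiter rule quoted in this thread (this is not ACE code and is not from the original posts): a small URL-cookie locator that only accepts a cookie name preceded by one of the configured delimiter characters, or by an explicit secondary-cookie-start string. It assumes the value runs until the next delimiter character or ";" and that "cookie offset N length M" is a plain slice of that value; the URL used in the demo is the one posted above.

```python
# Added example (not ACE code): what "look in the URL for <delimiter>name=" does,
# and why ";jsessionid=..." is missed unless ";" is in the delimiter set or is
# configured as the secondary cookie start. Value terminators are assumed to be
# the same delimiter characters plus ";".

DEFAULT_DELIMITERS = "/?&#+"


def find_url_cookie(url, name, delimiters=DEFAULT_DELIMITERS, start=None):
    """Return the value following '<delimiter><name>=' in the URL, or None."""
    prefixes = [d + name + "=" for d in delimiters]
    if start is not None:                     # explicit secondary-cookie-start
        prefixes.append(start + name + "=")
    best = None
    for prefix in prefixes:                   # earliest occurrence wins
        i = url.find(prefix)
        if i != -1 and (best is None or i < best[0]):
            best = (i, len(prefix))
    if best is None:
        return None
    begin = best[0] + best[1]
    end = begin
    terminators = set(delimiters) | {";"}
    while end < len(url) and url[end] not in terminators:
        end += 1
    return url[begin:end]


def sticky_value(url, name, offset=0, length=None, **kwargs):
    """Apply 'cookie offset N length M' to the located value."""
    value = find_url_cookie(url, name, **kwargs)
    if value is None:
        return None
    return value[offset:] if length is None else value[offset:offset + length]


if __name__ == "__main__":
    # URL from the post above
    url = ("https://www-testtest.de/test/index.do;"
           "jsessionid=B05404082849E51068A764120663B36E-!server=1")
    print(find_url_cookie(url, "jsessionid"))                   # None: ";" is not a delimiter
    print(find_url_cookie(url, "jsessionid", start=";"))        # full 42-character value
    print(sticky_value(url, "jsessionid", 0, 32, start=";"))    # the session hash only
```

Note that "offset 0 length 42" as configured in the post covers the whole value including the "-!server=1" suffix; a length of 32 would key on the hex session part alone.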
11503 Loadbalance SSL sticky and HTTP not sticky to proxy-cache
I am using an 11503 to balance 200 schools' traffic to 5 caches. Some of the schools have firewalls, so the CSS sees their PCs as coming from a single IP. If I set the rule to balance sticky then the load is not spread evenly to the 5 proxies, causing them to get overloaded from time to time.
If I balance the load non-sticky (say leastconn) then users have trouble accessing certain SSL sites.
Does anyone know a good solution for this?
Hi Joerg,
Thanks for your reply. How would you code your solution? Currently I am using the following to work around particular sites:
service Proxy1
ip address 10.0.0.11
type proxy-cache
active
service Proxy2 ... etc
**************************** DQL ****************************
dql domains-no-balance
domain www.dontbalancethissite.com
domain ... etc
!*************************** OWNER ***************************
owner admin
content Proxy-servers
add service Proxy1
add service Proxy2
add service Proxy3
add service Proxy4
add service Proxy5
protocol tcp
port 3128
vip address 10.0.0.100
sticky-inact-timeout 5
balance leastconn
active
content no-load-balance
vip address 10.0.0.100
advanced-balance sticky-srcip
balance leastconn
add service Proxy1
add service Proxy2
add service Proxy3
add service Proxy4
add service Proxy5
protocol tcp
port 3128
url "/*" dql domains-no-balance
sticky-inact-timeout 5
Regards,
Ben
Connection is not following the Sticky database when one router is coming back up.
Dear Team,
We have 2 routers configured in Cisco ACE (Router 1: 10.250.226.4, Router 2: 10.250.226.6) and VIP 10.250.226.19. In a normal scenario all the client connections are perfectly handled by the ACE and it sends the client requests to the router as per the sticky database. When router 10.250.226.4 is down, the ACE clears all the sticky database entries belonging to 10.250.226.4. All the client connections are shifted to router 10.250.226.6.
When router 10.250.226.4 comes back up, the backup connections are not load balanced properly. That is, the connection is not following the sticky database for the second connection of the same IP, causing issues in establishing IPsec connectivity. Please find the output below.
switch/RRI# sh sticky database client 10.239.10.86
sticky group : STIK-RRI-FRM
type : IP
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+--------------------------------+--------------+-------+
10.239.10.86 CISCO-7206-06:0 65274 -
switch/RRI# show conn | i 10.239.10.86
1517152 2 in UDP 90 10.239.10.86:4500 10.250.226.19:4500 --
1427552 2 out UDP 9 10.250.226.4:4500 10.239.10.86:1637 --
3051606 2 in UDP 90 10.239.10.86:500 10.250.226.19:500 --
3049659 2 out UDP 9 10.250.226.6:500 10.239.10.86:44977 --
Please find below the sample configuration we have done on the ACE.
parameter-map type connection UDP_PARAM_MAP
set timeout inactivity 86450
sticky ip-netmask 255.255.255.255 address source STIK-RRI-FRM
replicate sticky
serverfarm RRI-FRM
class-map match-all RRI-VIP
2 match virtual-address 10.250.226.19 any
policy-map type loadbalance first-match RRI-VIP-l7slb
class class-default
sticky-serverfarm STIK-RRI-FRM
policy-map multi-match RRI
class RRI-VIP
loadbalance vip inservice
loadbalance policy RRI-VIP-l7slb
loadbalance vip icmp-reply
connection advanced-options UDP_PARAM_MAP
interface vlan 90
ip address 10.250.226.17 255.255.255.240
peer ip address 10.250.226.18 255.255.255.240
access-group input ALL
access-group output ALL
service-policy input REMOTE_MGMT
service-policy input RRI
no shutdown
As per the analysis it looks like bug CSCsv63364 or CSCsu95356. Kindly suggest how we can resolve this issue.
Image version: A2(3.4)
Thanks in advance.
Regards,
Ranjith
Hi,
It's important to know whether there was a sticky entry when the router went down and at the time it came back up. Least connections shouldn't be a problem here.
If the IPsec connection is active but not the UDP 500 connections, after the timeout the UDP 500 connections will be removed as well as the sticky entry. If the currently active IPsec connection suddenly needs to refresh SAs, a new UDP 500 connection will be opened and it could be sent to a different server. There is no evidence that this is the problem, but I want to try a higher sticky timeout as a fix for this.
Siva
ACE SSL Sticky class-map generic vs class default differences.
There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Giles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.
Can anyone explain the benefits and differences of using a specific class-map generic such as this:
class-map type generic match-any SSL-v3-32
2 match layer4-payload regex "\x16\x03\x00..\x01.*"
3 match layer4-payload regex "\x16\x03\x01..\x01.*"
Versus just matching class default?
So if I have a configuration such as this:
policy-map type loadbalance generic first-match SSL-v3-Sticky
class SSL-v3-32
sticky-serverfarm ssl-v3
vs
policy-map type loadbalance generic first-match SSL-v3-Sticky
class class-default
sticky-serverfarm ssl-v3
What's the benefit or drawback?
The SSL session id is only available in version 3.0.1 and 3.1.1.
So you can match this particular version and then attempt to do stickiness.
You are guaranteed to find what you're looking for.
If you match class-default it means you apply stickiness to any version of SSL packet.
So there is a risk of misinterpreting the content of the packet and sticking on something other than the session id.
Gilles.
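Both the SSL session-ID sticky procedure ("ACE 3.0(0) SW / LB with SSL Session-ID", steps 3 to 12 above) and the class-map versus class-default question in this thread are about the same bytes of the ClientHello. The following is an added example (not ACE code and not from either thread) that lays out those bytes, applies the two class-map regexes, and reads the sticky value the way "layer4-payload offset 43 length 32 begin-pattern \x20" is written. It assumes the regex is applied at the start of the TCP payload and that the sticky value is the 32 bytes after the 0x20 length byte at offset 43; the ClientHello messages are constructed, with one cipher suite and no extensions.

```python
import re
import struct

# Added example (not ACE code): the ClientHello bytes that the class-map regexes and
# "layer4-payload offset 43 length 32 begin-pattern \x20" are written against.
# Assumptions: the regex is applied at the start of the TCP payload, and the sticky
# value is the 32 bytes that follow the 0x20 length byte at offset 43.
#
# SSLv3 / TLS 1.0 ClientHello record layout (offsets in the TCP payload):
#   0      content type 0x16 (handshake)      5      handshake type 0x01 (ClientHello)
#   1-2    record version 0x0300 / 0x0301     6-8    handshake length
#   3-4    record length                      9-10   client version
#   11-42  client random (32 bytes)           43     session_id length (0x20 = 32)
#   44-75  session_id (when it is 32 bytes long)
CLASS_MAP_SSL_V3_32 = [
    re.compile(rb"\x16\x03\x00..\x01.*", re.DOTALL),   # "2 match" line in the class-map
    re.compile(rb"\x16\x03\x01..\x01.*", re.DOTALL),   # "3 match" line in the class-map
]


def matches_class_map(payload):
    """True when class-map SSL-v3-32 would classify this payload."""
    return any(rx.match(payload) for rx in CLASS_MAP_SSL_V3_32)


def extract_session_id(payload, offset=43, length=32):
    """What the sticky group reads: begin-pattern 0x20 at `offset`, then `length` bytes."""
    if len(payload) < offset + 1 + length or payload[offset] != length:
        return None            # first connection (empty ID) or a different ID length
    return payload[offset + 1:offset + 1 + length]


def sticky_value(payload):
    """Policy-map behaviour: classify, then extract. class-default would skip the check."""
    if not matches_class_map(payload):
        return None
    return extract_session_id(payload)


def build_client_hello(version, session_id, client_random=bytes(32)):
    """Constructed SSLv3/TLS ClientHello with one cipher suite and no extensions."""
    body = (struct.pack("!H", version) + client_random
            + bytes([len(session_id)]) + session_id
            + b"\x00\x02\x00\x2f"      # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")             # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def build_sslv2_client_hello(challenge=bytes(16)):
    """Constructed SSLv2-format ClientHello: different layout, first byte has the high bit set."""
    cipher_specs = b"\x00\x00\x2f"
    body = (b"\x01\x03\x01" + struct.pack("!HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


if __name__ == "__main__":
    resumed = build_client_hello(0x0301, bytes(range(32)))   # resumption: 32-byte ID
    first = build_client_hello(0x0301, b"")                  # first connection: no ID yet
    print(matches_class_map(resumed), sticky_value(resumed).hex())
    print(matches_class_map(first), sticky_value(first))
    print(matches_class_map(build_sslv2_client_hello()))
```

The first ClientHello of a client carries an empty session ID, so it matches the class-map but yields no sticky value and is load balanced normally; the ID the server assigns is then presented at offset 43 on resumption. An SSLv2-format hello, or a record version the class-map does not list, never reaches the offset read, which is the point of matching the version bytes rather than class-default.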
ACE Sticky Connections, Show Conn Output and Show serverfarm
Hi Community,
I'm deploying a Cisco ACE module and I have some questions about sticky connections and about the output of the show conn command and show serverfarm command.
I have the following configuration:
rserver host srv_1
ip address 10.4.11.14
inservice
rserver host srv_2
ip address 10.4.11.18
inservice
serverfarm host farm_144
rserver srv_1 144
weight 1
inservice
rserver srv_2 144
weight 3
inservice
sticky ip-netmask 255.255.255.255 address source st_host144
timeout 10080
serverfarm farm_144
class-map match-all vip_144
2 match virtual-address 10.4.11.208 tcp eq 143
policy-map type loadbalance first-match lb_144
class class-default
policy-map multi-match policy_vip_webcache
class vip_webcache_144
loadbalance vip inservice
loadbalance policy lb_144
loadbalance vip icmp-reply active
nat dynamic 411 vlan 411
We can assume that service policy was applied at the interface vlan. So, let's go to the questions:
1- If sticky is enabled, should the output of the "show conn" command show just one entry per IP address?
The real output is:
DC01-ACE-01-PRIMARY-SW1/context_servidores# show conn | inc :143
333046 1 in TCP 411 10.2.158.87:3616 10.4.11.208:143 ESTAB
286390 3 in TCP 411 10.2.158.87:3562 10.4.11.208:143 ESTAB
310233 1 in TCP 411 10.1.5.87:3424 10.4.11.208:143 ESTAB
Note that the IP address 10.2.158.87 is shown 2 times. Sometimes the same IP address is shown 4 times for the same VIP and the same port. Is this normal behavior?
2- According to the configuration, srv_2 has weight 3 and srv_1 has weight 1, but the output of show serverfarm shows something strange:
DC01-ACE-01-PRIMARY-SW1/context_servidores# show serverfarm farm_144
serverfarm : farm_144, type: HOST
total rservers : 2
state : ACTIVE
DWS state : DISABLED
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: srv_1
10.4.11.14:144 1 OPERATIONAL 11 386 0
rserver: srv_2
10.4.11.18:144 3 OPERATIONAL 35 66 0
We can see that the weight is working well, but the total of connections is higher at srv_1 than srv_2. Why?
Can somebody help me understand this problem better, or is it normal behavior?
Thanks in advance!!
Hi Gaurav,
About question 1, I got some information too. It's perfectly normal for the client to open 2 or more connections at the same time. The client's application is responsible. We removed the ACE and connected the client directly to the server, and the total number of connections opened was the same.
About question 2, I did some "clears" on the serverfarm and the sticky database, and after that the numbers were more realistic.
DC01-ACE-02-SECONDARY-SW1/context_servidores# sh serverfarm farm_webcache_144
serverfarm : farm_webcache_144, type: HOST
total rservers : 2
state : ACTIVE
DWS state : DISABLED
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: srv_webcache_1
10.4.11.14:144 1 OPERATIONAL 1025 15499 4436
rserver: srv_webcache_2
10.4.11.18:144 2 OPERATIONAL 1794 33471 471
DC01-ACE-02-SECONDARY-SW1/context_servidores#
Anyway thank you very much for your feedback.
Plínio Monteiro
ACE: Can I loadbalance based on client Source IP/and client tcp source port?
We recently migrated serving a client from being a thick client at the desktop to being served via a Citrix farm. Prior to the migration the clients came from about 5000 unique source IPs to their VIP; now they come from only 31 unique source IPs from the Citrix servers in the farm. A Citrix server can host 400 client sessions, and since the default action of the ACE is to load balance based on source IPs, the ACE is sending up to 400 sessions from one Citrix server to 1 real server in the farm. Is there any way I can load balance based on client source IP and TCP source port so the ACE views the 400 sessions from one Citrix server as unique sessions? The application does not require persistence.
Hello,
Yes, you can configure a "Sticky Layer 4 Payload" as described at this link:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/command/reference/sticky.html#wp1039276
Unfortunately I do not have any working example. You must calculate the right values for the Offset and the Length to configure.
Regards Jean-Marc
Hello,
I am trying to resolve an issue involving load balancing of Oracle using Cisco ACE load balancers. It is not too complicated of a setup, at least I don't think. There are two rservers in a server farm. I have the server farm nested within a sticky http-cookie section so that server persistence using cookies is used. During the basic testing, the load balancing is working as expected. For example, Server 1 is manually brought down and I can verify that new sessions are being served by Server 2 and vice versa.
The issue comes in when, during testing, the user clicks on a module within the main Oracle web-based application. Doing this causes a new session to be created. When this new session is created, I believe it is sent to a new server in the pool instead of being sent to the same server. It needs to be sent to the same server because that is where the user logged into the main application. Because the new server where this new session is being sent doesn't have any record of the original login, it rejects this new session. So what I was told by Oracle support is that I need to have the ACE LB load balance by instance instead of session. I don't know if this is possible. I have pasted a sample of the config which is in use. Can someone advise if there is a command which I am not aware of which can accomplish the above stated goal?
probe tcp TCPHTTPTEST
port 80
interval 5
faildetect 2
passdetect interval 5
passdetect count 2
expect status 200
request method get url /forms/lservlet
rserver host ORACLE_TEST_1
ip address 10.10.110.101
inservice
rserver host ORACLE_TEST_2
ip address 10.10.110.103
inservice
serverfarm host ORACLE_TEST_HTTP_FARM
failaction reassign
predictor leastconns
probe TCPHTTPTOATST
rserver NOVHQERP_TOATST_1 80
inservice
rserver NOVHQERP_TOATST_2 80
inservice
sticky http-cookie ORACLE_TEST GROUP8
cookie insert
serverfarm ORACLE_TEST_HTTP
replicate sticky
class-map match-all ORACLE_TEST_VIP
2 match virtual-address 172.30.110.57 tcp eq 80
policy-map type loadbalance first-match ORACLE_TEST
class class-default
sticky-serverfarm GROUP8
policy-map multi-match CLIENT_VIPS
class ORACLE_TEST_VIP
loadbalance vip inservice
loadbalance policy ORACLE_TEST
loadbalance vip icmp-reply active
nat dynamic 1 vlan 110
Thanks in advance,
Adil
Hi Kanwalsi,
Thank you for your response. When I say new session, I mean a new browser window or tab is launched when a user clicks on a specific module within the main application. Or this can be translated to mean a new quintuple (source ip: source port -> destination ip: destination port and protocol) is initiated between the client and the server.
If you look at the sample config, server persistence using cookies is configured. I don't have persistence rebalance configured. Could this be the missing configuration I need to keep the client to use the same rserver within the same Oracle instance (for example, user logs into a single instance but clicks on multiple modules within an instance)?
Adil
I have configured 3 different serverfarms with their realservers.
2 of them are for websites, the other 1 is for webservices.
I also have configured a sorry serverfarm and its rserver.
On the sorry rserver I have configured 2 maintenance websites, each listening to a unique host header.
So for serverfarms A & B I have configured a separate maintenance website.
Now when I take rservers from serverfarm A or B down, the sorry server will get active for the needed farm.
However I can only reach 1 maintenance website. And even so, a URL used to reach farm A gets the maintenance site from B.
This is strange behaviour; doesn't a sorry server just accept requests with the host header requested by the client?
Also, when I put the rservers from A and B back into service I have to do a "clear sticky database all", otherwise the sorry server will remain active.
What is wrong here?
probe http EHIC-http
description Test op WWW functionaliteit
interval 10
passdetect interval 30
request method get url http://acc.site-B.nl/web/
expect status 200 200
header Host header-value "acc.site-B.nl"
expect regex 1.8.0.2
probe http WWW-http
description Test op WWW functionaliteit
interval 10
passdetect interval 30
request method get url http://acc.site-A.nl/web/default.aspx
expect status 200 200
header Host header-value "acc.site-A.nl"
expect regex v1.9.2.327
serverfarm host EHIC-FARM
failaction purge
predictor leastconns slowstart 30
probe EHIC-http
rserver ehic_server01.site-B.nl
inservice
serverfarm host SORRY-FARM
failaction purge
predictor leastconns
rserver sorrypage.site-C.nl
inservice
serverfarm host WBS-FARM
failaction purge
predictor leastconns slowstart 30
probe ICMP-PROBE
rserver acc-wbs01v.site-D
inservice
rserver wbs_01.site-D
inservice
rserver wbs_02.site-D
inservice
serverfarm host WWW-FARM
failaction purge
predictor leastconns slowstart 30
probe WWW-http
rserver acc-www01v.site-A
inservice
rserver acc_server01.site-A
inservice
rserver acc_server02.site-A
inservice
sticky ip-netmask 255.255.255.255 address source EHIC-FARM-STICKY
serverfarm EHIC-FARM backup SORRY-FARM
sticky ip-netmask 255.255.255.255 address source WWW-FARM-STICKY
serverfarm WWW-FARM backup SORRY-FARM
class-map match-any EHIC-VIP
2 match virtual-address 172.30.9.4 tcp eq https
3 match virtual-address 172.30.9.4 tcp eq www
class-map match-any WBS-VIP
6 match virtual-address 172.30.5.4 tcp eq www
7 match virtual-address 172.30.5.4 tcp eq https
class-map match-any WWW-VIP
2 match virtual-address 172.30.6.4 tcp eq www
3 match virtual-address 172.30.6.4 tcp eq https
policy-map type loadbalance first-match EHIC-FARM-STICKY-BALANCE
class class-default
sticky-serverfarm EHIC-FARM-STICKY
policy-map type loadbalance first-match WBS-FARM-BALANCE
class class-default
serverfarm WBS-FARM
policy-map type loadbalance first-match WWW-FARM-STICKY-BALANCE
class class-default
sticky-serverfarm WWW-FARM-STICKY
policy-map multi-match LOADBALANCING-EHIC
class EHIC-VIP
loadbalance vip inservice
loadbalance policy EHIC-FARM-STICKY-BALANCE
loadbalance vip icmp-reply active
appl-parameter http advanced-options EHIC-PARAMETERS
policy-map multi-match LOADBALANCING-WBS
class WBS-VIP
loadbalance vip inservice
loadbalance policy WBS-FARM-BALANCE
loadbalance vip icmp-reply active
appl-parameter http advanced-options WBS-PARAMETERS
policy-map multi-match LOADBALANCING-WWW
class WWW-VIP
loadbalance vip inservice
loadbalance policy WWW-FARM-STICKY-BALANCE
loadbalance vip icmp-reply active
appl-parameter http advanced-options WWW-PARAMETERS
Regards,
Sebastian
Hi Gilles,
Here is our full config, I only changed some domain names.
I'll try to describe the problem again:
We have published a website by VIP 172.30.6.4.
We have another website published by VIP 172.30.9.4.
These websites are hosted by realservers configured in 2 serverfarms and can be reached from the internet (secured by an ASA).
For both of these farms I have configured a sorry server. This sorry server should serve a webpage containing a maintenance message whenever a farm goes down.
The sorry server is configured with 2 websites, each listening to a specific host header. This host header is the same as configured on the rservers for the specific farm, 172.30.6.4 or 172.30.9.4.
So what I am trying to accomplish is that I only need 1 sorry server to serve 2 sorry webpages, of course listening to a host header to get 2 different sorry pages returned.
Now when I take all realservers for both serverfarms down, except for the sorry server, I can only reach 1 sorry page.
For example, sites A and B are down; when I try to reach site A I get to the sorry page of site A. But when I try to reach site B I also get served the sorry page of site A.
And also when I "inservice" all rservers again I have to do a "clear sticky database", otherwise the sorry server will remain active.
Now I have upgraded to the latest version of the ACE software, but I still have to test whether the same problem persists, so I will give feedback on this later.
Regards,
Sebastian
ACE - Balance HTTP and sticky only SSL/TLS
Hi there,
I have a situation that I am trying to solve. We have a lot of services through the ACE, but now I have to modify one of them, the PROXY servers.
I have six (6) servers working with Sticky, but with a MASK of 255.255.255.0, which produces an unbalanced situation at times, and that affects some servers depending on how many users are connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have around 700 /24 subnets.
I want to modify the configuration, specifically the MASK to 255.255.255.255, which is going to greatly increase Sticky resources. But thinking about optimizing Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kinds of SSL/TLS traffic (always using port 80 through the proxy servers), so I could use Sticky only for connections that need it, and leave other HTTP traffic without this feature.
I'm sorry, maybe I'm asking a silly question, but I don't have the experience to make this configuration, and I will appreciate your help.
Here is the actual configuration:
probe tcp HTTP
description Keepalive web servers
interval 20
passdetect interval 30
rserver host Server1
ip address 10.1.1.1
inservice
rserver host Server2
ip address 10.1.1.2
inservice
rserver host Server3
ip address 10.1.1.3
inservice
rserver host Server4
ip address 10.1.1.4
inservice
rserver host Server5
ip address 10.1.1.5
inservice
rserver host Server6
ip address 10.1.1.6
inservice
serverfarm host PRX
failaction purge
predictor leastconns
probe HTTP
rserver Server1
inservice
rserver Server2
inservice
rserver Server3
inservice
rserver Server4
inservice
rserver Server5
inservice
rserver Server6
inservice
sticky ip-netmask 255.255.255.0 address source sticky-PRX
timeout 60
serverfarm PRX
class-map match-any VIP-PRX
2 match virtual-address 10.10.10.101 tcp eq www
policy-map type loadbalance first-match POLICY-L7-PRX
class class-default
sticky-serverfarm sticky-PRX
policy-map multi-match PRX-Balance
class VIP-PRX
loadbalance vip inservice
loadbalance policy POLICY-L7-PRX
loadbalance vip icmp-reply
interface vlan 100
ip address 10.10.10.11 255.255.255.0
alias 10.10.10.10 255.255.255.0
peer ip address 10.10.10.12 255.255.255.0
no normalization
access-group output SOLO-SLB
service-policy input PRX-Balance
Thanks
Alexis
You might want to check out this new product called ITD.
A simpler and faster solution:
ITD provides :
ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
IP-stickiness
Resilient (like resilient ECMP)
VIP based L4 load-balancing
NAT (available for EFT/PoC). Allows non-DSR deployments.
Weighted load-balancing
Load-balances to large number of devices/servers
ACL along with redirection and load balancing simultaneously.
Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
The servers/appliances don’t have to be directly connected to N7k
Monitoring the health of servers/appliances.
N + M redundancy.
Automatic failure handling of servers/appliances.
VRF support, vPC support, VDC support
Supported on both Nexus 7000 and Nexus 7700 series.
Supports both IPv4 and IPv6
N5k / N6k support : coming soon
Blog
At a glance
ITD config guide
Email Query or feedback: [email protected]
Hi,
I have an http session between Web Server farm and Application Server Farm.
After the first HTTP request, the Application Server sends this packet (see file http_header.txt).
So, I configured http cookie Stickiness with Dynamic cookie learning:
sticky http-cookie JSESSIONID Cookie-Bea-Group
cookie offset 0 length 64
timeout 70
timeout activeconns
replicate sticky
serverfarm BEA8-SFARM-3
But it doesn't work. If the web server receives an answer from the Application server with only one set-cookie
Set-Cookie:JSESSIONID=xxxxx
it works;
if in the HTTP header there are two set-cookies, it doesn't work.
I need to stick the session based only on the JSESSIONID cookie.
Is it possible, and how?
Thanks
Dino
Hi Dear,
The ACE appliance/module has the dynamic cookie feature.
You then just need configure the cookie name and the box does the rest.
When static cookies are used there will only be one entry in the cookie database per real server. So, if ace-cookie is the only cookie defined and there are two servers, there will only be two entries in the sticky database, even if there are thousands of user sessions.
Dynamic cookie learning is another option for keeping the SAP session persistent. The sticky table can hold a maximum of four million dynamic entries (four million simultaneous users). The key is choosing the right cookie name.
Let's take the example of SAP, which sets a number of cookies for various purposes (note the ace_cookie was set by Cisco ACE using cookie insert, not SAP), but the saplb_* cookie is set by SAP specifically for load-balancers. It has the format saplb_=()[].
Here, the cookie value also helps to verify which server instance and physical node you are connected to.
The configuration process for cookie learning is similar-with a few changes in the syntax.
Example configuration:
sticky http-cookie saplb_* ep-cookie
replicate sticky
serverfarm EP-HTTP
policy-map type loadbalance http first-match ep-policy
class class-default
sticky-serverfarm ep-cookie
In the above examples, the replicate sticky command is used so that the cookie information is replicated to the standby Cisco ACE context. With this implementation, session persistence is maintained in the event of a failover. The default timeout is one day.
The show sticky data command retrieves the active sticky entries that have been dynamically learned. The value shown is not the actual cookie value, but a function of it created by Cisco ACE.
Example configuration:
switch/SAP-Datacenter# show sticky data
sticky group : ep-cookie
type : HTTP-COOKIE
timeout : 100 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+--------------------------------+--------------+-------+
6026630525409626373 SAP-EP:50000 5983
Load Balancing Identifier
The Load Balancing Identifier used for Load balancing to Web AS Java instances has the following syntax.
saplb_=()[]
The cookie is set on path="/" and domain=.
The same syntax applies if the identifier is used via url rewriting.
The applies only to the J2EE Engine where session stickiness on a process (JVM) level is required. The uniquely identifies a set of instances. If there are no special group definitions then the special group identifier '*' is used. This will be the case for a default installation.
The SAP Web Dispatcher checks for a path prefix match and thereby determines the group name. This allows it to obtain from the set of dispatch cookies or to do initial load balancing for the group. The Java dispatcher receives the request and also checks for the group. The Java dispatcher then reads from the appropriate dispatch cookie or performs initial dispatch on its local nodes.
The CSS does not have the possibility to learn a dynamic cookie value created on the server.
So, you can either use arrowpoint cookies, which is quite simple, or have your server team add a static value to the jsessionid in order to identify the server.
We can then configure the CSS to locate this static value and match it to a service.
If possible kindly rate.
Keep in touch.
Kind regards,
Sachin Garg -
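As an added illustration of the dynamic cookie learning described in the answer above (not ACE code, not the author's): a constructed Python model of a `sticky http-cookie saplb_* ep-cookie` group that balances a client with no cookie, learns the `saplb_*` cookie the chosen rserver sets, and stores a hash of the value rather than the value itself. The SHA-256-derived table key, the rserver names and the cookie value `(J2EE100)200` are assumptions.

```python
import fnmatch
import hashlib
import itertools

# Constructed model; the SHA-256 key stands in for whatever function ACE
# applies to the cookie value before it appears in "show sticky data".
COOKIE_PATTERN = "saplb_*"                    # wildcard cookie name from the config
RSERVERS = ["SAP-EP:50000", "SAP-EP:50100"]   # constructed rserver names


def matching_cookie(header, pattern=COOKIE_PATTERN):
    """Value of the first cookie whose name matches the wildcard, for either a
    Cookie header or the cookie-pair at the start of a Set-Cookie header."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if fnmatch.fnmatchcase(name, pattern):
            return value
    return None


class CookieStickyGroup:
    def __init__(self, rservers, pattern=COOKIE_PATTERN):
        self.pattern = pattern
        self.rr = itertools.cycle(rservers)   # clients without a known cookie: round-robin
        self.table = {}                       # hashed cookie value -> rserver

    @staticmethod
    def entry_key(value):
        # The sticky entry is a function of the cookie, not the raw cookie.
        return int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")

    def select(self, request_headers):
        """Sticky hit when the request carries a learned cookie, else balance."""
        value = matching_cookie(request_headers.get("Cookie", ""), self.pattern)
        if value is not None and self.entry_key(value) in self.table:
            return self.table[self.entry_key(value)]
        return next(self.rr)

    def learn(self, rserver, response_headers):
        """Learn the cookie that the selected rserver set in its response."""
        value = matching_cookie(response_headers.get("Set-Cookie", ""), self.pattern)
        if value is not None:
            self.table[self.entry_key(value)] = rserver


def demo():
    """One client gets a saplb_* cookie and then always lands on the same rserver."""
    group = CookieStickyGroup(RSERVERS)
    first = group.select({})                                   # no cookie yet
    group.learn(first, {"Set-Cookie": "saplb_*=(J2EE100)200; path=/"})  # constructed
    again = group.select({"Cookie": "JSESSIONID=abc; saplb_*=(J2EE100)200"})
    other = group.select({})                                   # a different new client
    return first, again, other
```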
Using "predictor hash address" to maintain sticky sessions
I have a question about predictor.
We have two proxy servers balanced on the front end by a CSM. These servers then use a "backend" VIP to access two web/application servers. Each proxy server session must stay stuck to the same backend web/app server.
Because traffic has been evenly balanced on the proxy servers we used "predictor hash address source" to balance traffic to the web/app servers. Sticky connections could have been used but the predictor method was less complex and suited our purposes (traffic balanced evenly and sessions stayed stuck).
The proxy servers are changing from active/active to active/backup (obviously now there is no load balancing of the proxy servers). All traffic is now from a single source IP so therefore the "predictor hash address source" won't balance between the two backend servers.
My question is can we use "predictor hash address" to balance based on a hash of source AND destination IP? This will reduce the changes required on the CSM. My primary concern is that the traffic won't be balanced to the two backend web/app servers.
I know sticky groups can be configured for this but I want to keep changes to a minimum.
OLD SETUP ("predictor hash address source" balanced traffic to backend servers and "stuck" the sessions)
proxy: 10.1.1.1 or 10.1.1.2
CSM VIP: 10.2.2.2
Backend web/application servers: 10.3.3.3 or 10.3.3.4
NEW SETUP ( Will "predictor hash address" still balance traffic to backend servers and keep sessions "stuck"?)
proxy: 10.1.1.1
CSM VIP: 10.2.2.2
Backend web/application servers: 10.3.3.3 or 10.3.3.4
If the src is the same 10.1.1.1 and the destination also always the same 10.2.2.2, I don't see how you can maintain stickyness and also loadbalance the connection between 2 servers.
Only a cookie would let you identify the real source of the traffic [ a client ] and split the connection from the single proxy to different servers.
Gilles. -
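To make Gilles' point concrete, here is an added Python model (not CSM code) of the two predictors with the addresses from the post. The hash itself (sum of the 32-bit addresses modulo the number of rservers) is an assumption, not the CSM's real function; it is enough to show that once every flow shares one source and one destination address, any address hash maps all of them to a single backend, while a per-client key such as a cookie value still spreads them.

```python
import ipaddress
from collections import Counter

SERVERS = ["10.3.3.3", "10.3.3.4"]   # backend web/app servers from the post
VIP = "10.2.2.2"                     # backend VIP on the CSM


def hash_address(src, dst=None):
    """'predictor hash address source' hashes only src; 'predictor hash address'
    hashes src and dst together. Illustrative hash, not the CSM's."""
    key = int(ipaddress.ip_address(src))
    if dst is not None:
        key += int(ipaddress.ip_address(dst))
    return SERVERS[key % len(SERVERS)]


def spread(proxies, source_only):
    """Count which backends many flows from the given proxy addresses land on."""
    flows = [(p, VIP) for p in proxies for _ in range(100)]
    return Counter(hash_address(s, None if source_only else d) for s, d in flows)


def spread_by_client(client_ids):
    """A per-client key (e.g. a cookie value) spreads flows that all arrive from
    one proxy address. Illustrative byte-sum hash, not a CSM feature."""
    return Counter(SERVERS[sum(c.encode()) % len(SERVERS)] for c in client_ids)


OLD = ["10.1.1.1", "10.1.1.2"]   # active/active proxies
NEW = ["10.1.1.1"]               # active/backup: a single source address
```

With `OLD`, a source-only hash uses both backends; with `NEW`, both predictor variants pin everything to one backend, and only `spread_by_client` splits the load again.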
Hi Folks,
First of all I am new to the job and have very little ACE experience. I work on a large campus. We have two 6513s with an ACE blade in each. A few contexts are configured for different applications. Basically the server guys have come to me and asked me to enable stickiness on one of their contexts.
Now I am sure this is basic stuff to ye guys but I am just wondering what I need to do. Can I implement this on the fly without causing an outage? I have cut and pasted the relevant context below and added the changes I think need to be made. Do you guys think this will work, and will it cause any outage?
I appreciate any help at all guys:
Here is current config:
probe tcp APPS-PROBE
port 8080
interval 3
passdetect interval 5
parameter-map type ssl SSL-APPS-ADVANCED
cipher RSA_WITH_RC4_128_MD5
rserver host SERVER1
ip address 10.10.10.1
inservice
rserver host SERVER2
ip address 10.10.10.2
inservice
ssl-proxy service SSL-APPS-PROXY
key appfiles.pem
cert appfilesCAcert
chaingroup APPFILES-CHAINGRP
ssl advanced-options SSL-APPS-ADVANCED
serverfarm host APPS-FARM
predictor leastconns
probe APPS-PROBE
rserver SERVER1 8080
inservice
rserver SERVER2 8080
inservice
class-map match-any APPS-VIP
2 match virtual-address 10.10.10.4 tcp eq https
policy-map type management first-match MGT-POLICY
class class-default
policy-map type loadbalance first-match APPS-POLICY
class class-default
serverfarm APPS-FARM
policy-map multi-match APPSPOLICY
class APPS-VIP
loadbalance vip inservice
loadbalance policy APPS-POLICY
loadbalance vip icmp-reply active
ssl-proxy server SSL-APPS-PROXY
service-policy input APPSPOLICY
Will adding the following to the context make stickiness work?
sticky ip-netmask 255.255.255.255 address source STICKY-APPS-FARM
timeout 720
timeout activeconns
replicate sticky
serverfarm APPS-FARM
policy-map type loadbalance first-match APPS-POLICY
class class-default
sticky-serverfarm STICKY-APPS-FARM
I am really lost on this and only getting this from looking at stickiness on other configs. Can you guys advise will this work?
Also look at the following:
www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/vlansif.html
Autogenerating a MAC Address for a VLAN Interface
By default, the ACE does not allow traffic from one context to another context over a transparent firewall. The ACE assumes that VLANs in different contexts are in different Layer 2 domains, unless it is a shared VLAN. The ACE allocates the same MAC address to the VLANs.
When you are using a firewall service module (FWSM) to bridge traffic between two contexts on the ACE, you must assign two Layer 3 VLANs to the same bridge domain. To support this configuration, these VLAN interfaces require different MAC addresses.
To enable the autogeneration of a MAC address on a VLAN interface, use the mac address autogenerate command in interface configuration mode. The syntax of this command is as follows:
mac address autogenerate
For example, enter:
host1/Admin(config-if)# mac address autogenerate
To disable MAC address autogeneration on the VLAN, use the no mac address autogenerate command. For example, enter:
host1/Admin(config-if)# no mac address autogenerate -
Hi all,
a question:
if I configure a serverfarm with backup-server
serverfarm host S_Das
rserver DAS1
backup-rserver DAS1_1
inservice
rserver DAS_1
inservice standby
rserver DAS2
backup-rserver DAS2_1
inservice
rserver DAS_1
inservice standby
sticky ip-netmask 255.255.255.255 address both SF_DAS
timeout 10
replicate sticky
serverfarm S_Das
and rserver DAS1 goes down what will be behaviour of sticky and balancing?
Will new connections go towards DAS2, or does a tricky and clever sticky take precedence? (I mean persistence on DAS1_1, which is my backup server.)
tnx
Das
Hi Danilo,
If your primary rserver goes down the sticky entries associated with that server will be automatically flushed from the sticky table so that
all new incoming connections will be diverted to your backup rserver.
In case that primary rserver comes back then:
- Existing connections on backup keep accessing backup.
- For new connection requests ACE looks up sticky entries; if there's already an entry for the backup server the connection is sent to the standby rserver.
- If a new client request (connection) doesn't match any sticky entry for backup rserver ACE forwards this request to primary.
In case that you want to use the primary rserver for all the connections after coming back to operational state then the backup option would be configured like this:
rserver Primary
ip address 10.10.10.2
inservice
rserver Standby
ip address 10.10.10.3
inservice
serverfarm host Primary
rserver Primary
inservice
serverfarm host Standby
rserver Standby
inservice
policy-map type loadbalance http first-match slb
class class-default
serverfarm Primary backup Standby
HTH
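As an added Python model of the behaviour described in this answer (illustrative code, not ACE's), using the rserver names DAS1 and DAS1_1 from the question: a source-IP sticky table in front of a primary/backup pair, where entries for a failed rserver are flushed, a client that was moved to the backup stays there after the primary returns, and a client with no entry goes to the primary. The `farm_level_backup` flag models the second style, `serverfarm Primary backup Standby`, where all connections return to the primary once it is back. The client addresses are constructed.

```python
class BackupStickyFarm:
    """Constructed model of 'rserver X / backup-rserver Y' with
    'sticky ip-netmask 255.255.255.255 address source'. Not ACE code."""

    def __init__(self, primary, backup, farm_level_backup=False):
        self.primary, self.backup = primary, backup
        self.farm_level_backup = farm_level_backup
        self.up = {primary: True, backup: True}
        self.table = {}   # source IP -> rserver the client is stuck to

    def set_state(self, rserver, is_up):
        self.up[rserver] = is_up
        if not is_up:
            # Entries pointing at a failed rserver are flushed from the sticky table.
            self.table = {ip: rs for ip, rs in self.table.items() if rs != rserver}

    def connect(self, src_ip):
        """Return the rserver that handles a new connection from src_ip."""
        if self.farm_level_backup and self.up[self.primary]:
            # 'serverfarm Primary backup Standby': once the primary farm is back,
            # every new connection goes to it regardless of backup entries.
            self.table[src_ip] = self.primary
            return self.primary
        rs = self.table.get(src_ip)
        if rs is None or not self.up[rs]:
            # No usable entry: primary if it is up, otherwise the backup.
            rs = self.primary if self.up[self.primary] else self.backup
            self.table[src_ip] = rs
        return rs


def failover_scenario(farm_level_backup=False):
    """Primary fails and recovers; returns where each connection landed."""
    farm = BackupStickyFarm("DAS1", "DAS1_1", farm_level_backup)
    seq = [farm.connect("192.0.2.10")]       # constructed client: stuck to DAS1
    farm.set_state("DAS1", False)
    seq.append(farm.connect("192.0.2.10"))   # DAS1 down: entry flushed, goes to DAS1_1
    farm.set_state("DAS1", True)
    seq.append(farm.connect("192.0.2.10"))   # DAS1 back: backup entry decides
    seq.append(farm.connect("192.0.2.11"))   # new client with no entry
    return seq
```

With per-rserver backup the sequence is `DAS1, DAS1_1, DAS1_1, DAS1`; with the farm-level backup style the returning client goes back to DAS1.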