IM sticky loadbal

Hi,
A new requirement with our client to run Instant Messaging (chat) servers behind CSS. Need to load balance between pool of "Microsoft Live Communications Server 2005 with SP1 Enterprise Edition".
Has anyone tried these servers behind a CSS?
What adv-bal sticky would you recommend? MS recommends a TCP-level affinity. I could not find anything other than src-ip-dest-port. Any help much appreciated.
thanks

I would use layer 4 sticky.
Using Layer 4 Sticky
Layer 4 sticky functions identically to Layer 3 sticky, except that it sticks based on a combination of source IP address, protocol, and destination port. Layer 4 sticky also uses a sticky table and has the same limitations as Layer 3 sticky.
If the CSS sees the same IP address with two different destination ports, it will use two entries. You can also apply sticky mask to Layer 4 sticky.
If you are concerned about whether your site can handle all of the simultaneous sessions, then consider using the Layer 5 advanced-balanced methods of arrowpoint-cookie, cookie, cookieurl, or url.
Read more about it at this link.
Please rate if you find it useful.
http://www.cisco.com/en/US/customer/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080772d96.html#wp1073275

Similar Messages

  • ACE 3.0(0) SW / LB with SSL Session-ID

    Hello!
    I want to use the "SSL Session-ID" sticky method in load-balancing, but can't find any info about it in the 3.0(0)A1(2) sw configuration guides. Where can I find info about it? Or is this method supported only in the old A2(1.0) release?
    Thanks.

    SSL Session ID Sticky to ensure Client Persistence
    1. Demonstrate the ability to provide stickiness using SSL
    Session ID. To do this you will need to use the Generic Protocol Parsing
    framework on ACE. With the right regular expression you will be successful!!
    2. Before you begin to configure the SSL Sticky group, be sure that
    you have allocated resources to the sticky group. Note this is done in the
    Admin context.
    resource-class cart
    limit-resource all minimum 0.00 maximum unlimited
    limit-resource sticky minimum 1.00 maximum equal-to-min
    context Lab-Cart-11
    allocate-interface vlan 211
    allocate-interface vlan 411
    member cart
    3. Create an SSL-v3 sticky group and associate the serverfarm. Good
    idea to configure a sticky timeout value. This specifies the period of time
    that the ACE keeps the sticky information in the sticky table. Note the ACE
    resets the timer each time ACE opens connections matching that entry. Also
    configure the Layer 4 sticky parameters for 32 bytes session ID.
    sticky layer4-payload ssl-v3
    timeout 600
    serverfarm HTTPS-FARM
    response sticky
    layer4-payload offset 43 length 32 begin-pattern "\x20"
    When a new session is established between client and server, the server
    generates a session id. The session id is an arbitrary sequence of bytes.
    The length of the session id is 16 bytes for SSLv2 sessions and between 1
    and 32 bytes for SSLv3/TLSv1. The session id is not security critical but
    must be unique for the server. Additionally, the session id is transmitted
    in the clear when reusing the session so it must not contain sensitive
    information.
    4. Create a class-map to match the layer 4 payload.
    class-map type generic match-any SSL-v3-32
    2 match layer4-payload regex "\x16\x03\x00..\x01.*"
    3 match layer4-payload regex "\x16\x03\x01..\x01.*"
    5. Create a new generic load balance policy map and associate the
    sticky-serverfarm under the class.
    policy-map type loadbalance generic first-match SSL-v3-Sticky
    class SSL-v3-32
    sticky-serverfarm ssl-v3
    6. Change to the client-vips policy map to represent the new
    SSL-v3-Sticky policy you just created
    policy-map multi-match client-vips
    class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy SSL-v3-Sticky
    loadbalance vip icmp-reply active
    7. Verify the VIP is accessible by trying to hit the VIP.
    8. View the connection using the show conn command.
    Pod1-ACE/Lab-Cart-11# show conn
    total current connections : 1
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    10         1  in  TCP   211  209.165.201.11:1115   172.16.11.190:443     ESTAB
    9. Interesting I can see that the first connection has been setup. Why
    is ACE not load balancing the connection to the server?
    10. Great I need to configure a L7 parameter map with a max parse-length
    parameter-map type generic SSL-v3
    set max-parse-length 70
    11. Associate the parameter map to the client-vips policy map
    policy-map multi-match client-vips
    class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy SSL-v3-Sticky
    loadbalance vip icmp-reply active
    appl-parameter generic advanced-options SSL-v3
    12. Verify the VIP is now accessible by trying to hit the VIP.

  • URL cookie

    Hallo,
    we have some trouble with our sticky configuration on an ACE Module.
    We would like to do session persistence on an URL cookie with the name jsessionid.
    now, I found a presentation about HTTP cookie troubleshooting with following:
    => If the cookie is not found, then the ACE looks for a string in the URL, starting with one of the characters /?&#+ and
    followed by a "=", then parses that value.
    => Our URL: https://www-testtest.de/test/index.do;jsessionid=B05404082849E51068A764120663B36E-!server=1
    => the cookie starts with a ";" Could this be our problem?
    => If yes, is it possible to configure the ACE to look also for the ";" string.
    The sticky configuration part looks like the following,
    service-policy input pmap_TEST
    policy-map multi-match pmap_TEST
      class cmap-WWW_HTTPs
        loadbalance vip inservice
        loadbalance policy HTTPs-sticky
        loadbalance vip icmp-reply
        ssl-proxy server ssl-proxy_TFU-3
        class-map match-any cmap-WWW_HTTPs
      2 match virtual-address 1.2.3.4 tcp eq https
      policy-map type loadbalance http first-match HTTPs-sticky
      class class-default
        sticky-serverfarm sticky-cookie
        action actlist_HTTPMODIFY-http_https
      sticky http-cookie jsessionid sticky-cookie
      cookie offset 0 length 42
      cookie secondary jsessionid
      timeout 35
      replicate sticky
      serverfarm sfarm_Test
    best regards
    Bernd

    Hallo litrenta,
    Thanks for your fast reply,
    according the config guide there are two options:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1245246
    => Defining URL Delimiters
    => Defining the secondary cookie start
    our URL cookie starts with a ";" so shouldn't we use "set secondary-cookie-start" instead of the "set secondary-cookie-delimiters " command, or will we have the same result with both commands?
    Regards
    bhoehenberger
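The lookup described in this thread can be modelled in a few lines. This is an added example, not code from the posts and not the ACE's actual parser: it follows the rule as quoted from the presentation (a delimiter from `/?&#+`, then the cookie name and `=`), and the function name, the `www.example.test` URL and the end-of-value rule (stop at the next delimiter) are assumptions.

```python
from typing import Optional

# Delimiter set quoted in the post from the troubleshooting presentation.
DEFAULT_DELIMITERS = "/?&#+"

# URL exactly as posted in the thread.
POSTED_URL = ("https://www-testtest.de/test/index.do;"
              "jsessionid=B05404082849E51068A764120663B36E-!server=1")
# Constructed URL carrying the same cookie name in the query string.
QUERY_URL = "https://www.example.test/app?jsessionid=ABC123&lang=de"


def find_url_cookie(url: str, name: str,
                    delimiters: str = DEFAULT_DELIMITERS,
                    offset: int = 0,
                    length: Optional[int] = None) -> Optional[str]:
    """Return the sticky value for `name` found in the URL, or None.

    Model of the rule in the post: the name must directly follow one of the
    delimiter characters and be followed by "=". Assumption: the value ends
    at the next delimiter character or at the end of the URL.
    """
    marker = name + "="
    for i, ch in enumerate(url):
        if ch in delimiters and url.startswith(marker, i + 1):
            start = i + 1 + len(marker)
            end = start
            while end < len(url) and url[end] not in delimiters:
                end += 1
            value = url[start:end]
            # Same meaning as "cookie offset <n> length <m>" in the sticky group.
            if length is None:
                return value[offset:]
            return value[offset:offset + length]
    return None


def sticky_outcomes() -> dict:
    """Run the posted URL through the model with and without ';' as a delimiter."""
    return {
        # ';' is not in the default set, so the name is never recognised.
        "posted_default": find_url_cookie(POSTED_URL, "jsessionid",
                                          offset=0, length=42),
        # With ';' added, the whole 42-character value becomes the sticky key.
        "posted_with_semicolon": find_url_cookie(POSTED_URL, "jsessionid",
                                                 delimiters=DEFAULT_DELIMITERS + ";",
                                                 offset=0, length=42),
        # A query-string cookie is found with the default set.
        "query_default": find_url_cookie(QUERY_URL, "jsessionid"),
    }


if __name__ == "__main__":
    for case, value in sticky_outcomes().items():
        print(f"{case}: {value!r}")
```

When no value is extracted there is no key for the sticky table, so the request is balanced like any new client and persistence is lost.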

  • 11503 Loadbalance SSL sticky and HTTP not sticky to proxy-cache

    I am using a 11503 to balance 200 schools traffic to 5 caches. Some of the schools have firewalls so the CSS sees their PCs as coming from a single IP. If I set the rule to balance sticky then the load is not spread evenly to the 5 proxies causing them to get overloaded from time to time.
    If I balance the load non-sticky (say leastconn) then users have trouble accessing certain SSL sites.
    Does anyone know a good solution for this?

    Hi Joerg,
    Thanks for your reply. How would you code your solution? Currently I am using the following to work around particular sites:
    service Proxy1
    ip address 10.0.0.11
    type proxy-cache
    active
    service Proxy2 ... etc
    **************************** DQL ****************************
    dql domains-no-balance
    domain www.dontbalancethissite.com
    domain ... etc
    !*************************** OWNER ***************************
    owner admin
    content Proxy-servers
    add service Proxy1
    add service Proxy2
    add service Proxy3
    add service Proxy4
    add service Proxy5
    protocol tcp
    port 3128
    vip address 10.0.0.100
    sticky-inact-timeout 5
    balance leastconn
    active
    content no-load-balance
    vip address 10.0.0.100
    advanced-balance sticky-srcip
    balance leastconn
    add service Proxy1
    add service Proxy2
    add service Proxy3
    add service Proxy4
    add service Proxy5
    protocol tcp
    port 3128
    url "/*" dql domains-no-balance
    sticky-inact-timeout 5
    Regards,
    Ben

  • Connection is not following the Sticky database when one router is coming to up state.

    Dear Team,
    We have 2 routers configured  in Cisco ACE.( Router 1: 10.250.226.4,Router 2: 10.250.226.6) and VIP 10.250.226.19. In a normal scenario all the client connections are perfectly handled by ACE and Its sending to client request to router as per the sticky database. When the router 10.250.226.4 is down, ACE cleared all the sticky database entry belongs to the 10.250.226.4. All the client connections are shifted to router 10.250.226.6.
    When router 10.250.226.4 comes back up, connections are not load balanced properly. That is, connections are not following the sticky database for second connections from the same IP, which causes issues in establishing IPSEC connectivity. Please find the output below.
    switch/RRI# sh sticky database client 10.239.10.86
    sticky group : STIK-RRI-FRM
    type         : IP
    timeout      : 1440          timeout-activeconns : FALSE
      sticky-entry          rserver-instance                 time-to-expire flags
      ---------------------+--------------------------------+--------------+-------+
      10.239.10.86          CISCO-7206-06:0                  65274          -
    switch/RRI# show conn | i 10.239.10.86
    1517152    2  in  UDP   90   10.239.10.86:4500     10.250.226.19:4500    --
    1427552    2  out UDP   9    10.250.226.4:4500     10.239.10.86:1637     --
    3051606    2  in  UDP   90   10.239.10.86:500      10.250.226.19:500     --
    3049659    2  out UDP   9    10.250.226.6:500      10.239.10.86:44977    --
    Please find the below sample configuration we are done in ACE.
    parameter-map type connection UDP_PARAM_MAP
      set timeout inactivity 86450
    sticky ip-netmask 255.255.255.255 address source STIK-RRI-FRM
      replicate sticky
      serverfarm RRI-FRM
    class-map match-all RRI-VIP
      2 match virtual-address 10.250.226.19 any
    policy-map type loadbalance first-match RRI-VIP-l7slb
      class class-default
        sticky-serverfarm STIK-RRI-FRM
    policy-map multi-match RRI
      class RRI-VIP
        loadbalance vip inservice
        loadbalance policy RRI-VIP-l7slb
        loadbalance vip icmp-reply
        connection advanced-options UDP_PARAM_MAP
    interface vlan 90
      ip address 10.250.226.17 255.255.255.240
      peer ip address 10.250.226.18 255.255.255.240
      access-group input ALL
      access-group output ALL
      service-policy input REMOTE_MGMT
      service-policy input RRI
      no shutdown
    As per the analysis, it seems to be the bug CSCsv63364, CSCsu95356. Kindly suggest how we can resolve this issue.
    Image version: A2(3.4)
    Thanks in advance.
    Regards,
    Ranjith

    Hi,
    It's important to know whether there was a sticky entry when the router went down and the time it came back up. Leastconnection shouldn't be a problem here.
    If the IPSEC connection is active but not the UDP 500 connections, after timeout the UDP 500 connections will be removed as well as the sticky entry. If the current active IPSEC connection suddenly needs to refresh SA's, a new UDP 500 connection will be opened and it could be sent to a different server. There is no evidence that this is the problem, but you may want to try a higher sticky timeout as a fix for this.
    Siva

  • ACE SSL Sticky class-map generic vs class default differences.

    There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Giles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.
    Can anyone explain the benefits and differences of using a specific class-map generic such as this:
    class-map type generic match-any SSL-v3-32
      2 match layer4-payload regex "\x16\x03\x00..\x01.*"
      3 match layer4-payload regex "\x16\x03\x01..\x01.*"
    Versus just matching class default?
    So if I have a configuration such as this:
    policy-map type loadbalance generic first-match SSL-v3-Sticky
    class SSL-v3-32
       sticky-serverfarm ssl-v3
    vs
    policy-map type loadbalance generic first-match SSL-v3-Sticky
    class class-default
       sticky-serverfarm ssl-v3
    What's the benefit or drawback?

    The SSL session id is only available in version 3.0.1 and 3.1.1
    So you can match this particular version and then attempt to do stickiness.
    You are guaranteed to find what you're looking for.
    If you match a class-default it means you apply stickiness to any version of ssl packet.
    So there is a risk to misinterpret the content of the packet and stick on something else than the session id.
    Gilles.
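The byte layout behind `layer4-payload offset 43 length 32 begin-pattern "\x20"` and the two `class-map` regexes from the SSL Session-ID threads can be checked offline. This is an added example, not code from the posts and not the ACE's parser: the function names and sample records are constructed, and the `class-default` case is modelled simply as the same offset extraction without the record-type check.

```python
import re
from typing import Optional

# The two class-map patterns quoted in the threads, as Python bytes regexes:
# record type 0x16 (handshake), record version 3.0 or 3.1, two record-length
# bytes, then handshake type 0x01 (ClientHello).
CLASS_MAP_PATTERNS = [
    re.compile(rb"\x16\x03\x00..\x01.*", re.DOTALL),
    re.compile(rb"\x16\x03\x01..\x01.*", re.DOTALL),
]

# Offset of the session-ID length byte in a ClientHello record:
# 5 (record header) + 4 (handshake header) + 2 (client_version) + 32 (random).
SID_LEN_OFFSET = 43
SID_LEN = 0x20  # 32-byte session ID, the begin-pattern in the sticky group
SID_END = SID_LEN_OFFSET + 1 + SID_LEN


def build_client_hello(session_id: bytes, record_version: bytes = b"\x03\x01") -> bytes:
    """Constructed minimal ClientHello record (no extensions), for this demo only."""
    body = (
        b"\x03\x01"                              # client_version
        + bytes(range(32))                       # random field (constructed)
        + bytes([len(session_id)]) + session_id  # session_id length + value
        + b"\x00\x02\x00\x2f"                    # one cipher suite
        + b"\x01\x00"                            # null compression
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + record_version + len(handshake).to_bytes(2, "big") + handshake


def matches_class_map(payload: bytes) -> bool:
    """True when the payload matches either regex of class-map SSL-v3-32."""
    return any(p.match(payload) for p in CLASS_MAP_PATTERNS)


def sticky_key_blind(payload: bytes) -> Optional[bytes]:
    """class-default model: 0x20 at offset 43, then 32 bytes, from any payload."""
    if len(payload) < SID_END or payload[SID_LEN_OFFSET] != SID_LEN:
        return None
    return payload[SID_LEN_OFFSET + 1:SID_END]


def sticky_key_guarded(payload: bytes) -> Optional[bytes]:
    """Specific class-map model: the same extraction, but only for a ClientHello."""
    if not matches_class_map(payload):
        return None
    return sticky_key_blind(payload)


def demo() -> dict:
    sid = bytes.fromhex("5a" * 32)  # constructed session ID
    resumed = build_client_hello(sid)   # client offering a cached session
    fresh = build_client_hello(b"")     # first visit: empty session ID
    # Constructed application-data record (type 0x17) whose opaque bytes happen
    # to carry 0x20 at offset 43, as arbitrary ciphertext can.
    app_data = b"\x17\x03\x01\x00\x50" + b"\x00" * 38 + b"\x20" + b"\x41" * 41
    # Same ClientHello, but with record-layer version 3.3: neither regex matches.
    v33 = build_client_hello(sid, record_version=b"\x03\x03")
    return {
        "resumed": (sticky_key_guarded(resumed), sticky_key_blind(resumed)),
        "fresh": (sticky_key_guarded(fresh), sticky_key_blind(fresh)),
        "app_data": (sticky_key_guarded(app_data), sticky_key_blind(app_data)),
        "v33": (sticky_key_guarded(v33), sticky_key_blind(v33)),
    }


if __name__ == "__main__":
    for name, (guarded, blind) in demo().items():
        print(name, guarded.hex() if guarded else None, blind.hex() if blind else None)
```

The application-data case is the one the last reply warns about: without the record-type match, 32 bytes of ciphertext are taken as the sticky key.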

  • ACE Sticky Connections, Show Conn Output and Show serverfarm

    Hi Community,
    I'm deploying a Cisco ACE module and I have some questions about sticky connections and about the output of the show conn command and show serverfarm command.
    I have the following configuration:
    rserver host srv_1
      ip address 10.4.11.14
      inservice
    rserver host srv_2
      ip address 10.4.11.18
      inservice
    serverfarm host farm_144
      rserver srv_1 144
        weight 1
        inservice
      rserver srv_2 144
        weight 3
        inservice
    sticky ip-netmask 255.255.255.255 address source st_host144
      timeout 10080
      serverfarm farm_144
    class-map match-all vip_144
      2 match virtual-address 10.4.11.208 tcp eq 143
    policy-map type loadbalance first-match lb_144
      class class-default
    policy-map multi-match policy_vip_webcache
      class vip_webcache_144
        loadbalance vip inservice
        loadbalance policy lb_144
        loadbalance vip icmp-reply active
        nat dynamic 411 vlan 411
    We can assume that service policy was applied at the interface vlan. So, let's go to the questions:
    1- If sticky is enabled the output command "show conn" should show just one entry by ip address?
    The real output is:
    DC01-ACE-01-PRIMARY-SW1/context_servidores# show conn | inc :143
    333046     1  in  TCP   411  10.2.158.87:3616      10.4.11.208:143       ESTAB
    286390     3  in  TCP   411  10.2.158.87:3562      10.4.11.208:143       ESTAB
    310233     1  in  TCP   411  10.1.5.87:3424        10.4.11.208:143       ESTAB
    Note that the IP address 10.2.158.87 is shown 2 times. Sometimes the same IP address is shown 4 times to the same VIP and the same port. Is this normal behavior?
    2- According to the configuration, srv_2 has weight 3 and srv_1 has weight 1, but the output of show serverfarm shows something strange:
    DC01-ACE-01-PRIMARY-SW1/context_servidores# show serverfarm farm_144
    serverfarm     : farm_144, type: HOST
    total rservers : 2
    state          : ACTIVE
    DWS state      : DISABLED
    ---------------------------------
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: srv_1
           10.4.11.14:144        1   OPERATIONAL     11         386        0
       rserver: srv_2
           10.4.11.18:144        3   OPERATIONAL     35         66         0
    We can see that the weight is working good, but the total of connections is higher at srv_1 than srv_2. Why?
    Can somebody help me understand this problem better, or whether it's normal behavior?
    Thanks in advance!!

    Hi Gaurav,
    About question 1, I got some information too. It's perfectly normal for the client to open 2 or more connections at the same time. The client's application is responsible. We removed the ACE and put the client directly to the server and the result of the total connections opened was the same.
    About question 2, I made some "clears" on the serverfarm, the sticky database and after that, the numbers were more real.
    DC01-ACE-02-SECONDARY-SW1/context_servidores# sh serverfarm farm_webcache_144
    serverfarm     : farm_webcache_144, type: HOST
    total rservers : 2
    state          : ACTIVE
    DWS state      : DISABLED
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: srv_webcache_1
           10.4.11.14:144        1   OPERATIONAL     1025       15499      4436
       rserver: srv_webcache_2
           10.4.11.18:144        2   OPERATIONAL     1794       33471      471
    DC01-ACE-02-SECONDARY-SW1/context_servidores#
    Anyway thank you very much for your feedback.
    Plínio Monteiro

  • ACE: Can I loadbalance based on client Source IP/and client tcp source port?

    We recently migrated serving a client from being thick client at the desktop to being served via a citrix farm.  Prior to the migration the clients came from about 5000 unique source IP's to their VIP, now they come from only 31 unique source IP's from the citrix servers in the farm. A citrix server can host 400 client sessions, since the default action of the ACE is to loadbalance based on source IP's, the ACE is sending up to 400 sessions from one citrix server to 1 real server in the farm.  Is there anyway I can loadbalance based on client source IP and tcp source port so the ACE views the 400 sessions from one citrix server as unique sessions?  The application does not require persistence.

    Hello,
    Yes, you can configure a "Sticky Layer 4 Payload" as described on this Link:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/command/reference/sticky.html#wp1039276
    Unfortunately I do not have any working example. You must calculate the right values for the Offset and the Length to configure.
    Regards Jean-Marc

  • Oracle Loadbalance Issue

    Hello,
    I am trying to resolve an issue involving load balancing of Oracle using Cisco ACE Loadbalancers.  It is not too complicated of a set up, at least I don't think.  There are two rservers in a server farm.  I have the server farm nested within a sticky http-cookie section so that server persistence using cookies is used.  During the basic testing, the load balancing is working as expected.  For example, Server 1 is manually brought down and I can verify that new sessions are being served to Server 2 and vice versa.
    The issue comes in when, during testing, the user clicks on a module within the main Oracle web based application.  Doing this causes a new session to be created.  When this new session is created, I believe it is sent to a new server in the pool instead of sending it to the same server.  It needs to be sent to the same server because that is where the user logged into the main application.  Because the new server where this new session is being sent to doesn't have any record of the original login it rejects this new session.  So what I was told by the Oracle support is that I need to have the ACE LB load balance by instance instead of session.  I don't know if this is possible.  I have pasted a sample of the config which is in use.  Can someone advise if there is a command which I am not aware of which can accomplish the above stated goal.
    probe tcp TCPHTTPTEST
      port 80
      interval 5
      faildetect 2
      passdetect interval 5
      passdetect count 2
      expect status 200
      request method get url /forms/lservlet
    rserver host ORACLE_TEST_1
      ip address 10.10.110.101
      inservice
    rserver host ORACLE_TEST_2
      ip address 10.10.110.103
      inservice
    serverfarm host ORACLE_TEST_HTTP_FARM
      failaction reassign
      predictor leastconns
      probe TCPHTTPTOATST
      rserver NOVHQERP_TOATST_1 80
        inservice
      rserver NOVHQERP_TOATST_2 80
        inservice
    sticky http-cookie ORACLE_TEST GROUP8
      cookie insert
      serverfarm ORACLE_TEST_HTTP
      replicate sticky
    class-map match-all ORACLE_TEST_VIP
      2 match virtual-address 172.30.110.57 tcp eq 80
    policy-map type loadbalance first-match ORACLE_TEST
      class class-default
        sticky-serverfarm GROUP8
    policy-map multi-match CLIENT_VIPS
      class ORACLE_TEST_VIP
        loadbalance vip inservice
        loadbalance policy ORACLE_TEST
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 110
    Thanks in advance,
    Adil

    Hi Kanwalsi,
    Thank you for your response.  When I say new session, I mean a new browser window or tab is launched when a user clicks on a specific module within the main application.  Or this can be translated to mean a new quintuple (source ip: source port -> destination ip: destination port and protocol) is initiated between the client and the server.
    If you look at the sample config, server persistence using cookies is configured.  I don't have persistence rebalance configured.  Could this be the missing configuration I need to keep the client to use the same rserver within the same Oracle instance (for example, user logs into a single instance but clicks on multiple modules within an instance)?
    Adil

  • ACE sorry server and sticky

    I have configured 3 different serverfarms with including realservers
    2 of them are with websites, the other 1 is with webservices
    I also have configured a sorry server farm and the including rserver.
    On the sorry rserver i have configured 2 maintenance websites, listening to an unique hostheader.
    So for serverfarm A & B i have configured a separate maintenance website.
    Now when i take rservers from serverfarm A or B down, the sorry server will get active for the needed farm.
    However i can only reach 1 maintenance website. And even so, an url used to reach farm A gets on maintenance site from B
    This is strange behaviour, doesn't a sorryserver just accept requests with the requested hostheader by the client ?
    Also, when i put the rservers from A and B back into service i have to do a "clear sticky database all" otherwise the sorryserver will remain active.
    What is wrong here ?
    probe http EHIC-http
    description Test op WWW functionaliteit
    interval 10
    passdetect interval 30
    request method get url http://acc.site-B.nl/web/
    expect status 200 200
    header Host header-value "acc.site-B.nl"
    expect regex 1.8.0.2
    probe http WWW-http
    description Test op WWW functionaliteit
    interval 10
    passdetect interval 30
    request method get url http://acc.site-A.nl/web/default.aspx
    expect status 200 200
    header Host header-value "acc.site-A.nl"
    expect regex v1.9.2.327
    serverfarm host EHIC-FARM
    failaction purge
    predictor leastconns slowstart 30
    probe EHIC-http
    rserver ehic_server01.site-B.nl
    inservice
    serverfarm host SORRY-FARM
    failaction purge
    predictor leastconns
    rserver sorrypage.site-C.nl
    inservice
    serverfarm host WBS-FARM
    failaction purge
    predictor leastconns slowstart 30
    probe ICMP-PROBE
    rserver acc-wbs01v.site-D
    inservice
    rserver wbs_01.site-D
    inservice
    rserver wbs_02.site-D
    inservice
    serverfarm host WWW-FARM
    failaction purge
    predictor leastconns slowstart 30
    probe WWW-http
    rserver acc-www01v.site-A
    inservice
    rserver acc_server01.site-A
    inservice
    rserver acc_server02.site-A
    inservice
    sticky ip-netmask 255.255.255.255 address source EHIC-FARM-STICKY
    serverfarm EHIC-FARM backup SORRY-FARM
    sticky ip-netmask 255.255.255.255 address source WWW-FARM-STICKY
    serverfarm WWW-FARM backup SORRY-FARM
    class-map match-any EHIC-VIP
    2 match virtual-address 172.30.9.4 tcp eq https
    3 match virtual-address 172.30.9.4 tcp eq www
    class-map match-any WBS-VIP
    6 match virtual-address 172.30.5.4 tcp eq www
    7 match virtual-address 172.30.5.4 tcp eq https
    class-map match-any WWW-VIP
    2 match virtual-address 172.30.6.4 tcp eq www
    3 match virtual-address 172.30.6.4 tcp eq https
    policy-map type loadbalance first-match EHIC-FARM-STICKY-BALANCE
    class class-default
    sticky-serverfarm EHIC-FARM-STICKY
    policy-map type loadbalance first-match WBS-FARM-BALANCE
    class class-default
    serverfarm WBS-FARM
    policy-map type loadbalance first-match WWW-FARM-STICKY-BALANCE
    class class-default
    sticky-serverfarm WWW-FARM-STICKY
    policy-map multi-match LOADBALANCING-EHIC
    class EHIC-VIP
    loadbalance vip inservice
    loadbalance policy EHIC-FARM-STICKY-BALANCE
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options EHIC-PARAMETERS
    policy-map multi-match LOADBALANCING-WBS
    class WBS-VIP
    loadbalance vip inservice
    loadbalance policy WBS-FARM-BALANCE
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options WBS-PARAMETERS
    policy-map multi-match LOADBALANCING-WWW
    class WWW-VIP
    loadbalance vip inservice
    loadbalance policy WWW-FARM-STICKY-BALANCE
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options WWW-PARAMETERS
    Regards,
    Sebastian

    Hi Gilles,
    Here is our full config, i only changed some domain names.
    I'll try to describe the problem again ;
    We have published a website by vip 172.30.6.4
    We have another website published by vip 172.30.9.4
    These websites are hosted by realservers configured in 2 serverfarms and can be reached from the internet (secured by an ASA)
    For both of these farms i have configured a sorryserver. This sorry server should serve a webpage containing a maintenance message whenever a farm should get down.
    The sorry server is configured with 2 websites, each listening to the specific hostheader. This hostheader is the same as configured on the rservers for the specific farm 172.30.6.4 or 172.30.9.4.
    So what i am trying to accomplish is that i only need 1 sorryserver to serve 2 sorry webpages, of course listening to a hostheader to get 2 different sorrypages to be returned.
    Now when i take all realservers for both serverfarms down, except for the sorryserver, i can only reach 1 sorrypage.
    For example, site A and B are down, when i try to reach site A i get to the sorrypage of site A. But when i try to reach site B i too get served the sorrypage of site A.
    And also when i "inservice" all rservers again i have to do a "clear sticky database", otherwise the sorryserver will remain active.
    Now i have upgraded to the last version of the ACE ios, but i still have to test if the same problem persists so i will give feedback on this later.
    Regards,
    Sebastian

  • ACE - Balance HTTP and sticky only SSL/TLS

    Hi there,
    I have a situation that I am trying to solve. We have a lot of services through ACE, but now I have to modify one of them, PROXY servers.
    I have six (6) servers working with Sticky, but with a MASK 255.255.255.0, which produces an unbalanced situation sometimes, and that affects some servers depending on how many users are connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have around 700 /24 subnets.
    I want to modify the configuration, specifically the MASK to 255.255.255.255, which is going to increase Sticky resources a lot. But thinking of optimizing Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kinds of SSL/TLS traffic (always using port 80 through proxy servers), so I could use Sticky only for connections that need it, and leave other HTTP traffic without this feature.
    I'm sorry, maybe I'm asking a silly question, but I don't have the experience to make this configuration, and I will appreciate your help.
    Here is the actual configuration:
    probe tcp HTTP
      description Keepalive web servers
      interval 20
      passdetect interval 30
    rserver host Server1
      ip address 10.1.1.1
      inservice
    rserver host Server2
      ip address 10.1.1.2
      inservice
    rserver host Server3
      ip address 10.1.1.3
      inservice
    rserver host Server4
      ip address 10.1.1.4
      inservice
    rserver host Server5
      ip address 10.1.1.5
      inservice
    rserver host Server6
      ip address 10.1.1.6
      inservice
    serverfarm host PRX
      failaction purge
      predictor leastconns
      probe HTTP
      rserver Server1
        inservice
      rserver Server2
         inservice
      rserver Server3
        inservice
      rserver Server4
        inservice
      rserver Server5
        inservice
      rserver Server6
        inservice
    sticky ip-netmask 255.255.255.0 address source sticky-PRX
      timeout 60
      serverfarm PRX
    class-map match-any VIP-PRX
      2 match virtual-address 10.10.10.101 tcp eq www
    policy-map type loadbalance first-match POLICY-L7-PRX
      class class-default
        sticky-serverfarm sticky-PRX
    policy-map multi-match PRX-Balance
      class VIP-PRX
        loadbalance vip inservice
        loadbalance policy POLICY-L7-PRX
        loadbalance vip icmp-reply
    interface vlan 100
      ip address 10.10.10.11 255.255.255.0
      alias 10.10.10.10 255.255.255.0
      peer ip address 10.10.10.12 255.255.255.0
      no normalization
      access-group output SOLO-SLB
      service-policy input PRX-Balance
    Thanks
    Alexis

    You might want to check out this new product called ITD.
    Simple and faster solution:
    ITD provides :
    ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
    No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
    Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
    Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
    IP-stickiness
    Resilient (like resilient ECMP)
    VIP based L4 load-balancing
    NAT (available for EFT/PoC). Allows non-DSR deployments.
    Weighted load-balancing
    Load-balances to large number of devices/servers
    ACL along with redirection and load balancing simultaneously.
    Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
    Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
    Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
    The servers/appliances don’t have to be directly connected to N7k
    Monitoring the health of servers/appliances.
    N + M redundancy.
    Automatic failure handling of servers/appliances.
    VRF support, vPC support, VDC support
    Supported on both Nexus 7000 and Nexus 7700 series.
    Supports both IPv4 and IPv6
    N5k / N6k support : coming soon

  • Http cookie stickiness

    Hi,
    I have an http session between Web Server farm and Application Server Farm.
    After the first http request, the Application Server sends this packet (see file http_header.txt).
    So, I configured http cookie Stickiness with Dynamic cookie learning:
    sticky http-cookie JSESSIONID Cookie-Bea-Group
    cookie offset 0 length 64
    timeout 70
    timeout activeconns
    replicate sticky
    serverfarm BEA8-SFARM-3
    But it doesn't work. If the web server receives an answer from the Application Server with only one Set-Cookie
    Set-Cookie:JSESSIONID=xxxxx
    it works.
    If there are two Set-Cookie headers in the http header, it doesn't work.
    I need stick the session based only on JSESSIONID cookie.
    Is it possible and how?
    Thanks
    Dino

    Hi Dear,
    The ACE appliance/module has the dynamic cookie feature.
    You then just need configure the cookie name and the box does the rest.
    When static cookies are used there will only be one entry in the cookie database per real server. So, if ace-cookie is the only cookie defined and there are two servers, there will only be two entries in the sticky database, even if there are thousands of user sessions.
    Dynamic cookie learning is another option for keeping the SAP session persistent. The sticky table can hold a maximum of four million dynamic entries (four million simultaneous users). The key is choosing the right cookie name.
    Let's take an example: SAP sets a number of cookies for various purposes (note the ace_cookie was set by Cisco ACE using cookie insert, not SAP), but the saplb_* cookie is set by SAP specifically for load-balancers. It has the format saplb_=()[].
    Here, the cookie value also helps to verify which server instance and physical node you are connected to.
    The configuration process for cookie learning is similar, with a few changes in the syntax.
    Example configuration:
    sticky http-cookie saplb_* ep-cookie
    replicate sticky
    serverfarm EP-HTTP
    policy-map type loadbalance http first-match ep-policy
    class class-default
    sticky-serverfarm ep-cookie
    In the above examples, the replicate sticky command is used so that the cookie information is replicated to the standby Cisco ACE context. With this implementation, session persistence is maintained in the event of a failover. The default timeout is one day.
    The show sticky data command retrieves the active sticky entries that have been dynamically learned. The value shown is not the actual cookie value, but a function of it created by Cisco ACE.
    Example configuration:
    switch/SAP-Datacenter# show sticky data
    sticky group : ep-cookie
    type : HTTP-COOKIE
    timeout : 100 timeout-activeconns : FALSE
    sticky-entry rserver-instance time-to-expire flags
    ---------------------+--------------------------------+--------------+-------+
    6026630525409626373 SAP-EP:50000 5983
    Load Balancing Identifier
    The Load Balancing Identifier used for Load balancing to Web AS Java instances has the following syntax.
    saplb_=()[]
    The cookie is set on path=”/” and domain=.
    The same syntax applies if the identifier is used via url rewriting.
    The applies only to the J2EE Engine where session stickiness on a process (JVM) level is required. The uniquely identifies a set of instances. If there are no special group definitions then the special group identifier '*' is used. This will be the case for a default installation.
    The SAP Web Dispatcher checks for path prefix match and thereby determines group name. This allows to obtain from the set of dispatch cookies or to do initial load balancing for the group. The Java dispatcher receives the request and also checks for the group. The Java dispatcher then reads from the appropriate dispatch cookie or performs initial dispatch on his local nodes.
    The CSS does not have the possibility to learn dynamic cookie value created on the server.
    So, you can either use arrowpoint cookies which is quite simple or have your server team add a static value to the jsessionid in order to identify the server.
    We can then configure the CSS to locate this static value and match it to a service.
    If possible kindly rate.
    Keep in touch.
    Kind regards,
    Sachin Garg
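
    The case raised in this thread (a response carrying two Set-Cookie headers, with stickiness wanted only on JSESSIONID) can be modelled as follows. This is an added example, not code from the thread and not how ACE is implemented: the `StickyTable` class, the server name `app-1`, the sample headers and the SHA-256 key are all assumptions made for illustration.

```python
import hashlib

COOKIE_NAME = "JSESSIONID"  # cookie name from the sticky group in the question
OFFSET, LENGTH = 0, 64      # "cookie offset 0 length 64" from the question
# Constructed response headers: two Set-Cookie lines, JSESSIONID second.
SAMPLE_RESPONSE = [
    "Set-Cookie: LANG=en; path=/",
    "Set-Cookie: JSESSIONID=Zk3Tq9!1047-constructed; path=/; HttpOnly",
]

def _find(pairs, name):
    """Return the value of cookie `name` from 'k=v' strings, or None."""
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if sep and key.strip() == name:
            return value.strip()
    return None

def cookie_from_response(header_lines, name=COOKIE_NAME):
    """Scan every Set-Cookie line; attributes after the first ';' are ignored."""
    fields = (line.partition(":") for line in header_lines)
    pairs = [rest.split(";", 1)[0] for field, _, rest in fields
             if field.strip().lower() == "set-cookie"]
    return _find(pairs, name)

def cookie_from_request(cookie_header, name=COOKIE_NAME):
    """A request carries all cookies in one header: 'a=1; b=2'."""
    return _find(cookie_header.split(";"), name)

def sticky_key(value):
    """Key on a hash of the configured window, not on the raw session token."""
    window = value[OFFSET:OFFSET + LENGTH]
    return hashlib.sha256(window.encode()).hexdigest()[:16]

class StickyTable:
    """Hypothetical model of a learned-cookie sticky table (not ACE code)."""
    def __init__(self):
        self.entries = {}

    def learn(self, response_headers, rserver):
        # Called on the server response: record which rserver set the cookie.
        value = cookie_from_response(response_headers)
        if value is not None:
            self.entries[sticky_key(value)] = rserver
        return value

    def lookup(self, cookie_header):
        # Called on a client request: None means "no entry, load-balance".
        value = cookie_from_request(cookie_header)
        return self.entries.get(sticky_key(value)) if value else None
```

    Because every Set-Cookie line is inspected and the other cookies are ignored, the learned entry is the same whichever position JSESSIONID occupies in the response.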

  • Using "predictor hash address" to maintain sticky sessions

    I have a question about predictor.
    We have two proxy servers balanced on the front end by a CSM. These servers then use a "backend" VIP to access two web/application servers. Each proxy server session must stay stuck to the same backend web/app server.
    Because traffic has been evenly balanced on the proxy servers we used "predictor hash address source" to balance traffic to the web/app servers. Sticky connections could have been used but the predictor method was less complex and suited our purposes (traffic balanced evenly and sessions stayed stuck).
    The proxy servers are changing from active/active to active/backup (obviously now there is no load balancing of the proxy servers). All traffic is now from a single source IP so therefore the "predictor hash address source" won't balance between the two backend servers.
    My question is can we use "predictor hash address" to balance based on a hash of source AND destination IP? This will reduce the changes required on the CSM. My primary concern is that the traffic won't be balanced to the two backend web/app servers.
    I know sticky groups can be configured for this but I want to keep changes to a minimum.
    OLD SETUP ("predictor hash address source" balanced traffic to backend servers and "stuck" the sessions)
    proxy: 10.1.1.1 or 10.1.1.2
    CSM VIP: 10.2.2.2
    Backend web/application servers: 10.3.3.3 or 10.3.3.4
    NEW SETUP ( Will "predictor hash address" still balance traffic to backend servers and keep sessions "stuck"?)
    proxy: 10.1.1.1
    CSM VIP: 10.2.2.2
    Backend web/application servers: 10.3.3.3 or 10.3.3.4

    If the src is the same 10.1.1.1 and the destination also always the same 10.2.2.2, I don't see how you can maintain stickiness and also loadbalance the connection between 2 servers.
    Only a cookie would let you identify the real source of the traffic [ a client ] and split the connection from the single proxy to different servers.
    Gilles.
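
    The point made in the reply above can be checked with a small simulation, using the addresses from the question. This is an added example, not code from the thread and not the CSM's hash: the SHA-256 based `pick` function and the `client-session-N` cookie values are constructed assumptions.

```python
import hashlib
import ipaddress
from collections import Counter

BACKENDS = ["10.3.3.3", "10.3.3.4"]  # backend web/app servers from the question
VIP = "10.2.2.2"                     # CSM VIP from the question


def pick(key: bytes) -> str:
    """Toy hash predictor: the same key always maps to the same backend."""
    digest = hashlib.sha256(key).digest()
    return BACKENDS[int.from_bytes(digest[:4], "big") % len(BACKENDS)]


def by_source(src, dst, cookie):
    """Key on the source IP only (the old setup's predictor)."""
    return ipaddress.ip_address(src).packed


def by_source_and_dest(src, dst, cookie):
    """Key on source and destination IP together."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed


def by_cookie(src, dst, cookie):
    """Key on a per-client session cookie instead of on addresses."""
    return cookie.encode()


def distribution(key_fn, proxies, sessions=200):
    """Count where `sessions` constructed client sessions land.

    Each session arrives through one of `proxies` (round-robin) and carries
    a constructed cookie that identifies the real client behind the proxy.
    """
    counts = Counter()
    for i in range(sessions):
        src = proxies[i % len(proxies)]
        counts[pick(key_fn(src, VIP, f"client-session-{i}"))] += 1
    return counts


if __name__ == "__main__":
    for name, fn in [("source", by_source),
                     ("source+dest", by_source_and_dest),
                     ("cookie", by_cookie)]:
        print(f"{name:12s}", dict(distribution(fn, ["10.1.1.1"])))
```

    With the single proxy 10.1.1.1, both address-based keys are constant, so every session lands on one backend; only the cookie key varies per client and reaches both.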

  • ACE Stickiness Question

    Hi Folks,
    First of all I am new to the job and have very little ACE experience. I work on a large campus. We have two 6513's with an ACE blade in each. A few contexts configured for different applications. Basically the server guys have come to me and asked me to enable stickiness on one of their contexts.
    Now I am sure this is basic stuff to ye guys but I am just wondering what I need to do? Can I implement this on the fly without causing an outage? I have cut and pasted the relevant context below. And added the changes I think that need to be made. Do you guys think this will work and will it cause any outage?
    I appreciate any help at all guys:
    Here is current config:
    probe tcp APPS-PROBE
    port 8080
    interval 3
    passdetect interval 5
    parameter-map type ssl SSL-APPS-ADVANCED
    cipher RSA_WITH_RC4_128_MD5
    rserver host SERVER1
    ip address 10.10.10.1
    inservice
    rserver host SERVER2
    ip address 10.10.10.2
    inservice
    ssl-proxy service SSL-APPS-PROXY
    key appfiles.pem
    cert appfilesCAcert
    chaingroup APPFILES-CHAINGRP
    ssl advanced-options SSL-APPS-ADVANCED
    serverfarm host APPS-FARM
    predictor leastconns
    probe APPS-PROBE
    rserver SERVER1 8080
    inservice
    rserver SERVER2 8080
    inservice
    class-map match-any APPS-VIP
    2 match virtual-address 10.10.10.4 tcp eq https
    policy-map type management first-match MGT-POLICY
    class class-default
    policy-map type loadbalance first-match APPS-POLICY
    class class-default
    serverfarm APPS-FARM
    policy-map multi-match APPSPOLICY
    class APPS-VIP
    loadbalance vip inservice
    loadbalance policy APPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-APPS-PROXY
    service-policy input APPSPOLICY
    Will adding the following to the context make stickiness work?
    sticky ip-netmask 255.255.255.255 address source STICKY-APPS-FARM
    timeout 720
    timeout activeconns
    replicate sticky
    serverfarm APPS-FARM
    policy-map type loadbalance first-match APPS-POLICY
    class class-default
    sticky-serverfarm STICKY-APPS-FARM
    I am really lost on this and only getting this from looking at stickiness on other configs. Can you guys advise will this work.

    Also look at the following :
    www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/vlansif.html
    Autogenerating a MAC Address for a VLAN Interface
    By default, the ACE does not allow traffic from one context to another context over a transparent firewall. The ACE assumes that VLANs in different contexts are in different Layer 2 domains, unless it is a shared VLAN. The ACE allocates the same MAC address to the VLANs.
    When you are using a firewall service module (FWSM) to bridge traffic between two contexts on the ACE, you must assign two Layer 3 VLANs to the same bridge domain. To support this configuration, these VLAN interfaces require different MAC addresses.
    To enable the autogeneration of a MAC address on a VLAN interface, use the mac address autogenerate command in interface configuration mode. The syntax of this command is as follows:
    mac address autogenerate
    For example, enter:
    host1/Admin(config-if)# mac address autogenerate
    To disable MAC address autogeneration on the VLAN, use the no mac address autogenerate command. For example, enter:
    host1/Admin(config-if)# no mac address autogenerate

  • ACE backup-server and sticky

    Hi all,
    a question:
    if I configure a serverfarm with backup-server
    serverfarm host S_Das
      rserver DAS1
        backup-rserver DAS1_1
        inservice
      rserver DAS_1
        inservice standby
      rserver DAS2
        backup-rserver DAS2_1
        inservice
      rserver DAS_1
        inservice standby
    sticky ip-netmask 255.255.255.255 address both SF_DAS
      timeout 10
      replicate sticky
      serverfarm S_Das
    and rserver DAS1 goes down, what will be the behaviour of sticky and balancing?
    Will new connections go towards DAS2, or will a tricky and clever sticky take precedence? (I mean persistence on DAS1_1, which is my backup server.)
    tnx
    Das

    Hi Danilo,
    If your primary rserver goes down the sticky entries associated with that server will be automatically flushed from the sticky table so that
    all new incoming connections will be diverted to your backup rserver.
    In case that primary rserver comes back then:
    - Existing connections on backup keep accessing backup.
    - For new connection requests ACE looks up sticky entries, if there's already an entry for backup server the connection is sent to the standby rserver.
    - If a new client request (connection) doesn't match any sticky entry for backup rserver ACE forwards this request to primary.
    In case that you want to use the primary rserver for all the connections after coming back to operational state then the backup option would be configured like this:
    rserver Primary
      ip address 10.10.10.2
      inservice
    rserver Standby
      ip address 10.10.10.3
      inservice
    serverfarm host Primary
      rserver Primary
        inservice
    serverfarm host Standby
      rserver Standby
        inservice
    policy-map type loadbalance http first-match slb
      class class-default
        serverfarm Primary backup Standby
    HTH
