IPSec (transport mode) load balancing via CSM
Suppose that there are two servers providing service for remote applications. Those applications use IPSEC in transport mode. I would like to put a CSM in front to load-balance between both of them (persistence via SRC IP is OK for me).
Have you any experience with transport mode? IMHO it is not possible because of IP header changes? (I have no exact information whether resigning from AH transforms is possible.)
What about changing to tunnel mode? Have you ever seen that configuration working?
I think you can for the transport mode. I have not had any luck with the Tunnel mode.
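As an added illustration of the point raised in the question above (not code from the original thread): a model of which IP header fields the AH and ESP integrity checks cover, showing that a balancer that rewrites the destination address (what CSM "nat server" does) invalidates an AH ICV but leaves an ESP ICV intact, while a TTL change alone is harmless to both. The key, addresses and payloads are constructed sample values.

```python
"""Model of AH vs ESP integrity coverage when a load balancer rewrites the IP header.

Constructed illustration for the thread above; not code from the original post.
RFC 4302 (AH) authenticates the IP header with its mutable fields zeroed, so the
addresses are covered; RFC 4303 (ESP) covers only SPI, sequence number and the
encrypted payload, never the outer IP header.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-integrity-key"   # assumption: integrity key of the SA
PROTO = {"AH": 51, "ESP": 50}
CLIENT = bytes([10, 0, 0, 5])             # constructed client address
VIP = bytes([192, 0, 2, 10])              # constructed CSM vserver address the client sends to
REAL = bytes([10, 1, 0, 66])              # constructed real server that "nat server" rewrites to


def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at zero (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, ttl, proto, 0, src, dst)


def ah_covered_header(hdr):
    """AH zeroes the mutable fields (TOS, flags/fragment offset, TTL, checksum)
    before authenticating; source and destination addresses stay in."""
    _tos, total, ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!xBHHHBBH4s4s", hdr)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, 0, 0, proto, 0, src, dst)


def compute_icv(mode, hdr, protected):
    """ICV over what each protocol defines as its coverage (truncated HMAC-SHA256)."""
    covered = ah_covered_header(hdr) + protected if mode == "AH" else protected
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:12]


def icv_still_valid(mode, dst_after, ttl_after=64):
    """Sender computes the ICV towards the VIP; the balancer rewrites the header
    (destination and/or TTL); the real server re-checks.  True if it still passes."""
    # stands in for the AH/ESP header (SPI, sequence number) plus the protected data
    protected = struct.pack("!II", 0x1000, 1) + b"constructed protected payload"
    sent = ipv4_header(CLIENT, VIP, PROTO[mode])
    icv = compute_icv(mode, sent, protected)
    received = ipv4_header(CLIENT, dst_after, PROTO[mode], ttl=ttl_after)
    return hmac.compare_digest(icv, compute_icv(mode, received, protected))


if __name__ == "__main__":
    print("AH, TTL decremented only:", icv_still_valid("AH", VIP, ttl_after=63))   # True
    print("AH, destination rewritten:", icv_still_valid("AH", REAL))               # False
    print("ESP, destination rewritten:", icv_still_valid("ESP", REAL))             # True
```

Passing the ESP integrity check is only half the story: the TCP checksum inside the ciphertext was computed against the VIP, so transport mode behind an address-rewriting balancer still needs the NAT-T checksum handling of RFC 3948 or the original destination restored before the segment is accepted.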
Similar Messages
-
Load balancing via CHOC12/STS3
Hi, our customer has a connection between 2 x 12012 via the 4 embedded channels of the CHOC12/STS3 module. As every subinterface has its own IP subnet we have 4 equal paths to every destination.
Customer wants to configure dCEF per-packet load balancing and is concerned if he can get packet sequence problems for his VoIP applications like it may happen on 'normal' equal path cost connections when load balancing per-packet instead of per-destination.
Does anybody know if this can be a concern on the embedded channels ?
Regards Guenther
Generally speaking, for a given source-destination pair, with per-packet load balancing enabled, packets might take different paths which could introduce reordering of packets. Thus per-packet load balancing is inappropriate for voice over IP traffic and also for certain other types of data traffic that require packets to be received in sequence. For more information please see
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca62c.html#3589. Whether the CHOC12/STS3 module has some special mechanism built in to take care of this is unknown to me. Per-packet load balancing via CEF is not supported on Engine 2 Gigabit Switch Router (GSR) line cards (LCs). -
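An added simulation of the reordering concern in the CHOC12/STS3 thread above (not code from the original post): four equal-cost channels with slightly different delays, constructed here, carry two flows; per-packet round-robin spreads each flow over all four channels, per-destination hashing pins each flow to one, and the function counts packets that arrive behind a later packet of the same flow.

```python
"""Per-packet vs per-destination load balancing and packet reordering.

Constructed simulation for the thread above; not code from the original post.
Delays and flows are made up; only the mechanism matters.
"""
import hashlib
import heapq

PATH_DELAY_MS = [10.0, 13.0, 11.0, 12.0]   # constructed: four equal-cost paths, unequal latency
FLOWS = [("10.0.0.1", "10.0.1.1"), ("10.0.0.2", "10.0.1.2")]  # constructed (src, dst) pairs


def per_packet_path(seq, flow, n_paths):
    """Per-packet: consecutive packets rotate over the paths regardless of flow."""
    return seq % n_paths


def per_destination_path(seq, flow, n_paths):
    """Per-destination: hash the (src, dst) pair so a flow always takes one path."""
    digest = hashlib.sha256(f"{flow[0]}>{flow[1]}".encode()).digest()
    return digest[0] % n_paths


def count_reorders(choose_path, flows=FLOWS, packets_per_flow=50, interval_ms=1.0):
    """Send packets_per_flow packets per flow at a fixed interval, route each
    with choose_path, and count packets that arrive after a higher sequence
    number of the same flow (what a VoIP jitter buffer sees as reordering)."""
    arrivals = []                       # min-heap keyed on arrival time
    send_time = 0.0
    for seq in range(packets_per_flow):
        for flow in flows:
            path = choose_path(seq, flow, len(PATH_DELAY_MS))
            heapq.heappush(arrivals, (send_time + PATH_DELAY_MS[path], flow, seq))
        send_time += interval_ms
    highest_seen = {flow: -1 for flow in flows}
    reorders = 0
    while arrivals:
        _, flow, seq = heapq.heappop(arrivals)
        if seq < highest_seen[flow]:
            reorders += 1
        else:
            highest_seen[flow] = seq
    return reorders


if __name__ == "__main__":
    print("per-destination reorders:", count_reorders(per_destination_path))  # 0
    print("per-packet reorders:", count_reorders(per_packet_path))
```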
Hi,
I am trying to setup an IPSec transport mode policy from my test server in the office to a VM in Azure in order to replicate data to a RODC.
Both servers sit behind a NAT firewall and have private IP addresses.
I have created a security policy at each end which specifies both the private address of the server and the public address of the cloud service (Azure) and firewall (on prem).
I have opened firewall ports on both sides to allow both 500/udp and 4500/udp.
Using the Network Monitor tool, I can see some IKE transmissions but I can't ping/rdp either way.
Any ideas?
Thanks
Dave
Hi Dave,
We've not heard from you yet. I assume the information provided by me has helped. I am marking my reply as answered now.
In case the information did not help, please feel free to unmark the answer and come back to us with your comments.
Best regards.
Steven Lee
TechNet Community Support -
IPSEC transport mode and GET VPN
All,
I am about to implement GET VPN and read the following on Cisco's website:
IPsec transport mode suffers from fragmentation and reassembly limitations and must not be used in
deployments where encrypted or clear packets might require fragmentation.
I just do not understand why transport mode will suffer fragmentation and reassembly while it has less overhead than tunnel mode.
One thing to understand about transport mode vs tunnel mode (IPsec) is that transport is used between the actual source and destination of the IP protocol.
Tunnel mode actually not only authenticates but also encrypts at the higher layers of the packet
Pix
VPN
IP layers
Tunnel actual source and destination is encrypted at the upper layers and therefore when the packet gets to the IP layer, it really doesn't know about or care about the ICV signature already within the upper PIX layer.
Also from a security standpoint because of the fact that tunnel mode encrypts and authenticates the IP information whereas transport only authenticates packets -
RPC Load Balancing on CSM and SSL
We are load-balancing SSL successfully but the Exchange people want to use RPC to access
mailboxes using CSM.
We need to allow ports 6005 through 59530 used by the Client Access Servers. Any suggestions?
Thanks.
I tried that, but according to our Exchange administrators, the solution didn't work. Here is my configuration:
serverfarm EXCH-CAS
  nat server
  no nat client
  real x.x.248.100
    inservice
  real x.x.248.101
    inservice
  probe EXCH-CAS
serverfarm EXCH-CAS-SSL
  nat server
  no nat client
  real x.x.254.60
    inservice
  real x.x.254.61
    inservice
  probe SSL-FARM
!
vserver EXCH-CAS
  virtual x.x.254.154 tcp www
  vlan 460
  serverfarm EXCH-CAS
  sticky 1440 group 152
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
vserver EXCH-CAS-S
  virtual x.x.214.139 tcp https
  vlan 400
  serverfarm EXCH-CAS-SSL
  sticky 5 group 252
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
vserver EXCH-CAS-TEST-S
  virtual x.x.214.139 tcp 0
  vlan 400
  serverfarm EXCH-CAS
  sticky 5 group 252
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
Thanks,
Mohamad -
Load balance on CSM with both Firewalls and Cache engines
Hi,
I come from VDC#3 (Vietnam); we have 2 CSMs, 3 firewalls, and 8 CE 7325s. We configured dual CSMs to load balance the 3 FWs, and now we want to use one CSM to load balance the CEs. Can you hint me the best network topology?
Thanks
Your topology is correct.
The problem is your config.
If you need access to the CE ip addresses, you need to configure a vserver to allow this traffic.
Something like
serverfarm FORWARD
  no nat server
  no nat client
  predictor forward
vserver access2ce
  virtual x.x.x.0 255.255.255.0 any
  serverfarm FORWARD
  inservice
Replace x.x.x.0/24 with the subnet used by the CE.
Regards,
Gilles.
Thanks for rating this answer. -
IPsec transport mode with IPv6?
I am trying to set up IPsec in an IPv6 environment. However, when I configure "crypto map" I wasn't able to "set peer" to an IPv6 peer address. Why is that?
I used Virtual Tunnel Interface instead of Crypto Map and it worked. But I need IPsec in transport mode instead of tunnel mode.
I think there is no support for mixed mode, which is IPv6 traffic through an IPv4 tunnel and vice versa, in VTI. A better solution is a GRE tunnel.
-
ACE load balance based on Source IP Address
Hi Cisco Support,
I have a question related to Cisco ACE behaviour in terms of taking a decision based on source address.
I currently have two servers sitting behind ACE as part of one server farm; these servers are load balanced via one VIP on the ACE module and everything looks fine.
Now the service owners want to replace these old servers with new hardware, hence before the migration we need to make sure these new servers are working to the required standard, hence we need to create a testing scenario for the new servers along with the old servers. The problem is that a number of third-party partners are accessing the existing servers by hitting the VIP on the ACE, and we can't engage all our partners to participate in this test, therefore we decided to engage only one partner to carry out this test with us.
For that reason, can we somehow configure the ACE so that when a packet arrives on the ACE from the one test partner mentioned above, the ACE sends only that partner's traffic, based on its source address (defined via class/policy map on the ACE if possible), towards the new servers in the existing server farm and not to the old servers in the same server farm?
Thanks for your support
Hi,
Just to put some config sample that might help you to get this done.
First create the new rservers and include them under a new serverfarm (New-APP):
serverfarm host Webfarm
  rserver SVR1
    inservice
  rserver SVR2
    inservice
serverfarm host New-APP
  rserver New-1
    inservice
  rserver New-2
    inservice
- Same VIP already working.
class-map match-all VIP-HTTP
  2 match virtual-address 10.10.10.10 tcp eq www
- Create a new class that will include your partner's IP(s).
class-map type http loadbalance match-any 3rd-Party
  2 match source-address 200.200.200.1 255.255.255.255
  3 match source-address 200.200.200.10 255.255.255.255
Modify your current first-match policy to put the new class on top so that all the traffic matched by the statement above (IP) will be redirected to the new farm with the new APP; any other traffic that does not match the "rule" will be sent to the old serverfarm with the old app.
policy-map type loadbalance first-match L7-SLB
  class 3rd-Party
    serverfarm New-APP
  class class-default
    serverfarm Webfarm
Since you already have LB working then this is it, nothing needs to be added under the multi-match policy nor interface.
HTH
Pablo -
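An added walk-through of the first-match evaluation that Pablo's ACE sample above relies on (not code from the original post or from Cisco): it parses the class-map and policy-map lines quoted in that answer (only the `match source-address` form used there), then resolves a client address to a serverfarm, including the case where class-default is mistakenly listed first. The client addresses tried are constructed.

```python
"""First-match load-balance policy evaluation for the sample ACE config above.
Constructed illustration for the thread above; not ACE code.  Handles only the
`match source-address` class-map lines and first-match policy-map used there."""
import ipaddress

SAMPLE_CONFIG = """\
class-map type http loadbalance match-any 3rd-Party
  2 match source-address 200.200.200.1 255.255.255.255
  3 match source-address 200.200.200.10 255.255.255.255
policy-map type loadbalance first-match L7-SLB
  class 3rd-Party
    serverfarm New-APP
  class class-default
    serverfarm Webfarm
"""


def parse_config(text):
    """Return ({class_name: (match_any, [(addr, mask), ...])}, [(class, farm), ...])."""
    classes, policy, current = {}, [], None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "class-map":
            current = ("class", t[-1])
            classes[t[-1]] = ("match-all" not in t, [])
        elif t[0] == "policy-map":
            current = ("policy", t[-1])
        elif current and current[0] == "class" and t[1:3] == ["match", "source-address"]:
            classes[current[1]][1].append((t[3], t[4]))
        elif current and current[0] == "policy" and t[0] == "class":
            policy.append([t[1], None])
        elif current and current[0] == "policy" and t[0] == "serverfarm":
            policy[-1][1] = t[1]          # farm belongs to the class opened last
    return classes, [tuple(entry) for entry in policy]


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def source_matches(client_ip, addr, mask):
    """ACE `match source-address A M` semantics: (client & M) == (A & M)."""
    return _ip(client_ip) & _ip(mask) == _ip(addr) & _ip(mask)


def select_serverfarm(classes, policy, client_ip):
    """Walk the first-match policy top to bottom; class-default matches everything."""
    for class_name, farm in policy:
        if class_name == "class-default":
            return class_name, farm
        match_any, lines = classes[class_name]
        hits = [source_matches(client_ip, a, m) for a, m in lines]
        if (any(hits) if match_any else all(hits)):
            return class_name, farm
    raise ValueError("no class matched; first-match policies should end with class-default")


if __name__ == "__main__":
    classes, policy = parse_config(SAMPLE_CONFIG)
    for ip in ("200.200.200.1", "200.200.200.10", "200.200.200.2", "198.51.100.7"):
        print(ip, "->", select_serverfarm(classes, policy, ip))
    # class-default listed first: every client, partner included, lands on Webfarm
    print("misordered:", select_serverfarm(classes, policy[::-1], "200.200.200.1"))
```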
PIX balancing with CSMs on both ends...
I'm preparing configurations for a CSM-oriented solution. Now I'm testing PIX load balancing using CSM. For simplicity there is a situation like in:
Configuring Regular Firewall Load Balancing, page 5-17
where we got:
Internet -> CSM@6509 -> PIXes -> CSM@6509 -> DMZs
where DMZs could be internet users, intranet with FW-1 and so on.
I had configuration exactly as in mentioned document:
cat6509 (Internet side):
module ContentSwitchingModule 5
  vlan 100 client
    ip address 100.0.0.25 255.255.255.0
    gateway 100.0.0.13
  vlan 101 server
    ip address 100.0.0.25 255.255.255.0
    alias 100.0.0.20 255.255.255.0
  serverfarm FORWARD-SF
    no nat server
    no nat client
    predictor forward
  serverfarm INSEC-SF
    no nat server
    no nat client
    predictor hash address source
    real 100.0.0.3
      inservice
    real 100.0.0.4
      inservice
  vserver FORWARD-VS
    virtual 0.0.0.0 0.0.0.0 any
    vlan 101
    serverfarm FORWARD-SF
    persistent rebalance
    inservice
  vserver INSEC-VS
    virtual 200.0.0.0 255.255.255.0 any
    vlan 100
    serverfarm INSEC-SF
    persistent rebalance
    inservice
interface Vlan100
  ip address 100.0.0.13 255.255.255.0
ip route 10.0.0.0 255.0.0.0 100.0.0.20
ip route 200.0.0.0 255.0.0.0 100.0.0.20
cat6509 (DMZs/intranet side):
module ContentSwitchingModule 5
  vlan 201 server
    ip address 200.0.0.26 255.255.255.0
    alias 200.0.0.20 255.255.255.0
  vlan 20 server
    ip address 10.1.0.26 255.255.255.0
  vlan 200 client
    ip address 200.0.0.26 255.255.255.0
  serverfarm GENERIC-SF
    nat server
    no nat client
    real 10.1.0.66
      inservice
  serverfarm SEC-SF
    no nat server
    no nat client
    predictor hash address destination
    real 200.0.0.3
      inservice
    real 200.0.0.4
      inservice
  vserver GENERIC-VS
    virtual 200.0.0.127 tcp 0
    vlan 201
    serverfarm GENERIC-SF
    persistent rebalance
    inservice
  vserver SEC-20-VS
    virtual 200.0.0.0 255.255.255.0 any
    vlan 20
    serverfarm SEC-SF
    persistent rebalance
    inservice
  vserver SEC-200-VS
    virtual 200.0.0.0 255.255.255.0 any
    serverfarm SEC-SF
    persistent rebalance
    inservice
VLANs:
100 - Internet
101 - PIX Outsides
201 - PIX Insides
200 - sample DMZ with users..
20 - sample DMZ with servers
Internet needs access to servers@VLAN20
Hosts from VLAN 200 and VLAN 20 need access to Internet
Traffic between DMZs needs to be allowed
I see one problem already.
Your MSFC has an interface vlan 100 and a static route pointing at address 100.0.0.20 which is the alias in vlan 101.
Your MSFC probably can't ping 100.0.0.20
You should configure an alias in vlan 100 of the CSM and have the MSFC pointing to this alias.
Also, the 2nd CSM does not have a serverfarm FORWARD.
You will need one normally to forward traffic to your local subnet without loadbalancing.
[what you configured is possible but I'm not sure this is the result you are expecting]
Regards,
Gilles. -
ACE load balancing and testing using soapUI
Hey, I am trying to crowd source a solution for this problem.
A client is testing using soapUI to an application that is being load balanced via ACE. There are two webservers behind the VIP servicing the client request. When client tests, requests are timing out per the soapUI log. A packet capture was taken and it clearly shows that ACE is not forwarding the HTTP data back to the client. When client tests by bypassing the ACE load balancer, it works fine. But, there are other clients from other applications that are making successful connection to the load balanced application via the VIP.
Question, is there any thing unique with making HTTP/XML based requests using soapUI? LB configuration is shown below:
class-map match-all EAI_PWS_9083
  2 match virtual-address 10.5.68.29 tcp eq 9083
serverfarm host EAI_PWS_9083
  description WebSphere Production
  failaction purge
  probe tcp9083
  rserver ESSWSPAPP01 9083
    inservice
  rserver ESSWSPAPP02 9083
    inservice
policy-map type loadbalance first-match L7_POLICY_EAI_PWS_9083
  class class-default
    serverfarm EAI_PWS_9083
policy-map multi-match L4SLBPOLICY
  class EAI_PWS_9083
    loadbalance vip inservice
    loadbalance policy L7_POLICY_EAI_PWS_9083
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM
parameter-map type http CASE_PARAM
  case-insensitive
Hi,
Your configuration looks fine. I am not familiar with soapUI but if it is like a normal TCP connection followed by HTTP requests, I don't see why this shouldn't work.
Do you know if there is a difference while using soapUI and normal request using browser?
Regards,
Kanwal -
Load balancing v/s Clustering with BOXI enterprise premium
We are planning to install Businessobjects enterprise premium on windows2008 server (64 bit) and we are going to use oracle database. my question is
"Can we set up Crystal reports and businessobjects (web intelligence) both either on clustered environment or load balancer ? "
If not, can you please let me know what is the best option?
Oh. All BOE (this includes Crystal) servers support clustering (and software load balancing via CORBA). Only the input and output FRS do not support load balancing, i.e. while you can have multiple input/output FRS, only one of each is active at a time. The others are passive and will only be used if the active FRS is unavailable.
As an aside, if I remember correctly, a BOE Premium license is required for clustering.
So, in essence, you do not need a hardware load balancer to support load balancing for both Crystal and Webi. -
Srv2008 r2, Load balancing causing sessions to Stack and halt logon
Hello all,
We are currently using App-V 4.6 SP3 across 14 terminal servers. These then have access to 2 app servers and also 2 bkr servers.
We are running a srv2008 r2 environment, and running a windows 7 user experience on the terminal servers.
We are running Microsoft load balancing via a farm setup. The member of staff that set the system up has recently left, and with limited documentation I am struggling a bit to get my head around why the stacking occurs.
The problem we have come across is that the system works OK and load balancing works a treat, then all of a sudden a user will come along, try to log on and take longer than usual to connect their session. This is causing all users that try connecting to be stacked behind this slower user logging on, to the point where there could be 20+ people waiting to log on.
This causes us a huge problem as we can have 700+ users at a time on the thin client environment.
Is there a setting that can be set to stop this situation happening?
Thanks in advance
Lee
Hi Lee,
Does this issue occur with all users at a time?
Do you have printer redirection enabled?
If yes, then please try the hotfix below and check the result.
Long logon time when you establish an RD session to a Windows Server 2008 R2-based RD Session Host server if Printer Redirection is enabled
http://support.microsoft.com/en-us/kb/2655998
Hope it helps!
Thanks.
Dharmesh Solanki
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Create Logon Group on EP for Load Balancing
Dear All,
How do I create a logon group on EP?
This group will include group of dialogue instance systems.
(di01, di02, di03)
Current landscape is
All these 3 DIs are under the CI (production system).
The EP DB is connected and mapped to this production system.
Now I want that whenever users access EP they should not log in to the PRD system but should log in to any one of the DI systems.
Response awaited.
Regards,
Purav
Please believe me, the portal has no such mechanism itself for this kind of load balancing; it is ALWAYS done by an external solution such as web dispatcher.
In a portal cluster the CI may or may not have the SCS installed (it depends on the specific installation) but each node has its own inbuilt load balancing via the dispatcher; however this is purely round robin, not based on any kind of extra intelligence.
Although portal can be installed in a cluster, any nodes (app or otherwise) can be treated as individual servers. In order to balance load across any / all servers in this configuration an external mechanism must be employed.
Chances are anyone claiming to have done load balancing this way without hardware is almost certainly using the web dispatcher as an additional layer.
Haydn -
Hi:
The XI PRD has 2 servers with load balancing via web dispatcher. But in the engine status of the component monitor, I find there are no messages in one of the server nodes at the tab "message overview"!
I did a test of sending about 3000 records from ECC (ABAP proxy) to DB (JDBC) through XI. During its processing, both of the 2 servers work well in SM51, so I think the IE works well with load balancing!
But all of the records are processed by one server node in engine status; what can I do for the AE?
I did another test of sending data from a third-party system (SOAP) to ECC (ABAP proxy) through XI. The sender pushed data through port 8080. Both the IE and AE work well with load balancing.
regards
Yu Ming
Hi Ming,
You can check the IE load balancing in SM51 but not the AE load balancing. AE load balancing you can check in RWB. Check the below:
1) Check in SXI_CACHE what adapter engine URL is maintained in both application servers (IE).
2) Check the connectivity test between the web dispatcher and the AE (in which messages are not visible).
3) Check the configuration between the SAP web dispatcher and the AE.
4) Check the configuration and URL maintained in SLD.
Regards,
Sushama -
I have an interesting problem. I have a VIP with a two-server serverfarm. Originally the VIP and serverfarm were doing load balancing in the switch IOS and the VIP was configured with a 27-bit subnet mask. I moved the configuration to our CSM module and removed the subnet mask. The original sticky was set to 120 and I reset the sticky to 30 as part of the move. Now the load balancing is extremely off kilter (200 connections to 7). Any ideas what could be amiss?
Real servers are physical devices assigned to a server farm. Real servers provide the services that are load balanced. When the server receives a client request, it pulls matching information from a disk and sends it to the CSM for forwarding to the client.
You configure the real server in the real server configuration mode by specifying the server IP address and port when you assign it to a server farm. You enter the real server configuration mode from the serverfarm mode where you are adding the real server.
This URL should help me:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_installation_and_configuration_guide09186a00801760d0.html#xtocid439743