IPSec (transport mode) load balancing via CSM

Suppose that there are two servers providing service for remote applications. Those applications use IPsec in transport mode. I would like to put a CSM in front to load-balance between both of them (persistence via source IP is OK for me).
Have you any experience with transport mode? IMHO it is not possible because of IP header changes? (I have no exact information on whether giving up AH transforms is possible.)
What about changing to tunnel mode? Have you ever seen that configuration working?

I think you can for the transport mode. I have not had any luck with the Tunnel mode.
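The original poster's concern is the IP header: a load balancer that rewrites the destination address (server NAT) changes a field that AH covers with its integrity check value, while ESP's ICV never covers the outer IP header. The model below is an added illustration, not code from the thread or from any Cisco product. It simplifies the RFC 4302/4303 processing to the parts that matter here (HMAC-SHA256 truncated to 128 bits stands in for the SA's integrity algorithm, the ESP payload is left unencrypted, the IP checksum is left at zero) and uses constructed addresses, keys and payload.

```python
"""Why a NATting load balancer breaks AH but not ESP in IPsec transport mode.

Simplified model (added example, not a full IPsec implementation): the
integrity algorithm is HMAC-SHA256-128, the ESP payload is not encrypted,
and the IPv4 header checksum is left as zero.
"""
import hashlib
import hmac
import ipaddress
import struct

INTEGRITY_KEY = b"constructed-demo-integrity-key"  # constructed; IKE negotiates real SA keys
ICV_LEN = 16  # HMAC-SHA256-128 (RFC 4868)


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options; DF set, checksum left at zero."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ah_covered_view(ip_hdr: bytes) -> bytes:
    """AH (RFC 4302) zeroes the mutable IPv4 fields (DSCP/ECN, flags, fragment
    offset, TTL, header checksum) before computing the ICV. Source and
    destination addresses are immutable and therefore ARE covered."""
    view = bytearray(ip_hdr)
    view[1] = 0                 # DSCP / ECN
    view[6:8] = b"\x00\x00"     # flags + fragment offset
    view[8] = 0                 # TTL
    view[10:12] = b"\x00\x00"   # header checksum
    return bytes(view)


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    """AH header: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def ah_icv(ip_hdr: bytes, ah_hdr_zero_icv: bytes, payload: bytes) -> bytes:
    data = ah_covered_view(ip_hdr) + ah_hdr_zero_icv + payload
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bool:
    received = ah_hdr[-ICV_LEN:]
    zeroed = ah_hdr[:-ICV_LEN] + b"\x00" * ICV_LEN
    return hmac.compare_digest(received, ah_icv(ip_hdr, zeroed, payload))


def esp_icv(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP (RFC 4303): the ICV covers the ESP header and payload only; the IP header is not included."""
    data = struct.pack("!II", spi, seq) + payload
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_verify(spi: int, seq: int, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(icv, esp_icv(spi, seq, payload))


def nat_to_real_server(ip_hdr: bytes, real_ip: str) -> bytes:
    """Server NAT, as a 'nat server' serverfarm does: rewrite the destination address."""
    return ip_hdr[:16] + ipaddress.IPv4Address(real_ip).packed


def transport_mode_through_nat(client="198.51.100.7", vip="203.0.113.10", real="10.0.0.21") -> dict:
    """Sign one packet addressed to the VIP, then check it as the real server would see it."""
    payload = b"constructed TCP segment"
    ah_zero = ah_header(next_hdr=6, spi=0x100, seq=1)
    ip_to_vip = ipv4_header(client, vip, proto=51, total_len=20 + len(ah_zero) + len(payload))
    ah_signed = ah_zero[:-ICV_LEN] + ah_icv(ip_to_vip, ah_zero, payload)

    ip_ttl_decremented = ip_to_vip[:8] + bytes([ip_to_vip[8] - 1]) + ip_to_vip[9:]  # a router hop
    ip_at_real = nat_to_real_server(ip_to_vip, real)                                  # a NATting VIP

    esp_tag = esp_icv(0x200, 1, payload)
    return {
        "ah_valid_at_vip": ah_verify(ip_to_vip, ah_signed, payload),
        "ah_valid_after_ttl_decrement": ah_verify(ip_ttl_decremented, ah_signed, payload),
        "ah_valid_after_nat": ah_verify(ip_at_real, ah_signed, payload),
        "esp_valid_after_nat": esp_verify(0x200, 1, payload, esp_tag),
    }


if __name__ == "__main__":
    for check, ok in transport_mode_through_nat().items():
        print(f"{check}: {ok}")
```

A TTL decrement leaves the AH ICV valid because TTL is a mutable field, but the destination rewrite does not, so an AH transport-mode SA terminated on a real server behind a NATting VIP fails integrity checking on every packet. ESP's ICV survives the rewrite, yet the TCP checksum inside the ESP payload was computed over the original addresses and cannot be corrected by the load balancer; that is what NAT traversal (RFC 3948, with the original addresses carried in NAT-OA) exists to fix on the decrypting host. A dispatch-mode farm (`no nat server`, as several configurations later on this page use) avoids the rewrite altogether.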

Similar Messages

  • Load balancing via CHOC12/STS3

Hi, our customer has a connection between 2 x 12012 via the 4 embedded channels of a CHOC12/STS3 module. As every subinterface has its own IP subnet we have 4 equal paths to every destination.
The customer wants to configure dCEF per-packet load balancing and is concerned whether he can get packet sequence problems for his VoIP applications, as may happen on 'normal' equal-cost-path connections when load balancing per packet instead of per destination.
Does anybody know if this can be a concern on the embedded channels?
Regards, Guenther

Generally speaking, for a given source-destination pair, with per-packet load balancing enabled, packets might take different paths, which could introduce reordering of packets. Thus per-packet load balancing is inappropriate for voice over IP traffic and also for certain other types of data traffic that require packets to be received in sequence. For more information please see
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca62c.html#3589. Whether the CHOC12/STS3 module has some special mechanism built in to take care of this is unknown to me. Per-packet load balancing via CEF is not supported on Engine 2 Gigabit Switch Router (GSR) line cards (LCs).
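The reordering effect described in the reply can be made concrete with a small simulation. This is an added example, not from the thread and not a model of any Cisco hardware: four equal-cost paths with constructed, slightly different one-way latencies, a constructed packet stream, and a stable flow hash standing in for CEF's per-destination selection.

```python
"""Per-packet vs per-destination path selection over equal-cost paths.

Added illustration; latencies and the packet trace are constructed.
"""
import hashlib

# Four equal-cost paths (like four embedded channels) with constructed latencies in ms.
PATH_LATENCY_MS = [1.0, 3.0, 1.5, 4.0]
SEND_INTERVAL_MS = 0.5  # constructed inter-packet gap of a voice stream


def per_packet_path(index: int, n_paths: int) -> int:
    """Per-packet load balancing: round-robin over the paths regardless of flow."""
    return index % n_paths


def per_destination_path(src: str, dst: str, n_paths: int) -> int:
    """Per-destination load balancing: hash the (src, dst) pair so one flow stays on one path.
    A stable hash is used so the result is reproducible across runs."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


def arrival_order(n_packets: int, src: str, dst: str, per_packet: bool) -> list:
    """Sequence numbers in the order the receiver sees them."""
    n_paths = len(PATH_LATENCY_MS)
    arrivals = []
    for seq in range(n_packets):
        path = per_packet_path(seq, n_paths) if per_packet else per_destination_path(src, dst, n_paths)
        arrive_at = seq * SEND_INTERVAL_MS + PATH_LATENCY_MS[path]
        arrivals.append((arrive_at, seq))
    arrivals.sort()  # ties are broken by sequence number
    return [seq for _, seq in arrivals]


def count_out_of_order(order: list) -> int:
    """Packets arriving after a higher sequence number has already arrived,
    i.e. the ones a receiver's jitter buffer would have to reorder."""
    highest = -1
    late = 0
    for seq in order:
        if seq < highest:
            late += 1
        highest = max(highest, seq)
    return late


def compare_modes(n_packets: int = 8, src: str = "10.1.1.10", dst: str = "10.2.2.20") -> dict:
    return {
        "per_packet": count_out_of_order(arrival_order(n_packets, src, dst, True)),
        "per_destination": count_out_of_order(arrival_order(n_packets, src, dst, False)),
    }


if __name__ == "__main__":
    print("arrival order, per packet:", arrival_order(8, "10.1.1.10", "10.2.2.20", True))
    print(compare_modes())
```

With the constructed latencies, per-packet selection delivers the eight packets as 0, 2, 4, 1, 6, 3, 5, 7 (three arrive out of order), while the flow hash keeps the whole stream on one path and delivers it in sequence. The per-destination mode only balances across flows, so a single large flow cannot use more than one path; that is the trade-off the reply alludes to.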

  • IPSec Transport Mode

    Hi,
I am trying to set up an IPsec transport mode policy from my test server in the office to a VM in Azure in order to replicate data to an RODC.
Both servers sit behind a NAT firewall and have private IP addresses.
I have created a security policy at each end which specifies both the private address of the server and the public address of the cloud service (Azure) and firewall (on-prem).
    I have opened firewall ports on both sides to allow both 500/udp and 4500/udp
    Using the Network Monitor tool, I can see some IKE transmissions but I can't ping/rdp either way.
    Any ideas?
    Thanks
    Dave

    Hi Dave,
    We've not heard from you yet. I assume the information provided by me has helped. I am marking my reply as answered now.
    In case the information did not help, please feel free to unmark the answer and come back to us with your comments.
    Best regards.
    Steven Lee
    TechNet Community Support

  • IPSEC transport mode and GET VPN

    All,
I am about to implement GET VPN while reading the following from Cisco's website:
IPsec transport mode suffers from fragmentation and reassembly limitations and must not be used in
deployments where encrypted or clear packets might require fragmentation.
I just do not understand why transport mode will suffer from fragmentation and reassembly while it has less overhead than tunnel mode.

One thing to understand about transport mode vs tunnel mode (IPsec) is that transport is used between the actual source and destination of the IP protocol.
Tunnel mode actually not only authenticates but also encrypts at the higher layers of the packet:
PIX
VPN
IP layers
In tunnel mode the actual source and destination is encrypted at the upper layers and therefore when the packet gets to the IP layer, it really doesn't know about or care about the ICV signature already within the upper PIX layer.
Also from a security standpoint, because of the fact that tunnel mode encrypts and authenticates the IP information whereas transport only authenticates packets.

  • RPC Load Balancing on CSM and SSL

    We are load-balancing SSL successfully but the Exchange people want to use RPC to access
    mailboxes using CSM.
    We need to allow ports 6005 through 59530 used by the Client Access Servers. Any suggestions?

    Thanks. I tried that, but according to our exchange administrators, the solution didn't work. Here is my configuration:
    serverfarm EXCH-CAS
    nat server
    no nat client
    real x.x.248.100
      inservice
    real x.x.248.101
      inservice
    probe EXCH-CAS
    serverfarm EXCH-CAS-SSL
    nat server
    no nat client
    real x.x.254.60
      inservice
    real x.x.254.61
      inservice
    probe SSL-FARM
    ! vserver EXCH-CAS
      virtual x.x.254.154 tcp www
      vlan 460
      serverfarm EXCH-CAS
      sticky 1440 group 152
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver EXCH-CAS-S
      virtual x.x.214.139 tcp https
      vlan 400
      serverfarm EXCH-CAS-SSL
      sticky 5 group 252
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver EXCH-CAS-TEST-S
      virtual x.x.214.139 tcp 0
      vlan 400
      serverfarm EXCH-CAS
      sticky 5 group 252
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    Thanks,
    Mohamad

  • Load balance on CSM with both Firewalsl and Cache engines

    Hi,
I come from VDC#3 (Vietnam); we have 2 CSMs, 3 firewalls, and 8 CE 7325s. We configured dual CSMs to load balance for the 3 FWs, and now we want to use one CSM to load balance for the CEs. Can you hint me at the best network topology?
    Thanks

Your topology is correct.
    The problem is your config.
    If you need access to the CE ip addresses, you need to configure a vserver to allow this traffic.
    Something like
    serverfarm FORWARD
    no nat server
    no nat client
    predictor forward
    vserver access2ce
    vip x.x.x.0/24 any
    serverfarm FORWARD
    ins
    Replace x.x.x.0/24 with the subnet used by the CE.
    Regards,
    Gilles.
    Thanks for rating this answer.

  • IPsec transport mode with IPv6?

I am trying to set up IPsec in an IPv6 environment. However, when I configure "crypto map" I wasn't able to "set peer" to an IPv6 peer address. Why is that?
I used a Virtual Tunnel Interface instead of a crypto map and it worked. But I need IPsec in transport mode instead of tunnel mode.

I think there is no support for mixed mode, which is IPv6 traffic through an IPv4 tunnel and vice versa, in VTI. A better solution is a GRE tunnel.

  • ACE load balance based on Source IP Address

Hi Cisco Support,
I have a question related to Cisco ACE behavior in terms of taking a decision based on source address.
I currently have two servers sitting behind the ACE as part of one server farm; these servers are load balanced via one VIP on the ACE module and everything looks fine.
Now the service owners want to replace these old servers with new hardware, hence before the migration we need to make sure these new servers are working to the required standard, hence we need to create a testing scenario for the new servers along with the old servers. The problem is that a number of third-party partners are accessing the existing servers by hitting the VIP on the ACE and we can't engage all our partners to participate in this test, therefore we decided to engage only one partner to carry out the test with us.
For that reason, can we somehow configure the ACE so that when a packet arrives on the ACE from the one test partner mentioned above, the ACE sends only that partner's traffic, based on its source address (defined via class/policy map on the ACE if possible), towards the new servers in the existing server farm and not to the old servers in the same server farm?
Thanks for your support

    Hi,
    Just to put some config sample that might help you to get this done.
First create the new rservers and include them under a new serverfarm (New-APP).
    serverfarm host Webfarm
      rserver SVR1
        inservice
      rserver SVR2
        inservice
    serverfarm host New-APP
      rserver New-1
        inservice
      rserver New-2
        inservice
    - Same VIP already working.
    class-map match-all VIP-HTTP
      2 match virtual-address 10.10.10.10 tcp eq www
    - Create a new class that will include your partner's IP(s).
    class-map type http loadbalance match-any 3rd-Party
      2 match source-address 200.200.200.1 255.255.255.255 
      3 match source-address 200.200.200.10 255.255.255.255 
Modify your current first-match policy to put the new class on top so that all the traffic matched by the statement above (IP) will be redirected to the new farm with the new app; any other traffic that does not match the "rule" will be sent to the old serverfarm with the old app.
    policy-map type loadbalance first-match L7-SLB
      class 3rd-Party
        serverfarm New-APP
      class class-default
        serverfarm Webfarm
    Since you already have LB working then this is it, nothing needs to be added under the multi-match policy nor interface.
    HTH
    Pablo

  • PIX balancing with CSMs on both ends...

I'm preparing configurations for a CSM-oriented solution. Now I'm testing PIX load balancing using CSM. For simplicity the situation is like in:
    Configuring Regular Firewall Load Balancing, page 5-17
    where we got:
    Internet -> CSM@6509 -> PIXes -> CSM@6509 -> DMZs
    where DMZs could be internet users, intranet with FW-1 and so on.
I have a configuration exactly as in the mentioned document:
    cat6509 (Internet side):
    module ContentSwitchingModule 5
    vlan 100 client
    ip address 100.0.0.25 255.255.255.0
    gateway 100.0.0.13
    vlan 101 server
    ip address 100.0.0.25 255.255.255.0
    alias 100.0.0.20 255.255.255.0
    serverfarm FORWARD-SF
    no nat server
    no nat client
    predictor forward
    serverfarm INSEC-SF
    no nat server
    no nat client
    predictor hash address source
    real 100.0.0.3
    inservice
    real 100.0.0.4
    inservice
    vserver FORWARD-VS
    virtual 0.0.0.0 0.0.0.0 any
    vlan 101
    serverfarm FORWARD-SF
    persistent rebalance
    inservice
    vserver INSEC-VS
    virtual 200.0.0.0 255.255.255.0 any
    vlan 100
    serverfarm INSEC-SF
    persistent rebalance
    inservice
    interface Vlan100
    ip address 100.0.0.13 255.255.255.0
    ip route 10.0.0.0 255.0.0.0 100.0.0.20
    ip route 200.0.0.0 255.0.0.0 100.0.0.20
    cat6509:DMZs/intRAnet side:
    module ContentSwitchingModule 5
    vlan 201 server
    ip address 200.0.0.26 255.255.255.0
    alias 200.0.0.20 255.255.255.0
    vlan 20 server
    ip address 10.1.0.26 255.255.255.0
    vlan 200 client
    ip address 200.0.0.26 255.255.255.0
    serverfarm GENERIC-SF
    nat server
    no nat client
    real 10.1.0.66
    inservice
    serverfarm SEC-SF
    no nat server
    no nat client
    predictor hash address destination
    real 200.0.0.3
    inservice
    real 200.0.0.4
    inservice
    vserver GENERIC-VS
    virtual 200.0.0.127 tcp 0
    vlan 201
    serverfarm GENERIC-SF
    persistent rebalance
    inservice
    vserver SEC-20-VS
    virtual 200.0.0.0 255.255.255.0 any
    vlan 20
    serverfarm SEC-SF
    persistent rebalance
    inservice
    vserver SEC-200-VS
    virtual 200.0.0.0 255.255.255.0 any
    serverfarm SEC-SF
    persistent rebalance
    inservice
    VLANs:
    100 - Internet
101 - PIX Outsides
    201 - PIX Insides
    200 - sample DMZ with users..
    20 - sample DMZ with servers
    Internet need access to servers@VLAN20
Hosts from VLAN 200 and VLAN 20 need access to the Internet
Traffic between DMZs needs to be allowed

    I see one problem already.
    Your MSFC has an interface vlan 100 and a static route pointing at address 100.0.0.20 which is the alias in vlan 101.
    Your MSFC probably can't ping 100.0.0.20
    You should configure an alias in vlan 100 of the CSM and have the MSFC pointing to this alias.
    Also, the 2nd CSM does not have a serverfarm FORWARD.
You will need one normally to forward traffic to your local subnet without load balancing.
    [what you configured is possible but I'm not sure this is the result you are expecting]
    Regards,
    Gilles.

  • ACE load balancing and testing using soapUI

    Hey, I am trying to crowd source a solution for this problem.
    A client is testing using soapUI to an application that is being load balanced via ACE. There are two webservers behind the VIP servicing the client request. When client tests, requests are timing out per the soapUI log. A packet capture was taken and it clearly shows that ACE is not forwarding the HTTP data back to the client. When client tests by bypassing the ACE load balancer, it works fine. But, there are other clients from other applications that are making successful connection to the load balanced application via the VIP.
    Question, is there any thing unique with making HTTP/XML based requests using soapUI? LB configuration is shown below:
    class-map match-all EAI_PWS_9083
      2 match virtual-address 10.5.68.29 tcp eq 9083
    serverfarm host EAI_PWS_9083
      description WebSphere Porduction
      failaction purge
      probe tcp9083
      rserver ESSWSPAPP01 9083
        inservice
      rserver ESSWSPAPP02 9083
        inservice
    policy-map type loadbalance first-match L7_POLICY_EAI_PWS_9083
      class class-default
        serverfarm EAI_PWS_9083
    policy-map multi-match L4SLBPOLICY
    class EAI_PWS_9083
        loadbalance vip inservice
        loadbalance policy L7_POLICY_EAI_PWS_9083
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options CASE_PARAM
    parameter-map type http CASE_PARAM
      case-insensitive

    Hi,
Your configuration looks fine. I am not familiar with soapUI, but if it is like a normal TCP connection followed by HTTP requests, I don't see why this shouldn't work.
    Do you know if there is a difference while using soapUI and normal request using browser?
    Regards,
    Kanwal

  • Load balancing v/s Clustering with  BOXI enterprise premium

We are planning to install BusinessObjects Enterprise Premium on Windows Server 2008 (64-bit) and we are going to use an Oracle database. My question is:
"Can we set up Crystal Reports and BusinessObjects (Web Intelligence) both either in a clustered environment or behind a load balancer?"
If not, can you please let me know what the best option is?

Oh. All BOE (this includes Crystal) servers support clustering (and software load balancing via CORBA). Only the input and output FRS do not support load balancing, i.e. while you can have multiple input/output FRS, only one of each is active at a time. The others are passive and will only be used if the active FRS is unavailable.
    As an aside, if I remember correctly, a BOE Premium license is required for clustering.
    So, in essence, you do not need a hardware load balancer to support load balancing for both Crystal and Webi.

  • Srv2008 r2, Load balancing causing sessions to Stack and halt logon

    Hello all,
We are currently using App-V 4.6 SP3 across 14 terminal servers. These then have access to 2 app servers and also 2 bkr servers.
We are running a Server 2008 R2 environment, and running a Windows 7 user experience on the terminal servers.
We are running Microsoft load balancing via a farm setup. The member of staff that set the system up has recently left, and with limited documentation I am struggling a bit to get my head around why the stacking occurs.
The problem we have come across is that the system works OK and load balancing works a treat, then all of a sudden a user will come along, try to log on, and it will take longer than usual to connect their session. This is causing all users that try connecting
to be stacked behind this slower user logging on, to the point where there could be 20+ people waiting to log on.
This causes us a huge problem as we can have almost 700+ users at a time on the thin client environment.
Is there a setting that can be set to stop this situation happening?
    Thanks in advance
    Lee

    Hi Lee,
Does this issue occur with all users at a time?
Do you have printer redirection enabled?
If yes, then please try the hotfix below and check the result.
    Long logon time when you establish an RD session to a Windows Server 2008 R2-based RD Session Host server if Printer Redirection is enabled
    http://support.microsoft.com/en-us/kb/2655998
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Create Logon Group on EP for Load Balancing

    Dear All,
How do I create a logon group on EP?
This group will include a group of dialog instance systems
(di01, di02, di03).
The current landscape is:
all these 3 DIs are under the CI (production system).
The EP DB is connected and mapped over this production system.
Now I want that whenever users access EP they should not log in to the PRD system but should log in to any one of the DI systems.
Response awaited.
    Regards,
    Purav

    please believe me, the portal has no such mechanism itself for this kind of load balancing - it is ALWAYS done by an external solution such as web dispatcher.
In a portal cluster the CI may or may not have the SCS installed (it depends on the specific installation), but each node has its own inbuilt load balancing via the dispatcher; however, this is purely round robin, not based on any kind of extra intelligence.
    Although portal can be installed in a cluster, any nodes (app or otherwise) can be treated as individual servers.  In order to balance load across any / all servers in this configuration an external mechanism must be employed.
    Chances are anyone claiming to have done load balancing this way without hardware is almost certainly using the web dispatcher as an additional layer.
    Haydn

  • Load balance setting in AE

    Hi:
The XI PRD has 2 servers with load balancing via web dispatcher. But in the engine status of the component monitor, I find there are no messages in one of the server nodes at the tab "message overview"!
I did a test of sending about 3000 records from ECC (ABAP proxy) to DB (JDBC) through XI. During its processing, both of the 2 servers worked well in SM51, so I think the IE works well with load balancing!
But all of the records are processed by one server node in the engine status; what can I do for the AE?
I did another test of sending data from a third-party system (SOAP) to ECC (ABAP proxy) through XI. The sender pushed data through port 8080. Both the IE and AE worked well with load balancing.
    regards
    Yu Ming

    Hi Ming,
You can check the IE load balancing in SM51 but not the AE load balancing. AE load balancing you can check in RWB. Check the below:
1) Check in SXI_CACHE what adapter engine URL is maintained in both application servers (IE).
2) Check the connectivity test between the web dispatcher and the AE (in which messages are not visible).
3) Check the configuration between the SAP web dispatcher and the AE.
4) Check the configuration and URL maintained in SLD.
    Regards,
    Sushama

  • CSM load balancing

I have an interesting problem. I have a VIP with a two-server serverfarm. Originally the VIP and serverfarm were doing load balancing in the switch IOS and the VIP was configured with a 27-bit subnet mask. I moved the configuration to our CSM module and removed the subnet mask. The original sticky was set to 120 and I reset the sticky to 30 as part of the move. Now the load balancing is extremely off kilter (200 connections to 7). Any ideas what could be amiss?

    Real servers are physical devices assigned to a server farm. Real servers provide the services that are load balanced. When the server receives a client request, it pulls matching information from a disk and sends it to the CSM for forwarding to the client.
    You configure the real server in the real server configuration mode by specifying the server IP address and port when you assign it to a server farm. You enter the real server configuration mode from the serverfarm mode where you are adding the real server.
This URL should help me:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_installation_and_configuration_guide09186a00801760d0.html#xtocid439743
