LB configuration on ACE
I have configured 2 SMTP servers to balance traffic on port 25, using source IP as sticky and doing a source NAT.
The algorithm is round robin.
The traffic from different mail servers needs to hit my VIP and be balanced between the two servers. But instead all my mail traffic is going to only one SMTP server.
Please advise me if I need to change the sticky or add anything to my configuration so that the traffic is load balanced equally between the 2 SMTP servers.
probe smtp PROBE_SMTP
  interval 20
  passdetect interval 5
  passdetect count 2
  receive 1
  open 1
  expect status 211 250
rserver host SMTP1
  ip address 10.24.133.15
  inservice
rserver host SMTP2
  ip address 10.24.133.16
  inservice
serverfarm host SMTP
  probe PROBE_SMTP
  rserver SMTP1
    inservice
  rserver SMTP2
    inservice
sticky ip-netmask 255.255.255.255 address source SMTP_STICKY
  timeout 30
  replicate sticky
  serverfarm SMTP
class-map match-all SMTP_class
  2 match virtual-address 10.24.133.10 tcp eq
policy-map type loadbalance first-match SMTP_POLICY
  class class-default
    sticky-serverfarm SMTP_STICKY
policy-map multi-match POLICY
  class SMTP_class
    loadbalance vip inservice
    loadbalance policy SMTP_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 10
Asharmav
The requests to the VIP come from various mail servers. But I am not sure why it is not being load balanced equally between the 2 SMTP servers.
serverfarm     : SMTP, type: HOST
total rservers : 2
state          : ACTIVE
DWS state      : DISABLED
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: SMTP1
       10.24.133.15:0        8      OPERATIONAL  18         23772      968
   rserver: SMTP2
       10.24.133.16:0        8      OPERATIONAL  7          20664      1012
Please advise me if I need to change the sticky setting or any other options
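The point of the thread above is how a source-IP sticky group changes what "round robin" means. With `sticky ip-netmask 255.255.255.255 address source`, the ACE keys its sticky table on the full client source address; the predictor is consulted only for a source that has no live entry, and every new connection from that source refreshes the entry's idle timer (the `timeout` is in minutes). For an SMTP VIP the "clients" are the sending relays, so the split is by relay, not by connection. The following simulation is an added example, not code from the thread or from the ACE: it models only that behaviour (no replication, no DWS, no probes), takes the rserver names SMTP1/SMTP2 from the post, and uses constructed relay addresses from documentation ranges.

```python
"""Source-IP stickiness in front of a round-robin serverfarm (added example)."""
from collections import Counter
from ipaddress import IPv4Network


class StickySourceIpFarm:
    """Round-robin serverfarm fronted by an 'ip-netmask ... address source' sticky table."""

    def __init__(self, rservers, netmask="255.255.255.255", timeout_min=30):
        self.rservers = list(rservers)
        self.netmask = netmask
        self.timeout_s = timeout_min * 60          # ACE 'timeout' is in minutes
        self.table = {}                            # masked source -> (rserver, last_seen)
        self._rr = 0

    def _sticky_key(self, src_ip):
        # ip-netmask: the key is the source address ANDed with the sticky netmask,
        # so with 255.255.255.0 a whole /24 of relays collapses into one entry.
        return IPv4Network((src_ip, self.netmask), strict=False).network_address

    def _round_robin(self):
        rs = self.rservers[self._rr % len(self.rservers)]
        self._rr += 1
        return rs

    def connect(self, src_ip, now_s):
        """Return the rserver chosen for a new TCP connection arriving at now_s."""
        key = self._sticky_key(src_ip)
        entry = self.table.get(key)
        if entry is not None and now_s - entry[1] < self.timeout_s:
            rserver = entry[0]                     # sticky hit: predictor is bypassed
        else:
            rserver = self._round_robin()          # miss or expired: predictor runs
        self.table[key] = (rserver, now_s)         # create or refresh the entry
        return rserver


def distribute(relays, conns_per_relay, netmask="255.255.255.255",
               timeout_min=30, gap_s=10):
    """Interleave connections from the given relay IPs (one every gap_s seconds)
    and return how many landed on each rserver."""
    farm = StickySourceIpFarm(["SMTP1", "SMTP2"], netmask, timeout_min)
    counts = Counter()
    now = 0
    for _ in range(conns_per_relay):
        for relay in relays:
            counts[farm.connect(relay, now)] += 1
            now += gap_s
    return dict(counts)


if __name__ == "__main__":
    # one busy relay: every connection pins to the rserver picked for it
    print(distribute(["192.0.2.10"], 100))
    # two relays: one rserver each, balanced only because there happen to be two
    print(distribute(["192.0.2.10", "198.51.100.7"], 100))
    # three relays: a 2:1 split no matter how much each relay sends
    print(distribute(["192.0.2.10", "198.51.100.7", "203.0.113.4"], 100))
    # two relays in one /24 behind a /24 sticky mask: one entry, one rserver
    print(distribute(["192.0.2.10", "192.0.2.11"], 100, netmask="255.255.255.0"))
    # no stickiness at all: round robin per connection
    print(distribute(["192.0.2.10"], 100, timeout_min=0))
```

Because a relay that sends continuously refreshes its entry on every connection, the 30-minute timeout never expires for it, so the entry it got on its first connection is effectively permanent. Per-connection balancing for SMTP only needs the serverfarm without the sticky group; source-IP stickiness is worth keeping only where the protocol actually needs a client to return to the same server.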
Similar Messages
-
Query on probe configuration in ACE
Hi All,
If the URI is www.cisco.com/books/videos/test.xml
what could be the probe URL which need to be configured in ACE?
Regards,
Thiyagu
Hello,
Probably something like this:
probe http testing
  request method get url /books/videos/test.xml
  expect status 200 200
Here you have a link about it:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/probe.html#wp1031398
Jorge -
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm a newbie to Cisco ACE 4710 and still in the learning stage. Meanwhile I got a chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two application servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide is totally fine with my required deployment model. I have the same deployment environment as this guide contains, with an ACE cluster that connects to two Cisco 3750X (stack) switches. But I have some points of confusion in this guide.
This guide follows "one-armed mode" as the deployment method. But when I go through it further I have noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it) and the client-side VIP is also in the same VLAN, which is 10.4.49.100/24 (even the NAT pool too).
My confusion is: as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments, one for the client side, where client requests come in and hit the VIP, and a second one for the server side, which basically means two VLANs. So please be kind enough to go through the above document and tell me what is wrong and what I should do for the best. This is urgent, so I need your help quickly.
Thanks....!
-Amal-
Dear Kanwal,
I need quick help from you. Following are the application LB requirements which I received from my client side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must resolve and respond on the DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must resolve and respond on the DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, the actual hostname will be used]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, the actual hostname will be used]
Protocol: http
Port: 8000
Since my client needs to access the URL ebiz.xxxx.lk, which should be resolved to IP 172.25.45.21 (virtual IP) via http (80), before they deployed the app on the two servers I just ran a web service on both servers (Linux) and tried to access http://172.25.45.21. It was working fine and gave me the index.html page. Now, after my client has deployed the application, when he tries to access the page http://172.25.45.21 he cannot see his main login page. But my testing web servers are still there on both servers: when I type http://172.25.45.21 it gets the index.html page, but not my client's web login page. What can I do about this?
Following are my latest config :
probe http Get-Method
  description Check to url access /OA_HTML/OAInfo.jsp
  interval 10
  faildetect 2
  passdetect interval 30
  request method get url /OA_HTML/OAInfo.jsp
  expect status 200 200
probe udp http-8000-iRDMI
  description IRDMI (HTTP - 8000)
  port 8000
probe http http-probe
  description HTTP Probes
  interval 10
  faildetect 2
  passdetect interval 30
  passdetect count 2
  request method get url /index.html
  expect status 200 200
probe https https-probe
  description HTTPS traffic
  interval 10
  faildetect 2
  passdetect interval 30
  passdetect count 2
  ssl version all
  request method get url /index.html
probe icmp icmp-probe
  description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
  description ebsapp1.xxxx.lk
  ip address 172.25.45.19
  conn-limit max 4000000 min 4000000
  probe icmp-probe
  probe http-probe
  inservice
rserver host ebsapp2
  description ebsapp2.xxxx.lk
  ip address 172.25.45.20
  conn-limit max 4000000 min 4000000
  probe icmp-probe
  probe http-probe
  inservice
serverfarm host ebsppsvrfarm
  description ebsapp server farm
  failaction purge
  predictor response app-req-to-resp samples 4
  probe http-probe
  probe icmp-probe
  inband-health check log 5 reset 500
  retcode 404 404 check log 1 reset 3
  rserver ebsapp1 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
  rserver ebsapp2 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
sticky http-cookie jsessionid HTTP-COOKIE
  cookie insert browser-expire
  replicate sticky
  serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
  description DM generated classmap for default LB compression exclusion mime types.
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
  15 match http url .*jpg
  16 match http url .*jpeg
  17 match http url .*jpe
  18 match http url .*png
class-map match-all ebsapp-vip
  2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
  class default-compression-exclusion-mime-type
    serverfarm ebsppsvrfarm
  class class-default
    compress default-method deflate
    sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
  class ebsapp-vip
    loadbalance vip inservice
    loadbalance policy ebsapp-vip-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 455
interface vlan 455
  ip address 172.25.45.36 255.255.255.0
  peer ip address 172.25.45.35 255.255.255.0
  access-group input ALL
  nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
  service-policy input remote_mgmt_allow_policy
  service-policy input int455
  no shutdown
ft interface vlan 999
  ip address 10.1.1.1 255.255.255.0
  peer ip address 10.1.1.2 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 999
ft group 1
  peer 1
  no preempt
  priority 110
  associate-context Admin
  inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply to me soon.
Thanks....!
-Amal- -
How to Virtual IP configuration in ACE module?
Hi,
I am in the process of configuring load balancing on ACE module but struggling to configure virtual IP address for ACE module.
I'm working on ACE30 module and using software version A5 (1.2). ACE module is in slot of Catalyst 6504 switch.
Can anybody please post the steps/commands to perform this activity? An early response would be appreciated.
Regards,
Rachit.
Hi Rachit,
Here is a basic configuration example:
access-list Allow_Access line 10 extended permit ip any any
rserver host test
  ip address 10.198.16.98
  inservice
rserver host test2
  ip address 10.198.16.93
  inservice
serverfarm host test
  rserver test 80
    inservice
  rserver test2 80
    inservice
sticky http-cookie test group2
  cookie insert
  serverfarm test
class-map match-all VIP
  2 match virtual-address 10.198.16.122 tcp eq www
policy-map type loadbalance first-match test
  class class-default
    sticky-serverfarm group2
policy-map multi-match clients
  class VIP
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
interface vlan 112
  ip address 10.198.16.91 255.255.255.192
  access-group input Allow_Access
  nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
  service-policy input NSS_MGMT
  service-policy input clients
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.198.16.65
Here is the configuration guide:
http://tools.cisco.com/squish/101AD
Cesar R -
Sticky issue for an application configured in ACE
Hi All,
We are facing a strange issue with ACE. We have a sticky configured for an application in ACE.
Sometimes the application is not working, We have to clear sticky session on ACE to fix the issue.
Can anybody help me to troubleshoot this issue?
Regards,
Thiyagu
Hi Jorge,
Here is the sticky configuration of the application which is having the issue.
sticky ip-netmask 255.255.255.255 address source SG
  timeout 15
  serverfarm SF
Please let me know if you need the complete configuration.
Regards,
Thiyagu -
I have been given the task of configuring a Cisco ACE20, initially for SLB. I have configured IOS SLB successfully but the ACE appears far more complex. Does anyone have any configuration guides with diagrams? The Cisco documentation only gives command guides, which I am finding difficult to follow. I have set up a test scenario as follows:
Client side vlan 10 - 172.22.152.0 / 21
Server side vlan 17 - 172.22.244.0 /24
Vlan 10 is set up on Sup720 as L2/3
Vlan 17 is set up on Sup720 as L2 only
PC with IIS running with IP address 172.22.244.101
VIP address 172.22.152.6
Rserver address 172.22.244.101
Route on ACE 0.0.0.0 0.0.0.0 172.22.152.2
I can ping the rserver from the ACE OK, as I have captured the ICMP traffic with an analyser; when I attempt to HTTP to the vserver address I see the traffic hit the ACE but it sends TCP resets.
I can provide the full config of the ACE etc. if needed.
With IOS SLB (without NAT) I used loopback addresses on the real servers. From the ACE documentation it appears the VIP address has to be completely unique; does this mean there is no need for loopback interfaces? Also, does the VIP address have to be in a different subnet than the clients? Mine is not, but it is in the same subnet as my client-side VLAN, as was stated in the ACE getting started guide.
I am very new to content switching, especially classifying traffic etc. Can anyone please help?
Giles
Capture attached (Ethereal).
I am the client on 172.21.17.20; the VIP address 172.22.152.6 replies with a RST/ACK. I can see the connection attempt on the ACE:
switch/Admin# sh conn
total current connections : 6
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
4          1  in  TCP   10   172.21.17.20:1291     172.22.152.6:80       SYNSEEN
1          1  out TCP   17   172.22.152.6:80       172.21.17.20:1291     INIT
3          1  in  TCP   10   172.21.17.20:1285     172.22.152.5:23       ESTAB
5          1  out TCP   10   172.22.152.5:23       172.21.17.20:1285     ESTAB
4          2  in  UDP   17   172.22.244.101:1042   172.28.7.25:161       --
2          2  out UDP   10   172.28.7.25:161       172.22.244.101:1042   --
switch/Admin#
Do I need a loopback address on the real server. Also I only have one real server set-up at the moment - I didn't think this would matter.
Hope this helps....
Paul -
Configuration help - ACE redirection
Please see the below ACE configuration. It is currently in place for both load balancing and redirection. Here are the 4 current scenarios...
1. https://www.URL1.com is the desired URL and will be load balanced. Certificate is for this URL.
2. http://www.URL1.com will redirect the client to https://www.URL1.com for appropriate load balancing.
3. URL1.com resolves to the same vip ip address as www.URL1.com, so http://URL1.com will redirect the client to https://URL1.com
4. https://URL1.com will be load balanced, but client gets a certificate error since the cert is not associated with this address.
How can I redirect http://URL1.com and https://URL1.com to https://www.URL1.com? Can I create a L7 policy map in addition to the existing L4 policy map?
Thanks for any help you can give.
rserver host URL1-ws07
  ip address 1.1.1.1
  inservice
rserver host URL1-ws08
  ip address 1.1.2.1
  inservice
rserver host URL1-ws09
  ip address 1.1.3.1
  inservice
rserver host URL1-ws10
  ip address 1.1.4.1
  inservice
rserver host URL1-ws06
  ip address 1.1.5.1
  inservice
!************** Generic redirect rserver used by many policy maps to redirect clear text addresses to secure addresses *************
rserver redirect server-rd
  webhost-redirection https://%h%p 301
  inservice
ssl-proxy service URL1
  key URL10911-key
  cert URL10911-cert
  chaingroup verisign-ev-cg
serverfarm host URL1
  description www.URL1.com
  probe port_80
  rserver URL1-ws07 80
    inservice
  rserver URL1-ws08 80
    inservice
  rserver URL1-ws09 80
    inservice
  rserver URL1-ws10 80
    inservice
  rserver URL1-ws06 80
    inservice
sticky http-cookie acecookie sticky-URL1
  cookie insert browser-expire
  replicate sticky
  serverfarm URL1
!***************** Redirect to https *****************
class-map match-all URL1-vip
  2 match virtual-address 2.2.2.2 tcp eq https
class-map match-all URL1-vip-rd
  2 match virtual-address 2.2.2.2 tcp eq www
policy-map type loadbalance first-match URL1-lb
  class class-default
    sticky-serverfarm sticky-URL1
    action https-rewrite
    insert-http X-Forwarded-For header-value "%is"
policy-map type loadbalance first-match URL1-rd
  class class-default
    serverfarm server-rd
policy-map multi-match yellow-policy
  class URL1-vip-rd
    loadbalance vip inservice
    loadbalance policy URL1-rd
    loadbalance vip icmp-reply active
  class URL1-vip
    loadbalance vip inservice
    loadbalance policy URL1-lb
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options generic-http-parameter-map
    ssl-proxy server URL1
Hi there,
If all the URLs respond to the same VIP then you need to modify your server-rd as follows:
rserver redirect server-rd
  webhost-redirection https://www.URL1.com/%p 301
  inservice
That would take care of the HTTP part.
For HTTPS we can't do much as decryption happens before URL matching, you'll get the certificate
error before being sent to the correct domain. The only way you can get HTTPS working is either with:
- Wildcard Certificate: *.URL1.com
- SAN certificate: You can include multiple domains into the same SSL certificate.
HTH
Pablo -
ACE 4700 configuring SSL termination weblogic server 10.3.6
Hello,
I'm trying to configure an ACE 4700 so that SSL termination is done on the ACE and HTTP reaches the WebLogic server instance.
I have a working setup of a Apache reverse proxy doing SSL offloading and using a weblogic module and that works fine
Was reading http://docs.oracle.com/cd/E23943_01/web.1111/e13709/load_balancing.htm#i1045186
Can anyone point me to a working config example for doing this with the ACE4700 or give me some directions here?
Kind regards,
Laurens
Hi Laurens,
Here is a basic configuration for SSL termination:
rserver host test
  ip address 10.198.16.98
  inservice
rserver host test2
  ip address 10.198.16.93
  inservice
serverfarm host test
  rserver test 80
    inservice
  rserver test2 80
    inservice
ssl-proxy service TEST
  key cert
  cert cert
class-map match-all VIPSSL
  2 match virtual-address 10.198.16.122 tcp eq https
policy-map type loadbalance first-match test
  class class-default
    serverfarm test
policy-map multi-match clients
  class VIPSSL
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
    ssl-proxy server TEST
interface vlan 112
  ip address 10.198.16.91 255.255.255.192
  access-group input Allow_Access
  nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
  service-policy input NSS_MGMT
  service-policy input clients
  no shutdown
Cesar R
ANS Team -
Cookie stickiness configuration issue with Cisco ACE
Hi,
We have configured an ACE (in standby mode) with IP netmask stickiness and want to configure cookie stickiness for a Remedy server placed behind the ACE. BMC has said that they use the JSESSIONID field in the Remedy application, and I want to know the procedure for configuring the ACE to see this field and deploy the cookie stickiness feature on the ACE.
We tried configuring the ACE to learn the cookie string dynamically and tried to insert the cookie in the server response to the client, but both methods have failed and the user is not able to see the Remedy app webpage on both occasions.
Are there any prerequisites to be configured on the ACE before configuring the cookie stickiness feature? We would appreciate your timely response.
Thanks in advance.
Hi,
Refer to the document below for a sample configuration. If this still doesn't work, a full config and sniffer capture are required to verify this.
http://docwiki.cisco.com/wiki/Session_Persistence_Using_Cookie_Learning_on_the_Cisco_Application_Control_Engine_Configuration_Example
Regards,
Siva -
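The two approaches the poster tried differ in who owns the sticky key. In learn mode the ACE watches the application's own Set-Cookie (JSESSIONID here) and records which rserver issued each value; in insert mode (`cookie insert`) the ACE adds a cookie of its own and keys on that. The model below is an added example, not code from the thread and not the ACE's implementation: it takes the rserver names ebsapp1/ebsapp2 from the EBS post earlier on this page, uses a constructed stand-in for the application, and generates random tokens rather than the ACE's cookie encoding.

```python
"""Cookie-based stickiness, learn mode vs insert mode (added example)."""
import secrets
from http.cookies import CookieError, SimpleCookie


def _cookie_value(header, name):
    """Extract one cookie's value from a Cookie or Set-Cookie header string.
    A malformed header from a client must not take the balancer down, so a
    parse error is treated as 'no cookie'."""
    jar = SimpleCookie()
    try:
        jar.load(header or "")
    except CookieError:
        return None
    morsel = jar.get(name)
    return morsel.value if morsel else None


class CookieStickyFarm:
    def __init__(self, rservers, cookie_name, insert=False):
        self.rservers = list(rservers)
        self.cookie_name = cookie_name
        self.insert = insert            # False: learn the server's cookie; True: add our own
        self.table = {}                 # cookie value -> rserver
        self._rr = 0

    def _round_robin(self):
        rs = self.rservers[self._rr % len(self.rservers)]
        self._rr += 1
        return rs

    def select(self, request_headers):
        """Return (rserver, sticky_hit) for a request."""
        value = _cookie_value(request_headers.get("Cookie"), self.cookie_name)
        if value is not None and value in self.table:
            return self.table[value], True
        return self._round_robin(), False           # unknown or missing cookie: predictor

    def proxy(self, request_headers, backend):
        """Forward a request and post-process the response like the sticky group would.
        'backend' is (rserver, request_headers) -> response dict; Set-Cookie is a list."""
        rserver, hit = self.select(request_headers)
        response = dict(backend(rserver, request_headers))
        set_cookies = list(response.get("Set-Cookie", []))
        if not self.insert:
            # learn mode: remember which rserver issued this session cookie
            for sc in set_cookies:
                value = _cookie_value(sc, self.cookie_name)
                if value is not None:
                    self.table[value] = rserver
        elif not hit:
            # insert mode: add an opaque cookie of our own next to the application's
            token = secrets.token_hex(8)
            self.table[token] = rserver
            set_cookies.append(f"{self.cookie_name}={token}; Path=/; HttpOnly")
        response["Set-Cookie"] = set_cookies
        return rserver, response


def fake_app_backend(rserver, request_headers):
    """Constructed stand-in for the application: issues a JSESSIONID when the
    request carries none, otherwise sets no cookie (like a servlet container)."""
    if _cookie_value(request_headers.get("Cookie"), "JSESSIONID") is not None:
        return {"Status": "200 OK", "Set-Cookie": []}
    sid = f"{secrets.token_hex(6)}.{rserver}"
    return {"Status": "200 OK", "Set-Cookie": [f"JSESSIONID={sid}; Path=/; HttpOnly"]}


def client_cookie_header(response):
    """What a browser sends back: the name=value pair from every Set-Cookie."""
    return "; ".join(sc.split(";", 1)[0] for sc in response.get("Set-Cookie", []))


def session_walkthrough(insert):
    """Two clients; returns the rserver chosen for each of five requests."""
    name = "ACE_STICKY" if insert else "JSESSIONID"
    farm = CookieStickyFarm(["ebsapp1", "ebsapp2"], name, insert=insert)
    rs1, resp1 = farm.proxy({}, fake_app_backend)                # client A, no cookie yet
    cookies = client_cookie_header(resp1)
    rs2, _ = farm.proxy({"Cookie": cookies}, fake_app_backend)   # client A returns
    rs3, _ = farm.proxy({"Cookie": cookies}, fake_app_backend)
    rs4, _ = farm.proxy({}, fake_app_backend)                    # client B, new session
    rs5, _ = farm.proxy({"Cookie": "JSESSIONID=forged"}, fake_app_backend)  # unknown value
    return rs1, rs2, rs3, rs4, rs5


if __name__ == "__main__":
    print("learn :", session_walkthrough(insert=False))
    print("insert:", session_walkthrough(insert=True))
```

Two things worth checking when the page stops rendering after stickiness is enabled: in learn mode the cookie name must match the application's exactly (the lookup is literal), and in insert mode the inserted name must not collide with a cookie the application already sets, otherwise the browser ends up with one value where two were expected. The EBS configuration earlier on this page inserts a cookie named jsessionid in front of an application that uses JSESSIONID, which is the kind of overlap to rule out. In both modes the table is keyed on a client-supplied value, so the cookie should be HttpOnly (and Secure on an HTTPS VIP); an unknown or forged value simply falls through to the predictor, as the last request in the walkthrough shows.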
Configuring ACE 4710 for Load Balancing Speech servers
Hello, I'm configuring ACE 4710's for the first time and I want to load balance my Nuance speech servers on port 554. Here's my configuration on ACE01:
hostname ace471001
interface gigabitEthernet 1/1
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown
access-list ALL line 8 extended permit ip any any
rserver host nss01
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
interface vlan 1000
  ip address 10.20.17.21 255.255.248.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
How would I configure my speech server to listen on 554?
Thanks in advance
Hello Reginald,
Currently you have only basic network configuration; there is no load balancing config.
I'm not sure what exactly you're asking about, but basically you need to have
- real servers configured on ACE (
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp999495)
- serverfarm configured on ACE (
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1014522)
- L7 policy map (
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1171109 ,
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027248 )
- L4 policy map , class-map (
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027819)
And then apply it on necessary interface.
This is a general configuration; in your specific case you may need to configure some additional features (e.g. I think you will need to have stickiness enabled,
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html but it depends on your application).
The links are for old config guides, but the basics are pretty much the same for all versions.
Please check them and try to narrow down your question a bit. -
ACE Configuration Issue.
We would like to configure the ACE like below:
the virtual IP address and port like this:
10.10.10.10:8000; this IP address will be used by outside users to request service
and we have to configure the server farm like below:
real servers 10.10.10.1:8001, 10.10.10.1:8002, 10.10.10.1:8003 ...
The IP address is the same in 10.10.10.10:8000's serverfarm, but the real server service is different, and these ports should be load balanced and health checked.
Is it a possible solution? On F5 BIG-IP and Nortel it is possible, but I don't know about the above issue on ACE.
If you are OK with it, could you give me a sample configuration?
page 2....
Also I forgot to tell you to
8. create resource-class
9. create context other than admin context if you need multiple contexts:
(inside context add resource class)
10. class map type management (for remote access)
as follows:
Kindly find some config sample as follows:
ACE/Admin# sh run
Generating configuration....
resource-class ABCD_Resource
  limit-resource all minimum 5.00 maximum unlimited
  limit-resource sticky minimum 5.00 maximum unlimited
boot system image:c4710ace-mz.A3_2_1.bin
hostname ACE
context Admin
  member ABCD_Resource
access-list everyone line 10 extended permit icmp any any
access-list everyone line 20 extended permit ip any any
access-list for-cap line 8 extended permit ip any any
probe http HTTP-Probe
  port 8000
  interval 2
  faildetect 2
  passdetect interval 15
  request method head
probe icmp ICMP-Probe
  interval 2
  faildetect 2
  passdetect interval 60
probe tcp TCP-8000
  port 8000
  interval 2
  faildetect 2
  passdetect interval 15
  passdetect count 2
  open 1
rserver host A
  ip address 10.10.10.1
  inservice
rserver host B
  ip address 10.10.10.2
  inservice
rserver host C
  ip address 10.10.10.3
  inservice
rserver host D
  ip address 10.10.10.4
  inservice
serverfarm host SF-8000-1
  probe ICMP-Probe
  probe TCP-8000
  rserver A 8000
    inservice
  rserver B 8000
    inservice
serverfarm host SF-8000-2
  probe HTTP-Probe
  probe ICMP-Probe
  probe TCP-8000
  rserver C 8000
    inservice
  rserver D 8000
    inservice
class-map match-all L4-CLASS-REDIRECT-1
  2 match virtual-address 10.10.60.10 tcp eq www
class-map match-all VIP-PORT-8000-1
  2 match virtual-address 10.10.60.10 tcp eq https
class-map match-all VIP-PORT-8000-2
  2 match virtual-address 10.10.60.12 tcp eq https
class-map type management match-any remote-mgmt
  10 match protocol ssh any
  20 match protocol telnet any
  30 match protocol icmp any
  40 match protocol http any
  50 match protocol https any
class-map match-any server-initiated
  3 match source-address 10.10.10.4 255.255.255.255
  4 match source-address 10.10.10.3 255.255.255.255
policy-map type management first-match remote-access
  class remote-mgmt
    permit
policy-map type loadbalance first-match VIP-POLICY-8000-1
  class class-default
policy-map multi-match Service-Policy-8000-1
  class VIP-PORT-8000-1
    loadbalance vip inservice
    loadbalance policy VIP-POLICY-8000-1
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 60
  class L4-CLASS-REDIRECT-1
    loadbalance vip inservice
    loadbalance policy VIP-POLICY-8000-1
policy-map multi-match Service-Policy-8000-2
  class VIP-PORT-8000-2
    loadbalance vip inservice
    loadbalance policy VIP-POLICY-8000-2
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 60
    ssl-proxy server SSL-Offload-Proxy-2
policy-map multi-match server-side
  class server-initiated
    nat dynamic 1 vlan 60
interface vlan 10
  description APPPROD-Client-Vlan
  bridge-group 10
  mtu 1500
  access-group input everyone
  access-group output everyone
  service-policy input remote-access
  no shutdown
interface vlan 30
  description management-vlan-interface
  ip address 10.10.30.22 255.255.255.0
  access-group input everyone
  access-group output everyone
  service-policy input remote-access
  no shutdown
continued page 3...... -
VIP : 10.10.10.10:8000
rserver server1
  ip address 10.10.10.1
serverfarm SFARM1
  rserver server1 8001
    probe Probe_8001
  rserver server2 8002
    probe Probe_8002
  rserver server3 8003
    probe Probe_8003
  rserver server4 8004
    probe Probe_8004
I would like to load balance on just one single IP address and multiple ports like
the above configuration on ACE. Is it a possible configuration? Please check.
Thank you.
OK, thank you for your response.
I picked up your configuration as follows:
rserver Server1
  ip address 10.10.10.1
  inservice
serverfarm Farm1
  rserver Server1 8001
    inservice
  rserver Server1 8002
    inservice
  rserver Server1 8003
    inservice
class-map match-all MyVip
  2 match virtual-address 10.10.10.10 tcp eq 8000
policy-map type loadbalance http first-match MyPolicy
  class class-default
    serverfarm Farm1
policy-map multi-match SLB
  class MyVip
    loadbalance policy MyPolicy
    loadbalance vip inservice
interface vlan X
  service-policy input SLB
I know that there is no problem configuring one real server with multiple service ports attached for SLB.
But I must health check each of the multiple ports, although it is one real server.
For example:
rserver Server1 8001
  probe probe_8001
  inservice
Is it working well?
Hi all,
I configured ACE in multi-context for failover. Then I configured the primary ACE using the GUI; after configuring the server farm I clicked DM sync and Sync All. Then I checked the secondary ACE to see whether the configuration is synced, but it is not synced with the secondary. What might be the problem?
Do a 'show ft group detail' and make sure you have config sync enabled:
"Running cfg sync enabled : Enabled"
If not, you need to turn it on.
Also check the status:
"Running cfg sync status "
Sometimes it is enabled but not working because files can't be synced, like SSL keys/certs or script probes.
Gilles. -
ACE SSL terminate not working ... please help
Hello, I configured a Cisco ACE 4710 with ssl-proxy and it is not working, but http://10.1.40.2 and http://10.1.40.3 are OK. When I put https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so I click "Continue to this website (not recommended)" and the ACE doesn't balance; the output shows the error "Internet Explorer cannot display the webpage".
The configuration:
ace-demo/Admin# sh run
Generating configuration....
boot system image:c4710ace-mz.A3_2_4.bin
boot system image:c4710ace-mz.A3_2_1.bin
login timeout 0
hostname ace-demo
interface gigabitEthernet 1/1
  channel-group 1
  no shutdown
interface gigabitEthernet 1/2
  channel-group 1
  no shutdown
interface gigabitEthernet 1/3
  channel-group 1
  no shutdown
interface gigabitEthernet 1/4
  channel-group 1
  no shutdown
interface port-channel 1
  switchport trunk allowed vlan 400-401,450
  no shutdown
crypto csr-params testparams
  country PE
  state Lima
  locality Lima
  organization-name TI
  organization-unit TI
  common-name www.yyy.com
  serial-number 1000
access-list anyone line 8 extended permit ip any any
access-list anyone line 16 extended permit icmp any any
parameter-map type ssl sslparams
  cipher RSA_WITH_RC4_128_MD5
  version SSL3
rserver host rsrv1
  ip address 10.1.40.2
  inservice
rserver host rsrv2
  ip address 10.1.40.3
  inservice
serverfarm host farm-demo
  rserver rsrv1
    inservice
  rserver rsrv2
    inservice
serverfarm host site-A
  rserver rsrv1
    inservice
serverfarm host site-B
  rserver rsrv2
    inservice
ssl-proxy service testssl
  key testkey.key
  cert testcert.pem
  ssl advanced-options sslparams
class-map type management match-any MGMT
  2 match protocol icmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol telnet any
  7 match protocol ssh any
class-map match-any VIP
  6 match virtual-address 10.1.41.10 any
class-map type generic match-any WAN-site-A
  2 match source-address 192.168.10.106 255.255.255.255
  3 match source-address 192.168.10.125 255.255.255.255
class-map type generic match-any WAN-site-B
  2 match source-address 192.168.10.96 255.255.255.255
  3 match source-address 192.168.10.93 255.255.255.255
class-map type management match-any icmp
  2 match protocol icmp any
class-map match-any vip-ssl-10.1.41.20
  2 match virtual-address 10.1.41.20 tcp eq https
policy-map type management first-match ICMP
  class icmp
    permit
policy-map type management first-match MGMT
  class MGMT
    permit
policy-map type loadbalance first-match vip-ssl-10.1.41.20
  class class-default
    serverfarm farm-demo
policy-map type loadbalance generic first-match lb-server
  class WAN-site-A
    serverfarm site-A
  class WAN-site-B
    serverfarm site-B
  class class-default
    serverfarm farm-demo
policy-map multi-match client-side
  class VIP
    loadbalance vip inservice
    loadbalance policy lb-server
policy-map multi-match lb-vip
  class vip-ssl-10.1.41.20
    loadbalance vip inservice
    loadbalance policy vip-ssl-10.1.41.20
    loadbalance vip icmp-reply
    ssl-proxy server testssl
interface vlan 400
  description side-server
  ip address 10.1.40.1 255.255.255.0
  access-group input anyone
  service-policy input ICMP
  no shutdown
interface vlan 401
  description side-client
  ip address 10.1.41.1 255.255.255.0
  access-group input anyone
  access-group output anyone
  service-policy input ICMP
  service-policy input client-side
  service-policy input lb-vip
  no shutdown
interface vlan 450
  description mgmt
  ip address 10.1.45.1 255.255.255.0
  access-group input anyone
  service-policy input MGMT
  no shutdown
ip route 192.168.10.0 255.255.255.0 10.1.45.10
And the proof:
ace-demo/Admin# sh serverfarm farm-demo
serverfarm     : farm-demo, type: HOST
total rservers : 2
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: rsrv1
       10.1.40.2:0           8      OPERATIONAL  0          25         19
   rserver: rsrv2
       10.1.40.3:0           8      OPERATIONAL  0          23         18
ace-demo/Admin# sh crypto files
Filename                                 File  File  Expor  Key/
                                         Size  Type  table  Cert
-----------------------------------------------------------------
admin                                    887   PEM   Yes    KEY
testcert.pem                             709   PEM   Yes    CERT
testkey.key                              497   PEM   Yes    KEY
ace-demo/Admin#
ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
Status : ACTIVE
Interface: vlan 1 401
service-policy: lb-vip
class: vip-ssl-10.1.41.20
ssl-proxy server: testssl
loadbalance:
L7 loadbalance policy: vip-ssl-10.1.41.20
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 38
dropped conns : 18
client pkt count : 159 , client byte count: 12576
server pkt count : 16 , server byte count: 640
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
in other time:
ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
Status : ACTIVE
Interface: vlan 1 401
service-policy: lb-vip
class: vip-ssl-10.1.41.20
ssl-proxy server: testssl
loadbalance:
L7 loadbalance policy: vip-ssl-10.1.41.20
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 170
dropped conns : 89
client pkt count : 703 , client byte count: 60089
server pkt count : 85 , server byte count: 3400
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
ace-demo/Admin#
ace-demo/Admin# sh stats crypto server
+----------------------------------------------+
+---- Crypto server termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 43
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 37
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
SSLv3 handshake failures: 6
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 0
TLSv1 failures during data phase: 0
Handshake Timeouts: 0
total transactions: 0
SSLv3 active connections: 0
SSLv3 connections in handshake phase: 0
SSLv3 conns in renegotiation phase: 0
SSLv3 connections in data phase: 0
TLSv1 active connections: 0
TLSv1 connections in handshake phase: 0
TLSv1 conns in renegotiation phase: 0
TLSv1 connections in data phase: 0
+----------------------------------------------+
+------- Crypto server alert statistics -------+
+----------------------------------------------+
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 6
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 47
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
+-----------------------------------------------+
+--- Crypto server authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL client authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
+-----------------------------------------------+
+------- Crypto server cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5: 43
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
ace-demo/Admin# crypto verify testkey.key testcert.pem
Keypair in testkey.key matches certificate in testcert.pem.
ace-demo/Admin#
ace-demo/Admin# sh conn
total current connections : 0
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+

Hello Alvaro,
The issue here is that your config is missing the clear text port the ACE should use to send the traffic to the backend servers; in this case port 80.
Remove the rservers from the SF "farm-demo" and then configure them back like this:
serverfarm host farm-demo
  rserver rsrv1 80
    inservice
  rserver rsrv2 80
    inservice
That should do the trick =)
HTH
Pablo
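The "proof" outputs above carry more than the missing backend port. `sh stats crypto server` shows that every successful handshake on the VIP was SSLv3 (43) and none was TLSv1, that the only cipher ever negotiated was sslv3_rsa_rc4_128_md5, that the ACE sent 47 PROTOCOL_VERSION alerts (it refused the protocol version those clients offered), and that 6 clients sent CERTIFICATE_UNKNOWN, i.e. they did not trust testcert.pem. `sh service-policy` shows 89 of 170 VIP hits dropped, and `sh serverfarm` shows both rservers OPERATIONAL (the probe passes) while most of their connections fail, which is what pointed Pablo at the clear-text port. The script below is an added example, not part of the thread or of Cisco's tooling: it parses excerpts of those three outputs and raises the findings a reviewer would want flagged. The thresholds (25% VIP drop rate, 50% rserver failure rate) and the list of weak-cipher markers are the example's own assumptions; the page does not show the ssl-proxy parameter map, so why TLSv1 is never negotiated cannot be determined from it.

```python
import re
from typing import Dict, List

# Counters excerpted from the `sh stats crypto server` output posted above.
CRYPTO_STATS = """\
SSLv3 negotiated protocol: 43
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 37
SSLv3 handshake failures: 6
TLSv1 handshake failures: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 6
SSL alert PROTOCOL_VERSION sent: 47
Cipher sslv3_rsa_rc4_128_md5: 43
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
"""

# Counters excerpted from the second `sh service-policy lb-vip class-map vip-ssl-10.1.41.20` run.
VIP_STATS = """\
curr conns : 0 , hit count : 170
dropped conns : 89
"""

# Rows excerpted from `sh serverfarm farm-demo`.
FARM_STATS = """\
rserver: rsrv1
10.1.40.2:0 8 OPERATIONAL 0 25 19
rserver: rsrv2
10.1.40.3:0 8 OPERATIONAL 0 23 18
"""

COUNTER_RE = re.compile(r"^\s*(?P<name>[^:,]+?)\s*:\s*(?P<value>\d+)\s*$")
ROW_RE = re.compile(
    r"^(?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)\s+(?P<weight>\d+)\s+(?P<state>\S+)"
    r"\s+(?P<current>\d+)\s+(?P<total>\d+)\s+(?P<failures>\d+)$"
)
# Cipher-name fragments marking RC4, single DES, export-grade and MD5-MAC suites (assumed list).
WEAK_CIPHER_MARKERS = ("_rc4_", "_des_cbc", "_exp", "_md5")


def parse_counters(text: str) -> Dict[str, int]:
    """Parse 'name : value' counters; ACE packs several per line, separated by commas."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        for field in line.split(","):
            m = COUNTER_RE.match(field)
            if m:
                counters[m.group("name")] = int(m.group("value"))
    return counters


def parse_farm(text: str) -> List[dict]:
    """Parse `sh serverfarm` rows: each 'rserver: NAME' line is followed by that rserver's stats row."""
    rows: List[dict] = []
    name = None
    for line in text.splitlines():
        if line.startswith("rserver:"):
            name = line.split(":", 1)[1].strip()
            continue
        m = ROW_RE.match(line.strip())
        if m and name:
            row = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
            row["name"] = name
            rows.append(row)
    return rows


def audit(crypto: Dict[str, int], vip: Dict[str, int], farm: List[dict]) -> List[str]:
    """Return 'code: detail' findings a reviewer would raise from the three outputs."""
    findings: List[str] = []
    ssl3 = crypto.get("SSLv3 negotiated protocol", 0)
    tls1 = crypto.get("TLSv1 negotiated protocol", 0)
    if ssl3 and not tls1:
        findings.append(f"ssl3-only: {ssl3} handshakes negotiated SSLv3, none negotiated TLSv1")
    pv = crypto.get("SSL alert PROTOCOL_VERSION sent", 0)
    if pv:
        findings.append(f"protocol-version-rejects: ACE sent {pv} PROTOCOL_VERSION alerts (client-offered version refused)")
    cu = crypto.get("SSL alert CERTIFICATE_UNKNOWN rcvd", 0)
    if cu:
        findings.append(f"cert-rejected-by-clients: {cu} clients aborted after seeing the server certificate")
    weak = [k for k, v in crypto.items()
            if k.startswith("Cipher ") and v and any(mk in k for mk in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak-cipher: " + ", ".join(k.split(" ", 1)[1] for k in weak))
    hits, dropped = vip.get("hit count", 0), vip.get("dropped conns", 0)
    if hits and dropped / hits >= 0.25:
        findings.append(f"vip-drop-rate: {dropped}/{hits} connections to the VIP were dropped")
    for r in farm:
        # Probe passing (OPERATIONAL) while connections fail points at the backend port/protocol, not health.
        if r["state"] == "OPERATIONAL" and r["total"] and r["failures"] / r["total"] >= 0.5:
            findings.append(f"backend-failures: {r['name']} ({r['ip']}:{r['port']}) failed "
                            f"{r['failures']} of {r['total']} connections while OPERATIONAL")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_counters(CRYPTO_STATS), parse_counters(VIP_STATS), parse_farm(FARM_STATS)):
        print(finding)
```

Run against the excerpts it prints seven findings: SSLv3-only, protocol-version rejects, certificate rejected by clients, the RC4/MD5 cipher, the VIP drop rate, and the failure rate on each rserver. Fixing the rserver port clears the last three; the first four are the SSL termination settings and the test certificate, which the thread does not go into.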
ACE in Direct Server Return mode not working as expected
Dear all,
I configured my ACE as I found it here:
https://supportforums.cisco.com/docs/DOC-22555
The VIP is working, that means I can ping it, routing is working, etc.
I created a loopback on the Win2012 server with the IP of the VIP. When I now try to test the LB with telnet on port 25, e.g., it is not working. Directly on the server it works, and it also worked in my last deployment where I used SNAT/PAT. But we want the real client IPs visible on the Exchange server.
Where is my problem? Any ideas would be great.
rserver host YY
  description AServer-1
  ip address 10.1.x.2
  inservice
rserver host XX
  description AServer-2
  ip address 10.1.x.3
  inservice
serverfarm host Mail
  description Mail
  transparent
  predictor leastconns
  rserver AServer-1
    inservice
  rserver AServer-2
sticky ip-netmask 255.255.255.255 address both Mail
  timeout 5
  replicate sticky
  serverfarm Mail
class-map match-all Exchange_ALL
  2 match virtual-address 192.168.1.1 any
class-map type management match-any remote_access
  2 match protocol xml-https source-address 10.a.b.0 255.255.255.0
  3 match protocol icmp source-address 10.a.b.0 255.255.255.0
  5 match protocol ssh source-address 10.a.b.0 255.255.255.0
  7 match protocol https source-address 10.a.b.0 255.255.255.0
  8 match protocol snmp source-address 10.a.b.0 255.255.255.0
  9 match protocol xml-https source-address 10.d.e.1 255.255.255.255
  10 match protocol icmp source-address 10.d.e.1 255.255.255.255
  11 match protocol ssh source-address 10.d.e.1 255.255.255.255
  12 match protocol https source-address 10.d.e.1 255.255.255.255
  13 match protocol snmp source-address 10.d.e.1 255.255.255.255
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match mail
  class class-default
    sticky-serverfarm Mail
policy-map multi-match VLAN20
  class Exchange_ALL
    loadbalance vip inservice
    loadbalance policy mail
    loadbalance vip icmp-reply
interface vlan 2
  ip address 10.a.b.2 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 20
  description Server
  ip address 10.1.x.20 255.255.255.0
  peer ip address 10.1.x.30 255.255.255.0
  no normalization
  access-group input ALL
  service-policy input VLAN20
  no shutdown
ft interface vlan 4
  ip address 10.f.g.2 255.255.255.252
  peer ip address 10.f.g.1 255.255.255.252
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 4
ft group 1
  peer 1
  associate-context Admin
  inservice
ip route 10.d.e.0 255.255.255.255 10.1.x.1
ip route 0.0.0.0 0.0.0.0 10.a.b.1

Oh, I see. Very interesting indeed!
Do you get the BAD CHECKSUM and IP CHECKSUM OFFLOAD on the remote sites?
It could be this that is the problem. I read this and it seems as though it causes disconnects just as you experience too.
Or just disable it; it worked for some here, but others had to upgrade the NIC drivers:
http://www.techsupportforum.com/forums/f137/wireshark-question-tcp-checksum-offload-248812.html
1. Open Device manager (right click "Computer" and click "Manage")
2. Click on "Device Manager"
3. Expand "Network Adapters"
4. Right click your network adapter
5. click "properties"
6. click the tab named "Advanced"
7. Find "IP Checksum Offload" and click it
8. Put the value to the right to "Disabled"
9. Find "TCP Checksum Offload (IPvX)"
10. Set the value to the right to "Disabled"
The Wiki Wireshark article had this:
In Windows, go to Control Panel->Network and Internet Connections->Network Connections, right click the connection to change and choose 'Properties'. Press the 'Configure...' button, choose the 'Advanced' tab to see or modify the "Offload Transmit TCP Checksum" and "Offload Receive TCP Checksum" values.
It seems like a server side issue rather than Load Balancer problem.
Hope this helps
Please rate useful posts and remember to mark any solved questions as answered. Thank you.
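The "BAD CHECKSUM" annotation the reply asks about is what a capture taken on the sending host shows when checksum offload is on: the stack hands the NIC a frame whose IP and TCP checksum fields are still placeholders, and the NIC fills them in after the point where the capture driver sees the packet. The same bad checksum seen off-host (a SPAN port, or a capture on the ACE side) is real. The script below is an added example, not part of the thread or of any vendor tool: it builds a TCP SYN to port 25, verifies the RFC 1071 checksums the way a capture tool does, and classifies a failed check by where the capture was taken. The addresses are RFC 5737 documentation addresses, and the offloaded variant leaves a zero placeholder in the checksum fields as a stand-in for whatever the real stack leaves there (an assumption; stacks commonly leave a partial pseudo-header sum, which fails verification just the same).

```python
import socket
import struct

PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """Fold 16-bit big-endian words into a one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """Checksum value to place in a header whose checksum field is currently zero."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return src + dst + struct.pack("!BBH", 0, PROTO_TCP, tcp_len)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, offloaded: bool) -> bytes:
    """IPv4 + TCP SYN. With offloaded=True the checksum fields stay at the placeholder value 0
    (assumed stand-in for what the stack leaves for the NIC to fill in)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    if not offloaded:
        tcp_sum = internet_checksum(tcp_pseudo_header(src, dst, len(tcp)) + tcp)
        tcp = tcp[:16] + struct.pack("!H", tcp_sum) + tcp[18:]
    # ver/ihl, tos, total length, id, flags/frag (DF), ttl, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, PROTO_TCP, 0, src, dst)
    if not offloaded:
        ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp


def verify_checksums(packet: bytes) -> dict:
    """A header with a correct checksum sums to 0xFFFF when the checksum field is included."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp = packet[:ihl], packet[ihl:]
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    return {
        "ip_ok": ones_complement_sum(ip_hdr) == 0xFFFF,
        "tcp_ok": ones_complement_sum(tcp_pseudo_header(src, dst, len(tcp)) + tcp) == 0xFFFF,
    }


def classify(packet: bytes, captured_on_sender: bool) -> str:
    """'ok', 'offload-artifact' (bad sums seen on the sending host) or 'bad-checksum' (seen off-host)."""
    result = verify_checksums(packet)
    if result["ip_ok"] and result["tcp_ok"]:
        return "ok"
    return "offload-artifact" if captured_on_sender else "bad-checksum"


if __name__ == "__main__":
    good = build_syn("192.0.2.10", "203.0.113.1", 40000, 25, offloaded=False)
    offloaded = build_syn("192.0.2.10", "203.0.113.1", 40000, 25, offloaded=True)
    print("wire frame:", classify(good, captured_on_sender=False))
    print("same SYN captured on the sender with offload:", classify(offloaded, captured_on_sender=True))
    print("placeholder sums seen off-host:", classify(offloaded, captured_on_sender=False))
```

The practical rule this encodes: disabling offload on the Exchange host mainly makes captures taken on that host look clean. To decide whether the SMTP session to the VIP is actually breaking, capture where the NIC has already filled the checksums (a SPAN of the server port or the ACE-side VLAN) and treat a bad checksum there as a real defect.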