Load balance 2 xDSL VPN from 2821 to PIX515e ?

I have a PIX515e terminating IPSEC tunnels from what is usually Draytek Vigor routers. I have a requirement to load balance across 2 (or more) ADSL circuits and I have a 2821 router available for the remote end. My question is, is it possible to load balance across these 2 circuits? Would this involve establishing 2 separate tunnels with the PIX? I have seen enough to suggest that load balancing across the circuits on a 2821 may be possible, but I am not sure whether the PIX can do this, and if so, how? Any suggestions?

In addition to being an excellent primary WAN link, the cable HWICs are well suited for use as a secondary WAN link for businesses of all sizes. This secondary link can be used to offload Web traffic directly to the Internet, provide a redundant option for a primary link in case of failure, or provide load balancing with an xDSL or other type of WAN link.
Increasingly, Internet connectivity is crucial to a branch or small business employee's productivity. However, as more streaming media and rich content is placed on the Web, the WAN bandwidth requirements to provide this connectivity continue to grow. In the case of a branch office, as shown in Figure 2, using Policy-Based Routing, all HTTP (Port 80) traffic can be diverted from a primary low-bandwidth link to the DOCSIS link to minimize the amount of traffic being routed back to corporate headquarters. The ISRs can optionally provide end-to-end security with advanced firewall, intrusion prevention, and URL filtering capabilities to help ensure security and proper usage of the Internet.

Similar Messages

  • Load balancing 10g forms - Connection from new browser window not supported

    We're experimenting with using webcache to load balance between multiple applications servers running OC4J forms processes.
    We currently have one machine with infrastructure and mid-tier (BI & Forms) installed, which is being used for the webcache functionality; this is load balancing between 2 other servers, each of which just has the mid-tier (BI & Forms) installation.
    In order to get this to work, I had to follow the instructions in the Forms deployment guide : http://download-uk.oracle.com/docs/cd/B14099_11/web.1012/b14032/tuning.htm#sthref707
    The main gist of this is that you need to set the following in the orion-web.xml file in order that the sessions are maintained:
    <session-tracking
    cookies="enabled">
    </session-tracking>
    This all works fine in most cases.
    The problem I am having is if I do one of the following on the client machine:
    1) From IE6 / IE7 run a copy of a forms application. Then open a new window using the "New Window" menu option, and attempt to run another forms application.
    2) In IE7 or Firefox 2.0 open a copy of the forms application, and then open a new tab and try and open another forms application.
    If I try either of these I get a FRM-92101 error, and the following is displayed in the java console:
    oracle.forms.net.ConnectionException: Connection from new browser window not supported
    From trawling various forums (including metalink and otn) it looks like a problem with the way cookies are handled.
    Unfortunately the usual workaround is to ensure that the session tracking option in the orion-web.xml file is disabled.
    The problem is that I need this enabled in order for the load balancing to work.
    Does anyone know of any other workarounds or patches that might help resolve this?
    We're using Application server 10.1.2.0.2 running on windows 2003 servers.

    You were right. Carriage returns were stopping it from working (the document is laid out over separate lines, so I assumed it would make no difference...).
    I've now managed to get it so the forms at least run, but they are all being run in the forms OC4J instance on the same machine as the OHS.
    Has anyone actually managed to get this to work, or am I doing something wrong?
    I did wonder if using an OHS instance on a machine with no forms installation would make any difference?
    I had raised a support call via metalink on this subject, but they eventually came to the conclusion that the only way to do this is with a hardware load balancer (Despite several documents suggesting that webcache is the way to go (including the forms deployment manual)).
    I'm at the point now of giving up and writing some custom scripts to do the job instead...

  • Two active active ISPs with load balancing, publishing and VPN connection

    Hi,
    I wonder how to enable a scenario where I have to use two ISPs to share 30/70 load on our internet traffic, have to configure almost 60 internal websites already published using Microsoft TMG firewall, and connect client VPN connections and site-to-site VPN connections. I know that the ASA firewall has limitations when using security contexts. Is there a good idea for how to achieve this goal?
    I previously tried connecting four sites running ASA devices with this fifth site running Microsoft TMG firewall, but I was able to connect only two ASA firewalls using site-to-site VPN. I was able to connect the remaining two as well, but the last two were not able to access ASA-TMG resources. Furthermore, the behaviour of the two ASA-TMG connected sites was strange: sometimes I was not able to access cross-site resources from one machine but was able to do so from another machine.
    I noticed that two of the ASA sites connected with the TMG site have a different internal IP class (e.g. site one 192.168.0.* and site two using 172.16.*.*) while the remaining two have the same class as the first site, e.g. 192.168.128.* and 192.168.100.*
    Does anyone have experience connecting TMG-ASA with multiple sites within the same IP class scenario?
    OR
    How to enable same features using Cisco devices as they are on a single Microsoft TMG?
    Best,
    Saulat (Contact# 0092-321-4025587)

    Saulat,
    You can load balance between the two ISPs. That is not possible. But, we do have some options that I have discussed here:
    Hope the above link gives you some ideas to utilize both your ISP links.
    -Kureli

  • Load Balancing on 3020 VPN concentrator

    I am trying to configure load balancing on two 3020 concentrators. When I configured it, I keep getting the following messages
    LBSSF received GRAT-ARP from duplicate master[0003a08ab42b]
    6167 12/04/2007 16:15:15.240 SEV=3 LBSSF/85 RPT=527
    LBSSF detected duplicate master[0003a08ab42b] and staying MASTER
    6168 12/04/2007 16:15:18.450 SEV=4 LBSSF/49 RPT=529
    LBSSF process dead peer[x.x.x.x (IP address of the secondary box)]
    Does anyone know what is causing this?

    Probably you have an IP address conflict on the net.

  • CSS11000 Load Balance over two VPN connections?

    Is it possible to have a CSS11000 in a local site perform load balancing and fail over to two different destinations on the internet that require a VPN connection. The VPN will be a router to router VPN using 7206s.
    Bruce

    Hello Bruce !
    CSS is designed to handle TCP- and UDP-based traffic, not IPSec. When handling IPSec traffic, the Content Switching Module (CSM) inside the Catalyst 6500 series is recommended for that purpose.
    More info:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/csm/index.htm
    - Tomi

  • Load Balance & redundancy for internet from 2 different sites?

    Hi,
    we have 2 core sites where our servers are situated. Both sites are connected via a ptp link.
    All of our clients/sites reach these two sites via our MPLS network and they never route via the ptp link which is solely used between the two core sites.
    One of the sites has an ASA which goes out to our internet. We are thinking of replicating this on our other site.
    How would we go about load balancing the internet connection ie 50% go out on site A & 50% go out on site B?
    And if site A goes down, everything goes out via site B and vice versa?
    Diagram attached....
    Thank you,
    Louis

    Hi Louis, you could set default routes on the ASAs with tracking, and use OSPF downstream to inject the default route into the network with default-information originate - this will only advertise a default route if it has it in the routing table. With SLA you can track internet reachability by IP SLA echo to something like 8.8.8.8. Both sides can advertise this into the network; if one goes then there is one left. Just be mindful of the policies and NAT required, you will have to duplicate the rules on the ASAs. With the NAT you have to ensure that outgoing traffic comes back in the same path it left so it doesn't break connections.

  • VPN load balance

    1, Configuration
    Two VPN concentrator 3000, VPN client 4.0. The concentrators directly connect to the Internet and internal LAN.
    2, Question
    a) Do the two concentrators have to be configured exactly the same (rules, filters) prior to enabling the load balance cluster? Or can the secondary one download the configuration from the master?
    b)Can virtual ip address in cluster be all 0s?
    Thanks in advance!

    Hi
    While enabling load balancing on your VPN boxes you need to configure them to have identical configurations, as you said: the rules on both private and public interfaces as well as the filters on them.
    The IP addressing part also needs to be taken care of on both the private and public interfaces; also the cluster group IP should be the same on both devices.
    Also refer to this link for more info:
    http://cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094b4a.shtml
    regds

  • Report server Load balancing

    short description of the setup:
    2 hosts running report services, say reportsvc_1, reportsvc_2, in the same subnet.
    reports are called using run_report_object from within oracle forms.
    Is there any mechanism that these two hosts can share the load, load balanced. I know run_report_object requires report service name in order to run.
    what other mechanism can be used to load balance report requests initiated from oracle forms.
    Thanx

    You will need a virtual server between the app server and report server. Something like this:
    App server
    ....|
    ....|
    ....^ - virtual IP server
    .|.....|
    R1..R2 - report servers
    The virtual IP server accepts the call from the app server and rotates which 'back end' report server per call. It is a crude, round-robin solution, but it works relatively well. You have to hope that every-other report isn't rough on the server.

  • Internal load balance ilb on ServiceConfiguration LoadBalancers

    Hi everybody, I try to setup an internal load balancer using this configuration:
    from cscfg:
    <NetworkConfiguration>
     <VirtualNetworkSite name="WE" />
     <AddressAssignments>
      <InstanceAddress roleName="Role1">
       <Subnets>
        <Subnet name="WE_WWW" />
       </Subnets>
      </InstanceAddress>
      <InstanceAddress roleName="Role">
       <Subnets>
        <Subnet name="WE_SERVICE" />
       </Subnets>
      </InstanceAddress>
     </AddressAssignments>
     <LoadBalancers>
      <LoadBalancer name="WEB_ILB">
       <FrontendIPConfiguration type="private" subnet="WE_WWW" staticVirtualNetworkIPAddress="192.168.1.5" />
      </LoadBalancer>
      <LoadBalancer name="API_ILB">
       <FrontendIPConfiguration type="private" subnet="WE_SERVICE" staticVirtualNetworkIPAddress="192.168.2.5" />
      </LoadBalancer>
     </LoadBalancers>
    </NetworkConfiguration>
    from csdef:
    <WebRole name="Role1" vmsize="Small">
     <Sites>
      <Site name="Web">
       <Bindings>
        <Binding name="httpIn" endpointName="httpIn" />
        <Binding name="httpsIn" endpointName="httpsIn" />
       </Bindings>
      </Site>
     </Sites>
     <Endpoints>
      <InputEndpoint name="httpIn" protocol="http" port="80" loadBalancer="WEBILB" />
      <InputEndpoint name="httpsIn" protocol="https" port="443" certificate="Valuta" />
     </Endpoints>
     <Imports>
      <Import moduleName="Diagnostics" />
      <Import moduleName="RemoteAccess" />
      <Import moduleName="RemoteForwarder" />
     </Imports>
     <Certificates>
      <Certificate name="Valuta" storeLocation="LocalMachine" storeName="CA" />
     </Certificates>
    </WebRole>
    <WebRole name="Role2" vmsize="Small">
     <Sites>
      <Site name="Web">
       <Bindings>
        <Binding name="httpIn" endpointName="httpIn" />
       </Bindings>
      </Site>
     </Sites>
     <Endpoints>
      <InputEndpoint name="httpIn" protocol="http" port="8080" loadBalancer="APIILB" />
     </Endpoints>
     <Imports>
      <Import moduleName="Diagnostics" />
      <Import moduleName="RemoteAccess" />
     </Imports>
    </WebRole>
    as you can see I have two webroles linked to a vnet:
    Role1 has two input endpoint: https and http (the one I want to "internal" load balance)
    Role2 has only an http input endpoint (again the one I want to "internal" load balance)
    and I try to configure an internal loadbalancer (see here:
    vs2013-update3)
    When I try to deploy the package I receive this error:
    Error: The specified configuration settings for Settings are invalid. Verify that the service configuration file is a valid XML file, and that role instance counts are specified as positive integers.  Http Status Code: BadRequest  OperationId:
    874024071e88327f8cb73c16f15f3ac2
    I'm sure it depends on the ilb configuration because when I remove it the deploy succeeds...
    Has anybody tried something like this?
    Thanks,
    Simone

    I've found a solution by myself with the help of a friend (Sandro Vecchiarelli): the "problem" is that I try to set up two load balancers in one cloud service. Trying with only one works correctly; the error probably is a schema validation and I really don't know if the error is in the "client" schema that allows me to configure more than one ILB (note the node name LoadBalancers... it's plural...) or online (the one on Azure).
    By the way... at the moment use just one ILB per cloud service.
    Hope this helps.

  • User restriction on load balance VIP

    We need to implement the below requirements. Can anyone suggest how to implement them?
    1.Sticky command
    Once a connection is opened to a physical server, any requests coming from a particular client always go to that server, until either the timeout is reached or the user session is terminated
    2.Client-assigned load balancing
    All requests coming from a specific client always go to the same physical server. This is done through recognition of the client’s IP address.
    3.User session restrictions
    User name / IP session restriction based on parameter values(ie only 1 user can login at a time).
    Please find the below config
    service test1
    ip address 10.8.1.25
    protocol tcp
    keepalive type http
    keepalive port 80
    active
    service test2
    ip address 10.8.1.26
    protocol tcp
    keepalive type http
    keepalive port 80
    active
    content DSS-R1
    protocol tcp
    vip address 10.8.1.1
    port 80
    advanced-balance sticky-srcip-dstport
    add service test1
    add service test2
    active
    Please suggest how to implement all three points, whereas point 3 is very crucial & urgent.

    1/ is done with the advanced-balance command.
    I would suggest to replace the current one with 'advanced-balance sticky-srcip' since the destination port is always 80 [per config].
    2/ you can force a client to go to a particular server with an acl and the prefer option.
    ie:
    acl 1
    clause 10 permit tcp x.x.x.x destination content owner/DSS-R1 prefer test1
    clause 99 permit any any destination any
    apply all
    acl enable
    3/ we will need more details.
    Not much can be done so, because the CSS only counts active connections.
    So, you can restrict 1 user at a time with the command 'maxconn 1' but I'm not sure if it will help.
    You should test it first and see if it does what you need.
    Regards,
    Gilles.

  • FCoE Load balance question on 7k and 5k

    Hi,
    Let me start from the basic step to verify the fundamentals. Does the FCoE storage load balance SID/DID refer to source-dest-mac or source-dest-ip in the 5k?
    Can the PO load balance be specified exclusively for the storage VDC only? Currently, the load balance is configurable only from the default VDC. This being the case, is there a way to achieve this as storage VDC specific?
    Thanks,
    Damodaran


  • Portal Drive not working with external load balancer

    Hi,
    We have a portal cluster and we are using external Load balancer from
    Juniper for load balancing the portal cluster. When given the direct
    portal URL (Central instance URL or Dialog instance URL), Portal Drive
    is able to connect to portal and shows the KM documents properly. But
    when given the Load balancer URL, it gives error saying "Can
    not connect to host using WebDAV protocol". Load balancer URL works
    fine from the browser without any problems. Any help is highly appreciated.
    Helpful points will be rewarded.
    Regards,
    Chandra

    Hi Steve,
    For Portal Drive, Windows integrated authentication, client certificates, basic authentication and Kerberos are supported.
    (In the default delivery of the com.sap.km.cm.docs iview the authentication scheme is set to basicauthentication - switching that to form-based authentication is not supported by WebDAV clients.)
    Also, Integrated Windows Authentication (NTLM) has now been made available with the latest patch.
    Also read through SAP NOTE 1084683 for further clarifications.
    Regards,
    Shailesh

  • Howto load balancing

    Hi
    Using Dell 2U servers running FreeBSD 6, we are very excited to get some new Xserves for our web needs.
    We plan to buy 2 Xserves for sharing performance for a huge website, and an Xserve RAID.
    As MySQL can be master-master replicated on its own, we only want to balance network load coming from the internet. What do you suggest to buy in front of the 2 Xserves? How to sync files between the 2 Xserves but with manual rsyncs?
    Thank you for your tips
    PowerBook 12" + MacBook rev1   Mac OS X (10.4.8)   Airport Express / 23" Cinema Display / Freebox

    What kind of traffic levels are you planning for?
    There are various load balancing techniques around ranging from the free to the very expensive, and the inefficient to the highly effective.
    At the lowest end of the scale is simple round-robin DNS. You configure your site's address with two IP addresses and the DNS server alternates between the answers. This gives you a crude load balancing option - there's no direct control over which server gets the traffic, levels may be uneven and, worst of all, there's no redundancy in case one server is down - the DNS server will continue to hand out its IP address. Its advantage, though, is that it's free.
    Moving up the scale a little there are various Linux based solutions that can do simple load balancing through its IPTables (or ipchains in older distributions).
    I've never used them, so I don't know how effective they are.
    At the top end of the scale are load balancing appliances such as those from F5, Cisco, NetScaler and others.
    These move up the price chain a fair way but offer far more features, server health monitoring (to make sure the server is able to service the request), advanced load balancing rules to decide which server should handle the request, and multi-gigabit per second throughput.
    If you just have a couple of servers, the appliance path may be overkill, although if you expect to grow then it may be something worth considering.
    As for the replication question, there are many ways of doing that. At its simplest level, rsync can replicate a directory or filesystem using an efficient protocol that just transfers the differences. It's included in Mac OS X and the man page gives examples of its use.

  • Server Farm load balance

    Is it possible to load balance servers that reside from the server side and the request comes from the server farm??

    Hello,
    Yes, you can, but you may need a nat-pool to have the response going back to the ACE. Please send me the running-config or showtech of the Context and let me know the VIP with this issue.

  • Safari cannot load balance with https

    I am a developer for a web site which runs ASP.NET pages on Windows Server 2003, IIS 6.0. We use Basic Authentication and HTTPS.
    We are using a load balancing solution to distribute the load to 4 web servers.
    We have been using this setup for over 5 years with IE and Firefox/Mozilla/Netscape browsers.
    Recently I have been asked to make Safari browsers work with our site ... MAC, Windows and iPhone versions.
    On all 3 platforms I am seeing the same problem ...
    The load balancer uses the SSL 3.0 Session ID to determine if the requests to the site are coming from the same client (browser) and thus will ensure that all requests from that browser go to the same web server.
    This works fine with IE, Firefox ... it does not work with any version of Safari. When the load balancer gets a request from a single Safari browser session, it sends the requests to multiple servers, causing issues with the pages returned.
    If I run Safari with an HTTP debugger ... like Fiddler (where it uses a proxy server) ... Safari works fine.
    Some questions:
    1. Does Safari expose the SSL 3.0 session id in the same manner as the other browsers ... i.e. an un-encrypted version of the header.
    2. Does Safari send many concurrent requests? Firefox and IE limit concurrent requests to 2.
    3. Could Safari be timing out its SSL 3.0 session id frequently or quickly?
    4. Is there a reason Safari does not send the http Basic Authentication header with every request once it authenticates with a particular realm?
    5. Are there any other possible causes of this problem?
    What do you think?

    Thank you for your reply.
    The session server id is being maintained by Safari and when the connections are kept on a single server (like when I use Fiddler's proxy to connect) it works fine.
    The SSL 3.0 Session ID is part of the SSL handshake which is used to establish an https connection. It is established between the browser and the web server as part of encrypting the traffic.
    As I understand it ... part of the SSL 3.0 protocol is to include an un-encrypted header along with the encrypted data.
    Our load balancing software is using a portion of this header (as it is un-encrypted and thus it can read it) to establish when requests are coming from the same web browser. This is the SSL Session ID.
    If the Session ID is the same, it will send all traffic to the same web server ... as it knows it is the same web browser.
    The problem arises in that the load balancer is not able to identify requests from the same Safari browser as part of the same secure session.
    So I am trying to understand what Safari is doing within the SSL header ... as it is not normally visible to standard web debugging tools ... they only show the http headers.
    Unfortunately I cannot easily change out the load balancing software or change it to use session state ids. I am trying to understand how Safari handles this to determine strategies to resolve this issue ... and thus allow my client base to use their Safari browsers to access our service.
    What do you think?
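
An added example, not part of the original posts: the session ID travels in cleartext in the SSL 3.0 ClientHello, and a balancer that keys stickiness on it loses track of any client that opens a connection without offering a known ID. The record bytes, server names and `SessionIdBalancer` class are constructed for illustration, and `learn()` stands in for the balancer reading the ID the server assigns in its ServerHello.

```python
import struct
from itertools import cycle

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01


def build_client_hello(session_id: bytes, version=(3, 0)) -> bytes:
    """Constructed sample: minimal SSL 3.0 ClientHello record, no extensions."""
    body = bytes(version) + bytes(32)              # client_version + random (zeros here)
    body += bytes([len(session_id)]) + session_id  # session_id, 0..32 bytes, cleartext
    body += struct.pack("!H", 2) + b"\x00\x0a"     # a single cipher suite
    body += b"\x01\x00"                            # null compression only
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, *version]) + struct.pack("!H", len(hs)) + hs


def parse_session_id(record: bytes) -> bytes:
    """Return the session_id of a ClientHello; raise ValueError otherwise."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or len(body) < 35:    # version(2) + random(32) + length(1)
        raise ValueError("truncated ClientHello")
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len:
        raise ValueError("bad session_id length")
    return body[35:35 + sid_len]


class SessionIdBalancer:
    """Hypothetical balancer: sticky on session ID, round-robin otherwise."""

    def __init__(self, servers):
        self._next = cycle(servers)
        self.table = {}                            # session_id -> server

    def learn(self, session_id: bytes, server: str) -> None:
        # Simplification: models the balancer seeing the server-assigned ID.
        self.table[session_id] = server

    def route(self, record: bytes) -> str:
        sid = parse_session_id(record)
        if sid and sid in self.table:
            return self.table[sid]                 # resumed session: stay put
        return next(self._next)                    # empty/unknown ID: no stickiness


def demo():
    lb = SessionIdBalancer(["web1", "web2", "web3", "web4"])
    sid = bytes(range(32))                         # constructed 32-byte session ID
    first = lb.route(build_client_hello(b""))      # brand-new session
    lb.learn(sid, first)
    resumed = [lb.route(build_client_hello(sid)) for _ in range(3)]
    fresh = [lb.route(build_client_hello(b"")) for _ in range(3)]
    return first, resumed, fresh
```

Connections that resume the learned ID all land on one server, while connections that each start a new session are spread across the farm, which is the symptom described in the post.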
