Load balance LDAP with the CSS 501

I'm trying to set up a content rule to test load balancing LDAP traffic via the CSS but it doesn't seem to be working. Here's my configuration:
service 10.125.5.56:389
  ip address 10.125.5.56
  protocol tcp
  port 389
  keepalive type script ap-kal-ldap "10.125.5.56"
  active

content test-ldap:389
  vip address 10.124.155.50
  add service 10.125.5.56:389
  protocol tcp
  balance aca
  port 389
  advanced-balance sticky-srcip-dstport
  active

Anything I'm doing wrong? I see somebody posted a similar issue but doesn't seem like a solution was provided (see below):
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=Application%20Networking&topicID=.ee7814f&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dda3585/2

What's the issue?
Get a sniffer trace simultaneously on client and server and see what's going on.
G.
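
Added example, not part of the original thread: a minimal stand-alone probe for checking the LDAP server directly, independent of the CSS and its keepalive script. It sends an anonymous LDAPv3 simple bind and reads the resultCode from the BindResponse; the function names are illustrative, and treating an anonymous bind as the health signal is an assumption.

```python
import socket
import sys

def _tlv(tag, value):
    """Encode one BER TLV; short-form length is enough for this tiny message."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def build_bind_request(msg_id=1):
    """Anonymous LDAPv3 simple bind (RFC 4511): empty DN, empty password."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0x80, b""))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos); handles short and long-form lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return the LDAP resultCode from a BindResponse; 0 means success."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)           # skip messageID
    tag, body, _ = _read_tlv(msg, pos)      # protocolOp
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    tag, code, _ = _read_tlv(body, 0)       # resultCode (ENUMERATED)
    if tag != 0x0A or not code:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def probe_ldap(host, port=389, timeout=3.0):
    """Return 'alive' or 'down: <reason>' for one bind attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_bind_request())
            data = s.recv(4096)             # a BindResponse fits in one segment
        code = parse_bind_response(data)
    except (OSError, ValueError) as exc:    # refused, timeout, reset, bad reply
        return "down: %s" % exc
    return "alive" if code == 0 else "down: resultCode %d" % code

if __name__ == "__main__" and len(sys.argv) > 1:
    print(sys.argv[1], probe_ldap(sys.argv[1]))
```

Running it first against the server address and then against the VIP separates a server or keepalive problem from a content-rule problem.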

Similar Messages

  • Load Balance TMG with Cisco CSS

    I am working with a Customer that is using Cisco CSS to load balance Microsoft TMG 2010.
    From the Microsoft TMG, I can see the https probes hitting the TMG Servers. The TMG 2010 recognizes that the Cisco is trying to establish a 3-way handshake and is dropping every 3rd connection with the following error: "non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer." Since the Microsoft Forefront TMG 2010 Server is a stateful packet inspection firewall, what is the best load balance method for this service? TCP or even worse ICMP.
    Below is a snippet of the configuration:
    Thank You
    Avery
    CSS-A# show service Server1-ssl
    Name: Server1-ssl  Index: 70   
      Type: Local            State: Alive
      Rule ( x.x.x.x  TCP  443 )
      Session Redundancy: Enabled
      Redundancy Global Index: 206
      Redirect Domain: 
      Redirect String:
      Keepalive: (SSL-443   5   3   5 )
      Keepalive Encryption:      Disabled
      Last Clearing of Stats Counters: 03/05/2012 16:33:14
      Mtu:                       1500        State Transitions:            4
      Total Local Connections:   0           Total Backup Connections:     0
      Current Local Connections: 0           Current Backup Connections:   0
      Total Connections:         0           Max Connections:              65534
      Total Reused Conns:        0           Weight Reporting:             None
      Weight:                    1           Load:                         2
    CSS-A#
    CSS-A# show service Server2-ssl 
    Name: Server2-ssl  Index: 71   
      Type: Local            State: Alive
      Rule ( x.x.x.x  TCP  443 )
      Session Redundancy: Enabled
      Redundancy Global Index: 207
      Redirect Domain: 
      Redirect String:
      Keepalive: (SSL-443   5   3   5 )
      Keepalive Encryption:      Disabled
      Last Clearing of Stats Counters: 03/05/2012 16:53:49
      Mtu:                       1500        State Transitions:            6
      Total Local Connections:   0           Total Backup Connections:     0
      Current Local Connections: 0           Current Backup Connections:   0
      Total Connections:         0           Max Connections:              65534
      Total Reused Conns:        0           Weight Reporting:             None
      Weight:                    1           Load:                         2

    Hi,
    It would be good to have a capture from the server itself; the TCP keepalive is really simple, as you explained, it is just a 3-way handshake on port 443.
    The CSS is going to use its VLAN IP to generate this keepalive.
    So if the server is dropping the connection, it would be good to see the actual behavior of the keepalive.
    ICMP is just a ping, and let's say port 443 is no longer open on the server, at the point that the CSS gets the ICMP reply back from the server, the service is going to remain as alive, but the traffic is not going to work, so ICMP is not a good option.
    Thanks!

  • Hardware clustering/load balancing/failover with Tomcat

    Hello forum!
    I recently bought a Cisco 1801, and it sure is capable! Anyhow, I've got a hobby website that is getting a fair bit of traffic - approaching too much for one node to handle and it's time to start thinking about distributing the load.
    I'd like to do a little clustering of server nodes running Apache Geronimo, which is J2EE running atop Apache Tomcat. For the sake of keeping things generic, let's just call it Tomcat because it configures the same way.
    I do not run Apache HTTP Server as a proxy, I only run Tomcat directly connected to the internet. I do this for performance reasons.
    Anyhow, I'm wondering if any of you evil geniuses could suggest a way that I could cluster Tomcat nodes directly using the router to serve as a hardware load balancer and have the whole sticky session thing with failover, etc... All of the documents I find on the subject discuss clustering by way of Apache HTTP with Mod_JK.
    I have already asked this question on the hardware side, and got great information about the capable load balancing features my router sports (but limited compared to Cisco CSS products.)
    Now I'm wondering if anyone has experience taking an open source application server like Geronimo or Tomcat or JBoss and clustering it using hardware load balancing. What kinds of Tomcat configurations, if any, do I need to add for things like sticky sessions and failover? Or, is all that automatic?
    Thanks so much for reading and for any replies. If there is a better forum for my question, please direct me there.
    Cheers,
    Dave Woldrich
    http://CardMeeting.com

    This occurs rarely when the Tomcat process is not able to connect to the database. The database connection problem is an internal cause which manifests externally as missing fields in reports.
    Workaround: Restart the Apache process and the Tomcat process. From the CLI on your CiscoWorks Server, enter the following commands in the specified sequence:
    1. pdterm Apache
    2. pdterm Tomcat
    3. pdexec Tomcat
    4. pdexec Apache

  • I created a web page in Adobe Illustrator and I can not seem to load it properly with the hyperlinks

    I created a web page in Adobe Illustrator and I can not seem to load it properly with the hyperlinks. Is there a certain extension I should use? HELP!!

    Tiger,
    Have you sliced the images, converted your design into HTML/CSS and tried to click the links?
    Peter

  • MPLS Load Balancing/Sharing with TE or CEF or Both?

    So I am just playing around in GNS3 trying to set up multiple ECMP links between two P routers like this;
    CE1 -- PE1 -- P1 == P2 -- PE2 -- CE2
    (There are actually four links between P1 & P2!)
    I have set up a pseudowire xconnect from PE1 to PE2 so CE1 & 2 can ping each other on the same local subnet range. That works just fine.
    My question is this:
    I have configured "ip load-sharing per-packet" on each of the four interfaces on P1 and P2 that are facing each other (I know per-packet balancing is frowned upon but let's not talk about that right now!) and this works, traffic is distributed across all links (I can see with packet captures in GNS3).
    Where does "ip load-sharing per-packet" fit in to the chain of events with regards to MPLS and CEF etc.? So, with MPLS enabled everywhere the two P routers are forwarding based on labels and not IP address. With MPLS enabled, does this command force the P routers to load-balance each MPLS frame as it comes in, round-robining the ingress frames across all links, the same as it would if it were a plain IP packet? So the command is ignorant of the kind of traffic being used? Or is the P router looking down into the MPLS frame for the IP in the IP packet?
    Also, in order to get the same sort of performance boost you get from per-packet load balancing, seeing as I am using MPLS here, should I be using some fancy MPLS TE to do this instead of that interface sub-command?
    If I remove that command, I seem to always use link 2 for sending traffic towards P2 from P1, and link 3 for receiving the return traffic from P2 to P1. This is presumably because the ICMP packets have nothing to hash on except the source and destination IP addresses, so they always hash to the same physical links. Without using that command how else can I make use of the four links?

    Hello Jwbensley,
    first of all,
    "ip load-sharing per-packet" is not a viable option as it causes out-of-order issues.
    Real world devices perform load balancing based on the second (more internal) label value, so to achieve some load balancing, for example, multiple pseudowires must be defined between the same pair of PE nodes.
    L3 VPNs use different internal labels for different customer prefixes of the same VRF site (unless some special command is used to say use one label per VRF site).
    >> If I remove that command, I seem to always use link 2 for sending traffic towards P2 from P1, and link 3 for receiving the return traffic from P2 to P1
    This is the expected behaviour in this scenario.
    With MPLS TE you can achieve results similar to the use of multiple pseudowires /LSPs : forms of load sharing not true load balancing. In all cases in MPLS world flow based and not per packet
    Hope to help
    Giuseppe

  • SIP load balancing issue with ACE 4710

    SIP Load balancing Issue with ACE 4710
    I have a Cisco ACE 4710 with version A4(2.2). I configured simple SIP load balancing first without stickiness. Without stickiness we are having a problem because the BYE packet was not going to the same server all the time, which left our port in use even though the user hung up the phone. It happens randomly. I have a total of 20 licensed ports and they fill up very quickly. So I decided to use stickiness with Call-ID but still have the same issue. Below is the config:
    rserver host CIN-VOX-31
      ip address 172.20.130.31
      inservice
    rserver host CIN-VOX-32
      ip address 172.20.130.32
      inservice
    serverfarm host CIN-VOX
      probe SIP-5060
      rserver CIN-VOX-31
        inservice
      rserver CIN-VOX-32
        inservice
    sticky sip-header Call-ID VOX_SIP_GROUP
      timeout 1
      timeout activeconns
      replicate sticky
      serverfarm CIN-VOX
    class-map match-all CIN_VOX_L4_CLASS
      2 match virtual-address 172.22.12.30 any
    class-map match-all CIN_VOX_SIP_L4_CLASS
      2 match virtual-address 172.22.12.30 udp eq sip
    policy-map type loadbalance sip first-match CIN_VOX_LB_SIP_POLICY
      class class-default
        sticky-serverfarm VOX_SIP_GROUP
    policy-map multi-match GLOBAL_DMZ_POLICY
       class CIN_VOX_SIP_L4_CLASS
        loadbalance vip inservice
        loadbalance policy CIN_VOX_LB_SIP_POLICY
        loadbalance vip icmp-reply
      class CIN_VOX_L4_CLASS
        loadbalance vip inservice
        loadbalance policy CIN_VOX_LB_SIP_POLICY
        loadbalance vip icmp-reply
    interface vlan 20
      description VIP_DMZ_VLAN
      ip address 172.22.12.4 255.255.255.192
      alias 172.22.12.3 255.255.255.192
      peer ip address 172.22.12.5 255.255.255.192
      access-group input PERMIT-ANY-LB
      service-policy input GLOBAL_DMZ_POLICY
    could you please help me on this...
    thanks
    Rakesh Patel

    I mean there should be one more statement-
    class-map type sip loadbalance match-any CIN_VOX_LB_SIP_POLICY 
    match sip header Call_ID header-value sip:
    and that will be called under-
    policy-map multi-match GLOBAL_DMZ_POLICY
       class CIN_VOX_SIP_L4_CLASS
        loadbalance vip inservice
        loadbalance policy CIN_VOX_LB_SIP_POLICY
        loadbalance vip icmp-reply
    is that missing in your config ?

  • Recommended configuration for load balanced Portal with load balancer, multiple gateways and multiple servers.

    Does anyone have a recommended network, hardware and software configuration guide for a Portal installation running with multiple gateways load balanced (ie one URL) that talk to multiple servers?

    David,
    We've used Resonate (software) to load balance the gateways. It allows
    you to group all the gateways under 1 virtual URL and load balance the
    incoming connections over each gateway depending on the rules that you
    define in Resonate. Look in the SUN portal whitepapers there is one that
    talks about it specifically.
    As far as load balancing the calls to the portals, the gateways will
    automatically load balance across all the portals that they know about
    using a simple round-robin rotation. You may be able to use Resonate in
    front of the portals but you may need to activate persistence within
    Resonate to ensure that the user always ends up on the portal that he
    established his initial connection on (if you want that), check with Sun
    on this one.
    David Broeren wrote:
    Recommended configuration for load balanced Portal with load balancer,
    multiple gateways and multiple servers.
    Does anyone have a recommended network, hardware and software
    configuration guide for a Portal installation running with multiple
    gateways load balanced (ie one URL) that talk to multiple servers?

  • CISCO Load Balancing Mechanism with SAP

    Hello Experts,
    Please explain the steps of how the CISCO load balancing mechanism works with SAP Enterprise Portal.
    If anyone has implemented and achieved the same, please explain the steps to follow from the initial stage to the end of implementation.
    Or If you have any documentation on this just share with me to my google id kekarthick or point me to the particular link.
    I have seen the below SAP help which is somewhat helpful.
    http://help.sap.com/saphelp_nw04s/helpdata/en/d3/e12840d89d185de10000000a1550b0/frameset.htm
    I would like to know how CISCO will connect to Java Dispatcher.
    And explain me the steps to follow to implement External Facing Portal using Cisco Loadbalancer.
    This should be achieved in Unix and Windows 2003 environment.
    Any idea?
    Regards,
    Karthick Eswaran
    Edited by: Karthick Eswaran on May 21, 2008 12:40 AM

    Hello Karthick,
    let's say you have 2 servers for your portal:
    host1 -> e.g. DB, SCS + CI --> http://host1.my.company:50000/irj/portal
    host2 -> DI --> http://host2.my.company:50000/irj/portal
    Now you can implement a CISCO hardware load balancer. You have to connect it to your network and reserve one port and another IP address of it for the portal.
    After that you have to add the IP addresses of both servers (host1+host2) to this port, so that the CISCO load balancer knows to which servers it has to forward the incoming connections.
    If you use DNS in your company you can now map a more user-friendly name to the CISCO port (e.g. http://portal.my.company:50000/irj/portal) and distribute this link to the users of the portal.
    When they connect to the portal via this link the CISCO load balancer will forward the request to one of the configured servers (host1 or host2) depending which one is online and/or the load of them.
    I hope I understood your question right and my answer helps a little.
    Regards,
    Norman Schröder

  • I just uploaded the latest IPad software to my IPad and am now having loads of trouble with the device recognizing "online buttons", that is, links, etc.

    I just uploaded the latest IPad software to my IPad and am now having loads of trouble with the device recognizing "online buttons", that is, links, etc.  what can I do?

    Try:
    - Reset the iOS device. Nothing will be lost
    Reset iOS device: Hold down the On/Off button and the Home button at the same time for at
    least ten seconds, until the Apple logo appears.
    - Reset all settings
    Go to Settings > General > Reset and tap Reset All Settings.
    All your preferences and settings are reset. Information (such as contacts and calendars) and media (such as songs and videos) aren’t affected.
    - Restore from backup. See:
    iOS: How to back up
    - Restore to factory settings/new iOS device.
    -  Make an appointment at the Genius Bar of an Apple store.
    Apple Retail Store - Genius Bar

  • Would love to see the slider and breaks features added to Muse along with the CSS editor?

    Would love to see the slider and breaks features added to Muse along with the CSS editor?

    "I would love to have iTunes and my iPod sync the songs that the iPod played since its last updating into the song count in iTunes"
    It does already do this... unless you use manual updating. Under auto updating, tracks played on your iPod should up the count in iTunes on your next sync.
    Patrick

  • Working with the CSS in JDeveloper 11g

    Hi All,
    I am working on the CSS of the JSF and the ADF Components in JDeveloper11g.
    When adding the components it is generating the css for those component dynamically .
    When seeing the CSS file Iam unable to understand for which component this particular css is getting affected.
    How can I get a clear Idea of how to work with the css of the JDeveloper 11g Components are there any jar files that are generating this css.
    Please help me out.
    Thanks
    Madhavi.

    Hi,
    the use of CSS hasn't change between JDeveloper 11 and 10.1.3. You have two options:
    1) create an external CSS file that uses ADF Faces skin selectors and configure it as a skin to ADF Faces
    2) Use the inlineStyle property of the components to customize the look and feel
    See 10.1.3 documentation:
    http://www.oracle.com/technology/products/jdev/htdocs/partners/addins/exchange/jsf/doc/skin-selectors.html
    Frank

  • [svn:bz-trunk] 13477: Bug: BLZ-455 - Document client-load-balancing property in the sample config

    Revision: 13477
    Author:   [email protected]
    Date:     2010-01-13 05:17:10 -0800 (Wed, 13 Jan 2010)
    Log Message:
    Bug: BLZ-455 - Document client-load-balancing property in the sample config
    QA: No
    Doc: No
    Ticket Links:
        http://bugs.adobe.com/jira/browse/BLZ-455
    Modified Paths:
        blazeds/trunk/resources/config/services-config.xml

  • Why will safari not load web pages with the prefix "fhp"?

    Why will safari not load web pages with the prefix "fhp"?

    Because it doesn't recognise them as valid addresses - just as the error message  says.
    Firefox is similar : Firefox doesn't know how to open this address, because the protocol (fhp) isn't associated with any program.
    Where are you seeing this problem ?.

  • Having an issue with vpn load balancing certificate on the vip

    Hi all,
    I am setting up VPN load balancing in a lab. I have two ASAs running 8.6. I created a UCC cert from our internal CA that has the VIP as the CN in the cert and the two ASAs themselves as subject alternative names. I used OpenSSL to create the request. In each ASA I am using encryption between the ASAs to encrypt the PSKs. Since this is a lab and I do not have the DNS servers at my disposal I've added the hostnames and addresses of each ASA to the config in the ASAs. The problem I have is that when I connect to the VIP I get a cert error saying the cert doesn't match the name on the site. See below:
    "The security certificate presented by this website was issued for a different website's address."
    I have a hostfile on my lab pc connected directly to the outside of the ASA that can resolve the name of the vip but when I browse to the vip I get the cert error. If I click proceed anyway the asa redirects me and the page opens without error on one of the two ASA's.
    Does anyone know what the CN of the cert should be for VPN load balancing? I thought the CN would be the VIP but something is not right.
    Any help is appreciated.
    Thanks.

    Issue resolved. Switched the order of the trustpoints on the outside and vpn load balance.

  • Load balancing LDAP Servers

    Hi
    Load balancing to be achieved on two LDAP Servers.
    In CSS, round robin configuration is carried out between the LDAP Servers.
    My query is: when the client initiates the TCP connection to the CSS VIP address, which in turn redirects the request to server A (termed as LDAP binding), will the CSS see any later activities such as LDAP modify communication from the client as a different request and redirect it to server B (as round robin configuration is carried out)?
    Any help on this is highly appreciated.
    Thanks & regards
    R.Sundara Rajan

    If I am reading your question correctly, it sounds like you are asking if, once a TCP session is established to the VIP, if subsequent LDAP transactions from that connecting client will be load balanced.
    The answer is no, once the TCP session is established, you will continue to use the same backend server until the TCP session ends(fin or rst or whatever).
    Simply described in a healthy system, from TCP SYN to FIN everything will be directed to the same server.
