Load balancer + preserving IPs
I seem to have encountered a rather severe limitation of the mod_loadbalancer, and I'm hoping there is a workaround.
I have a SJSAS 8.1EE cluster fronted by Apache (also tried SJS WS6.1 too) with SJSAS's loadbalancer plugin.
It seems that the appserver instances are seeing the IP of the loadbalancer instead of the original client IP address (web browser).
Several apps we run require to check the IP of the client system (for authentication and other reasons), so this is kind of an issue given mod_loadbalancer is now replacing them with it's IP.
Previously I've used mod_jk with JBoss clustering, and there's no such problem because they intelligently use the AJP protocol, so IP's are preserved.
Surely this would be a common scenario for ppl using loadbalancers, so I'm wondering if there's any way around it such that the destination appserver sees the client's IP, even when going through the loadbalancer.
Another idea that comes to mind is the question of examining another HTTP tag (eg <X-forwarded-by>) to get the client's original IP.
Any ideas would be greatly appreciated!
i believe i'm looking at the same issue. We have struts tags in our jsp's that are returning the incorrect client url from the loadbalancer. where i'm expecting a link with the url "https://mysite.com/", it's returning "http://mysite:443".
our configuration consists of a sun webserver (v6.1) with the lbplugin pointed to a cluster of two sun app servers (v8.1). the loadbalancer.xml is configured with the https-routing param set to false, meaning that ssl connections should be forwarded to the http port of the app servers.
the same problem (i believe) is documented elsewhere in sun's bug site.
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6269102
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6188932
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4814778
Similar Messages
-
Load Balancing -- preserve client IP?
Does the Flash Media Streaming Server need to know the client's IP address in a load-balanced environment?
We will be doing straight-forward hardware load balancing -- we are not architecting the cluster for communication between Flash Media Servers.
We're trying to determine whether we need to configure the hardware load balancer to use SNAT to preserve the original client IP, which for us has ramifications about subnet choices for both the LB and server.
Thanks!I dont think the server would need the client's IP. How do you plan to server your content - RTMP or HTTP ?
Shiven -
Hi everyone ...
I have two 6509 configured with VSS, in each 6509 we have one FWSM and IDSM2.
We have configured the FWSM with contexts and we have Failover working fine.
Now we want to configure IDMS as IPS inline but we want to use both IDSM in load balance for improve the performance and get high availability with security.
Is this possible ?
I know we can get load balance with IPS appliances using etherchannel in switching (ECLB) but I don't know if we can do this with the IDSM modules in catalyst 6509 considering VSS.
Any suggestions ?The VSS is a special configuration.
You can configure the FWSM modules to be Failover partners but in IDSM modules you need to configure the same input/output VLANs to get the Failover or balance behaviour. The Cisco IPS architecture has not Failover configuration. you can find some examples with Etherchannels or Port-Channels configuration shared with some IPS units to balance the bandwith. That's the case in VSS solucion, both chasis shared the VLANs and it's necesary to configure the input/output VLANs pairs shared between the modules to balance the bandwith. -
Adding a 2nd WFE to a Production Farm - Load balanced using F5 Virtual IPs
Hello all,
In much reading I haven't been able to find a more or less straight answer to this question: I have a small-ish SharePoint farm; 1 WFE, 1 App and a SQL cluster. I need to bring a 2nd web front end into the farm. What I am trying to find
out is, may I install the SharePoint bits and join the new web front end to the farm - without putting the web apps' IPs into my F5 pools - without adversely impacting the farm?
What I'm after is time to test the new web front end by redirecting my browser to it via my hosts file. Once I'm confident all is well, I would then configure WFE2 to have traffic forwarded to it through the F5. Is this a reasonable hope?
Thanks in advance for any advice you might provideYes, that will work.
Having an extra WFE that isn't included in your load balancer is actually a fairly common practice when you use it as a dedicated crawl target, there' no impact to having it there unused for a while.
Thanks very much for confirming; I appreciate that! -
IPS etherchannel load balancing design
Is it possible to do a etherchannel load balancing with the design attached? i know I need to configure vlan pairs but I'm not sure if it's possible with my current design
Etherchannel design will work with interface pair as well ,provided the design is appropriate to take care of the asymmetry.
Coming to your design, if i understand the requirement correctly, you wish to create etherchannel between 3750 stacked switch and the pair of CAT6K. Enabling VSS on the pair of CAT6K switches and then creating etherchannel should help.But the flow symmetry will not be guaranteed ( meaning the same IPS may not see the forward and the reverse packets of the flow). -
Third Party Load Balancing Active Directory
We have serveral applications that target individual Active Directory domain controllers for authentication. If the domain controller goes down then that service stops working.
I'm interested in using a Citrix Netscaler to load balance authentication requests.
What I want to know is, "Does Microsoft support the use of an external load balancer", not from the perspective of third party device support obviously, rather functionally. Will AD work and be supported when using the Netscaler.
IT ManagerIf you simply plan to use the Citrix NetScaler to load balance say, reading LDAP on port 389 as an example, you will be OK.
Rather than pointing the app to a single DC, why not create multiple DNS records with the same host name, different IPs and use Round Robin. Not as sophistacted, but it isnt going to cost you tens of thousands of dolllars in load balancing.
Visit: anITKB.com, an IT Knowledge Base.
Have you actually tested and used this in a production environment? If I understand correctly, what you are suggesting is to take existing (hypothetical) domain controller DNS entries:
A record: dc1.contosso.com, 10.1.1.10
A record: dc2.contosso.com, 10.1.1.11
And add the following entries to create quasi fault tolerance?
A record: dc3.contosso.com, 10.1.1.10
A record: dc3.contosso.com, 10.1.1.11
I honestly don't think it will work, because of a few things, such as DC registration occurs every 60 min, including the netlogon service overwriting whatever static entries created for the quasi load balancing, and possibly Kerberos auth failing due to a different
IP authenticating from a different SPN. I know the hardware load balancers have options to preserve session cookies, which work fine for IIS implementations, such as Exchange HUB, and especially for CAS access, otherwise Outlook will not accept it if it sends
an auth request on one IP and another backend responds, which the LB help preserve this, however with AD LDAP, RPC, etc, I *don't* think it will work, due to Kerberos failing it thinking it's a spoof. If you get it working, I would be very curious to see the
documented implementation, settings, results, etc.
Ace
Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
Lync 2013 Enterprise load balancing on the front end and edge pool
Hi,
I am setting up a Lync 2013 Enterprise deployment consisting of a Front End pool (x2 FE servers) and an Edge pool (x2 Edge servers). I'm seeing some conflicting advice regarding load balancing using hardware or DNS for the front end and the edge.
On the front end I have 2 internal DNS records 'lyncfepool1.contoso.local' each of which map to one of the IPs of the FE servers. I've used my details to populate the Detailed Design Planner excel spreadsheet and am told that I require a HLB to load
balance my front end pool. I'm aware of the need to load balance HTTPS traffic internally (which will be done by TMG) however other traffic to the front end (SIP, etc) can be balanced by DNS only, and not require a HLB?
Can someone clarify the front end requirement?
Also - looking now at the edge pool - this site again have two edge servers in a pool. We are using a total of six private IP addresses, two per edge service (2 x av.contoso.com, 2 x sip.contoso.com and 2 x webcon.contoso.com). These will be
NAT'ed by the external firewall and directed to the respective external (DMZ) IP addresses on the Edge servers on port 443. I know this isn't true roundrobin due to the intelligence of the Lync client when connecting (in that the Lync client will connect
to one of the public IPs and if it can't connect, it will know to connect to the other service IP), however I want to clarify this set up, particularly the need to direct the external public IP traffic at the DMZ Edge IP specified in the topology builder.
I've attached a basic diagram of the external/DMZ/Edge side which hopefully helps with this question
Persevere, Persevere, Per..That is because you will always need HLB for a front-end server since it hosts the Lync webservices which use HTTP/HTTPS traffic.
The description on the calculation tool also describes this correctly:
Supports Standard and Enterprise pools (up to 12 nodes), with pure device-based load balancing or a combination of DNS load balancing and device-based load balancing (for
Lync web services)
You can use either Hardware or DNS loadbalancing for SIP traffic only, but you will always need a HLB for the webservices. Both are applicable for the Front-End so you have either
full HLB for both SIP and HTTP(S) traffic
DNS LB for SIP traffic and HLB for HTTP(S) traffic
Hope this is more clear :-)
Lync Server MVP | MCITP Lync Server 2010 | If you think my post is the answer to your question, please mark it as answer so future visitors can easily find it. -
Load balancing host named site collection
I am jumping into the realm of host named site collection. While the learning experience has been good, still there are some questions unanswered. Please bare patience since my questions are long.
- I have a non host header site on port 80 that has https certificate added to IIS for supporting app store in https mode.
- I tried to created the host name site collection using https in this default port 80 non host header web application and was greeted with error. Then i extended the web app to different zone with port 443 . Then created the host header site collection
with https with web application name for extended 443 one. Creation went in fine.
- I tired to use IPs on now extended IIS site and bind certificates on that one. The site does not load. I do the same again in the default zone iss site, bind ips on that one and site loads. Now question is even though host header site collection was created
using extended web application url , why binding had to be done on default zone IIS site?
- Second test, i changed the authentication mode for extended, no effect on host named site collection but as soon as i changed it in default zone it reflected in host named site collection. I am confused why it needs extended zone url to create the https
site but every change done in default zone is getting reflected on this host named site collection.
Now for load balancing , it works fine with IP? But how to load balance these host named site collection using url. I talked with f5 team and they said i need to send some reply query string from each site. Where do i do that? Or is it even needed?
Accoring to this link : https://devcentral.f5.com/articles/name-based-virtual-hosting-with-ltm
. If the site hosts an application, though, the monitor should request a dynamic page on each webserver which forces a transaction with the application to verify its health and returns a specific phrase upon success.
For application monitoring, the recommended best practice is to create such a script specific to your application, configure the monitor Send string to call that script, and set the Receive string to match that phrase.
Has any one done this before? I tired to search for resource regarding this for iis or sharepoint but was not able to get anything.
Thank you for your patience for reading such a long question.
Aditfirst part of question:
Default Web Appliction in port 80: Creating https host named site collection fails.
Extend default web application on port 443 : Https hostnamed site collection created when web application name is passed for extended web application on port 443. This means this site collection is associated with this extended web application correct? But
all the changes made in IIS only reflect if it is made to port 80 web application. Also changing authentication scheme from Central Admin, only changes on default zone reflects on site collection not the one in extended web application? Why if the site
was only created on extended web application paremeter, changes on default are reflecting on it but not from extended.
Second part of question:
Each Hostnamed site collection when load balanced thorough f5 using IP for 3 WFE uses 3 IPs for each. This way we will run out of IPs pretty soon. I want to know if there is way to load balance these sites using Hostname or anyother paramenter through f5
and if any body has done it?
https://devcentral.f5.com/articles/name-based-virtual-hosting-with-ltm link talks about sending reply string
from application but i do not know where to set it up or how to do it? No resources in the net. Just asking if any one else has done it.
Adit -
TMG load balance and publishing issues
Dear Experts,
I have some questions about publishing multiple services with TMG's ISP redundacny with load balancing:
We are using a single TMG 2010 server to protect our network and providing Internet connection to them. We manage our own domain providing the name service with the DNS server component installed on the TMG box and published it outside. We are using Exchange
for mail service, as well we publish web sites too and terminal services via RDP. There wasn't any problem till today, when we got an other, separate Internet connection via a new different ISP. When I set ISP Redundancy to Load Balance I faced to a problem.
The Internet connection works fine, but the partner SMTP's drop our letters, because they can not complete the reverse DNS check.
How can I set the TMG and/or the DNS to provide a correct mail publishing service? How should I set our DNS to provide access to our web sites and other services when one of the Internet connections brake down?
Thank you in advance!
ThomasDear Quan,
Yes, this is the problem.
Would you tell me, how should I configure my DNS for working properly if I publish my services to all my IPs/Internet connections? Do I have to double all my A and MX records?
Is it possible to publish services on all IPs/Internet connections or should I publish on only one an use NLB only for to provide Internet connection to our computers?
What is the good solution to make a fail-safe internet-gateway which publishes multiple services fail-safe too?
Thank you
Thomas -
ACE load-balancing-Cookie problem
In our other load-balancing environments the load-balancer-cookie contains the encrypted (real) servername or ip-address.
We think it's the same on the cisco, for that reason it's in theory not possible, that there are two 'green'-cookies with different values in the same request.
There are only two possibilities how this could happen:
a) The healthmonitor (http_probe) fails, the loadbalancer 'thinks' that the realserver is down and redistributes the traffic.
But in that case we would expect, that the old cookie will be overwritten by the new one and not simply added to the http-header.
b) The predictor in the serverfarm chooses a new realserver within the same request.
If that is really the cause of that problem this would be bug in the cisco ace.
What we found out, is that the loadbalancer performs a 'Set-Cookie'-Operation an every request even if the client submits the cookie correctly.
For example:
GET /ips-opdata/scripts/jquery.js HTTP/1.1
Host: www.xxxxx.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.xxxxx.com/
Cookie: green=R339366665; JSESSIONID=28D91FC6FD62A3921354BB36826294C4
HTTP/1.1 200 OK
Set-Cookie: green=R339366665; path=/; expires=Tue, 29-Mar-2011 06:33:00 GMT
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
ETag: W/"72181-1298537508000"
Last-Modified: Thu, 24 Feb 2011 08:51:48 GMT
Content-Type: text/javascript
Content-Length: 72181
Date: Mon, 28 Mar 2011 06:15:19 GMT
As you can see the cookies: green=R339366665 is transmitted from the client, but the loadbalancer does a Set-Cookie Operation of the same cookie once again. This is an unexpected behaviour.
We hope that this helps you to figure out the reason of the problem.The cookie is sent by the ACE on each response to refresh the timeout value on the client. The value of the cookie doesn't change. This is the expected behaviour and shouldn't break anything in the application / browser.
For browser-based applications, don't forget to add the "browser-expire" parameter to your cookie-based stickyness config. -
Load Balancing Directory Servers with Access Manager - Simple questions
Hi.
We are in the process of configuring 2 Access Manager instances (servers) accessing the same logical LDAP repository (comprising physically of two Directory Servers working together with Multi-Master Replication configured and tested) For doing this, we are following guide number 819-6258.
The guide uses BigIP load balancer for load balancing the directory servers. However, we intend to use Directory Proxy Server. Since we faced some (unresolved) issues last time that we used DPS, there are some simple questions that I would be very grateful to have answers to:
1. The guide, in section 3.2.10 (To configure Access Manager 1 with the Directory Server load balancer), talks about making changes at 4 places, and replacing the existing entry (hostname and port) with the load balancer's hostname and port (assuming that the load balancer has already been configured). It says that changes need not be made on Access Manager 2 since the LDAPs are in replication, and hence changes will be replicated at all places. However, the guide also states that changes have to be made in two files, namely AMConfig.properties, and the serverconfig.xml file. But these changes will not be reflected on Access Manager 2, since these files are local on each machine.
Question 1. Do changes have to be made in AMConfig.properties and serverconfig.xml files on the other machine hosting Access Manager 2?
Question 2: What is the purpose of putting these values here? Specifically, what is achieved by specifying the Directory server host and port in AMConfig.properties, as well as in serverconfig.xml?
Question 3. In the HTTP console, there is the option of specifying multiple primary LDAP servers, as well as multiple secondary LDAP servers. What is the purpose of these? Are secondary servers attempted when none of the list in the primary list are accessible? Also, if there are multiple entries in the primary server list, are they accessed in a round robin fashion (hereby providing rudimentary load balancing), or are other servers accessed only when the one mentioned first is not reachable etc.?
2. Since I do not have a load balancer setup yet, I tried the following deviation to the above, which, according to me, should have worked. If viewed in the HTTP console, LDAP / Membership / MSISDN and Policy configuration all pointed to the DS on host 1. When I changed all these to point to the directory server on host 2 (and made AMConfig.properties and serverconfig.xml on host 1 point to DS of host 2 as well), things should have worked fine, but apparently Access manager 1 could not be started. Error from Webserver:
[14/Aug/2006:04:30:36] info (13937): WEB0100: Loading web module in virtual server [https-machine_1_FQDN] at [search]
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Exception in thread "EventService" java.lang.ExceptionInInitializerError
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.iplanet.services.ldap.event.EventServicePolling.run(EventServicePolling.java:132)
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at java.lang.Thread.run(Thread.java:595)
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Caused by: java.lang.InterruptedException
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.sun.identity.sm.ServiceManager.<clinit>(ServiceManager.java:74)
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: ... 2 more
In effect, AM on 1 did not start. On rolling back the changes, things again worked like previously.
Will be really grateful for any help / insight / experience on dealing with the above.
Thanks!Update to the above, incase anyone is reading:
We setup a similar setup in Windows, and it worked. Here is a detailed account of what was done:
1. Host 1: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST1:389)
2. Host 2: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST2:389)
3. Host 1: Started replication. Set to Master
4. Host 2: Started replication. Set to Master
5. Host 1: Setup replication agreement to Host 2
6. Host 2: Setup replication agreement to Host 1
7. Initiated the remote replica from Host 1 ----> Host 2
Note that since default installation uses abc.....xyz as the encryption key, setting this to same was not an issue.
9. Started webserver for Host 1 and logged into AM as amadmin.
10. Added Host 2 FQDN in DNS Aliases / Realms
11. Added http://HOST2_FQDN:80 in the Platform server (instance) list.
12. Started Host 2 webserver. Logged in AM on Host 2, things worked fine.
At this stage, note the following:
a) Host 1:
AMConfig.properties file has
com.iplanet.am.directory.host=host1_FQDN
and
com.iplanet.am.directory.port=389
serverconfig.xml has:
<Server name="Server1" host="host1_FQDN" port="389" type="SIMPLE" />
b) Host 2:
AMConfig.properties file has
com.iplanet.am.directory.host=host2_FQDN
and
com.iplanet.am.directory.port=389
serverconfig.xml has:
<Server name="Server1" host="host2_FQDN" port="389" type="SIMPLE" />
c) If one logs into AM, and checks LDAP servers for LDAP / Policy Configuration / Membership etc services, they all contain Host2_FQDN:389 (which makes sense, since replica 2 was initialized from 1)
Returning back to the configuations:
13. On Host 1, login into the Admin server console of the Directory server. Navigate to the DPS, and confgure the following:
a) Network Group
b) LDAP servers
c) Load Balancing
d) Change Group
e) Action on-bind
f) Allow all actions (permit modification / deletion etc.).
g) any other configuations required - Am willing to give detailed steps if someone needs them to help me / themselves! :)
So now, we have DPS configured and running on Host1:489, and distributing load to DS1 and DS2 on a 50:50 basis.
14. Now, log into AM on Host 1, and instead of Host1_fqdn:389 (for DS) in the following places, specify Host1_fqdn:489 (for the DPS)--
LDAP Authentication
MSISDN server
Membership Service
Policy configuation.
Verified that this propagated to the Policy Configuration service and the LDAP authentication service that are already registered with the default organization.
15. Log out of AM. Following the documentation, modify directory.host and directory.port in AMConfig.properties to point to Host 1_FQDN and 489 respectively. Make this change in AMConfig.properties of both Host 1 as well as 2.
16. Edit serverconfig.xml on both hosts, and instead of they pointing to their local directory servers, point both to host1_FQDN:489
17. When you start the webserver, it will refuse to start. Will spew errors such as:
[https-host1_FQDN]: Sun ONE Web Server 6.1SP5 B06/23/2005 17:36
[https-host1_FQDN]: info: CORE3016: daemon is running as super-user
[https-host1_FQDN]: info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_04] from [Sun Microsystems Inc.]
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amserver]
[https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [ampassword]
[https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amcommon]
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amconsole]
[https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [search]
[https-host1_FQDN]: warning: CORE3283: stderr: netscape.ldap.LDAPException: error result (32); matchedDN = dc=sun,dc=com; No such object (DN changed)
[https-host1_FQDN]: warning: CORE3283: stderr: Got LDAPServiceException code=-1
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getConnection(DSConfigMgr.java:357)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewFailoverConnection(DSConfigMgr.java:314)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewConnection(DSConfigMgr.java:253)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:184)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:194)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.initLdapPool(DataLayer.java:1248)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.(DataLayer.java:190)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:215)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:246)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.initialize(SMSLdapObject.java:156)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.(SMSLdapObject.java:124)
[https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
[https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
[https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
[https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
[https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance0(Class.java:350)
[https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance(Class.java:303)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.SMSEntry.(SMSEntry.java:216)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ServiceSchemaManager.(ServiceSchemaManager.java:67)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.getServiceSchemaManager(AMClientDetector.java:219)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.(AMClientDetector.java:94)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.mobile.filter.AMLController.init(AMLController.java:85)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:322)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:120)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3271)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3747)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[https-host1_FQDN]: failure: WebModule[amserver]: WEB2783: Servlet /amserver threw load() exception
[https-host1_FQDN]: javax.servlet.ServletException: WEB2778: Servlet.init() for servlet LoginLogoutMapping threw exception
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:949)
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
[https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
[https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
[https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[https-host1_FQDN]: ----- Root Cause -----
[https-host1_FQDN]: java.lang.NullPointerException
[https-host1_FQDN]: at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
[https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
[https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
[https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[https-host1_FQDN]:
[https-host1_FQDN]: info: HTTP3072: [LS ls1] http://host1_FQDN:58080 [i]ready to accept requests
[https-host1_FQDN]: startup: server started successfully
Success!
The server https-host1_FQDN has started up.
The server infact, didn't start up (nothing even listening on 58080).
However, if AMConfig.properties is left as it originally was, and only serverconfig.xml files were changed as mentioned above, web servers started fine, and things worked all okay. (Alright, except for some glitches when viewed in /amconsole. If /amserver/console is accessed, all is good. Can this mean that all is still not well? I am not sure).
So far so good. Now comes the sad part. When the same is done on Solaris 9, things dont work. You continue to get the above error, OR the following error, and the web server will refuse to start:
Differences in Solaris and Windows are as follows:
1. Windows hosts have 1 IP and hostname. Solaris hosts have 3 IPs and hostnames (for DS, DPS, and webserver).
No other difference from an architectural perspective.
Any help / insight on why the above is not working (and why the hell does the documentation seem so sketchy / insecure / incorrect).
Thanks a bunch! -
IDSM-2 load balancing on inline mode is it possible ..?
Hi there .. I am currenty working on a project and need to find out as to whether etherchanelling load balancing can be configured between several IDSM-2 running on inline mode. The IPS 5.1 admin guide states that it is possible for IOS based switches having the IDSM-2 configured on promiscuous mode, however I have heard that it might also be possible to configure etherchannelling load balance when the IDSM-2 are on inline mode. Any help .. commments will be appreciated .. any links to refer to will be even better
Thanks !!!To configure EtherChannel load balancing on IDSM-2, you must install Cisco IOS 12.2(18)SXE and have Supervisor Engine 720. Cisco IOS only supports promiscuous IDSM-2 EtherChanneling using VACL capture (not SPAN or monitor). Refer the URL
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1044800 -
Ise & vlan load balancing (user balancing)
As far as I know anb based on some esperience in a test environment it seems that cisco ISE among two load balancing radius kind of attributes supports only vlan gropu assignment, this means that on the switches vlan group assignment is required.
A second method of passing multiple vlans or vlan IDs by radius attributes is not allowed.
Am I wrong?
The issue I'm trying to overcome is the following
Subnet1 /24
Subnet2 /22
Many, many switches
(and the situation can't be changed)
Assuming the vlan assignment is local to the switch and with a round robin method, once the IPs are exhausted on Subnet1 only half of the clients that authenticate will obtain an IP (on Subnet2) while the rest will get stuck on Subnet1 without an IP
The same situation comes up when considering an odd number of authenticated clients on every switch and with two /24 subnets: it is likely possible that Subnet1 will be "full" before the second subnet does falling in the previous situation.
is there any solution?
thank you in advanceDon,
You are right. I should have said - Forte uses its own partitioning scheme
not the default scheme you see when you open partition workshop.
Nirmal
From: Don Nelson <[email protected]>
To: Nirmal P Uppalapati <[email protected]>
Cc: [email protected]
Subject: Re: Load Balancing, User Visible Service objects, Running man
Date: Wednesday, October 22, 1997 10:45 PM
Nirmal,
One note on the "running man"...
At 08:12 PM 10/22/97 -0500, Nirmal P Uppalapati wrote:
3. Running Man
When you run an application by clicking on the running man Forte uses
its
default partitioning scheme and runs the application. The partitionscheme
that you made will be used only when you run the application distributedor
from the partition workshop. This is the time you might encounter errorsif
your partitioning is not right.
Actually, clicking on the "running man" from the repository or project
workshop will cause the application to be run VERY differently thanrunning
it distributed.
It's not technically correct to say that the default partitioning schemeis
used with the running man.
Forte consulting offers a deployment workshop that covers the finerpoints
of this and other distributed issues.
Don
============================================
Don Nelson
Regional Consulting Manager - Rocky Mountain Region
Forte Software, Inc.
Denver, CO
Corporate voice mail: 510-986-3810
aka: [email protected]
============================================
"If you ask me, though, any game without push-ups, hits, burns or noogies
is a sissy game." - Calvin -
Interesting ACE URL Header & Load-balance & SSL on 2 VIPs
Hi There
I have an interesting situation that I am trying to solve. I have 4 websites, each one with SSL Off-Loading on the ACE on the outside. All FOUR websites run on a single server on the inside, but each website is using a different port number for differentiation. Also, they are currently only available on TWO IPs on the outside! I know.....it's a mare!
So, RSERVER = SERVER = 192.168.0.1
Each website has SSL Certs on the outside. https://website1.abc.com - https://website4.abc.com
But, DNS is only bound to 2 IPs on the outside, as that is all we have available currently, until we free up more IPs.
OUTSIDE:
website1.abc.com = 172.16.0.1:443
website2.abc.com = 172.16.0.1:443
website3.abc.com = 172.16.0.2:443
website4.abc.com = 172.16.0.2:443
On the server we have:
INSIDE: 192.168.0.1
SERVER:8001 = website1.abc.com
SERVER:8002 = website2.abc.com
SERVER:8003 = website3.abc.com
SERVER:8004 = website4.abc.com
So, in a nutshell what I need to do is:
Terminate SSL for each website, then match the HTTP header, and pass it to the SERVER on the right port. Sounds easy enough.
But, I am struggling like hell. The VIPs (Wirtual IPs on the OUTSIDE are causing me grief) My steps seem to be breaking my ruleset. Individually they all work, but once I tie them to the VIPs on the outside, it seems to stop. The first site in each CM (class-map) match in the PM (Profile-Map) works but the subsequent site just breaks.
I would post my config, but right now I have sooooooooooooo many variations, it looks like a dog's breakfast.
Can anyone give advice on the process flow to follow to get this to work. My issue is arround the VIPs mainly. To be honest, I don't really care about Load-Balancing right now. That will come later when more servers are added to mix. And then we might have to do inbound NAT too to the Server Farm, but that can wait! :-o
I have created a HEADER map for the headers, individual SERVER FARMS for each port on the RSERVER, ACLs matching the VIPs inbound on 443, CLASS-MAPs matching the HEADER and applying to SFARM, POLICY MAPS matching the CMAPs and doing Load-Balancing with SSL-PROXYs for the SSL headers. SERVICE-POLICY tieing it all together on Interface.
But .... things are going hey-wire.
So, steps are:
RSERVER
SFARMs = RSERVER:PORTs
ACLs = VIPs
CMAP = HEADER = URL
LB PMAP = HEADER CMAP & SFARM
PMAP MULITM = ACL CMAP + LB PMAP & SSL-Proxy
SVC-POL = PMAP MULTIMHi Surya
Thanks for the prompt reply. I'm not quite sure what you mean when you say it ca only handle 2 certs. Can you elaborate please?
It would appear to me that you can actually only bind one cert to an IP, based on using a VIP address for the server farm as per the CM in the PM. I can hack out the irrelevant bits tomorrow and post what I have done thus far. I have played with multiple lines of code and various ways of trying to do this, but the end result is that it appears once I have the CM set per VIP I can only set one SSL-Proxy, and so only one cert. If I use multiple CMs, as per the MultiMatch policy, it matches the first CM against the VIP and doesn't appear to move on as per the HTTP Header. If any of that makes sense?
regards
Sent from Cisco Technical Support iPad App -
Dual ISP load balancing with 2 routers and 2 FW without using BGP
Hi all,
Based on the attachment diagram, is the design viable?
Do anyone has a similar deployment before and can you share with me the config guide to this because I'm at lost on a few configs:
1. On core switch A and B, I understood we need to have a default route pointing to the firewall interface. For this case, I have different IPs for the same context on both the firewalls.
So, how should the config be?
CoreSW_A(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.110
CoreSW_A(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.111
I don't think the above will work as the core switch will load balance the traffic to both firewalls even if one of the context is on standby mode?
2. The area from the firewall to the internet would all be public IP. Thus, if i put a switch in between the firewall and the router, then i would waste some public IP addresses but if i remove the switch, I would not have enough ports on the ASA firewall. What is the best recommended solution for this?
3. How do I load balance traffic to both R1 and R2 to their respective ISPs without using BGP? I may be using only a 2811 router.
Thanks alot!!.. really much looking forward for some guidance and tips on this as I havent found any guides on this deployment yet.. mostly are LAN HA.For policy based routing, I would need to create route maps on the core switch itself right?
Correct me if I'm wrong, if i use route-maps, i would be assigning e.g. internal network A to go through firewall context A and internal network B to go through firewall context B.
Context A will only have path to Router A and context B will only have path to Router B. But if router B goes down, network B won't be able to access the Internet, right?
I'm not sure whether it's a PI or PA for this as the ISP will assign us a block of IP address, for example 202.111.1.8/29 (these IPs can be used for webservers, etc). There will also be a public IP of /30 on the serial interface to connect to their router.
Thanks alot..
Maybe you are looking for
-
Is it possible to migrate WebCenter Portal data from a SQL database to an Oracle database?
We have our WebCenter Portal applications set up using a SQL database. Now we're wanting to migrate to an Oracle database and I'm wondering if that is possible.
-
Old Itunes library (from PC) on external hard drive - Mac won't recognise
I feel like I've tried absolutely everything, so hopefully someone here can help. I had my Itunes library stored on an external disc. This was when I was using Itunes on a PC. It all ran fine.... Now we've upgraded to a Mac and for the life of me I c
-
Hi, I'm trying to build an ADF Faces component tree dynamically. In particular, I'm trying to add an HtmlRowLayout to an HtmlTableLayout. Although my code appears to run without throwing errors, the <TABLE> tag that gets generated is empty. I'm not s
-
I connected up my eprint and have a address for it. I sent a photo to the printer. Where do I find the photo to print it? This question was solved. View Solution.
-
Is the Company Application Portal available in Config Man 2012 SP1?
I heard while at Teched this year, that a company application portal was part of Config Man 2012 SP1. Is that true or is that a new 2012 R2 feature? thanks Thanks Lance