Load-balancing in MPLS Core

How is load-balancing achieved in MPLS L3 VPNs when multiple equal-cost links exist to reach the egress PE and per-destination load-balancing is enabled on the interfaces?
I have tried to simulate the network below:
Ingress PE--->P1--->>P2--->Egress PE
Multiple equal-cost links exist between P1 and P2; Cisco platform, LDP, and OSPF as the IGP are being used.

Hi,
Destination based load balancing in MPLS L3VPNs can be categorized into two scenarios:
1) multiple paths between two PE routers
2) multiple access links to a single CE or site
Your question as I understand it was about the first scenario. So let me first quickly review how customer traffic is forwarded between VRFs on two different PE routers.
The VRF routing table will have BGP entries for the routes learned from the remote PE usually with next hop addresses being the remote PE loopback IP used for PE-to-PE BGP peering.
The traffic will be forwarded across P routers using the label for the BGP next hop.
Thus the load balancing across the MPLS core in a first step is decided by the IGP, which has to insert several equal cost paths into the global routing table for the BGP next hop networks (PE loopbacks).
Side note: MPLS traffic engineering in the core would allow for unequal cost load balancing.
The decision, which labeled packet to send across which path in the core is done by CEF using a hash algorithm. To achieve the same load balancing as with unlabeled IP traffic, a Cisco MPLS enabled router will look for the bottom label - the one with bottom-of-stack bit set to 1 - and try to determine, if the transported packet behind the bottom label is IP. If so, the hash is calculated for the customer IP header like for normal IP traffic. This ensures all traffic for a certain customer destination will always go through the same path. No unwanted packet reordering will occur.
Be aware, that the customer IP packet header will only be used for CEF hash calculation, no IP lookup will be performed, as core routers in MPLS L3VPNs do not have any knowledge about customer addresses.
As a side note: if the traffic transported is not IP (e.g. Ethernet over MPLS), the bottom label will be used for the CEF load balancing (e.g. the VC label).
For the second scenario - CE load balancing with multihomed CE/sites - it is first required to have two equal cost entries in the VRF routing tables. The difference will be the two different PE BGP next hop addresses. The first load balancing decision is then performed by CEF based on the IP packet received by the CE and the VRF routing table entries. Once CEF decided, which VRF entry to use, the required BGP next hop label (and the VPN label) is applied and the packet is transported across the MPLS core. Load balancing there is done as described above.
Hope this helps! Please rate all posts.
Regards, Martin
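
The forwarding decision described in the answer above, as an added Python sketch that is not part of the original thread and is not Cisco's code: it walks the label stack to the bottom-of-stack entry, checks whether the payload looks like IP, and hashes either the customer addresses or the bottom label. The CRC32 hash, the first-nibble IP check, and all label values and addresses are assumptions made for the illustration; the page does not give the actual CEF hash.

```python
import ipaddress
import struct
import zlib

# Constructed label values for the illustration (not from the thread).
TRANSPORT, VPN_LABEL, VC_LABEL = 16, 24, 30


def mpls_entry(label, bottom, exp=0, ttl=64):
    """Pack one 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def ipv4_header(src, dst, proto=1):
    """Minimal 20-byte IPv4 header; checksum left at 0, it is not hashed."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def l3vpn_frame(src, dst, transport=TRANSPORT, vpn=VPN_LABEL):
    """Customer IPv4 packet behind a transport label and a VPN label."""
    return mpls_entry(transport, False) + mpls_entry(vpn, True) + ipv4_header(src, dst)


def eompls_frame(vc=VC_LABEL, transport=TRANSPORT):
    """Ethernet frame behind a transport label and a VC label (constructed MACs)."""
    ethernet = bytes.fromhex("001122334455" "0a0b0c0d0e0f" "0800") + b"\x00" * 46
    return mpls_entry(transport, False) + mpls_entry(vc, True) + ethernet


def parse_label_stack(frame):
    """Return (labels, payload), reading entries until the S bit is 1."""
    labels, offset = [], 0
    while True:
        if offset + 4 > len(frame):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", frame, offset)
        offset += 4
        labels.append(word >> 12)
        if (word >> 8) & 1:          # bottom-of-stack bit
            return labels, frame[offset:]


def hash_key(frame):
    """Pick the hash input the way the answer describes for a P router.

    The payload is only inspected, never routed on: the P router has no
    customer routes. The IP test is a first-nibble heuristic (assumption),
    so an Ethernet payload whose first nibble is 4 or 6 would be misread.
    """
    labels, payload = parse_label_stack(frame)
    if len(payload) >= 20 and payload[0] >> 4 == 4:
        return "ipv4", payload[12:20]            # source + destination address
    if len(payload) >= 40 and payload[0] >> 4 == 6:
        return "ipv6", payload[8:40]             # source + destination address
    return "label", struct.pack("!I", labels[-1])  # e.g. the VC label


def select_link(frame, n_links):
    """Map the hash input onto one of n_links equal-cost links (CRC32 stand-in)."""
    _, key = hash_key(frame)
    return zlib.crc32(key) % n_links


if __name__ == "__main__":
    for dst in ("10.2.2.1", "10.2.2.2", "10.2.2.3"):
        frame = l3vpn_frame("10.1.1.1", dst)
        print("L3VPN", dst, hash_key(frame)[0], "-> link", select_link(frame, 4))
    for vc in (30, 31):
        frame = eompls_frame(vc=vc)
        print("EoMPLS VC", vc, hash_key(frame)[0], "-> link", select_link(frame, 4))
```

Every packet of one customer source/destination pair lands on the same link regardless of the labels in front of it, while a pseudowire is pinned to whichever link its VC label hashes to.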

Similar Messages

  • MPLS/VPN network load balancing in the core

    Hi,
    I've an issue about cef based load-balancing in the MPLS core in MPLS/VPN environment. If you consider flow-based load balancing, the path (out interface) will be chosen based on source-destination IP address. What about in MPLS/VPN environment? The hash will be based on PE router src-dst loopback addresses, or vrf packet src-dst in P and PE router? The topology would be:
    CE---PE===P===PE---CE
    I'm interested in load balancing efficiency if I duplicate the link between P and PE routers.
    Thank you for your help!
    Gabor

    Hi,
    On the PE router you could set different types and 2 levels of load-balancing.
    For instance, in case of a DUAL-homed site, subnet A prefix for VPN A could be advertised in the VPN by PE1 or PE2.
    PE1 receives this prefix via eBGP session from CE1 and keeps this route as best due to external state.
    PE2 receives this prefix via eBGP session from CE2 and keeps this route as best due to external state.
                                 eBGP
                         PE1 ---------CE1
    PE3----------P1                          Subnet A
                         PE2----------CE2 /
                                eBGP
    Therefore from PE3 point of view, 2 routes are available assuming that IGP metric for PE3/PE1 is equal to PE3/PE2.
    Then a 1st level of load-sharing can be achieved thanks to the maximum-paths ibgp number command.
    2 MP-BGP routes are received on PE3:
    PE3->PE1->CE1->subnet A
    PE3->PE2->CE2->subnet A
    To use both routes you must set the number to at least 2: maximum-paths ibgp 2
    But guess what, in the real world an MPLS backbone hardly guarantees an equal IGP cost between 2 egress PEs for a given prefix.
    So it is often necessary to ignore the IGP metric by adding the "unequal-cost" keyword: maximum-paths unequal-cost ibgp 2
    By default the load-balancing is called "per-session": source and destination addresses are considered to choose the path and the outgoing interface, avoiding reordering the packets on the target site. Otherwise it is possible to use "per-packet" load-balancing.
    Then a 2nd load-sharing level can occur.
    For instance:
             __P1__PE1__CE1
    PE3           \/                   Subnet A
            \ __P2__PE2__CE2
    There are still 2 MP-BGP paths:
    PE3->P1->PE1->CE1->subnet A
    PE3->P1->PE2->CE2->subnet A
    But this time for 2 MP-BGP paths 4 IGP paths are available:
    PE3->P1->PE1->CE1->subnet A
    PE3->P1->PE2->CE2->subnet A
    PE3->P2->PE1->CE1->subnet A
    PE3->P2->PE2->CE2->subnet A
    For load-balancing to be active between those 4 paths, they must exist in the routing table thanks to the "maximum-paths 4" command in the IGP (e.g. OSPF) process.
    Therefore if those 4 paths are equal-cost IGP paths then a 2nd level load-balancing is achieved. The default behavior is the same source-destination mechanism to select the "per-session" path as mentioned before.
    On an LSP each LSR could use this feature.
    BR

  • Load balancing on CPU cores

    Hi,
    We have a supermicro server with 2 x E5-2660 processors and 160GB of memory.
    The only role assigned to this server is Hyper-V and we have about 100 VMs each with two vCores provisioned on this server.
    I checked the CPU load by monitoring the %Processor Time counter and noticed that while 10 out of 32 cores are at 100%, 15 of them are below 10%.
    I am wondering if it is possible to balance the load on the CPU cores to improve the performance and utilize the full processing power of each CPU.

    Hyper-V will schedule things appropriately - most likely better than any manual intervention could provide.  It could be the nature of your applications.
    Hyper-V does provide the ability to assign memory weightings to different VMs if you really want to get into that.
    .:|:.:|:. tim

  • Load Balance with MPLS on a network with several links paralels

    I have a question,...
    Can you load balance on a network with MPLS through several links with the same cost/metric?
    Thanks!
    Saul Barragan

    O.k.
    I don't know MPLS very well, nor VPN, but I know very well other types of IGP protocols (like RIP, IGRP, EIGRP, OSPF) or EGP (like BGP), and I know how to balance the load by packets or by session, but I have this doubt and I want to know if it's difficult or if it is the same but with something that looks close to it.
    Can you tell me what CE/TE means, please?
    Note: I know, I have to read a good book on MPLS.
    Thanks a lot for your answer.
    Saul Barragan

  • Load balance between MPLS and VPN

    Dear All
    There are two locations, site A and site B. I am confused with it. Any one can help to understand it? The site A and B are connected with two paths. One is MPLS and another is VPN over internet. we want MPLS as primary path and L2L VPN as backup. Only when primary path is down, VPN can be used. How can we configure it ? Can you give me suggestion ? or a link. Thank you.

    Hello yangfrank,
    You can set this with a floating static using tracking with ip sla.
    Your primary route will be via MPLS
    ip route 0.0.0.0 0.0.0.0 x.x.x.x track 1 (via MPLS)
    ip route 0.0.0.0 0.0.0.0 y.y.y.y 10 (via VPN)
    ip sla 1
    icmp-echo z.z.z.z source-interface gix/x (MPLS interface)
    ip sla schedule 1 life forever start-time now
    track 1 ip sla 1 reachability
    here are examples:
    http://networklessons.com/ip-routing/reliable-static-routing-with-ip-sla/
    http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html
    hope this helps

  • MPLS Load Balancing/Sharing with TE or CEF or Both?

    So I am just playing around in GNS3 trying to set up multiple ECMP links between two P routers like this:
    CE1 -- PE1 -- P1 == P2 -- PE2 -- CE2
    (There are actually four links between P1 & P2!)
    I have set up a pseudowire xconnect from PE1 to PE2 so CE1 & 2 can ping each other on the same local subnet range. That works just fine.
    My question is this:
    I have configured "ip load-sharing per-packet" on each of the four interfaces on P1 and P2 that are facing each other (I know per-packet balancing is frowned upon but let's not talk about that right now!) and this works, traffic is distributed across all links (I can see with packet captures in GNS3).
    Where does "ip load-sharing per-packet" fit in to the chain of events with regards to MPLS and CEF etc? So, with MPLS enabled everywhere the two P routers are forwarding based on labels and not IP address. With MPLS enabled, does this command force the P routers to load-balance each MPLS frame as it comes in, round-robining the ingress frames across all links, the same as it would if it were a plain IP packet? So the command is ignorant of the kind of traffic being used? Or is the P router looking down into the MPLS frame for the IP in the IP packet?
    Also, in order to get the same sort of performance boost you get from per-packet load balancing, seeing as I am using MPLS here, should I be using some fancy MPLS TE to do this instead of that interface sub-command?
    If I remove that command, I seem to always use link 2 for sending traffic towards P2 from P1, and link 3 for receiving the return traffic from P2 to P1. This is presumably because the ICMP packets have nothing to hash on except the source and destination IP addresses, so they always hash to the same physical links. Without using that command how else can I make use of the four links?

    Hello Jwbensley,
    first of all,
    "ip load-sharing per-packet" is not a viable option as it causes out-of-order issues.
    Real world devices perform load balancing based on the second (more internal) label value, so to achieve some load balancing, for example, multiple pseudowires must be defined between the same pair of PE nodes.
    L3 VPNs use different internal labels for different customer prefixes of the same VRF site (unless some special command is used to say use one label per VRF site).
    >> If I remove that command, I seem to always use link 2 for sending traffic towards P2 from P1, and link 3 for receiving the return traffic from P2 to P1
    This is the expected behaviour in this scenario.
    With MPLS TE you can achieve results similar to the use of multiple pseudowires/LSPs: forms of load sharing, not true load balancing. In all cases in the MPLS world it is flow based and not per packet.
    Hope to help
    Giuseppe

  • Load-balancing in eompls

    Hi guys,
    I read a previous post regarding how the load-balancing is done for EoMPLS.
    Someone says that the inner label (VC label) is responsible for this.
    Sincerely, if someone wants to explain to me in more depth how this works, it will be very appreciated.
    Also, what is the meaning of the control word in the VC setup procedure?

    Load-balancing in the core is indeed based on the inner label (vc label) for EoMPLS.
    So if the P router has many outbound interfaces for a given LSP, it will use that inner label to compute the hash value to select the outbound interface for that specific packet.
    For an explanation on the control word please refer to the Martini encapsulation draft:
    http://www.ietf.org/internet-drafts/draft-martini-l2circuit-encap-mpls-10.txt
    Hope this helps,

  • CEF and per-packet load balancing

    We have four OC3 links across the Atlantic and I was looking for a solution which would allow load balancing across the four links on a per-packet basis (not session). The objective is both resiliency, i.e. being able to handle link failures transparently, and balancing the load across all the links. BGP multipath looked like the ideal solution. However, I was told that the CEF packet based load balancing is no longer supported by Cisco. Is this correct? Is it applicable for all models? Are there any other potential solutions?
    Appreciate a response from the experts.

    Hello Rittick,
    an MPLS pseudowire will use only one link of the 4 links based on inner MPLS label, it cannot be spread over multiple parallel links.
    The MPLS pseudowire can travel within an MPLS TE LSP that can be protected by FRR.
    Per packet load balancing does not apply to your scenario.
    You need to mark traffic of the critical application with an appropriate EXP setting. The EXP bits are copied to the outer (external) label.
    On the OC-3 physical interfaces you will configure a CBWFQ scheduler providing 100 Mbps of bandwidth to traffic with specific EXP marking. This is elastic and over unused links bandwidth will be left available to other traffic.
    On the LAN interface you need to mark the EXP bits in received packets using a policy-map:
    access-list 101 permit tcp host x.x.x.x host y.y.y.y
    class-map CLASSIFY-BACKUP
    match access-group 101
    policy-map MARKER
    class CLASSIFY-BACKUP
    set mpls exp 3
    class class-default
    set mpls exp 0
    int gex/y/z
    service-policy in MARKER
    class-map BACKUP
    match mpls exp 3
    policy-map SCHED-OC3
    class BACKUP
    bandwidth 100000
    class class-default
    fair-queue
    int posx/y/z
    service-policy out SCHED-OC3
    applied on all pos interfaces. The MPLS pseudowire will use one link only. Different pseudowires can use different OC-3 links. Load balancing of MPLS traffic is based on the internal label (the VC label of the pseudowire).
    Note:
    you should check if it is possible to mark traffic received on the incoming interface of the pseudowire otherwise you need to mark IP precedence nearer to the host.
    Hope to help
    Giuseppe

  • FAT A-VPLS core load-balance

    Dears
    I need your assistance please regarding A-VPLS core load-balance
    As I understood, A-VPLS inserts a new label "Flow Label" so that this label can be used in core routers to achieve load-balancing as shown in figure 2
    Now my questions
    1- P router has to use port-channel so it can calculate a hash based on the flow label, correct ?
    2- Also I should configure "port-channel load-balance mpls" at P router, correct ?
    3- If I am correct, flow label is the 3rd label according to figure 1 and according to command reference for "port-channel load-balance label" only last 2 labels are taken into consideration !?
    ------------Quote----------
    If you select label, these guidelines apply:
    • With only one MPLS label, the last MPLS label is used.
    • With two or more MPLS labels, the last two labels (up to the fifth label) are used.
    ---------Unquote------------
    Regards,
    Sherif Ismail      

    Hello Sherif,
    I am not completely sure of the guidelines that Cisco have quoted, but the document which you are referring to doesn't seem to be updated to the RFC recommendations. According to RFC 6790, the Flow label (or the entropy label) is no longer placed after the application label (which is the pseudowire label in your diagram). This is now placed after the tunnel label (which is the LDP label or RSVP label). There should also be an Entropy label indicator (reserved label value of 7) after the tunnel label (and before the entropy label) to indicate that the following label is the one that will be used for load balancing.
    In the initial drafts of this RFC, the egress had to infer from the BOS bit on the application label whether or not there was an entropy label.
    All the hashing is calculated at the ingress. The output of the hash is the entropy label. The core routers would just use the label to loadbalance the traffic.
    Regards,
    Shreeram

  • MPLS TE equal or unequal load balancing doesn't work? - step2

    Previous question in thread:
    Dear Sir!
    I've two MPLS TE tunnels from one PE to another PE.
    And there is a traffic share count between them
    (as the tunnel mpls traffic-eng load-share command defines).
    But in real life all traffic from the same source to the same destination goes through only one tunnel
    (as CEF defines - i.e. how sh ip cef exact-route says).
    PEs are 3660 platforms with c3660-jk9o3s-mz.123-8.T
    installed.
    How can I correct this problem?
    But this answer did not solve my issue:
    hritter - Network Consulting Engineer, CISCO SYSTEMS, CCIE
    Aug 4, 2004, 7:20am PST
    This is expected behavior since CEF is used at the head end to perform label imposition. I wouldn't recommend changing the default behavior to per-packet loadsharing since this could lead to out of sequence packets, which could lower the overall performance.
    Hope this helps,
    So my second question:
    Dear Sir!
    I agree with you, as the MPLS TE tunnels are opened from PE to PE, so CEF does its work.
    But if I open these tunnels from P to PE, ONLY ONE of these tunnels is used instead of load-sharing, if traffic goes from one source (of site1 of VPN1) to the same destination (located at site2 of VPN1).
    Why? Packets through P-devices are switched by labels, so I mean that CEF cannot do src-dst load sharing?
    My problem is that I must do load sharing between these two tunnels in the case above.
    Q: How can I solve this problem?
    Best regards,
    Maxim Denisov

    The per session load-balancing is also used by MPLS when multiple paths are available. Changing this behavior to per-packet is still not recommended.
    Hope this helps,

  • MPLS TE load-balancing --- CEF Problem

    Dears
    Would like your assistance please regarding below issue
    We are having 5 TE tunnels going to same destination and we are doing load-balancing between these 5 LSPs TE tunnels.
    Command "mls ip cef load-sharing full simple" is configured so that CEF will use L4 ports in its algorithm
    The problem is that, due to CEF behavior, 2 links are v. highly utilized and the other 3 utilizations are below average
    What I am thinking of, but am not sure if this will help or not, is to have 2 TE tunnels instead of 5
    1 TE tunnel load balancing on 3 links (this can be done by using a static route to the tail loopback pointing to the 3 links) and another TE tunnel load balancing on the other 2 links
    By doing this, I think CEF would be used 2 times; first to determine which TE tunnel to use then to determine which link within the tunnel
    Will this help ?
    For example
    interface Tunnel1
    ip unnumbered Loopback0
    mpls ip
    tunnel destination 10.0.0.1
    tunnel mode mpls traffic-eng
    tunnel mpls traffic-eng autoroute announce
    tunnel mpls traffic-eng path-option 1 dynamic
    tunnel mpls traffic-eng fast-reroute
    ip route 10.0.0.1 255.255.255.255 link-1
    ip route 10.0.0.1 255.255.255.255 link-2
    ip route 10.0.0.1 255.255.255.255 link-3

    Hello Sherif,
    Traffic of a single TE tunnel will not be load balanced over multiple physical links as the TE tunnel is set up using a reservation and the path will use only one link for each router hop.
    So moving to two TE tunnels is not an option for you.
    Hope to help
    Giuseppe

  • FR-MPLS load balancing

    Hi All,
    I have 3 FR circuits and 1 MPLS circuit from India to USA. Is it possible for me to go for load balancing? Please give me the solution.
    Thanks

    Yes, it is possible depending on the routing protocol being used:
    1) With BGP or static being used on your PE-CE as well as the other FR links you can control the routing, and install four paths towards your other end destinations.
    2) If you have OSPF then you will need help from your MPLS service provider to give you intra-area routes of the other side, as over MPLS VPN you will see the other side routes as Inter-Area routes and hence only your FR links would be preferred for load balancing, excluding the MPLS VPN circuit.
    HTH-Cheers,
    Swaroop

  • 2 locations, 2 core switch stacks, fibre in between, equal cost load balancing between?

    Hi,
    We've recently inherited a job that another company was doing, so we've had our hand slightly forced on the kit and overall topology involved, however that's all fine and we can make it work.
    This is a collapsed core topology with core and access switches, split over 3 blocks (fibre connections between), one core switch/stack is in block B and the other in block C, with access switches throughout.
    They require all access switches to be connected to the Core in B and the Core in C, and then obviously cross connects between the two cores.
    They state:
    "Core switches shall be linked with 2x 1Gbps links bonded into a standard compliant Etherchannel"
    "Uplinks between access and core switches shall be non-blocking - for example equal cost load balancing at layer 3, or layer 2 bonded multi-chassis Etherchannel"
    The specced kit for the core are 3850's, in an ideal world I'd use VSS (Virtual Switch System) to achieve the above statements beyond repute; but this is only supported on 4500/6500 and Nexus platforms.
    Do we think a cross stack etherchannel (LACP between both core switch stacks) would satisfy the above statements? Or the statements may just be badly worded...
    I look forward to your thoughts and views on this! Thanks!

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    As the others have noted, the 3850s, to stack, are restricted to the length of the longest stack cables.
    As you have noted, VSS physical units would allow the "logical" unit to be far apart.
    For a "small" VSS core, the 4500-X might be an ideal unit.  (Other than cost, the 4500 would be a better choice for a core device.)
    Something to watch for, or understand, when running VSS, Etherchannel doesn't load balance as it does on a single chassis or stack.  VSS will avoid using the VSL cross link unless it must.
    As many access switches, today, support basic L3 routing, you might also determine whether a L3 edge would be a suitable alternative choice.  It would allow retention of the 3850s and can offer some advantages even over VSS.  (Where VSS is very nice [as too the Nexus] supporting servers with Etherchannels.)

  • Load Balance & redundancy for internet from 2 different sites?

    Hi,
    we have 2 core sites where our servers are situated. Both sites are connected via a ptp link.
    All of our clients/sites reach these two sites via our MPLS network and they never route via the ptp link which is solely used between the two core sites.
    One of the sites has an ASA which goes out to our internet. We are thinking of replicating this on our other site.
    How would we go about load balancing the internet connection ie 50% go out on site A & 50% go out on site B?
    And if site A goes down, everything goes out via site B and vice versa?
    Diagram attached....
    Thank you,
    Louis

    Hi Louis, you could set default routes on the ASA's with tracking, and use ospf downstream to inject the default route in to the network with default information originate - this will only advertise out a default route if it has it in the routing table. With SLA you can track internet reachability by IP SLA echo to something like 8.8.8.8. Both sides can advertise this in to the network, if one goes then there is one left. Just be mindful of the policies and NAT required, you will have to duplicate the rules on the ASA's. With the NAT you have to ensure, that outgoing traffic comes back in the same path it left so it doesn't break connections.

  • Load Balancing Directory Servers with Access Manager - Simple questions

    Hi.
    We are in the process of configuring 2 Access Manager instances (servers) accessing the same logical LDAP repository (comprising physically of two Directory Servers working together with Multi-Master Replication configured and tested) For doing this, we are following guide number 819-6258.
    The guide uses BigIP load balancer for load balancing the directory servers. However, we intend to use Directory Proxy Server. Since we faced some (unresolved) issues last time that we used DPS, there are some simple questions that I would be very grateful to have answers to:
    1. The guide, in section 3.2.10 (To configure Access Manager 1 with the Directory Server load balancer), talks about making changes at 4 places, and replacing the existing entry (hostname and port) with the load balancer's hostname and port (assuming that the load balancer has already been configured). It says that changes need not be made on Access Manager 2 since the LDAPs are in replication, and hence changes will be replicated at all places. However, the guide also states that changes have to be made in two files, namely AMConfig.properties, and the serverconfig.xml file. But these changes will not be reflected on Access Manager 2, since these files are local on each machine.
    Question 1. Do changes have to be made in AMConfig.properties and serverconfig.xml files on the other machine hosting Access Manager 2?
    Question 2: What is the purpose of putting these values here? Specifically, what is achieved by specifying the Directory server host and port in AMConfig.properties, as well as in serverconfig.xml?
    Question 3. In the HTTP console, there is the option of specifying multiple primary LDAP servers, as well as multiple secondary LDAP servers. What is the purpose of these? Are secondary servers attempted when none of the list in the primary list are accessible? Also, if there are multiple entries in the primary server list, are they accessed in a round robin fashion (hereby providing rudimentary load balancing), or are other servers accessed only when the one mentioned first is not reachable etc.?
    2. Since I do not have a load balancer setup yet, I tried the following deviation to the above, which, according to me, should have worked. If viewed in the HTTP console, LDAP / Membership / MSISDN and Policy configuration all pointed to the DS on host 1. When I changed all these to point to the directory server on host 2 (and made AMConfig.properties and serverconfig.xml on host 1 point to DS of host 2 as well), things should have worked fine, but apparently Access manager 1 could not be started. Error from Webserver:
    [14/Aug/2006:04:30:36] info (13937): WEB0100: Loading web module in virtual server [https-machine_1_FQDN] at [search]
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Exception in thread "EventService" java.lang.ExceptionInInitializerError
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.iplanet.services.ldap.event.EventServicePolling.run(EventServicePolling.java:132)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at java.lang.Thread.run(Thread.java:595)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Caused by: java.lang.InterruptedException
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.sun.identity.sm.ServiceManager.<clinit>(ServiceManager.java:74)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: ... 2 more
    In effect, AM on 1 did not start. On rolling back the changes, things again worked like previously.
    Will be really grateful for any help / insight / experience on dealing with the above.
    Thanks!

    Update to the above, in case anyone is reading:
    We setup a similar setup in Windows, and it worked. Here is a detailed account of what was done:
    1. Host 1: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
    All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST1:389)
    2. Host 2: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
    All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST2:389)
    3. Host 1: Started replication. Set to Master
    4. Host 2: Started replication. Set to Master
    5. Host 1: Setup replication agreement to Host 2
    6. Host 2: Setup replication agreement to Host 1
    7. Initiated the remote replica from Host 1 ----> Host 2
    Note that since default installation uses abc.....xyz as the encryption key, setting this to same was not an issue.
    9. Started webserver for Host 1 and logged into AM as amadmin.
    10. Added Host 2 FQDN in DNS Aliases / Realms
    11. Added http://HOST2_FQDN:80 in the Platform server (instance) list.
    12. Started Host 2 webserver. Logged in AM on Host 2, things worked fine.
    At this stage, note the following:
    a) Host 1:
    AMConfig.properties file has
    com.iplanet.am.directory.host=host1_FQDN
    and
    com.iplanet.am.directory.port=389
    serverconfig.xml has:
    <Server name="Server1" host="host1_FQDN" port="389" type="SIMPLE" />
    b) Host 2:
    AMConfig.properties file has
    com.iplanet.am.directory.host=host2_FQDN
    and
    com.iplanet.am.directory.port=389
    serverconfig.xml has:
    <Server name="Server1" host="host2_FQDN" port="389" type="SIMPLE" />
    c) If one logs into AM, and checks LDAP servers for LDAP / Policy Configuration / Membership etc services, they all contain Host2_FQDN:389 (which makes sense, since replica 2 was initialized from 1)
    Returning back to the configurations:
    13. On Host 1, log in to the Admin server console of the Directory server. Navigate to the DPS, and configure the following:
    a) Network Group
    b) LDAP servers
    c) Load Balancing
    d) Change Group
    e) Action on-bind
    f) Allow all actions (permit modification / deletion etc.).
    g) any other configurations required - I am willing to give detailed steps if someone needs them to help me / themselves! :)
    So now, we have DPS configured and running on Host1:489, and distributing load to DS1 and DS2 on a 50:50 basis.
    14. Now, log into AM on Host 1, and instead of Host1_fqdn:389 (for DS) in the following places, specify Host1_fqdn:489 (for the DPS)--
    LDAP Authentication
    MSISDN server
    Membership Service
    Policy configuration.
    Verified that this propagated to the Policy Configuration service and the LDAP authentication service that are already registered with the default organization.
    15. Log out of AM. Following the documentation, modify directory.host and directory.port in AMConfig.properties to point to Host 1_FQDN and 489 respectively. Make this change in AMConfig.properties of both Host 1 as well as 2.
    16. Edit serverconfig.xml on both hosts, and instead of them pointing to their local directory servers, point both to host1_FQDN:489
    17. When you start the webserver, it will refuse to start. Will spew errors such as:
    [https-host1_FQDN]: Sun ONE Web Server 6.1SP5 B06/23/2005 17:36
    [https-host1_FQDN]: info: CORE3016: daemon is running as super-user
    [https-host1_FQDN]: info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_04] from [Sun Microsystems Inc.]
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amserver]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [ampassword]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amcommon]
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amconsole]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [search]
    [https-host1_FQDN]: warning: CORE3283: stderr: netscape.ldap.LDAPException: error result (32); matchedDN = dc=sun,dc=com; No such object (DN changed)
    [https-host1_FQDN]: warning: CORE3283: stderr: Got LDAPServiceException code=-1
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getConnection(DSConfigMgr.java:357)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewFailoverConnection(DSConfigMgr.java:314)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewConnection(DSConfigMgr.java:253)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:184)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:194)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.initLdapPool(DataLayer.java:1248)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.(DataLayer.java:190)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:215)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:246)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.initialize(SMSLdapObject.java:156)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.(SMSLdapObject.java:124)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance0(Class.java:350)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance(Class.java:303)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.SMSEntry.(SMSEntry.java:216)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ServiceSchemaManager.(ServiceSchemaManager.java:67)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.getServiceSchemaManager(AMClientDetector.java:219)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.(AMClientDetector.java:94)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.mobile.filter.AMLController.init(AMLController.java:85)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:322)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:120)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3271)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3747)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]: failure: WebModule[amserver]: WEB2783: Servlet /amserver threw load() exception
    [https-host1_FQDN]: javax.servlet.ServletException: WEB2778: Servlet.init() for servlet LoginLogoutMapping threw exception
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:949)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]: ----- Root Cause -----
    [https-host1_FQDN]: java.lang.NullPointerException
    [https-host1_FQDN]: at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]:
    [https-host1_FQDN]: info: HTTP3072: [LS ls1] http://host1_FQDN:58080 ready to accept requests
    [https-host1_FQDN]: startup: server started successfully
    Success!
    The server https-host1_FQDN has started up.
    The server, in fact, didn't start up (nothing even listening on 58080).
    However, if AMConfig.properties is left as it originally was, and only serverconfig.xml files were changed as mentioned above, web servers started fine, and things worked all okay. (Alright, except for some glitches when viewed in /amconsole. If /amserver/console is accessed, all is good. Can this mean that all is still not well? I am not sure).
    So far so good. Now comes the sad part. When the same is done on Solaris 9, things don't work. You continue to get the above error, OR the following error, and the web server will refuse to start:
    Differences in Solaris and Windows are as follows:
    1. Windows hosts have 1 IP and hostname. Solaris hosts have 3 IPs and hostnames (for DS, DPS, and webserver).
    No other difference from an architectural perspective.
    Any help / insight on why the above is not working (and why the hell does the documentation seem so sketchy / insecure / incorrect).
    Thanks a bunch!
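
A triage of the startup output quoted above, as an added example that is not part of the original post: it extracts the LDAP result code and matchedDN from the CORE3283 stderr lines, lists the web modules that failed to load, and flags the case the poster observed, where the log ends with "server started successfully" although a module failed. The function name, the report keys and the shortened sample log are assumptions made for this example.

```python
import re

# Constructed sample: lines shortened from the startup output quoted in the post.
SAMPLE_LOG = """\
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amserver]
[https-host1_FQDN]: warning: CORE3283: stderr: netscape.ldap.LDAPException: error result (32); matchedDN = dc=sun,dc=com; No such object (DN changed)
[https-host1_FQDN]: warning: CORE3283: stderr: Got LDAPServiceException code=-1
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getConnection(DSConfigMgr.java:357)
[https-host1_FQDN]: failure: WebModule[amserver]: WEB2783: Servlet /amserver threw load() exception
[https-host1_FQDN]: java.lang.NullPointerException
[https-host1_FQDN]: startup: server started successfully
"""

LINE = re.compile(r"^\[(?P<inst>[^\]]+)\]:\s*(?P<rest>.*)$")
LDAP_ERR = re.compile(
    r"LDAPException: error result \((?P<code>\d+)\); matchedDN = (?P<dn>[^;]*);")
FAILURE = re.compile(r"^failure: WebModule\[(?P<module>[^\]]+)\]")
FRAME = re.compile(r"\bat (?P<frame>[\w.$<>]+)\(")

# A few LDAP result codes and their names from RFC 4511.
LDAP_CODES = {32: "noSuchObject", 49: "invalidCredentials", 52: "unavailable"}


def triage(log_text):
    """Summarise LDAP errors and failed web modules in a web server startup log."""
    report = {"ldap_errors": [], "failed_modules": [], "claims_started": False}
    pending = None  # most recent LDAP error still waiting for its first stack frame
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        err, fail = LDAP_ERR.search(rest), FAILURE.match(rest)
        if err:
            code = int(err.group("code"))
            pending = {"code": code, "name": LDAP_CODES.get(code, "unknown"),
                       "matched_dn": err.group("dn").strip(), "first_frame": None}
            report["ldap_errors"].append(pending)
        elif fail:
            report["failed_modules"].append(fail.group("module"))
        elif rest.startswith("startup: server started successfully"):
            report["claims_started"] = True
        elif pending and pending["first_frame"] is None and FRAME.search(rest):
            pending["first_frame"] = FRAME.search(rest).group("frame")
    # The log can report success even though a web module failed to load.
    report["misleading_success"] = report["claims_started"] and bool(report["failed_modules"])
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
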
