Load-balancing NAT-T connections to VPN concentrators

I'm currently using a CSS to provide redundancy across some NAT-T VPN RAS sessions to some VPN concentrators (in different geographical areas). This works fine, but because I have to create content rules for both UDP 500 and UDP 4500 traffic, I'm concerned that if I move to a genuine load-balanced arrangement instead of merely redundancy, the CSS units might decide to direct UDP 500 traffic from a remote user to one concentrator, and the subsequent UDP 4500 traffic to another. I tried port ranges and a single content rule, with no success. Does anyone know how to associate two UDP content rules to enforce traffic symmetry, or will a default srcip balancing rule see the concentrator balance traffic based on srcip globally across all content rules?

If you balance on srcip, the CSS will use a hash, and this hash function should be the same for all the content rules, giving you the same result.
A single layer 3 content rule with advanced-balance sticky-srcip should work as well.
Regards,
Gilles.
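As an added example that is not part of the original thread, the following Python models Gilles' point: with srcip balancing the server choice is a function of the client address only, so two separate content rules (UDP 500 and UDP 4500) that share one hash function send a remote user's IKE and NAT-T traffic to the same concentrator, while a per-flow hash that includes ports can split them. The hash function, concentrator names, VIP and client addresses are assumptions made for the model; the CSS's actual hash is not shown on this page, only the property that it is the same across rules.

```python
"""Added example, not from the original thread: a model of how a load balancer
that hashes on source IP keeps one remote user's IKE (UDP 500) and NAT-T
(UDP 4500) traffic on the same concentrator even when the two ports are
matched by separate content rules, and how a per-flow hash that includes
ports does not. The hash, backend names, VIP and client addresses are
assumptions made for the model; they are not the CSS's real internals."""
import hashlib
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")

# Assumed concentrator names (the "services" a content rule would list).
CONCENTRATORS = ["concA", "concB", "concC"]


def _bucket(key, n):
    """Deterministic hash of key into [0, n). SHA-256 stands in for whatever
    hash the balancer uses; only its stability across rules matters here."""
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n


def select_srcip(flow, pool):
    """Source-IP balancing: the choice depends on the client address alone."""
    return pool[_bucket(flow.src_ip.encode(), len(pool))]


def select_5tuple(flow, pool):
    """Per-flow balancing: ports are part of the key, so the UDP 500 and
    UDP 4500 flows of one client are independent decisions."""
    key = "{}:{}>{}:{}/{}".format(flow.src_ip, flow.src_port,
                                  flow.dst_ip, flow.dst_port, flow.proto)
    return pool[_bucket(key.encode(), len(pool))]


def nat_t_flows(client_ip, vip="192.0.2.10"):
    """The two UDP flows a NAT-T peer produces towards the VIP: IKE on 500,
    then IKE plus ESP-in-UDP on 4500 once NAT is detected. A NAT in the path
    may rewrite the source ports; that only widens the gap for a 5-tuple hash."""
    return (Flow(client_ip, 500, vip, 500, "udp"),
            Flow(client_ip, 4500, vip, 4500, "udp"))


def symmetric_across_rules(selector, client_ip, pool_500, pool_4500):
    """True when the 500 rule and the 4500 rule pick the same concentrator.
    Each rule has its own service list; the hash yields an index into it."""
    ike, natt = nat_t_flows(client_ip)
    return selector(ike, pool_500) == selector(natt, pool_4500)


def split_clients(selector, clients, pool_500=CONCENTRATORS, pool_4500=CONCENTRATORS):
    """Clients whose IKE and NAT-T flows would land on different concentrators."""
    return [c for c in clients
            if not symmetric_across_rules(selector, c, pool_500, pool_4500)]


# Constructed sample of remote-user addresses (documentation range).
SAMPLE_CLIENTS = ["198.51.100.{}".format(i) for i in range(1, 201)]

if __name__ == "__main__":
    print("srcip, same service list:  ",
          len(split_clients(select_srcip, SAMPLE_CLIENTS)), "clients split")
    print("5-tuple, same service list:",
          len(split_clients(select_5tuple, SAMPLE_CLIENTS)), "clients split")
    # Same hash, but the 4500 rule lists the services in a different order:
    print("srcip, reordered services: ",
          len(split_clients(select_srcip, SAMPLE_CLIENTS,
                            CONCENTRATORS, list(reversed(CONCENTRATORS)))),
          "clients split")
```

The first count is zero by construction and the second is not. The third count is the caveat the model makes visible: a shared hash function gives the same index for both rules, so in the model both rules must also list the same services in the same order (or a single layer 3 rule must be used, as Gilles suggests) for that index to mean the same concentrator.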

Similar Messages

  • Load balancing 10g forms - Connection from new browser window not supported

    Load balancing 10g forms - Connection from new browser window not supported
    We're experimenting with using webcache to load balance between multiple application servers running OC4J forms processes.
    We currently have one machine with infrastructure and mid-tier (BI & Forms) installed, which is being used for the webcache functionality; this is load balancing between 2 other servers, each of which just has the mid-tier (BI & Forms) installation.
    In order to get this to work, I had to follow the instructions in the Forms deployment guide : http://download-uk.oracle.com/docs/cd/B14099_11/web.1012/b14032/tuning.htm#sthref707
    The main gist of this is that you need to set the following in the orion-web.xml file in order that the sessions are maintained:
    <session-tracking
    cookies="enabled">
    </session-tracking>
    This all works fine in most cases.
    The problem I am having is if I do one of the following on the client machine:
    1) From IE6 / IE7 run a copy of a forms application. Then open a new window using the "New Window" menu option, and attempt to run another forms application.
    2) In IE7 or Firefox 2.0 open a copy of the forms application, and then open a new tab and try and open another forms application.
    If I try either of these I get a FRM-92101 error, and the following is displayed in the java console:
    oracle.forms.net.ConnectionException: Connection from new browser window not supported
    From trawling various forums (including Metalink and OTN) it looks like a problem with the way cookies are handled.
    Unfortunately the usual workaround is to ensure that the session tracking option in the orion-web.xml file is disabled.
    The problem is that I need this enabled in order for the load balancing to work.
    Does anyone know of any other workarounds or patches that might help resolve this?
    We're using Application server 10.1.2.0.2 running on windows 2003 servers.

    You were right. Carriage returns were stopping it from working (the document is laid out over separate lines, so I assumed it would make no difference...).
    I've now managed to get it so the forms at least run, but they are all being run in the forms OC4J instance on the same machine as the OHS.
    Has anyone actually managed to get this to work, or am I doing something wrong?
    I did wonder if using an OHS instance on a machine with no forms installation would make any difference?
    I had raised a support call via Metalink on this subject, but they eventually came to the conclusion that the only way to do this is with a hardware load balancer (despite several documents, including the forms deployment manual, suggesting that webcache is the way to go).
    I'm at the point now of giving up and writing some custom scripts to do the job instead...

  • Failover and Load Balancing with JNDI Connection Pools

    Hi,
    I am trying to figure out how JNDI Connection Pooling would work along with failover or DNS Load Balancing.
    Would connections be distributed equally among the list?
    Would the pool work with multiple heterogeneous connections (i.e. connections to different but equivalent servers ), or do all the connections in the pool have to be homogeneous (i.e. to the same server)?
    Thanks,
    Sergio


  • Load balancing to JDBC connection pool

    from http://e-docs.bea.com/wls/docs61///////cluster/overview.html
    "WebLogic Server provides limited load balancing support for managing JDBC
    connections in a cluster. If you create an identical JDBC DataSource in each
    clustered WebLogic Server instance and configure those DataSources to use
    different connection pools, the cluster can support load balancing for JDBC
    connections. Note, however, that WebLogic Server provides no special load
    balancing policies for accessing connection pools. If one of your connection
    pools runs out of JDBC connections, the load balancing algorithm may still
    direct connection requests to the empty pool."
    How is this different from creating one connection pool with one datasource and targeting the cluster? Are they talking about load-balancing to different databases, or to different servers in WLS, from a servlet or from a client-side app?
    Can anyone elaborate?
    Thanks in advance.

    hi,
    Without knowing the entire set of requirements or the motivation behind doing this, a few words from me.
    This is usually done transparently to the application server, that is, having e.g. Oracle instances mirroring each other for extreme high-availability requirements.
    1. I would have taken the liberty of calling this business functionality and let my middleware do the implementation of this. The most elegant solution would probably be to call the master DB for the CUD operation, then post a message to a queue letting the slave DB be updated asynchronously. If the message could not be sent, throw an exception and have the entire operation rolled back.
    If however this must happen in real time and transactions must be consistent, there are a few points to consider, and the queuing bit would not work.
    If this is something that should be done for all Create, Update and Delete operations, an intercepting JDBC driver could do the trick, although there are all sorts of different problems that could arise from this; for starters, at least one of the DBMS involved here should be XA compliant. If the entire transaction should be XA compliant, both DBMS must be XA compliant. Next, as for the transaction towards the "mirroring" DBMS, you would have to do all the transaction stuff yourself.
    For an example of an intercepting JDBC driver, I found this one:
    http://media.datadirect.com/download/docs/jdbc/jdbcref/spy.html
    I would guess that there are quite a few more.
    - [url http://blog.thej2eestruggle.com]Anders Mathisen
    Edited by anders.mathisen at 01/21/2007 2:53 PM

  • Load balancing across database connection

    Do you provide load balancing across database connections and allow RDBMS load
    balancing for read only access?
    Thanks in advance.

    Hello, Christina.
    Load balancing with multiple machines is a little bit different than on the same machine. One of the important resources in this kind of application is network bandwidth, so Tuxedo tries to keep the traffic among the machines as low as possible. So, it only balances the load (calls services on another machine) in case all the services are busy on the machine where they are called.
    I mean, if you have workstation clients attached only to one machine, then Tuxedo will call services on this machine until all servers are busy.
    If you want load balancing, try to put one WSL on each machine, and the corresponding configuration in your WSC (with the | to make Tuxedo randomly choose one or the other), or spread your native clients among all the machines.
    And so, be careful with the routing!
    Ramón Gordillo
    "Christina" <[email protected]> wrote:
    > I am looking for assistance in configuring Tuxedo to perform load balancing across multiple machines. I have successfully performed load balancing for a service across different servers hosted on one machine but not to another server that's hosted on a different machine.
    > Any assistance in this matter is greatly appreciated.

  • Load Balance unequal internet connections

    We have a single site customer with a 2821 router with a T1 internet connection. They recently added another internet connection, which is a wireless broadband connection with 2Mbps/1Mbps rates. My goal is to be able to utilize both internet connections to load balance the traffic, as well as using the T1 as the primary and the wireless as secondary if the T1 goes down. We have a NAT pool set up and some static translations on the T1 addresses for things like the internal mail server, VPN, etc. What are some of the things to be cautious about when trying to set this up?
    Thanks,
    Kevin

    Kevin
    There are several things to be cautious about in the situation that you describe. One is the possible impact of asymmetric paths. This occurs when data goes out over one connection and the response comes back over the other connection. Another possible issue is whether the translations that you are doing for traffic out the T1 would also work for the secondary connection or whether different translations are called for.
    HTH
    Rick

  • IPsec on hosts behind load balancing NAT

    Hi,
    I have a problem configuring an IPsec tunnel between two sites, where one is using NAT for load balancing of TCP traffic. I've been working on this for hours but I found myself in a dead end.
    I have one router using NAT TCP load balancing of telnet traffic (in the real deployment I need FTP load balancing; I am using telnet for testing purposes). This router is connected to another router, where multiple hosts are connected. I need to protect the traffic from those hosts to the server that is load balanced using NAT.
    So far I was not able to configure IPsec to work properly with this setup. I have a working configuration with IPsec encrypting some traffic not destined behind the NAT, but once I add a line specifying that traffic in the access lists on both sides, IPsec stops working (and it won't work from either side of the connection, from behind the NAT or destined behind the NAT). The access list on the router performing NAT is configured to allow any traffic destined to some specific addresses, and the access list on the router with the connected hosts specifies that any connection destined to the global address, where the servers are reachable, should be encrypted.
    On the side where the traffic comes from I always see debug output like this:
    *Mar  1 05:23:54.294: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 10.0.10.2, remote= 10.0.10.1,
        local_proxy= 10.0.2.1/255.255.255.255/6/0 (type=1),
        remote_proxy= 195.10.0.1/255.255.255.255/6/23 (type=1),
        protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0xA42ED8F1(2754533617), conn_id= 0, keysize= 0, flags= 0x400A
    195.10.0.1 is my global address for the FTP server.
    On the side where the encryption should be terminated I always see output like this:
    *Mar  1 05:23:54.130: map_db_find_best did not find matching map
    *Mar  1 05:23:54.130: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.10.1
    But I can see that there is a crypto map for address 10.0.10.1:
    RA#sh cryp map
    Crypto Map: "TCP_ENCRYPTION" idb: Serial0/0 local address: 10.0.10.1
    I tried to use some of the NAT traversal techniques for IPsec but without any success.
    If you have any idea what could be the problem, or if you need any additional information or debugging output, I will be glad for any help.
    Thanks, Adrian

    This is a lab scenario and I want to test, for my learning, how IPsec would work in such a case.
    I have tried it but IPsec doesn't work with the standard configuration. Below is the configuration.
    I have configured 2 loopbacks. On R1: 100.1.1.1
    On R2: 200.1.1.1
    R1:
    crypto isakmp policy 10
     auth pre
     enc des
     hash md5
     group 2
    crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
    crypto ipsec transform-set test esp-des esp-md5-hmac
     mode tunnel
    access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
    crypto map test 10 ipsec-isakmp
     match address 101
     set peer 10.1.1.1
     set transform-set test
    ip route 0.0.0.0 0.0.0.0 10.1.0.2
    R2:
    crypto isakmp policy 10
     auth pre
     enc des
     hash md5
     group 2
    crypto isakmp key 0 cisco address 10.1.3.1 (R1's IP, as seen by R2)
    crypto ipsec transform-set test esp-des esp-md5-hmac
     mode tunnel
    access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
    crypto map test 10 ipsec-isakmp
     match address 101
     set peer 10.1.3.1 (it will be 10.1.3.1, the NATted IP, right?)
     set transform-set test
    ip route 0.0.0.0 0.0.0.0 10.1.1.2
    Now when I ping from R1:
    ping 200.1.1.1 source 100.1.1.1
    it's not successful. Why doesn't it work, any idea?

  • Load-balancing with OCI connections

    Gurus,
    Oracle Identity Federation (OIF) can leverage an Oracle database as its transient data store in which case it uses JDBC-OCI connections to connect. However, there is no provision in OIF of defining multiple databases for load-balancing purposes.
    Is this achievable using some load-balancer in front of multiple database instances and using a virtual hostname/IP in tnsnames.ora which OIF refers to?
    -Vinod

    I would say that using two separate databases (with replication) as the backend would mean that one database, at any time, might be lagging the other, depending on which tables are updated and how replication is implemented.
    Connect Time Failover, rather than Load Balancing, might be an implementation to handle Instance Failure (e.g. node / site has gone down).
    Load Balancing between two separate databases would be usable if you are sure that either
    a. The underlying data doesn't change
    OR
    b. The application and users are aware that they might see different data if there ARE changes to the data not yet synchronised between the two DBs.

  • Load Balancing of Chat connections on CSS11503

    I need to load balance between two servers, namely "A" and "B", on TCP port 8057 for example, with the help of a CSS 11150. Let's assume I have a single user by the name "Z" that wants to access the servers. "Z" hits the VIP of the load balancer to initiate a connection. I want the number of connections to be load balanced equally and at the same time the stickiness of the connection should be maintained. For example, when Z initiates the first connection, assuming his connection goes to server "A", he should be connected to the same server until he disconnects the connection. And the second connection should go to server "B", and the connection should be maintained with the same until he disconnects. Please keep in mind that the user "Z" initiates a connection not via a browser but instead uses a chat application to connect to the servers.
    What algorithm can we use on the CSS for this type of load balancing?
    Can we load balance on the basis of src IP & port on the CSS or ACE appliance?
    Kindly help me out in resolving the above issue.

    Any application that uses standard Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) protocols can also be load-balanced, including firewalls, mail, news, chat, and lightweight directory access protocol (LDAP).
    What port are you using for this? Is it 8057?

  • Load balance for HTTP Connection to ABAP System (Type H) RFC connection

    Experts,
    For proxy we are using an HTTP Connection to ABAP System (Connection type H) RFC connection in PI to get connected to ECC. I only see the option to use Target host in the Target system settings, and no Load balance option. In general an ABAP Connection (Connection type 3) has a Load balancing status option in the Target system settings.
    My requirement is that I should use a logon group with the message server when PI connects to ECC. How can we achieve this? At the moment I can only use the Central Instance or any dialog server (app server) in the RFC, but not a logon group.
    Thanks in advance.
    Mahesh

    Hi Naga
    Could you check the link below?
    http://help.sap.com/saphelp_nwmobile71/helpdata/en/47/c5935087b62d66e10000000a42189c/content.htm
    https://service.sap.com/sap/support/notes/1040325

  • Load-balancing inbound sftp connections with ACE

    Hi,
    Can anyone share experiences or any info relating to issues that might be encountered when load-balancing sftp protocol?
    The goal is to distribute inbound file deposits evenly across SFTP servers.
    High-level Overview
    Clients -> Internet -> Tier-1 Firewall -> ACE Load-balancer -> SFTP Servers
    Many Thanks

    SFTP is nothing but SSH. It uses a single connection. There are no issues load balancing it using traditional Layer 4 load balancing.
    So you are good.
    On the other hand, FTP over SSL (FTPS) can neither be offloaded nor load balanced using ACE.
    FTPS uses multiple channels, and since the control channel is encrypted, ACE is not able to get the port numbers for the data connections.
    HTH
    Syed Iftekhar Ahmed

  • Load Balancing 2 ISP connections on Cisco Router

    Hi all,
    I have a Cisco 3900 series Router with the following characteristics:
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)
    I have two VDSL connections; my ISP can't really offer good speeds, so we have two connections of 3Mb/s each (2x3Mbps).
    Each link has its own modem and we get a /29 on each connection.
    I have set up NAT on the router, but I am trying to use BOTH connections simultaneously. This is causing an issue for me. At the moment I am not able to use one of the connections for some reason.
    I have re-created the very same scenario I have LIVE at the moment in Packet Tracer.
    NOTE: uploading .pkt files is not allowed here, so I have uploaded it to http://192.210.197.186/DUAL_NAT.pkt
    When trying to ping from one of the computers in the LAN (192.168.1.0/24) to a loopback address on Router 4 (31.7.57.1) for example, I have 50% packet loss. I assume this is because 50% of the packets are being routed via each connection.
    Is there a practical way to solve this?
    Please note that I am using the same NAT statements on both interfaces connected to the ISP, and the same ACL for the NAT statements as well.
    Any advice is appreciated.
    Ezequiel

    An additional note: the PKT lab was done with the Packet Tracer Student Version, not the normal Packet Tracer version. Anyone yet?

  • Configuring RFC connections for load balancing.

    Hi ,
    We have the following landscape for our systems.
    The database is installed on z/OS, DB2 (mainframe). The central services (SCS and ASCS) are also on the mainframe, so the message server is on the mainframe.
    The CI is on AIX and the DI is on AIX.
    We have logon groups configured, load balancing configured, and it is RFC enabled.
    1) When we connect to SAP using the SAPGUI and the portal, the connection is made to either CI or DI depending upon the best response times. Now recently we are running Mercury load testing, and all the users are connecting to DI. Why are the users connecting to DI even though we have load balancing?
    2) I have a system with SID BP0, with one CI and one DI. The logon group is BP0 and the message server name is cyrix. Now I have another system, EP0. I have created an RFC connection from EP0 to BP0. In SM59 I have selected the load balancing option, and provided the message server name, SID and logon group name. The connection does not work. If I connect directly to the CI or DI the connection works. Please tell me how I can configure load balancing for RFC connections.
    Thanks
    Manmath.

    Dear 917996,
    There are two types of load balancing:
    - Client-side load balancing (setting up the tnsnames.ora on the client side). More information here (http://ggsig.blogspot.co.uk/2012/04/client-side-load-balancing-in-oracle.html). A very good video produced by my friend Igor Melnikov is here (http://www.dsvolk.ru/oracle/racdd4d/demos/video/loadbalance/client/clientloadbalance_viewlet_swf.html).
    - Server-side load balancing (remote_listener and setting the service parameter clb_goal). Igor Melnikov's very good video is here (http://www.dsvolk.ru/oracle/racdd4d/demos/video/loadbalance/server/serverloadbalance_viewlet_swf.html).
    > I have read about client side and server side load balancing. By editing tnsnames.ora I have enabled client side load balancing, which is supposed to select listeners at random. Then why does it only go to the second node?
    Could you please show your tnsnames.ora on the client?
    > Please can anyone help me to configure server side load balancing with SCAN. I have read many many posts but couldn't find a clear answer.
    Based on your output (remote_listener string cmbtrnrac-scan:1521) you have already configured server side load balancing.
    SQL> show parameter listener
    NAME TYPE VALUE
    listener_networks string
    local_listener string (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=10.17.67.214)(PORT=1521))))
    remote_listener string cmbtrnrac-scan:1521
    How many SCANs do you use? Do you use DNS?
    regards,
    Gennady

  • KB2830477 breaks RDS load balancer connections

    All clients worked fine prior to KB2830477. Once that patch is installed the clients are unable to connect to our load balancer from outside our office; such as from home or on the road.
    Removal of that patch allows them to connect once again.
    The events on the RDS load balancer show clients connecting properly. The balancer sends the redirection info back to the client.
    The events on the RDS server where the client was redirected show nothing.
    It's as if the latest RDC patch breaks the ability for redirection. Or, perhaps, there's a special setting on our load balancer that needs to be updated due to this new patch?
    ... any helpful tips?
    Thanks,
    Jason Morrill

    Just some additional info regarding this problem.
    These first few paragraphs represent the eventviewer entries for the failed connection coming from outside our network:
    RD Connection Broker received connection request for user SOMEDOMAIN/someuser.
    Hints in the RDP file (TSV URL) = tsv://MS Terminal Services Plugin.1.rdpfarm
    Initial Application = 
    Call came from Redirector Server = my.fqdn.org
    Redirector is configured as Farm member
    RD Connection Broker has successfully determined the end point for this connection request.
    Endpoint name = rdpfarm
    Endpoint type = Farm
    Resource plugin name = MS Terminal Services Plugin
    RD Connection Broker successfully processed the connection request for user SOMEDOMAIN/someuser. Redirection info:
    Target Name = RDSSERVER2
    Target IP Address = INSIDE_IP, OUTSIDE_IP
    Target Netbios = RDSSERVER2
    Target FQDN = my.fqdn.org
    Disconnected Session Found = 0x0
    ========================
    And the entries below come from the eventviewer when connecting successfully from within our intranet.
    ========================
    RD Connection Broker received connection request for user SOMEDOMAIN/someuser.
    Hints in the RDP file (TSV URL) = tsv://MS Terminal Services Plugin.1.rdpfarm
    Initial Application = 
    Call came from Redirector Server = my.fqdn.org
    Redirector is configured as Farm member
    RD Connection Broker has successfully determined the end point for this connection request.
    Endpoint name = rdpfarm
    Endpoint type = Farm
    Resource plugin name = MS Terminal Services Plugin
    RD Connection Broker successfully processed the connection request for user SOMEDOMAIN/someuser. Redirection info:
    Target Name = RDSSERVER2
    Target IP Address = INSIDE_IP, OUTSIDE_IP
    Target Netbios = RDSSERVER2
    Target FQDN = my.fqdn.org
    Disconnected Session Found = 0x0
    This connection request has resulted in a successful session logon (User successfully logged on to the end point). Remote Desktop Connection Broker will stop monitoring this connection request.
    Session for user SOMEDOMAIN/someuser successfully added to RD Connection Broker's database.
    Target Name = my.fqdn.org
    Session ID = 2
    Farm Name = rdpfarm
    ========================
    It's almost as if something is failing and preventing a successful session logon. Like, perhaps, the updated RDC doesn't like how our internal and external IP addresses are being returned?

  • Load Balance & redundancy for internet from 2 different sites?

    Hi,
    we have 2 core sites where our servers are situated. Both sites are connected via a ptp link.
    All of our clients/sites reach these two sites via our MPLS network and they never route via the ptp link which is solely used between the two core sites.
    One of the sites has an ASA which goes out to our internet. We are thinking of replicating this on our other site.
    How would we go about load balancing the internet connection ie 50% go out on site A & 50% go out on site B?
    And if site A goes down, everything goes out via site B and vice versa?
    Diagram attached....
    Thank you,
    Louis

    Hi Louis, you could set default routes on the ASAs with tracking, and use OSPF downstream to inject the default route into the network with default-information originate; this will only advertise a default route if it has one in the routing table. With SLA you can track internet reachability by IP SLA echo to something like 8.8.8.8. Both sides can advertise this into the network; if one goes, there is one left. Just be mindful of the policies and NAT required: you will have to duplicate the rules on the ASAs. With the NAT you have to ensure that outgoing traffic comes back in the same path it left, so it doesn't break connections.
