Load Balancing with BigIP / SSL question

I have an oddball question. We're load balancing ColdFusion
MX7 across 3 servers using a BigIP load balancing server. We
decided to go the hardware approach and it has been great except
for one small configuration issue.
We use a mix of SSL and non-SSL pages. Prior to the switch
from a single server to a load balanced setup I used a script that
would determine if a page that was supposed to be SSL had the
variable CGI.HTTPS turned on or off. If it was off, the page would
redirect back to itself with the SSL turned on.
The problem we have is that we followed BigIP's instruction
to secure the load balancing hardware instead of the three servers
running behind it. So what happens is that the traffic goes to the
load balancer port 441, but then the calls from the load balancer
to the individual servers are on port 80. So even if a page is called
as HTTPS://... the ColdFusion server says that CGI.HTTPS is "off"
since the traffic is port 80.
This isn't much of a problem; our SSL pages are linked as
HTTPS:// and the only problem would actually arise if someone were
to type in the URL and call it as HTTP rather than HTTPS.
My question is this: does anyone know of a way that I can
detect if the page should be HTTPS and is not without changing our
configuration and putting SSL certificates on each individual
server?

Hey,
Well the load balancing with the BigIP device is really very
amazing. I think what I liked most was swapping out servers when
their lease was up, through the BigIP manager I just stopped all
traffic to a server, shut it down, plugged in the new one and
turned traffic back on. It was really very easy.
The SSL stuff still gives me a headache to think about, but I
should mention I no longer work where I was, plus now I'm all
.net C# but that's a different story.
I think if I was going to do this all again I would not have
secured the BigIP unit. It was nice to buy one SSL cert for all
the servers I attached rather than one per server, but getting the
SSL sites to work properly was a headache.
We also use Windows file replication where now I would go with
like a pair of Dell MD1000's mirrored for storage and just have
tons of RAM and CPU on the front end units. Depends what you want
to spend I guess. I think the BigIP unit we bought was like 20
grand, I think they are cheaper now though.
Hope I helped.
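
One way to handle the situation described in the question above, added here as an example and not taken from either poster: the load balancer inserts a header stating the scheme the browser used, and the application trusts that header only when the request arrives from the load balancer's own address. Python is used to show the decision logic; the header name `X-Forwarded-Proto`, the balancer address, the host name and the path prefixes are assumptions.

```python
"""Decide whether a request behind an SSL-offloading load balancer needs an HTTPS redirect.

Assumptions (not from the original thread): the balancer is configured to add
X-Forwarded-Proto to every request it forwards, replacing any copy sent by the
client. Addresses, host name and paths below are constructed sample values.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import quote

TRUSTED_BALANCERS = [ip_network("10.0.0.5/32")]  # constructed: the balancer's own address
CANONICAL_HOST = "www.example.com"               # constructed: never echo the Host header
SECURE_PREFIXES = ("/account/", "/checkout/")    # constructed: pages that must be SSL


def client_scheme(peer_ip, headers, backend_https=False):
    """Return the scheme the browser used, as far as the backend can know it."""
    if backend_https:
        # SSL is terminated on this server itself (the CGI.HTTPS "on" case).
        return "https"
    if not any(ip_address(peer_ip) in net for net in TRUSTED_BALANCERS):
        # The request did not come through the balancer, so the header is
        # whatever the client chose to send. Ignore it.
        return "http"
    lowered = {name.lower(): value for name, value in headers.items()}
    # If several values are present, the last one was added by the nearest proxy.
    proto = lowered.get("x-forwarded-proto", "").split(",")[-1].strip().lower()
    return "https" if proto == "https" else "http"


def https_redirect(peer_ip, headers, path, query=""):
    """Return the https:// URL to redirect to, or None when no redirect is needed.

    `path` is the decoded script path; `query` is the raw query string.
    """
    if not path.startswith(SECURE_PREFIXES):
        return None                      # page is allowed over plain HTTP
    if client_scheme(peer_ip, headers) == "https":
        return None                      # browser already used SSL at the balancer
    url = "https://" + CANONICAL_HOST + quote(path, safe="/")
    return url + ("?" + query if query else "")
```

The redirect target is built from a fixed host name rather than the request's Host header, so a forged Host value cannot steer the redirect elsewhere.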

Similar Messages

  • Safari cannot load balance with https

    I am a developer for a web site which runs ASP.NET pages on Windows Server 2003, IIS 6.0. We use Basic Authentication and HTTPS.
    We are using a load balancing solution to distribute the load to 4 web servers.
    We have been using this setup for over 5 years with IE and Firefox/Mozilla/Netscape browsers.
    Recently I have been asked to make Safari browsers work with our site ... MAC, Windows and iPhone versions.
    On all 3 platforms I am seeing the same problem ...
    The load balancer uses the SSL 3.0 Session ID to determine if the requests to the site are coming from the same client (browser) and thus will ensure that all requests from that browser go to the same web server.
    This works fine with IE, Firefox ... it does not work with any version of Safari. When the load balancer gets a request from a single Safari browser session, it sends the requests to multiple servers, causing issues with the pages returned.
    If I run Safari with an HTTP debugger ... like Fiddler (where it uses a proxy server) ... Safari works fine.
    Some questions:
    1. Does Safari expose the SSL 3.0 session id in the same manner as the other browsers ... i.e. an un-encrypted version of the header.
    2. Does Safari send many concurrent requests? Firefox and IE limit concurrent requests to 2.
    3. Could Safari be timing out its SSL 3.0 session id frequently or quickly?
    4. Is there a reason Safari does not send the http Basic Authentication header with every request once it authenticates with a particular realm?
    5. Are there any other possible causes of this problem?
    What do you think?

    Thank you for your reply.
    The session server id is being maintained by Safari and when the connections are kept on a single server (like when I use Fiddler's proxy to connect) it works fine.
    The SSL 3.0 Session ID is part of the SSL handshake which is used to establish an https connection. It is established between the browser and the web server as part of encrypting the traffic.
    As I understand it ... part of the SSL 3.0 protocol is to include an un-encrypted header along with the encrypted data.
    Our load balancing software is using a portion of this header (as it is un-encrypted and thus it can read it) to establish when requests are coming from the same web browser. This is the SSL Session ID.
    If the Session ID is the same, it will send all traffic to the same web server ... as it knows it is the same web browser.
    The problem arises in that the load balancer is not able to identify requests from the same Safari browser as part of the same secure session.
    So I am trying to understand what Safari is doing within the SSL header ... as it is not normally visible to standard web debugging tools ... they only show the http headers.
    Unfortunately I cannot easily change out the load balancing software or change it to use session state ids. I am trying to understand how Safari handles this to determine strategies to resolve this issue ... and thus allow my client base to use their Safari browsers to access our service.
    What do you think?
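
What a balancer can read in this setup, as an added example that is not part of the original posts: the session ID travels unencrypted in the hello messages of the SSL 3.0 to TLS 1.2 handshake, and it is empty whenever a client starts a new session instead of resuming one. The parser below extracts it from a handshake record and feeds a persistence table keyed on it; the byte strings, class and server names are constructed.

```python
import struct


def hello_session_id(record: bytes) -> bytes:
    """Return session_id from a ClientHello/ServerHello record (SSL 3.0 to TLS 1.2).

    Handles a hello that fits in one record; SSLv2-style hellos are rejected.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22 or major != 3:
        raise ValueError("not an SSL/TLS handshake record")
    body = record[5:5 + rec_len]
    if rec_len < 4 or len(body) < rec_len:
        raise ValueError("truncated record")
    if body[0] not in (1, 2):            # 1 = ClientHello, 2 = ServerHello
        raise ValueError("not a hello message")
    msg = body[4:4 + int.from_bytes(body[1:4], "big")]
    # version (2 bytes) and random (32 bytes) precede the 1-byte session_id length
    if len(msg) < 35:
        raise ValueError("truncated hello")
    sid_len = msg[34]
    if sid_len > 32 or len(msg) < 35 + sid_len:
        raise ValueError("bad session_id length")
    return msg[35:35 + sid_len]


class SessionIdPersistence:
    """Stick a connection to a server by session ID, else fall back to round robin."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.table = {}
        self.cursor = 0

    def pick(self, client_hello: bytes) -> str:
        sid = hello_session_id(client_hello)
        if sid and sid in self.table:
            return self.table[sid]       # resumed session: same server as before
        server = self.servers[self.cursor % len(self.servers)]
        self.cursor += 1                 # empty or unknown ID: nothing to stick on
        return server

    def learn(self, server_hello: bytes, server: str) -> None:
        sid = hello_session_id(server_hello)
        if sid:
            self.table[sid] = server


def build_hello(msg_type: int, session_id: bytes) -> bytes:
    """Build a constructed SSL 3.0 hello record (zero random, one cipher suite)."""
    msg = b"\x03\x00" + bytes(32) + bytes([len(session_id)]) + session_id
    if msg_type == 1:
        msg += b"\x00\x02\x00\x0a" + b"\x01\x00"   # suite list, compression list
    else:
        msg += b"\x00\x0a" + b"\x00"               # chosen suite, chosen compression
    handshake = bytes([msg_type]) + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x00" + len(handshake).to_bytes(2, "big") + handshake


def demo():
    """New session, resumed session, then another new session from the same client."""
    lb = SessionIdPersistence(["web1", "web2"])
    sid = bytes(range(32))
    first = lb.pick(build_hello(1, b""))
    lb.learn(build_hello(2, sid), first)
    resumed = lb.pick(build_hello(1, sid))
    fresh = lb.pick(build_hello(1, b""))
    return first, resumed, fresh


if __name__ == "__main__":
    print(demo())
```

A client that opens a connection without offering the earlier session ID is treated as a new client, which is the symptom the posts describe: requests from one browser landing on more than one server.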

  • Cache and Load Balancing with Oracle APEX Listener

    Hi,
    I intend to use only HTTP access.
    How to implement a Cache and Load Balancing with the Oracle APEX Listener?
    Is it possible to do with the standalone running APEX Listener?
    Thanks in advance for any tips/documentation/references.
    Kind Regards.

    Hi,
    I think this question is best asked in the APEX Listener forum:
    ORDS, SODA & JSON in the Database
    Kind regards
    Sandro

  • Load balancing with JSP

    Anyone and everyone,
    When configuring load balancing with Weblogic clusters, does load
    balancing take effect for all services or just EJB and RMI? Or another
    way of saying the same thing, can I setup weighted load balancing for
    the JSP engines across 2 weblogic servers.
    Thanks in advance,
    Mike

    The load-balancing documentation you read describing the different algorithms only applies to RMI stubs (e.g., EJB clients). Please see http://www.weblogic.com/docs51/cluster/concepts.html#1026091 for a description of how load-balancing/clustering works with servlets/JSPs.
    The short answer is that in using servlet clustering, most people want/need/use in-memory replication for HttpSession objects. In WLS 5.1 (and before), in-memory replication requires one or more proxy servers be set-up in front of the cluster. Typically, most people use something like BigIP to load-balance across the proxy servers and let the weblogic plug-in for the proxy server handle the routing to the cluster. The plug-in uses round-robin until an HttpSession is established for a user, then it always tries to route to the server where the user's session is located.
    Hope this helps,
    Robert
    Brian Lin wrote:
    All,
    I have a question here regarding load balancing with DNS round robin. As of Chapter Administration of Clustering Weblogic server, Weblogic can be configured to balance by weight. How about Weblogic handle weight based balancing after DNS round robin ip response? or just can choose one way instead of both?
    What's the big difference between choosing BigIP and software balancing (WL)?
    Brian
    "Wei Guan" <[email protected]> wrote:
    I don't think you can configure this load balancing in weblogic in current
    release. However, if you have Big-IP or LocalDirector, you can set up
    weighted load-balancing there. Otherwise, weblogic proxy will use DNS round
    robin to do the load-balancing between JSP engines.
    My 2 cents.
    Cheers - Wei
    Michael Yakimisky <[email protected]> wrote in message
    news:[email protected]...
    Anyone and everyone,
    When configuring load balancing with Weblogic clusters, does load
    balancing take effect for all services or just EJB and RMI? Or another
    way of saying the same thing, can I setup weighted load balancing for
    the JSP engines across 2 weblogic servers.
    Thanks in advance,
    Mike

  • Multihomed eBGP load balancing with 3 ISP's

    We currently peer with 2 ISPs using BGP in an active/failover configuration.  My company wants to move to a 3 ISP model where Internet traffic is split across the 3 providers so that bandwidth is equally distributed on outgoing traffic across our 2 /22 ARIN IP ranges.  This is from our 2 edge switches that have VSS.  
    Within my limited knowledge of BGP, I have determined that we could do load sharing pretty easily by adding multiple default routes and breaking up our /22's into /24 and advertising them that way.  However, I don't think this satisfies the request that downtime must be seamless, should one link drop.  
    Currently, our ISP's advertise default routes.  From the research that I've done, we could get close to load balanced links if we receive full BGP routes and community settings and definitions.  I'm nervous about this because it looks really complicated, and I don't want our AS to turn into a transit AS.  I've been told the same can be accomplished with only partial BGP routes and community settings and definitions.  
    Personally, I think we just need a WAN load balancer.  However, given the request, is there a thread out there that can explain this, or can someone discuss this requested scenario a little bit?  
    Thanks!

    Hi there
    First question would be what is the required reconvergence time for the applications using the Internet? Should an outage occur, when do they lose their state? Once you know that, you then have a target to aim for in terms of recovery.
    With regards load-balancing, with BGP we are always talking inbound and outbound.
    The outbound solution is relatively simple - each ISP advertises a default route to your Internet edge router(s). Create an eBGP session from each edge router to the core, advertise the default route and redistribute into the IGP. Ensure the IGP cost to each BGP next hop is equal and you have ECMP for outbound routing.
    Inbound influence is usually via MED (not likely in this case given 3 ISPs), adjusting local-pref in the ISP via BGP EXT communities configured your end, or via AS-PATH prepending for longer prefixes from your /22. Prepending would be simplest, but you're unlikely to get an exact inbound traffic split, however a relatively even distribution should be sufficient.

  • How does load-balancing with WebCache work - is there still a bottleneck?

    Hello,
    We're migrating an old Forms 6i app to 10.1.2.0.2 (apps servers = Redhat Linux), and are starting to consider using WebCache to loadbalance between two application servers.
    My question is this - say we have apps servers A and B, both running Forms and Reports Services. We use Webcache on server A (don't have the luxury of a third apps server...) to load balance between A and B. So all initial requests come into A, which in some cases may then be diverted to start a new Forms session on B.
    For those users whose middle-tier sessions are now running on B - will all network traffic for their Forms session continue to be routed through Webcache on A, then to B, over the course of the session? Or does Webcache somehow shunt the whole connection to be straight between the client PC and server B, for the duration of that Forms session?
    If the former, does that mean that the server hosting Webcache can still be a significant bottleneck for network traffic? Have people found load-balancing with Webcache to be useful..?
    Thanks in advance,
    James

    Hi gudnyc,
    Thanks for posting on Adobe forums.
    For HDPI you do not have to do any It will adjust automatically.
    http://helpx.adobe.com/photoshop-elements/using/whats-new.html
    Regards,
    Sandeep

  • ACE 4710 and load balancing with sticky cookie

    Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers.  I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall.  The ACE is in bridged mode to load balance web servers that reside in the DMZ.  Everything seems to work just fine, but the cookie stickiness does not seem to be working.

    Hi David,
    As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key. This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
    When using cookie-insert, the ACE will not create any dynamic cookie entries.  It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value.  So what you see there is what is expected.
    You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie.   The cookie is included in the server's response, and the ACE will look for the value as configured.  The cookie will also be sent to the client.  If the cookie is not in the server's first response, you will need enable persistence-rebalance so that it will look in subsequent server responses.  If the browser opens new connections with that cookie, then the ACE will stick to the same server.
    My suggestion would be to get sticky working with cookie-insert first.  Then if that meets your needs, go with that permanently.  If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
    Sean

  • T3 Load Balancing with Weblogic Server 6.1

    We are using two weblogic 6.1 servers A and B behind a load balancer with a DNS name (eg. www.loadbalancer.com). We are using T3 for Java client to application server communication. The client creates the Initial context with the load balancer url, creates remote objects using the context, closes the initial context and then tries to get a new initial Context. What we noticed is even though the client closes the first context and gets a new one, the client is always hooked on to only one server making load balancing ineffective. Is there a T3 configuration to release the connection when we close the context? The documentation says only one T3 is established per client JVM.

    Rick,
    You may want to look at the Alteon and F5 configuration we have on edocs.
    Take a look at the following URLs for a possible solution
    http://edocs.bea.com/wls/docs61/cluster/alteon.html#591902
    http://edocs.bea.com/wls/docs61/cluster/bigip.html#591902
    Chuck Nelson
    DRE
    BEA Technical Support

  • CF 10 Load-Balancing with Remote Instances

    I was reading an article on Clustering/LB/HA using CF8, but have not found any updates for CF10.
    Using VM VirtualBox to setup a few virtual servers, I am looking to setup a load balancing of ColdFusion 10 on 2 remote instances. The goal would be have ColdFusion Cluster Manager be able to point http request to one of the two servers based on load/availability. Not really having a hardware cluster/failover setup, just managing resources on two CF instances instead of a standalone.
    The servers are Windows Server 2008 R2 with IIS7.5 and ColdFusion 10 Enterprise installed on 3 of these machines. Let's call them CF-LBManager, CF-Web1, and CF-Web 2. In the CF Docs, they show the Cluster Manager adding the local CF instance and "if you want" a remote instance. However, this scenario would require the main instance to be running and not fail for it to direct to the other instance.
    I am trying to set this up now with CF-LBManager as just a manager of the requests coming in. In the Enterprise Manager >> Instance Manager, the local instance is shown and I add the two remote instances with the correct Remote Port, JVM Route, etc. I also made sure the <Cluster>...</Cluster> block was added to the two remote instances (CF-Web1 and CF-Web2) \runtime\conf\server.xml file too, Jetty Services also is running. Now under the Enterprise Manager >> Cluster Manager I add the two remote instances to the cluster, not the local instance on CF-LBManager with Multicast Port and Sticky Sessions enabled. On Submit, I get a green message "You must restart all the server instances and any configured webservers for these changes to take effect.". I go ahead and reboot the servers and come back.
    I now browse to the ColdFusion page as a test on CF-Web1 and CF-Web2 to make sure CF is running properly, they do. I then browse the IP of the CF-LBManager, however it only returns the local IIS web site and not redirect to one of the two cluster members. I am not seeing any message on the coldfusion-out.log on the remote instances. Am I not setting this up correctly or not enabling the Cluster Manager to take over and pass along the requests to those in the cluster?

    Unfortunately I don't have a lot of experience with CF10 on Windows, but if you are running CF behind IIS I think you will need to update the Tomcat connector configuration to do load balancing. I'm not sure if re-running the wsconfig tool on all of the servers will do this or not, but that is what I would suggest trying first. If that doesn't work you will need to update the Tomcat connector configuration manually. You can find more information on load balancing with the Tomcat connector here: http://tomcat.apache.org/connectors-doc/generic_howto/loadbalancers.html.

  • CSS Load Balancing with Cookies

    We are trying to load balance 2 backend servers hosted on Websphere with advance balance cookies method.
    Restrictions
    ServerA is unable to accept cookies generated from ServerB.
    ServerA and ServerB are generating random cookies
    Unable to modify cookie string with a constant.
    How can we load balance based on cookies considering the above restrictions?
    We have attempted to do hash based load balancing with cookies but the problem we run into is the servers do not accept cookies generated from another server.
    The configuration we tried is written below:
    service ServerA
      ip address 192.168.10.2
      keepalive type tcp
      keepalive port 80
      active
    service ServerB
      ip address 192.168.20.2
      keepalive type tcp
      keepalive port 80
      active
    content ABC
      url "/*"
      add service ServerA
      string prefix "JSESSIONID="
      advanced-balance cookies
      port 80
      add service ServerB
      string skip-length 5
      string process-length 16
      string operation hash-xor
      protocol tcp
      vip address 172.16.32.1
      active
    Can we change the string prefix to JSESSION instead of JSESSIONID= ?
    The only place the app guys can add a constant string to match on is before the = sign.
    Is it possible for CSS to match on a constant string before = sign e.g below:
    service ServerA
      ip address 192.168.10.2
      keepalive type tcp
      keepalive port 80
      string id567=
      active
    service ServerB
      ip address 192.168.20.2
      keepalive type tcp
      keepalive port 80
      string id123=
      active
    content ABC
      url "/*"
      add service ServerA
      string prefix "JSESSION"
      advanced-balance cookies
      port 80
      add service ServerB
      string skip-length 0
      string process-length 6
      protocol tcp
      vip address 172.16.32.1
      active

    It should work.
    There is no reason for it not to work...
    This is the best method you can have on the CSS for stickyness.
    Get a sniffer trace on the client and server with arrowpoint cookie configured on the CSS and capture a failure so we can see what is going on.
    also send me the config so I can verify everything is ok.
    If you have a service request open with the TAC, you can also give the SR # so I can review what has been done.
    Gilles.

  • Load Balancing With Round Robin

    Hi,
    I have two iAS instances, each on their own box, and one iWS instance
    running on a third box. I have setup the web connector to use round
    robin and added the server weights. I believe that is all that is to it
    to do simple load balancing with iAS. The problem is that the
    requests only go to one iAS instance. The server weights are 1 and 1.
    Am I missing something here?
    Thanks

    Could be lots of things.
    The most common misconfiguration is testing an application that is deployed "local". This application option effectively disables load balancing.
    Another common mistake is to either not update the configuration of the webconnector (if the webconnector has a separate configuration LDAP) or to not restart the webconnector after the configuration change.
    Hope this helps. There's more things we could try, but I'll hope it's one of these two easy things.

  • Load balancing with use of router 881.

    Hello,
    I have two MPLS lines and I want load balancing with the help of a CISCO router 881. Is it necessary that I require two routers on both locations? If one location has a firewall and one location has a CISCO router 881 then can I do load balancing or do I require two routers each on both locations? What are the basic requirements that I need?
    Thanks,
    Kuntal

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    An 881 should be able to load share across multiple ports.  Many routing protocols support ECMP, including BGP, but you need "special" hidden/secret commands to enable.  EIGRP also supports unequal cost load sharing.
    If an 881 supports OER or PfR, those too will do unequal load sharing, dynamically.

  • Load balancing with A-Gate

    Hi All,
    I wish to configure my single W-Gate (Linux) to load balance with 2 A-Gate (Window). Can anyone help?
    Regards
    Lauran

    Hello Lauran,
    I'm assuming that you already have the ITS working with one AGate server.  To load balance between two you need to install the ITS AGate again on the second server with the same ITS instance name.  Then on the WGate server you will need to modify the ItsRegistryWgate.xml.  Under the <key name="Instances"> you will find a section already for this ITS instance name, like ITS1.  You will need to copy and paste the Agate1 section and make it Agate2, change the Host name and the PortAGate and PortMManager and then save and restart.  The finished section should look like:
    <key name="ITS1">
      <key name="Values">
        <value name="Available" type="text">yes</value>
        <value name="Name" type="text">ITS1</value>
        <value name="DocumentRoot" type="text">c:\its1081</value>
        <value name="ServerName" type="text">Apache2 (virtual host: default:1081)</value>
        <value name="NIReceiveRetryCount" type="text">0</value>
        <value name="NIReceiveTimeout" type="text">0</value>
        <value name="NISendTimeout" type="text">0</value>
      </key>
      <key name="Agates">
        <key name="Agate1">
          <value name="Host" type="text">Hostname1</value>
          <value name="PortAGate" type="text">sapavw00_ITS1</value>
          <value name="PortMManager" type="text">sapavwmm_ITS1</value>
          <value name="Type" type="text">1</value>
          <value name="SncNameAGate" type="text" />
          <value name="SncNameWGate" type="text" />
          <value name="MultiProcess" type="text">no</value>
          <value name="Available" type="text">yes</value>
        </key>
        <key name="Agate2">
          <value name="Host" type="text">Hostname2</value>
          <value name="PortAGate" type="text">sapavw00_ITS1</value>
          <value name="PortMManager" type="text">sapavwmm_ITS1</value>
          <value name="Type" type="text">1</value>
          <value name="SncNameAGate" type="text" />
          <value name="SncNameWGate" type="text" />
          <value name="MultiProcess" type="text">no</value>
          <value name="Available" type="text">yes</value>
        </key>
      </key>

  • Load Balancing with a CSM & SSL Module

    I'm trying to understand the best way to balance traffic to two servers when decrypting and re-encrypting with the CSM and an SSL module. I take the SSL traffic hitting the first CSM VIP and forward to the SSL module for decryption. Send the decrypted traffic back to another VIP on the CSM. Send the traffic to the client proxy VIP on the SSL which encrypts the traffic and forwards to the CSM VIP. That final VIP passes the traffic to the serverfarm containing the actual servers. How do I make sure the traffic is balanced between the final VIP and my servers. It seems that sticking on SSL session ID is the only way to go at that point which made decryption pointless. I feel like I'm missing something basic here.
    Thanks..

    Hi David,
    Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
    2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
    Sachin garg

  • Question about Load balancing with IISPROXY

              Hi,
              We are running WLS 5.1.0 SP5 on NT 4.0 SP6. We are not using clustering.
              We are able to round robin between multiple instances of the WLS successfully.
              Question: If one of the instances of WLS goes down, is there any way to configure
              the plugin to take it out of the loop automatically (without using clustering)?
              Thanks,
              Anil.
              

    This is not the syntax. Syntax is just this:
              MaxSkips=something.
              eg: MaxSkips=25
              The doc says:
              5:10:1000 for min:default:max
              By which we mean that default value is 10, max is 1000 and min is 5. I guess the
              docs are confusing about the syntax here. We will correct them.
              --Vinod.
              Anil Kommareddi wrote:
              > Vinod,
              > I could not find any documentation on the MaxSkips parameter except in the Service Pack
              > docs. The syntax is MaxSkips=min:default:max.
              >
              > how do the min and max parameters work?
              >
              > Vinod Mehra wrote:
              >
              > > Even if the servers in the WebLogicCluster list are non clustered you WILL be
              > > able to do load balancing. But the problem is if the servers go down the plugin
              > > will not remove them. But it is not that bad. If a connection attempt fails the
              > > server is marked as bad and will be skipped for the next MaxSkips (default=10)
              > > cycles of load balancing. MaxSkips parameter is configurable for IISProxy
              > > (SP4 onwards, I think).
              > >
              > > -Vinod.
              > >
              > > Prasad Peddada wrote:
              > >
              > > > I believe there won't be any load balancing unless you use servers in a cluster. As
              > > > an alternative you can use hardware load balancers directly in a situation like this.
              > > >
              > > > Anil Kommareddi wrote:
              > > >
              > > > > Hi,
              > > > >
              > > > > We are running WLS 5.1.0 SP5 on NT 4.0 SP6. We are not using clustering.
              > > > > We are able to round robin between multiple instances of the WLS successfully.
              > > > >
              > > > > Question: If one of the instances of WLS goes down, is there any way to configure
              > > > > the plugin to take it out of the loop automatically (without using clustering)?
              > > > >
              > > > > Thanks,
              > > > > Anil.
              > > >
              > > > --
              > > > Cheers
              > > >
              > > > - Prasad
              
