Loadbalancers

Can anybody please help me with how to start my study of load balancers?

Loadbalancing in the context of Cisco is typically the ACE (Application Control Engine). The product-page has a lot of links and stuff to read:
http://www.cisco.com/en/US/products/ps6906/index.html

Similar Messages

  • Internal load balance ilb on ServiceConfiguration LoadBalancers

    Hi everybody, I am trying to set up an internal load balancer using this configuration:
    from cscfg:
    <NetworkConfiguration>
     <VirtualNetworkSite name="WE" />
     <AddressAssignments>
      <InstanceAddress roleName="Role1">
       <Subnets>
        <Subnet name="WE_WWW" />
       </Subnets>
      </InstanceAddress>
      <InstanceAddress roleName="Role">
       <Subnets>
        <Subnet name="WE_SERVICE" />
       </Subnets>
      </InstanceAddress>
     </AddressAssignments>
     <LoadBalancers>
      <LoadBalancer name="WEB_ILB">
       <FrontendIPConfiguration type="private" subnet="WE_WWW" staticVirtualNetworkIPAddress="192.168.1.5" />
      </LoadBalancer>
      <LoadBalancer name="API_ILB">
       <FrontendIPConfiguration type="private" subnet="WE_SERVICE" staticVirtualNetworkIPAddress="192.168.2.5" />
      </LoadBalancer>
     </LoadBalancers>
    </NetworkConfiguration>
    from csdef:
    <WebRole name="Role1" vmsize="Small">
     <Sites>
      <Site name="Web">
       <Bindings>
        <Binding name="httpIn" endpointName="httpIn" />
        <Binding name="httpsIn" endpointName="httpsIn" />
       </Bindings>
      </Site>
     </Sites>
     <Endpoints>
      <InputEndpoint name="httpIn" protocol="http" port="80" loadBalancer="WEBILB" />
      <InputEndpoint name="httpsIn" protocol="https" port="443" certificate="Valuta" />
     </Endpoints>
     <Imports>
      <Import moduleName="Diagnostics" />
      <Import moduleName="RemoteAccess" />
      <Import moduleName="RemoteForwarder" />
     </Imports>
     <Certificates>
      <Certificate name="Valuta" storeLocation="LocalMachine" storeName="CA" />
     </Certificates>
    </WebRole>
    <WebRole name="Role2" vmsize="Small">
     <Sites>
      <Site name="Web">
       <Bindings>
        <Binding name="httpIn" endpointName="httpIn" />
       </Bindings>
      </Site>
     </Sites>
     <Endpoints>
      <InputEndpoint name="httpIn" protocol="http" port="8080" loadBalancer="APIILB" />
     </Endpoints>
     <Imports>
      <Import moduleName="Diagnostics" />
      <Import moduleName="RemoteAccess" />
     </Imports>
    </WebRole>
    As you can see, I have two webroles linked to a vnet:
    Role1 has two input endpoints: https and http (the one I want to "internal" load balance)
    Role2 has only an http input endpoint (again the one I want to "internal" load balance)
    and I am trying to configure an internal load balancer (see here:
    vs2013-update3)
    When I try to deploy the package I receive this error:
    Error: The specified configuration settings for Settings are invalid. Verify that the service configuration file is a valid XML file, and that role instance counts are specified as positive integers.  Http Status Code: BadRequest  OperationId:
    874024071e88327f8cb73c16f15f3ac2
    I'm sure it depends on the ILB configuration, because when I remove it the deploy succeeds...
    Has anybody tried something like this?
    Thanks,
    Simone

    I've found a solution by myself with the help of a friend (Sandro Vecchiarelli): the "problem" is that I was trying to set up two load balancers in one cloud service. Trying with only one works correctly; the error is probably a schema validation, and I really don't know if the error is in the "client" schema that allows me to configure more than one ILB (note the node name LoadBalancers... it's plural...) or online (the one on Azure).
    By the way... at the moment, use just one ILB per cloud service.
    Hope this helps.

  • Managing CSS11500 loadbalancers in cluster mode

    Hello All,
    This is a newbie question regarding CSS11500 series load balancers, as I am trying to get up to speed with managing them as part of my job. I noticed that there are a couple of CSS "clustered together", since I see they are managed using a single IP address.
    My question is around how to establish a session to each individual device in this cluster, if at all possible. If it is not possible, how do I manage the secondary device in this cluster to perform tasks such as copying new software to it, backing it up, etc.?
    Adil

    Hi Adil,
    What I understood from "cluster" here is the box-to-box redundancy option in CSS, where two CSS boxes share common circuit IPs. If that is the case, then we manage the CSS boxes using the out-of-band mgmt interface available on the SCM (you can see the config in show run boot).

  • Aaa configuration for steelhead and F5 loadbalancers?

    Hi all,
    I was trying to configure AAA authentication/authorization/accounting on Steelhead and F5 load balancers.
    Any resource or help to accomplish this task will be highly appreciated. Thanks!
    Abe

    http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8811.html
    Also, have you tried looking at F5's website and/or posting in their forums as well?

  • CF 10 Load-Balancing with Remote Instances

    I was reading an article on Clustering/LB/HA using CF8, but have not found any updates for CF10.
    Using VM VirtualBox to set up a few virtual servers, I am looking to set up load balancing of ColdFusion 10 on 2 remote instances. The goal would be to have ColdFusion Cluster Manager be able to point HTTP requests to one of the two servers based on load/availability. Not really having a hardware cluster/failover setup, just managing resources on two CF instances instead of a standalone.
    The servers are Windows Server 2008 R2 with IIS7.5, and ColdFusion 10 Enterprise is installed on 3 of these machines. Let's call them CF-LBManager, CF-Web1, and CF-Web 2. In the CF Docs, they show the Cluster Manager adding the local CF instance and "if you want" a remote instance. However, this scenario would require the main instance to be running and not fail for it to direct to the other instance.
    I am trying to set this up now with CF-LBManager as just a manager of the requests coming in. In the Enterprise Manager >> Instance Manager, the local instance is shown and I add the two remote instances with the correct Remote Port, JVM Route, etc. I also made sure the <Cluster>...</Cluster> block was added to the two remote instances (CF-Web1 and CF-Web2) \runtime\conf\server.xml file too, Jetty Services also is running. Now under the Enterprise Manager >> Cluster Manager I add the two remote instances to the cluster, not the local instance on CF-LBManager with Multicast Port and Sticky Sessions enabled. On Submit, I get a green message "You must restart all the server instances and any configured webservers for these changes to take effect.". I go ahead and reboot the servers and come back.
    I now browse to the ColdFusion page as a test on CF-Web1 and CF-Web2 to make sure CF is running properly, they do. I then browse the IP of the CF-LBManager, however it only returns the local IIS web site and not redirect to one of the two cluster members. I am not seeing any message on the coldfusion-out.log on the remote instances. Am I not setting this up correctly or not enabling the Cluster Manager to take over and pass along the requests to those in the cluster?

    Unfortunately I don't have a lot of experience with CF10 on Windows, but if you are running CF behind IIS I think you will need to update the Tomcat connector configuration to do load balancing. I'm not sure if re-running the wsconfig tool on all of the servers will do this or not, but that is what I would suggest trying first. If that doesn't work you will need to update the Tomcat connector configuration manually. You can find more information on load balancing with the Tomcat connector here: http://tomcat.apache.org/connectors-doc/generic_howto/loadbalancers.html.

  • MOD_JK configurations

    Hi
    We are facing problems with MOD_JK not redirecting to UI servers in case of failover. We have 3 UI servers configured to MOD_JK. The three UIs are pointed to individual MDEX. When one of the UI servers failed, MOD_JK was not able to redirect the request to other servers. We see the log as "server not responding".
    Is there any configuration that has to be specifically enabled for server failover? Also, could someone share ideas on MOD PROXY? How well does it handle failovers?
    Below is the MOD_JK configuration
    worker.server.type-ajp13
    worker.server.lbfactor-1
    worker.server.socket_keepalive-TRUE
    worker.server.connection_pool_timeout-600
    worker.vma-end-lb.type-lb
    worker.vma-end-lb.balance_workers-server1,server2
    worker.vma-end-lb.sticky_session-1
    Tomcat Version-6
    Any suggestions are welcome on how to configure the MOD_JK plugin.
    Thanks
    Pradeep

    Your workers.properties config paste is unusual - it looks like you have a hyphen (-) instead of an equals sign (=) before each property value?
    You might want to add a "redirect" directive to each worker [1]. Since you have enabled sticky-sessions, you may also want to check you have set up jvmRoute correctly [2].
    Best
    Brett
    [1] http://tomcat.apache.org/connectors-doc/generic_howto/loadbalancers.html
    [2] http://tomcat.apache.org/tomcat-6.0-doc/config/engine.html

  • Weird case involving NTLM, Windows XP and the portal

    I have a very peculiar case here for a few users.
    The users have in common that they are all using Windows XP (and just migrated), though most other people (even ones using Windows XP) do not have the problem.
    We have implemented SSO to the portal, and done this using IIS on the portal servers. In front of that we are using IBM edge loadbalancers.
    From a troubled user's perspective, when he opens the browser against the portal, he gets the portal logon page with a message saying user authentication failed.
    I've found out what happens behind the scene and why the portal fails, but I can't explain it thoroughly.
    The user's browser reaches the portal.company.com address. IIS requests NTLM login and after a few packets, the browser sends the user's userprincipalname ([email protected]) via the NTLM login (I've documented this in the network traces from ethereal). That the browser sends the userprincipalname is the core of the problem; all other users send the SAMaccountname. The portal reads the NTLM information and parses the user information (here the userprincipalname). However, we have configured our portal to use the SAMaccountname when authenticating against AD, and therefore the login fails.
    If I use a DNS alias for the portal.company.com address, say aliasportal.company.com (actually portal.company.com is an alias for aliasportal.company.com, but don't let that confuse you), the same client that sent userprincipalname earlier now sends the SAMaccountname and therefore gets SSO (and goes through the loadbalancer). And if I try to access one of the portal servers directly (without going through the load balancer), it also sends SAMaccountname. So basically, there has to be something with the address portal.company.com that makes the user's browser send the userprincipalname.
    Also, this problem is not tied to the user's profile, because if he uses another PC, it works like a charm.
    If you have any idea at all what could have caused this, please do contribute. No answers are stupid (in this case). I am especially looking for details on what causes IE to send userprincipalnames, and what causes it to send SAMaccountname.
    Network sniffing(some minor changes to hide information):
    This is the NTLM packet which "wrongly" contains the userprincipalname.
    No.     Time        Source                Destination           Protocol Info
         17 0.107258    xxxxx        xxxxxx        HTTP     GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1, NTLMSSP_AUTH
    Frame 17 (792 bytes on wire, 792 bytes captured)
    Ethernet II, Src: 00:11:43:7d:52:94, Dst: 00:d0:05:04:8f:fc
    Internet Protocol, Src Addr: xxxxxxxxx , Dst Addr: xxxxxxx
    Transmission Control Protocol, Src Port: 2201 (2201), Dst Port: http (80), Seq: 403, Ack: 741, Len: 738
    Hypertext Transfer Protocol
        GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1\r\n
        Accept: /\r\n
        Accept-Language: da\r\n
        Accept-Encoding: gzip, deflate\r\n
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n
        Host: portal.company.com\r\n
        Connection: Keep-Alive\r\n
        Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHoAAACkAKQAkgAAAAAAAABIAAAAIAAgAEgAAAASABIAaAAAAAAAAAA2AQAABYKIogUBKAoAAAAPZABqAHcAbABAAHMAdABhAHQAbwBpAGwALgBjAG8AbQBQAEMALQAzADkAMwA3ADEANAAjkf2i0gE5YfLWa6LaFWq/QOJVBMBK+X/0eZk41NRM7wDew37l6/jmAQE
            NTLMSSP
                NTLMSSP identifier: NTLMSSP
                NTLM Message Type: NTLMSSP_AUTH (0x00000003)
                Lan Manager Response: 2391FDA2D2013961F2D66BA2DA156ABF40E25504C04AF97F
                NTLM Response: F4799938D4D44CEF00DEC37EE5EBF8E60101000000000000...
                Domain name: NULL
                User name: [email protected]
                Host name: PC-393714
                Session Key: Empty
                Flags: 0xa2888205
        \r\n
    And this is the packet against the dns alias which works
    No.     Time        Source                Destination           Protocol Info
         17 0.103528    xxxxx          xxxxx         HTTP     GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1, NTLMSSP_AUTH
    Frame 17 (788 bytes on wire, 788 bytes captured)
    Ethernet II, Src: 00:11:43:7d:52:94, Dst: 00:d0:05:04:8f:fc
    Internet Protocol, Src Addr: xxxx, Dst Addr: xxxx
    Transmission Control Protocol, Src Port: 1825 (1825), Dst Port: http (80), Seq: 403, Ack: 741, Len: 734
    Hypertext Transfer Protocol
        GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1\r\n
        Accept: /\r\n
        Accept-Language: da\r\n
        Accept-Encoding: gzip, deflate\r\n
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n
        Host: aliasportal.company.com\r\n
        Connection: Keep-Alive\r\n
        Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHgAAACkAKQAkAAAABYAFgBIAAAACAAIAF4AAAASABIAZgAAAAAAAAA0AQAABYKIogUBKAoAAAAPUwBUAEEAVABPAEkATAAtAE4ARQBUAEQASgBXAEwAUABDAC0AMwA5ADMANwAxADQAyhO3U1uCz0jn55samc+TUJmnyefvp0tXQN0VMytYEG3YDADHwRicxwEBAAA
            NTLMSSP
                NTLMSSP identifier: NTLMSSP
                NTLM Message Type: NTLMSSP_AUTH (0x00000003)
                Lan Manager Response: CA13B7535B82CF48E7E79B1A99CF935099A7C9E7EFA74B57
                NTLM Response: 40DD15332B58106DD80C00C7C1189CC70101000000000000...
                Domain name: COMPANY-NET
                User name: DAPA
                Host name: PC-393714
                Session Key: Empty
                Flags: 0xa2888205
        \r\n
    I'll be truly impressed if anyone solves this one!

    Hi Dagfinn,
    There are a few things I would check in the Internet explorer settings on the client, namely :
    -The security zones (which addresses are in Intranet, Trusted sites, etc.)
    -Check in the security settings if automatic logon with current username is enabled.
    -Look if "Enable integrated Windows authentication" is enabled in the advanced settings.
    Are you using Kerberos authentication? There's a long article on Microsoft's website about troubleshooting Kerberos errors which might give a few clues :
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
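
The two traces in this thread differ in the Domain name and User name fields of the NTLMSSP_AUTH message. As an added example (not code from the thread), this Python sketch decodes those fields from an `Authorization: NTLM` header and labels the name form, so the same comparison can be made without a packet dissector; the sample messages are constructed with placeholder names, and `build_sample_auth` and `name_form` are hypothetical helpers.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_AUTH = 3                 # message type shown in the traces (0x00000003)
NEGOTIATE_UNICODE = 0x00000001   # when set, name strings are UTF-16LE

# Offsets of the 8-byte field descriptors in the fixed header of a type 3 message.
OFF_DOMAIN, OFF_USER, OFF_WORKSTATION, OFF_FLAGS = 28, 36, 44, 60


def _field(msg, header_offset):
    """Read one (length, max length, payload offset) descriptor and return its bytes."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, header_offset)
    if offset + length > len(msg):
        raise ValueError("field at header offset %d points past end of message" % header_offset)
    return msg[offset:offset + length]


def parse_ntlm_auth(authorization_value):
    """Decode domain, user and workstation from an 'NTLM <base64>' header value."""
    scheme, _, blob = authorization_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(blob.strip(), validate=True)
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != NTLMSSP_AUTH:
        raise ValueError("expected NTLMSSP_AUTH, got message type %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, OFF_FLAGS)
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    return {
        "domain": _field(msg, OFF_DOMAIN).decode(encoding),
        "user": _field(msg, OFF_USER).decode(encoding),
        "workstation": _field(msg, OFF_WORKSTATION).decode(encoding),
        "flags": flags,
    }


def name_form(parsed):
    """Label the identity the way the thread does: UPN (user@domain) or SAM (DOMAIN + user)."""
    if "@" in parsed["user"] and not parsed["domain"]:
        return "UPN"
    if parsed["domain"] and "@" not in parsed["user"]:
        return "SAM"
    return "other"


def build_sample_auth(domain, user, workstation, flags=0xA2888205):
    """Build a constructed type 3 message (dummy 24-byte responses, no session key)."""
    payload = [domain.encode("utf-16-le"), user.encode("utf-16-le"),
               workstation.encode("utf-16-le"), b"\x00" * 24, b"\x00" * 24, b""]
    offsets, pos = [], 72            # 64-byte fixed header + 8-byte version block
    for part in payload:
        offsets.append(pos)
        pos += len(part)

    def desc(i):
        return struct.pack("<HHI", len(payload[i]), len(payload[i]), offsets[i])

    # Header order: LM response, NT response, domain, user, workstation, session key.
    header = (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTH)
              + desc(3) + desc(4) + desc(0) + desc(1) + desc(2) + desc(5)
              + struct.pack("<I", flags) + b"\x00" * 8)
    return "NTLM " + base64.b64encode(header + b"".join(payload)).decode("ascii")


if __name__ == "__main__":
    # Constructed samples with placeholder names, mirroring the two cases in the thread.
    for hdr in (build_sample_auth("", "jdoe@example.com", "PC-000001"),
                build_sample_auth("EXAMPLE-NET", "JDOE", "PC-000001")):
        info = parse_ntlm_auth(hdr)
        print(name_form(info), info)
```
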

  • Load balancer + preserving IPs

    I seem to have encountered a rather severe limitation of the mod_loadbalancer, and I'm hoping there is a workaround.
    I have a SJSAS 8.1EE cluster fronted by Apache (also tried SJS WS6.1 too) with SJSAS's loadbalancer plugin.
    It seems that the appserver instances are seeing the IP of the loadbalancer instead of the original client IP address (web browser).
    Several apps we run need to check the IP of the client system (for authentication and other reasons), so this is kind of an issue given mod_loadbalancer is now replacing them with its IP.
    Previously I've used mod_jk with JBoss clustering, and there's no such problem because they intelligently use the AJP protocol, so IP's are preserved.
    Surely this would be a common scenario for ppl using loadbalancers, so I'm wondering if there's any way around it such that the destination appserver sees the client's IP, even when going through the loadbalancer.
    Another idea that comes to mind is the question of examining another HTTP tag (eg <X-forwarded-by>) to get the client's original IP.
    Any ideas would be greatly appreciated!

    i believe i'm looking at the same issue. We have struts tags in our jsp's that are returning the incorrect client url from the loadbalancer. where i'm expecting a link with the url "https://mysite.com/", it's returning "http://mysite:443".
    our configuration consists of a sun webserver (v6.1) with the lbplugin pointed to a cluster of two sun app servers (v8.1). the loadbalancer.xml is configured with the https-routing param set to false, meaning that ssl connections should be forwarded to the http port of the app servers.
    the same problem (i believe) is documented elsewhere in sun's bug site.
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6269102
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6188932
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4814778
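
An added example, not from the thread: one way an application behind the load balancer can recover the browser's address when the proxy appends it to an X-Forwarded-For header. The header name, the trusted proxy range and all addresses are assumptions; header entries are believed only when the direct peer is a known proxy, because the header is client-controlled and the apps here use the address for authentication.

```python
import ipaddress


def client_ip(peer_addr, xff_header, trusted_proxies):
    """Return the address to treat as the client.

    peer_addr        address of the TCP peer (what the app server sees today)
    xff_header       raw X-Forwarded-For value, or None/"" if absent
    trusted_proxies  CIDR ranges of load balancers allowed to set the header
    """
    trusted = [ipaddress.ip_network(net) for net in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(peer_addr)

    # A peer that is not one of our proxies may put anything in the header:
    # ignore it and use the socket address.
    if not is_trusted(peer) or not xff_header:
        return str(peer)

    # Each proxy appends the address it received the request from, so the
    # rightmost entry was written by our own load balancer. Walk right to
    # left and stop at the first address that is not a trusted proxy;
    # everything further left was supplied by the client and is unverified.
    candidate = peer
    for hop in reversed(xff_header.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = ip
        if not is_trusted(ip):
            break
    return str(candidate)


if __name__ == "__main__":
    LB_RANGE = ["10.0.0.0/24"]  # constructed: subnet of the load balancer tier
    # Constructed requests: (peer address, X-Forwarded-For value)
    samples = [
        ("10.0.0.5", "203.0.113.7"),                    # normal request via LB
        ("10.0.0.5", "192.168.1.10, 198.51.100.23"),    # client forged the first entry
        ("198.51.100.23", "10.0.0.9"),                  # direct hit, header forged
        ("10.0.0.5", "203.0.113.7, 10.0.0.8"),          # two proxy tiers
        ("10.0.0.5", None),                             # LB added no header
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", client_ip(peer, xff, LB_RANGE))
```
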

  • 10g AS: How to run 2 Midtiers in one infrastructure

    We are trying to install two midtiers of Portal 10g (let's call them internet and intranet) using one and the same infrastructure (infstr1).
    So far we installed the 10g infstr1 using an existing Database placed on a different server. We also installed the internet-midtier of 10g Portal. The installation went, instead of some minor adjustments, very well, thanks for the good programming.
    Then we installed the intranet-midtier of 10g Portal on the same machine in a new oracle home. But now we are no more able to access the internet-midtier of 10g Portal.
    My Question: In general, is it possible to install two midtiers on the same machine using the same infrastructure also installed on the same machine by having the database placed on a different server?
    Regards,
    Michael Kiefer-Berkmann

    "My Question: In general, is it possible to install two midtiers on the same machine using the same infrastructure also installed on the same machine by having the database placed on a different server?"
    Though it is possible to install multiple midtiers against the same Portal repository, using these midtiers to access the same Portal with different site URLs is not possible. Portal maintains the details of the webcache of the midtier in the repository for cache functionality. Anytime new Portal midtiers are added the new webcache entries would overwrite the existing entries (unless one selects not to configure Portal during the midtier install.) How to add new midtiers without overwriting the existing entries is detailed in the load balancer section (advanced Portal configuration chapter) of the Portal Configuration guide.
    Multiple midtiers are added to the Portal for scalability and performance reasons and not for accessing it from multiple url's. These multiple midtiers are always frontended by loadbalancers. Please refer to the advanced configuration chapter of the Portal configuration guide which details how to setup reverse proxy, virtual hosts, load balancers based on your deployment requirements. iAS also provides a list of recommended deployment topologies in its documentation.

  • ISE Guest deployment

    Hi 
    I'm setting up an ISE (1.3) in distributed deployment with a primary and secondary node.
    Both nodes are running admin and PSN role.
    The 2 nodes are up and running and synchronised, and now i want to set up a CWA guest solution.
    So my question is:
    In case I need to do a failover to the secondary node how do we need to do the DNS registration of the portal url ? 
    Do I have to have a unique URL for each ISE, or do I need to set up the DNS pointing to both of the IP addresses that are set up on the interface of the ISE that is used for the guest portal?
    And also a separate public cert on each ISE pointing to the CN?
    Hope my question was understandable :)

    Redundancy for the sponsor portal falls into two categories: with load-balancers and without load-balancers. In both two-node environments and more than two nodes the design is the same.
    With network loadbalancers you simply create a VIP for port 8443 and use the PSNs as member servers.  Then simply configure the DNS hostname that is configured in the sponsor portal to the VIP.  
    The other options are DNS based.  You can simply have two A records for the sponsor.example.com and DNS will naturally round robin between the records.   The last option is to use a DNS load-balancer to accomplish the same task as the round robin, but with more control over which record is used when. 
    As for the cert, the recommendation for using loadbalancers is to have a shared cert on all of your PSNs. The cert should contain both the FQDN of the sponsor portal and the hostnames of all of your PSNs if you are planning on using the same cert for EAP and not just HTTPS.
    Here is the documentation on how to use F5 Big IP load-balancers 
    http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP.pdf

  • Oracle Loadbalance Issue

    Hello,
    I am trying to resolve an issue involving load balancing of Oracle using Cisco ACE load balancers. It is not too complicated of a setup, at least I don't think. There are two rservers in a server farm. I have the server farm nested within a sticky http-cookie section so that server persistence using cookies is used. During the basic testing, the load balancing is working as expected. For example, Server 1 is manually brought down and I can verify that new sessions are being served to Server 2 and vice versa.
    The issue comes in when, during testing, the user clicks on a module within the main Oracle web based application. Doing this causes a new session to be created. When this new session is created, I believe it is sent to a new server in the pool instead of sending it to the same server. It needs to be sent to the same server because that is where the user logged into the main application. Because the new server where this new session is being sent to doesn't have any record of the original login, it rejects this new session. So what I was told by Oracle support is that I need to have the ACE LB load balance by instance instead of session. I don't know if this is possible. I have pasted a sample of the config which is in use. Can someone advise if there is a command which I am not aware of which can accomplish the above stated goal?
    probe tcp TCPHTTPTEST
      port 80
      interval 5
      faildetect 2
      passdetect interval 5
      passdetect count 2
      expect status 200
      request method get url /forms/lservlet
    rserver host ORACLE_TEST_1
      ip address 10.10.110.101
      inservice
    rserver host ORACLE_TEST_2
      ip address 10.10.110.103
      inservice
    serverfarm host ORACLE_TEST_HTTP_FARM
      failaction reassign
      predictor leastconns
      probe TCPHTTPTOATST
      rserver NOVHQERP_TOATST_1 80
        inservice
      rserver NOVHQERP_TOATST_2 80
        inservice
    sticky http-cookie ORACLE_TEST GROUP8
      cookie insert
      serverfarm ORACLE_TEST_HTTP
      replicate sticky
    class-map match-all ORACLE_TEST_VIP
      2 match virtual-address 172.30.110.57 tcp eq 80
    policy-map type loadbalance first-match ORACLE_TEST
      class class-default
        sticky-serverfarm GROUP8
    policy-map multi-match CLIENT_VIPS
      class ORACLE_TEST_VIP
        loadbalance vip inservice
        loadbalance policy ORACLE_TEST
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 110
    Thanks in advance,
    Adil

    Hi Kanwalsi,
    Thank you for your response.  When I say new session, I mean a new browser window or tab is launched when a user clicks on a specific module within the main application.  Or this can be translated to mean a new quintuple (source ip: source port -> destination ip: destination port and protocol) is initiated between the client and the server.
    If you look at the sample config, server persistence using cookies is configured.  I don't have persistence rebalance configured.  Could this be the missing configuration I need to keep the client to use the same rserver within the same Oracle instance (for example, user logs into a single instance but clicks on multiple modules within an instance)?
    Adil

  • Trying to load Balance several Cisco ISE servers.

    Trying to load balance several Cisco ISE servers. For persistence, Cisco recommends using Calling-Station-ID and Framed-IP-address... Session-ID is recommended if the load balancer is capable of it. I have documentation for the Cisco ACE, but am using F5 LTMs. Assuming this has to be done with an I-Rule as none of these are available as a default. Not sure where to begin. I tried attaching the Cisco PDF, but was not able to for whatever reason.

    Please also keep in mind that when using a Load-Balancer (anyone's) you must ensure a few things.
    - Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (Routed mode LB, not NAT). No Source-NAT. This includes the Accounting messages, not just the Authentication ones.
      - This means the Load-Balancer must be in the direct path between the clients and the ISE PSNs.
      - Some organizations have used Policy Based Routing (PBR) to accomplish the path, without physically locating the Load-Balancer between the clients and the PSNs.
    - Endpoints (clients) must be able to reach each Policy Services Node directly (not going through the VIP) for redirections/Centralized Web Authentication/Posture Assessments/Native Supplicant Provisioning, and more.
    - You may want to "hack" the certs to include the VIP FQDN in the SAN field (my next blog post should cover this trick).
    - Perform sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address.
    - VIP gets listed as the RADIUS server of each NAD for all 802.1X related AAA.
    - Dynamic-Authorization (CoA):
      - If you use Server NAT to replace the PSN IP address with the VIP Address for Change of Authorization, then you would use the VIP address as the Dynamic-Authorization (CoA) client.
      - Otherwise, use the real IP Address of the PSN, not the VIP.
    - The LoadBalancers get listed as NADs in ISE so their test authentications may be answered, to keep the probes alive.
    - ISE uses the Layer-3 Address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a big reason to avoid SNAT.
    Failure Scenarios:
    - The VIP is the RADIUS Server, so if the entire VIP is down, then the NAD should fail over to the Secondary DataCenter VIP (listed as the secondary RADIUS server on the NAD).
    - Use probes on the Load-Balancers to ensure that RADIUS is responding, as well as HTTPS (at minimum).
      - LB Probes should send test RADIUS messages to each PSE periodically, to ensure that RADIUS is responding, not just look for open UDP ports.
      - LB Probe should also examine the response for HTTPS, not just look for the open port(s).
    - Use node-groups with the L2-adjacent PSNs behind the VIP.
      - If the session was in process and one of the PSNs in a node-group fails, then another member of the node-group will issue a CoA-reauth, forcing the session to begin again.
      - At this point, the LB should have failed the dead PSN due to the probes configured in the LB; and so this new authentication request will reach the LB & be directed to a different PSN…

  • SOAMANAGER - Alternative URLs for WSDLs and Endpoints  in ECC

    Hi All,
    We are publishing enterprise services using SOAMANAGER transaction in ECC system. In
    our development environments we have no problem with the process.
    However in our cert and production environments we have loadbalancers,
    with SSL offload, and so both port and URLs for the endpoints and WSDLs
    need to reflect the different port/url introduced via our loadbalancer
    and SAP web-dispatchers.
    We have looked at note 11325985, which provides good guidance - however
    when we use the alternative host / port as described on page 2 of the
    note the service cannot be saved and activated -
    Steps for Reconstruction
    Run Transaction SOAMANAGER in one of our ECC systems SED/SEQ/SEP
    Activate a standard SAP enterprise service, i.e
    ECC_CUSTBASICDATABYIDQR_V2
    In the Transport Settings tab of the Configuration of Web Service we
    enter alternative URL - our load balancers URL for cert is
    erp.XXX.com and for prod erp.XXX.com. When we save the
    service it produces the following error (when we don't specify an
    alternative Access URL there is no error):
    ERROR: ICF: Error when creating alias node: rc: unknown nMethod:
    Alias Create; return code 15
    Error Message Number Screen Number Transaction Program Table
    Regards,
    Ramesh

    1-Use the Tx: SRT_TOOLS
    2-Double-click on "Display of Extended Service in Current Client Configurations"
    3-Complete the "Configuration Name" with the name of the endpoint / service
    4-Click on run
    5-Double-click on the "Configuration Name" found in the left tree
    6-You will obtain the url you are looking for without using the SOAMANAGER
    7-Enjoy

  • ACE 4710 Connectivity ?

    Can the ACE be setup with only one interface configured and not having to place the servers on another interface?
    Some of the "lesser" loadbalancers have a "Direct Server Return" mode, where requests come in one interface and out the same interface to the server. This way you don't have to place servers inline with the LB.
    Any way to do this with the ACE?

    Yes.
    Both ACE module and ACE appliance can be configured in one arm mode.
    For One arm mode you will have to configure source NAT to ensure the server responses are routed via ACE.
    Direct server return is also possible with ACE.
    HTH
    Syed Iftekhar Ahmed

  • ACE 4710 balance among URL

    I have ACE 4710 and I need configuration:
    I have real web-server with  folders : /1/index.html, /2/index.html, /3/index.html
    I need to  balance virtual service:
    If I try to connect URL: http://server/index.html,  then ACE balance among
    http://real_server/1/index.html,
    http://real_server/2/index.html,
    http://real_server/3/index.htm
    How can I  configure ACE ?

    ACE can't modify the URL.
    But it can send redirect.
    So you could build 3 redirect rservers, and have ACE loadbalance between them.
    rserver redirect HTTP-REDIRECT1
      webhost-redirection http://real_server/1/index.html
      inservice
    rserver redirect HTTP-REDIRECT2
       webhost-redirection http://real_server/2/index.html
       inservice
    rserver redirect HTTP-REDIRECT3
       webhost-redirection http://real_server/3/index.html
       inservice
    serverfarm redirect SF_REDIRECT
      rserver HTTP-REDIRECT1
        inservice
      rserver HTTP-REDIRECT2
        inservice
      rserver HTTP-REDIRECT3
        inservice
    But even if it works, this does not sound good.
    It seems like a design done by an application server person who does not know how network loadbalancers work.
    It seems like all you need is stickiness, which you are trying to achieve by redirecting to /1 or /2 or /3.
    But this can be done differently with cookies or by just doing stickiness on source IP address.
    Gilles.
