Loadbalancing using waas with ace

I tried this configuration to load balance all TCP traffic to WAAS in the datacenter, and it worked:
ACE(config)# class-map match-any ALL-TCP
ACE(config-cmap)# 10 match virtual-address 0.0.0.0 0.0.0.0 tcp any
ACE(config-cmap)# exit
ACE(config)# policy-map type loadbalance first-match TCP-POLICY-TYPE
ACE(config-pmap-lb)# class class-default
ACE(config-pmap-lb-c)# serverfarm WAAS
ACE(config-pmap-lb-c)# exit
ACE(config)# policy-map multi-match WAAS-INTERCEPT
ACE(config-pmap)# class ALL-TCP
ACE(config-pmap-c)# loadbalance vip inservice
ACE(config-pmap-c)# loadbalance policy TCP-POLICY-TYPE
ACE(config-pmap-c)# exit
The question now: I do not want to redirect all TCP traffic of the datacenter; I want to keep some traffic from being intercepted, so I think the solution is to make class-map ALL-TCP match an access-list (not virtual-address). Do you think it will work, or does it have any limitation?
The new configuration that I want to apply:
ACE(config)# access-list all-tcp line 10 extended permit tcp any any
ACE(config)# class-map match-any ALL-TCP
ACE(config-cmap)# 10 match access-list all-tcp
ACE(config-cmap)# exit
ACE(config)# policy-map type loadbalance first-match TCP-POLICY-TYPE
ACE(config-pmap-lb)# class class-default
ACE(config-pmap-lb-c)# serverfarm WAAS
ACE(config-pmap-lb-c)# exit
ACE(config)# policy-map multi-match WAAS-INTERCEPT
ACE(config-pmap)# class ALL-TCP
ACE(config-pmap-c)# loadbalance vip inservice
ACE(config-pmap-c)# loadbalance policy TCP-POLICY-TYPE
ACE(config-pmap-c)# exit

You will need to create an HTTP loadbalance class-map to match the source address of this traffic. The configuration would look something like this:
class-map match-all TCP_ANY
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp any
class-map type http loadbalance match-any ROUTE
  2 match source-address 1.1.1.0 255.255.255.0
policy-map type loadbalance first-match TCP-POLICY-TYPE
  class ROUTE
    forward
  class class-default
    serverfarm WAAS
policy-map multi-match WAAS-INTERCEPT
  class TCP_ANY
    loadbalance policy TCP-POLICY-TYPE
    loadbalance vip inservice
Due to the nature of the WAAS traffic, you will also need to turn on mac-sticky on the interface and disable TCP normalization on the interface.
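As an added example (not from the thread or from Cisco), a small Python model of the classification the answer above configures: the VIP class TCP_ANY, the match-any ROUTE class with its source-address line, and the first-match loadbalance policy that forwards ROUTE matches past WAAS and sends everything else to serverfarm WAAS. The subnet and names come from the answer; the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One client flow as the ACE would see it (constructed sample input)."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


# class-map type http loadbalance match-any ROUTE
#   2 match source-address 1.1.1.0 255.255.255.0
# match-any: a flow matches if ANY line matches, so more subnets can be
# excluded by appending further lines to this list.
ROUTE_LINES = [ipaddress.ip_network("1.1.1.0/255.255.255.0")]


def matches_tcp_any(flow: Flow) -> bool:
    """class-map match-all TCP_ANY: match virtual-address 0.0.0.0 0.0.0.0 tcp any
    (any destination address, any TCP port, TCP only)."""
    return flow.proto == "tcp"


def matches_route(flow: Flow) -> bool:
    """match-any ROUTE: source address inside any configured subnet."""
    src = ipaddress.ip_address(flow.src)
    return any(src in net for net in ROUTE_LINES)


def tcp_policy_type(flow: Flow) -> str:
    """policy-map type loadbalance first-match TCP-POLICY-TYPE.
    first-match: the first class whose criteria match decides; class-default
    is evaluated last and catches everything the earlier classes did not."""
    if matches_route(flow):
        return "forward"            # class ROUTE -> forward (bypasses WAAS)
    return "serverfarm WAAS"        # class class-default -> serverfarm WAAS


def waas_intercept(flow: Flow) -> str:
    """policy-map multi-match WAAS-INTERCEPT: only flows hitting the VIP class
    TCP_ANY are handed to the loadbalance policy; the rest are untouched."""
    if not matches_tcp_any(flow):
        return "not intercepted"
    return tcp_policy_type(flow)


def summarize(flows) -> dict:
    """Count outcomes, e.g. to check a list of flows before applying the policy."""
    counts = {}
    for f in flows:
        action = waas_intercept(f)
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample flows: one from the excluded subnet, two others, one UDP.
SAMPLE_FLOWS = [
    Flow("1.1.1.25", "10.10.10.5", "tcp", 445),     # excluded source -> forward
    Flow("10.20.30.40", "10.10.10.5", "tcp", 80),   # optimised via WAAS
    Flow("192.168.5.9", "10.10.10.7", "tcp", 22),   # optimised via WAAS
    Flow("1.1.1.25", "10.10.10.5", "udp", 53),      # UDP: VIP class is TCP only
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>14} -> {f.dst}:{f.dport}/{f.proto}: {waas_intercept(f)}")
    print(summarize(SAMPLE_FLOWS))
```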

Similar Messages

  • WAAS with ACE - Use Ace or use WCCP or use PBR?

    Which is better to use? I need to use two ACEs in HA (active x active). But the switch router model is Enterasys, and Enterasys doesn't have WCCP but has TWCB (Transparent Web Cache Balancing, https://extranet.enterasys.com/sites/dms/DMSAssetLib/Documents/Feature%20Guides/twcbFeatGde041609.pdf), so my questions are:
    1) I have two ACEs too; is it better to use the ACE to do this or not? (In reality I think that is not the best way.)
    2) Can somebody tell me if TWCB is the same as WCCP?
    3) With PBR can I use two WAAS in active x active mode?
    Thanks

    Hi Luciano,
    I tried to open the link you provided, but it's asking me for an Enterasys username and password, so I couldn't find out what exactly this feature is. My guess is that it allows some transparent redirection similar to WCCP, but I have no clue how this is achieved. Therefore, I'm just going to speak about the other options.
    The first thing I would like to say is that, if you have to choose between PBR and ACE, I would recommend you to use the ACE. The main problem of PBR is that the redirection needs to be statically configured based on ACLs matching on the source or destination addresses, so you don't have any kind of redundancy if a WAE goes down, and you may have to rewrite the ACLs if something changes in your environment. With the ACE, the load-balancing is done dynamically, so if one of the WAEs fails or the traffic patterns change, the load distribution will be dynamically adjusted.
    Regards
    Daniel

  • Problem with ACE and Internet Explorer 8

    I have a problem with ACE (system A2(1.1)) and Internet Explorer 8.
    exactly:
    ACE is configured as end-to-end SSL with 2 rservers and with sticky source address. When the user opens the virtual address from IEv7, the web portal (on Microsoft IIS) works fine.
    If the user opens the same web portal using IEv8, the session is suspended after 60 seconds.
    I think that the reason is the HTTP keep-alive, which is sent every 60 seconds from the user's internet browser.
    Here is some information about this: http://en.wikipedia.org/wiki/HTTP_persistent_connection
    Do you have any idea how to resolve this problem: upgrade ACE, change the configuration on IIS or ACE?
    Please help.

    Hi Kazik,
    Using a persistent connection or HTTP keepalives should not have any negative effect on the ACE, so, giving you a straight-forward answer to fix it is not going to be easy.
    I would recommend you to open a TAC case to have this investigated further. When you do, please, provide the following data:
    A showtech from the Admin context of the ACE
    A traffic capture taken on the TenGig interface connecting the switch with the ACE backplane while doing a test connection (preferably one with IE7 and one with IE8 to compare)
    If possible, a copy of the SSL private key. Being able to decrypt the traffic capture to look inside the HTTP flow would really make troubleshooting much easier.
    Regards
    Daniel

  • SIP load balancing issue with ACE 4710

    SIP Load balancing Issue with ACE 4710
    I have a Cisco ACE 4710 with version A4(2.2). I configured simple SIP load balancing first without stickiness. Without stickiness we are having a problem because the BYE packet was not going to the same server all the time, which left our port in use even though the user hung up the phone. It happens randomly. I have a total of 20 licensed ports and they fill up very quickly, so I decided to use stickiness with Call-ID, but still the same issue. Below is the config:
    rserver host CIN-VOX-31
      ip address 172.20.130.31
      inservice
    rserver host CIN-VOX-32
      ip address 172.20.130.32
      inservice
    serverfarm host CIN-VOX
      probe SIP-5060
      rserver CIN-VOX-31
        inservice
      rserver CIN-VOX-32
        inservice
    sticky sip-header Call-ID VOX_SIP_GROUP
      timeout 1
      timeout activeconns
      replicate sticky
      serverfarm CIN-VOX
    class-map match-all CIN_VOX_L4_CLASS
      2 match virtual-address 172.22.12.30 any
    class-map match-all CIN_VOX_SIP_L4_CLASS
      2 match virtual-address 172.22.12.30 udp eq sip
    policy-map type loadbalance sip first-match CIN_VOX_LB_SIP_POLICY
      class class-default
        sticky-serverfarm VOX_SIP_GROUP
    policy-map multi-match GLOBAL_DMZ_POLICY
      class CIN_VOX_SIP_L4_CLASS
        loadbalance vip inservice
        loadbalance policy CIN_VOX_LB_SIP_POLICY
        loadbalance vip icmp-reply
      class CIN_VOX_L4_CLASS
        loadbalance vip inservice
        loadbalance policy CIN_VOX_LB_SIP_POLICY
        loadbalance vip icmp-reply
    interface vlan 20
      description VIP_DMZ_VLAN
      ip address 172.22.12.4 255.255.255.192
      alias 172.22.12.3 255.255.255.192
      peer ip address 172.22.12.5 255.255.255.192
      access-group input PERMIT-ANY-LB
      service-policy input GLOBAL_DMZ_POLICY
    could you please help me on this...
    thanks
    Rakesh Patel

    I mean there should be one more statement-
    class-map type sip loadbalance match-any CIN_VOX_LB_SIP_POLICY
    match sip header Call_ID header-value sip:
    and that will be called under-
    policy-map multi-match GLOBAL_DMZ_POLICY
      class CIN_VOX_SIP_L4_CLASS
        loadbalance vip inservice
        loadbalance policy CIN_VOX_LB_SIP_POLICY
        loadbalance vip icmp-reply
    is that missing in your config ?

  • FTPS with ACE 4710

    Hi,
    I need to configure ACE for load-balancing FTPS, and simply deploying L4 policies is not helping either. I configured the FTPS servers, and both of them are working fine when accessed via the physical IP, but they do not work when accessed via the VIP.
    If it is possible, a reference URL would really be a great help.

    Hi Rajiv,
    Do you want to loadbalance SFTP?
    Or just have it pass through?
    Loadbalancing SFTP is difficult because it starts as regular FTP and switches over to SSL, which ACE can't do and fails to understand.
    You don't need anything to have it pass through.
    As long as you don't ask ACE to inspect the traffic, and assuming this traffic is permitted in your access-group, then there is nothing to do to have it go through.
    I think your goal is to distribute inbound file deposits evenly across SFTP servers.
    High-level Overview
    Clients -> Internet -> Tier-1 Firewall -> ACE Load-balancer -> SFTP Servers
    I would like to tell you that SFTP is nothing but SSH. It uses a single connection. There are no issues loadbalancing it using traditional Layer 4 load balancing.
    So you are good.
    On the other hand, FTP over SSL (FTPS) can neither be offloaded nor loadbalanced using ACE.
    FTPS uses multiple channels, and since the control channel is encrypted, ACE is not able to get the port numbers for the data connections.
    Kindly find these examples for the FTP load balance method in Cisco ACE:
    1. FTP serverfarm on Cisco ACE
    http://snippets101.blogspot.com/2007/06/ftp-serverfarm-on-cisco-ace.html
    2. FTP Load Balancing on ACE in Routed Mode Configuration Example
    http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_Routed_Mode_Configuration_Example
    3. FTP Load Balancing on ACE in One-Arm Mode Configuration Example
    http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example
    Kindly refer to the following URLs for Layer 4 policies:
    http://cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3048.shtml
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide,_Release_A2(x)_--_Troubleshooting_Layer_4_Load_Balancing
    http://snippets101.blogspot.com/2008/08/cisco-ace-and-private-vlans-in-switch.html
    http://snippets101.blogspot.com/2008/08/asymmetric-server-normalization-on.html
    http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Configuring_Server_Load_Balancing
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/security/guide/tcpipnrm.html#wpmkr1116809
    Hope it will help you further in configuring the ACE load balancing L4 policies.
    Kindly rate
    Sachin Garg

  • Firewall Load Balance using bridged mode ACE

    Dear Folks,
    I'd like to load balance 2 ASAs using 3 ACE [inside, outside, dmz network zones].
    I've seen sample configurations; all of them are running the ACE in routed mode, and the ASAs are running in routed mode.
    Would it be possible to run the ACE in bridge mode? Because of the IP subnet problem, we don't have enough to split.
    By the way, if it is possible, for all servers installed behind the ACE, what default gateway should the servers point to [in our case we have 2 independent firewalls]? Should I create a VIP for both firewalls, or should I just simply set the server's gateway to the BVI interface?
    Please help. Thanks

    Thank you very much Gilles,
    You're the man. ;-)
    Another question: in my case I try to load balance a 3-interface firewall [inside, outside, dmz]. In order to make the return packet go through the same firewall it passed earlier,
    what kind of hashing technique do I need to use, and do I need to use the mac-sticky command?
    I tried to find a configuration sample on the Cisco website, but I only found one with 2 interfaces, with the ACE running source hash and destination hash at each end.
    Thank you very much

  • WAAS WITH WINDOWS SERVER 2008 AND CERTIFICATE

    172.20.203.3:135      172.20.1.191:2751     PT AD Int Error
    172.20.221.205:51786  172.20.1.176:80       PT In Progress
    172.20.1.191:2751     172.20.203.3:135      PT AD Int Error
    172.20.221.3:443      172.20.1.29:25403     PT AD Int Error
    172.20.1.176:80       172.20.221.250:64345  PT In Progress
    172.20.221.250:64345  172.20.1.176:80       PT In Progress
    172.20.203.222:57837  172.20.1.232:80       PT In Progress
    172.20.1.138:2249     172.20.140.218:139    PT AD Int Error
    172.20.1.29:25403     172.20.221.3:443      PT AD Int Error
    172.20.1.29:25452     172.20.221.3:443      PT AD Int Error
    172.20.1.138:2241     172.20.140.218:445    PT AD Int Error
    172.20.1.29:25411     172.20.221.3:443      PT AD Int Error
    172.20.1.187:8014     172.20.221.250:64349  PT In Progress
    172.20.1.176:80       172.20.221.205:51786  PT In Progress
    172.20.140.218:445    172.20.1.138:2241     PT AD Int Error
    172.20.221.3:443      172.20.1.29:25452     PT AD Int Error
    172.20.1.138:1942     172.20.221.3:445      PT In Progress
    SMB Digital Signing is enabled by default on Domain Controllers - I'll double check, but don't believe it is enabled across ALL 2008 Server, but it would be worth checking.
    Digital Signing is designed to prevent man in the middle attacks - which is precisely what WAAS is doing
    Turning it off generally improves speed by around 20% even without WAAS, and lets WAAS use full DRE and the CIFS adapter to cache files.
    Any problems, just raise a TAC case and my boys will help you out
    Edit: Link from MS which discusses it in more detail and how to turn off:
    http://support.microsoft.com/?kbid=887429
    According to that, it's NOT enabled across the board in 2008, just on the DCs.
    My company uses WAAS. As you can see above, whenever I try to do the implementation WAAS is giving me the message "PT AD Int Error" for all the connections that will be compatible with Windows. I did some research, and what's above has to do with the Windows digital certificate, which WAAS is struggling to open due to the code encrypted in the certificate. Do you happen to have a way of enabling the certificate within the module? Another option would be to disable the certificate in Windows Server 2008?

    Thiago,
    PT AD Int Error has nothing to do with SMB digital signatures. PT AD Int Error means TFO auto-discovery failed and could not negotiate an optimized flow; this happens during the TCP 3-way handshake, before digital signatures even come into play.
    A common reason for PT AD Int Error status is that another device in the path before WAAS has filled up the TCP options field with other data, thus leaving no room for WAAS to put its TCP option 0x21.
    Once you resolve the PT AD Int Error problem and a CIFS AO negotiated policy occurs, if the server/client require digital signatures then you will see the connection as T,G,D,L or T,G (meaning Generic AO).
    If digital signatures are not required, the CIFS connections will show as T,C,D,L.
    I suggest you take packet captures on both client and server side WAEs to see how SYN and SYN-ACK packets are reaching the WAE, and see if the options field is filled with data before reaching the WAE.
    If this is part of a WAAS PoC/ Demo feel free to open a case with the PDI team.
    http://www.cisco.com/web/partners/tools/pdi.html
    Otherwise, if this is in production please open a case with TAC.
    Regards,
    Mike Korenbaum
    Cisco Data Center PDI Help Desk
    http://www.cisco.com/go/pdihelpdesk
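    As an added example (not from the thread or from Cisco), a parser that reads the options out of a captured TCP SYN header and reports whether the WAAS auto-discovery option (kind 0x21, as Mike notes above) is present and how many of the 40 option bytes remain for it. The SYN samples are constructed; the contents of the 0x21 option itself are not modelled, only its presence.

```python
import struct

WAAS_AD_OPTION = 0x21   # TCP option kind WAAS uses for auto-discovery (from the reply)
MAX_OPTION_BYTES = 40   # data offset max 15 words * 4 bytes - 20-byte fixed header


def parse_tcp_options(tcp_header: bytes) -> list:
    """Return [(kind, data), ...] from a raw TCP header (IP header stripped)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("data offset outside the captured header")
    opts, parsed, i = tcp_header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP: single byte, no length field
            parsed.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d without length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return parsed


def autodiscovery_room(tcp_header: bytes) -> dict:
    """Report option kinds seen, whether kind 0x21 is there, and bytes left."""
    kinds = [k for k, _ in parse_tcp_options(tcp_header)]
    used = (tcp_header[12] >> 4) * 4 - 20
    return {"kinds": kinds, "waas_option": WAAS_AD_OPTION in kinds,
            "used": used, "room_left": MAX_OPTION_BYTES - used}


def build_syn(options: bytes, sport: int = 40000, dport: int = 445) -> bytes:
    """Constructed SYN header (checksum left zero) carrying the given options."""
    if len(options) > MAX_OPTION_BYTES:
        raise ValueError("options exceed the 40-byte limit")
    options += b"\x00" * (-len(options) % 4)          # pad to 32-bit words with EOL
    data_offset = 5 + len(options) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)  # flags byte = SYN
    return fixed + options


# Constructed option sets. A typical client SYN: MSS, SACK-permitted,
# timestamps, NOP, window scale = 20 bytes, leaving 20 bytes for WAAS.
TYPICAL_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
                + b"\x01" + b"\x03\x03\x07")
# The failure mode from the reply: an upstream device appended its own
# option (here an experimental kind 253, 20 bytes) and filled all 40 bytes.
CROWDED_OPTS = TYPICAL_OPTS + b"\xfd\x14" + b"\x00" * 18

if __name__ == "__main__":
    for name, opts in (("typical", TYPICAL_OPTS), ("crowded", CROWDED_OPTS)):
        print(name, autodiscovery_room(build_syn(opts)))
```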

  • Load-balancing inbound sftp connections with ACE

    Hi,
    Can anyone share experiences or any info relating to issues that might be encountered when load-balancing sftp protocol?
    The goal is to distribute inbound file deposits evenly across SFTP servers.
    High-level Overview
    Clients -> Internet -> Tier-1 Firewall -> ACE Load-balancer -> SFTP Servers
    Many Thanks

    SFTP is nothing but SSH. It uses a single connection. There are no issues loadbalancing it using traditional Layer 4 load balancing.
    So you are good.
    On the other hand, FTP over SSL (FTPS) can neither be offloaded nor loadbalanced using ACE.
    FTPS uses multiple channels, and since the control channel is encrypted, ACE is not able to get the port numbers for the data connections.
    HTH
    Syed Iftekhar Ahmed

  • Transparent proxy with ACE+CE (Client-ip spoof) slow response.

    I have configured a transparent proxy with ACE and CE510+Bluecoat. I also enabled client-IP spoofing. I use PBR to redirect web page requests from clients to the ACE, and I also use PBR for return traffic from any web servers to the ACE (to make a complete flow for client-IP spoofing). Everything is fine, but I have a small issue: when I try to browse to a new website and the ACE load balances my request to the CE510, it takes a long time for the page to respond; monitoring on the ACE, it shows the connection as "ESTABLISH". After the first page on this new website responds, when I try to browse other pages on the same website the response is normal. This happens every time I test. I have already sent the configuration of the ACE and CE. Could anyone please check whether anything I configured is correct? Thank you very much.

    Following link may help you
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00806b728a.html

  • Dual MPLS connection to one WAAS with inlinecard

    Hi all,
    Is it possible to use one Cisco WAAS with dual inline ports connected to two PTT routers?
    Both PTT routers are active and load balancing with BGP with the local L3 switches.
    Or is it a must to use WCCP?
    Jan

    Hi Jan,
    Just because I've previously run into problems, because WAAS obfuscates sequence numbers.
    On newer (greenfield) implementations of WAAS, BGP is set to pass-through by default.
    From this link: http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v511/configuration/guide/cnfg/apx_apps.html
    If the policies are migrated from a WAAS Central Manager running versions earlier than 4.4, the default was LS+TFO+DRE; from 4.3.x the default changed to Pass-Through.
    Best Regards
    Finn Poulsen

  • HT202667 Hi - My daughter was using her Apple TV until recently when she got a Smart TV.  Now the Apple TV is not needed so she passed it on to me.  How do I get it transferred over from her Home Sharing account to mine so that I can use it with my PC?

    Hi - My daughter was using her Apple TV until recently when she got a Smart TV.  Now the Apple TV is not needed so she passed it on to me.  How do I get her Home Sharing account transferred over to mine so that I can use it with my PC? Thanks!

    As Winston Churchill wrote, however you might want to do a factory reset on the Apple TV.
    This way all information pertaining to your daughter will be removed from the device. Specifically, if she was signed into any of the streaming services, Netflix, Hulu, etc., her credentials will still be associated with this Apple TV; doing a factory reset will remove all that and make it as if you purchased the device and just plugged it in.
    regards

  • OPEN CURSOR using a WITH clause in the select query

    Hi,
    I am using Oracle 9i. I have a requirement where I have a REFCURSOR as an OUT parameter for my procedure. I have declared the TYPE and created the procedure.
    In the procedure, I am using OPEN <cursor_name> FOR <query>;
    Ideally this works in most of the cases that I have tried earlier. However, in the current case I am using a WITH clause in my query to get the results.
    I need help in understanding if the above mentioned syntax would not allow me to use the WITH clause in the query.

    What error do you get , seems to work ok for me on 10g
    SQL> begin
      2  open :cv for 'with x as (select * from emp)  select * from x';
      3  end;
      4  /
    PL/SQL procedure successfully completed.
    SQL> print :cv
         EMPNO ENAME      JOB              MGR HIREDATE         SAL       COMM     DEPTNO
          7521 WARD       SALESMAN        7698 22-FEB-81       1250        500         30
          7566 JONES      MANAGER         7839 02-APR-81       2975                    20

  • My iPhone 4 will not sync my new voice memos from the "Voice Memos" app to my computer. This is frustrating, should not be so hard, can someone please help. I use PC with windows 7 with iPhone version 6.1.3 and iTunes most recent. Thanks.


    In the Music tab of iTunes, do you have 'Include Voice Memos' checked?

  • I ordered my Macbook Air with Aperture two years ago. I now have an iMac - can I use that with Aperture in any way?

    I ordered my Macbook Air with Aperture two years ago. I now have an iMac - can I use that with Aperture in any way? I appreciate that it is a different computer but I am now the end user of both devices and I was just wondering if it was possible.
    Thanks,
    Sean

    The answer would be in your software license agreement for Aperture. However if you cannot locate it you can ask in the Aperture forum, the link for that is:
    https://discussions.apple.com/community/professional_applications/aperture
    However I believe you can have Aperture installed on two machines however only one may be using it at a time.
    On the new iMac launch the Mac App Store - Purchased - look for Aperture and download to your new machine.

  • How do I use LDAP with iMQ 2.0?

    I am looking for an example to see how to use LDAP with iMQ 2.0.
    I was able to set up the config settings to access a local LDAP,
    but iMQ authentication still rejects valid logins.
    Let me know if I can find more info someplace.

    You can also find an example I put together in the Sun One knowledge base.
    If you go here:
    http://knowledgebase.iplanet.com/NASApp/ikb/index.jsp
    Search for article 7772
    Alternatively here is the direct link
    http://knowledgebase.iplanet.com/ikb/kb/articles/7772.html
