Persistent connections on Cisco ACE
Hello Team,
Currently I have the below persistence settings for the vips and they are set as cookie based which would match where a session cookie is used.The cookie is set for "browser-expire" . So, this will allow the clients browser to expire the cookie when the session ends.
ASH
====
sticky http-cookie http-cookie-default 206.80.50.110:80
cookie insert browser-expire
serverfarm 206.80.50.110:80
sticky http-cookie http-cookie-default 206.80.50.110:443
cookie insert browser-expire
serverfarm 206.80.50.110:443
Please see the following snippet of information from Akamai:
============================================
"It has come to our attention that your Origin does not support pconns. This may possibly result in a significant overhead. Can you enable pconns on the load balancer and also back to the Origin with a idle timeout of 301 or 302 seconds? Our default is 300 secs of idling before terminating a pconn, so one sec more will avoid a race condition (assuming your server and NLB clock is sync'ed using NTP)"
I am assuming that this refers to TCP connections from the Akamai Edge Server to our end Load Balancer
I am presuming that they make a TCP connection(s) to the LB from the Akamai Edge Server and use it for multiple requests from clients and they would need ties connections to remain active for at least 301 seconds
Can this request be made possible. Pls assist. Thanks !!
regards,
Karthik
Hi Karthik,
I believe you are confusing persistence with stickiness. What they mean by a persistent connection is one in which multiple HTTP requests are sent inside the same TCP flow, and ACE will always accept those.
I would suggest you to go back to Akamai and clarify what exactly is the issue, along with some more details on how they reached that conclussion, and then we can see if there is any way to avoid the problems.
Regards
Daniel
Similar Messages
-
Slow connection in one server if accessing through Cisco ACE
Hi,
Good day, Can someone help me on my problem? I have 3 servers, server1, server2 and server3. When one pc accessing the server 3 application via Cisco ACE, it experienced a slow connection but when direct access without Cisco Ace, it's fast. The connection of this PC through cisco ace and direct access have no issue.
What need to do in my configuration? Below is my configuration
logging enable
logging timestamp
logging trap 7
logging buffered 7
logging monitor 7
logging host 167.81.126.5 udp/514
logging host 137.55.152.147 udp/514
resource-class SG_01
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 10.00 maximum equal-to-min
boot system image:c4710ace-mz.A3_2_0.bin
login timeout 30
peer hostname singapore-ace2
hostname singapore-ace1
interface gigabitEthernet 1/1
channel-group 14
no shutdown
interface gigabitEthernet 1/2
channel-group 14
no shutdown
interface gigabitEthernet 1/3
channel-group 14
no shutdown
interface gigabitEthernet 1/4
channel-group 14
no shutdown
interface port-channel 14
description ISOLAN-ACE-TRUNK
ft-port vlan 99
switchport trunk native vlan 1
switchport trunk allowed vlan 12,14,112
no shutdown
clock timezone SGT 8 0
ntp server 137.55.152.1
context Admin
member SG_01
access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit icmp any any
ip domain-name ysn.psg.philips.com
probe http singapore_01
description This probe used to monitor application url-app-script
interval 5
passdetect interval 5
request method get url /insiteserverstatus/insiteserverstatus.aspx
expect status 200 200
open 1
probe http singapore_02
description This probe used to monitor IIS-login-page
interval 5
passdetect interval 5
request method get url /InSiteLumiledsApplication/
expect status 200 200
open 1
probe icmp uplink
description This probe used in conjunction with ft track host
interval 2
faildetect 2
passdetect interval 3
parameter-map type connection PARAM_L4STICKY-IP
exceed-mss allow
rserver host sggysnysn1ms013
ip address 137.55.152.135
inservice
rserver host sggysnysn1ms014
ip address 137.55.152.136
inservice
rserver host sggysnysn1ms018
ip address 137.55.152.145
inservice
serverfarm host PLI9058
probe singapore_01
probe singapore_02
rserver sggysnysn1ms013
inservice
rserver sggysnysn1ms014
inservice
rserver sggysnysn1ms018
inservice
sticky ip-netmask 255.255.255.255 address both SG_GROUP_01
timeout 720
replicate sticky
serverfarm PLI9058
class-map type management match-any HTTPS-ALLOW_CLASS
class-map match-all L4STICKY-IP_141:ANY_CLASS
2 match virtual-address 137.55.152.141 any
class-map type http loadbalance match-any NO_MS018
50 match source-address 137.55.155.31 255.255.254.0
class-map type management match-any SSH-ALLOW_CLASS
2 match protocol ssh source-address 167.81.124.0 255.255.255.192
3 match protocol ssh source-address 167.81.126.0 255.255.255.192
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
class class-default
sticky-serverfarm SG_GROUP_01
insert-http X-Forwarded-For header-value "%is"
policy-map multi-match PLI9058-VIPs_POLICY
class L4STICKY-IP_141:ANY_CLASS
loadbalance vip inservice
loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
loadbalance vip icmp-reply
connection advanced-options PARAM_L4STICKY-IP
interface vlan 12
description Client-side vlan
bridge-group 1
no normalization
mac-sticky enable
access-group input ALL
access-group output ALL
service-policy input PLI9058-VIPs_POLICY
no shutdown
interface vlan 14
ip address 137.55.152.236 255.255.255.248
peer ip address 137.55.152.237 255.255.255.248
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 112
description Server-side vlan
bridge-group 1
no normalization
access-group input ALL
access-group output ALL
nat-pool 1 137.55.152.141 137.55.152.141 netmask 255.255.255.192 pat
no shutdown
interface bvi 1
ip address 137.55.152.189 255.255.255.192
alias 137.55.152.188 255.255.255.192
peer ip address 137.55.152.190 255.255.255.192
description Bridge-Group 1 Virtual Interface
no shutdown
ft interface vlan 99
ip address 192.168.1.1 255.255.255.252
peer ip address 192.168.1.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 100
heartbeat count 10
ft-interface vlan 99
ft group 1
peer 1
priority 150
peer priority 50
associate-context Admin
inservice
ft track host test1
track-host 137.55.152.234
peer track-host 137.55.152.235
peer probe uplink priority 50
probe uplink priority 50
ip route 0.0.0.0 0.0.0.0 137.55.152.233Hi Earsdale,
All the three servers are using the same configuration, so, I'm afraid it's not possible to give you a simple answer. You will need more troubleshooting.
I would recommend you to start by checking the differences between the servers because one of those differences is certainly causing the failure.
Also, it would be helpful to get traffic captures on the TenGig interface of the ACE to compare the behavior of the connection when going to the different servers, as well as the differences when being load-balanced vs accessing the server directly.
If you need help with this troubleshooting, you can always open a TAC service request
Regards
Daniel -
Cisco ace mibs for concurrent connection on real and virtual servers
i have loaded cisco provided mibs for cisco ace into nms but i am not able to fetch the details from ace appliance 4710.where can i find IODs for this.
would really appreciate if anyone can help me regarding thisHi Manohar,
you need two MIBs:
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Normale Tabelle";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SLB-MIB.my
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENHANCED-SLB-MIB.my
The current connection you will find in the section:
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Normale Tabelle";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
slbVServerInfoTableEntry .1.3.6.1.4.1.9.9.161.1.4.2.1
Example:
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Normale Tabelle";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
slbVServerNumberOfConnections .1.3.6.1.4.1.9.9.161.1.4.2.1.6.1.44
Use a MIB-Browser to find out the OID for each server.
Best Regards,
Achim -
How Cisco ACE open connections to rservers?
Hi
How Cisco ACE decides that a new connection must be open to an rserver? I observed a spike of connections to 10x normal and want to understand what makes ACE open more connections to the rservers (besides more traffic coming in).
As a follow up, is there a way I can check if sessions are getting replicated across rservers? I am using 'persistence rebalance' strict along with ‘cookie-insert’ for session stickiness.
I am on a ACE20-MOD-K9 using system A2 (3.5)
Regards,
ManuelI do not know the answer to the connection question but I may be able to help on the session question.
Now, if you are referring to session replciation between two ACE modules? If so, you can do 'sho sticky database detail' and you will see two lines at the bottom of each entry for
created-from-HA-peer: FALSE
HA-replicated-at-least-once: TRUE
Now if you wanting to see if sticky sessions are divided evenly between the rservers, I often use
sh sticky database group | inc | count
and then run that for both real servers and will show how many sticky entries are on each real server. -
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
Thanks....!
-Amal-Dear Kanwal,
I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
Following are my latest config :
probe http Get-Method
description Check to url access /OA_HTML/OAInfo.jsp
interval 10
faildetect 2
passdetect interval 30
request method get url /OA_HTML/OAInfo.jsp
expect status 200 200
probe udp http-8000-iRDMI
description IRDMI (HTTP - 8000)
port 8000
probe http http-probe
description HTTP Probes
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
request method get url /index.html
expect status 200 200
probe https https-probe
description HTTPS traffic
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
ssl version all
request method get url /index.html
probe icmp icmp-probe
description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
description ebsapp1.xxxx.lk
ip address 172.25.45.19
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
rserver host ebsapp2
description ebsapp2.xxxx.lk
ip address 172.25.45.20
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
serverfarm host ebsppsvrfarm
description ebsapp server farm
failaction purge
predictor response app-req-to-resp samples 4
probe http-probe
probe icmp-probe
inband-health check log 5 reset 500
retcode 404 404 check log 1 reset 3
rserver ebsapp1 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
rserver ebsapp2 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
sticky http-cookie jsessionid HTTP-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map match-all ebsapp-vip
2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
class default-compression-exclusion-mime-type
serverfarm ebsppsvrfarm
class class-default
compress default-method deflate
sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
class ebsapp-vip
loadbalance vip inservice
loadbalance policy ebsapp-vip-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 455
interface vlan 455
ip address 172.25.45.36 255.255.255.0
peer ip address 172.25.45.35 255.255.255.0
access-group input ALL
nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int455
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
no preempt
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply me soon
Thanks....!
-Amal- -
Urgent!!! Cisco ACE and asymetric routing assistance needed
I am wondering if someone can give me pointers on the cisco ACE
and asymetric routes. I've attached the diagram:
-Cisco IOS IP address is 192.168.15.4/24 and 4.1.1.4/24
-Firewall External interface is 192.168.15.1/24,
-Firewall Internal interface is 192.168.192.1/24,
-F5_BigIP External interface is 192.168.192.4/24,
-F5_BigIP Internal interface is 192.168.196.1/24 and 192.168.197.1/24,
-host_y has IP addresses of 192.168.196.10/24 and 192.168.197.10/24,
-Checkpoint has static route for 192.168.196.0/24 and 192.168.197.0/24
pointing to the F5_BigIP,
-host_y is dual-home to both VLAN_A and VLAN_B with the default
gateway on host_y pointing to VLAN_A which is 192.168.196.1,
-host_x CAN ssh/telnet/http/https to both of host_y IP addresses
of 192.168.196.10 and 192.168.197.10.
In other words, from host_x, when I try to connect to host_y
via IP address of 192.168.197.10, the traffics will go through VLAN_B
but the return traffics will go through VLAN_A. Everything
is working perfectly for me so far.
Now customer just replaces the F5_BigIP with Cisco ACE. Now,
I could not get it to work with Asymetric route with Cisco ACE. In
other words, from host_x, I can no longer ssh or telnet to host_y
via IP address of 192.168.197.10.
Anyone knows how to get asymetric route to work on Cisco ACE?
Thanks in advance.That won't work because ACE uses the vlan id to distinguish between flows.
So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.
Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.
You would need to force your host to respond on the same vlan the traffic came in.
This could be done with client nat on ACE using different nat pool.
Gilles. -
Looking up a specific connection on the ACE
Hi.
We're running the ACE SMs version A2(3.3) and need to be able to look up the connection that traversed the ACE awhile ago. Since it was a successful connection, it didn't get register in the logs. Is there any other way to find it?
thanks..
Greg...Hi Greg,
depending on the version of the ACE. The connection may be their on ACE for max 3600 seconds. ( idle connection)
If you are curious to track a connection which has been established within an hour and not closed by client then you can use the following link that explains everything.
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Troubleshooting_Connectivity#Internal_Mapping_of_ACE_TCP_and_UDP_Flows
Read section : Tracking Connections Through the ACE
Ideally commands such as
show conn details or show conn
You can also filter with pipe specifying the ip address of client
show conn detail | in 10.10.10.10
regards,
Ajay Kumar -
Cisco ACE compatiblity with F5 GTM
Hi,
We have cisco ace 30 modules installed in cisco 6500 switches. For application availability purpose from the internet, we need to have some global site selector/3rd party devices with similar feature set that of cisco gss.
My question is: whether cisco ace is compatible to ge tintegrated with other 3rd party devices like F5 GTM?
kindly sugegst..Good afternoon,
I'm not familiar with the GTM solution, but, as long as it's DNS-based like the GSS, it should be perfectly compatible. Bear in mind that the ACE is not aware on how clients are getting the IP address, it just replies to whatever connections it gets.
Regards
Daniel -
Cisco ACE - "show conn" command queries
Hi all,
i have some queries regarding the "show conn" command in Cisco ACE.
Working Scenario:
VIP : 10.10.10.1
Server 1 : 10.10.20.1
Server 2 : 10.10.20.2
Client: 30.30.30.1
When a client 30.30.30.1 initiates a connection to the VIP on 10.10.10.1, the ACE load balances it to Server 1, 10.10.20.1. Looking at the "show conn" table, it shows that Server 1 is replying back to the Client 30.30.30.1 through the ACE.
Now, my question is when the ACE returns the traffic to the Client, should the Client be seeing the source IP coming from the VIP or Server 1? My understanding is that the Client should be seeing traffic returning from the VIP. But the show conn table does not seem to suggest so.
show conn table
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
1768 1 in TCP 10 30.30.30.1:9221 10.10.10.1:80 ESTAB
41 1 out TCP 52 10.10.20.1:80 30.30.30.1:9221 CLOSEDDaniel,
The client is expecting a response from the VIP otherwise there would be an asymmetrical routing problem and conns will never complete.
The fact that you're seeing 30.30.30.1 as the destination address is just that the server is able to see client's IP address on the request, when your backend servers sends the reply back to the client this response is forced to go through the ACE, when the ACE looks at the packet it matches with a previously conn created on the flow table so it "NATs" the reply so now the source of the packet is the VIP and destination is 30.30.30.1.
This is a expected behavior as you're not using S-NAT on your network.
HTH.
Pablo -
How to test a cisco ACE loadbalancer.
Hello guys, I am new on this site. I have deployed a Cisco ACE 4710 loadbalancer, and it is loadbalancing 2 real servers. Is there any way or commands I can use to see if it is loadbalancing properly.
"show serverfarm" will show you the load-balanced connections to each real. Also try "show service-policy <> class-map <> detailed" and check client and server hits counts.
"show connection" also. -
VPC / Cisco ACE and the Nexus 2K and 5K
Hi all,
So we have a test environment that looks like the following. We have 2 5K's switch 1 and switch 2. Switch 1 has two 10gb connections downstream to a 2K and switch 2 has two 10Gb connections downstream to the other 2K. We have a few servers that are multi-homed with LACP and VPC via the 2Ks and it works a treat.
We have our Cisco ACE 01, ports 1 and 2 going to one of the 2K's and we have ports 3 and 4 going to the other 2K, ACE02 ports 1 and 2 going to one of the 2K's and we have ports 3 and 4 going to the other 2K. If i enable VPC and none LACP based etherchannel i cannot get the ACE's talking to each other, but looking at the VPC status its all healthy and up.
Has anyone managed to multi-home the ACE between two 2K's with VPC successfully?
If I disable the links so each ACE only has links upstream in a traditional port-channel and not cross connected, the ACE's can see each other with no issues.
CheersDoh.. so we had a cable patching issue in the end. Let this be a lesson to all networking chaps - always check the basics first! Now we have patched the cables as per design the VPC has been established and works.
Now we have VPC is working we are simulating link failures. When we restore a shutdown physical port within the port-channel/VPC that sits between the 2K and ACE (simulating a port failure) the ACE's lose sight of each other for about 10 seconds and causes an short outage until the port is up and up. The logs on the ACE show 'the Peer x.x.x.x is not reachable. Error: Heartbeat stopped. No alternate interface configured' but the VLAN for the FT interface is carried over all four ACE NIC's that are multi-homed to two 2K's... very strange, i would not expect this, it's like the MAC addresses for the FT interface are waiting to be timed out on the 2K until they are switched on another interface within the port-channel and VPC.
Anyone seen this before? -
Cisco ace Load balancer not maintaining session persistence
Hi All,
We have observed from the IIS logs on the internal webservers that loadbalancer is not maintaining session persistence for two specific request for the internal servers.
https://123.xyz.com/Webresource.axd
https://123.xyz.com/ScriptResource.axd
Error
Webresource.axd : 500
Scriptresource.axd: 404
Session persistence is maintained for all other requests hitting loadbalancer.
Issue is observerd on hits for these two specified components. WebResource.axd and ScriptResource.axd are Http Handlers used by ASP.NET and Ajax to add client-side scripting to the outgoing web page.
For e.g /WebResource.axd d=t2GXfySdqWmJ-lZSI0KVbw2&t=634868473645172160 is valid for server 1 and return 200 response but the same request is seen on few other servers where the response is 404 even though load balancer cookie is same. This means that if the request for the both the axd contains a valid decrypter and it connects to the right server then the response seen is 200.
The url passed by the user contains d and t parameters when are unique for each user session.
Solution tried:
Accessed website via another VIP without http redirect rule but could not see difference.
Tried to match machine key across all servers : Failed . Could see the ‘d’ value different for each server.
Load balancer VIP :
x.x.x.x
redirect: http > https
SSL Offload : ON
Poool:
WEB1
WEB2
WEB3
WEB4
WEB5
All servers listening on port 80
sticky config:
sticky ihttp-cookie cookie1 vip-1.1.1.1-80-stickyfarm
cookie insert browser-expire
replicate sticky
serverfarm vip-1.1.1.1_80
sticky http-cookie cookie1 vip-farm:1.1.1.1:443
cookie insert browser-expire
replicate sticky
serverfarm farm:1.1.1.1:443
Has anyone else come across similar issue?
Can you plese check if there is any config on cisco ace that will ensure that session persistence is maintained for these 2 requests.
Thank you for all the help.
regards,
SangramHello Sangram,
We would need simultanous packet traces before and after the ACE to get to the root cause of this issue so I would recommend that you open a cisco tac case for more in depth troubleshooing of this issue.
Joel Lamousnery
CCIE R&S - 36768
Engineer, Customer Support
Technical Services -
How long is Persistent connection last?
As long as the content rule is matched, the persistent connection remains in the flow. Can I set the time like the sticky?
For the duration of persistent connection, is it behave the same way as sticky? I'm confused :(
BradThese might help you understand persistence: http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/contrule.htm#xtocid2610130 and http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/contrule.htm#92523
-
T3 Oracle´s proprietary tunneling protocol and Cisco ACE
Does anybody know if it is possible to load balance the T3 Oracle´s proprietary tunneling protocol supported by Oracle Weblogic with Cisco ACE?
TIA,
Claudio UemuraHI Claudio,
I don't know much about T3 protocol, in short you can load balance almost anything really, the issue becomes to how granular and if you can do any intelligent inspection besides source and dest ip and if there are multiple different connections on different ports. These last points sort of decide whether it's worth it.
- If you find the specifics about the connection ( port, type of protocol and type of connection ( long-lived or short lived) you should be able to setup a basic rule to test. A sniffer trace will give you the most information if oracle website does not explain T3 in detail.
- From a quick search there also looks to be a method to encapsulate T3 inside a http packet on weblogic servers, if this were the case then you could do some deep packet inspection with regex etc to get more granular load balancing
http://forums.oracle.com/forums/thread.jspa?threadID=706909
I would think it's defintely worth looking at both options
cheers,
Chris -
VPN client connect to CISCO 887 VPN Server bat they stop at router!!
Hi
my scenario is as follows
SERVER1 on lan (192.168.5.2/24)
|
|
CISCO-887 (192.168.5.4) with VPN server
|
|
INTERNET
|
|
VPN Cisco client on xp machine
My connection have public ip address assegned by ISP, after ppp login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN.
They can ping only router!!!
They are configured with Cisco VPN client (V5.0.007) with "Enabled Trasparent Tunnelling" and "IPSec over UDP NAT/PAT".
What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
Peraps ACL problem?
Building configuration...
Current configuration : 5019 bytes
! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname gate
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-453216506
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-453216506
revocation-check none
rsakeypair TP-self-signed-453216506
crypto pki certificate chain TP-self-signed-453216506
certificate self-signed 01
quit
ip name-server 212.216.112.222
ip cef
no ipv6 cef
password encryption aes
license udi pid CISCO887VA-K9 sn ********
username adm privilege 15 secret 5 *****************
username user1 secret 5 ******************
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key 6 *********\*******
dns 192.168.5.2
wins 192.168.5.2
domain domain.local
pool SDM_POOL_1
save-password
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
ip address 10.10.10.10 255.255.255.0
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.5.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ******@*******.****
ppp chap password 0 alicenewag
ppp pap sent-username ******@*******.**** password 0 *********
ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
dialer-list 1 protocol ip permit
line con 0
line aux 0
line vty 0 4
transport input all
endHello,
Your pool of VPN addresses is overlapping with the interface vlan1.
Since proxy-arp is disabled on that interface, it will never work
2 solutions
1- Pool uses a different network than 192.168.5
2- Enable ip proxy-arp on interface vlan1
Cheers,
Olivier
Maybe you are looking for
-
How to attach a document for a resume on a iPad
How to attach a document to a resume using a ipad
-
Can we call a package inside a package
Dear Sir Can we create a package inside a package or can we call a a package inside a package?.If yes.How we can create and call a package inside a package? Regards Thakur Manoj
-
BEA WebLogic vs OAS/OC4J: application redeployment
Hi gang I'm currently researching solutions to JEE application redeployment, or more specifically when you want to update an existing deployed application on a JEE app server, how can you do so with minimal interruption to the users? From my research
-
Are there any parameters you can add to the end of a PDF HTML link to make it open in a particular size (such as 80%)? I guess this assumes that the user is using an Adobe product to open a PDF but i was curious.
-
Designing opinions about a network database application
Hi all, I want to develop a small application with Java that will manage data. The size of the data is small. I do not need a client server database (ex.Oracle or Sql server). I also want to make a version of these application to work as desktop appl