Remove load balancing...
Oracle 10gR2 RHEL 4 AS 64bit
I wanted to know is there a way to remove load balancing in RAC? Would I just set the LOAD_BALANCE parameter to OFF in the TNSnames.ora file? Would that take care of it? The problem is occurring because developers are trying to upload images into the database (using jumploader) and the file is stored on the first node. What happens is during the upload a procedure searches for the file on the second node (when it is actually on the first node) and then an error is returned. Below are my current TNS entries:
PROD =
  (DESCRIPTION =
    (LOAD_BALANCE = ON)
    (FAILOVER = ON)
    (ADDRESS = (PROTOCOL = TCP)(HOST = node1-vip)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCP)(HOST = node2-vip)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = TAF)
      (FAILOVER_MODE =
        (TYPE = SELECT)
        (METHOD = BASIC)
        (RETRIES = 180)
        (DELAY = 1)
      )
    )
  )
TAF =
  (DESCRIPTION =
    (LOAD_BALANCE = ON)
    (FAILOVER = ON)
    (ADDRESS = (PROTOCOL = TCP)(HOST = node1-vip)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCP)(HOST = node2-vip)(PORT = 1521))
    (CONNECT_DATA =
      (SERVICE_NAME = TAF)
    )
  )
PROD2 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = node2-vip)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = PROD)
      (INSTANCE_NAME = PROD2)
    )
  )
PROD1 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = node1-vip)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = PROD)
      (INSTANCE_NAME = PROD1)
    )
  )
In this case, changing the tnsnames.ora file alone won't do it. RAC has two independent load balancing sides, client side (tnsnames level) and server side (listener level). The client side is simply a random (yep, random) picking of a listener on an instance to go to. On the server side, however, a given listener can then hand that connection off to another listener on a less loaded machine. Even if you connect via tnsnames to a specific instance, you may be connected to another machine.
Your best bet would be to use services; you can create a service in the cluster that can connect to a specific node with a different service name than the "standard" connection. I have used this for reporting instances on a specific node cluster. You then create a new tnsnames alias to point to that new server. Note: if you use the SERVICE_NAMES parameter within your database this will not work, as anything pointed to by it will override the service names.
An alternate idea would be to NFS mount your filesystem that contains the pictures to each of your remaining RAC nodes.
Cheers
Jay Caviness
http://www.grumpy-dba.com
Similar Messages
-
Error using load balancer in ebusiness suite R12
Hi
Has any one used Cisco 11503 load balancer in their ebusiness implementation
we have upgraded a customer instance from 11i10cu2 to 12.0.6. we have configured the R12 instance for load balancer as per metalink note 380489.1
when we access the ebusiness suite, we hit the issue as mentioned below:
You cannot complete this task because one of the following events caused a loss of page data. Possible Causes:
You have left your login session idle past the timeout period. A system failure has occurred. The application server is incorrectly configured and does not send a session cookie to the client browser. If you were testing in JDeveloper: JDeveloper OC4J process did not fully shut down before restarting the application. You closed one of the Internet Explorer browser windows while the request is being processed in another Internet Explorer window. Closing an Internet Explorer window causes OC4J to expire a user session. OC4J XML files in your JDeveloper user home system directory have been modified or corrupted.
As per many Metalink notes, this may occur due to the load balancer, for example note 755825.1.
We then removed the load balancer setting from the applications context file (xml file) and the issue doesn't occur.
So the issue seems to be with the load balancer setting; however, we couldn't find any doc which mentions settings for the Cisco 11503 load balancer.
We saw notes for BigIP and Cisco ACE load balancers in Metalink 601694.1.
Customer is also unable to help here as to what setting needs to be changed.
Can someone kindly advise
Have you opened a case with Cisco to see if they can help? Has persistence been enabled on the load balancer? Is there some kind of timeout enabled on the balancer? I do not know much about load balancers, but the settings should be somewhat similar across all of them. See if these docs help
601694.1 - How To Check Session Persistence On BigIP F5 And Cisco Ace Load Balancer Appliances
390173.1 - How to prevent Self-Service session expiry when Using Radware's APSolute Insite Software Loadbalancing Software
HTH
Srini -
ACE 4710 one-arm L4 load balancing removes accept-encoding?
We have built a simple one-arm PAT config to round robin load balance two Varnish servers. In the "Default L7 load-balancing action" we have left compression to "N/A". It looks like the ACE removes "Accept-Encoding: gzip, deflate" from the client header.
Is this normal behaviour? We would like the Varnish to do the compression. Do we need to modify the headers to get this through the ACE?
Hi,
Yes this does seem to be the behavior. Please read below:
HTTP compression is a capability built into web servers and web browsers to improve site performance by reducing the amount of time required to transfer data between the server and the client. Performing compression on the ACE offloads that work from the server, thereby freeing up the server to provide other services to clients and helping to maintain fast server response times.
When you enable HTTP compression on the ACE, the appliance overwrites the client request with "Accept-Encoding identity" and turns off compression on the server-side connection. HTTP compression reduces the bandwidth associated with a web content transfer from the ACE to the client.
So ACE rewrites the ACCEPT-ENCODING header to IDENTITY to indicate to the server that it should not compress the return data. That would be done by ACE.
Also, default method is used when client comes with both gzip or deflate for "ACCEPT ENCODING". For compression to work, a client must send a request with an ACCEPT-ENCODING method of gzip or deflate. If a client sends both methods, then the ACE uses the configured method(default method).
Also, you can see whether ACE is compressing the packets in "show service-policy detail".
switch/Admin# show service-policy L7_COMP_SLB_POLICY detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 108
service-policy: L7_COMP_SLB_POLICY
class: vip
VIP Address: Protocol: Port:
2.0.5.1 tcp eq 80
loadbalance:
L7 loadbalance policy: pm
VIP ICMP Reply : ENABLED
VIP state: OUTOFSERVICE
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : pm
class/match : h
ssl-proxy client : c
LB action :
primary serverfarm: sf1
state: DOWN
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : on <------------------------------ Compression is enabled if the value is "on"
compression bytes_in : 0 bytes_out : 0 <--- Number of bytes transmitted after compressing the server response
Compression ratio : 0.00% <------------------------------ Percentage of data compressed
Gzip: 0 Deflate: 0 <--------------- Number of times the method is used
compression errors: _
User-Agent : 0 Accept-Encoding : 0 |
Content size: 0 Content type : 0 |
Not HTTP 1.1: 0 HTTP response error: 0 |-- Check these error counters to see if they are increasing
Let me know if you have any questions.
Regards,
Kanwal -
How to remove farm account from Application Discovery and Load Balancer Service Application
Hello Community
Using SharePoint 2010 Server I think the reason
the User Profile Synchronization would stop is because somehow the farm
account was registered as a managed account. So I removed the farm
account from all services that ran under the farm account so that I could
run Remove-SPManagedAccount or click the Remove icon in manage service accounts
and then unregister the farm account as a managed account.
But before I can run Remove-SPManagedAccount I need to remove it from one more
service account that uses the farm account which is:
"Application Discovery and Load Balancer Service Account".
However, nothing seems to remove it from there.
I tried :
get-spserviceapplication | where {$_.TypeName -match "Application Discovery and Load Balancer Service Application"}
and then
stop-spserviceinstance "dde7fbef-b068-4687-bedb-f67230efab5a"
amongst a host of other methods so that I could ultimately
unregister farm account as a managed account.
But no matter what I do when I try to remove the farm account from Application Discovery
and Load Balancer Service Application
and then unregister the farm account as a managed account a message always says
"Application Discovery and Load Balancer Service Application" is using the farm account
as its service account.
What can I do to free the farm account from Application Discovery and Load Balancer Service Application?
Thank you
Shabeaut
The Farm Account is always a Managed Account and can never be "unmanaged". You don't have to set the automatic password roll.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Azure Load Balancer - Query for VMs in rotation or removed from rotation
From what I can tell, there is no way to know if any of the VMs configured as part of a Load-Balanced Set has been taken out of rotation. I see a PS script to set the Azure Load Balancer Endpoint -
Set-AzureLoadBalancedEndpoint. But there is no way from what I can tell via
PS or in the Portal to notify or alert me when a VM is no longer part of the LB Set due to some issue. What is the roadmap to make this available via a PS Script, Azure Portal, or via SCOM?
Hi,
From my experience, this issue was more related with Windows Azure network, I suggest you move to that forum for a better help.
The forum link was:
http://social.msdn.microsoft.com/Forums/en-US/home?forum=WAVirtualMachinesVirtualNetwork
Best Regards -
Hi,
I am new in ACE 4700. I have configured ACE 4700 for load balancing the FAX servers. Probe, ServerFarm, Real server, Virtual server, VIP state every thing is up and in service. But I am not able to access the real server using VIP IP address.
Below is the running configuration. Please help me to troubleshot the problem.
HOB-ACE-1/Admin# sh run
Generating configuration....
no ft auto-sync startup-config
boot system image:c4710ace-mz.A3_2_0.bin
hostname HOB-ACE-1
interface gigabitEthernet 1/1
description Man_HOB_1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
description VIP_HOB_1
switchport access vlan 24
no shutdown
interface gigabitEthernet 1/3
description HA_HOB_1
switchport access vlan 180
no shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
probe icmp ICMP_PROBE1
interval 15
faildetect 4
passdetect interval 60
passdetect count 5
receive 5
rserver host MFREFSAS497
description MAAFAXSERVER
ip address 10.16.12.148
conn-limit max 4000000 min 4000000
inservice
rserver host MSHOFCFS489
description HOBFAXSERVER
ip address 10.26.12.130
conn-limit max 4000000 min 4000000
inservice
serverfarm host SFHOBACE-1
description SFHOBACE-1
predictor hash header Accept
probe ICMP_PROBE1
rserver MFREFSAS497 80
conn-limit max 4000000 min 4000000
inservice
rserver MSHOFCFS489 80
conn-limit max 4000000 min 4000000
inservice
class-map match-all VSHOBACE-1
2 match virtual-address 10.26.24.242 any
class-map type management match-any remote_access
201 match protocol xml-https any
202 match protocol icmp any
203 match protocol telnet any
204 match protocol ssh any
205 match protocol http any
206 match protocol https any
207 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match VSHOBACE-1-l7slb
class class-default
serverfarm SFHOBACE-1
policy-map multi-match global
class VSHOBACE-1
loadbalance vip inservice
loadbalance policy VSHOBACE-1-l7slb
loadbalance vip icmp-reply
nat dynamic 1 vlan 24
nat dynamic 1 vlan 1000
service-policy input global
interface vlan 24
description "Client VLAN"
ip address 10.26.24.243 255.255.255.0
access-group input ALL
no shutdown
interface vlan 1000
ip address 10.26.12.132 255.255.255.0
peer ip address 10.26.12.133 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ft interface vlan 180
ip address 192.168.180.2 255.255.255.248
peer ip address 192.168.180.3 255.255.255.248
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 180
ft group 1
peer 1
priority 140
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 10.26.12.1
snmp-server contact "HOB_ACE"
snmp-server location "HOB"
snmp-server community FAXSERVER group Network-Monitor
snmp-server user administrator Network-Monitor
snmp-server trap-source vlan 1000
username admin password 5 $1$GtO1e504$eGuyxxDcXck7SkxqBfRkI. role Admin domain default-domain
username www password 5 $1$N5ClX7jy$kDhGgN.uukWQKvQMd3pY.1 role Admin domain default-domain
ssh key rsa 1024 force
Thanks and Regards,
Ashfaque
Hello Hossain,
Applying the policy globally on the box is commonly not the preferred way to go; you can use instead a single multi-match policy per SVI for easier management; this will also help to narrow down problems to a specific policy and VIP while T-Shooting.
Use the
ACE/Admin(config)# no service-policy input global
ACE/Admin(config)# interface vlan 24
ACE/Admin(config-if)# service-policy input global
Also you want to remove the NAT from the multi-match policy, you're running in routed mode so NAT should not be required; if it was required then you don't have any natpool configured or as Ahmad mentioned it was truncated from the configuration.
Something that caught my attention is that your default route is pointing to the server VLAN that happens to be also your management VLAN. I'll have to lab it up but my first impression is that either the traffic coming to the VIP on vlan 24 should be always NAT'd to an IP of 10.26.24.X/24 before it gets to the ACE or else there will be a routing loop that will not allow the flow to complete correctly.
Do you happen to have a quick logical diagram of this piece of the network?
Thnx
Pablo -
Hi,
I have ACE 4701 with c4710ace-mz.A3_2_2.bin image. In the current setup ACE is located in the center of network where all the WAN, Internet and LAN is connected and ACE has default towards Internet and All other segment has default route towards ACE appliance. ACE is only redirecting the port 80 traffic to my Proxy server and bypass my lan subnet on port 80.
            Internet
               |
               |
              ACE--------------------------------WAN
               |
               |
              LAN
I want to use ACE for the load balancing of two servers. Today I did the load balancing configuration but as soon as I applied the policy map on the interface vlan 200 and 300, my complete network reachability went down. When I remove the policy my network came back to normal.
192.168.200.66 FAX Server-1
192.168.200.67 FAX Server-2
192.168.200.65 Virtual IP address
Attached is the configuration that I did on ACE for the load balancing and below is the current configuration of the ACE appliance.
access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
access-list acl-in line 1 extended permit ip any any
access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
access-list acl-out line 1 extended permit ip any any
access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
access-list acl-proxy line 1 extended permit ip any any
access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
access-list acl-wan line 1 extended permit ip any any
probe tcp PROBE_5050
port 5050
interval 15
passdetect interval 60
open 1
probe tcp PROBE_5101
port 5101
interval 15
passdetect interval 60
open 1
probe tcp PROBE_TCP
port 80
interval 15
passdetect interval 60
open 1
parameter-map type http PARAMAP_CASE
case-insensitive
no persistence-rebalance
rserver host RS_BCPR01
ip address 192.168.0.103
inservice
rserver host RS_BCPR02
ip address 192.168.0.104
inservice
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
serverfarm host SF_BCPR
transparent
probe PROBE_5050
probe PROBE_5101
probe PROBE_TCP
rserver RS_BCPR01
inservice
rserver RS_BCPR02
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
rserver RT_fax2
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
replicate sticky
serverfarm SF_BCPR
sticky ip-netmask 255.255.255.255 address source FAX-STICKY
replicate sticky
serverfarm SF_RT_fax
class-map type management match-any CM_ALL
2 match protocol snmp any
3 match protocol http any
4 match protocol https any
5 match protocol icmp any
6 match protocol telnet any
class-map match-any CM_BYPASS_FOR_LAN
3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_BYPASS_SUBNET
9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
14 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_IM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
class-map match-all CM_SF_BCPR
255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
class-map match-any RT_FAX
2 match virtual-address 192.168.200.65 0.0.0.0 any
policy-map type management first-match PM_ALL
class CM_ALL
permit
policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
class class-default
forward
policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
class class-default
forward
policy-map type loadbalance first-match PM_LB_RT_FAX
class class-default
sticky-serverfarm FAX-STICKY
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
class class-default
sticky-serverfarm STICKY-SOURCE
policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
class CM_BYPASS_FOR_LAN
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
policy-map multi-match PM_BYPASS_HTTP
class CM_BYPASS_SUBNET
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_HTTP
policy-map multi-match PM_MAIN_BCPROXY
class CM_SF_BCPR
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
loadbalance vip icmp-reply active
appl-parameter http advanced-options PARAMAP_CASE
class CM_IM
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
service-policy input PM_ALL
interface vlan 100
description FW-INSIDE CONTEXT RACK1
ip address 192.168.0.5 255.255.255.224
alias 192.168.0.11 255.255.255.224
peer ip address 192.168.0.6 255.255.255.224
mac-address autogenerate
no icmp-guard
access-group input acl-out
no shutdown
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 301
description BC-VLAN CONTEXT RACK1
ip address 192.168.0.97 255.255.255.224
alias 192.168.0.107 255.255.255.224
peer ip address 192.168.0.98 255.255.255.224
mac-address autogenerate
access-group input acl-proxy
no shutdown
ft track interface TRACKING_FOR_FT_VLAN
track-interface vlan 300
peer track-interface vlan 300
priority 255
peer priority 255
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Please help me out what i am missing. Is there any limitation on policy map or my bypass subnet list is creating problem.
I did these changes this time nothing disconnected but I am not able to do the Remote desktop on the virtual IP address. Real IP has Remote desktop enabled even VIP is not ping able for me.
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
inservice
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
inservice
rserver RT_fax2
inservice
policy-map type loadbalance rdp first-match PM_LB_RT_FAX
class class-default
serverfarm SF_RT_fax
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
loadbalance vip icmp-reply active
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
no shutdown
But nothing is working for me. Please help me out. This time i didnt configure the sticky. But in real I will go with sticky and complete IP protocol will be use a VIP. Please help me out. -
Load balancing testing.
Hi Gurus,
For load balancing purpose we have installed sap in one more box (crm
quality system). now i need to test whether load balancing is
happening or not in below scenarios..
1.) Test the Load balancing on the C.I and D.I.
2.) Take Multiple Logins and compare the Load Balancing
3.) Maintain the Variation of Job such as on-line process and background.
4.) Monitor the Login System for each Variation
So first i tested the transaction codes like sm04, and smlg and checked with users and how much bytes they are occuping i have tested.
please give me your inputs in which way i could test it better and what are all the various aspects??
Thanks
Sahad
Hi,
For load balancing you can check the load on the Ci and DI .
Just goto SM51 ,there you shall see the CI and the DI there.double click on the ci.
Now run St02 and st03n and St06 and check the performance.
Do the same for the Application Server.
I shall suggest that if you have more application server Just Remove the CI from the logon load balancing to have better performance.
for more details go through this Link to check logon load balancing at os level
http://help.sap.com/saphelp_nw70/helpdata/en/64/32a5682e6a4e0cbb3f8a33970d11a8/content.htm
Thanks
Rishi Abrol -
CSS Load balancing for Exchange Server
Hi,
I have CSS configured in single arm and I have multiple servers configured for load balancing and it is working fine but when I am configuring Exchange server for load balancing I am facing problem and applications and printer/scanners are not able to send the email through the Virtual IP address configured for exchange server.
But if we configured the real server IP in the printer/scanners they are able to send the email. While checking the logs on the exchange server, it is showing that request for the email so coming from the Exchange VIP configured in the CSS.
I can telnet on port 25 on the VIP address (192.168.200.237). But unable to send the email through this VIP.
Below is the configuration
service ENOC_EXCHANGE-1
ip address 192.168.200.235
active
service ENOC_EXCHANGE-2
ip address 192.168.200.236
active
content EXCHANGE
add service ENOC_EXCHANGE-2
add service ENOC_EXCHANGE-1
vip address 192.168.200.237
active
group EXCHANGE
add destination service ENOC_EXCHANGE-1
add destination service ENOC_EXCHANGE-2
vip address 192.168.200.237
active
DC-CSS01# show rule GIT EXCHANGE
Name: EXCHANGE Owner: ENOC_GIT
State: Active Type: HTTP
Balance: Round Robin Failover: N/A
Persistence: Enabled Param-Bypass: Disabled
Session Redundancy: Disabled
IP Redundancy: Not Redundant
L3: 192.168.200.237
L4: Any/Any
Url:
Redirect: ""
TCP RST client if service unreachable: Disabled
Rule Services & Weights:
1: EXCHANGE-1-Alive, S-1
2: EXCHANGE-2-Down, S-1
=============================================================================
Please let me know how to solve this problem. System team is saying with the physical IP address it is working fine problem with Load balancing. I have even tried with the
Add service command in the group but didn't work for me. If i will remove the group command then I can't telnet on port 25.
I think this is related to single arm model or some wrong configuration for the NAT.
Kindly assist me
Hi
Printers are on Vlan 80 ( gw is 192.168.80.1) and exange server is on vlan 200 (gw is 192.168.200.1) i have multiple vlan which will communcate with exchange.
I hv other servers on 200 subnet which are working fine in load balancing.
My CSS is single arm setup.
Please assist
Sent from Cisco Technical Support iPhone App -
FTP Load-Balancing in DSR mode
Hello Experts ..
Need some clarity on FTP LB under DSR mode .... I have my DSR working fine for normal http traffic , but facing issues with FTP on the same , please find the configs attached below
Topology
Client ( 10.20.10.101) -----> CAT6k ( 10.20.10.110 & 10.10.15.2) --> ACE --- > Server
VLAN 149 VLAN 149 & VLAN 150
access-list access line 8 extended permit icmp any any
access-list access line 16 extended permit tcp any any
access-list acl line 8 extended permit ip any any
rserver host real2
ip address 10.10.15.101
inservice
serverfarm host ftp
transparent
rserver real2
inservice
class-map match-all ftp-vip
2 match virtual-address 192.168.5.5 tcp eq ftp
class-map match-any ftp_1
2 match access-list access
policy-map type management first-match mgmt
class class-default
permit
policy-map type loadbalance first-match ftp
class class-default
serverfarm ftp
policy-map multi-match LBPOL
class vip
loadbalance vip inservice
loadbalance policy lbpol
loadbalance vip icmp-reply active
class ftp-vip
loadbalance vip inservice
loadbalance policy ftp
inspect ftp
class ftp_1
nat dynamic 5 vlan 150
interface vlan 61
ip address 61.202.200.200 255.0.0.0
access-group input acl
service-policy input mgmt
no shutdown
interface vlan 150
description server-side
ip address 10.10.15.1 255.255.255.0
no normalization
access-group input acl
nat-pool 5 10.10.15.209 10.10.15.209 netmask 255.255.255.255 pat
service-policy input LBPOL
service-policy input mgmt
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.15.2
Client
======
root@TLS_SRV ~]# ifconfig eth1.149
eth1.149 Link encap:Ethernet HWaddr 00:1C:23:E2:50:C4
inet addr:10.20.10.101 Bcast:10.20.10.255 Mask:255.255.255.0
inet6 addr: fe80::21c:23ff:fee2:50c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:203 errors:0 dropped:0 overruns:0 frame:0
TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10444 (10.1 KiB) TX bytes:8408 (8.2 KiB)
route
192.168.5.0 10.20.10.110 255.255.255.0 UG 0 0 0 eth1.149
CAT6k
=======
interface Vlan149
ip address 10.20.10.110 255.255.255.0
end
interface Vlan150
ip address 10.10.15.2 255.255.255.0
end
ip route 192.168.5.5 255.255.255.255 10.10.15.1
Server
=======
eth1.150 Link encap:Ethernet HWaddr 00:1C:23:E2:50:C4
inet addr:10.10.15.101 Bcast:10.10.15.255 Mask:255.255.255.0
inet6 addr: fe80::21c:23ff:fee2:50c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9194 errors:0 dropped:0 overruns:0 frame:0
TX packets:408 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:503104 (491.3 KiB) TX bytes:71884 (70.1 KiB)
eth1.150:1 Link encap:Ethernet HWaddr 00:1C:23:E2:50:C4
inet addr:192.168.5.5 Bcast:192.168.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
route
10.20.0.0 10.10.15.2 255.255.0.0 UG 0 0 0 eth1.150
When i do FTP from client 10.20.10.101 , my connection is getting refused.... But when i connect to my server directly bypassing ACE i am getting authenticated ..
As per the DSR , i made Rserver & ACE as L2 Adjacent , so when ACE receives the packet it will change the dest ip instead it will use VIP ip as destination , but the MAC will be rewritten to Rserver MAC address... As i said before all works fine for http DSR ...
I know NAT doesn't work in ACE when its configured under DSR , but for FTP i made NAT config , but even if i remove the same its not working , Is my config for FTP is correct ?
Could some please look into this and reply ?
Thanks
Charles
If you need to route / provide load balancing between 2 hosts, then you will need to have Route SAF. You can use web server 7 reverse proxy cli or gui to get this. However, you might want to start from a fresh configuration to avoid reverse-map / map that you have experimented with does not overlap with the 'Route' functionality that you seem to need here.
here are some reference content
http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
http://blogs.sun.com/meena/entry/configuring_reverse_proxy_in_sun
http://www.sun.com/bigadmin/features/articles/web_server_zones.jsp -
I have an interesting problem. I have a VIP with a two server, serverfarm. Originally the VIP and serverfarm were doing load balancing in the switch IOS and the vip was configured with a 27 bit subnet mask. I moved the configuration to our csm mod and removed the subnet mask. The original sticky was set to 120 and I reset the sticky to 30 as part of the move. Now the load balancing is extremely off kilter (200 connections to 7). Any ideas what could be amiss?
Real servers are physical devices assigned to a server farm. Real servers provide the services that are load balanced. When the server receives a client request, it pulls matching information from a disk and sends it to the CSM for forwarding to the client.
You configure the real server in the real server configuration mode by specifying the server IP address and port when you assign it to a server farm. You enter the real server configuration mode from the serverfarm mode where you are adding the real server.
This URL should help me:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_installation_and_configuration_guide09186a00801760d0.html#xtocid439743 -
Site behind load balancer - Key not valid for use in specified state
Hi,
I have created a SharePoint application page to access an active endpoint on ADFS and establish a FedAuth session. All works well on a single server. But when the page runs behind a load balancer with 2 servers, it fails with a "key not valid for use in specified state" exception. Stickiness is enabled on the load balancer; I verified that.
I had made a few changes to the config file in the microsoft.identitymodel section to accommodate ADFS custom login. This included removing securitytokenhandlers and issuertokenresolvers as well. Is this impacting the encryption/decryption in any way?
Any pointers would help.
Reference point for my application page: http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=76
Hi,
As I understand, you encountered the error “Key not valid for use in specified state” when using ADFS custom login.
In order to run in Windows Azure Web Sites a Web application which uses WIF for handling authentication, you must change the default cookie protection method (DPAPI, not available on Windows Azure Web Sites) to something that will work in a farmed environment and with the IIS user profile load turned off.
1. If you are using the Identity and Access Tools for VS2012, just go to the Configuration tab and check the box “Enable Web farm ready cookies”.
2. If you want to do things by hand, add the following code snippet in your system.identitymodel/identityConfiguration element:
<securityTokenHandlers>
  <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</securityTokenHandlers>
There is a similar case:
http://stackoverflow.com/questions/19323287/key-not-valid-for-use-in-specified-state-error-for-net-4-5-mvc-4-application
Best regards,
Sara Fan
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
[email protected] -
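The farm requirement behind the reply above, as an added example that is not part of the original thread: MachineKeySessionSecurityTokenHandler protects the session cookie with the ASP.NET machineKey, so every node behind the load balancer needs the same explicit key rather than the auto-generated per-machine default. The Python check below audits a web.config for both conditions; it assumes the .NET 4.5 system.identityModel section used in the reply, and the sample config, its placeholder key values and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; the key values are placeholders, not real keys.
SAMPLE_FARM_READY = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>
</configuration>"""

# Same handlers, but the validation key is left on the per-machine default.
SAMPLE_AUTOGEN = SAMPLE_FARM_READY.replace(
    "PLACEHOLDER_VALIDATION_KEY", "AutoGenerate,IsolateApps")

HANDLERS = "./system.identityModel/identityConfiguration/securityTokenHandlers"


def _type_names(parent, tag):
    """Class names (assembly details stripped) of <add>/<remove> entries."""
    if parent is None:
        return set()
    return {e.get("type", "").split(",")[0].strip() for e in parent.findall(tag)}


def audit_web_config(xml_text):
    """Return findings that would break WIF session cookies across farm nodes."""
    root = ET.fromstring(xml_text)
    handlers = root.find(HANDLERS)
    findings = []
    if not any(t.endswith(".MachineKeySessionSecurityTokenHandler")
               for t in _type_names(handlers, "add")):
        findings.append("MachineKeySessionSecurityTokenHandler is not added")
    if not any(t.endswith(".SessionSecurityTokenHandler")
               for t in _type_names(handlers, "remove")):
        findings.append("DPAPI-based SessionSecurityTokenHandler is not removed")
    key = root.find("./system.web/machineKey")
    for attr in ("validationKey", "decryptionKey"):
        value = key.get(attr, "") if key is not None else ""
        if not value or value.startswith("AutoGenerate"):
            findings.append(f"machineKey {attr} is generated per machine")
    return findings
```

Run the same audit against the web.config of each farm node and compare the machineKey values as well; an empty findings list on every node only helps if the keys are identical.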
FDM Load balancer Configuration issue
We are doing the installation for Hyperion Planning, ODI and DRM on DEV environment
The EPM version we are using - 11.1.2.2
Server 1 (Windows 2008 x64)
• Foundation Services
• Calculation Manager
• Planning Web Application
• Analytical Provider Services
• Essbase Administration Services web application
• Oracle HTTP Server
Server 2 (Windows 2008 x64)
• R & A Framework Services
• R & A Framework Web Application
• Financial Reporting Web Application
• Web analysis Web Application
Server 3 (Windows 2008 x64)
• FDM
• EPMA
• ODI
• DRM
• Essbase Integration Services
• Essbase Studio
• IIS 7.x
Server 4 (Windows 2008 x64)
• Essbase Server
Server 5 (Windows 2008 x64)
• SQL Server 2008
All our services are running fine for Planning. We are in process of configuring FDM.
FDM Application Server Configuration is completed.
While doing FDM Load Balancer Configuration, we were also able to connect to the Shared Service directory successfully. But when we click OK to complete the configuration, it gives the following error -
Unable to Create Load Balancer Object!
Please verify that the user name, password, and domain are correct
Error=Cannot create ActiveX component
When checked in Event Log we found -
Unable to create Load Balance Manager object! Configuration directory could not be located. Error=-2147023878 - Retrieving the COM class factory for component with CLSID {E652643D-6CC1-48AC-915D-01842B04F292}
Source=TaskManagerService - at TaskManagerService.TaskItem.fGetConfigFolder()
We tried the below steps but issue still persists -
• Start the ‘dcomcnfg’ tool in Windows
• Expand Component Services\Computers\My Computer\Dcom-Config and locate the following object: {E652643D-6CC1-48AC-915D-01842B04F292}
• Right-click and choose "Properties" and click on the "Security" tab
• Click the "Edit" button and remove all users except the default: "Everyone" and "System" and click OK, then set the radio button to "Use Default"
• Click the "Edit" button under Access Permissions and remove all users/groups except the default items and click OK, and set the radio button to "Use Default"
• Now click the "Identity" tab and remove the ID in the "This User" field and set the radio button to "The Launching User" and click "Apply" and "OK"
• Now try to launch the FDM Load Balance Config and all the extra tools for FDqM
We are using hypadmin as domain account but it is part of Administrators group on FDM Server (Server 3). The administrators group is also part of -
Act as part of the operating system
Bypass traverse checking
Log on as a batch job
Log on as a service
Please let us know if you have encountered a similar error on this version, and a possible solution for the issue.
Thanks in advance.
Regards,
I would clear out all users/groups on the security tab of the FDM Load Balance Server DCOM object for "Launch and Activation" and "Access" permissions and then set the identity to the "Launching User" radio button and apply. Then re-set the config.
If that still fails, try rebooting the server and then set it.
Make sure the domain and password being entered are also correct. -
Internal load balance ilb on ServiceConfiguration LoadBalancers
Hi everybody, I try to setup an internal load balancer using this configuration:
from cscfg:
<NetworkConfiguration>
  <VirtualNetworkSite name="WE" />
  <AddressAssignments>
    <InstanceAddress roleName="Role1">
      <Subnets>
        <Subnet name="WE_WWW" />
      </Subnets>
    </InstanceAddress>
    <InstanceAddress roleName="Role">
      <Subnets>
        <Subnet name="WE_SERVICE" />
      </Subnets>
    </InstanceAddress>
  </AddressAssignments>
  <LoadBalancers>
    <LoadBalancer name="WEB_ILB">
      <FrontendIPConfiguration type="private" subnet="WE_WWW" staticVirtualNetworkIPAddress="192.168.1.5" />
    </LoadBalancer>
    <LoadBalancer name="API_ILB">
      <FrontendIPConfiguration type="private" subnet="WE_SERVICE" staticVirtualNetworkIPAddress="192.168.2.5" />
    </LoadBalancer>
  </LoadBalancers>
</NetworkConfiguration>
from csdef:
<WebRole name="Role1" vmsize="Small">
  <Sites>
    <Site name="Web">
      <Bindings>
        <Binding name="httpIn" endpointName="httpIn" />
        <Binding name="httpsIn" endpointName="httpsIn" />
      </Bindings>
    </Site>
  </Sites>
  <Endpoints>
    <InputEndpoint name="httpIn" protocol="http" port="80" loadBalancer="WEBILB" />
    <InputEndpoint name="httpsIn" protocol="https" port="443" certificate="Valuta" />
  </Endpoints>
  <Imports>
    <Import moduleName="Diagnostics" />
    <Import moduleName="RemoteAccess" />
    <Import moduleName="RemoteForwarder" />
  </Imports>
  <Certificates>
    <Certificate name="Valuta" storeLocation="LocalMachine" storeName="CA" />
  </Certificates>
</WebRole>
<WebRole name="Role2" vmsize="Small">
  <Sites>
    <Site name="Web">
      <Bindings>
        <Binding name="httpIn" endpointName="httpIn" />
      </Bindings>
    </Site>
  </Sites>
  <Endpoints>
    <InputEndpoint name="httpIn" protocol="http" port="8080" loadBalancer="APIILB" />
  </Endpoints>
  <Imports>
    <Import moduleName="Diagnostics" />
    <Import moduleName="RemoteAccess" />
  </Imports>
</WebRole>
As you can see, I have two web roles linked to a VNet:
Role1 has two input endpoints: https and http (the one I want to "internal" load balance)
Role2 has only an http input endpoint (again the one I want to "internal" load balance)
and I try to configure an internal load balancer (see here:
vs2013-update3)
When I try to deploy the package I receive this error:
Error: The specified configuration settings for Settings are invalid. Verify that the service configuration file is a valid XML file, and that role instance counts are specified as positive integers. Http Status Code: BadRequest OperationId: 874024071e88327f8cb73c16f15f3ac2
I'm sure it depends on the ILB configuration, because when I remove it the deploy succeeds...
Has anybody tried something like this?
Thanks,
Simone
I've found a solution by myself with the help of a friend (Sandro Vecchiarelli): the "problem" is that I tried to set up two load balancers in one cloud service. Trying with only one works correctly; the error is probably a schema validation, and I really don't know if the error is in the "client" schema that allows me to configure more than one ILB (note the node name LoadBalancers... it's plural...) or online (the one on Azure).
By the way... at the moment, use just one ILB per cloud service.
Hope this helps. -
With Ajay Kumar and Telmo Pereira
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco experts Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module:
• Helps ensure business continuity by increasing application availability
• Improves business productivity by accelerating application and server performance
• Reduces data center power, space, and cooling needs through a virtualized architecture
• Helps lower operational costs associated with application provisioning and scaling
Ajay Kumar is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications.
Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP.
Remember to use the rating system to let Ajay know if you have received an adequate response.
Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
Hello Krzysztof,
Another set of good/interesting questions posted. Thanks!
I will try to clarify your doubts.
In the output below both resources (proxy-connections and ssl-connections rate) are configured with a min percentage of resources (column Min), while 'Max' is set to equal to the min.
ACE/Context# show resource usage
                                        Allocation
        Resource         Current    Peak      Min      Max    Denied
-- outputs omitted for brevity --
  proxy-connections            0   16358    16358    16358     17872
  ssl-connections rate         0     626      626      626     23204
Most columns are self-explanatory: 'Current' is the current usage, 'Peak' is the maximum value reached, and the most important counter to monitor, 'Denied', represents the amount of packets denied/dropped due to exceeding the configured limits.
On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource.
For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
This might sound like a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, especially if you have business critical contexts.
We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE should in theory silently drop (No RST is sent back to the client). So unless we changed something on the code, this is what you should see.
To give more context, seeing resets with SSL connections is not necessarily synonymous with drops, as it is usual to see them during normal transactions.
For instance Microsoft servers are usually ungracefully terminating SSL connections with RESET. Also when there is renegotiation during an SSL transaction you may see RESETS, but this will pass unnoticed for end users.
2) ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Existing connections will continue there.
As ACE doesn't respond back, client would simply retransmit, and if he is lucky maybe in the next attempt he will be able to establish the connection.
To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
3) If a new connection comes in with a sticky value, that matches the sticky entry of a real server, which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
I hope this makes things clearer! Uff...
Regards,
Telmo
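The reading of `show resource usage` described in the reply above, as an added example that is not part of the original post: a Python parser that flags resources whose Peak reached Max with a non-zero Denied counter, and compares two captures to see whether denies are still accumulating. The first two data rows use the values quoted in the reply; the conc-connections row, the second capture and all function names are constructed for illustration.

```python
import re

# Rows 1-2 are the values quoted in the reply above; the conc-connections row
# and the whole second capture are constructed for illustration.
CAPTURE_1 = """\
ACE/Context# show resource usage
        Resource         Current    Peak     Min     Max   Denied
  proxy-connections            0   16358   16358   16358    17872
  ssl-connections rate         0     626     626     626    23204
  conc-connections            12     340    1000    1000        0
"""
CAPTURE_2 = CAPTURE_1.replace("17872", "18001")

FIELDS = ("current", "peak", "min", "max", "denied")
# A data row is a resource name (may contain a space) plus five integers;
# the prompt, header and "omitted" lines do not match and are skipped.
ROW = re.compile(r"^\s*(\S.*?)" + r"\s+(\d+)" * 5 + r"\s*$")


def parse_resource_usage(text):
    """Map resource name -> dict of its five counters."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m.group(1)] = dict(zip(FIELDS, map(int, m.groups()[1:])))
    return rows


def exhausted(rows):
    """Resources whose Peak reached Max and that recorded denies."""
    return sorted(n for n, r in rows.items()
                  if r["denied"] > 0 and r["peak"] >= r["max"])


def still_denying(before, after):
    """Resources whose Denied counter grew between two captures."""
    return {n: after[n]["denied"] - before[n]["denied"]
            for n in after
            if n in before and after[n]["denied"] > before[n]["denied"]}
```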