Serverfarm VIP as rserver of another farm
Hi guys,
I'm curious if that's possible. The idea behind it is to create a "special rserver" which is in fact a webfarm with per-request LB, and can be placed as a backup rserver when the primary one is overloaded.
Let's imagine a caching webfarm (A) with a URL hash predictor; then, if one rserver has a huge load, its probe may switch traffic to a backup, failover farm (B) which balances on a per-request basis (let's say round-robin) to spread that (and only that) load. The other rservers from farm (A) are not affected.
Don't see a way to do that in one context. No direct routing between contexts forces the use of a 6k/other device to route packets between contexts. Any other ideas to achieve that? Maybe some other ways of solving the problem?
Regards,
Jakub S.
Hi Jakub,
Instead of using another VIP as an rserver of one of your serverfarms (which, as you state, would require you to first route the traffic out of the ACE before reaching this VIP, since we cannot directly send traffic from a VIP to another), I would configure your backup rserver as one of type redirect, which would have the client send the traffic directly to the per-request VIP through a redirection once the main rserver is overloaded.
Regards,
Nicolas
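As an added example (not part of the thread above), this is what Nicolas's suggestion looks like as ACE configuration. All names, addresses and limits are assumptions; it also assumes the documented ACE behaviour that a backup rserver receives new connections once the primary has failed its probe or reached its conn-limit, and that overflow.example.net resolves to farm B's VIP. Lines starting with "!" are reader notes, not commands.

```text
! --- Farm A: caching farm, URL hash predictor ---
rserver host CACHE1
  ip address 10.1.1.11
  inservice
rserver host CACHE2
  ip address 10.1.1.12
  inservice

! Backup of type redirect: the client is sent to farm B's VIP with a 302,
! so nothing has to be routed from one VIP to another inside the ACE.
! %p carries the original URL path across the redirect (hostname assumed).
rserver redirect TO_FARM_B
  webhost-redirection http://overflow.example.net/%p 302
  inservice

serverfarm host FARM_A
  predictor hash url
  rserver CACHE1
    conn-limit max 2000 min 1800
    backup-rserver TO_FARM_B
    inservice
  rserver CACHE2
    conn-limit max 2000 min 1800
    backup-rserver TO_FARM_B
    inservice

! --- Farm B: round-robin overflow farm on its own VIP ---
rserver host OVF1
  ip address 10.1.2.11
  inservice
rserver host OVF2
  ip address 10.1.2.12
  inservice

serverfarm host FARM_B
  predictor roundrobin
  rserver OVF1
    inservice
  rserver OVF2
    inservice

class-map match-all VIP_FARM_A
  2 match virtual-address 10.1.0.10 tcp eq www
class-map match-all VIP_FARM_B
  2 match virtual-address 10.1.0.20 tcp eq www

policy-map type loadbalance first-match LB_FARM_A
  class class-default
    serverfarm FARM_A
policy-map type loadbalance first-match LB_FARM_B
  class class-default
    serverfarm FARM_B

policy-map multi-match CLIENT_VIPS
  class VIP_FARM_A
    loadbalance vip inservice
    loadbalance policy LB_FARM_A
  class VIP_FARM_B
    loadbalance vip inservice
    loadbalance policy LB_FARM_B
```

Because the URL hash decides which rserver of farm A a request lands on, only requests that hash to the overloaded rserver are bounced to farm B; the other rservers keep serving normally, which is the "only that load" requirement. The overload signal here is conn-limit rather than a probe, and the redirect works only for HTTP clients that follow a 302 (each redirected request costs one extra round trip).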
Similar Messages
-
Dear Community
Hi !!
We are facing a typical issue and have been scratching our heads for some time now, and now seek help and suggestions.
I have an ACE with 10 contexts. There is a particular context which has 6 server farms, all under different VIPs.
Have raised multiple TAC cases and captured millions of packets, but found no reason. The ACE resource and CPU usage is normal and no increase is noticed.
The issue is that when connections to one serverfarm cross 1000, all other serverfarms and VIPs of that context become very, very slow, and they have no relation with each other, both physically and functionally.
If any of you have heard of a similar issue, can you refer me to a solution if the issue is with the ACE?
Hi Shirshendu,
Replied to you on other thread.
Regards,
Kanwal -
Project Server 2010 migrated from one farm to another farm
Hi ,
I need to migrate an existing Project Server 2010 farm from one server to another server.
Kindly suggest the best way we need to follow.
Existing Environment two server:
1. App server(SharePoint 2010 +Project Server 2010)- Existing PWA site is running
2.Database server(with DNS instance name)
New Environment:
1.App server (fresh installed SharePoint + project server 2010)
2.DB server fresh server with sql 2008
Hasan Jamal Siddiqui(MCTS,MCPD,ITIL@V3),Sharepoint and EPM Consultant,TCS
Event viewer Error:
Failed to provision site PWA with error: Microsoft.Office.Project.Server.Administration.ProvisionException: Membership synchronization failed. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.SharePoint.Library.SPRequest.RemoveRoleDef(String bstrUrl, Int32 lRoleID)
at Microsoft.SharePoint.SPRoleDefinitionCollection.Delete(SPRoleDefinition roleDefinition)
at Microsoft.Office.Project.Server.BusinessLayer.SharePointSecurityHelper.DeleteRoleByName(SPWeb web, String roleName)
at Microsoft.Office.Project.Server.BusinessLayer.SharePointSecurityHelper.DeleteRoles(SPWeb web)
at Microsoft.Office.Project.Server.BusinessLayer.SharePointSecurityHelper.ConfigureDefaultPWAWSSSecurityModel(SPSite topSite, SPWeb web)
at Microsoft.Office.Project.Server.BusinessLayer.Admin.<>c__DisplayClass18.<QueueUpdateUsersAddRemoveStatusOnPwaRootsAndWorkspaces>b__17()
at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass4.<RunWithElevatedPrivileges>b__2()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
at Microsoft.Office.Project.Server.BusinessLayer.Admin.QueueUpdateUsersAddRemoveStatusOnPwaRootsAndWorkspaces(Dictionary`2 deletedUserUidsLoginNames, Guid[] addedUserUids, Boolean isFullSync, Boolean syncWorkspaces)
at Microsoft.Office.Project.Server.BusinessLayer.Admin.SynchronizeMembershipForPwaAppRootSite()
at Microsoft.Office.Project.Server.Administration.PsiServiceApplication.SynchronizePwaMembership(ProjectProvisionSettings provset, ProjectSite projectSite)
--- End of inner exception stack trace ---
at Microsoft.Office.Project.Server.Administration.PsiServiceApplication.SynchronizePwaMembership(ProjectProvisionSettings provset, ProjectSite projectSite)
at Microsoft.Office.Project.Server.Administration.PsiServiceApplication.CreateSite(ProjectProvisionSettings provset
Hasan Jamal Siddiqui(MCTS,MCPD,ITIL@V3),Sharepoint and EPM Consultant,TCS -
Hello,
I would like to populate a list column with data (Lot #'s) from a list on another sp farm updating frequently. I want to use the column as a lookup to the Lot #'s. Possible? Authentication?
Thank you,
Andrea
Andrea
Hi,
According to your description, you want to populate a list column with the data
from a list in another SharePoint Farm.
Is your another SharePoint Farm in the same domain you are trying to access?
If yes, you can use the Client Object Model and set the credentials to access the
data like below:
context.Credentials = new NetworkCredential("user", "password", "domain");
Here is a similar thread for your reference:
http://social.msdn.microsoft.com/Forums/office/en-US/66f1ed1d-4df2-4da2-bfda-e3d1747a76cf/get-different-sharepoint-server-list-data-using-custom-webpart?forum=sharepointdevelopmentprevious
More information about get list data using Client Object Model:
http://msdn.microsoft.com/en-us/library/office/fp179912(v=office.15).aspx
Best regards,
ZhengyuGuo
Zhengyu Guo
TechNet Community Support -
INS-40912] Virtual host name: oracle-vip is assigned to another system
I got above error when I try to install RAC on linux redhat.
I configured vip address on /etc/hosts, and it is showing in ifconfig |grep net.
What should I do to fix this error.
I did not find much documents in oracle support.
Do I have to configure vip address in dns?
Thanks,
Here are the wordings from the online installation docs:
2.7.2.2 IP Address Requirements for Manual Configuration
If you do not enable GNS, then the public and virtual IP addresses for each node must be static IP addresses, configured before installation for each node, but not currently in use. Public and virtual IP addresses must be on the same subnet.
Oracle Clusterware manages private IP addresses in the private subnet on interfaces you identify as private during the installation interview.
The cluster must have the following addresses configured:
A public IP address for each node, with the following characteristics:
Static IP address
Configured before installation for each node, and resolvable to that node before installation
On the same subnet as all other public IP addresses, VIP addresses, and SCAN addresses
A virtual IP address for each node, with the following characteristics:
Static IP address
Configured before installation for each node, but not currently in use
On the same subnet as all other public IP addresses, VIP addresses, and SCAN addresses
A Single Client Access Name (SCAN) for the cluster, with the following characteristics:
Three Static IP addresses configured on the domain name server (DNS) before installation so that the three IP addresses are associated with the name provided as the SCAN, and all three addresses are returned in random order by the DNS to the requestor
Configured before installation in the DNS to resolve to addresses that are not currently in use
Given a name that does not begin with a numeral
On the same subnet as all other public IP addresses, VIP addresses, and SCAN addresses -
Duplicating list contents to SharePoint site in another farm
Hi,
What is the best way to duplicate the contents of a list between two sharepoint farms? Once all contents are in the destination, there will also have to be a scheduled update with new content. I have heard about a publishing feature in SP 2013. Will this
do the trick? If so, is there any documentation on how to accomplish this?
thanks,
Sherazad
Content deployment enables you to copy content from a source site collection to a destination site collection (from one farm to another farm).
This is a very popular method in the industry; people use it from an Authoring farm to a Publishing farm in order to secure the content. You can deploy a full site or one list.
You can follow the below technet to configure the Content Deployment, Job & path and schedule it according to your need.
Configure content deployment settings
Manage content deployment paths and jobs
Manage Quick Deploy jobs
View content deployment job reports and history
End-to-end content deployment walkthrough (white paper)
Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog -
Can two server farm share the same VIP?
Hello,
Can I create two server farms that share the same VIP? For example:
Is this configuration possible?
rserver host des1
ip address 10.24.18.34
inservice
rserver host des2
ip address 10.24.18.35
inservice
rserver host was1
ip address 10.24.18.10
inservice
rserver host was2
ip address 10.24.18.11
inservice
serverfarm host farm1
rserver des1
inservice
rserver des2
inservice
serverfarm host farm2
rserver was1
inservice
rserver was2
inservice
class-map type http loadbalance match-all Check-Headers-10
2 match http url .*
3 match http header Host header-value "10.24.16.*"
4 match http header User-Agent header-value ".*MSIE.*"
class-map type http loadbalance match-all Check-Headers-s-10
2 match http url .*
3 match http header Host header-value "10.24.16.*"
4 match http header User-Agent header-value ".*MSIE.*"
class-map type http loadbalance match-all other-http-10
2 match http url .*
class-map type http loadbalance match-all other-http-s-10
2 match http url .*
class-map match-all server-vlan-vip-10-http
2 match virtual-address 10.24.16.10 tcp eq www
class-map match-all server-vlan-vip-10-https
2 match virtual-address 10.24.16.10 tcp eq https
policy-map type loadbalance first-match http-10-lb
class Check-Headers-10
serverfarm farm2
class other-http-10
serverfarm farm2
policy-map type loadbalance first-match http-10-s-lb
class Check-Headers-s-10
serverfarm farm1
class other-http-s-10
serverfarm farm1
policy-map type loadbalance first-match lb-logic-10
class class-default
serverfarm farm2
policy-map type loadbalance first-match lb-logic-s-10
class class-default
serverfarm farm1
policy-map multi-match server-vip-service-policy-10
class server-vlan-vip-10-http
loadbalance vip inservice
loadbalance policy http-10-lb
loadbalance policy http-10-s-lb
loadbalance vip icmp-reply
class server-vlan-vip-10-https
loadbalance vip inservice
loadbalance policy lb-logic-10
loadbalance policy lb-logic-s-10
loadbalance vip icmp-reply
interface vlan 233
description Servidores_Balanceados_outside
peer ip address 10.24.16.7 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input client-vips
no shutdown
interface vlan 242
description Servidores_desarrollo1
peer ip address 10.24.18.33 255.255.255.240
access-group input anyone
access-group output anyone
service-policy input server-vip-service-policy-10
no shutdown
Hello gdufour,
Actually I've got this configuration:
1.) One serverfarm (farm1).
2.) In this serverfarm, I have two real servers, des1 and des2.
3.) The real servers are using VIP 10.24.16.10.
4.) The load balancing is round robin using HTTP with headers.
I want to have:
1.) One new server (a.b.c.d); it can be in the same subnet.
2.) I don't know if this server can belong to serverfarm farm1.
2.) When I go to http://index/url/url1, this has to go to VIP 10.24.16.10.
3.) When I reach the link, VIP 10.24.16.10 redirects to server a.b.c.d.
4.) When server a.b.c.d is down, serverfarm farm1 has to take the load of the URL.
Is this configuration possible?
Thank you.
Best Regards -
HTTP/HTTPS on the same ACE VIP - best practice
I currently have a VIP representing one server farm that contains two http servers:-
class-map match-all VIP-HTTP-xxxxx.co.uk
2 match virtual-address 10.79.18.10 tcp eq www
class-map match-all VIP-SSL-xxxxx.co.uk
2 match virtual-address 10.79.18.10 tcp eq https
I have port 80 and 443 open on the VIP and SSL termination performed on the ACE (both http servers are the same and configured for default load balancing behaviour - I've also specified port 80 for ACE to server traffic). Having 80 and 443 on the same VIP (meaning the site can be accessed via one NAT'd external IP) came from a request from the business so the site can have one domain.
The majority of the http server(s) web content is standard http but there is a specific sub-directory of interactive forms that requires https termination.
I have a couple of queries with regards to URL re-writes:-
1) Is the SSL URL re-write functionality limited to just the host part of the URL or can the ACE enforce https for specific sub-directories, i.e. can the ACE intercept and re-write a URL if a user tries to go to a particular https page/directory using http (by just deleting the s from the URL within their browser)? A possible example being:-
ssl url rewrite location "www\.cisco\.com\secure-forms"
2) Can the ACE re-direct users back to a standard http page if they try to 'secure' their session by changing http to https within their browser (basically the opposite of the above).
Basically as I have 80 and 443 on the same VIP I'm interested in the best practice methods of enforcing http and https content segregation using just the ACE (as opposed to having Apache doing the re-writes, etc).
Web services functionality (in terms of SSL and URL re-writes) has traditionally fallen within the domain of a dedicated web development team (who use Apache, Tomcat, etc.) but the introduction of the ACE as a load balancing appliance that is primarily managed by the networks team but with functionality that crosses traditional team boundaries has resulted in lots of questions from web development around what functionality can be moved from Apache, etc. and onto the ACE?
Any advice or personal experiences would be gratefully received.
Thanks
Matthew
Back again!
Could someone possibly cast their eye over the following config?
The only bit I'm not sure on (syntactically and whether it can even be done on the ACE) is how to specify a DO NOT match regular expression, i.e. how to capture https URLs that do not match my secure pages so I can re-direct the request back to the normal http URL (class-map type http loadbalance Non-Secure_Pages). What I'd like to avoid is re-directing requests that don't need to be, i.e. re-directing all requests that don't match /secure back to http when the majority will be correctly going to a normal http URL :-
rserver host server1
description *** HTTP server 1 ***
ip address 10.100.194.2
inservice
rserver host server2
description *** HTTP server 2 ***
ip address 10.100.194.3
inservice
rserver redirect REDIRECT_TO_HTTPS
webhost-redirection https://www.website.co.uk/%p 302
inservice
rserver redirect REDIRECT_TO_HTTP
webhost-redirection http://www.website.co.uk/%p 302
inservice
class-map type http loadbalance Secure_Pages
match http url /secure.*
class-map type http loadbalance Non-Secure_Pages
*** DO NOT *** match http url /secure.*
class-map match-all VIP-HTTP-website.co.uk
2 match virtual-address 10.79.18.10 tcp eq www
class-map match-all VIP-SSL-website.co.uk
2 match virtual-address 10.79.18.10 tcp eq https
policy-map type loadbalance first-match VIP-LB-HTTP-website.co.uk
class Secure_Pages
serverfarm REDIRECT_TO_HTTPS
class class-default
serverfarm serverfarm-website.co.uk
policy-map type loadbalance first-match VIP-LB-SSL-website.co.uk
class Non-Secure_Pages
serverfarm REDIRECT_TO_HTTP
class class-default
serverfarm serverfarm-website.co.uk
serverfarm host serverfarm-website.co.uk
failaction purge
rserver server1 80
probe PING_SERVER
probe http-website.co.uk
inservice
rserver server2 80
probe PING_SERVER
probe http-website.co.uk
inservice
serverfarm redirect REDIRECT_TO_HTTPS
rserver REDIRECT_TO_HTTPS
inservice
serverfarm redirect REDIRECT_TO_HTTP
rserver REDIRECT_TO_HTTP
inservice
many thanks -
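An added example, not part of Matthew's post: ACE class-maps have no "does not match" URL rule, but a `first-match` load-balance policy evaluates its classes in order, so "everything except /secure" is expressed by listing the positive match first and letting `class class-default` catch the rest. It reuses the names from the config above (the rservers, farms and the `Secure_Pages` class are assumed to exist as posted); only the two loadbalance policies change. Lines starting with "!" are reader notes. Note also that `ssl url rewrite location` acts on the Location header of the server's own 3xx responses (turning http:// into https:// after SSL termination); it does not inspect request URLs, which is why this enforcement is done with classes and redirect farms instead.

```text
! HTTPS VIP (after SSL termination): genuine /secure pages are served,
! everything else is bounced back to plain http. No negated regex needed.
policy-map type loadbalance first-match VIP-LB-SSL-website.co.uk
  class Secure_Pages
    serverfarm serverfarm-website.co.uk
  class class-default
    serverfarm REDIRECT_TO_HTTP

! HTTP VIP: /secure pages are bounced to https, the rest served as-is.
policy-map type loadbalance first-match VIP-LB-HTTP-website.co.uk
  class Secure_Pages
    serverfarm REDIRECT_TO_HTTPS
  class class-default
    serverfarm serverfarm-website.co.uk

! Redirect rservers keep the requested path via %p (as in the post).
rserver redirect REDIRECT_TO_HTTPS
  webhost-redirection https://www.website.co.uk/%p 302
  inservice
rserver redirect REDIRECT_TO_HTTP
  webhost-redirection http://www.website.co.uk/%p 302
  inservice
```

Only requests that actually hit the wrong scheme are redirected, so a normal http request for a normal page never bounces. Bouncing https back to http is what the post asks for; the usual objection is that any cookie set without the Secure flag then travels in the clear on the next request, so check the application's cookie flags before enabling that half.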
I configured an ACE30-MOD-K9 in bridge mode and I configured a server farm with its real servers. The traffic passes and is balanced correctly between all rservers. But I cannot contact a server that is on the same VLAN as the serverfarm but doesn't belong to this serverfarm.
I thought that the traffic directed to this "spare" server shouldn't be balanced, but the bridge should permit the traffic to pass (transparent mode). Is that correct?
What does the ACE in bridge mode do with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
With respect to the following configuration, 10.10.10.168 isn't reachable
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
probe http HTTP_PROBE1
expect status 200 200
rserver host RS_WEB1
ip address 10.10.10.163
inservice
rserver host RS_WEB2
ip address 10.10.10.164
inservice
rserver host RS_WEB3
ip address 10.10.10.165
inservice
rserver host RS_WEB4
ip address 10.10.10.167
inservice
serverfarm host SF_FIREGROUP
rserver RS_WEB1
inservice
rserver RS_WEB2
inservice
rserver RS_WEB3
inservice
rserver RS_WEB4
inservice
sticky ip-netmask 255.255.255.255 address source sticky-ip
replicate sticky
serverfarm SF_FIREGROUP
sticky http-cookie myCookie sticky-cookie
cookie insert browser-expire
serverfarm SF_FIREGROUP
class-map match-any VS_FIREGROUP
2 match virtual-address 10.10.10.169 tcp eq www
4 match virtual-address 10.10.10.169 tcp eq 8081
5 match virtual-address 10.10.10.169 tcp eq 8082
6 match virtual-address 10.10.10.169 tcp eq 8083
7 match virtual-address 10.10.10.169 tcp eq 8084
8 match virtual-address 10.10.10.169 tcp eq 8085
9 match virtual-address 10.10.10.169 tcp eq 8097
class-map match-any VS_FIREGROUP_HTTPS
2 match virtual-address 10.10.10.169 tcp eq https
policy-map type loadbalance first-match HTTP
class class-default
sticky-serverfarm sticky-cookie
policy-map type loadbalance first-match HTTPS
class class-default
sticky-serverfarm sticky-ip
policy-map multi-match HTTP_HTTPS_MULTI_MATCH
class VS_FIREGROUP
loadbalance vip inservice
loadbalance policy HTTP
loadbalance vip advertise active
class VS_FIREGROUP_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS
loadbalance vip advertise active
interface vlan 4
bridge-group 1
access-group input INBOUND
service-policy input HTTP_HTTPS_MULTI_MATCH
no shutdown
interface vlan 700
bridge-group 1
access-group input INBOUND
no shutdown
interface bvi 1
ip address 10.10.10.150 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.1
Thanks a lot
Francesco
Hi Francesco,
Just to add a bit more: a bridge group is very similar to routed mode, except that the ACE cannot NAT pass-through traffic, VLANs cannot be shared, and a couple of other things, but clients should be able to access the server as before.
But also, whether in bridge or routed mode, the ACE does create flows and applies other security parameters, if configured, to the traffic. This is for security. Also, the ACE should know the MAC of the device to forward the traffic to. Can you check if the ACE has the MAC of the destination? You can also put a route in for testing purposes and see if that resolves the issue. That should probably be the quickest way to check if the ACE is creating any issue here.
Regards,
Kanwal -
ACE - sticky serverfarm and sorry servers
Primary serverfarm with stickiness (cookie insert) goes down. Backup serverfarm kicks in with sorry servers. Primary serverfarm comes back up and returning connections still get serviced by the backup farm. The reason for this is explained in the load balancing guide.
[quote]
If you want to configure a sorry server farm and you want existing connections to revert to the primary server farm after it comes back up, do not use stickiness.
[/quote]
Source: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686ebf.html#wp1060156
The big question is: how can I offer a serverfarm with stickiness and a sorry serverfarm without stickiness?
Roble
Hi Syed,
Unfortunately that's the theory. If you have cookie inserts, the clients are still stuck to the sorry servers once they have hit the sorry servers.
And my sticky group looks exactly like your first example. The documentation is kind of confusing. My interpretation of the quoted text was that if your primary serverfarm is sticky, your backup server farm will also be sticky no matter what you configure. That is actually why I asked.
If I use dynamic cookies from the application, the clients hop from one rserver to another every 2nd or 3rd connection. The behavior of the stickiness and sorry servers then works like I want, but the stickiness itself is not consistent.
1.5a still had this behavior and I think this might be a bug.
Roble -
ACE in one-arm model. VIP on Client Side, servers in other vlan
Hello All
I have a LAN with many servers, but only 2 need to be balanced. So I'm thinking of the one-arm model, due to the high traffic that should not pass through the ACE.
I have a VLAN 900 where the client side and the VIP are (10.0.9.64/26).
The servers are in VLAN 503 (10.12.3.0/24).
It's my first design with one-arm, but I think something is missing, because it doesn't work.
The configuration is the following:
MSFC:
svclc module 1 vlan-group 1,2
svclc vlan-group 1 503,900-902
svclc vlan-group 2 511
interface Vlan503
description OSS_&_Otros
ip address 10.12.3.253 255.255.255.0
standby 10 ip 10.12.3.254
standby 10 priority 150
standby 10 preempt delay minimum 305
interface Vlan900
description MSF_<->_ACE
ip address 10.0.9.126 255.255.255.192
end
access-list 101 permit ip 10.12.3.0 0.0.0.255 10.0.9.64 0.0.0.63
access-list 101 deny ip any any
route-map From_Server_OSS_to_ACE permit 10
match ip address 101
set ip next-hop 10.0.9.125
ACE_1/admin#
ip route 0.0.0.0 0.0.0.0 10.0.9.126
context OSS
allocate-interface vlan 511
allocate-interface vlan 900
allocate-interface vlan 902
member Max20
ACE_1/OSS# sh run
Generating configuration....
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any
rserver host OSS_FES_1
description OSS_Front_End_Server_1
ip address 10.12.3.140
inservice
rserver host OSS_FES_2
description OSS_Front_End_Server_2
ip address 10.12.3.150
inservice
serverfarm host SERVER_farm_OSS
rserver OSS_FES_1
inservice
rserver OSS_FES_2
inservice
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
interface vlan 900
description Clients-side
ip address 10.0.9.125 255.255.255.192
access-group input EVERYONE
access-group output EVERYONE
service-policy input OSS-POLICY-MAP
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.9.126
Maybe I need to allocate VLAN 503 in the OSS context? Any advice?
Thanks in advance,
Gianni from Chile
Since your servers are not behind the ACE in either bridge or routed mode, add the following to your config and use NAT to get the traffic back to the ACE.
This is how one-armed mode works.
ACE_1/OSS# sh run
Generating configuration....
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any
rserver host OSS_FES_1
description OSS_Front_End_Server_1
ip address 10.12.3.140
inservice
rserver host OSS_FES_2
description OSS_Front_End_Server_2
ip address 10.12.3.150
inservice
serverfarm host SERVER_farm_OSS
rserver OSS_FES_1
inservice
rserver OSS_FES_2
inservice
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
nat dynamic 10 vlan 900
interface vlan 900
description Clients-side
ip address 10.0.9.125 255.255.255.192
nat-pool 10 10.0.9.126 10.0.9.126 netmask 255.255.255.192 pat
access-group input EVERYONE
access-group output EVERYONE
service-policy input OSS-POLICY-MAP
no shutdown -
Interesting ACE URL Header & Load-balance & SSL on 2 VIPs
Hi There
I have an interesting situation that I am trying to solve. I have 4 websites, each one with SSL Off-Loading on the ACE on the outside. All FOUR websites run on a single server on the inside, but each website is using a different port number for differentiation. Also, they are currently only available on TWO IPs on the outside! I know.....it's a mare!
So, RSERVER = SERVER = 192.168.0.1
Each website has SSL Certs on the outside. https://website1.abc.com - https://website4.abc.com
But, DNS is only bound to 2 IPs on the outside, as that is all we have available currently, until we free up more IPs.
OUTSIDE:
website1.abc.com = 172.16.0.1:443
website2.abc.com = 172.16.0.1:443
website3.abc.com = 172.16.0.2:443
website4.abc.com = 172.16.0.2:443
On the server we have:
INSIDE: 192.168.0.1
SERVER:8001 = website1.abc.com
SERVER:8002 = website2.abc.com
SERVER:8003 = website3.abc.com
SERVER:8004 = website4.abc.com
So, in a nutshell what I need to do is:
Terminate SSL for each website, then match the HTTP header, and pass it to the SERVER on the right port. Sounds easy enough.
But, I am struggling like hell. The VIPs (Virtual IPs on the OUTSIDE) are causing me grief. My steps seem to be breaking my ruleset. Individually they all work, but once I tie them to the VIPs on the outside, it seems to stop. The first site in each CM (class-map) match in the PM (Profile-Map) works but the subsequent site just breaks.
I would post my config, but right now I have sooooooooooooo many variations, it looks like a dog's breakfast.
Can anyone give advice on the process flow to follow to get this to work. My issue is arround the VIPs mainly. To be honest, I don't really care about Load-Balancing right now. That will come later when more servers are added to mix. And then we might have to do inbound NAT too to the Server Farm, but that can wait! :-o
I have created a HEADER map for the headers, individual SERVER FARMS for each port on the RSERVER, ACLs matching the VIPs inbound on 443, CLASS-MAPs matching the HEADER and applying to SFARM, POLICY MAPS matching the CMAPs and doing Load-Balancing with SSL-PROXYs for the SSL headers. SERVICE-POLICY tieing it all together on Interface.
But .... things are going hey-wire.
So, steps are:
RSERVER
SFARMs = RSERVER:PORTs
ACLs = VIPs
CMAP = HEADER = URL
LB PMAP = HEADER CMAP & SFARM
PMAP MULITM = ACL CMAP + LB PMAP & SSL-Proxy
SVC-POL = PMAP MULTIM
Hi Surya
Thanks for the prompt reply. I'm not quite sure what you mean when you say it can only handle 2 certs. Can you elaborate please?
It would appear to me that you can actually only bind one cert to an IP, based on using a VIP address for the server farm as per the CM in the PM. I can hack out the irrelevant bits tomorrow and post what I have done thus far. I have played with multiple lines of code and various ways of trying to do this, but the end result is that it appears once I have the CM set per VIP I can only set one SSL-Proxy, and so only one cert. If I use multiple CMs, as per the MultiMatch policy, it matches the first CM against the VIP and doesn't appear to move on as per the HTTP Header. If any of that makes sense?
regards
Sent from Cisco Technical Support iPad App -
[ACE] Real servers and VIP in the same VLAN
Hello.
I'm facing an issue because the real servers and the VIP address are in the same VLAN: when a request comes from an external client to the VIP (crossing an ASA firewall), the ACK gets back using the IP of one of the real servers instead of the VIP, so this traffic is blocked by our WAN firewall, probably due to the inspection rules.
My question is whether there is some way to make the VIP the address that ACKs those requests. Creating a new VLAN would be complicated because there are other services already running on those real servers.
Thanks a lot,
Miquel
Hi Miquel,
Please do source NAT on the ACE so that return traffic gets sent to the ACE and not the FW. Pasting an example for you.
==========================================================================
One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
==========================================================================
login timeout 0
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
ip address 192.168.1.11
inservice
rserver host SERVER_02
ip address 192.168.1.12
inservice
rserver host SERVER_03
ip address 192.168.1.13
inservice
serverfarm host REAL_SERVERS
rserver SERVER_01
inservice
rserver SERVER_02
inservice
rserver SERVER_03
inservice
class-map match-all VIP-30
2 match virtual-address 192.168.1.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match SLB_LOGIC
class class-default
serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
class VIP-30
loadbalance vip inservice
loadbalance policy SLB_LOGIC
loadbalance vip icmp-reply active
nat dynamic 1 vlan 451
interface vlan 451
description Servers vlan
ip address 192.168.1.2 255.255.255.0
access-group input ANYONE
service-policy input CLIENT_VIPS
nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Let me know if you have any question.
Regards,
Kanwal -
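Both one-arm answers above (the nat-pool added in Gianni's thread and Kanwal's example here) source-NAT the client, so the real servers only ever see the pool address in their logs and access controls. As an added example, not from either post, this inserts the original client address as an X-Forwarded-For header before the NAT is applied. It reuses the names from Kanwal's config; the `%is` source-address token of `action-list type modify http` is taken from the ACE documentation but is an assumption here. Lines starting with "!" are reader notes.

```text
! Add the real client address to each request. Forcing an HTTP action also
! makes the ACE parse the request at layer 7 for this policy.
action-list type modify http ADD_XFF
  header insert request X-Forwarded-For header-value "%is"

policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
    action ADD_XFF

policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 451

interface vlan 451
  description Servers vlan
  ip address 192.168.1.2 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  ! Pool address: a free address on the server VLAN, never the ACE's own
  ! interface address or the upstream router's.
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown
```

Two things to check on the servers: they must read X-Forwarded-For only for connections arriving from the pool address (any client can send its own copy of that header), and with a single pool IP and `pat` the port range of that one address is the connection ceiling, so add pool addresses before a busy VIP exhausts it.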
ACE redirect to different URI on rserver
We use JDE and up to now part of the tools was Apache, which would redirect as follows:
http://alias.server to http://real.server:13333/main.maf
The latest version no longer uses Apache, so I was wondering how I can do it on the ACE.
Of course there is no problem going from alias.server port 80 to real.server:13333, but how can I add the URI main.maf?
Hi
The configuration would look like the following:
rserver host CHIJTW55
description CHIJTW55
ip address 172.16.98.106
inservice
rserver redirect JDEDV_RED
webhost-redirection http://172.16.73.10:13333/main.maf 301
inservice
serverfarm host JDEDV
description JDEDV servers
failaction purge
probe tcp13333
rserver CHIJTW55 13333
inservice
serverfarm redirect REDIRECT_FARM
rserver JDEDV_RED
inservice
class-map match-any JDEDV_vip_80
2 match virtual-address 172.16.73.10 tcp eq www
class-map match-any JDEDV_vip_13333
2 match virtual-address 172.16.73.10 tcp eq 13333
policy-map type loadbalance first-match JDEDV_80
class class-default
serverfarm REDIRECT_FARM
policy-map type loadbalance first-match JDEDV_13333
class class-default
serverfarm JDEDV
policy-map multi-match MULTI_POLICY
class JDEDV_vip_80
loadbalance vip inservice
loadbalance policy JDEDV_80
class JDEDV_vip_13333
loadbalance vip inservice
loadbalance policy JDEDV_13333
interface vlan X
service-policy input MULTI_POLICY
I hope this helps
Daniel -
Access Server through VIP (ACE 4710) but very slow
Re: Access Server through VIP (ACE 4710) but very slow
Hi Shiva
Kindly help. Accessing the server is very slow. Please check my real configuration. This configuration is for an application server, and after this I have to configure more serverfarms for different servers like webmail etc. in this ACE 4710. I have only one ACE 4710.
ACE version A4(2.0): does this version support probes? Without a probe the server will work, but very slowly. And please guide whether a NAT pool is required.
VIP :-- 172.16.15.8
LB/Admin# sh run
Generating configuration....
no ft auto-sync startup-config
logging enable
logging host 172.29.91.112 udp/514
resource-class RC1
  limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A4_2_0.bin
hostname LB
interface gigabitEthernet 1/1
  description Management
  speed 1000M
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  description clientside
  switchport access vlan 30
  no shutdown
interface gigabitEthernet 1/3
  description serverside
  switchport access vlan 31
  no shutdown
interface gigabitEthernet 1/4
  no shutdown
context Admin
  description Management
  member RC1
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http probe1
  description health check
  interval 5
  passdetect interval 10
  request method head
  expect status 200 200
  open 1
rserver redirect https_redirect
  description redirect traffic to https
  webhost-redirection / 302
  inservice
rserver redirect maintenance_page
  description maintenance page displayed
  webhost-redirection /sry.html 301
  inservice
rserver host web1
  ip address 192.168.10.3
  inservice
rserver host web2
  ip address 192.168.10.4
  inservice
rserver host web3
  ip address 192.168.10.5
  inservice
serverfarm host http
  rserver web1
    inservice
  rserver web2
    inservice
  rserver web3
    inservice
serverfarm redirect https_redirect_farm
  description Redirect traffic to https
serverfarm redirect maintenance_farm
  description send user to maintenance page
parameter-map type connection paramap_http
  description parameter connection tcp
  exceed-mss allow
sticky ip-netmask 255.255.255.0 address source Sticky_http
  timeout activeconns
  serverfarm http
class-map match-all REMOTE-ACCESS
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
class-map match-all slb-vip
  2 match virtual-address 172.16.15.8 tcp eq www
policy-map type management first-match remote_access
  class class-default
    permit
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match slb
  class class-default
    serverfarm http
policy-map type inspect http all-match slb-vip-http
  class class-default
    permit
policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply active
    inspect http policy slb-vip-http
    connection advanced-options paramap_http
interface vlan 30
  description "Client Side"
  ip address 172.16.15.24 255.255.255.0
  access-group input everyone
  service-policy input client-vips
  no shutdown
interface vlan 31
  description "Server Side"
  ip address 192.168.10.1 255.255.255.0
  service-policy input remote_access
  no shutdown
interface vlan 1000
  description managment
  ip address 172.29.91.110 255.255.255.0
  service-policy input remote_mgmt_allow_policy
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.15.1
snmp-server contact "PHQ"
snmp-server community phq group Network-Monitor
snmp-server trap-source vlan 1000
username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/ role Admin domain default-domain
username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR. role Admin domain default-domain
username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0 role Admin domain default-domain
ssh key rsa 1024 force
banner motd # "ro" #
Regards,
Prem
Hi Shiva,
Please guide me, I'm new to the ACE LB. Also find my n/w design for connecting the ACE to the server. Server access is very, very slow, but when I connect through my old software server LB (with two interfaces) access is very fast. I just replaced my old server LB (with two interfaces) with the ACE 4710 and connected the same scenario, so why is the server not accessed smoothly via the VIP? Reply soon. I only connect the ACE's two interfaces to the switch.
Regards,
Prem
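Added example, not from this thread and not Cisco's code: a small Python helper that reads an ACE "show run" dump such as Daniel's redirect configuration above or Prem's full dump, follows each VIP through the multi-match policy, the load-balance policy and the serverfarm to what a client actually reaches (the 301 Location of a redirect rserver, or the real server and port), and then flags two things a reviewer would raise on Prem's dump: a management class-map that permits telnet, http and snmp, and a host serverfarm with no probe bound to it (probe1 is defined but never attached to serverfarm http). The SAMPLE_CONFIG inside it is a constructed subset of the two posts; the parser strips leading whitespace, so it accepts the device's indented output as well as a flattened copy-paste, and the only values it rewrites are the www and https port keywords.

```python
import re
# Constructed sample (not from the thread): Daniel's redirect setup plus a management class-map and an unprobed farm as in Prem's dump.
SAMPLE_CONFIG = """\
rserver host CHIJTW55
  ip address 172.16.98.106
rserver redirect JDEDV_RED
  webhost-redirection http://172.16.73.10:13333/main.maf 301
serverfarm host JDEDV
  probe tcp13333
  rserver CHIJTW55 13333
serverfarm redirect REDIRECT_FARM
  rserver JDEDV_RED
serverfarm host http
  rserver web1
class-map type management match-any remote_access
  4 match protocol telnet any
  8 match protocol snmp any
class-map match-any JDEDV_vip_80
  2 match virtual-address 172.16.73.10 tcp eq www
class-map match-any JDEDV_vip_13333
  2 match virtual-address 172.16.73.10 tcp eq 13333
policy-map type loadbalance first-match JDEDV_80
  class class-default
    serverfarm REDIRECT_FARM
policy-map type loadbalance first-match JDEDV_13333
  class class-default
    serverfarm JDEDV
policy-map multi-match MULTI_POLICY
  class JDEDV_vip_80
    loadbalance policy JDEDV_80
  class JDEDV_vip_13333
    loadbalance policy JDEDV_13333
"""
# Statements that open a top-level block; inside a serverfarm, 'rserver NAME' and 'probe NAME' are member references.
TOP = re.compile(r"^(rserver (host|redirect) |serverfarm (host|redirect) |class-map |policy-map |"
                 r"interface |probe \S+ \S+$|access-list |sticky |parameter-map |ip route )")
CLEARTEXT_MGMT = {"telnet", "http", "snmp"}  # management protocols that carry credentials in clear

def split_blocks(text):
    """Group the dump into (header, sublines) pairs; indentation is ignored."""
    blocks = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if TOP.match(line):
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks

def block(blocks, header_re):
    """Sublines of the first block whose header matches header_re, or []."""
    return next((subs for h, subs in blocks if re.match(header_re, h)), [])

def first(pattern, lines):
    """First capture group of pattern over lines, or ''."""
    return next((m[1] for l in lines if (m := re.match(pattern, l))), "")

def member_target(blocks, name, port):
    """What one serverfarm member does with the request: redirect the client or forward."""
    red = first(r"webhost-redirection (\S+ \d+)$", block(blocks, rf"rserver redirect {re.escape(name)}$"))
    if red:
        url, code = red.split()
        return f"redirect {code} {url}"
    ip = first(r"ip address (\S+)", block(blocks, rf"rserver host {re.escape(name)}$"))
    return f"{ip or name}:{port}"

def resolve_vips(blocks):
    """Follow each VIP: multi-match -> loadbalance policy -> serverfarm -> members."""
    report = []
    for header, subs in blocks:
        if not header.startswith("policy-map multi-match "):
            continue
        cls = ""
        for line in subs:
            if m := re.match(r"class (\S+)$", line):
                cls = m[1]
            elif (m := re.match(r"loadbalance policy (\S+)$", line)) and cls:
                lb = block(blocks, rf"policy-map type loadbalance first-match {re.escape(m[1])}$")
                farm_name = first(r"serverfarm (\S+)$", lb)
                farm = block(blocks, rf"serverfarm (host|redirect) {re.escape(farm_name)}$")
                members = [(r[1], r[2]) for l in farm if (r := re.match(r"rserver (\S+)(?: (\d+))?$", l))]
                cmap = block(blocks, rf"class-map match-(any|all) {re.escape(cls)}$")
                vips = [(v[1], v[2]) for l in cmap if (v := re.match(r"\d+ match virtual-address (\S+) tcp eq (\S+)", l))]
                for ip, port in vips:
                    port = {"www": "80", "https": "443"}.get(port, port)  # ACE port keywords
                    targets = [member_target(blocks, n, p or port) for n, p in members]
                    report.append({"vip": f"{ip}:{port}", "serverfarm": farm_name, "targets": targets})
    return report

def audit(blocks):
    """Findings a reviewer would raise first on a dump like the ones posted."""
    out = []
    for header, subs in blocks:
        if m := re.match(r"class-map type management match-\w+ (\S+)$", header):
            protos = {p[1] for l in subs if (p := re.match(r"\d+ match protocol (\S+) any", l))}
            if clear := sorted(protos & CLEARTEXT_MGMT):
                out.append(f"management class-map {m[1]} permits cleartext protocols: {', '.join(clear)}")
        elif m := re.match(r"serverfarm host (\S+)$", header):
            if not any(re.match(r"probe \S+$", l) for l in subs):
                out.append(f"serverfarm {m[1]} has no probe; failed rservers keep receiving connections")
    return out
```

Call split_blocks on the dump, then resolve_vips and audit on the result. For the sample, the port-80 VIP resolves to "redirect 301 http://172.16.73.10:13333/main.maf" and the port-13333 VIP to 172.16.98.106:13333, which is exactly the two-step client path Daniel's answer sets up; a member with no port of its own inherits the VIP port, as ACE does. The flat layout stays unambiguous because a definition is written "rserver host NAME" or "rserver redirect NAME" while a serverfarm member is "rserver NAME [port]", and the same holds for "probe TYPE NAME" versus "probe NAME".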