Sticky configuration at CSS11506
When I configure the sticky option on contents as follows:
content www
vip address 172.16.1.1
add service web1 weight 2
add service web2 weight 3
add service web3 weight 4
balance weightedrr
advanced-balance sticky-srcip
sticky-mask 255.255.255.0
protocol tcp
port 80
active
There was no problem for common clients.
If no sticky options are applied for any clients,
what will the problem be?
Or has there been any case like that?
My OS version and device are 7.1Build109s and CSS11506.
In the above content configuration, when I add the line application SSL,
what will happen?
What is the difference between using 'application SSL' and not using 'application SSL'?
The only possible problem is the limit of size for the sticky table.
32k with 128MB
128k with 256MB
Once the table is full we delete old entries (FIFO) or if you have sticky timer, we do not delete old entries and reject creation of new entry.
Gilles.
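The two full-table behaviours described in the reply above, as an added example that is not part of the original thread and is not CSS code. It is a toy model: the tiny capacity, the `inactive_timeout` parameter, the constructed 10.0.x.x client addresses, and the assumption that a rejected client is still load balanced (just not remembered) are all illustrative.

```python
import ipaddress
from collections import OrderedDict
from itertools import cycle

# Service names and weights copied from the content rule in the question.
SERVICES = [("web1", 2), ("web2", 3), ("web3", 4)]


class StickyTable:
    """Toy model of a bounded source-IP sticky table (not CSS internals)."""

    def __init__(self, services, mask, capacity, inactive_timeout=None):
        self.mask = int(ipaddress.IPv4Address(mask))
        self.capacity = capacity
        self.timeout = inactive_timeout        # None models "no sticky timer"
        self.entries = OrderedDict()           # key -> [service, last_seen]
        # Weighted round robin modelled as a simple expanded cycle.
        self._rr = cycle([n for n, w in services for _ in range(w)])
        self.evicted = 0
        self.rejected = 0

    def key(self, src_ip):
        # sticky-mask: every client in the masked network shares one entry.
        return int(ipaddress.IPv4Address(src_ip)) & self.mask

    def pick(self, src_ip, now=0):
        if self.timeout is not None:
            self._expire(now)
        k = self.key(src_ip)
        entry = self.entries.get(k)
        if entry is not None:
            entry[1] = now                     # a hit refreshes the idle timer
            return entry[0]
        service = next(self._rr)
        if len(self.entries) >= self.capacity:
            if self.timeout is not None:
                # Timer configured: old entries are kept, the new one is refused.
                self.rejected += 1
                return service                 # assumption: balanced, not stored
            # No timer: the oldest entry is dropped (FIFO) to make room.
            self.entries.popitem(last=False)
            self.evicted += 1
        self.entries[k] = [service, now]
        return service

    def _expire(self, now):
        stale = [k for k, (_, seen) in self.entries.items()
                 if now - seen >= self.timeout]
        for k in stale:
            del self.entries[k]


if __name__ == "__main__":
    fifo = StickyTable(SERVICES, "255.255.255.0", capacity=2)
    for ip in ["10.0.1.5", "10.0.1.200", "10.0.2.9", "10.0.3.9", "10.0.1.5"]:
        print("fifo ", ip, "->", fifo.pick(ip))
    print("evicted:", fifo.evicted)

    timed = StickyTable(SERVICES, "255.255.255.0", capacity=2, inactive_timeout=60)
    for ip, t in [("10.0.1.5", 0), ("10.0.2.9", 1), ("10.0.3.9", 2),
                  ("10.0.1.5", 30), ("10.0.3.9", 70)]:
        print("timer", t, ip, "->", timed.pick(ip, now=t))
    print("rejected:", timed.rejected)
```

In the FIFO run the 10.0.1.0/24 clients lose their entry and land on a different service when they return; in the timer run they stay put while the third network is refused an entry until an idle one expires.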
Similar Messages
-
Hi Guys,
I'm trying to set up a sticky configuration on an ACE module in a 6500.
I've got the load balancing working happily but need to amend the config to add stickiness.
As far as I know the first command is something on the lines of...
sticky http-cookie COOKIENAME STICKYGROUP
however when I put this in I get the following error.
Error: Sticy resource not available
I suspect that I'm missing something obvious.
Any assistance is greatly appreciated.
Regards
Steve
By default all the resources are available to ACE contexts except the sticky resource.
You need a resource class with the sticky resource defined and this class applied to the context.
For example:
resource-class GOLD
limit-resource sticky minimum 1 maximum equal-to-min
Thanks
Syed Iftekhar Ahmed -
Backup rserver with sticky configured
Hi,
I would like to ask regarding the configuration for the backup rserver with sticky configured.
This is not documented in the Cisco guides.
Suppose the real server1 fails and connections are diverted to server2. Then server1 resumes service. What happens to existing connections on server2 and the new connections?
serverfarm SFARM1
rserver SERVER1
backup-rserver SERVER2
inservice
rserver SERVER2
inservice standby
- Existing connections keep accessing server2.
- If a new client request (connection) matches a sticky entry for server2, ACE forwards this request to server2.
ACE looks up sticky entries and uses server2 since standby state is handled as UP.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/rsfarms.html#wp1000385
- If a new client request (connection) doesn't match any sticky entry for server2, ACE forwards this request to server1.
If you want to use server1 after coming back OPERATIONAL, I recommend you use 'backup serverfarm' without sticky option as below.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/sticky.html#wp1137791
serverfarm SFARM1
rserver SERVER1
inservice
serverfarm SFARM2
rserver SERVER2
inservice
sticky ip-netmask 255.255.255.255 address both sticky_ip
serverfarm SFARM1 backup SFARM2
The following is a test result of standby rserver and sticky ip.
ACE20a/Admin# sh rserver
rserver : sv1, type: HOST
state : OPERATIONAL (verified by arp response)
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
serverfarm: sf
192.168.72.11:0 8 PROBE-FAILED 0 2
rserver : sv2, type: HOST
state : OPERATIONAL (verified by arp response)
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
serverfarm: sf
192.168.72.12:0 8 OPERATIONAL 0 8
ACE20a/Admin#
!___ access from client to ACE vip
ACE20a/Admin# sh sticky database
sticky group : sticky_ip
type : IP
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+--------------------------------+--------------+-------+
13882423967172020068 sv2:0 86384 -
!___ ACE learns client address and registers the entry
ACE20a/Admin#
ACE20a/Admin# sh rserver
rserver : sv1, type: HOST
state : OPERATIONAL (verified by arp response)
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
serverfarm: sf
192.168.72.11:0 8 OPERATIONAL 0 2
!___ return OPERATIONAL
rserver : sv2, type: HOST
state : OPERATIONAL (verified by arp response)
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
serverfarm: sf
192.168.72.12:0 8 STANDBY 0 9
!___ return STANDBY
ACE20a/Admin# sh sticky database
sticky group : sticky_ip
type : IP
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+--------------------------------+--------------+-------+
13882423967172020068 sv2:0 86356 -
!___ ACE keeps sticky entry to server2.
ACE20a/Admin#
!___ access from client with new syn packet
ACE20a/Admin# sh sticky database
sticky group : sticky_ip
type : IP
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+--------------------------------+--------------+-------+
13882423967172020068 sv2:0 86389 -
!___ use this sticky entry (time-to-expire flag is reset) and send packets to server2
ACE20a/Admin#
ACE20a/Admin# sh ver | i image
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_3_1.bin -
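An added example (not from the original post and not Cisco tooling): a parser over the two command outputs shown in the test above that lists sticky entries still bound to an rserver whose serverfarm state is not OPERATIONAL. The sample text is copied from that test output with the separator rows dropped; the function names are hypothetical.

```python
import re

# Copied from the "after server1 recovers" snapshot in the post above.
SHOW_RSERVER = """\
ACE20a/Admin# sh rserver
rserver : sv1, type: HOST
state : OPERATIONAL (verified by arp response)
real weight state current total
serverfarm: sf
192.168.72.11:0 8 OPERATIONAL 0 2
!___ return OPERATIONAL
rserver : sv2, type: HOST
state : OPERATIONAL (verified by arp response)
real weight state current total
serverfarm: sf
192.168.72.12:0 8 STANDBY 0 9
!___ return STANDBY
"""

SHOW_STICKY = """\
ACE20a/Admin# sh sticky database
sticky group : sticky_ip
type : IP
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
13882423967172020068 sv2:0 86356 -
!___ ACE keeps sticky entry to server2.
"""

RSERVER_RE = re.compile(r"^rserver\s*:\s*([^,\s]+)")
FARM_RE = re.compile(r"^serverfarm\s*:\s*(\S+)")
# ip:port weight STATE current total
REAL_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+\s+\d+\s+([A-Z-]+)\s+\d+\s+\d+$")
GROUP_RE = re.compile(r"^sticky group\s*:\s*(\S+)")
# hash rserver:port time-to-expire flags
ENTRY_RE = re.compile(r"^(\d+)\s+([^:\s]+):(\d+)\s+(\d+)\s+\S+$")


def parse_rserver_states(text):
    """Return {rserver: {serverfarm: state}}; prompts and notes are ignored."""
    states, name, farm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RSERVER_RE.match(line)
        if m:
            name, farm = m.group(1), None
            states[name] = {}
            continue
        m = FARM_RE.match(line)
        if m and name:
            farm = m.group(1)
            continue
        m = REAL_RE.match(line)
        if m and name and farm:
            states[name][farm] = m.group(1)
    return states


def parse_sticky_entries(text):
    """Return one dict per sticky-entry row, tagged with its sticky group."""
    entries, group = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and group:
            entries.append({"group": group, "hash": m.group(1),
                            "rserver": m.group(2), "ttl": int(m.group(4))})
    return entries


def sticky_entries_off_primary(rserver_text, sticky_text):
    """List (group, hash, rserver, farm, state, ttl) for non-OPERATIONAL reals."""
    states = parse_rserver_states(rserver_text)
    findings = []
    for e in parse_sticky_entries(sticky_text):
        for farm, state in sorted(states.get(e["rserver"], {}).items()):
            if state != "OPERATIONAL":
                findings.append((e["group"], e["hash"], e["rserver"],
                                 farm, state, e["ttl"]))
    return findings


if __name__ == "__main__":
    for row in sticky_entries_off_primary(SHOW_RSERVER, SHOW_STICKY):
        print(row)
```

Each row it returns is a client that will keep landing on the standby server until its time-to-expire runs out or the entry is cleared.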
Cookie stickiness configuration issue with Cisco ACE
Hi,
We have configured an ACE (in standby mode) with IP netmask stickiness and wanted to configure cookie stickiness for a Remedy server placed behind the ACE. BMC has said that they use the JSESSIONID field on the Remedy application, and I want to know the procedure for configuring the ACE to see this field and deploy the cookie stickiness feature on the ACE.
We tried configuring the ACE to learn the cookie string dynamically and tried to insert the cookie in the server response to the client, but both methods have failed and the user is not able to see the Remedy app webpage on both occasions.
Are there any prerequisites to be configured on the ACE before configuring the cookie stickiness feature? We would appreciate your timely response.
Thanks in advance.
Hi,
Refer to the document below for a sample configuration. If this still doesn't work, a full config and sniffer capture are required to verify this.
http://docwiki.cisco.com/wiki/Session_Persistence_Using_Cookie_Learning_on_the_Cisco_Application_Control_Engine_Configuration_Example
Regards,
Siva -
ACE 4710 Stickiness Configuration
We have the ACE 4710 Ver. A3(2.0) configured and the load balancing is working fine. But we are having a problem keeping a user session on one web server. The website is running on IIS, and it's created using ASP.NET. The user session is bouncing between the two load balancing servers. How can we configure stickiness to solve this issue? Or, what are the recommended solutions?
Here is an example of a sticky config. This will sticky on source address.
sticky ip-netmask 255.255.255.255 address source WebSeal_Sticky
replicate sticky
serverfarm WebSeal_Farm
Then apply it-
policy-map type loadbalance first-match WebSeal-Virtual-Server-l7slb
class class-default
sticky-serverfarm WebSeal_Sticky
policy-map type loadbalance first-match WebSeal_HTTPS-l7slb
class class-default
sticky-serverfarm WebSeal_Sticky
Also check out the configuration guide.
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html
Hope that helps. -
Sticky issue for an application configured in ACE
Hi All,
We are facing a strange issue with ACE. We have a sticky configured for an application in ACE.
Sometimes the application is not working, and we have to clear the sticky session on ACE to fix the issue.
Can anybody help me to troubleshoot this issue?
Regards,
Thiyagu
Hi Jorge,
Here is the sticky configuration of the application which is having issue.
sticky ip-netmask 255.255.255.255 address source SG
timeout 15
serverfarm SF
Please let me know if you need the complete configuration.
Regards,
Thiyagu -
How to configure stickiness on ACE20 ?
Config attached....
I have set up 2 ACE20s for SLB, which works fine; however, I am struggling to understand how to configure stickiness in the way I want to. I want any user on the network who connects to any of the 5 rservers to have a sticky time of 60 minutes as requested by the application vendor; the app is HTTP.
The network is subnetted and all subnets fall within the ranges 172.16.0.0/12 and 192.168.0.0/16. Can anyone help me with the sticky configuration? As you can see from my config, I started to configure this but do not quite understand how to classify the traffic and associate it with the serverfarm.
I am new to content switching.
Thanks
Paul Tribe (CCNA, CCMP, CCSP)
Technical Analyst
Nottingham City Council (UK)
Tel - +44 (0)115 915 4119
You have stickiness configured but it has not been applied. Try this:
policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
class class-default
sticky-serverfarm Carefirst
Note the change in the last line. This applies the sticky rule. Hope this helps. -
Hi guys, I need help with configuring Cisco SLB for 2 Microsoft Exchange servers. I have created a server farm for the 2 servers, and the configuration works. The problem is that the user logs onto the domain, then when opening Outlook, the user is required to log in again. Now if we edit the host file on the client PC with one of the server addresses, which means bypassing SLB routing, then the user only logs in once to the domain; when the user opens Outlook it does not prompt him for credentials, which the user prefers. Can anyone with SLB experience shed some light? Is this an SLB issue or a server issue? My SLB is configured in direct mode and no sticky is configured.
ip slb serverfarm SERVERFARM
nat server
real 10.122.xxx.xxx
weight 2
inservice
real 10.122.xxx.xxx
weight 1
inservice
ip slb vserver VSERVER
virtual 10.123.xxx.xxx tcp smtp
serverfarm SERVERFARM
inservice
ip slb vserver VSERVER_HTTPS
virtual 10.123.xxx.xxx tcp https
serverfarm SERVERFARM
inservice
ip slb vserver VSERVER_WWW
virtual 10.123.xxx.xxx tcp www
serverfarm SERVERFARM
inservice
Justin,
you'll need to perform the math manually (or within a script).
Get the number of conn every x sec and make (o2 - o1)/x to have conn/sec
Gilles. -
HTTP sticky timeout issue in ACE .
Hi All ,
We are facing a disconnection issue in the HTTP session (sticky configuration).
As per the customer requirement, we configured the HTTP sticky with a connection timeout of 60 min (one hour).
But as per the test with the tool Cookie Manager, they identified that the HTTP sessions are getting timed out in 20 to 30 minutes.
Please find the sticky configuration
sticky http-cookie FRONT_SESSION_ID TEST_FRONT
cookie insert
timeout 60
replicate sticky
serverfarm TEST_FRONT
We also did the http persistence as below .
parameter-map type http HTTP_Persistence_Rebalance
persistence-rebalance
Parameter-map : HTTP_Persistence_Rebalance
Description : -
Type : http
server-side connection reuse : disabled
case-insensitive parsing : disabled
persistence-rebalance : enabled
header modify per-request : disabled
cookie-error-ignore : disabled
header-maxparse-length : 4096
content-maxparse-length : 4096
parse length-exceed action : drop
urlcookie-delimiters : /&#+
urlcookie-start : ?
We have also tested the session directly with the Rserver, but it is not getting disconnected (as we doubt whether it is any server-related issue).
Also please find the below resource allocation.
resource-class TEST-FRONT
limit-resource all minimum 0.00 maximum unlimited
limit-resource buffer syslog minimum 0.50 maximum equal-to-min
limit-resource sticky minimum 2.00 maximum unlimited
So can anyone please suggest whether there are any configuration mistakes here?
If the configuration is OK, please suggest what more I have to do to make the stickiness around 60 min.
Regards,
Sinjish.K
Sinjish-
Can you use the capture utility on ACE to gather a trace of the entire session - then filter out the traffic to just the client IP or the server IP and attach it to this thread? A showtech would also be useful to see if there are any anomalies.
Regards,
Chris Higgins -
ACE Load balancing with different source IP
Dear All ,
I am very new to ACE. We are deploying it on our enterprise infrastructure (10.x.x.x/8). I have a setup like this: we have 5 proxy servers supporting our enterprise internet needs. Load balancing to these 5 Blue Coat proxy servers is done via the ACE module.
My customer has a special requirement based on a specific source subnet: ACE needs to redirect that specific source subnet to a particular proxy server. Is this possible in ACE, or do we need to have a separate virtual server group for that specific source subnet range? Kindly correct me if I am wrong in my understanding.
Thanks
Santhoshkumar Saravanan
Hi Saravanan,
Please refer to the following link:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_2_0/configuration/slb/guide/sticky.pdf
Look at section :
IP Address Stickiness Configuration Quick Start
For example :
8. (Optional) Configure static IP address sticky entries up to a maximum of
65535 static entries per context.
host1/Admin(config-sticky-ip)# static client source 192.168.12.15
destination 172.16.27.3 rserver SERVER1 2000
The above may fulfill your requirement.
regards,
Ajay Kumar -
Multiple Ports for one Content in CSS
Dear All,
We configure a CSS11506 (v5.2) and the enduser wants to setup only one content (vip address) to support multiple services (such as http, https and DNS).
Since, in the configuration, we can only set one port in a content rule, is there any method to set up this requirement? Or do we need to create several contents with the same VIP but for different service ports?
Thank you very much!
Best Regards,
Lawrence
Take a look at the documentation regarding the way in which the CSS processes rules. You can have multiple rules with the same VIP... just specify the separate TCP ports in each rule, making them layer 4 rules.
I would advise against an L3 rule, as there is an outstanding bug in the 5.00 and 5.03 releases regarding unexpected switch reboots when UDP hits a rule.
HTH
Mike -
Real server to access a different Virtual server in same context ??
Hi all,
I have a scenario that needs to be clarified before going to production. Below is my traffic explanation.
SETUP
Context WEB -1st Virtual server (10.10.10.1) - > bind 2 Real Server ( 1.1.1.1 and 1.1.1.2) ->sticky configured
Context WEB - 2nd Virtual server (20.20.20.1) - > bind 2 Real Server (2.2.2.1 and 2.2.2.2) ->sticky configured
My question is
The user will hit 10.10.10.1 and be load balanced to RS 1.1.1.1 and 1.1.1.2; RS 1.1.1.1 and 1.1.1.2 will need to go to destination 20.20.20.1, and ACE load balances to 2.2.2.1 and 2.2.2.2.
Will RS 1.1.1.1 and 1.1.1.2 successfully hit 20.20.20.1, and can ACE load balance to 2.2.2.1 and 2.2.2.2 and respond to RS 1.1.1.1 and 1.1.1.2?
Any comment is welcome!
Thank you,
Meng Kiat
Hi Meng,
It is possible. You need to apply the Virtual server (20.20.20.1) policy to the server side Vlan interface.
That way server ( 1.1.1.1 and 1.1.1.2) can hit virtual server (20.20.20.1)
This should work just fine without any trouble.
regards,
Ajay Kumar. -
Sample Command Output of show chassis inventory for CSS
Hi,
I am trying to get a sample command output of "show chassis inventory" for:
CSS 11501
CSS 11503
CSS 11506
Can anyone help?
Thanks in advance.
Mike
Hi Mchi,
When I use the command show chassis inventory, I found:
Slot Module Serial
1 CSS5-SCM-2GE F0 JABxxxxxxx
2 CSS5-IOM-2GE E0 JAB08xxxxxx
3 CSS5-IOM-8FE F0 JAB0xxxxxxx
4 CSS503-SM-INT JAB09xxxxxxx
this is the switch fabric module that connects the other modules.
This is an internal module and it can't be removed/replaced.
Use the show chassis command to display a chassis configuration for the CSS. The syntax and options for this command are as follows:
•show chassis - Displays a summary of the chassis configuration.
•show chassis slot number - Displays the operational parameters for a slot in a CSS 11503 or CSS 11506 chassis. Enter an integer value for the chassis slot number.
•show chassis verbose - Displays detailed information about the chassis configuration.
•show chassis flash - Displays the operational and locked Flash software code on the CSS 11501, and the CSS 11503 or CSS 11506 SCM and I/O modules. An asterisk (*) character before a Flash version of code and build number indicates that it is active.
•show chassis inventory - Displays the physical configuration of the CSS including part and serial numbers.
•show chassis session-processors - Displays the weight and power summary of the session processors in the CSS chassis.
CSS11506# show chassis inventory
Chassis Inventory:
Product Name: CSS11506-2AC E0 SW Version: 07.50.1.05s
Serial Number: JAB09xxxxxx Base Mac Address: 00-13-80-37-xx-xx
Slot Module Serial
1 CSS5-SCM-2GE F0 JAB0915xxxx
2 CSS5-SCM-2GE F0 JAB0914xxxx
3 CSS5-SSL-K9 F0 JAB0848xxxx
4 CSS5-IOM-2GE E0 JAB0808xxxx
7 CSS506-SM E0 JAB0911xxxx
8 CSS506-SM E0 JAB0911xxxx
Even a "show chassis verbose" command does not indicate the presence of a GBIC. It shows the Operational Status of a port as "online" whether there is a GBIC installed or not. For example, in the output below Slot 4 has a GBIC installed in port 4/1, but 4/2 is empty:
CSS11506# sho chassis verbose
Configuration for CSS11506-2AC E0:
Product Name: CSS11506-2AC E0 SW Version: 07.50.1.05s
Serial Number: JAB0916xxxx Base Mac Address: 00-13-80-37-xx-xx
Module(s) Found: 6
Power Supplies(s) Found: 2
Fan(s) Found: 3
Slot/SubSlot Operational Locked
1/1 *07.50.1.05 07.40.1.03
2/1 *07.50.1.05 07.40.1.03
3/1 *07.50.1.05 07.40.1.03
4/1 *07.50.1.05 07.20.2.06
Slot Number: 1 Type: CSS5-SCM-2GE F0
Serial Number: JAB0915xxxx Number of Ports: 2
Operational Status: primary
Port Number: 1 Port Name: SCM-2GE
Operational Status online
Port Number: 2 Port Name: SCM-2GE
Operational Status online
Slot Number: 2 Type: CSS5-SCM-2GE F0
Serial Number: JAB0914xxxx Number of Ports: 0
Operational Status: backup
Slot Number: 3 Type: CSS5-SSL-K9 F0
Serial Number: JAB0848xxxx Number of Ports: 0
Operational Status: primary
Slot Number: 4 Type: CSS5-IOM-2GE E0
Serial Number: JAB0808xxxx Number of Ports: 2
Operational Status: primary
Port Number: 1 Port Name: IOM-2GE
Operational Status online
Port Number: 2 Port Name: IOM-2GE
Operational Status online
Slot Number: 7 Type: CSS506-SM E0
Serial Number: JAB0911xxxx Number of Ports: 0
Operational Status: powered-on
Slot Number: 8 Type: CSS506-SM E0
Serial Number: JAB0911xxxx Number of Ports: 0
Operational Status: powered-on
end of buffer.
Maybe you can use "show tech"
HTH
Sachin -
Hi,
I want to redirect some URLs to a specific server of my web farm. The load balancing works, but the specific rules I created based on HTTP URL do not. (The load balancing doesn't keep the same server during the same user session, by the way.)
Here is my config :
access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any
probe tcp PROBE_TCP
interval 30
passdetect interval 60
rserver host web1
ip address 172.16.0.101
conn-limit max 50000 min 40000
inservice
rserver host web2
ip address 172.16.0.102
conn-limit max 50000 min 40000
inservice
serverfarm host FARM_WEB
predictor leastconns
probe PROBE_TCP
rserver web1
inservice
rserver web2
inservice
serverfarm host SINGLE_WEB1
rserver web1
inservice
parameter-map type http HTTP_PARAMETER_MAP
persistence-rebalance
class-map match-all L4-WEB-IP
2 match virtual-address x.x.x.x tcp eq www
class-map match-all L4-WEBHTTPS-IP
2 match virtual-address x.x.x.x tcp eq https
class-map type http loadbalance match-all L7CLASSWEB1
2 match http url http://www.mycompany*
class-map type http loadbalance match-all L7CLASSWEB1-Mycompany.com
2 match http url http://www.mycompany.com/*
class-map type management match-all REMOTE_ACCESS
2 match protocol ssh any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type loadbalance http first-match WEB_L7_POLICY
class L7CLASSWEB1
serverfarm SINGLE_WEB1
class L7CLASSWEB1-Mycompany.com
serverfarm SINGLE_WEB1
class class-default
serverfarm FARM_WEB
insert-http x-forward header-value "%is"
insert-http X-FORWARDED-FOR header-value "%is"
policy-map multi-match WEB-to-vIPs
class L4-WEB-IP
loadbalance vip inservice
loadbalance policy WEB_L7_POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 2129
appl-parameter http advanced-options HTTP_PARAMETER_MAP
class L4-WEBHTTPS-IP
loadbalance vip inservice
loadbalance policy WEB_L7_POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 2129
appl-parameter http advanced-options HTTP_PARAMETER_MAP
Hello Jean
The first thing which comes to my mind when you say: "The loadbalancing dont keep the same server during the same user session by the way" is that you need to configure some stickiness configuration. Here you have a link about it:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/sticky.html#wp1007300
For the redirection question, what exactly do you want to accomplish?
Here you have an example which might help you out: http://docwiki.cisco.com/wiki/URL_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
ACE-1/onearm(config)# class-map slb-vip
ACE-1/onearm(config-cmap)# match virtual-address 172.16.5.101 any
ACE-1/onearm(config)# class-map type http loadbalance match-all images
ACE-1/onearm(config-cmap-http-lb)# match http url /images/.*
ACE-1/onearm(config)# policy-map type loadbalance http first-match slb-logic
ACE-1/onearm(config-pmap-lb)# class images
ACE-1/onearm(config-pmap-lb-c)# serverfarm imagefarm
ACE-1/onearm(config-pmap-lb-c)# class class-default
ACE-1/onearm(config-pmap-lb-c)# serverfarm webfarm
As you can see above in this partial configuration, you have the VIP 172.16.5.101, that is
our website, www.example.com. Now we want to match www.example.com/images/; this is where we
are using the other class-map, and based on that we finally execute the action of sending the
request to the serverfarm imagefarm.
Hope this helps!!!
Jorge
http://docwiki.cisco.com/wiki/URL_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example -
ACE working with IronPort WSA server farm
We have an ACE load balancing a group of IronPort WSAs. The WSAs are working with the IP Spoofing feature, so the request to WWW has the source IP address of the WSA client and not the WSA itself.
We followed the document below, but it is not working. When the packet coming from the Internet has the WSA client address as the destination address, the ACE cannot deliver the packet even with mac-sticky configured.
I read in another forum that ACE needs to have the destination IP address in its ARP table or route table to be able to deal with the packet by the encapid.
But we don't have this entry in the arp table.
When we configure the WSA with IP spoofing and the source ip address is the WSA itself the configuration works fine.
Has anyone had this kind of problem on some occasion?
Thank you,
Everaldo
Hi Jorge,
The behavior is when we have IP Spoofing configured in the WSAs, the connection is not established. The ACE establishes the connection with the client but the connection with Internet is not established. I captured the packets that arrive in the ACE coming from Internet and I see SYN packets with source address as a public IP (Google) and the destination address as the internal client IP address with no ACK just RST.
With no IP Spoofing, meaning that the source IP address is the WSA, the connection is established with no RST.
The output of the commands follows:
show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 304
service-policy: WSA-VIPS
class: WSA_VIP_TCP_3128
VIP Address: Protocol: Port:
10.10.193.25 tcp eq 3128
loadbalance:
L7 loadbalance policy: WSA-POLICY
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: DISABLED
curr conns : 3 , hit count : 1260
dropped conns : 4
conns per second : 0
client pkt count : 19271 , client byte count: 2326106
server pkt count : 26140 , server byte count: 16572023
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : WSA-POLICY
class/match : class-default
LB action :
primary serverfarm: WSA_FARM
state: UP
backup serverfarm : -
hit count : 1260
dropped conns : 0
compression : off
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
switch/WSA# show probe WSA_TCP_3128
probe : WSA_TCP_3128
type : TCP
state : ACTIVE
port : 3128 address : 0.0.0.0
addr type : - interval : 5 pass intvl : 10
pass count: 3 fail count: 30 recv timeout: 10
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ----------------------+----+--------+------+------+------+------
serverfarm : WSA_FARM
real : WSA-01[0]
real : WSA-02[0]
10.10.193.37 3128 PROBE 15076 72 15004 SUCCESS
real : WSA-03[0]
real : WSA-04[0]
real : WSA-05[0]
real : WSA-06[0]
real : WSA-07[0]
real : WSA-08[0]
real : WSA-09[0]
real : WSA-10[0]
switch/WSA# show probe WSA_TCP_3128 detail
probe : WSA_TCP_3128
type : TCP
state : ACTIVE
description :
port : 3128 address : 0.0.0.0
addr type : - interval : 5 pass intvl : 10
pass count: 3 fail count: 30 recv timeout: 10
conn termination : FORCED
expect offset : 0 , open timeout : 3
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ----------------------+----+--------+------+------+------+------
serverfarm : WSA_FARM
real : WSA-01[0]
real : WSA-02[0]
10.10.193.37 3128 PROBE 15088 72 15016 SUCCESS
Socket state : CLOSED
No. Passed states : 2 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : -
Last probe time : Mon Sep 3 21:06:47 2012
Last fail time : Mon Sep 3 20:45:05 2012
Last active time : Mon Sep 3 20:45:57 2012
real : WSA-03[0]
real : WSA-04[0]
real : WSA-05[0]
real : WSA-06[0]
real : WSA-07[0]
real : WSA-08[0]
real : WSA-09[0]
real : WSA-10[0]
Thank you,
Everaldo