Sticky session reset by ¿ACE or real server?

Hello team.
I am looking for hints to debug cookie-based sessions that are failing to work across my ACE. Basically, the user types http://10.150.3.130/iwsupport, and that shoud be distributed across a farm of servers hidden behind the ACE.The servers set a cookie PHPSESSID=<value> when this URL is requested.
The customer tells me that he thinks that the problem arises when he requests access to the VIP with the POST command (please see the attached wireshark capture, line 52). His browser receives the following message:
Based on the original requirements, I configured the ACE, whose related section of the configuration is the following:
sticky http-cookie PHPSESSID STICKY_SERVERS
timeout 720
serverfarm TEST_SERVERFARM
replicate sticky
class-map type http loadbalance match-all iwsupport
match http url /iwsupport.*
policy-map type loadbalance http first-match TEST_POLICY
    class iwsupport
    sticky-serverfarm STICKY_SERVERS
class class-default
    serverfarm TEST_SERVERFARM
class-map match-all VIP-130
match virtual-address 10.150.3.130 tcp eq www
policy-map multi-match CLIENT_VIPS
class VIP-130
    loadbalance vip inservice
    loadbalance policy TEST_POLICY
    loadbalance vip icmp-reply active
I would appreciate your hints to get session information, debugs, or whatever it could be useful in order to see why this is not working properly.
Thank you very much in advance
Rogelio Alvez
Argentina

Hi Rogello,
Do you see on server itself if POST request sent by client reached server or not? And if yes what did server reply? If you don't see POST request on the server then most probably it is the ACE which is sending the RST.
the outputs suggested by Jorge should help us and of course the suggested changes.
The changes will ensure that ACE parses upto 65535 bytes which is to ensure that ACE doesn't drop connection because it couldn't read which it was told to because it was way too far in the packet. By default ACE parses up to 4096 bytes.
Regarding persistence rebalance, When the first HTTP request comes in, the ACE will match the request to a layer-7 class-map and load balance it to one of the servers within the serverfarm associated with that class-map. The ACE will then also match all subsequent requests on the same TCP connection to a layer 7 class-map. If the subsequent request matches the same layer 7 class-map as the previous request, then it will be sent to the same server as the previous request. If it matches a different layer 7 class-map, then it will be load balanced to one of the servers within the serverfarm of the newly matched layer-7 class-map according to the serverfarm’s predictor.
I doubt this will make any difference since without rebalance the traffic would be sent to the same server which i guess is not a problem here.
switch/Admin(config-parammap-http)# parsing non-strict--->This is a valid command and should work fine.
For allocating resources you can go to resource class and use limit resource command to allocate resources.
You can send the data at [email protected] Also, it would be good to have 2-3 instances of outputs while you do testing so that we can see the difference if any fail counter is increasing.
Regards,
Kanwal

Similar Messages

ACE- From one real server to another VIP

Hi,
I have a problem with ACE;
We have multiple serverfarms configured in the ACE module based on the application and different VIPs related to it. We are running the ACE in bridging mode. Now the requirement is from one serverfarm real server wants communicate to the VIP of the second serverfarm...Is this possible..???? Wil some NATing help in this situation. Below is the configuration.
======================
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
access-list LAN_Traffic remark For all IP Traffic
access-list LAN_Traffic line 10 extended permit ip any any
access-list LAN_Traffic line 20 extended permit icmp any any
probe http PORTAL_HTTP
passdetect interval 20
passdetect count 2
request method get url http://portal
expect status 0 600
probe http RMS_HTTP
request method get url /_wmcs
expect status 0 600
rserver host PORTAL1
ip address 172.22.11.241
inservice
rserver host PORTAL2
ip address 172.22.11.243
rserver host QGLRSPW1
inservice
rserver host RMS01
ip address 172.22.10.12
inservice
rserver host RMS02
ip address 172.22.10.8
inservice
serverfarm host PORTAL
failaction purge
probe PORTAL_HTTP
rserver PORTAL1
    inservice
rserver PORTAL2
    inservice
serverfarm host RMS
failaction purge
probe RMS_HTTP
rserver RMS01
    inservice
rserver RMS02
    inservice
class-map match-any PORTAL
2 match virtual-address 172.22.10.166 tcp any
class-map match-any RMS
2 match virtual-address 172.22.10.52 tcp eq www
3 match virtual-address 172.22.10.52 tcp eq https
policy-map type loadbalance first-match RMS-POLICY
class class-default
    serverfarm RMS
policy-map type loadbalance first-match PORTAL-POLICY
class class-default
    serverfarm PORTAL
policy-map multi-match SFARM-LB-POLICY
class RMS
    loadbalance vip inservice
    loadbalance policy RMS-POLICY
    loadbalance vip icmp-reply active
class PORTAL
    loadbalance vip inservice
    loadbalance policy PORTAL-POLICY
    loadbalance vip icmp-reply active
interface vlan 800
description ACE Client Interface
bridge-group 1
mac-sticky enable
service-policy input SFARM-LB-POLICY
no shutdown
interface vlan 898
description ACE Server Interface
bridge-group 1
mac-sticky enable
no shutdown
interface bvi 1
ip address 172.22.11.151 255.255.252.0
alias 172.22.11.153 255.255.252.0
peer ip address 172.22.11.152 255.255.252.0
description Bridge Group for 800 and 898 Interfaces
no shutdown
ip route 0.0.0.0 0.0.0.0 172.22.8.17
===================================
Pleae help..Thanks in advance

Hello!
Well yes it would work. BUT...you have to change your config a bit. First you need to apply your accesslist to both interfaces, or the ACE will reject it, because it is acting as a firewall by default. And second you have to apply the policymap to both interfaces as well or you put the policymap globally on the ACE.

ACE 4710: Find out the response time of a real server

Hi to everyone,
I have a couple of ACE 4710 and I need to find out what is the response time of a real server.
Is there a way for this?
Thank you for any answer!
giorgio romano

Hi,
Kindly add the following line in your serverfarm configuration:
predictor response syn-to-synack
Suppose your serverfarm looks like this:
serverfarm host AAA_FARM
predictor response syn-to-synack
probe HTTP_PROBE
probe TCP9001_PROBE
rserver SC106
inservice
rserver SC107
inservice
rserver SC108
inservice
rserver SC109
inservice
rserver SC110
inservice
rserver SC111
inservice
rserver SC112
inservice
rserver SC113
inservice
rserver SC114
inservice
rserver SC120
inservice
rserver SC131
inservice
And then use the following command to see the average response time from your rserver as follows:
ACE1/prod# show serverfarm AAA_FARM detail
serverfarm     : AAA_FARM, type: HOST
total rservers : 11
active rservers: 11
description    : ServerFarm AAA
state          : ACTIVE
predictor      : RESPONSE
method            : syn-to-synack
samples           : 8
failaction     : -
back-inservice    : 0
partial-threshold : 0
num times failover       : 0
num times back inservice : 0
total conn-dropcount : 0
Probe(s) :
HTTP_PROBE, type = HTTP
TCP9001_PROBE, type = TCP
----------connections-----------
real                  weight state        current    total      failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC106
x.x.x.x.:0        8      OPERATIONAL 2          1125       0
max-conns            : 4000000   , out-of-rotation count : 0
min-conns            : 4000000
conn-rate-limit      : -         , out-of-rotation count : -
bandwidth-rate-limit : -         , out-of-rotation count : -
retcode out-of-rotation count : -
load value           : 0
average response time (usecs) : 81   ----> thats what you might be looking for
From other day :
rserver: SC114
x.x.x.x:0        8      OPERATIONAL 70         10903      2
max-conns            : 4000000   , out-of-rotation count : 0
min-conns            : 4000000
conn-rate-limit      : -         , out-of-rotation count : -
bandwidth-rate-limit : -         , out-of-rotation count : -
retcode out-of-rotation count : -
load value           : 0
         average response time (usecs) : 1334                       ----> thats what you might be looking for
For Serverfarm BBB_FARM
serverfarm     : BBB_FARM, type: HOST
total rservers : 1
active rservers: 1
description    : ServerFarm BBB
state          : ACTIVE
predictor      : RESPONSE
method            : syn-to-synack
samples           : 8
failaction     : -
back-inservice    : 0
partial-threshold : 0
num times failover       : 1
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
----------connections-----------
real                  weight state        current    total      failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC208
x.x.x.x:0        8      OPERATIONAL 0          0          0
max-conns            : 4000000   , out-of-rotation count : 0
min-conns            : 4000000
conn-rate-limit      : -         , out-of-rotation count : -
bandwidth-rate-limit : -         , out-of-rotation count : -
retcode out-of-rotation count : -
load value           : 0
         average response time (usecs) : 0   ----> thats what you might be looking for
Use more detials for response predictor:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1068831
Configuring the Application Response Predictor
To instruct the ACE to select the server with the lowest average response time for the specified response-time measurement based on the current connection count and server weight (if configured), use the predictor response command in server farm host or redirect configuration mode. This predictor is considered adaptive because the ACE continuously provides feedback to the load-balancing algorithm based on the behavior of the real server.
To select the appropriate server, the ACE measures the absolute response time for each server in the server farm and averages the result over a specified number of samples (if configured). With the default weight connection option configured, the ACE also takes into account the server's average response time and current connection count. This calculation results in a connection distribution that is proportional to the average response time of the server.
The syntax of this command is as follows:
predictor response {app-req-to-resp | syn-to-close | syn-to-synack}[samples number]
The keywords and arguments are as follows:
•app-request-to-resp—Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.
•syn-to-close—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
•syn-to-synack—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server.
•samples number—(Optional) Specifies the number of samples over which you want to average the results of the response time measurement. Enter an integer from 1 to 16 in powers of 2. Valid values are 1, 2, 4, 8, and 16. The default is 8.
For example, to configure the response predictor to load balance a request based on the response time from when the ACE sends an HTTP request to a server to when the ACE receives a response back from the server and average the results over four samples, enter:
host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)# predictor response app-req-to-resp
samples 4
To reset the predictor method to the default of round-robin, enter:
host1/Admin(config-sfarm-host)# no predictor
To configure an additional parameter to take into account the current connection count of the servers in a server farm, use the weight connection command in server farm host predictor configuration mode. By default, this command is enabled. The syntax of this command is as follows:
weight connection
For example, enter:
host1/Admin(config)# serverfarm SF1
host1/Admin(config-sfarm-host)# predictor response app-request-to-resp
samples 4
host1/Admin(config-sfarm-host-predictor)# weight connection
To remove the current connection count from the calculation of the average server response time, enter:
host1/Admin(config-sfarm-host-predictor)# no weight connection
You can use threshold milliseconds parameter which is optional Specifies the required minimum average response time for a server. If the server response time is greater than the specified threshold value, the ACE removes the server from the load-balancing decision process (takes the server out of service).
Enter an integer from 1 to 300000 milliseconds (5 minutes). The default is no threshold (servers are not taken out of service).
In case if you have measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server use syn-to-close      (already discussed previously)
If you have to measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server use syn-to-synack   (already discussed previously)
SAMPLES parameter is optional and specifies the number of samples that you want to average from the results of the response time measurement and response time is used to select the server with the lowest response time for the requested response-time measurement. If you do not specify a response-time measurement method, the ACE uses the HTTP app-req-to-response method.
Whenever a server's load reaches zero, by default, the ACE uses the autoadjust feature to assign a maximum load value of 16000 to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options.
Using the least-loaded predictor with the configured server weight and the current connection count option enabled, the ACE calculates the final load of a real server as follows:
final load = weighted load Ã— static weight Ã— current connection count
where:
â€¢weighted load is the load reported by the SNMP probe
â€¢static weight is the configured weight of the real server
â€¢current connection count is the total number of active connections to the real server
The ACE recalculates the final load whenever the connection count changes, provided that the (config-sfarm-host-predictor) weight connection command is configured. If the (config-sfarm-host-predictor) weight connection command is not configured, the ACE updates the final load when the next load update arrives from the SNMP probe.
If two servers have the same lowest load (either zero or nonzero), the ACE load balances the connections between the two servers in a round-robin manner.
HTH
Plz rate if u find it useful.
Sachin

ACE 4710 SSL server LB with stickiness

I will be replacing 11500 CSS which are not doing SSL termination, just load-balancing SSL sessions terminated on servers with ACE 4710.
On their CSS config, they were doing SSL-sticky. I understand the 4710 doesn't support SSL sticky, but can perform the same function by parsing the HTTP header. Has anyone done this config before and know where/how to parse the header to look for the SSL session# and stick connections to same server?
THANKS!

In Ace 2.x code GPP (Generic protocol parsing) was introduced that enables ACE to look into the Layer 4 payload.Which is how this stickiness id achieved.
details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1133923
I dont think its currently available on ACE appliance yet.
Syed

ACE Module: Recover a real server probe-failed status

How does the ACE module recover a real server that has entered a probe-failed status state? We are doing some testing, purposely dropping a servers interface. ACE recognizes the server as being down and show it in a probe-failed state. When we bring the system's interface back up, will ACE see this and automatically bring the state back into Operational status, or does someone have to do something on the ACE module?

ACE continues to probe servers that are down or probe_failed. As soon as a server starts responding again its state will switch to alive again.
Nothing to be done.
Gilles.

ACE real server rate liiting

Hi,
If the ACE is configured to rate limit the traffic to a given real server to a certain bandwidth, what happens to the traffic that exceeds the specified limit ? Does the ACE drop this traffic in all cases as the documentation says ? Or can we configure the ACE to bypass this traffic either without any load balancing or to a backup server ?
Thanks and regards

That sounds good, When there is excess traffic, all the new connections would be sent to the serverfarm representing the DG. Now when the traffic level of the cache due to the existing connections decrease below acceptable levels, the ACE will again bring it in to rotation.
Cool, One question though. What happens if there are two caching servers, and we want to implement the same to both the servers. I'm thinking the net effect would be similar. But would there be any caveats ?

ACE 4710 use dns name in real server

Is there any way to use a DNS name in real server and not a static IP.

Hi,
This is not possible at the moment. With ACE EOL, i don't think it would be added either.
Regards,
Kanwal
Note: Please mark answers if they are helpful.

ACE 4710 Probes on other servers than the real server

Hi,
I wanted to know if there is a means to configure a probe that is independent of the real servers.
The aim is to configure a probe a real server but also probe another intermediate server which is not in the server farm.
The objective is to declare the real server down if its probe fails but also the probe to an intermediate server fails as well as a or condition.
From the document, there is no mention of it.
But is there a means to do it.
Thanks.

Hi Ashley,
i see it is not mentioned anywhere in document but i think ou should be able to bind two probes with real server of which one probe is actually probing another server.
I would configure one probe let's say TCP based and bind it with serverfarm. Then i would configure another probe TCP based and define IP address in that probe (the other server IP which we need to probe) and bind this probe with same serverfarm. Serverfarm will not have this rserver added. And then i would configure "fail-on-all" and test if that works for you.
i know you can set probe on redirect server/serverfarm which actually probes another real server so logically should work for normal host rserver as well. But i have never tested it myself.
Regards,
Kanwal

Real server to access a different Virtual server in same context ??

Hi all,
I got a scenario need to clarified before go to production. Below is my traffic explaination
SETUP
Context WEB -1st Virtual server (10.10.10.1) - > bind 2 Real Server ( 1.1.1.1 and 1.1.1.2) ->sticky configured
Context WEB - 2nd Virtual server (20.20.20.1) - > bind 2 Real Server (2.2.2.1 and 2.2.2.2) ->sticky configured
My question is
User will HIT 10.10.10.1 and load balance to RS 1.1.1.1 and 1.1.1.2, RS 1.1.1.1 and 1.1.1.2 will need to go destination 20.20.20.1 and ACE load balance to 2.2.2.1 and 2.2.2.2.
Will RS1.1.1.1 and 1.1.1.2 success HIT 20.20.20.1 and ACE can load balace to 2.2.2.1 and 2.2.2.2 and response to RS1.1.1.1 and 1.1.1.2?
Any comment is welcome !!!
Thank you,
Meng Kiat

Hi Meng,
It is possible. You need to apply the Virtual server (20.20.20.1) policy to the server side Vlan interface.
That way server ( 1.1.1.1 and 1.1.1.2) can hit virtual server (20.20.20.1)
This should work just fine without any trouble.
regards,
Ajay Kumar.

Sticky session for SSL termination

We have a server farm with 2 servers. The ACE is perfoming SSL termination to this farm, and talking tcp/80 on the back end. How can I ensure these sessions are sent to the same servers?
Thanks

since you are doing ssl termination you can do cookie sticky and have the ace either learn a cookie from the server or insert a cookie to provide sticky.
for instance to do cookie insert
sticky http-cookie COOKIE1 GROUP3
cookie insert browser-expire <-- this makes it a session based cookie. If you want the cookie to expire at a set time you can leave off browser-expire
and then set a timeout . the timeout is not on ace rather we will send a utc expire time to the browser
serverfarm test
then call the sticky serverfarm in your load balance policy
policy-map type loadbalance first-match L7PLBSF_STICKY-COOKIE_POLICY
class class-default
sticky-serverfarm GROUP3
you can also use other sticky methods see
http://www.cisco.com/en/US/customer/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1070365

Issue with sticky sessions

My application has the following architecture:
1.) a load balanced Flex frontend with sticky sessions which queries
2.) a load balanced REST service also with sticky sessions
The flex frontend queries the service using a Flex HTTPService object. However, although sticky sessions are enabled on both the flex frontend and
rest service, we are seeing queries go to different instances. For example
user will request Flex App1 which will then call RestService1
then user will request Flex App1 again which will call RestService2(instead of RestService1).
Has anyone seen this issue before in a load balanced environment? I need this to work because the REST service does not have a distributed cache, so subsequent requests must hit the same box to use the cache.
thanks

NW6 SP5 needs nw6nss5c in order for NSS to work properly; once applied
then do
nss /poolrebuild /purge
on all pools. Make sure you have tested backups first, just in case.
Also Load Monitor - Server Parameters - NCP. Set Level 2 OpLocks Enabled
= Off, and Client File Caching Enabled = Off.
What lan driver, date and version, on the server?
Andrew C Taubman
Novell Support Forums Volunteer SysOp
http://support.novell.com/forums
(Sorry, support is not provided via e-mail)
Opinions expressed above are not
necessarily those of Novell Inc.

Authentication in clustered web application without sticky session

I have built JSP/Servlet/Struts application in the past on a cluster of app servers. Each app server has its own JVM running the Servlel Container. All of the HTTP requests come into a hardware load balancer, which directs the requests to one of the app servers in the cluster.
I have wanted to use the Java HttpSession management without any kind of distributed session provided by the app server. We have used "sticky" sessions. The application writes a cookie to the client on the first request. The load balancer looks for that cookie on subsequent requests and directs the request to the server that originally wrote the cookie. This ensures that all requests within the same session are handled by the same application server. This also means that if I do request.getSession().setAttribute("authenticated",true) on one request, when I do request.getSession().getAttribute(authenticated) on subsequent requests in the same session, I can be sure the value will not be null. This allows me to create a filter that checks for that session attribute on each request, and if it is false or null, redirect the request to some sort of login page. Otherwise I can be sure the user has logged in.
I want to build a stateless/non-session based application that can still handle authentication. What I mean by that is that I don't want the load balancer to have to send requests for the same session all to the same server. I would like the load balancer to send each request where ever it wants. That means the simple authentication example I explained in the last paragraph would not work. The user could login on server A, but then on a subsequent request during the same "session", the user's request could be handled by server B. In that case, the session attribute would be null, and the app would think that the user has not logged in.
My application can require that users have cookies enabled, so therefore I can assume the user is accepting cookies (I would have something to check that and redirect the user to an error page saying "turn cookies on" if cookies weren't on). I think one thing that I could do is use encrpytion with a key that is shared between all the servers in the cluster. For example, user logins in on server A, server A writes a cookie with the contents "username,1109272102009". The first part being the username that the user successfully authenticated as and the second part being a timestamp for when the cookie was created. The contents of the actual cookie would be encrypted and I would send the ciphertext as the value of the cookie. When server B gets the cookie, it can decrypt the ciphertext (using the same key as was used to encrypt the data on server A), and check that the username is valid and that the timestamp does not exceed some timeout. The timestamp in the cookie would then have to be updated for the next request.
So my question is (thanks for sticking with me and reading this really long post), has anyone done anything like this before? Is what I have described totally ridiculous or insecure? Are there any books or articles that describe a pattern similar to this that has been know to work well?

I have worked on a web site that did exactly that.
The cookie contained a little bit more information - there was a small amount of user data that were needed on heavily accessed pages.
You'll have a problem if your web application uses attributes. We solved this by keeping most stuff in hidden inputs (backed up by hidden input cryptographic checksums in places where forgery was a concern.) HttpSession attributes have some problems and gotchas.
A few possible fine tunings:
Add a random number to the cookie. Should make known plaintext attacks harder.
Add some extra stuff to the cookie, so that any random hex string that happens to decode to "xZoiyqw,15" isn't accepted. It's easy to try a million cookies until you get "<something>,<integer>" but getting "<something>,<integer>,HelloHowAreYou" is a lot harder.
Be paranoid in checking the format of the cookie. If you add a random number, check that it is all digits etc. Belt and suspenders: also check that the time stamp isn't in the future (allow e.g. 15 seconds future time, in case different servers' clocks are a bit off.)
Don't update the cookie at every hit, only if the time stamp is older than a couple of minutes. Saves encryption CPU power.
After encrypting, prepend a short version number to the cookie. E.g. if the hex cookie is ABCDEF, make it 1ABCDEF. If you later e.g. change the encryption algorithm, change version to 2 and you can easily skip any obviously non-decipherable cookies. A second version number within the cookie might or might not be useful.
Even though you can make random load balancing, consider not doing that. E.g. a server might pull the user's name from the database into memory cache. You get less database traffic and smaller caches if the user still goes to the same server. If a server goes down, only then switch him elsewhere. Downside though: if one server is "half alive" (doesn't respond to requests but alive enough so the load balancer doesn't notice the malfunction), all users bound to that server see a 100% failure.
Benchmark cookie decryption time when selecting the crypto algorithm. How many hits per second you can get and how many you need.
Guard your crypto keys like the crown jewels. Change them periodically and whenever someone in your company (especially IT department) gets the pink slip.

Sticky sessions and Load Balancing in WL Clusters

We are using iPlanet Web Server 4.1 with WebLogic App Server; and would like
to implement load balancing with sticky sessions and in-memory state
replication.
The documentation in Weblogic says that -
When using in-memory state replication, your WebLogic Server Cluster must
live behind one or more proxy servers. The proxy servers are smart enough to
send servlet requests, belonging to the same HTTP session, back to the same
server in the cluster that holds the session data.
(Ref: http://www.weblogic.com/docs51/cluster/setup.html)
Does this mean that the sticky session configuration has to be done on the
iPlanet Web Server itself ?
Also, if WebLogic is used as the Web server, does WebLogic provide any
support for sticky sessions?
Any help, suggestions or links to useful info are welcome.
Regards,
Milind.

Mike,
im curious as to why you would recomend using weblogic as a web server in 6.1?
I would not for the following reasons:
- it costs 10x more per cpu list
- it doesnt support hardware accell cards (afaik, please let me know if this has
changed)
iplanet is really good a serving up static html and gif's, especially in ssl if you
have a hardware accell card. So if you have a site with lots of graphics and you use
ssl a lot, I think its still a better solution.
-Joel
Mike Reiche wrote:
You get sticky round-robin by default.
You need to have session tracking turned on (i think it is on by default). You
need to have the WL plugin configured in iPlanet.
When WL creates an httpSession, it writes a cookie (or rewrites the URL) back
to the browser. On subsequent requests, the browser sends the cookie and iPlanet
plug-in directs the request to the correct WL instance based on the ip address
of the WL server embedded in the cookie.
If you are using WLS 6.1, I would recommend using it as a web server (and not
using iPlanet). I imagine that it supports stickly load balancing as well.
Mike
Joel Nylund <[email protected]> wrote:
you get round robin by default, if you want a different scheme you can
use one
of the other 3 options (weight, random or parameter).
-Joel
I think weight can be set in weblogic properties. I havent used any other
than
round robin.
Milind Prabhu wrote:
We are using iPlanet Web Server 4.1 with WebLogic App Server; and wouldlike
to implement load balancing with sticky sessions and in-memory state
replication.
The documentation in Weblogic says that -
When using in-memory state replication, your WebLogic Server Clustermust
live behind one or more proxy servers. The proxy servers are smartenough to
send servlet requests, belonging to the same HTTP session, back tothe same
server in the cluster that holds the session data.
(Ref: http://www.weblogic.com/docs51/cluster/setup.html)
Does this mean that the sticky session configuration has to be doneon the
iPlanet Web Server itself ?
Also, if WebLogic is used as the Web server, does WebLogic provideany
support for sticky sessions?
Any help, suggestions or links to useful info are welcome.
Regards,
Milind.

ACE: if one server is loaded and it want to use the server not loaded? how?

Hello,
I have 2 real Servers (10.24.8.200 and 10.24.8.201) in loadbalance (HTTP and HTTPS) with VIP 10.24.16.10, and the type of loadbalance is round robin, but when the server (10.24.8.200) has high proccessing for example memory or hard disk and users try to access to server (10.24.8.200) this is more slow. if this server is too loaded? how can the ACE switch to another real server? in 10 seconds for example?
Best Regards
My configuration is:
ACE-MOD6/integracion1# sh runn
Generating configuration....
access-list anyone line 8 extended permit ip any any
probe http get-index
interval 4
open 2
recieve 2
faildetect 2
passdetect interval 10
expect status 200 200
rserver host Srv1
ip address 10.24.8.200
probe get-index
inservice
rserver host Srv2
ip address 10.24.8.201
probe get-index
inservice
serverfarm host servers
rserver Srv1
inservice
rserver Srv2
inservice
class-map type management match-any ADM-CONTEX-SERV1
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
class-map type http loadbalance match-all Check-Headers
2 match http url .*
3 match http header Host header-value "10.24.16.*"
4 match http header User-Agent header-value ".*MSIE.*"
class-map match-all VIP-10-HTTP
2 match virtual-address 10.24.16.10 tcp eq www
class-map type http loadbalance match-all other-HTTP
2 match http url .*
policy-map type management first-match ADM-CTX-SERV1
class ADM-CONTEX-SERV1
permit
policy-map type loadbalance first-match L7-logic
class Check-Headers
serverfarm servers
class other-HTTP
serverfarm servers
policy-map type loadbalance first-match lb-logic
class class-default
serverfarm servers
policy-map multi-match client-vips
class VIP-10-HTTP
loadbalance vip inservice
loadbalance policy L7-logic
loadbalance vip icmp-reply active
interface vlan 60
description inside
ip address 10.24.8.5 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input ADM-CTX-SERV1
no shutdown
interface vlan 233
description outside
ip address 10.24.16.5 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input ADM-CTX-SERV1
service-policy input client-vips
no shutdown
ip route 0.0.0.0 0.0.0.0 10.24.16.1

If your server is running an SNMP agent, the ACE can use SNMP to pull stats from the server. You'll just need the correct OID. For instance, if you were using Linux, you might use something like the following as a probe:
probe snmp linux-stats
interval 10
community public
oid .1.3.6.1.4.1.2021.10.1.5.1
threshold 75
.1.3.6.1.4.1.2021.10.1.5.1 is the OID for CPU load average (for Linux, Windows would have a different OID). If it goes above 75, the server is marked as out. When used with the least-loaded predictor, it will also divert more traffic to the least loaded server, as defined by that OID. You can use multiple OIDs in conjunctions and give them different weights.
However, judging from your timeout value of your get-http health check, I would check to see if the issue isn't that your servers are flapping because of a too-low receive threshold. Each server has 2 seconds to respond to the ACE, which may not enough time given that the servers may be getting a lot of traffic and you're doing these checks every 4 seconds.
If one fails, the other gets all the traffic, until it is overloaded, and it fails. By this time, your other servers has calmed down, and gets all the traffic, and the cycle repeats itself. Check SNMP traps or SYSLOG to see if this is the case.
Either way, you might want to change the timeout to 5 or 10, to give them more breathing room.

Can a real Server be applied in two different server farms associated with two different VIP IP and TCP Port

Good day everyone,
I have a question in regard to real server operation with different server farms, and VIPs
Can a Real Server be associated ( for simpliciy) with two different Server Farms that have a VIP associated with each, servicing the same TCP Port (443).
Example:
SF-A
RSRV-1: 192.168.1.10 /24
RSRV-2: 192.168.1.11 /24
VIP-A: 192.168.1.20 /24
VIP-A: https:web-A
Protocol: HTTPS
SF-B
RSRV-2: 192.168.1.11 /24
RSRV-3: 192.168.1.12 /24
VIP-B: 192.168.1.30 /24
VIP-b: https:web-B
Protocol: HTTPS
Client-A: 172.16.128.10
Client-B: 172.16.128.15
I have attached an sketch depicting the connectivity.
As always any feedback/Suggestions will be greatly apprecaited.
Cheers,
Raman Azizian

Raman,
This type of config is no problem. What the server is doing is virtual web hosting. The server would have two different web services running for the same IP, but each listening for a unique host header.
From an IP point of view both connections would be destined to the rserver address on port 80, but in the http header they would have two different Host headers.
one for www.example1.com and the second for www.example2.com. If the web server is configured correct so each host name is tied to one web service it will not have any issues.
The config you attached looks ok. The way you have the sticky group is ok doing source IP. If you use cookies for the sticky group I would suggest you create two sticky groups each with a different cookie name and add the same serverfarm to both groups. The client will only send a cookie for the domain it received it from so using the same cookie in two vips could cause problems if the same client hits both vips.
Hope that helps
Regards
Jim

Sticky session reset by ¿ACE or real server?

Similar Messages

Maybe you are looking for