To start with following is our architectural request flow:
Load Balancer --> Webseal /(reverse proxy) --> HTTP Server --> Portal Server
We have Hardware Load Balancer Cisco ACE20. When we access our portal from Webseal server it works totally fine without any issue, but when we access the same application using ACE we face the following issues:
1) Some of the links on do not work. For eg: We have a link "subscribe" which points to [URL], whenever we click on this link, the request is directed to [URL] i.e homepage
2) URL redirection does not work We have some links which have a url forwarding or redirection for example when we open [URL] it forwards the requests to [URL] opendocument....., but this redirection fails and again the request is thrown to homepage i.e., [URL]
3) The response of the request and the overall portal when accessed via ACE is very sluggish and it takes 20 seconds for homepage to load, whereas the homepage loads in 4 secs when accessed via webseal.
SIP Load balancing Issue with ACE 4710?I have a Cisco ace 4710 with vesion Version A4(2.2). i configued simple SIP load balancing first without stickiness. without stikeiness we are having a problem because bye packet at the was not going to the same server all the time that left our port in used even though user hang up the phone. its happen randmly. i have a total 20 licenced ports and its fill out very quickly. so i dicided to use the stickiness with call-ID but still same issue. below is the config
rserver host CIN-VOX-31 ip address 172.20.130.31 inservice rserver host CIN-VOX-32 ip address 172.20.130.32 inservice
We have two Cisco ACE 4710 and we want to install both of the devices in HA with load balancing mode.While i have done HA mode configuration between ACE 4710.But unable to configure load balancing configuration between them.i want to tell you connectivity between server,client & loadbalancer.Our Web servers are connected to VLAN 152 on the L3 (3750) switch.Which are alreday working in redundancy between other L3.And ACE 4710 it is also connected to vlan 150 which are connected to same L3 (3750) switches and users are also connected to vlan 6 on the same L3 itself.
We have a pair of CSS 11501,Currently it is using source ip for load balancing and 5 servers as backend , however we have users loggin in using http and based on its source IP (ISP PROXY) , it is forwarded to SERVER A.However, we have a SSL page and when the client switches over to SSL , it is forwarded to SERVER B/C/D/E based on its source IP ( REAL CLIENT IP) .This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
Is there any way that we can use the X-Forwarded-For address to load balance so that when users loging , they are sent to SERVER A (Based on X-Forwarded-For Header IP which translate to REAL CLIENT IP).This way we are able to also send it back to the same server when it uses SSL.I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP.
is there a possibility to get a load balancing across two rservers so: when client sends http://vip/ and it goes to rserver1 then url is sent without change when client sends http://vip/ and it goes to rserver2 then url is modified to http://vip/xyz/
Or maybe load balancing can be done across two serverfarms ?
I am performing a deployment, in which i require clarity on the following. Our setup has DC and DR , in each site we have two devices for HA.We have received One SSL Certificate from Public CA, Kindly clarify the following doubts i have on thisIn Doc, i found Cert.pem and key.pem is required to generate the pair ,do i receive both Cert.pem and key.pem from the CA or we can generate key.pem from Cert.pem ?SSL Offloading is planned for the X application, and it is running in both DC and DR ( Considering each having their own Public IP address ) , do i need to have two different public certificates or a single certificate can i use in both DC and DR.Load Balancing IssueIs it possible to configure in ACE to access the service in Business hours and in non Business hours to display HTML page showing this is available only during these hours ?In DC we have Three Web Servers ( only in One physical server the service is active, other two are backup ), and these three servers are under cluster and shares one cluster IP , In ACE we have created the VIP and Pointed to only Cluster IP ( like pass through only ). The issue we face is if active web server is down, even then ACE is sending the traffic to that webserver only instead of sending it to the new Active web server. let us know if any solution is there to overcome this issue ?as per my understanding instead of giving cluster IP as real server IP we can issue the three physical servers. now i dont require load balancing between three servers instead require failover king like if first server is down then it should forward to Second server ?
We are in the situation we have a active configuration with ACE30 doing normal load balancing in routed mode, we have tons of rservers going out on a VIP.we now had to add a new private network to a provider that strangely enough does not want to see our public or private addresses. we need to loadbalance towards him on a priovided subnet (still rfc1918) (IOS VRF bug? is that correct?)I have two options, add the network (new interface) to the active loadbalancers (contexts) and then tie in new policies to the active serverfarms or make a new context just to load balance towards this provider.(preferred)Now - If I do this, the rservers see the client source addresses from this new provider. as the loadbalancer does not "hide" the client IP's. I would then have to add static routers toward the new context - I would want to skip that.
is there a way, to make the loadbalancer hide the client addresses towards the rservers ? perhaps I'm just needing the correct search term to find the config example.
I'm trying to design a CSS configuration that allows servers in the same vlan to be the source and destination of load-balanced traffic. My thought is to add two new vlans, one for the VIPs and one for the servers, then NAT the source IPs going from the LB to the servers.
Is this the right way to do it?I've never NATted using CSSs, so I wanted to verify what I'm thinking.Our current config trunks the vlans -
I want to route gre traffic through an ACE20, but it doesn't seem to work. The only thing I configured was an ACL with gre enabled, but the ACE20 seems to drop the gre packtes. The gre traffic is entering via the vlan 561 interface and should be send out via the vlan 472 interface. Source 10.94.32.212, destination 10.94.132.39. The tunnel control traffic on port tcp/1723 is working fine. In the service-policies is nothing configured for the gre traffic.
We are using an ACE engine module(ACE20-MOD-K9) provide loading balancing service for two WEB servers and configured cookie for stickness. Below is the current configuration and it seems working fine now.
The problem I was facing is before use parameter-map change the http header length to 8k the stickness doesn't really working properly. User complains that their working session constantly be kicked out and redirect them to login page. By tracing traffic from a client we found that sometime ACE fails or stop insert the configured cookie, after increase the header length ACE start getting work.
how does the header length setup effect ACE to insert a cookie? Will the cookie insert attmpt fail if the header is longer then the maximum length configured on ACE? [code]
I would like to add a vlan to a second context on a pair of redundant ACE modules. As soon as I open up that shared vlan box we will expose ourselves to mac conflicts until the shared-vlan-hostid commands can be implemented and the module reloaded. Adding the commands is not a big deal but I may not be able to schedule a reload until next week. What I would like to do is confirm the mac pools in use by each module right now. My hope is that they grabbed unique pools when they last booted and a conflict will not be a concern now.
I have an ACE20-MOD-K9 with version A2_3_6a, and i am having problems in cookie persistency. the setup contains 4 servers using round-robin algorithm and cookie persistency and that receive http traffic on port 9090. I have been receiving complains that the users are getting disconnected randomly while accessing the web application through ACE. Below is part of the config, when setting the timeout of the cookie to default or something equal to hours, the disconnection/complains gets worse.
We have a pair of ACE20-MOD-K9 in Fault Tolerant mode. They are running multiple contexts and we have a problem with one particular context which is running SSL off-loading. Despite the config being identical on both (accept for the peer addresses obviously) and both having the same SSL Key and Cert files loaded on both, the configuration will not sync between them. [code] All the Crypto files are identical as I copied them from one ACE to the other.
We are currently running a ACE20 with 11 contexts. Recently we have seen that one of the contexts is being 'starved' of resources, especially Concurrent Connections, Bandwidth and Throughput.
Whilst we know how to address this situation by reallocating resources from less busy contexts, I was wondering if there was a more scientific way of looking at the resources being used and calculating the best way to allocate them across the ACE other than just looking at the 'show resource usage' and 'show resource allocated' commands?
Has Cisco or any other 3rd party developed a handy tool to monitor the the ACE resources which will possibly assist with calculating the optimum resource allocations across all contexts?
I tried to create a L7 class-map for blocking the clients with ciphes strength less than 128 in ACE20 running with Software version A2(2.3).But there were no command inside the L7 class-map called cipher for matching the cipher strength 128. Command Tried to issue was host1/Admin(config-cmap-http-lb)#match cipher less-than 128 So I want to know whether this is possible on ACE 20 and SW version A2(2.3). Kindly suggest a way to acheive this.
I have seen some other configuration using the parameter-match, But I dont know the Cipher Names which to allow. I want to drop all the connections with less than 128 bits cipher strength.
We are using an ACE20 module running version A2(3.2).I have a question regarding IP stickyness and the timeout parameter.I found this in the "Server load balancing configuration guide" (in a section entitled: "Configuring a Timeout for IP Address Stickiness"):
"The sticky timeout specifies the period of time that the ACE keeps (if possible) the IP address sticky information for a client connection in the sticky table after the latest client connection terminates. The ACE resets the sticky timer for a specific sticky-table entry each time that the module opens a new connection or receives a new HTTP GET on an existing connection that matches that entry."
The parts in bold seem to point to the fact that the timeout is an "inactivity timeout" as the counter is reset on every new connection.The next section in the documentation is entitled: "Enabling an IP Address Sticky Timeout to Override Active Connections" and says:
"By default, the ACE ages out a sticky table entry when the timeout for that entry expires and no active connections matching that entry exist. To specify that the ACE time out IP address sticky table entries even if active connections exist after the sticky timer expires, use the timeout activeconns command."
This seems to contradict the previous statement.So my question is: is the IP stickyness timeout an "inactivity timeout" or not?
I've run into an interesting problem trying to migrate my production config from my redundant ACE20's (A2(3.4)) to the new ACE30's (Tried (A4(1.0) and A5(1.0)). Everything on the ACE30 is working fine with a base config, but when the restore all is run from the ACE20 backup (backup all), the SSL files are not restored and return errors. All the contexts are restored correctly, along with the startup-config, but the running config fails due to no SSL.
All the crypto certs/keys are exportable and are present in the backup .tgz file.