Cisco Application :: ACE4710 Insert Cookie - Does It Overwrite Server Cookie
Mar 28, 2012
I was trying to implement stickiness based on a cookie. The server inserts a cookie and sends it to the browser. I learned from the app team that this cookie changes dynamically during the session, so stickiness based on the server's cookie doesn't work.
Now I want to investigate the possibility of having ACE insert a cookie. My question is about the ACE "cookie insert" feature: does it add an additional cookie into the HTTP header without removing the server's cookies, or does it delete the cookie(s) that the server put into the HTTP header and replace them with its own cookie?
We are using an ACE engine module (ACE20-MOD-K9) to provide load balancing service for two web servers and have configured a cookie for stickiness. Below is the current configuration, and it seems to be working fine now.
The problem I was facing is that before I used a parameter-map to change the HTTP header length to 8k, stickiness didn't really work properly. Users complained that their working sessions were constantly kicked out and redirected to the login page. By tracing traffic from a client we found that sometimes ACE fails or stops inserting the configured cookie; after increasing the header length ACE started working.
How does the header length setting affect ACE's ability to insert a cookie? Will the cookie insert attempt fail if the header is longer than the maximum length configured on ACE? [code]
I have an ACE20-MOD-K9 with version A2_3_6a, and I am having problems with cookie persistency. The setup contains 4 servers using the round-robin algorithm and cookie persistency, receiving HTTP traffic on port 9090. I have been receiving complaints that users are getting disconnected randomly while accessing the web application through ACE. Below is part of the config; when setting the timeout of the cookie to the default or to something equal to hours, the disconnections/complaints get worse.
We have an ACE 4710. It is configured with IP-based stickiness and is working fine for a web application server (BMC Remedy). We tried configuring cookie-based stickiness for the same server. The server application has a JSESSIONID. But after configuring cookie-based stickiness, there is an issue: the first page comes up for entering login credentials, and after entering them the page is blank or not responding. What is the prerequisite for configuring cookie-based stickiness in ACE for the BMC Remedy web application, and which type of cookie-based stickiness is suitable or possible?
We've got ACE30s (active/standby) running A5(1.2), and a context that's front-ending one of our major applications, doing SSL termination on the client side and SSL initiation on the back side:
parameter-map type ssl FrontEndSSL-Param
  rehandshake enabled
parameter-map type ssl BackendSSL-param
  authentication-failure ignore
[Code]...
I have a requirement to load balance OWA 2010 inbound connectivity to 2 CAS servers using an ACE 4710 with sticky sessions enabled.
The CAS servers are currently responding on 80 or 443 at this moment in time. Eventually I want to offload the SSL to the ACE 4710; it's currently running on the CAS servers. I need to enable sticky sessions to keep the session on the same CAS server for each internet-based connection. I also have a proxy enabled for inbound connectivity, so I cannot use source IP.
Here is my configuration, but it doesn't seem to be working; I am currently testing with port 80 connections, not SSL.
We are using an ACE 4710 with the A3(2.6) software release. I had to change our sticky load balancing method for HTTPS to cookie-based. However, while connections appear to work, if I look at the show sticky database table I cannot see or confirm sticky entries for the cookie-based connections. Here are config snippets to show the config:
In RFC 951, the format of the BOOTP packet was legislated, but the vendor information was not legislated in this document, so the authors of this document described that: "If the 'vend' field is used, it is recommended that a 4 byte 'magic number' be the first item within 'vend'. This lets a server determine what kind of information it is seeing in this field."
I think it meant that the format of vendor information wasn't fixed in RFC 951, and any vendor could legislate a new format of vendor information by itself, and the value in the "magic cookie" could be set by any vendor. But in RFC 2131, the format of the DHCP packet was legislated, and the "magic cookie" was fixed to the values 99, 130, 83 and 99; I think it meant that the format of option information in the DHCP packet was fixed absolutely and no vendor can legislate a new format by itself.
Since the format of option information in the DHCP packet was fixed absolutely, why does the network device need the "magic cookie" to identify the mode in which the succeeding data is to be interpreted? I think the magic cookie is not useful in the DHCP packet because the format of option information is fixed. In other words, there is only one format of option information forever.
We recently configured a setup to load balance 2 application servers using an ACE4710. Initially the configuration was to link the two app servers directly to the ACE4710 without connecting to a switch, but later it was advised that the ACE4710 is not able to work without connecting to a switch.
1. The ACE4710 is not able to link directly to an APP/WEB server, but must go through a network switch.
2. If item 1 above is true: we used to have an older Cisco load balancer which was able to link directly to WEB/APP servers. What is the reason for or advantage of removing this feature?
We have a CSS11503 that is currently being used to accept incoming HTTPS and SSH connections on a specific VIP and then PAT those client connections. I understand that it also PATs the server initiated connections. [code]
I have an ACE version A5.2 configured in one-armed mode (doing source NAT). I have a requirement to add (or copy) the "referer" header value from the original request to the request sent by ACE.
I cannot figure out how to copy this value. It is easy to add the source IP address by adding: "insert-http x-forwarded-for header-value "%is"".
So how am I going to copy the Referer header?
#Referer #Address (URI) of the resource from which the URI in the request was obtained
We are using a Cisco ACE 4710 to load balance servers. We have created a VIP under the interface vlan using the nat-pool command. Also, we have changed the gateway of the server to point to the ACE vlan IP address, which is created using the alias 10.x.x.x 255.x.x.x command under the interface vlan. In short, ACE is in inline mode for the servers which need to be load balanced.
[code]...
But still I am not able to view the original client IP. Just to add more, the site is an HTTPS site, and we are not doing any kind of SSL offloading on the ACE; it is taken care of by the server itself.
I just want to do HTTP and HTTPS load balancing without SSL offloading, and should be able to see the original client IP in the server logs.
I have a problem: recently I cannot telnet to the ACE 4710; the ACE version is A4(2.0). I can enter by web and console but not via telnet. I tried giving more resources to the admin context, but it doesn't work.
I have to load balance traffic between 2 servers sitting behind the LB. The web services are on HTTPS/8443. I followed the end-to-end configuration guide for SSL. No success.
Here is my configuration:
rserver host nms1
  ip address 10.29.36.31
  conn-limit max 4000000 min 4000000
We have a rather strange issue, and I'm not sure it's really a problem with the ACE or not. We created an HTTP parameter map called "TCPreuse" and applied it to a virtual server. A show conn detail displays "[ conn in reuse pool : FALSE]" for all connections pertaining to this virtual server. The rserver in question is Linux (Ubuntu) + Apache. Next we applied the HTTP parameter map to another virtual server, this time IIS7 + Windows Server 2008. There are plenty of entries "[ conn in reuse pool : TRUE ]" when I do a "show conn detail". What could the web servers be doing differently that would cause the connection reuse to work on one virtual server and not the other?
I need to upgrade 2 active-standby Cisco ACE4710s; the issue is I cannot access the FTP/TFTP/SFTP server via the Admin context, but it is accessible via other contexts.
Can I copy the ACE system software file from the FTP/SFTP/TFTP server to the image: directory directly, or do I need some other way around? I can see the option is available to copy ftp: to image: via another context.
My customer does not want to change their real server IPs. So I need to set up one interface (one-armed) for them on the ACE4710. Who has this sample configuration? (CSS has this, but it seems not to be compatible with ACE.)
I am attempting to configure an ACE4710 to perform an SSL end-to-end configuration, i.e. SSL termination - load balance - SSL initiate to backend server. The configuration appears to work fine in a test lab using any old web server; however, when I perform the same configuration in the production environment it does not work. It appears from a capture run on the ACE that the ACE is resetting the TCP connections after communicating with the backend server. The main difference I can think of in this environment is that the cert and key pair the ACE is using were exported from the backend server, i.e. both the ACE and the backend server have the same certificates and keys. Is this allowed? How do I troubleshoot why the ACE resets the connection?
I have 2 ACE4710s in an HA environment; they receive connections from the Internet. What I need to configure is the following: the ACEs have two URLs configured, with the same port and VIP address, for example:
All clients point to the single VIP and port configured. I need to know if I can apply any filter or rule that allows me to distinguish when a customer goes to URL1 or URL2. If any client tries to access URL-2, their traffic must be denied. In summary, from the Internet I should be able to go only to URL-1.
I have to deploy the Cisco GSS in our 2 datacenters, with globally separate IP ranges, to load balance the Exchange 2010 environment with Cisco ACE 4710 series SLBs. The scenario is to deploy one GSS + ACE in each datacenter, and our nameserver will point to both GSSs' IP addresses to get through. In case the primary site "site A" goes down, the name server will point the client's request to "site B".
What will be the physical setup of the GSS here, and what configuration on the SLB ACE will make it work? Do GSS and ACE need to be in the same VLAN? Is it necessary to use both interfaces of the GSS to get things working? How will the GSS do the health check on ACE if they are both on different VLANs/IP ranges? Our ACE will be in routed mode; do we need to assign the real server default gateway as the ACE inside interface with the server farm, or just do SNAT of the client IPs so the request can come back to ACE?
I have an HA configuration for two ACE4710s. FT between the ACEs is configured as L2 (VLAN). The active ACE is sending heartbeats, but the switch shows a lot of 'input errors' on ingress, and this is a major problem. FT is logically not working (there is no connection between these two ACEs over the VLAN). There is only L2 configuration, with speed and duplex auto, no other special configuration. When I connect the ACEs directly, FT is working without problem.
I can see a lot of errors in the input direction (from ACE) on the switch port, which means an L1 or L2 problem, but a direct connection (using the same Ethernet cable) is working. I tried 'shut/no shut' on both sides, set duplex/speed, ... without success.
Do you know if it is possible on the ACE 4710 appliance to configure SIP TLS? The SIP probe we have in the configuration guide is only for clear text. For Lync 2013 we need to establish a TLS session first and then, within it, send a SIP request. Is it possible in any version? I also tried to configure an HTTPS probe, but it fails as it sends a GET which the Lync SIP server doesn't understand.
ACE 4710 deployment model. We'll be doing an eval later in the year, but I'm just looking to understand the architecture. We have a stack of 3750 switches with a single VLAN (10.1.1.0/24). Connected to that stack is a pair of web servers (10.1.1.5 and 6) that we want to provide load balancing/failover for. Some of the clients are located right there on that same VLAN. Other clients may be coming from other spots in the infrastructure. It sounds like I could put a pair of 4710s connected to that stack of switches, in a single-arm deployment? And then the virtual IP and the real servers would all be in 10.1.1.0/24. Maybe use an etherchannel to connect each 4710 to two 3750s?
I'm implementing and found out some issues are unresolvable on the ACE4710. This network has been running on a server without LB. Now the second server comes up. We chose to implement with routed mode. This network peaks at 300Mbps. For now we're doing the first context, which functions as the content web-farm. In the near future there will be a 2nd context which takes care of the indexing web-farm when they buy more servers.
From the following diagrams: I browsed from the internet into this service. "show service-policy" showed '0' (the counter was not running). I guessed that there was something wrong in the FW configuration. So I isolated out the FW. Then I plugged my PC into network 30 (192.168.30.X) in front of this LB, then browsed to the LB's VIP (192.168.30.1). LB "show service-policy" came up, BUT nothing was returned to my PC (client). "show conn" on the LB showed "SYNSEEN". What's SYNSEEN?! Something meaningful.
Then I tried to figure it out with a PC running 'apache' that took the place of the real server. "It works!" was returned from LB/Server. "show conn" became 'Establish'. The programmer guy said if I browse into the web-farm (i.e. content web-farm) directly, packets will be redirected to the indexing server. But they said it will be L7 redirection, not LB/network level.
On my ACE4710s I'm using least-loaded predictors monitoring Microsoft Windows CPU usage. There are times when the MS Windows CPU OIDs can change between reboots. Is there any way for the ACE to automatically adjust to the new CPU OIDs and continue to get accurate CPU usage values?
One of our 2 ACE boxes in an FT group suddenly rebooted from the active state and now it continuously reboots with the following error:
insmod: error inserting '/isan/bin/klm_octeon_device.klm': -1 No such device
error inserting /isan/bin/klm_octeon_device.klm
Daughter Card Not Found. Rebooting..
INIT: Sending all processes the TERM signal...
For server load balancing, does the ACE4710 support custom protocols? We'll be using HTTP for server health monitoring, and to determine if a server is up or down. But the client/server application is custom, and includes a lot of non-standard ports. Can the server VIP handle generic TCP connections? For example, client1 connects to the VIP on HTTP, but then later client1 switches to using TCP 842 (a custom protocol, not HTTP).
I have an ACE4710 set up to load balance a couple of web servers. The real servers all show as inservice, as do the probes and serverfarms/virtual servers. If I ping the virtual server IP address I get a reply, but if I try to access the VIP via telnet or a web browser, I get a "connection could not be opened" error on the client. The question is, how do I determine where the error is coming from? So far I cannot tell if the client is getting through the ACL or not. I have used the troubleshooting guide and nothing has worked to determine the cause so far. show service-policy int479 detail does not show an increase in the hit count when I try to connect. show stats conn does not show an increase in failed or timed-out connections when I try to connect. [code]
My customer wants each ACE4710 (of a highly available cluster) to have its own, dedicated port for management purposes.
According to the documentation, IP addressing can be applied to VLAN interfaces, so in order to satisfy the requirement, I should make one port belong to an "access VLAN X", and then apply IP addressing to the corresponding "interface VLAN X". This should satisfy my customer's requirement in an indirect way.
But... can't I just configure an IP address on one of the 4 Ethernet ports in order to save the work of building the aforementioned VLAN? I am asking this since I do not have access to a real box to verify.
We have an ACE appliance in a DMZ, and the ACE appliance's Admin Context IP is translated between ACE and ANM. The ANM server does not get translated. It is just the opposite of the situation in another Community discussion.
Our problem: when adding the ACE4710 appliance to the ANM imported device list, we use the ACE's NATed Admin Context IP. Import works well, but ANM reflects the Admin Context IP with its real configured IP. Polling the ACE appliance therefore does not work.
Is there a possibility of telling the ANM that the ACE has to be polled through a NATed IP? I could not find a field to set a NATed Mgmt IP.
Configured IP on ACE Admin Context: 192.168.0.10
NATed ACE Admin Context IP: 172.16.0.10
Imported ACE with IP 172.16.0.10 into ANM, but ANM polls for Rserver, Vserver, Probes, etc. via 192.168.0.10, which is not reachable from the ANM.
I upgraded the IOS on my 887VA router, which is not yet in service. The next day I did a cold boot and made some changes. Then, when I wrote them, this warning popped up which seems to imply I need to recreate my configuration from scratch in order to avoid potential issues. Is that the correct interpretation of this message/scenario? [code]
How do I replace an image in the webauth-bundle on a WLC 5500? When I run "show custom-web webauth-bundle", I do see the files:
aup.html login.html yourlogo.jpg
But the size of yourlogo.jpg is too big, and I need to replace it with a smaller one. I have tried (with the appropriate IP and filename):
transfer download mode tftp
transfer download datatype image
transfer download serverip tftp-server-ip-addres
transfer download filename {filename.jpg | filename.gif | filename.png}