I am not able to find information of how to configure a balance in CSS11500 depending of the IP source. I want to do the next:
Site A : 192.168.1.0/24
Site B : 192.168.2.0/24
Both sites access to the same VIP: http://vip_balnace_IP but depending of the source the should be balanced to diferentes servers.
Site A -> VIP_balance -> server1
Site A -> VIP_balance -> server2
how to do that?
I have a Cisco ACE with a server farm "intranet" with real servers rsrv1 and rsrv2 (round robin) and i have two sites A (IP Address A) and B (IP Address B) in the WAN. I want to that Site A conect to ACE 4710 via VIP, but this connection will be to srv1 and Site B conect to ACE 4710 via VIP, but this connection will be to srv2.
View 3 Replies View RelatedWhy do my connection not clear when my service goes to a down state. The only way I can get the connections to clear is by bouncing my content rule. CSS11503 version 08.20.4.05s - SSL all the way to the server --- I also have flow permanent port3 443 configured, but I don't understand why the other two servers go to zero while server01 never goes to zero. If I remove the flow permanent port3 all the counters go to zero, but I would think if the servers goes down then the connections should go to zero regardless of the flow permanent port configuration. [code]
View 3 Replies View RelatedI'm seeing the following error on one of our real server. Is there a way to find out who is spamming?
10.x.x.x(VIP) - - "POST /slmruntime/service HTTP/1.0" 404 1214
I know that it's possible on the CSS to handle multiple incoming HTTP requests that terminate on the same IP address and port and balance them to various servers based on the url. For instance, I can set up URL at the same 192.168.35.12 address in DNS, and set up two different content rules:
content cats
vip address 192.168.35.12
port 80
url "//www.cats.com/*"
add server cats1
add server cats2
active
content dogs
vip 192.168.35.12
port 80
url "//www.dogs.com/*"
add server dogs1
add server dogs2
active.
Easy and straightforward.
But what if I want to add SSL handling for URl. I'm not sure how to create the ssl-proxy-list where one content rule (ip address/port) combination needs to pass through the ssl module and get matched with the proper ssl certificate.
Can this be done? Can one associate multiple certs and keys with a single ssl-server entry and a single ssl accelerator service? Or do I have to create multiple ssl-proxy-lists for cats and dogs and build multiple ssl services each referring to a unique ssl-proxy-list, and then use the url parameter in the https content rule to determine which ssl service (and therefore which key/cert pair) gets the traffic?
How to change host name in CSS11500 Series. I cannot find any documentation for that matter.Is there any impact in the system to change the host name?
View 3 Replies View RelatedThis is a newbie question regarding CSS11500 series loadbalancers as I trying to get up to speed with managing them as part of my job. I noticed that there are a couple of CSS "clustered together" since I see they are managed using a single ip address.
My question is around how to establish a session to each individual device in this cluster, if at all possible? If is not possible, how do manage the secondary device in this cluster to perform tasks such as copying new software to it, backing it up, etc.?
How can you check if balance ACA is enabled in CSS11503? How can you see also if the content switch(CSS11503) is load balancing using balance ACA? "show load" command does not show it.
xxxxxx# show load Global load information:
Reporting:Enabled
Calculation method:Relative Step Size:Dynamic Configured:10 Actual:1280
Threshold:254 Ageout-Timer:60 Teardown-timer: Configured:20 Actual:20
Service load information: Average Average Peak Average Service Name Load Number ResponseTime Response Time ----------------------------------------------------------------------- DNS1 4 8999 33972 DNS2 4 8884 28254 SSH-WPHGT11 2 0 87509 WPHGT11 2 0 0 def-gwy-server 255 0 0 fe1-gw1-radius1 2 0 0 fe1-gw1-radius2 2 0 0 fe1-gw1-wap-8799 8 15344 662337 fe1-gw1-wap-9200 2 [Code].....
How to load balance two/three ISPs using ACE.
What might be the default gateway?Can i create a serverfarm with two rserver with different subnets?
Have two ACE 4710 in HA setup. We would like to setup HTTPS loadbalance(actually just a primary and standby configuration in the serverfarm). Initially this would be for Exchange OWA connections but may expand to more HTTPS connections later. I know there are several ways to do SSL with the ACE( client, server, end-to-end). I am just wanting to know the easiest way to deploy this? Is a certificate always needed on the ACE for each connection? In HA mode would a certificate be needed for both or does it replicate in some way to the other ACE?
View 6 Replies View RelatedI am trying to configure ACE 4710 to load balance base on the URL, If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456 else the traffic will be sent to server farm 123.
I attached an image of the topology.
Ace Config:
rserver host SRV01_123
ip address 192.168.1.101
inservice
[Code].....
I've done a lot of ACE work over the years but this is the first time this has ever come up.
I have a request from an application group where I have 3 rserver in the server farm but they want all traffic to only go to the first server unless that server fails. If the first server fails, only then do they want traffic to go to the 2nd server instead and if that fails, then traffic goes to the 3rd.
I've read through the documentation but haven't figured out a way to do this. What to do this type of failover configuration?
I’m looking for some notes from the field guidance here from those that have much more deployment experience.
I have a GSS and an ACE, and its the ACE that's primarily giving me something to think about, in terms of placement and what mode to adopt.
The traffic flow will look loosely like this:-
Client---Internet---Firewall---GSS---ACE---Servers
Physically, it's like this. The RED line denotes a boundary, and pretty much anything North of that is not accessible to us, we simply have a L3 trunk between our switches and "their" switches (S3/S4) and talk using EIGRP.
There are other servers in the top tier, some that also require load balancing, some that don’t. Typically, I want to load balance HTTPS requests from the internet, to one of the 3 servers in the top half.
I’m not sure what mode to select, routed, one arm? What about placement of the ACE? At the moment, I’ve just configured 1/1 on it and made it part of the MG MT VLAN, it's S VI exists on the S1/S2 switches, so I’m open to change as it's still all in the lab.
I've configured the ACE4710 to bring the logging to a syslog server! Here's the configuration
[...]
logging enable
logging fastpath
[Code]....
I saw to log with connection on the syslog server but It would be interesting to know the "source ip address" and my question is : It may be possible to configure for the logging a kind of "transparent pass through"?
I hav ACE 4710, I am trying to configure a policy in which when specific Client tries to access the specific Destination. ACE should not send the traffic to load balancing. It should directly send to the next Hop.
I configred the below but didnt able to achieve my object.
access-list source_IP line 8 extended permit ip host 192.168.146.123 host 198.xx.xx.2
class-map match-all CM_BYPASS_SOURCE 2 match access-list source_IP
policy-map type loadbalance http first-match PM_L7_BYPASS_SOURCE class class-default forward
But I am not able to reach to destination. MY source traffic is still diverting to the Load balancing server. I dont want it to redirect to LB server
I'm not sure if my terminology is correct when using hairpinning but i was wondering if there is any special config needed when you try to access a content rule VIP from a server that's configured as a member of a source group on the same CSS?
So say i have a content rule with a VIP 20.20.20.20 and i also have two servers 192.168.1.1 and 192.168.1.2 that are part of a source group with VIP of 20.20.20.21. My problem at the moment is if from the servers 192.168.1.x i try to ping the other VIP 20.20.20.20 that's configured on the same CSS then it doesn't work and ping fails. The same happens with HTTP traffic to the 20.20.20.20 VIP.
I would have thought that the NAT of the source group would happen before the routing so the 192.168.1.x IP's would be natted to 20.20.20.21 and then passed over for routing where the CSS would see that the VIP 20.20.20.20 is local and it would send it on it's way.
I thought it might be ACL related but i increased the verbosity of acl logging and couldn't see anything in the logs.The source group works fine on it's own and from the CSS itself i can ping the 20.20.20.20 VIP fine. It just seems that from the source group members i can't ping the VIP.
ACE A2(3.4). Is it possible to set a rate-limit connections per sec from any source IP. For example, if a client is trying to GET a web page 10 time per sec I will send a reset or drop that connection.
View 1 Replies View RelatedI have a requirement to select a farm based on source IP address. I tried creating a match all class-map that matches on the virtual-address and source address but I get this message.LB01/Admin(config-cmap)# match source-address x.x.x.75 255.255.255.255 Error: Only one match virtual-address is allowed in a match-all class-map and it cannot mix with any other match type To me this is the only place where it makes sense to set the source match criteria.
View 2 Replies View Relatedi don't know why cu need this feature, he want stickiness based on source ip and source port. Does CSS 11500 support stickiness based on source IP and source port?or is there any other method to support stickness based on source ip and sourceport?
View 12 Replies View RelatedI have a requirement to bypass some specific traffic (with particular source to specific internet destination) in ACE 4710.
All the webtraffic (http and https) is configured to loadbalance to my proxies , i need to configure some specific traffic with source and destiantion to internet to byepass from this loadbalancing and directly got to outside interface .
Im having a (from google-fu) seemingly unique issue with load balancing. So for background, I am running the ACE 4710 device in "on a stick" mode, so I am using NAT and all that good stuff. I am also utilizing class maps and host header matching so I can save on IP space. [code]
Basically, as soon as I add that ACL_CLASS_beta.mainsite.com class map, all I get back from the ACE is RST packets and it comes back with an L7 LB Policy Miss.
It SEEMS like it should work, but it doesnt seem to like matching on those source addresses at all.
What is the best way to load balance traffic between an FWSM and ASA 5520? Both are attached to a 6509-E (in seperate VLANs). The problem is the FWSM doesn't support any dynamic routing protocols (in multi context mode). So with my limited knowledge I don't see a way to do this.
View 8 Replies View RelatedIs it possible configuring load balance with three intefaces, in my router with the following features?I have three ISP, and would like balance the traffic ... Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(2)T1, RELEASE SOFTWARE (fc1) Cisco CISCO2911/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Processor board ID FTX1613AH8D
3 Gigabit Ethernet interfaces
1 terminal line
2 Channelized (E1 or T1)/PRI ports
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
[code]....
I am using 192.168.1.1 as database server in head office. my branch user are more than 500. all user hit at 192.168.1.1 for database. Now i want to NAT with application server 192.168.1.50 and 192.168.1.51 with load balance As some user hit 192.168.1.1 form branch but traffic go to 192.168.1.50 and some users traffic go to 192.168.1.51.
I want to do it in My core router (Cisco 3845) in Head office. How i do these two things ?
So I can fail over my NAT and IPSEC VPN (DPD). I am curious can I load balance my WAN links too?
I have a route map that is used for fail over, I just can't quite think how I would load balance the links
ip nat inside source route-map 10mb interface GigabitEthernet0/1 overload
ip nat inside source route-map efm interface Vlan3 overload
ip route 0.0.0.0 0.0.0.0 213.38.xx.xx
ip route 0.0.0.0 0.0.0.0 46.226.xx.xx 10
access-list 175 deny ip 172.16.20.0 0.0.0.255 172.31.114.0 0.0.0.255
[code]....
We configured sa520 load balance with 2 isp 2mb+2mb how to check the status of the load balance on sa 520 .
View 1 Replies View RelatedI have the following setup, eBGP to the same ISP, iBGP inside the AS between the routers and 6509s
I would like to do the following, lets say I have 1.1.1.0.... 1.1.6.0
These are advertised by my 6509s through BGP. I would like to balance the traffic across both of the links, so inbound/outbound traffic would be
[code]...
I have problem with VPN and Load Balance at the same time.VPN (Gateway to Gateway) between two RV042 routers is working fine with only one WAN or two WAN's with Smart Link Backup. If i switch to Load Balance communication through VPN is almost impossible.
I have postgres server (port 5432) in first location and clients in another. Clients cannot connect to server or lose connection after while. This is example, but every communicaton except ICMP over VPN with Load Balance enabled is faulty (file sharing, RDP...). Everything works fine using public IP and port forwarding or VPN with only one WAN.
If i understand it correctly Protocol Binding should affect only "normal" communication (outside of VPN), but it looks like VPN communication is also divided between WAN1 and WAN2. Of course this cannot work this way because VPN works only with one WAN.
Another question - is it possible to bind communication TO selected target port with RV042 Load Balancing to selected WAN?
I would like know, what license is necessary to employ a load-balance in a 2911 router. I have these licenses bellow, can i configure an load balance?In this cenario we have two links with an ISP.
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(2)T1, RELEASE SOFTWARE (fc1)
Cisco CISCO2911/K9 (revision 1.0) with 479232K/45056K bytes of memory.
Processor board ID FTX1613AH8D
1 FastEthernet interface
3 Gigabit Ethernet interfaces
1 terminal line
2 Channelized (E1 or T1)/PRI ports(code)
i am using two internet connection if one fails the other want to connect automatically is there any hardware.
View 2 Replies View RelatedEverytime I make a config change to one of the contexts on our ACE20, I get this message: Config Application in Progress. This command is queued to the system
If I run show download info, I get:
context : context1
Interface Download-status
--------------------------------------------------------------
187 In Progress
199 Pending
Regex download optimization status : Couldn't get status[TNRPC Timed out]
It eventually seems to complete, but it takes a very, very long time. We are running Version A2(3.5) [build 3.0(0)A2(3.5)].
i need to know how many links i can using with load-balance on the same router ? i have router cisco 2901 , 3 providers , every provider having 4 links can i load balance between 12 links ? i am using static route
View 11 Replies View RelatedWhat is the load balance method of 3750 port channel ( by source ip , or by source mac ) to diver traffic to paths? I have tried to use 10.242.104.101 and 10.242.104.102 as source ip, it will travel to the same link (G0/1) within one port channel (G0/1+G0/2). Howerver, if I later use 10.242.104.109, then this time it will traffic to G0/2 link. What's the concept behind.
View 1 Replies View Related