Cisco Application :: No Sticky Database Entries Seen With End-To-End SSL And Cookie With ACE30s
Sep 10, 2012
We've got ACE30s (active/standby) running A5(1.2), and a context that's front-ending one of our major applications, doing SSL termination on the client side and SSL initiation on the back side:
parameter-map type ssl FrontEndSSL-Param
rehandshake enabled
parameter-map type ssl BackendSSL-param
authentication-failure ignore
[Code]...
Feb 1, 2012
I have a requirement to load balance OWA 2010 inbound connectivity to 2 CAS servers using an ACE 4710 with sticky sessions enabled.
The CAS servers are currently responding on 80 or 443 at this moment in time. Eventually I want to offload the SSL to the ACE 4710; it's currently running on the CAS servers. I need to enable sticky sessions to keep the session to the same CAS server for each internet-based connection. I also have a proxy enabled for inbound connectivity so I cannot use source IP.
Here is my configuration but it doesn't seem to be working; I am currently testing with port 80 connections, not SSL.
serverfarm host INHOUSE-EXCHANGE-OWA-vFARM
predictor response app-req-to-resp samples 4
probe 443
probe HTTP-PROBE
rserver INHOUSE-TEST-CAS01-SVR
inservice
[code]....
Jan 8, 2013
We are using an ACE 4710 with the A3(2.6) software release. I had to change our sticky load balancing method for HTTPS to cookie based. However, while connections appear to work, if I look at the show sticky database table I cannot see or confirm sticky entries for the cookie-based connections. Here are config snippets to show the config:
sticky http-cookie ghh-www scook-ghh
cookie insert browser-expire
serverfarm ghh-www-443
class-map match-all ghh-www-443_CLASS
2 match virtual-address 172.16.1.21 tcp eq https
[code].....
Apr 7, 2013
I am considering using IP sticky timeout, but have a quick question about the database: are the 800,000 sticky connections per appliance or per context?
Jan 24, 2013
I have a strange effect at my ACE 4710. It normally load balances only 14 web services reliably.
It's running on SW A3.25. For several weeks I have recognized a dramatic increase of sticky entries. So when running into limitations (the stolen-for-reuse counter increased then), show np 1 me-stats "-slb -v" gave more and more resources for sticky ... last it was at 65% and ran into limits again at around 650500 sticky entries.
So I began to find out which of the services was affected with the most sticky database entries and could identify it. There were really around 640000 entries to see for that specific service.
The sticky for that service was defined to look at a specific cookie in the HTTP header and the timeout defined is 120 minutes.
So around 45000 entries were to see with a "show sticky database group Cookie_Sticky" with a time-to-expire value of zero in the database, like the following example shows:
timeout : 120 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+--------------------------------+--------------+-------+
13765297814690832647
[Code]....
When I modified my sticky definition with the command "timeout activeconns" all the zero entries were kicked out and the resources used for sticky went back to 5% of usage...
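The post above found the problem by eyeballing "show sticky database" output for entries whose time-to-expire had already reached zero. The following is an added example, not part of the original thread or any Cisco tool, that does that check over pasted show output: it parses the data rows in the column layout quoted in the post (sticky-entry, rserver-instance, time-to-expire, flags), counts the zero-TTL entries per rserver instance, and reports the group's share of the table. The sample output, group name and rserver names are constructed for the example; the 800,000 capacity default is the figure asked about elsewhere on this page and is an assumption that may differ per platform and per context.

```python
import re
from collections import Counter

# Constructed sample in the shape of "show sticky database group <name>" output.
# The column layout follows the header quoted in the post above; the group name,
# rserver instances and entry values are made up for this example.
SAMPLE_OUTPUT = """\
sticky group : Cookie_Sticky
type         : HTTP-COOKIE
timeout      : 120        timeout-activeconns : FALSE
  sticky-entry          rserver-instance                 time-to-expire flags
  ---------------------+--------------------------------+--------------+-------+
  13765297814690832647  web01:0                          0              -
  13765297814690832648  web01:0                          0              -
  13765297814690832649  web02:0                          5830           -
  13765297814690832650  web02:0                          0              -
  13765297814690832651  web03:0                          7199           -
"""

# One data row: numeric entry id, rserver instance, remaining seconds, flags.
ENTRY_RE = re.compile(
    r"^\s*(?P<entry>\d+)\s+(?P<rserver>\S+)\s+(?P<ttl>\d+)\s+(?P<flags>\S+)\s*$"
)

# Assumed table capacity used for the percentage; the 800,000 figure is the one
# asked about elsewhere on this page and may differ per platform and context.
DEFAULT_CAPACITY = 800_000


def parse_sticky_database(text):
    """Return [(entry, rserver, time_to_expire), ...] from show-command output."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            rows.append((m.group("entry"), m.group("rserver"), int(m.group("ttl"))))
    return rows


def zero_ttl_by_rserver(rows):
    """Count entries already at time-to-expire 0, per rserver instance.

    A large number here is the symptom described in the post: entries that have
    expired but are still occupying sticky table slots.
    """
    return dict(Counter(rserver for _entry, rserver, ttl in rows if ttl == 0))


def sticky_table_report(text, capacity=DEFAULT_CAPACITY):
    """Summarise one group's table: totals, stale entries and share of capacity."""
    rows = parse_sticky_database(text)
    stale = zero_ttl_by_rserver(rows)
    return {
        "entries": len(rows),
        "zero_ttl": sum(stale.values()),
        "zero_ttl_by_rserver": stale,
        "percent_of_capacity": round(100.0 * len(rows) / capacity, 4),
    }


if __name__ == "__main__":
    # Paste real output in place of SAMPLE_OUTPUT to run this against a live box.
    print(sticky_table_report(SAMPLE_OUTPUT))
```

Run it against the output of one "show sticky database group" per group; a group whose zero-TTL count keeps climbing between runs is the one eating the table.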
Mar 28, 2012
I was trying to implement stickiness based on a cookie. The server inserts a cookie and sends it to the browser. I learned from the app team that this cookie changes dynamically during the session, so stickiness based on the server's cookie doesn't work.
Now I want to investigate the possibility of ACE inserting a cookie. My question is about the ACE feature "cookie insert": does it add an additional cookie into the HTTP header without removing server cookies, or does it delete the cookie(s) that the server put into the HTTP header and replace them with its own cookie?
Aug 22, 2012
I've been using my pair of ACE-4710s for quite some time and have usually stuck to the Class C subnet sticky settings, as that's what we migrated from in Windows NLB. In one instance of load balancing I'm trying to create an L4 inspection policy that looks for a certain payload (much like an HTTP header) and would like to persist on this. The problem is that the client portion of the conversation starts with a 'SessionID' of 0, and the server responds with a unique 'SessionID'. If I set up the sticky policy with 'Enable Sticky For Response', I get entries populated in the sticky database, but they all go to the same server, as there is a sticky session set up for SessionID = 0. Is there a way to set up sticky entries on server response only? Currently using ACE DM v4(1.0).
Nov 13, 2012
We are using an ACE engine module (ACE20-MOD-K9) to provide load balancing service for two web servers and configured a cookie for stickiness. Below is the current configuration and it seems to be working fine now.
The problem I was facing is that before using a parameter-map to change the HTTP header length to 8k, the stickiness wasn't really working properly. Users complained that their working session was constantly kicked out and redirected to the login page. By tracing traffic from a client we found that sometimes ACE fails or stops inserting the configured cookie; after increasing the header length ACE started working.
How does the header length setting affect ACE inserting a cookie? Will the cookie insert attempt fail if the header is longer than the maximum length configured on ACE? [code]
Sep 5, 2012
I have an ACE20-MOD-K9 with version A2_3_6a, and I am having problems with cookie persistence. The setup contains 4 servers using the round-robin algorithm and cookie persistence, which receive HTTP traffic on port 9090. I have been receiving complaints that users are getting disconnected randomly while accessing the web application through ACE. Below is part of the config; when setting the timeout of the cookie to the default or something equal to hours, the disconnections/complaints get worse.
Jul 23, 2012
We have an ACE 4710. It is configured with IP-based stickiness and working fine for a web application server (BMC Remedy). We tried configuring cookie-based stickiness for the same server. The server application has a JSESSIONID. But after configuring cookie-based stickiness, there is an issue: the first page comes up for entering login credentials and after entering them the page is blank or not responding. What is the pre-requirement for configuring cookie-based stickiness in ACE for the BMC Remedy web application, and which type of cookie-based stickiness is suitable or possible?
Jun 28, 2012
I have two CSS 11503 in my network; recently we configured sticky with advanced-balance arrowpoint-cookie.
The sticky is functioning, but we found our server's private IP in the IE cookie ARPT box.
Is there any way to hide the ARPT info? Below is an example configuration of my CSS and the attached screenshot is the Firefox cookie info.
content 5301
add service 172.18.71.77_5301
add service 172.18.71.77_5302
[Code]......
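The post above is a small information-disclosure finding: a persistence cookie that carries a real server's private address out to the browser. The following is an added example, not part of the original thread or of any Cisco product, of the check a reviewer would run over a captured response: it pulls the name and value out of each Set-Cookie header, finds dotted-quad tokens in the value, and flags those that fall in RFC 1918, RFC 6598, loopback or link-local space. The cookie name ARPT is taken from the post; the sample values are constructed and do not claim to reproduce the CSS's real cookie encoding.

```python
import ipaddress
import re

# Address ranges that should never appear in anything handed to a browser.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 shared address space
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# A dotted quad that is not part of a longer dotted/numeric token, so that
# version strings such as "1.2.3.4000" are not picked up.
DOTTED_QUAD = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed response headers standing in for what the browser showed. The
# cookie name ARPT is from the post; the values are invented for this example.
SAMPLE_HEADERS = [
    "Set-Cookie: ARPT=172.18.71.77_5301; path=/",
    "Set-Cookie: JSESSIONID=8F3A9C1E2B; path=/; HttpOnly; Secure",
    "Set-Cookie: balancer=10.0.0.12; path=/",
    "Set-Cookie: region=203.0.113.9; path=/",      # public (RFC 5737) address, not flagged
    "Set-Cookie: build=1.2.3.4000; path=/",        # a version string, not an address
]


def cookie_name_value(header):
    """Split 'Set-Cookie: name=value; attr...' into (name, value)."""
    body = header.split(":", 1)[1].strip()
    name_value = body.split(";", 1)[0]
    name, _sep, value = name_value.partition("=")
    return name.strip(), value.strip()


def is_internal(addr):
    """True if addr belongs to one of the ranges in INTERNAL_NETS."""
    return any(addr in net for net in INTERNAL_NETS)


def leaked_internal_addresses(set_cookie_headers):
    """Return [(cookie_name, address), ...] for values carrying internal IPv4s."""
    findings = []
    for header in set_cookie_headers:
        name, value = cookie_name_value(header)
        for candidate in DOTTED_QUAD.findall(value):
            try:
                addr = ipaddress.IPv4Address(candidate)
            except ValueError:
                continue            # an octet over 255: looks like a quad but is not one
            if is_internal(addr):
                findings.append((name, str(addr)))
    return findings


if __name__ == "__main__":
    for name, addr in leaked_internal_addresses(SAMPLE_HEADERS):
        print(f"cookie {name} exposes internal address {addr}")
```

The same scan is worth running on Location and custom X- headers, which are the other usual places a load balancer or app server lets a back-end address escape.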
Sep 24, 2012
I'm looking for some documentation I can share with a customer to explain why I can't configure them a backup sticky server farm when we're not terminating SSL on the ACE (we pass SSL from the client through to the rservers, sticking the client to the rserver by source IP address). I've not been able to find anything that addresses this particular scenario in my googling so far. I remember discussing this in my training class with the instructor, but I can't find any reference to it. Have any of you run into this and have a link you can share?
Nov 2, 2011
We are using a sticky serverfarm with 2 real servers; one server was down for maintenance for an extended period of time. When it came inservice again it was not getting any connections. Is it because all the connections had stuck to the other server? We want sessions to be sticky but we also want to LB. I got it working by bouncing the server that had been online all the time; things started to LB then. BTW the ACE 4710 is running 4.2.1.
Jul 26, 2011
How does a static entry under a "sticky" perform?
Configuring Static IP Address Sticky Table Entries. Cisco documentation says: When you configure a static entry, the ACE enters it into the sticky table immediately.
Configuring the ACE Action on Server Failure: failaction purge. The purge keyword specifies that the ACE remove the connections to a real server if that real server in the server farm fails after you enter the command. The ACE sends a reset (RST) to both the client and the server that failed. Cisco documentation says: If you do not configure this command, the ACE takes no action when a server fails.
Sample config:
sticky ip-netmask 255.255.255.240 address source STICKY1
  timeout 180
  replicate sticky
  serverfarm SERVERFARM1
  8 static client source 192.168.12.15 rserver SERVER1
Question 1 - What happens if SERVER1 fails?
a) Does the ACE let the connections to SERVER1 time out (default behaviour) and then load-balance new connections coming in from 192.168.12.15 to another server in SERVERFARM1?
OR b) Does the ACE reset the connections to SERVER1 immediately and start load-balancing new connections coming in from 192.168.12.15 to other servers in SERVERFARM1?
OR c) Does the ACE just drop the current and new connections from 192.168.12.15 till SERVER1 comes back up?
OR d) Is it dealt with differently?
Question 2 - Now what happens if the failed server (SERVER1) comes back up after some time?
e) Does the ACE reset any current connections from 192.168.1.15 and start sending them to SERVER1?
OR f) Does the ACE leave the current connections from 192.168.1.15 to other servers in SERVERFARM1 as they are and send any new connections from 192.168.1.15 to SERVER1?
OR g) Is it dealt with differently?
My guess is Question 1 -> a) and Question 2 -> e)
ACE model = ACE10-6500-K9
Version = A2(3.3)
Oct 13, 2011
I have a question about the basics of a high-performance application and database server connection to each other. I have two servers, one application and one database server. Both of them are Windows 2008 R2 servers. I would like to connect them. What is the best configuration for quicker communication between them? Is it better to connect them through a network switch, or directly connect them? Do I need to dedicate one of the Ethernet ports on each server to separate their traffic to each other from the internet connection traffic?
Aug 7, 2011
I've configured WCCP2 on my ASR1002/ESP2 and it works fine. But I have got error logs since I changed redirect ACL entries. Checking on Cisco, it seems it's a known bug? [URL] And it seems any change on WCCP does not take effect anymore. Even if I remove all WCCP configuration on my router, my cache engine still gets the redirected packets!?
Aug 8 22:41:00 CST: %FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: F0: fman_fp_image: Batch type 6 ID 0 download to CPP failed
Aug 8 22:41:30 CST: %FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: F0: fman_fp_image: Batch type 6 ID 0 download to CPP failed
Aug 8 22:42:00 CST: %FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: F0: fman_fp_image: Batch type 6 ID 0 download to CPP failed
Aug 8 22:42:30 CST: %FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: F0: fman_fp_image: Batch type 6 ID 0 download to CPP failed
[code]....
Oct 27, 2011
In RFC 951, the format of the BOOTP packet was specified, but the vendor information was not specified in this document, so the authors of this document described that: "If the 'vend' field is used, it is recommended that a 4 byte 'magic number' be the first item within 'vend'. This lets a server determine what kind of information it is seeing in this field."
I think it meant that the format of vendor information wasn't fixed in RFC 951, and any vendor can define a new format of vendor information by itself, and the value in the "magic cookie" can be set by any vendor. But in RFC 2131, the format of the DHCP packet was specified, and the "magic cookie" was fixed to the values 99, 130, 83 and 99. I think it meant that the format of option information in a DHCP packet was fixed absolutely and no vendor can define a new format by itself.
Since the format of option information in the DHCP packet was fixed absolutely, why does the network device need the "magic cookie" to identify the mode in which the succeeding data is to be interpreted? I think the magic cookie is not useful in a DHCP packet because the format of option information is fixed. In other words, there is only one format of option information forever.
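The cookie earns its place because a DHCP server also answers plain BOOTP clients (RFC 1534), and a BOOTP client's vend field may hold any vendor-private layout; the four bytes 99,130,83,99 at the front are what tells the server it is looking at an RFC 2132 code/length/value list rather than something it must not parse that way. The following is an added example, not part of the original thread, of a parser that enforces exactly that rule: it refuses to read options unless the cookie is present, walks the TLV list honouring the single-byte PAD and END options, and concatenates repeated codes as RFC 3396 requires. The DHCPDISCOVER option block and the cookie-less BOOTP vend field are constructed inline for the example.

```python
# Magic cookie that RFC 2131 fixes at the start of the DHCP 'options' field
# (the same value RFC 1497 chose for BOOTP vendor extensions).
DHCP_MAGIC_COOKIE = bytes([99, 130, 83, 99])   # 0x63 0x82 0x53 0x63
OPT_PAD, OPT_END = 0, 255


def is_dhcp_options(vend):
    """True if the vend/options field starts with the RFC 2131 magic cookie."""
    return vend[:4] == DHCP_MAGIC_COOKIE


def parse_dhcp_options(vend):
    """Parse an RFC 2132 option list into {code: value_bytes}.

    Raises ValueError when the cookie is absent: without it the bytes are some
    other vendor-defined 'vend' layout (RFC 951) and must not be read as
    code/length/value triples.
    """
    if not is_dhcp_options(vend):
        raise ValueError("no DHCP magic cookie; not RFC 2132 option format")
    options = {}
    i = 4
    while i < len(vend):
        code = vend[i]
        if code == OPT_PAD:               # single-byte option, no length field
            i += 1
            continue
        if code == OPT_END:               # single-byte option, list ends here
            break
        if i + 1 >= len(vend):
            raise ValueError("truncated option header at offset %d" % i)
        length = vend[i + 1]
        value = vend[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes past end of field" % (code, length))
        # RFC 3396: a code may appear more than once; the pieces are concatenated.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def build_dhcp_options(pairs):
    """Inverse of the parser: cookie, code/length/value triples, then END."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    for code, value in pairs:
        if len(value) > 255:
            raise ValueError("option %d longer than 255 bytes; split per RFC 3396" % code)
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


# Constructed sample: the options block of a DHCPDISCOVER.
SAMPLE_OPTIONS = build_dhcp_options([
    (53, b"\x01"),                                    # DHCP Message Type: DISCOVER
    (61, b"\x01" + bytes.fromhex("001122334455")),   # Client Identifier: htype + MAC
    (55, bytes([1, 3, 6, 15])),                       # Parameter Request List
])

# Constructed BOOTP vend field with no cookie: the same bytes, but a server has
# no way to know they are options, so it must not parse them as such.
BOOTP_VEND = bytes(4) + SAMPLE_OPTIONS[4:]


if __name__ == "__main__":
    for code, value in parse_dhcp_options(SAMPLE_OPTIONS).items():
        print(code, value.hex())
    print("BOOTP vend field is DHCP:", is_dhcp_options(BOOTP_VEND))
```

The refusal path matters in practice: a DHCP implementation that skips the cookie check and parses a non-DHCP vend field as TLVs is trusting attacker-chosen lengths it has no reason to trust.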
Apr 16, 2012
RV042 in Router mode. WAN1 preferred. With Smart Link it seems to work to a point. When WAN1 fails, it fails over to WAN2. But then it gets stuck on WAN2 and I have to manually switch to WAN2 preferred and then back to WAN1 preferred to get the WAN1 connection to return. The test IP addresses should be just fine as set.
Is there something I should be doing differently?
Jun 13, 2013
The WLC config guide for Release 7.4 states that sticky key caching (useful with Apple devices) is supported at APs in local mode. [URL] I am testing the new WLC 8500 with 7.4.100.60.
AP mode = FlexConnect
The WLAN I activated SKC on is centrally switched. I debugged the iPhone (4S) roaming. I think SKC works on a centrally switched VLAN on FlexConnect APs.
*apfMsConnTask_1: Jun 14 14:15:17.069: 30:39:26:2c:d3:ee Reassociation received from mobile on BSSID 00:16:9c:ba:a9:b6
*apfMsConnTask_1: Jun 14 14:15:17.069: 30:39:26:2c:d3:ee Global 200 Clients are allowed to AP radio
*apfMsConnTask_1: Jun 14 14:15:17.069: 30:39:26:2c:d3:ee Max Client Trap Threshold: 0 cur: 23
*apfMsConnTask_1: Jun 14 14:15:17.069: 30:39:26:2c:d3:ee Rf profile 600 Clients are allowed to AP wlan
[code]....
Jun 5, 2013
I'm having an issue with port-security on a Cisco 2950 switch. The port-security is set up to use sticky MAC addresses and was working just fine. Recently when a computer was changed out and I needed to clear the security on the port, it wouldn't let me. I would type clear port-security sticky int fa0/## and it would give me an error. The error would be that the sticky command doesn't exist. So I went back and typed clear port-security ? and the only option was dynamic. Even if I try to take the port security off the switch it won't let me; it never shows the option for sticky. If I change the maximum number of MAC addresses allowed the computer will work, but I can never clear the old addresses out.
May 5, 2012
Our customer has a Cisco ME3600X with the IOS me360x-universalK9-mz.122-52.EY3. They are saying that it is not possible to configure "switchport port-security mac-address sticky" on the interfaces and want to know whether any additional license is needed. As far as I know there isn't any extra license to activate this feature, and I also believe the ME3600 switch should have this feature with the universal IOS. Isn't that right?
Oct 12, 2011
How to read some of these log entries I see on the IOS 15.2 router I'm working with? I'm fairly new to this stuff. My understanding is that the first socket (123.123.123.123:port#) is the originating one, and the 2nd socket is the receiving or destination. This makes sense when I see an entry like:
01043: *Nov 21 2012 10:28:34.323 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.241.163:39557 192.168.xx.xx:80 due to RST inside current window with ip ident 0
The internal IP is our email server inside the LAN; the first IP is some IP in a foreign country, so somebody visited our web interface for the email server, obviously trying to breach or recon the interface, but whatever. Then I see an (unrelated) entry like this elsewhere in the logs:
001095: *Nov 21 2012 25:56:03.531 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.178.210:25 192.168.xx.xx:47343 on zone-pair inside-outside class INSIDE-OUTSIDE due to Stray Segment with ip ident 0
What this latter entry tells me is that the Internet host sent data FROM port 25 to what I am guessing is the open port our internal email server must have originated some other communication from. However we do not accept incoming port 25 mail from anywhere but a designated IP, so this "send" is not supposed to occur. So first off, am I reading that correctly? Is the first IP the sending system, and the second IP the receiver? There are no other entries in the logs between these two hosts, so either the logs have truncated with the oldest entries removed (log buffer is set to 51200), or that outside host is sending, hoping to get our mail server to respond? BTW, the outside host WHOISes to Microsoft's IP range, Block 1.
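Reading these lines one at a time is error-prone, and the question of which socket is which is easier to settle once the fields are pulled apart. The following is an added example, not part of the original thread or of IOS, that parses %FW-6-DROP_PKT lines in the layout quoted above (first socket, second socket, optional zone-pair and class clause, drop reason), labels each drop inbound or outbound against a known inside prefix, and tallies drops by direction and reason. It assumes, as the post reads it, that the first socket is the sender of the dropped segment; the inside prefix 192.168.10.0/24 and the log lines themselves are constructed, with RFC 5737 documentation addresses in place of the real ones.

```python
import ipaddress
import re
from collections import Counter

# Inside prefix assumed for this example (the post masks its own addresses).
INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")

# Message layout as the post shows it: first socket, second socket, an optional
# zone-pair/class clause, then the drop reason. The example assumes the first
# socket is the sender of the dropped segment, as the post reads it.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
    r"(?: on zone-pair (?P<zone_pair>\S+) class (?P<class_map>\S+))?"
    r" due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
)

# Constructed log lines in the format quoted in the post, with RFC 5737
# documentation addresses standing in for the real ones. The %SYS line is
# there to show that unrelated messages are skipped.
SAMPLE_LOG = """\
01043: *Nov 21 2012 10:28:34.323 PCTime: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.163:39557 192.168.10.25:80 due to RST inside current window with ip ident 0
01044: *Nov 21 2012 10:29:01.007 PCTime: %SYS-5-CONFIG_I: Configured from console by admin on vty0
01045: *Nov 21 2012 10:56:03.531 PCTime: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.210:25 192.168.10.25:47343 on zone-pair inside-outside class INSIDE-OUTSIDE due to Stray Segment with ip ident 0
01046: *Nov 21 2012 10:56:05.112 PCTime: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.25:52110 203.0.113.210:25 on zone-pair inside-outside class INSIDE-OUTSIDE due to Stray Segment with ip ident 0
"""


def direction(src_ip, dst_ip):
    """Classify a drop relative to INSIDE_NET."""
    src_in = ipaddress.ip_address(src_ip) in INSIDE_NET
    dst_in = ipaddress.ip_address(dst_ip) in INSIDE_NET
    if dst_in and not src_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    return "other"


def parse_drop_events(lines):
    """Return one dict per %FW-6-DROP_PKT line; other messages are skipped."""
    events = []
    for line in lines:
        m = DROP_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["src_port"] = int(ev["src_port"])
        ev["dst_port"] = int(ev["dst_port"])
        ev["direction"] = direction(ev["src_ip"], ev["dst_ip"])
        events.append(ev)
    return events


def summarize(events):
    """Count drops by (direction, reason) so stray inbound segments stand out."""
    return Counter((ev["direction"], ev["reason"]) for ev in events)


if __name__ == "__main__":
    evs = parse_drop_events(SAMPLE_LOG.splitlines())
    for (dirn, reason), n in sorted(summarize(evs).items()):
        print(f"{n:3d}  {dirn:8s}  {reason}")
```

An inbound "Stray Segment" from port 25 with no matching outbound session in the buffer is exactly the case the post describes; the tally makes it visible without reading every line, and the parsed src/dst pair gives you what to search for in the next log export.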
May 31, 2012
We are using an ASR 1002 for dynamic NAT (with route maps). I have a problem with the usage of the NAT pool itself. The total NAT translations for the pool are:
#sh ip nat stat
[Id: 1] route-map natted-host-01 pool nat-pool-01 refcount 136
pool nat-pool-01: netmask 255.255.254.0
start XX.XX.202.0 end XX.XX.203.255
type generic, total addresses 512, allocated 88 (17%), misses 0
If I now look into the NAT translation table I get fewer entries:
#sh ip nat translations filter map-id dynamic 1 total
Total number of translations: 43
Only a deeper look into the QFP gives the right values here:
# sh platform hardware qfp active feature nat data
The output count matches the values I get if I issue a sh ip nat stat.
My question is how it is handled internally.
We also have a problem with rising usage of the pool over time. Once allocated, pool entries are not released after a period of time, and no NAT translation occurs for those used IP NAT pool addresses.
The timers on the device are set:
ip nat translation timeout 300
ip nat translation tcp-timeout 900
ip nat translation pptp-timeout 900
ip nat translation udp-timeout 120
ip nat translation routemap-entry-timeout 900
ip nat translation max-entries 750000
Oct 29, 2012
How big is the NAT table for a PIX515E? How many entries can it have?
Sep 9, 2012
I work in a service desk in a 100+ company and lately I got a task to gather all the hosts file entries that are on our network's PCs. We operate on Windows XP 32 & 64-bit and W7 64-bit. Is there any tool that I could use to scan all hosts files within our network? I tried Google of course, but maybe I type my search phrases in a bad way to find something useful to my needs.
Apr 4, 2013
I have the ME3400 deployed in the following design: 8 100 Meg ports connect to Cisco 2955s, and the 1 Gig port uplinks to a Cisco 3560. My CDP neighbour table only shows an entry for the uplink Gig port. If I look at the CDP stats in show cdp interface FastEthernet 0/1, I see CDP packets being sent every 60, but nothing returning.
Apr 6, 2011
I cannot seem to view my "permit" entries in the log on my ASA 5520. I set up logging lists, changed the level to 3 on the logging statement, and simply can't find it anywhere.
Partial config:
logging enabled
logging timestamp
logging JC-L3 level errors
logging monitor JC-L3
logging buffered JC-L3
logging trap notifications
[code]....
Jul 15, 2012
How many VMs can a pair of 5548s support? Remember, for each VM I will have an ARP entry in the 5500 ARP table (assume the 5500 is the L3 default gateway).
Nov 27, 2012
Is there a table which lists the route table entries on a Cisco ISR router, especially the ISR 1921 router?
Sep 24, 2011
How many route entries can an ASA5520 (8.2.1-k8) support?
Aug 9, 2011
I have enabled Network filtering on MAC address on my D-Link 628 router.
I've noticed entries in the log file - "Access Denied to LAN System with MAC address ______________" for 2 different MAC addresses. I do not recognize these MAC addresses. The entry that immediately follows these messages is "Above message repeated 466 times and 124 times". The entries for these 2 MAC addresses have been occurring multiple times with different repeat numbers over the past few days.
Is this an indication that someone nearby my router is attempting to hack into my wireless router or do I have a configuration issue?
Mar 14, 2011
The version of my DIR-655 is 1.32NA. Entries in the Time column of LOG DETAILS are incorrect. How can I correct them?