CSS11500 Load Balancing issue

Answered Question
Jan 7th, 2010

Hi all,


I am using the CSS 11500 sg0750004 (07.50.0.04) to balance requests between two web application servers, but after applying the configuration, the requests are not balanced as expected. See the configuration applied:


service SAPSRV1_8000
  ip address 192.215.13.44
  protocol tcp
  keepalive method get
  keepalive type tcp
  keepalive port 8000
  keepalive frequency 30
  port 8000
  string  sapsrv1
  active


service SAPSRV2_8000
  ip address 192.215.13.45
  protocol tcp
  keepalive method get
  keepalive type tcp
  keepalive port 8000
  keepalive frequency 30
  port 8000
  string  sapsrv2
  active


content SAPSRVS_8000
    add service SAPSRV1_8000
    add service SAPSRV2_8000
    vip address 192.215.13.40
    advanced-balance cookies
    string process-length 7
    no persistent
    protocol tcp
    port  8000
    url "/*"
    string prefix "sap-hostid="
    string range 1 to 1999
    active


group SAPSRV1_SAPSRV2Servers
  add destination service SAPSRV1_8000
  add destination service SAPSRV2_8000
  vip address 192.215.13.40
  active



So, the VIP address is exclusive to the group service, and the TCP port is also exclusive.

Could you please assist me: why isn't the load balancing running correctly?

In case you need more information, please let me know.

Thank you in advance.


Sergio Lima

Correct Answer by jason.espino about 7 years 5 months ago

Hello Sergio,


Can you please elaborate on the issues you are experiencing? When you mention the VIP is not working as expected is that due to the fact that the connection simply hangs? Is the CSS actually balancing the inbound traffic?  Or is it successfully balancing the traffic, but not maintaining session persistence based on the server-side cookie?  Do you know if the session cookie will be embedded within the HTTP header or the URL string?  If you are unsure you can always change the "advanced-balance" method to "cookie-url". Can you ping the VIP address?




Also, can you confirm that the server-side cookie should be located directly after the following name "sap-hostid="?


Ex:


sap-hostid=sapsrv1


The reason why I ask is you do not have a string skip-length defined so the CSS will attempt to locate the server-side cookie string after the prefix.




Also, have you verified the services have passed their keep-alive check? This can be performed by running the following command:


show service-summary


Both of the services should be "alive" on their keep-alive check.




Also, on your service configuration you do not require the "keepalive method get" command since the services are set up to perform a tcp socket connection for their keep-alive check and not a keepalive type of http to a URI page.


service SAPSRV1_8000
  ip address 192.215.13.44
  protocol tcp
  keepalive type tcp
  keepalive port 8000
  keepalive frequency 30
  port 8000
  string  sapsrv1
  active


service SAPSRV2_8000
  ip address 192.215.13.45
  protocol tcp
  keepalive type tcp
  keepalive port 8000
  keepalive frequency 30
  port 8000
  string  sapsrv2
  active




Also, based on the service and content rule configuration it would seem as though your CSS has been deployed in Bridged Mode (single Circuit VLAN).  That being said, the Group Rule will allow users from the 192.215.13.0/24 network to establish a port 8000 connection to the 192.215.13.40 VIP. However, please be advised external clients establishing a connection to the 192.215.13.40 VIP will "appear" as the .40 VIP address within the destination server logs.  The CSS will SNAT the inbound client traffic and masquerade their true source address as the VIP. Unfortunately, the CSS does not support the X-Forwarded-For HTTP header option.  However, this can be bypassed through the use of ACLs on the CSS.


- Jason

jason.espino Thu, 01/07/2010 - 07:58
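
A simplified model of the cookie string matching discussed in the answer above, added here as an example (it is not part of the original thread and is not Cisco code). It applies the content rule's prefix, process-length, range and an optional skip-length to constructed Cookie headers and reports which service string, if any, is matched; the function names, the slice-based handling of the range and the sample headers are assumptions.

```python
# Added illustration: simplified model of how a content rule with
# "advanced-balance cookies" derives the string it compares with each
# service's "string" value. Assumption-based sketch, not device code.

SERVICES = {                      # service "string" values from the posted config
    "sapsrv1": "SAPSRV1_8000",
    "sapsrv2": "SAPSRV2_8000",
}

def extract_sticky(header, prefix="sap-hostid=", skip_length=0,
                   process_length=7, search_range=1999):
    """Return the characters that would be compared, or None if no prefix."""
    window = header[:search_range]            # string range 1 to 1999 (modelled as a slice)
    pos = window.find(prefix)                 # string prefix "sap-hostid="
    if pos < 0:
        return None
    start = pos + len(prefix) + skip_length   # string skip-length (0 when not configured)
    value = window[start:start + process_length]  # string process-length 7
    return value or None

def pick_service(header, **rule):
    """Map a Cookie header to a service name; None means no sticky match."""
    return SERVICES.get(extract_sticky(header, **rule))

# Constructed sample headers (not captured traffic).
SAMPLES = [
    ("Cookie: sap-hostid=sapsrv1; other=1", {}),
    ("Cookie: lang=EN; sap-hostid=sapsrv2", {}),
    # Extra characters between the prefix and the server string:
    # without skip-length the 7 extracted characters match no service.
    ("Cookie: sap-hostid=xx:sapsrv2", {}),
    ("Cookie: sap-hostid=xx:sapsrv2", {"skip_length": 3}),
    ("Cookie: lang=EN", {}),                  # no sticky cookie at all
]

if __name__ == "__main__":
    for header, rule in SAMPLES:
        print(f"{header!r:45} {rule!s:20} "
              f"extracted={extract_sticky(header, **rule)!r} "
              f"service={pick_service(header, **rule)}")
```
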

Sergio Lima Thu, 01/07/2010 - 09:37

Hi Jason,


Many thanks for your information.


I reviewed the configuration applied on my CSS around the string and observed some errors. I reconfigured this and had success.

Now I am going to review all the configurations applied on some services to check for faults.

As soon as possible, I will pass you the information requested.


Thanks a lot.


Cheers.
