ACE 4710 sticky for MS RDP

Support Team
Level 1

Hello

I have a question about sticky for MS Terminal Services. I have one 4710 demo box and an MS terminal server farm containing 15 servers. All servers are running Windows 2003 Standard Edition. The ACE is working in bridge mode. Sticky config:

sticky ip-netmask 255.255.255.255 address both SG1
  timeout 120
  serverfarm TSTERM

Everything is working fine, but the sticky timeout decreases for active clients. The Administration Guide says the following:

The sticky timeout specifies the period of time that the ACE keeps (if possible) the IP address sticky information for a client connection in the sticky table after the latest client connection terminates. The ACE resets the sticky timer for a specific sticky-table entry each time that the appliance opens a new connection or receives a new HTTP GET on an existing connection matching that entry. High connection rates may cause the sticky table entries to age out prematurely.

By default, the ACE ages out a sticky table entry when the timeout for that entry expires and no active connections matching that entry exist. To specify that the ACE time out IP address sticky table entries even if active connections exist after the sticky timer expires, use the timeout activeconns command.

What happens after 120 minutes for active clients? Is the sticky entry removed from the table, and if the session is broken and the client tries to reconnect, does the ACE connect it to a different server? How can I avoid this?

Regards,

Stanislav Kuchma

6 Replies

dario.didio
Level 4

Hi,

The sticky table uses a timer to expire entries in its table. 2 possibilities exist here:

- Active connects cannot timeout: When a client connects the first time, an entry in the sticky table is created. As long as connections from that client are seen, the timer is reset. That means that if the timer is 2 hours, an idle time from that client needs to be 2 hours before the entry is removed. Every time that client reconnects within the 2 hours, the timer is reset.

- Active connects do timeout: When a client connects the first time, an entry in the sticky table is created, and the expire timer is started. If the client is idle or new connections are made, the expire timer is never reset and keeps running. When the timer expires, the entry is removed from the sticky table, and a new load-balancing decision is made on the first connection after the timer has expired.

For your scenario, the best is not to timeout active connections. This is also the default behaviour of the ACE.

In any case, you can configure "no timeout activeconns" in your sticky serverfarm config.

Have you considered RDP load-balancing on ACE?

You need a Session Director that passes routing tokens.

Take a look at following document: http://download.microsoft.com/download/8/6/2/8624174c-8587-4a37-8722-00139613a5bc/TS_Session_Directory.doc

HTH,

Dario

In my config it is "Active connects cannot timeout", but for RDP it doesn't work. The timer isn't reset and continues to decrease. I verified this with the sh sticky database command for an active client. And I can't use Session Directory because the server farm must be running Windows Enterprise or Datacenter Edition. We use Standard Edition.

Hi,

If you can't use RDP load-balancing (like you said, indeed your version of Win2003 does not suit), you cannot use the L7 policy type RDP. You should use the normal policy map type loadbalance.

Can you post your config?

Thanks,

Dario

logging enable
logging timestamp
logging trap 6
logging buffered 6


access-list bpdu-fixup ethertype permit bpdu

access-list ALL line 8 extended permit ip any any

probe icmp ICMPPROBE
  interval 2
  faildetect 5
  passdetect interval 60
  passdetect count 5

rserver host TSTERM1
  ip address 10.0.0.100
  inservice
rserver host TSTERM10
  ip address 10.0.0.112
  inservice
rserver host TSTERM11
  ip address 10.0.0.113
  inservice
rserver host TSTERM12
  ip address 10.0.0.114
  inservice
rserver host TSTERM13
  ip address 10.0.0.115
  inservice
rserver host TSTERM14
  ip address 10.0.0.116
  inservice
rserver host TSTERM15
  ip address 10.0.0.117
  inservice
rserver host TSTERM2
  ip address 10.0.0.101
  inservice
rserver host TSTERM3
  ip address 10.0.0.102
  inservice
rserver host TSTERM4
  ip address 10.0.0.103
  inservice
rserver host TSTERM5
  ip address 10.0.0.104
  inservice
rserver host TSTERM6
  ip address 10.0.0.108
  inservice
rserver host TSTERM7
  ip address 10.0.0.109
  inservice
rserver host TSTERM8
  ip address 10.0.0.110
  inservice
rserver host TSTERM9
  ip address 10.0.0.111
  inservice


serverfarm host TSTERM
  predictor leastconns
  probe ICMPPROBE
  rserver TSTERM10
    inservice
  rserver TSTERM11
    inservice
  rserver TSTERM12
    inservice
  rserver TSTERM13
    inservice
  rserver TSTERM14
    inservice
  rserver TSTERM15
    inservice
  rserver TSTERM2
    inservice
  rserver TSTERM3
    inservice
  rserver TSTERM4
    inservice
  rserver TSTERM5
    inservice
  rserver TSTERM6
    inservice
  rserver TSTERM7
    inservice
  rserver TSTERM8
    inservice
  rserver TSTERM9
    inservice

sticky ip-netmask 255.255.255.255 address source SG-TSTERM
  timeout 600
  serverfarm TSTERM

class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
class-map match-all slb-TSTERM-vip
  2 match virtual-address 10.0.0.126 tcp eq rdp

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance rdp first-match slb-TSTERM-vip
  class class-default
    sticky-serverfarm SG-TSTERM

policy-map multi-match client-vips
  class slb-TSTERM-vip
    loadbalance vip inservice
    loadbalance policy slb-TSTERM-vip
    loadbalance vip icmp-reply

interface vlan 108
  bridge-group 2
  access-group input bpdu-fixup
  access-group input ALL
  access-group output ALL
  no shutdown
interface vlan 1108
  bridge-group 2
  access-group input bpdu-fixup
  access-group input ALL
  access-group output ALL
  service-policy input client-vips
  service-policy input remote_mgmt_allow_policy
  no shutdown

interface bvi 2
  ip address 10.0.0.125 255.255.255.224
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.0.97

Hi,

Change the following and you should be good to go:

policy-map type loadbalance rdp first-match slb-TSTERM-vip
  class class-default
    sticky-serverfarm SG-TSTERM

should become

policy-map type loadbalance first-match slb-TSTERM-vip
  class class-default
    sticky-serverfarm SG-TSTERM

Because you don't have a session director, you should load-balance the RDP traffic like any other traffic.

Let me know if it solved your problem.

HTH,

Dario

Hello

I changed the policy to include all traffic, but it doesn't work. The sticky timer continues to decrease for active RDP sessions. I think it's OK, because the ACE resets the sticky timer only for a new TCP session or HTTP request.


Regards,

Stanislav Kuchma
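
The aging rules discussed in this thread, as an added example that is not part of the original posts and is not ACE code: a toy model that follows the Administration Guide excerpt quoted in the question literally. It assumes a round-robin pick as a stand-in for the load-balancing decision and uses 192.0.2.10 as a constructed client address; it shows one long-lived RDP connection whose timer only counts down, and which server a reconnect lands on before and after the 120-minute timeout.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    server: str
    expires_at: int   # minute at which the sticky timer reaches zero
    active: int = 0   # open connections matching this entry

class StickyTable:
    """Toy model of the aging rules in the quoted guide excerpt (not ACE code)."""
    def __init__(self, servers, timeout_min, activeconns=False):
        self.servers, self.timeout, self.activeconns = servers, timeout_min, activeconns
        self.entries, self._next = {}, 0

    def _age(self, now):
        # Default: drop only when the timer has expired AND no connection is open.
        # "timeout activeconns": drop on expiry even if connections are open.
        for ip, e in list(self.entries.items()):
            if now >= e.expires_at and (self.activeconns or e.active == 0):
                del self.entries[ip]

    def connect(self, ip, now):
        self._age(now)
        e = self.entries.get(ip)
        if e is None:  # new load-balancing decision (round-robin stand-in, assumption)
            e = self.entries[ip] = Entry(self.servers[self._next % len(self.servers)], now)
            self._next += 1
        e.expires_at = now + self.timeout  # timer resets only on a new connection
        e.active += 1
        return e.server

    def disconnect(self, ip, now):
        self._age(now)
        e = self.entries.get(ip)
        if e:
            e.active -= 1

    def remaining(self, ip, now):
        self._age(now)
        e = self.entries.get(ip)
        return None if e is None else max(0, e.expires_at - now)

def rdp_scenario(activeconns, break_at):
    """One long RDP connection opened at minute 0 that breaks at `break_at`."""
    t = StickyTable(["TSTERM1", "TSTERM2", "TSTERM3"], 120, activeconns)
    client = "192.0.2.10"                       # constructed client address
    first = t.connect(client, 0)
    left_at_60 = t.remaining(client, 60)        # counts down: no new connection seen
    present = t.remaining(client, break_at) is not None
    t.disconnect(client, break_at)
    return first, left_at_60, present, t.connect(client, break_at + 1)
```

`rdp_scenario(False, 90)` reconnects to the same server, while `rdp_scenario(False, 150)` and `rdp_scenario(True, 150)` both get a new decision; the two modes differ only in whether the entry still exists at minute 150 while the connection is open.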
