New Member

ACE 20 CAS servers

Hi all,

I have to load balance two CAS servers. Is this the correct way to set up the probes and serverfarm? I am using an ACE 20.

 

probe tcp TESTCAS-PROBE
  interval 3
  passdetect interval 5

parameter-map type ssl SSL-TESTCAS-FARM-ADVANCED
  cipher RSA_WITH_RC4_128_MD5

rserver host TSTCAS
  ip address 10.192.6.2
  inservice
rserver host TSTCAS2
  ip address 10.192.6.3
  inservice

ssl-proxy service SSL-TESTCAS-FARM
  key testcas.pem
  cert testcascert
  chaingroup TEST-CHAINGRP
  ssl advanced-options SSL-TESTCAS-FARM-ADVANCED

serverfarm redirect HTTP-TESTCAS-FARM
  rserver HTTP-TESTCAS
    inservice

serverfarm host TESTCAS-FARM
  predictor leastconns
  probe TESTCAS-PROBE
  rserver TSTCAS 80
    inservice
  rserver TSTCAS2 80
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SSL-TESTCAS-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm TESTCAS-FARM

class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.6.1 tcp eq https

policy-map type loadbalance first-match TESTCAS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-TESTCAS-FARM

policy-map multi-match TESTCASPOLICY
  class TESTCAS-VIP
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-TESTCAS-FARM

service-policy input TESTCASPOLICY

26 REPLIES
Cisco Employee

Hi,

The above looks good. Looking at the probe, I would recommend that you always keep more than the passdetect interval time. You can read about "skipped probes" for details. Ideally, the interval should not be too aggressive; 3 seconds is a very aggressive time to probe servers/applications. I would suggest increasing it to 10-15 seconds.

Other than that the config looks fine, and I see that you have selected a particular cipher too, so I guess that was the requirement. A client coming with another cipher will renegotiate, and if it cannot offer the above cipher in its list, the handshake will fail.

Let me know if you have any questions.

Regards,

Kanwal

New Member

Thanks Kanwalsi,

I am not sure on the passdetect interval as I have had no information from the server guys. This isn't Microsoft CAS; it is the CAS for a web portal application.

I will let you know what requirements the server guys get back to me with. Again, they didn't specify a cipher, but this has been used in all other load balancer configs.

Thanks.

Cisco Employee

Hi Netter,

It is your setup and you should tweak the different parameters available to suit your environment.

But let me know if you need anything from my side.

Regards,

Kanwal

New Member

Thanks Kanwalsi,

Seems there is a change in design. They want to pass traffic straight onto the CAS servers, where the certificates will be installed. The CAS certificates have to be on the CAS servers, and both HTTP and HTTPS traffic is to be enabled from the load balancer to the CAS.

They say this method ensures that all servers and internal communication to the CAS take place securely.

I will redo the config and see how it goes.

Cisco Employee

Hi,

No problem. Let me know if you need anything. Also, if they don't want the ACE to do anything but just load balance, then it is just going to be simple L3-L4 based load balancing and should be pretty straightforward.

Good luck!

Regards,

Kanwal

New Member

Thanks Kanwalsi,

Is the configuration in the post above correct? I am not sure if the redirect serverfarm is the right approach to doing this. It may work, but would the right approach be to use 443 from the servers in the serverfarm and have it like this:

serverfarm host TESTCAS-FARM
  predictor leastconns
  probe TESTCAS-PROBE
  rserver TSTCAS
    inservice
  rserver TSTCAS2
    inservice

And then just add another class match to the VIP for www like below?

class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.158.60 tcp eq https
  3 match virtual-address 10.192.158.60 tcp eq www

And totally remove the redirect config?

Cisco Employee

Hi Netter,

Redirect would be needed if you want the ACE to redirect the users coming in on HTTP to HTTPS. Once they come in on HTTPS they will be load balanced.

If redirect is needed then you need to configure a redirect rserver and serverfarm, call it in a policy map and then call the class-map for www in the policy multi-match. So traffic would be redirected from HTTP to HTTPS. Once the user comes in on HTTPS, it will match the 443 class and get load balanced to a different serverfarm.

Coming back to your configuration, I don't see you have called the redirect serverfarm in a policy map. That will not work. So you need to be very clear about what the customer wants and we can configure accordingly.

Regards,

Kanwal
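
The dangling-reference problem Kanwal points out (a redirect serverfarm that no policy-map calls) is the kind of thing a short script catches before the config goes onto the box. The following Python is an added example, not from this thread and not from Cisco: it splits an ACE context on indentation and checks that every rserver, serverfarm, sticky group, class-map, loadbalance policy, ssl-proxy service and parameter-map a block names is actually defined, that every serverfarm is used by a sticky group or loadbalance policy, that sticky groups name a serverfarm, and that no SSL parameter-map still offers an RC4/MD5/DES/NULL/EXPORT cipher. The CHILD_REFS table and the WEAK_CIPHER_MARKERS list are my own choices, and SAMPLE_CONFIG is constructed with four deliberate slips taken from the configs in this thread.

```python
from collections import defaultdict

WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT")

# (parent block kind, child command) -> (kind of object referenced, index of its name)
CHILD_REFS = {
    ("serverfarm", "rserver"): ("rserver", 1),
    ("serverfarm", "probe"): ("probe", 1),
    ("sticky", "serverfarm"): ("serverfarm", 1),
    ("policy-map", "serverfarm"): ("serverfarm", 1),
    ("policy-map", "sticky-serverfarm"): ("sticky", 1),
    ("policy-map", "class"): ("class-map", 1),
    ("policy-map", "loadbalance policy"): ("lb-policy", 2),
    ("policy-map", "ssl-proxy server"): ("ssl-proxy", 2),
    ("ssl-proxy", "ssl advanced-options"): ("parameter-map", 2),
    ("interface", "service-policy input"): ("service-policy", 2),
}

# Constructed sample in the thread's redirect layout, with four slips planted that the
# thread itself ran into: a misspelled rserver, a redirect farm no policy calls, a
# loadbalance policy that does not exist, and the RC4/MD5 cipher from the first post.
SAMPLE_CONFIG = """\
parameter-map type ssl SSL-TESTCAS-FARM-ADVANCED
  cipher RSA_WITH_RC4_128_MD5
rserver redirect HTTP-TESTCAS
  webhost-redirection https://%h/%p 301
rserver host TSTCAS
  ip address 10.192.158.44
serverfarm redirect HTTP-TEST-FARM
  rserver HTTP-TEST
serverfarm host TESTCAS-FARM
  rserver TSTCAS 443
sticky ip-netmask 255.255.255.255 address source STICKY-TESTCAS-FARM
  serverfarm TESTCAS-FARM
class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.158.60 tcp eq https
class-map match-any REDIRECT-HTTPCAS-TEST
  2 match virtual-address 10.192.158.60 tcp eq www
policy-map type loadbalance first-match TESTCAS-POLICY
  class class-default
    sticky-serverfarm STICKY-TESTCAS-FARM
policy-map multi-match TESTCASPOLICY
  class TESTCAS-VIP
    loadbalance policy TESTCAS-POLICY
  class REDIRECT-HTTPCAS-TEST
    loadbalance policy TESTCAS-POLICY-REDIRECT
service-policy input TESTCASPOLICY
"""


def parse_blocks(text):
    """Split a context into (header, [child lines]); ACE nests by indentation."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def collect_definitions(blocks):
    """kind -> defined names. The name follows the type keyword for probe/rserver/
    serverfarm and is the last header token otherwise; multi-match and management
    policy-maps share one kind because either can sit behind a service-policy."""
    defs = defaultdict(set)
    for header, _ in blocks:
        tok = header.split()
        if tok[0] in ("probe", "rserver", "serverfarm"):
            defs[tok[0]].add(tok[2])
        elif tok[0] in ("sticky", "class-map", "parameter-map"):
            defs[tok[0]].add(tok[-1])
        elif tok[0] == "policy-map":
            defs["lb-policy" if "loadbalance" in tok else "service-policy"].add(tok[-1])
        elif tok[:2] == ["ssl-proxy", "service"]:
            defs["ssl-proxy"].add(tok[2])
    return defs


def check_references(text):
    """List dangling references, farms nothing uses, farm-less sticky groups, weak ciphers."""
    blocks = parse_blocks(text)
    defs = collect_definitions(blocks)
    problems, used_farms = [], set()
    for header, children in blocks:
        tok = header.split()
        for line in children:
            c = line.split()
            ref = CHILD_REFS.get((tok[0], c[0])) or CHILD_REFS.get((tok[0], " ".join(c[:2])))
            if ref and c[ref[1]] != "class-default":
                kind, name = ref[0], c[ref[1]]
                if name not in defs[kind]:
                    problems.append(f"{header}: {kind} '{name}' is not defined")
                if kind == "serverfarm":
                    used_farms.add(name)
            elif tok[0] == "parameter-map" and c[0] == "cipher" and any(m in c[1] for m in WEAK_CIPHER_MARKERS):
                problems.append(f"{header}: cipher {c[1]} is obsolete and should be dropped")
        if tok[0] == "service-policy" and tok[-1] not in defs["service-policy"]:
            problems.append(f"{header}: policy-map '{tok[-1]}' is not defined")
        if tok[0] == "sticky" and not any(l.startswith("serverfarm ") for l in children):
            problems.append(f"{header}: sticky group names no serverfarm")
    for farm in sorted(defs["serverfarm"] - used_farms):
        problems.append(f"serverfarm '{farm}': defined but no sticky group or loadbalance policy uses it")
    return problems
```

Calling check_references() on SAMPLE_CONFIG returns four findings: the misspelled rserver, the loadbalance policy that does not exist, the RC4/MD5 cipher, and the redirect farm nothing calls. Paste the output of `show running-config` for your own context in place of the sample; the parser relies only on the two-space indentation the ACE prints.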

New Member

Thanks Kanwalsi,

This is what I got from the external server guys:

- For the CAS tier, pass the traffic straight onto the CAS servers, on which the certificates will be installed. The CAS certificates just have to be on the CAS servers, and both HTTP and HTTPS traffic is to be enabled from the load balancer to the CAS.

The internal server guys say the servers listen on both 80 and 443, and if a request comes in on 80 the servers redirect to 443.

This makes me think I need my serverfarm set up as follows:

serverfarm host TESTCAS-FARM
  predictor leastconns
  probe TESTCAS-PROBE
  rserver TSTCAS
    inservice
  rserver TSTCAS2
    inservice

And then my class match as follows:

class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.158.60 tcp eq https
  3 match virtual-address 10.192.158.60 tcp eq www

Am I totally wrong or is this the right idea? I have never had to do a configuration where the servers handled the SSL offload and where they accepted traffic on both 80 and 443.

Do I need two probes configured on the one serverfarm? Then two VIPs as above?

Cisco Employee

Hi Netter,

So you should have two class-maps:

class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.158.60 tcp eq https
class-map match-any TESTCAS-VIP1
  3 match virtual-address 10.192.158.60 tcp eq www

Then you should have two serverfarms:

serverfarm host TESTCAS-FARM
  predictor leastconns
  probe TESTCAS-PROBE
  rserver TSTCAS
    inservice
  rserver TSTCAS2
    inservice

serverfarm host TESTCAS-FARM-HTTPS
  rserver TSTCAS 443
    inservice
  rserver TSTCAS2 443
    inservice

policy-map type loadbalance first-match TESTCAS-POLICY-HTTP
  class class-default
    serverfarm TESTCAS-FARM
policy-map type loadbalance first-match TESTCAS-POLICY-HTTPS
  class class-default
    serverfarm TESTCAS-FARM-HTTPS

policy-map multi-match TESTPOLICY
  class TESTCAS-VIP
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY-HTTPS
  class TESTCAS-VIP1
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY-HTTP

That's the configuration you need to do. I just did it for you :)

Now of course you should have two different probes. Simply, you can have TCP port 80 for serverfarm TESTCAS-FARM and TCP port 443 for serverfarm TESTCAS-FARM-HTTPS, or you can have HTTP and HTTPS probes for the respective serverfarms.

Let me know if you have any questions.

Regards,

Kanwal

New Member

Hi Kanwal,

Firstly thanks for all your help and time spent on this. I have taken your advice and redone the whole config. I have 2 class-maps and 2 serverfarms. Can you please double check my serverfarms and probes?

Below is the full config. Does it look OK to you? Am I on the right track?

probe https TESTCASHTTPS-PROBE
  interval 3
  passdetect interval 5
  expect status 200 200
probe http TESTCASWWW-PROBE
  interval 3
  passdetect interval 5
  expect status 200 200

rserver host TSTCAS
  ip address 10.192.158.44
  inservice
rserver host TSTCAS2
  ip address 10.193.158.58
  inservice

serverfarm host TESTCASHTTPS-FARM
  predictor leastconns
  probe TESTCASHTTPS-PROBE
  rserver TSTCAS
    inservice
  rserver TSTCAS2
    inservice

serverfarm host TESTCASWWW-FARM
  predictor leastconns
  probe TESTCASWWW-PROBE
  rserver TSTCAS
    inservice
  rserver TSTCAS2
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-TESTCASWWW-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm TESTCASWWW-FARM
sticky ip-netmask 255.255.255.255 address source STICKY-TESTCASHTTPS-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm TESTCASHTTPS-FARM

class-map match-any TESTCASHTTPS-VIP
  2 match virtual-address 10.192.158.60 tcp eq https
class-map match-any TESTCASWWW-VIP
  3 match virtual-address 10.192.158.60 tcp eq www

policy-map type loadbalance first-match TESTCAS-POLICY-HTTPS
  class class-default
    sticky-serverfarm STICKY-TESTCASHTTPS-FARM
policy-map type loadbalance first-match TESTCAS-POLICY-WWW
  class class-default
    sticky-serverfarm STICKY-TESTCASWWW-FARM

policy-map multi-match TESTCASPOLICYHTTPS
  class TESTCASHTTPS-VIP
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY-HTTPS
policy-map multi-match TESTCASPOLICYWWW
  class TESTCASWWW-VIP
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY-WWW

service-policy input TESTCASPOLICYWWW
service-policy input TESTCASPOLICYHTTPS

Cisco Employee

Hi Netter,

The configuration looks good but you should also have port number 443 defined in the HTTPS serverfarm.

Regards,

Kanwal
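
The server guys said earlier that a request on port 80 gets redirected to 443, while the www probe in the config above insists on `expect status 200 200`. An http probe that hits port 80 and gets a 301 back is a failed probe, so the whole www farm can end up marked failed with nothing actually down. The following Python is an added example, not from this thread and not from Cisco: it models only that part of the ACE probe logic (the expect-status range, faildetect and passdetect count) on constructed replies. The default counts of 3 are the ACE defaults as I remember them and should be checked against your release, and the hostname in the constructed redirect is made up.

```python
import re
from dataclasses import dataclass


@dataclass
class Probe:
    """The parts of an ACE http/https probe that matter here: the reply's status must
    fall inside [expect_lo, expect_hi]; a server goes FAILED after `faildetect`
    consecutive misses and comes back after `passdetect_count` consecutive passes.
    Both counts default to 3, which is the ACE default as I recall it (assumption)."""
    expect_lo: int = 200
    expect_hi: int = 200
    faildetect: int = 3
    passdetect_count: int = 3


@dataclass
class ServerState:
    online: bool = True
    fails: int = 0
    passes: int = 0


STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})")


def response_passes(raw, probe):
    """Judge one raw reply the way `expect status lo hi` does."""
    m = STATUS_LINE.match(raw)
    if not m:
        return False          # not HTTP at all, e.g. a TLS alert when an http probe hits 443
    return probe.expect_lo <= int(m.group(1)) <= probe.expect_hi


def feed(state, probe, raw):
    """Apply one probe result to a server's health; returns the new online flag."""
    if response_passes(raw, probe):
        state.passes, state.fails = state.passes + 1, 0
        if not state.online and state.passes >= probe.passdetect_count:
            state.online = True
    else:
        state.fails, state.passes = state.fails + 1, 0
        if state.online and state.fails >= probe.faildetect:
            state.online = False
    return state.online


def run_probes(replies, probe):
    """Health after each successive reply for a server that starts online."""
    state = ServerState()
    return [feed(state, probe, r) for r in replies]


# Constructed replies: what a CAS box that redirects 80 -> 443 answers on each port.
REDIRECT_ON_80 = (b"HTTP/1.1 301 Moved Permanently\r\n"
                  b"Location: https://cas.example.test/\r\nContent-Length: 0\r\n\r\n")
OK_ON_443 = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

if __name__ == "__main__":
    strict, redirect_ok = Probe(200, 200), Probe(200, 399)
    print("port 80, expect 200 200:", run_probes([REDIRECT_ON_80] * 4, strict))
    print("port 80, expect 200 399:", run_probes([REDIRECT_ON_80] * 4, redirect_ok))
    print("port 443, expect 200 200:", run_probes([OK_ON_443] * 4, strict))
```

With `expect status 200 200` the 301 replies take the server from online to failed on the third probe. Widening the range to `expect status 200 399`, or using a plain `probe tcp` on port 80 as Kanwal suggested, keeps the www farm up; the https probe against 443 is unaffected either way.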

New Member

Thanks Kanwal,

But why, when the probe is https? Am I missing something?

probe https TESTCASHTTPS-PROBE
  interval 3
  passdetect interval 5
  expect status 200 200

Cisco Employee

Hi Netter,

No. You are good:)

Regards,

Kanwal

New Member

Great, thanks again for all the help on this. Let's hope the server guys are happy. I will let you know how it goes.

Thanks.

Cisco Employee

Hi Netter,

Sure. Welcome always!

Regards,

Kanwal

New Member

Hi Kanwalsi,

One problem that I have never seen before: I can get to the VIP from outside the network and from the external world, but I can't from the two CAS servers. Have you ever seen this before?

Thanks

Cisco Employee

Hi Netter,

What do you mean by you cannot get to them? Are you not able to ping them, or are you trying to access the URL? You would need proper NAT in place for the server connection to work. But why do you need to access the servers via the VIP from the servers themselves?

Regards,

Kanwal

New Member

Hi Kanwal,

I have 3 VLANs: 62 is layer 3 on the router, 362 is bridged on the FWSM and 662 is bridged on the ACE.

If I put a server in VLAN 62 I can telnet to the VIP on port 443 (telnet 10.192.228.60 443) and I get a connection fine.

However, if I try from a server behind the ACE in VLAN 662 it doesn't connect.

I have a web tier VIP on this same context and that works fine.

New Member

Hi Kanwal,

At the moment it's just to test the SLB. You can telnet to the VIP address on port 80 and 443 from the CAS servers and other servers in that VLAN. But once you move one of these servers behind the ACE VLAN you can't.

I just don't understand it. Do you think it requires some sort of source NAT? Otherwise the config you helped me with seems perfect.

Cisco Employee

Hi Netter,

Yes you would need source NAT on ACE since you are sitting on the same server which you are trying to access via VIP.

Regards,

Kanwal

New Member

Hi Kanwal,

Damn, I was afraid you were going to say that. I have never implemented source NAT before. Is it hard to do?

My network is 10.192.228.0/25. My rservers are tstcas 10.192.228.44 and testcas2 10.192.228.58. The VIP is 10.192.228.60.

I have implemented the two probes, two serverfarms and two policies as suggested. Do I just pick a random IP address from 10.192.228.0/25?

Any help greatly appreciated, I am really stuck on this.

Cisco Employee

Hi Netter,

Something like this:

- Clients coming in on VLAN 251 connect to the VIP and are load balanced without source NAT.
- Servers connecting to the VIP on VLAN 451 are load balanced AND source NAT'd because they match both class-maps.



login timeout 0

access-list ANYONE line 10 extended permit ip any any

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all REAL_SERVERS
  2 match source-address 192.168.1.0 255.255.255.0
class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
  class REAL_SERVERS
    nat dynamic 1 vlan 451

interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.51.1

Regards,

Kanwal
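
Kanwal's reason for the source NAT, worked through as a small Python model. This is an added example, not part of the thread and not Cisco's code: it uses the routed-mode addresses from the config above, stands in for the predictor by always picking the first rserver, and makes up client port 40000. The same reasoning applies to the bridged setup earlier in the thread, because client and real server share a segment there too and the reply never needs to cross the ACE.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the routed-mode example above: VIP on the client VLAN, real servers
# and the ACE-owned PAT address (nat-pool 1) on the server VLAN.
VIP = "172.16.51.30"
NAT_POOL_IP = "192.168.1.10"
SERVER_VLAN = ipaddress.ip_network("192.168.1.0/24")
REAL_SERVERS = ["192.168.1.11", "192.168.1.12", "192.168.1.13"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


def ace_translate(syn, source_nat, xlate):
    """The ACE takes a SYN for the VIP: dst becomes a real server; with source NAT the
    src becomes the PAT pool address and a fresh port. The reverse mapping is kept."""
    real = REAL_SERVERS[0]                          # predictor not modelled: first rserver
    fwd = replace(syn, dst=real)
    if source_nat:
        fwd = replace(fwd, src=NAT_POOL_IP, sport=1024 + len(xlate))
    xlate[(fwd.src, fwd.sport, real)] = syn         # keyed on what the server will answer to
    return fwd


def server_reply(fwd):
    """A real server answers whatever source it saw; it knows nothing about the VIP."""
    return Packet(src=fwd.dst, dst=fwd.src, sport=fwd.dport, dport=fwd.sport, flags="SYN-ACK")


def deliver(reply, xlate):
    """Where the server's reply goes. A destination on the server VLAN is reached
    directly, so the ACE never sees it, unless it is the ACE's own PAT address;
    an off-subnet destination is routed via the server VLAN gateway, i.e. the ACE."""
    if ipaddress.ip_address(reply.dst) in SERVER_VLAN and reply.dst != NAT_POOL_IP:
        return reply, "direct, bypassing the ACE"
    orig = xlate.get((reply.dst, reply.dport, reply.src))
    if orig is None:
        return None, "dropped: ACE has no connection entry"
    return Packet(src=VIP, dst=orig.src, sport=orig.dport, dport=orig.sport,
                  flags=reply.flags), "via ACE, both translations reversed"


def hairpin(client_ip, source_nat):
    """Send one SYN to the VIP and report whether the client gets a SYN-ACK from the
    address:port it connected to (anything else is reset by the client's own stack)."""
    xlate = {}
    syn = Packet(src=client_ip, dst=VIP, sport=40000, dport=80, flags="SYN")
    got, path = deliver(server_reply(ace_translate(syn, source_nat, xlate)), xlate)
    ok = got is not None and (got.src, got.sport, got.dst, got.dport) == (
        syn.dst, syn.dport, syn.src, syn.sport)
    return ok, path


if __name__ == "__main__":
    for client, snat in [("172.16.51.50", False), ("192.168.1.12", False), ("192.168.1.12", True)]:
        print(client, "source NAT" if snat else "no source NAT", *hairpin(client, snat))
```

A client on the client VLAN works without source NAT because the server's reply has to be routed off its subnet, and the ACE is that route. A client on the server VLAN gets a SYN-ACK straight from 192.168.1.11 for a connection it opened to 172.16.51.30, so its stack resets it; with the `nat dynamic 1 vlan 451` class matched, the server only ever sees the pool address and the ACE can reverse both translations.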

New Member

Hi Kanwal,

Nat worked and I'm up and running. Thanks for all your help on this.

Cisco Employee (accepted solution)

Hi Netter,

I am glad i was of help. Have a good evening man!

Regards,

Kanwal

New Member

Kanwal, I forgot to mention it's not just the CAS servers. If I try to telnet to the VIP from one of the web tier servers it works fine in VLAN 62, but if I move that server to VLAN 662 I have the same problem: I can't telnet to the VIP on 443 or 80.

Do you reckon it is still a source NAT problem?

New Member

Hi Kanwalsi,

Because now they want the certs on the servers and traffic to reach the servers on 80 and 443, I have enabled the config below. Am I on the right track? I have a probe probing the servers on 443 and have a redirect farm enabled as well. Not sure if I should have an https probe and 443 in the serverfarm?

Maybe I am on the wrong track altogether, but this is what I have:

probe https TESTCAS-PROBE
  interval 3
  passdetect interval 5
  expect status 200 200

rserver redirect HTTP-TESTCAS
  webhost-redirection https://%h/%p 301
  inservice

rserver host TSTCAS
  ip address 10.192.168.44
  inservice
rserver host TSTCAS2
  ip address 10.192.168.58
  inservice

serverfarm redirect HTTP-TEST-FARM
  rserver HTTP-TESTCAS
    inservice

serverfarm host TESTCAS-FARM
  predictor leastconns
  probe TESTCAS-PROBE
  rserver TSTCAS 443
    inservice
  rserver TSTCAS2 443
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SSL-**-TESTCAS-FARM
  timeout 720
  timeout activeconns
  replicate sticky

sticky ip-netmask 255.255.255.255 address source STICKY-TESTCAS-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm TESTCAS-FARM

class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.158.60 tcp eq https

class-map match-any REDIRECT-HTTPCAS-TEST
  2 match virtual-address 10.192.168.60 tcp eq www

policy-map type loadbalance first-match TESTCAS-POLICY
  class class-default
    sticky-serverfarm STICKY-TESTCAS-FARM

policy-map type loadbalance first-match TESTCAS-POLICY-REDIRECT
  class class-default
    sticky-serverfarm STICKY-SSL-**-TESTCAS-FARM

policy-map multi-match TESTCASPOLICY
  class TESTCAS-VIP
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY
    loadbalance vip icmp-reply active

policy-map multi-match TESTCASREDIRECTPOLICY
  class REDIRECT-HTTPCAS-TEST
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise

service-policy input TESTCASREDIRECTPOLICY
service-policy input TESTCASPOLICY

 
