New Member

Cisco Ace load balance

Hi,

I need to load balance HTTPS on port 8091. I already made this configuration on port 443 and it works, but with port 8091 the sessions are broken and the users constantly have to log in again.

probe tcp KPalive_server_8091
  port 8091
  interval 10
  faildetect 2
  passdetect interval 10
  passdetect count 2
  open 1

rserver host server01
  ip address 192.168.32.128
  inservice

rserver host server02
  ip address 192.168.32.129
  inservice

serverfarm host SRVfarm_server
  probe KPalive_server_8091
  rserver server01
    inservice
  rserver server02
    inservice

sticky layer4-payload server_HTTPS
  serverfarm SRVfarm_server
  response sticky
  layer4-payload offset 43 length 64 begin-pattern "(\x20|\x00\xST)"

class-map match-all CLA4_HTTPS
  2 match virtual-address 192.168.30.60 tcp eq 8091

policy-map type loadbalance generic first-match POL7_HTTPS
  class class-default
    sticky-serverfarm server_HTTPS

policy-map multi-match POL4_HTTPS
  class CLA4_HTTPS
    loadbalance vip inservice
    loadbalance policy POL7_HTTPS
    loadbalance vip icmp-reply active

thanks

Fred

P.S.

Sorry for the repeated topic, but I accidentally chose "write answer".

18 REPLIES
Cisco Employee

Cisco Ace load balance port 8091

Hi Fred,

No problem:) 

Regards,

Kanwal

New Member

Cisco Ace load balance port 8091

Hi Kanwal,

"If I have understood you correctly you want that traffic coming to VIP at 443 should be sent back to the server on port 8091, then you should make a slight change in config."

I edited the post; the VIP is on 8091 and so is the server.

Regards,

Fred

Cisco Employee

Cisco Ace load balance port 8091

Hi Fred,

By default the ACE would use the same port on which the incoming connection has come and in your case it would be 8091.

So if a client comes with dst port 8091 and it matches the class map condition then ACE after making load balance decision will forward the packet to rserver on port 8091.

If you want the ACE to send it to a different port than the incoming port, then you need to define the port number for the rserver in the serverfarm.

Regards,

Kanwal

New Member

Cisco Ace load balance port 8091

Yes, I understand.

The problem seems to be in the sticky, because I enter the application via port 8091 without problems, but the ACE does not seem to grab the SSL ID.

Regards,

Fred

I clicked the wrong button again.

Cisco Employee

Cisco Ace load balance port 8091

Hi Fred,

I see that you have layer4-payload sticky, which basically sticks connections on the basis of the payload/data present in TCP or UDP.

ACE uses generic protocol parsing for L4 payload, and I would suggest the following configuration:

parameter-map type generic SSLID_PARAMMAP
  set max-parse-length 76

Associate this parameter map:

policy-map multi-match POL4_HTTPS
  class CLA4_HTTPS
    loadbalance vip inservice
    loadbalance policy POL7_HTTPS
    loadbalance vip icmp-reply active
    appl-parameter generic advanced-options SSLID_PARAMMAP

Also, can you change the following:

layer4-payload offset 43 length 64 begin-pattern "(\x20|\x00\xST)"

Replace 64 with 32 if it is a 32-byte SSL ID:

layer4-payload offset 43 length 32 begin-pattern "(\x20|\x00\xST)"

Let me know how it goes.

Regards,

Kanwal

New Member

Cisco Ace load balance port 8091

Hi Kanwal,

Still the same. I run the show sticky database command and I don't find any session.

Regards,

Fred

Cisco Employee

Cisco Ace load balance port 8091

Hi Fred,

Which version of SSL are you using? Are you sure that the location of the SSL ID is the same place where we have told the ACE to look?

Can you take a pcap on the client and see where the SSL ID string that ACE is looking for is located? That should give us an idea. The configuration looks fine.

Regards,

Kanwal
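An added check for the pcap step Kanwal describes above (this is example code, not from the thread or from Cisco): it builds a constructed TLS ClientHello, shows that the session_id length byte sits at offset 43 (5-byte record header + 4-byte handshake header + 2-byte version + 32-byte random), and models the thread's layer4-payload offset 43 length 32 begin-pattern \x20 match so that a fresh hello with an empty session ID yields no sticky key, which is one way show sticky database can stay empty. The begin-pattern-then-length reading of the ACE command and the helper ace_sticky_key are assumptions.

```python
"""Added example (not from the thread): locate the TLS session ID in a ClientHello
and model the ACE layer4-payload sticky match discussed above.
The ClientHello bytes are constructed here; no real traffic is involved."""
import struct

SESSION_ID_LEN_OFFSET = 5 + 4 + 2 + 32   # record hdr + handshake hdr + version + random = 43


def build_client_hello(session_id: bytes) -> bytes:
    """Constructed TLS 1.0 ClientHello carrying the given session_id (0-32 bytes)."""
    body = (b"\x03\x01"                        # client_version
            + bytes(range(32))                 # 32-byte random (constructed)
            + bytes([len(session_id)]) + session_id
            + b"\x00\x02\x00\x2f"              # cipher_suites: one suite
            + b"\x01\x00")                     # compression_methods: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type, 24-bit length, body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record header


def locate_session_id(payload: bytes):
    """Return (offset_of_length_byte, session_id) for a ClientHello, else None.
    This is the pcap check from the thread: is the ID where 'offset 43' says it is?"""
    off = SESSION_ID_LEN_OFFSET
    if len(payload) <= off or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    sid_len = payload[off]
    if sid_len > 32 or len(payload) < off + 1 + sid_len:
        return None
    return off, payload[off + 1:off + 1 + sid_len]


def ace_sticky_key(payload: bytes, offset: int = 43, length: int = 32, pattern: bytes = b"\x20"):
    """Hypothetical model of 'layer4-payload offset 43 length 32 begin-pattern \\x20':
    skip `offset` bytes, require `pattern` (0x20 = session_id_length 32), then take
    `length` bytes as the sticky key. A hello with an empty session ID gives no key."""
    start = offset + len(pattern)
    if len(payload) < start + length or payload[offset:start] != pattern:
        return None
    return payload[start:start + length]
```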

Cisco Employee

Cisco Ace load balance port 8091

Hi Fred,

Also, do show sticky database layer4-payload v and show sticky database ssl and see if you see something in there.

Regards,

Kanwal

New Member

Cisco Ace load balance port 8091

Hi Kanwal,

The URL for the VIP is https://example.com/login/auth;jsessionid=E9BB3E120CDD87D06BF18A6575A801F2.tc1

I need to use another approach, such as session cookie persistence, but I'm not sure how I'll get the jsessionid. Do I need to do the match in the URL?

Thanks

Fred

New Member

Cisco Ace load balance port 8091

Hi Steven,

I can see the sticky sessions in the database, but users are constantly getting logged out.

Thanks

Fred

Cisco Employee

Cisco Ace load balance port 8091

Hi Fred,

Can you configure a parameter-map with "persistence rebalance" and try again?

Regards,

Kanwal

Cisco Employee

Cisco Ace load balance port 8091

Hi Fred,

Ensure the config is correct. Here's the sample config:

Sticky Based on JSESSIONID Cookie Location

With this example config, clients that connect to the VIP on port 80 (HTTP) will be load balanced to one of the three real servers in the serverfarm. When the server returns the cookie by the name of JSESSIONID in the HTTP header of the response, the ACE will create a sticky entry for this client based on the ten characters of the cookie value found after skipping the first 53 characters. The numbers 53 (offset) and 10 (length) are the most commonly used, although these two numbers may not work in all installations. Therefore research may be required to determine the correct numbers. The portion of the cookie value pointed to using these numbers is a static value that is always the same on a per-server basis.

JSESSIONID Location Cookie Sticky Configuration

Example Config

access-list ANYONE line 10 extended permit ip any any

probe http WWW-PROBE
  request method head url /keepalive.html
  expect status 200 200

rserver host SERVER-01
  ip address 192.168.1.11
  inservice
rserver host SERVER-02
  ip address 192.168.1.12
  inservice
rserver host SERVER-03
  ip address 192.168.1.13
  inservice

serverfarm host WWW-SERVERFARM
  probe WWW-PROBE
  rserver SERVER-01
    inservice
  rserver SERVER-02
    inservice
  rserver SERVER-03
    inservice

sticky http-cookie JSESSIONID JSESSIONID_STICKY
  cookie offset 53 length 10
  timeout 720
  replicate sticky
  serverfarm WWW-SERVERFARM

class-map match-all WWW-VIP
  2 match virtual-address 10.1.1.100 tcp eq www

policy-map type loadbalance first-match WWW-POLICY
  class class-default
    sticky-serverfarm JSESSIONID_STICKY

policy-map multi-match WWW-POLICY
  class WWW-VIP
    loadbalance vip inservice
    loadbalance policy WWW-POLICY
    loadbalance vip icmp-reply active

interface vlan 10
  description Client vlan
  ip address 10.1.1.10 255.255.255.0
  access-group input ANYONE
  service-policy input WWW-POLICY
  no shutdown

interface vlan 20
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.1.1.1

Regards,

Kanwal

New Member

Re: Cisco Ace load balance port 8091

Perfect, the "persistence rebalance" was the missing piece.

Thanks for the help, Kanwal.

Regards,

Fred

Cisco Employee

Cisco Ace load balance port 8091

Hi Fred,

Also, I see that you have the cookie in the URL, so for ACE to read the cookie in the URL you should use the secondary cookie option.

The way this typically works is that the server is configured to insert the same secondary cookie in both the Set-Cookie header and the HTML URI. ACE creates a sticky entry based on the Set-Cookie header of the server response. Then, when the client returns with the same cookie value in the URL query, it is stuck to the same server.

"cookie secondary" is not meant to work independently of regular cookies. It is meant to be a complementary feature for cases where the client has disabled cookies in their browser. The server is still expected to insert a standard Set-Cookie header in the response.

Something like this:

sticky http-cookie jsessionid sticky-cookie
  cookie offset 0 length 42
  cookie secondary jsessionid
  timeout 35
  replicate sticky

You can also define an HTTP parameter map to define the secondary cookie start or URL delimiters.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1475884

Regards,

Kanwal
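An added check (example code, not from the thread or from Cisco) for two points raised above: the sample config's cookie offset 53 length 10 with its warning that those numbers may not fit every installation, and the secondary-cookie case where the JSESSIONID arrives in the URL path as ;jsessionid=. The code extracts the JSESSIONID from a Set-Cookie header and from a URL-rewritten path, slices the value the way a cookie offset/length line would, and shows that for a value of the form seen in the thread (32 hex characters plus a .tc1 suffix) offset 53 lies past the end, while the text after the dot, assumed here to be a per-server route tag, is at offset 33 length 3. The Set-Cookie header and URL are constructed samples.

```python
"""Added example (not from the thread): where does a 'cookie offset N length M'
window land on a JSESSIONID value, and how is the value read from the URL path?"""
import re
from urllib.parse import urlsplit

COOKIE_NAME = "JSESSIONID"

# Constructed samples using the value form seen in the thread: <32 hex>.<server tag>
SET_COOKIE = "JSESSIONID=E9BB3E120CDD87D06BF18A6575A801F2.tc1; Path=/; Secure; HttpOnly"
URL = "https://example.com/login/auth;jsessionid=E9BB3E120CDD87D06BF18A6575A801F2.tc1"


def jsessionid_from_set_cookie(header: str):
    """Value from the server's Set-Cookie header (what ACE sticks on first)."""
    m = re.match(rf"\s*{COOKIE_NAME}=([^;]+)", header, re.IGNORECASE)
    return m.group(1) if m else None


def jsessionid_from_url(url: str):
    """Value from the URL-rewritten path (;jsessionid=...), the secondary-cookie case."""
    m = re.search(rf";{COOKIE_NAME}=([^;/?#]+)", urlsplit(url).path, re.IGNORECASE)
    return m.group(1) if m else None


def cookie_window(value: str, offset: int, length: int) -> str:
    """The slice a 'cookie offset N length M' line would stick on; empty if N is past the end."""
    return value[offset:offset + length]


def route_tag_window(value: str):
    """(offset, length) of the text after the last '.', assumed to be the per-server tag."""
    dot = value.rfind(".")
    if dot < 0 or dot == len(value) - 1:
        return None
    return dot + 1, len(value) - dot - 1
```

The static per-server portion must be located per installation, which is what the offset/length research step in the sample config means.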

New Member

Re: Cisco Ace load balance port 8091

Hi Kanwal,

Unfortunately it is still not okay. When I run show sticky I can see the sessions and users can work, but there are times when all sessions begin to drop for no apparent reason.

This is my parameter configuration:

parameter-map type http PERSIST-REBALANCE
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535
  length-exceed continue

The sticky:

sticky http-cookie JSESSIONID stickyconf
  timeout 10
  replicate sticky
  serverfarm FARM

One note: at this moment all my sessions arrive from the same IP; this could be the problem. The sessions cross a NAT.

Thanks for the support and the patience

Regards,

Fred

Cisco Employee

Cisco Ace load balance

Hi Fred,

Did you try using the secondary cookie configuration as suggested above, since your cookie comes in the URL?

Regarding the NAT, it shouldn't be an issue because ACE is sticking sessions on the basis of the cookie and not the source IP.

Regards,

Kanwal

New Member

Cisco Ace load balance

Fred

Did you allocate resources in the context? See below.

To begin the configuration, allocate sticky resources to the context you will be using. In this example a context “routed” has already been defined. Create a resource class, allocate the desired amount of sticky entries, and apply them to the “routed” context.

ACE-1/Admin# show run | begin routed
context routed
  allocate-interface vlan 10
  allocate-interface vlan 20
  allocate-interface vlan 40

ACE-1/Admin(config)# resource-class sticky
ACE-1/Admin(config-resource)# limit-resource all minimum 0.00 maximum unlimited
ACE-1/Admin(config-resource)# limit-resource sticky minimum 10.00 maximum equal-to-min

ACE-1/Admin(config)# context context name by default, Admin, C001, etc.
ACE-1/Admin(config-context)# member sticky