CSS sticky configuration for clients behind a NAT router
The problem is that CSS is overloading one service/server. 90% of all active client connetions are sent to one single back-end service/server instead of being equally distributed to all three servers.
This is a new CSS11503 (installed 2 months ago).
Our SSL VIP is configured as follows:
vip address x.x.x.14
add service server1
add service server2
add service server3
The vast majority of clients are connecting to this VIP from behind a NAT router (a Cisco overload NAT router), therefore the CSS sees all clients with the same source IP address (normally 200 active concurrent users).
Will our "imbalance" issue be solved by issuing the following configuration command?
Re: CSS sticky configuration for clients behind a NAT router
What do you mean by "you'll lose stickyness with this command"? ...SSL stickiness will no longer work if I configure the "ssl-l4-fallback disable" command?
The option to use the SSL module with cookie stickyness was my initial configuration, however, performance of HTTPS traffic actually degraded (web page load times were slower) when I tried to use the SSL module to off-load the SSL traffic from the web servers. So we're stuck with using SSL sticky for now.
This document will provide screenshots to outline the steps to setup
TACACS+ configuration to ACI and also the configuration required on
Cisco ACS server. Please find the official Cisco guide for configuring
TACACS+ Authentication to ACI:
Is it supported or NOT supported? It's a frequently asked question.
Before APIC, release 2.3(1f), transit routing was not supported within a
single L3Out profile. In APIC, release 2.3(1f) and later, you can
configure transit routing with a single L3Out pr...
Cisco Documents are usually accurate, but when it came to the document
on Cisco APIC Signature-Based Transactions it was slightly off the mark.
This document is for those novices to API like me who cant seem to
figure out how to go about performing signat...