
Server-conn reuse!!!

eng_elshreef
Level 1

We have 4 Bluecoats with an ACE 4710 to load balance them. The ACE is used in bridge mode. We are using URL hashing.

We were facing internet slowness: we were waiting about 15 secs to get a response in the internet browsers when opening any URL, and even the requests were reaching the Bluecoats after 15 secs.

We opened a case with Cisco TAC and the Cisco engineer asked us to add "Server-conn reuse" under the HTTP parameters. This solved the slowness and now the response is very good.

But we got another issue after adding this command. Now, every 3 or 4 URL requests, the browser asks for authentication. We are using single sign-on with the Bluecoats. The authentication prompt even appears within the same website in the same IE page.

As a test we removed the added command "Server-conn reuse" and now the authentication page is not coming, but we are facing the slowness again.

I saw in the forums a command to check the reuse; the output from this command is below:

BC-LB1/BlueCoat# show np 1 me-stats "-socm -v" | i [uU][sS][eE]

Reuse retrieve link update conn invalid           0             0

Reuse retrieve link update conn not on r          0             0

Reuse retrieve success but conn invalid:       1979             0

Reuse retrieve miss:                        7219215             0

Reuse conns retrieved:                     22304174             0


Surya ARBY
Level 4

Version and config of your ACE4710?

Also, when enabling connection reuse, NAT is mandatory and the TCP MSS of your servers and ACE must be the same.

Below are the sh run and sh version:

--------------------------------------

BC-LB1/BlueCoat# show ver

Cisco Application Control Software (ACSW)

TAC support: http://www.cisco.com/tac

Copyright (c) 1985-2011 by Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained herein are owned by

other third parties and are used and distributed under license.

Some parts of this software are covered under the GNU Public

License. A copy of the license is available at

http://www.gnu.org/licenses/gpl.html.

Software

  loader:    Version 0.95.1

  system:    Version A4(2.1a) [build 3.0(0)A4(2.1a) adbuild_21:41:15-2011/07/21_/auto/adbure_nightly4/renumber/rel_a4_2_1_throttle/REL_3_0_0_A4_2_1A]

  system image file: (hd0,1)/c4710ace-t1k9-mz.A4_2_1a.bin

  Device Manager version 4.2 (0) 20110629:0926

  installed license: no feature license is installed

Hardware

  cpu info:

    Motherboard:

        number of cpu(s): 2

    Daughtercard:

        number of cpu(s): 16

  memory info:

    total: 6226372 kB, free: 4391668 kB

    shared: 0 kB, buffers: 20060 kB, cached 0 kB

  cf info:

    filesystem: /dev/hdb2

    total: 861668 kB, used: 550688 kB, available: 267208 kB

last boot reason:  Unknown

configuration register:  0x1

BC-LB1 kernel uptime is 27 days 19 hours 3 minute(s) 14 second(s)

-----------------------------------------------------------------------------------------------------------------

BC-LB1/BlueCoat# sho run

Generating configuration....

logging timestamp

logging trap 5

logging buffered 7

access-list HTTPMontor line 8 extended permit tcp host 193.188.163.194 any eq www

access-list HTTPMontor line 16 extended permit tcp any eq www host 193.188.163.194

access-list ICMP line 5 extended permit icmp any any

access-list ICMP line 10 extended permit ip any any

probe http BC_80

  description *** Probe for WWW health monitoring ***

  port 80

  interval 5

  faildetect 2

  passdetect interval 60

  passdetect count 2

  receive 3

  request method head

  expect status 200 401

  open 1

probe icmp ICMP_PROBE1

  description *** Probe for icmp health monitoring ***

  interval 5

  faildetect 2

  passdetect interval 60

  passdetect count 2

  receive 3

rserver host KOC-BC-1

  ip address 10.100.210.205

  inservice

rserver host KOC-BC-2

  ip address 10.100.210.206

  inservice

rserver host KOC-BC-3

  ip address 10.100.210.207

  inservice

rserver host KOC-BC-4

  ip address 10.100.210.208

  inservice

serverfarm host BC_SF

  description * BlueCoat server farm

  predictor hash header Host

  probe ICMP_PROBE1

  rserver KOC-BC-1

    inservice

  rserver KOC-BC-2

    inservice

  rserver KOC-BC-3

    inservice

  rserver KOC-BC-4

    inservice

serverfarm host BC_SF_none_http

  probe ICMP_PROBE1

  rserver KOC-BC-1

    inservice

  rserver KOC-BC-2

    inservice

  rserver KOC-BC-3

    inservice

  rserver KOC-BC-4

    inservice

serverfarm host TOPHITsFarm

  rserver KOC-BC-4

    inservice

parameter-map type http pm_http

  case-insensitive

  persistence-rebalance

  set header-maxparse-length 8192

  length-exceed continue

  parsing non-strict

sticky ip-netmask 255.255.255.0 address source IPSourceSticky

  timeout 480

  timeout activeconns

  serverfarm BC_SF

sticky ip-netmask 255.255.255.0 address source IPSourceSticky_none_http

  timeout 480

  replicate sticky

  serverfarm BC_SF_none_http

class-map match-all BC_VIP

  2 match virtual-address 10.100.210.209 tcp eq www

class-map match-all BC_VIP8080

  2 match virtual-address 10.100.210.209 tcp eq 8080

class-map match-all BC_VIPftp20

  2 match virtual-address 10.100.210.209 tcp eq ftp-data

class-map match-all BC_VIPftp21

  2 match virtual-address 10.100.210.209 tcp eq ftp

class-map match-all BC_VIPhttps

  2 match virtual-address 10.100.210.209 tcp eq https

class-map type http loadbalance match-any Class-All

  2 match source-address 0.0.0.0 0.0.0.0

class-map type http loadbalance match-any NBK

  2 match http url /WOLWebUI/*

class-map type http loadbalance match-any TOPHITS

  10 match http header Host header-value ".*youtube.com"

  20 match http header Host header-value ".*athenaonline.com"

class-map type management match-any mgmt-cm

  2 match protocol http source-address 193.188.163.194 255.255.255.255

  3 match protocol icmp source-address 193.188.163.194 255.255.255.255

  4 match protocol https source-address 193.188.163.194 255.255.255.255

  5 match protocol ssh source-address 193.188.163.194 255.255.255.255

  6 match protocol telnet source-address 193.188.163.194 255.255.255.255

  7 match protocol http source-address 193.188.163.193 255.255.255.255

  8 match protocol https source-address 193.188.163.193 255.255.255.255

  9 match protocol icmp source-address 193.188.163.193 255.255.255.255

  10 match protocol ssh source-address 193.188.163.193 255.255.255.255

  11 match protocol telnet source-address 193.188.163.193 255.255.255.255

  12 match protocol snmp source-address 10.1.206.20 255.255.255.255

policy-map type management first-match mgmt-pm

  class mgmt-cm

    permit

policy-map type loadbalance first-match BC_VIP-l7slb

  class class-default

    serverfarm BC_SF

policy-map type loadbalance first-match BC_VIP8080-l7slb

  class class-default

    serverfarm BC_SF

policy-map type loadbalance first-match BC_VIPftp20-l7slb

  class class-default

    sticky-serverfarm IPSourceSticky

policy-map type loadbalance first-match BC_VIPftp21-l7slb

  class class-default

    serverfarm BC_SF_none_http

policy-map type loadbalance first-match BC_VIPhttps-l7slb

  class class-default

    sticky-serverfarm IPSourceSticky_none_http

policy-map multi-match int209

  class BC_VIP

    loadbalance vip inservice

    loadbalance policy BC_VIP-l7slb

    loadbalance vip icmp-reply active

    appl-parameter http advanced-options pm_http

  class BC_VIPhttps

    loadbalance vip inservice

    loadbalance policy BC_VIPhttps-l7slb

    loadbalance vip icmp-reply active

  class BC_VIPftp21

    loadbalance vip inservice

    loadbalance policy BC_VIPftp21-l7slb

    loadbalance vip icmp-reply active

    inspect ftp

  class BC_VIP8080

    loadbalance vip inservice

    loadbalance policy BC_VIP-l7slb

    loadbalance vip icmp-reply active

    appl-parameter http advanced-options pm_http

interface vlan 210

  description " Web client side"

  bridge-group 125

  mac-sticky enable

  access-group input ICMP

  access-group output ICMP

  service-policy input mgmt-pm

  service-policy input int209

  no shutdown

interface vlan 211

  description "BC server side"

  bridge-group 125

  mac-sticky enable

  access-group input ICMP

  access-group output ICMP

  no shutdown

interface bvi 125

  ip address 10.100.210.214 255.255.255.0

  alias 10.100.210.15 255.255.255.0

  peer ip address 10.100.210.216 255.255.255.0

  no shutdown

ip route 0.0.0.0 0.0.0.0 10.100.210.1

Can you take a network trace with Wireshark and a SPAN session?

We did yesterday, but the file size is 3 Giga.

Can you use a filter within the ACL for the SPAN session to check the traffic on 1 Bluecoat only?

While I am trying to sniff the packets again, what do you expect the problem to be?

I do not understand well how the TCP request is handled with server-conn reuse.

With connection reuse the ACE acts as a TCP proxy. Without it, it doesn't.

Maybe there are a lot of TCP transmission errors, this may be the cause of the slowness.

So how can I check if I have errors due to connection reuse?
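Added example, not part of the thread and not Cisco tooling: one way to follow the reuse counters from the `show np 1 me-stats` output quoted in the first post is to capture it twice and compare the growth over the interval. The counter names come from that output; using the first numeric column, reading "Reuse conns retrieved" as hits and "Reuse retrieve miss" as misses, and the values of the second snapshot are assumptions made for illustration.

```python
import re

# First snapshot: the counter lines quoted in the original post.
SNAP_1 = """\
Reuse retrieve link update conn invalid           0             0
Reuse retrieve link update conn not on r          0             0
Reuse retrieve success but conn invalid:       1979             0
Reuse retrieve miss:                        7219215             0
Reuse conns retrieved:                     22304174             0
"""
# Second snapshot: constructed values standing in for a later capture.
SNAP_2 = SNAP_1.replace("1979", "1990").replace("7219215", "7220215").replace("22304174", "22308174")

# Counter name, optional colon, then the two numeric columns.
LINE = re.compile(r"^\s*(Reuse .*?):?\s+(\d+)\s+(\d+)\s*$")

def parse_reuse_counters(text):
    """Map counter name -> first-column value (assumption: that is the column of interest)."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def delta(before, after):
    """Counter growth between two captures; a decrease means the counters were reset."""
    out = {}
    for name, value in after.items():
        diff = value - before.get(name, 0)
        if diff < 0:
            raise ValueError(f"counter {name!r} decreased between captures")
        out[name] = diff
    return out

def summarize(c):
    """Assumption: 'conns retrieved' are reuse hits and 'retrieve miss' are misses."""
    hits = c.get("Reuse conns retrieved", 0)
    miss = c.get("Reuse retrieve miss", 0)
    invalid = c.get("Reuse retrieve success but conn invalid", 0)
    lookups = hits + miss
    return {"lookups": lookups,
            "miss_ratio": miss / lookups if lookups else 0.0,
            "invalid_per_million_hits": 1e6 * invalid / hits if hits else 0.0}

if __name__ == "__main__":
    first, second = parse_reuse_counters(SNAP_1), parse_reuse_counters(SNAP_2)
    print("cumulative:", summarize(first))
    print("interval:  ", summarize(delta(first, second)))
```

Comparing the interval figures with server-conn reuse enabled against the times when the authentication prompts appear shows whether the "success but conn invalid" counter grows together with them.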
