11-19-2011 09:27 PM
We have 4 Bluecoats with an ACE 4710 to load balance. The ACE is used in bridge mode. We are using URL hashing.
We were facing internet slowness: we were waiting about 15 secs to get responses in the internet browsers when opening any URL, and even the requests were reaching the Bluecoats after 15 secs.
We opened a Cisco TAC case and the Cisco engineer asked us to add "Server-conn reuse" under the HTTP parameters. This solved the slowness and now the response is very good.
But we got another issue after adding this command. Now every 3 or 4 URL requests, the browser asks for authentication. We are using single sign-on with the Bluecoats. The authentication prompt even appears within the same website in the same IE page.
As a test we removed the added command "Server-conn reuse" and now the authentication page is not coming, but we are facing the slowness again.
I saw in the forums a command to check the reuse; the output from this command is below.
BC-LB1/BlueCoat# show np 1 me-stats "-socm -v" | i [uU][sS][eE]
Reuse retrieve link update conn invalid 0 0
Reuse retrieve link update conn not on r 0 0
Reuse retrieve success but conn invalid: 1979 0
Reuse retrieve miss: 7219215 0
Reuse conns retrieved: 22304174 0
11-20-2011 02:10 AM
Version and config of your ACE4710 ?
Also when enabling connection reuse NAT is mandatory and the TCP MSS of your servers and ACE must be the same.
11-20-2011 10:57 PM
Below are the sh run and sh version outputs.
--------------------------------------
BC-LB1/BlueCoat# show ver
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2011 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95.1
system: Version A4(2.1a) [build 3.0(0)A4(2.1a) adbuild_21:41:15-2011/07/21_/auto/adbure_nightly4/renumber/rel_a4_2_1_throttle/R
EL_3_0_0_A4_2_1A]
system image file: (hd0,1)/c4710ace-t1k9-mz.A4_2_1a.bin
Device Manager version 4.2 (0) 20110629:0926
installed license: no feature license is installed
Hardware
cpu info:
Motherboard:
number of cpu(s): 2
Daughtercard:
number of cpu(s): 16
memory info:
total: 6226372 kB, free: 4391668 kB
shared: 0 kB, buffers: 20060 kB, cached 0 kB
cf info:
filesystem: /dev/hdb2
total: 861668 kB, used: 550688 kB, available: 267208 kB
last boot reason: Unknown
configuration register: 0x1
BC-LB1 kernel uptime is 27 days 19 hours 3 minute(s) 14 second(s)
-----------------------------------------------------------------------------------------------------------------
BC-LB1/BlueCoat# sho run
Generating configuration....
logging timestamp
logging trap 5
logging buffered 7
access-list HTTPMontor line 8 extended permit tcp host 193.188.163.194 any eq www
access-list HTTPMontor line 16 extended permit tcp any eq www host 193.188.163.194
access-list ICMP line 5 extended permit icmp any any
access-list ICMP line 10 extended permit ip any any
probe http BC_80
description *** Probe for WWW health monitoring ***
port 80
interval 5
faildetect 2
passdetect interval 60
passdetect count 2
receive 3
request method head
expect status 200 401
open 1
probe icmp ICMP_PROBE1
description *** Probe for icmp health monitoring ***
interval 5
faildetect 2
passdetect interval 60
passdetect count 2
receive 3
rserver host KOC-BC-1
ip address 10.100.210.205
inservice
rserver host KOC-BC-2
ip address 10.100.210.206
inservice
rserver host KOC-BC-3
ip address 10.100.210.207
inservice
rserver host KOC-BC-4
ip address 10.100.210.208
inservice
serverfarm host BC_SF
description * BlueCoat server farm
predictor hash header Host
probe ICMP_PROBE1
rserver KOC-BC-1
inservice
rserver KOC-BC-2
inservice
rserver KOC-BC-3
inservice
rserver KOC-BC-4
inservice
serverfarm host BC_SF_none_http
probe ICMP_PROBE1
rserver KOC-BC-1
inservice
rserver KOC-BC-2
inservice
rserver KOC-BC-3
inservice
rserver KOC-BC-4
inservice
serverfarm host TOPHITsFarm
rserver KOC-BC-4
inservice
parameter-map type http pm_http
case-insensitive
persistence-rebalance
set header-maxparse-length 8192
length-exceed continue
parsing non-strict
sticky ip-netmask 255.255.255.0 address source IPSourceSticky
timeout 480
timeout activeconns
serverfarm BC_SF
sticky ip-netmask 255.255.255.0 address source IPSourceSticky_none_http
timeout 480
replicate sticky
serverfarm BC_SF_none_http
class-map match-all BC_VIP
2 match virtual-address 10.100.210.209 tcp eq www
class-map match-all BC_VIP8080
2 match virtual-address 10.100.210.209 tcp eq 8080
class-map match-all BC_VIPftp20
2 match virtual-address 10.100.210.209 tcp eq ftp-data
class-map match-all BC_VIPftp21
2 match virtual-address 10.100.210.209 tcp eq ftp
class-map match-all BC_VIPhttps
2 match virtual-address 10.100.210.209 tcp eq https
class-map type http loadbalance match-any Class-All
2 match source-address 0.0.0.0 0.0.0.0
class-map type http loadbalance match-any NBK
2 match http url /WOLWebUI/*
class-map type http loadbalance match-any TOPHITS
10 match http header Host header-value ".*youtube.com"
20 match http header Host header-value ".*athenaonline.com"
class-map type management match-any mgmt-cm
2 match protocol http source-address 193.188.163.194 255.255.255.255
3 match protocol icmp source-address 193.188.163.194 255.255.255.255
4 match protocol https source-address 193.188.163.194 255.255.255.255
5 match protocol ssh source-address 193.188.163.194 255.255.255.255
6 match protocol telnet source-address 193.188.163.194 255.255.255.255
7 match protocol http source-address 193.188.163.193 255.255.255.255
8 match protocol https source-address 193.188.163.193 255.255.255.255
9 match protocol icmp source-address 193.188.163.193 255.255.255.255
10 match protocol ssh source-address 193.188.163.193 255.255.255.255
11 match protocol telnet source-address 193.188.163.193 255.255.255.255
12 match protocol snmp source-address 10.1.206.20 255.255.255.255
policy-map type management first-match mgmt-pm
class mgmt-cm
permit
policy-map type loadbalance first-match BC_VIP-l7slb
class class-default
serverfarm BC_SF
policy-map type loadbalance first-match BC_VIP8080-l7slb
class class-default
serverfarm BC_SF
policy-map type loadbalance first-match BC_VIPftp20-l7slb
class class-default
sticky-serverfarm IPSourceSticky
policy-map type loadbalance first-match BC_VIPftp21-l7slb
class class-default
serverfarm BC_SF_none_http
policy-map type loadbalance first-match BC_VIPhttps-l7slb
class class-default
sticky-serverfarm IPSourceSticky_none_http
policy-map multi-match int209
class BC_VIP
loadbalance vip inservice
loadbalance policy BC_VIP-l7slb
loadbalance vip icmp-reply active
appl-parameter http advanced-options pm_http
class BC_VIPhttps
loadbalance vip inservice
loadbalance policy BC_VIPhttps-l7slb
loadbalance vip icmp-reply active
class BC_VIPftp21
loadbalance vip inservice
loadbalance policy BC_VIPftp21-l7slb
loadbalance vip icmp-reply active
inspect ftp
class BC_VIP8080
loadbalance vip inservice
loadbalance policy BC_VIP-l7slb
loadbalance vip icmp-reply active
appl-parameter http advanced-options pm_http
interface vlan 210
description " Web client side"
bridge-group 125
mac-sticky enable
access-group input ICMP
access-group output ICMP
service-policy input mgmt-pm
service-policy input int209
no shutdown
interface vlan 211
description "BC server side"
bridge-group 125
mac-sticky enable
access-group input ICMP
access-group output ICMP
no shutdown
interface bvi 125
ip address 10.100.210.214 255.255.255.0
alias 10.100.210.15 255.255.255.0
peer ip address 10.100.210.216 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.100.210.1
11-20-2011 11:38 PM
Can you take a network trace with Wireshark and a SPAN session?
11-21-2011 12:10 AM
We did yesterday but the file size is 3 Giga
11-21-2011 12:32 AM
Can you use a filter within the ACL for the SPAN session to check the traffic on 1 Bluecoat only?
11-21-2011 01:01 AM
While I am trying to sniff the packets again, what do you expect to be the problem?
I do not understand well how the TCP request is handled with server-conn reuse.
11-21-2011 03:23 AM
With connection reuse the ACE acts as a TCP proxy. Without it, it doesn't.
Maybe there are a lot of TCP transmission errors, this may be the cause of the slowness.
11-21-2011 03:45 AM
So how can I check if I have errors due to connection reuse?
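One way to turn the `show np 1 me-stats` reuse counters posted earlier in the thread into figures that can be compared between two snapshots. This is an added example, not part of any post in the thread; reading each counter literally from its label and using only the first numeric column are assumptions.

```python
import re

# Counter lines copied from the first post in this thread.
SAMPLE = """\
Reuse retrieve link update conn invalid 0 0
Reuse retrieve link update conn not on r 0 0
Reuse retrieve success but conn invalid: 1979 0
Reuse retrieve miss: 7219215 0
Reuse conns retrieved: 22304174 0
"""

# Label (optionally ending in ':') followed by two integer columns.
LINE = re.compile(r"^(?P<label>Reuse .*?):?\s+(?P<a>\d+)\s+(?P<b>\d+)\s*$")

def parse_reuse_counters(text):
    """Return {label: (col1, col2)} for every 'Reuse ...' counter line."""
    counters = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            counters[m["label"].strip()] = (int(m["a"]), int(m["b"]))
    return counters

def reuse_summary(counters):
    """Summarise the first column; counter meanings are taken from the labels (assumption)."""
    first = lambda name: counters.get(name, (0, 0))[0]
    retrieved = first("Reuse conns retrieved")
    miss = first("Reuse retrieve miss")
    invalid = sum(v[0] for k, v in counters.items() if "invalid" in k)
    attempts = retrieved + miss
    return {
        "attempts": attempts,
        "hit_ratio": retrieved / attempts if attempts else 0.0,
        "invalid": invalid,
        "invalid_per_million": 1e6 * invalid / retrieved if retrieved else 0.0,
    }

def delta(before, after):
    """Per-counter growth between two snapshots; a counter that went
    backwards is treated as reset and its new value is used."""
    out = {}
    for label, (a1, _) in after.items():
        a0 = before.get(label, (0, 0))[0]
        out[label] = a1 - a0 if a1 >= a0 else a1
    return out

if __name__ == "__main__":
    print(reuse_summary(parse_reuse_counters(SAMPLE)))
```

The counters are cumulative, so taking one snapshot before and one after a test window and passing both to `delta` shows whether the "invalid" counters grow while the authentication prompts are being reproduced.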