07-15-2011 03:48 PM
With Olivier Hynderick
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on how to configure and troubleshoot session persistence (stickiness) on ACE with regards to specific protocols with Cisco expert Olivier Hynderick. Olivier has been working for the Cisco Technical Assistance Center for four years. He focuses on the Cisco Application Control Engine (ACE), Cisco Security Manager, and Cisco Wide Area Application Services and related technologies. He initially joined the Security team focusing on the Cisco ASA firewall and VPN on Cisco IOS applications before getting involved in the support of the Cisco ACE load balancer.
Remember to use the rating system to let Olivier know if you have received an adequate response.
Olivier might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Application Networking discussion forum shortly after the event. This event lasts through July 29, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
07-18-2011 12:11 AM
Hello,
I have a cluster of ACE4710 and I use cookies for stickiness.
My question is the following:
I have a farm with server01 and server02. When server01 goes down but the client has already received a cookie for server01, will ACE clear the cookie and send the client a cookie for server02? And are there any special commands to do this?
here is what I have
sticky http-cookie ACE_COOKIE_mobile ebanking_mobile_sticky
cookie insert
replicate sticky
serverfarm SF_Ebanking_Mobile
static cookie-value "server01" rserver RS_IAS_1
static cookie-value "server02" rserver RS_IAS_2
thanks,
george
07-18-2011 02:28 AM
Hello George,
In case ACE receives a request containing a cookie value but the corresponding server in the sticky database is down, ACE should load balance the new request to one of the available servers, ignoring the cookie.
To illustrate this, see below a quick test that I did in my lab:
sticky http-cookie ACE_COOKIE_mobile ebanking_mobile_sticky
cookie insert
replicate sticky
serverfarm sf1
ACE/ctx# sh sticky cookie-insert group ebanking_mobile_sticky
Cookie | HashKey | rserver-instance
------------+----------------------+----------------------------------------+
R4072271931 | 15598686253581426628 | sf1/server1:0
R4072273020 | 6532832188001237582 | sf1/server2:0
GET / HTTP/1.1
Host: 10.10.170.13
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Cookie: ACE_COOKIE_mobile=R4072273020 --> cookie value corresponding to server2
HTTP/1.1 200 OK
Set-Cookie: ACE_COOKIE_mobile=R4072271931; path=/; expires=Tue, 19-Jul-2011 09:22:39 GMT --> server2 is down, so request went to server1 and corresponding cookie was inserted.
...
Small remark: you shouldn't configure both "cookie insert" and a static value for a server. What would you like to achieve?
Thanks,
Olivier
07-18-2011 03:15 AM
I thought I needed to use both. Can you explain the difference, please?
If I use only "cookie insert", it creates the cookies for me, and if I use static, I name the cookies as I like?
07-18-2011 07:22 AM
Hi again George,
With cookie insertion, ACE generates a cookie value based on the serverfarm and the real server name. This value is permanent and inserted in each server response.
With static values, ACE forwards requests containing cookies according to the static command. This is very similar to cookie insertion, except that ACE no longer inserts cookies...
On ACE 20 (module), you can't combine cookie insertion with static values. The static command will be ignored. On the other hand, you have this possibility on the ACE appliance as of A3(2.2) and on the ACE30.
--Olivier
07-22-2011 07:19 PM
Hi
Is there software for Mac?
Linksys Wireless-G PTZ Internet Camera with Audio - WVC210
Thanks
07-26-2011 09:54 AM
Hi, is there a list of useful commands for troubleshooting cookie-insert on the ACE?
I will try to get some output, but we have in the past had issues on our ACE modules and cookie insert, so we have resorted to IP based stickiness, but we are finding that we really need to move to the cookie-insert style of stickiness.
Thanks in advance,
Cheers,
Rob
07-28-2011 12:02 AM
Hi Rob,
When troubleshooting cookie-insertion issues, the best approach is to look at a network capture. With cookie insertion, ACE should insert the header field below in the server responses.
Set-Cookie:
You will see the counter below being incremented.
ACE/ctx# sh stats http | in "Headers inserted"
Headers inserted : 38
Do you then see the client adding the corresponding cookie in subsequent http requests?
Typical errors with cookie insertion are:
- The clock on ACE is incorrect, causing ACE to insert "Set-Cookie" with a date set in the past. The client will then ignore the cookie.
- ACE failed to parse a client request because it is not RFC compliant. The connection is then dropped to L4 and the "Static parse errors" counter is incremented.
ACE/ctx# sh stats http | in Static
Static parse errors : 7 , Resource errors : 0
- ACE failed to parse a client request because the header is too big. You have the "Max parselen errors" counter for this.
ACE/ctx# sh stats http | in Max
Header insert errors : 0 , Max parselen errors : 0
Let me know if you need more info.
Olivier
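The two exchanges discussed above (the failover reply to George's question, where the client offers server2's cookie and ACE answers with server1's, and the capture-based troubleshooting list in this reply) can be checked offline. The script below is an added example written for this thread, not Cisco ACE code: it replays constructed request/response pairs shaped like the capture quoted earlier and reports the failure modes Olivier lists. The cookie-value-to-rserver table is transcribed from the "sh sticky database static" output in the thread and the timestamps are constructed; on a real box you would paste your own output and capture.

```python
"""Offline checks for ACE-style cookie-insert stickiness (added example).

Not Cisco ACE code. Replays constructed HTTP request/response pairs and
flags: no Set-Cookie inserted, an Expires attribute already in the past
(wrong clock on ACE, so the browser discards the cookie), and a rebalance,
where the cookie the client offered maps to a different real server than
the one ACE inserted (the sticky target was down).
"""
from datetime import datetime, timezone

COOKIE_NAME = "ACE_COOKIE_mobile"  # sticky cookie name used in the thread

# Assumed mapping, transcribed from the "sh sticky database static" output
# quoted in the thread: cookie value -> rserver instance.
STICKY_DB = {
    "R4072271931": "server1:0",
    "R4072273020": "server2:0",
}


def parse_message(raw):
    """Split a raw HTTP message into (start line, [(name, value), ...])."""
    lines = raw.splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def client_cookie(request, name=COOKIE_NAME):
    """Value of cookie `name` in the request's Cookie header, or None."""
    _, headers = parse_message(request)
    for hdr, val in headers:
        if hdr == "cookie":
            for part in val.split(";"):
                key, _, value = part.strip().partition("=")
                if key == name:
                    return value
    return None


def inserted_cookie(response, name=COOKIE_NAME):
    """(value, {attribute: value}) of the Set-Cookie for `name`, or None."""
    _, headers = parse_message(response)
    for hdr, val in headers:
        if hdr != "set-cookie":
            continue
        parts = [p.strip() for p in val.split(";")]
        key, _, value = parts[0].partition("=")
        if key != name:
            continue
        attrs = {}
        for attr in parts[1:]:
            akey, _, aval = attr.partition("=")
            attrs[akey.strip().lower()] = aval.strip()
        return value, attrs
    return None


def parse_expires(text):
    """Parse an Expires attribute (Netscape or RFC 1123 form) as UTC."""
    for fmt in ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised Expires format: %r" % text)


def check_exchange(request, response, now, sticky_db=STICKY_DB):
    """Return the findings for one request/response pair, in order."""
    findings = []
    sent = client_cookie(request)
    got = inserted_cookie(response)
    if got is None:
        # Cookie insertion adds Set-Cookie to each parsed server response;
        # its absence means the reply was not parsed or nothing was inserted.
        findings.append("no-insert")
        return findings
    value, attrs = got
    if "expires" in attrs and parse_expires(attrs["expires"]) <= now:
        findings.append("expires-in-past")  # browser will drop this cookie
    if sent is None:
        findings.append("inserted:%s" % sticky_db.get(value, "?"))
    elif sent != value:
        # Client offered one server's cookie, ACE answered with another's.
        findings.append("rebalanced:%s->%s"
                        % (sticky_db.get(sent, "?"), sticky_db.get(value, "?")))
    else:
        findings.append("sticky-ok:%s" % sticky_db.get(value, "?"))
    return findings


# Constructed samples (not a real capture). NOW is the reference clock for the
# Expires check; the first pair mirrors the failover exchange quoted above.
NOW = datetime(2011, 7, 18, 9, 22, 39, tzinfo=timezone.utc)
REQ_SERVER2 = ("GET / HTTP/1.1\r\nHost: 10.10.170.13\r\n"
               "Cookie: ACE_COOKIE_mobile=R4072273020\r\n\r\n")
RESP_FAILOVER = ("HTTP/1.1 200 OK\r\nSet-Cookie: ACE_COOKIE_mobile=R4072271931; "
                 "path=/; expires=Tue, 19-Jul-2011 09:22:39 GMT\r\n\r\n")
RESP_BAD_CLOCK = ("HTTP/1.1 200 OK\r\nSet-Cookie: ACE_COOKIE_mobile=R4072271931; "
                  "path=/; expires=Sun, 17-Jul-2011 09:22:39 GMT\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("failover", RESP_FAILOVER), ("bad clock", RESP_BAD_CLOCK)):
        print(label, check_exchange(REQ_SERVER2, resp, NOW))
```

Feed it request/response pairs pulled from a capture on the client side of the VIP, with `now` taken from the capture timestamps rather than the ACE clock; a run of "no-insert" on first visits points at the parse-error counters above, "expires-in-past" at the chassis clock, and "rebalanced" at a real server going down between requests.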
07-28-2011 06:29 AM
HI Olivier,
Thanks for the tips. At the moment our clock on the ACE module is about 1 hour out, as it's in UTC, while all the clients are on BST.
The Cat6k that we have the ACE modules in is on the correct time (BST). I thought the ACE clock comes from the Cat6k, so they should be the same?
Is there a way to explicitly set the ACE module clock? Having a quick look, I can't find any clock/NTP commands in config t.
Also some output below: when we go via our VIP, I do not see any sticky entries for my client's IP or in the sticky database group while there are active sessions. Is this normal?
ACE01/DMZ-VRF# sh service-policy TEST_VIP detail
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 849
service-policy: TEST_VIP
class: TEST_7777
nat:
nat dynamic 102 vlan 849
curr conns : 1 , hit count : 28
dropped conns : 0
client pkt count : 880 , client byte count: 222069
server pkt count : 1062 , server byte count: 890955
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
172.31.XXX.XXX tcp eq 7777
loadbalance:
L7 loadbalance policy: STICKY_COOKIE
VIP Route Metric : 10
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
curr conns : 1 , hit count : 115
dropped conns : 0
client pkt count : 2783 , client byte count: 720269
server pkt count : 3163 , server byte count: 2530541
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : STICKY_COOKIE
class/match : class-default
LB action :
sticky group: websphere-sticky-cookie
primary serverfarm: TEST_SFARM
state: UP
backup serverfarm : -
hit count : 983
dropped conns : 9
ACE01/DMZ-VRF# sh sticky database type http-cookie
ACE01/DMZ-VRF# sh sticky database client 172.16.15.7
FYI, we are running a fairly old version of the ACE code, but I'm assuming that this feature has been OK for quite a while, with the sticky cookie insert?
disk0:c6ace-t1k9-mz.A2_1_2.bin
Cheers,
Rob
07-28-2011 10:46 AM
Rob,
ACE can indeed sync with the clock of the chassis if the chassis is configured with "clock calendar-valid". Although be aware that ACE and the chassis can be configured to be in different time zones…
You can't explicitly set the clock on an ACE module. Like you said, it needs to synchronize with the chassis ;-).
With cookie insertion, ACE statically assigns a cookie to each server. The database doesn't actually contain any information related to the client. This is why "sh sticky database client" doesn't return anything. You have to look at "sh sticky database static".
sticky http-cookie my_cookie cookie1
cookie insert
serverfarm sf1
policy-map type loadbalance first-match lb_policy
class class-default
sticky-serverfarm cookie1
ACE/ctx# sh sticky database static
sticky group : cookie1
type : HTTP-COOKIE
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+--------------------------------+--------------+-------+
R4072271931 server1:0 never -
sticky group : cookie1
type : HTTP-COOKIE
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+--------------------------------+--------------+-------+
R4072273020 server2:0 never -
If you believe ACE doesn't stick the client connections as it should, you may try to see if configuring "persistence rebalance" helps.
Thanks,
Olivier
07-29-2011 09:26 AM
Thanks for that tip. It looks like my clocks are synced, so I will have another go at this next week.
FYI, the link you sent:
It doesn't work for me; I get a "Forbidden File or Application". Are you able to provide another link?
Cheers,
Rob
07-29-2011 09:48 AM
I think I've found the link. Is it this one you're talking about?
07-27-2011 09:20 AM
Hey Olivier,
Have you ever seen any issues with session persistence and load balancing RADIUS and TACACS? We are trying to put some Cisco ACS servers behind our ACE20, but we're not sure if session persistence would be required.
I know that the ACE supports class maps for RADIUS and TACACS.
Thanks,
Bryan
07-28-2011 12:34 AM
Hello Bryan,
What kind of issues are you facing?
A common problem with RADIUS load balancing is that the clients often use a very limited number of UDP connections to send requests to the AAA servers. Usually those connections never time out, as clients keep reusing them. This can lead to unfair load balancing.
By configuring RADIUS stickiness, we force the ACE to load balance each RADIUS request individually. So yes, it is good practice to have it! See below a config example with RADIUS stickiness.
A RADIUS class map is something else. You may for instance want to send requests with some particular RADIUS attribute value (e.g. calling station ID, …) to a specific serverfarm. I am not sure you need this.
Finally, make sure that your context is not running out of sticky resources; otherwise ACE will start reusing existing sticky entries. You can monitor this with the following command:
ACE/ctx# sh stats sticky
+------------------------------------------+
+----------- Sticky statistics ------------+
+------------------------------------------+
Total sticky entries reused : 3464 <<<<
prior to expiry
Total active sticky entries : 2
Total active reverse sticky : 0
entries
Total active sticky conns : 0
Total static sticky entries : 2
Regards,
Olivier
07-28-2011 12:50 PM
Hello.
Is there any real use case for persistence based on SSL session ID?
It used to be used in the past (let's say, maybe, 10 years ago), but since we discovered issues with some old IE versions restarting the SSL session negotiation every 2 minutes, it was not used anymore, replaced by cookie insertion when possible or source-IP-based persistence.
I've always wondered why all vendors still provide this feature, which seems to be useless (SSL sessions should not be related to the application sessions according to the OSI model).
Any clue?
Other question: I usually set cookie insertion with a timeout of 0 (cookie only available until the browser is closed) for web-based (browser-based) applications. Have you ever seen any case where the cookie insert method doesn't work and you had to use cookie learning or other stuff like that? Or a timeout different from 0?
Is there any official guide of best practices (even outside Cisco's authorized material) available? The only book I've found is the one published by Cisco Press (written by Maurizio Portolani), and it's old.
Thanks in advance.