Cisco Ace load balance

frede_frede
Beginner

Hi,

I need to balance HTTPS on port 8091. I already made this configuration on port 443 and it works, but with port 8091 the sessions are broken and the users constantly have to log in again.

probe tcp KPalive_server_8091
  port 8091
  interval 10
  faildetect 2
  passdetect interval 10
  passdetect count 2
  open 1

rserver host server01
  ip address 192.168.32.128
  inservice

rserver host server02
  ip address 192.168.32.129
  inservice

serverfarm host SRVfarm_server
  probe KPalive_server_8091
  rserver server01
    inservice
  rserver server02
    inservice

sticky layer4-payload server_HTTPS
  serverfarm SRVfarm_server
  response sticky
  layer4-payload offset 43 length 64 begin-pattern "(\x20|\x00\xST)"

class-map match-all CLA4_HTTPS
  2 match virtual-address 192.168.30.60 tcp eq 8091

policy-map type loadbalance generic first-match POL7_HTTPS
  class class-default
    sticky-serverfarm server_HTTPS

policy-map multi-match POL4_HTTPS
  class CLA4_HTTPS
    loadbalance vip inservice
    loadbalance policy POL7_HTTPS
    loadbalance vip icmp-reply active

Thanks,

Fred

P.S.

Sorry for the repeated topic, but I accidentally chose "write answer".


18 Replies

Kanwaljeet Singh
Cisco Employee

Hi Fred,

No problem :)

Regards,

Kanwal

Hi Kanwal,

"If I have understood you correctly you want that traffic coming to the VIP at 443 should be sent back to the server on port 8091, then you should make a slight change in config."

I edited the post; the VIP is on 8091 and so is the server.

Regards,

Fred

Hi Fred,

By default the ACE uses the same port on which the incoming connection arrived, and in your case that would be 8091.

So if a client comes with dst port 8091 and it matches the class-map condition, then the ACE, after making the load-balance decision, will forward the packet to the rserver on port 8091.

If you want the ACE to send it to a different port than the incoming port, then you need to define the port number for the rserver in the serverfarm.

Regards,

Kanwal

Yes, I understand.

The problem seems to be in the sticky because I enter in the application via port 8091 without problems, but the ACE does not seem to grab the SSL ID.

Regards,

Fred

I clicked the wrong button again.

Hi Fred,

I see that you have Layer 4 payload sticky, which basically sticks the connections on the basis of the payload/data present in TCP or UDP.

ACE uses generic protocol parsing for L4 payload, and I would suggest the following configuration:

parameter-map type generic SSLID_PARAMMAP
  set max-parse-length 76

Associate this parameter map:

policy-map multi-match POL4_HTTPS
  class CLA4_HTTPS
    loadbalance vip inservice
    loadbalance policy POL7_HTTPS
    loadbalance vip icmp-reply active
    appl-parameter generic advanced-options SSLID_PARAMMAP

Also, can you change the following:

layer4-payload offset 43 length 64 begin-pattern "(\x20|\x00\xST)"

Replace 64 with 32 if it is a 32-byte SSL ID:

layer4-payload offset 43 length 32 begin-pattern "(\x20|\x00\xST)"

Let me know how it goes.

Regards,

Kanwal

Hi Kanwal,

Still the same. I ran the show sticky database command and I don't find any session.

Regards,

Fred

Hi Fred,

Which version of SSL are you using? Are you sure that the location of the SSL ID is at the same place where we have told the ACE to look?

Can you take a pcap on client and see what is the location of SSLID string that ACE is looking for in there? That should give us an idea. Configuration looks fine.

Regards,

Kanwal
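The pcap check asked for above can be scripted. The Python below is an added example, not from the thread or from Cisco: it constructs a minimal TLS 1.0 ClientHello and reads the session ID at the position the sticky rule targets, where byte 43 is the session ID length (0x20 for a 32-byte ID) and the ID itself follows it. It assumes the standard SSLv3/TLS record layout (an SSLv2-compatible ClientHello has a different layout and is not handled).

```python
import struct

SESSION_ID_LEN_OFFSET = 43  # 5 record hdr + 4 handshake hdr + 2 version + 32 random


def build_client_hello(session_id: bytes) -> bytes:
    """Construct a minimal SSLv3/TLS ClientHello record (sample data, not a capture)."""
    client_random = bytes(range(32))                 # constructed 32-byte client random
    cipher_suites = b"\x00\x2f\x00\x35"              # two cipher suites (4 bytes)
    body = (b"\x03\x01" + client_random              # client_version = TLS 1.0
            + bytes([len(session_id)]) + session_id  # session_id length byte + value
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big")   # handshake type 1 = ClientHello
    record = b"\x16\x03\x01" + struct.pack("!H", len(handshake) + len(body))
    return record + handshake + body


def session_id_at_ace_offset(payload: bytes, expected_len: int = 32):
    """Read the session ID the way a rule anchored at offset 43 would: the byte at
    offset 43 is the session_id length and the ID follows it.  Returns
    (length_byte, session_id), or None when the record is not a ClientHello or the
    length byte is not the expected value.  A client that sends an empty session ID
    (for example one relying on session tickets) yields no key for the sticky table,
    which shows up as an empty 'show sticky database'."""
    if len(payload) <= SESSION_ID_LEN_OFFSET or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    sid_len = payload[SESSION_ID_LEN_OFFSET]
    if sid_len != expected_len:
        return None
    start = SESSION_ID_LEN_OFFSET + 1
    sid = payload[start:start + sid_len]
    return (sid_len, sid) if len(sid) == sid_len else None


if __name__ == "__main__":
    hello = build_client_hello(bytes.fromhex("e9bb3e12" * 8))   # constructed 32-byte ID
    print(session_id_at_ace_offset(hello))
```

Replace the constructed record with the first client-to-server TCP payload from a capture to confirm that byte 43 really holds the session ID length before trusting the offset in the sticky rule.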

Hi Fred,

Also, do show sticky database layer4-payload v and show sticky database ssl and see if you see something in there.

Regards,

Kanwal

Hi Kanwal,

The url for the VIP is https://example.com/login/auth;jsessionid=E9BB3E120CDD87D06BF18A6575A801F2.tc1

I need to use another approach, such as session cookie persistence, but I'm not sure how I'll get the jsessionid. Do I need to do the match in the URL?

Thanks

Fred

Hi Steven,

I can see the sticky sessions in the database, but users are constantly being logged out.

Thanks

Fred

Hi Fred,

Can you configure a parameter-map with "persistence rebalance" and try again?

Regards,

Kanwal

Hi Fred,

Ensure the config is correct. Here's the sample config:

Sticky Based on JSESSIONID Cookie Location

With this example config, clients that connect to the VIP on port 80 (HTTP) will be load balanced to one of the three real servers in the serverfarm. When the server returns the cookie by the name of JSESSIONID in the HTTP header of the response, the ACE will create a sticky entry for this client based on the ten characters of the cookie value found after skipping the first 53 characters. The numbers 53 (offset) and 10 (length) are the most commonly used, although these two numbers may not work in all installations. Therefore research may be required to determine the correct numbers. The portion of the cookie value pointed to using these numbers is a static value that is always the same on a per-server basis.

JSESSIONID Location Cookie Sticky Configuration

Example Config

access-list ANYONE line 10 extended permit ip any any

probe http WWW-PROBE
  request method head url /keepalive.html
  expect status 200 200

rserver host SERVER-01
  ip address 192.168.1.11
  inservice

rserver host SERVER-02
  ip address 192.168.1.12
  inservice

rserver host SERVER-03
  ip address 192.168.1.13
  inservice

serverfarm host WWW-SERVERFARM
  probe WWW-PROBE
  rserver SERVER-01
    inservice
  rserver SERVER-02
    inservice
  rserver SERVER-03
    inservice

sticky http-cookie JSESSIONID JSESSIONID_STICKY
  cookie offset 53 length 10
  timeout 720
  replicate sticky
  serverfarm WWW-SERVERFARM

class-map match-all WWW-VIP
  2 match virtual-address 10.1.1.100 tcp eq www

policy-map type loadbalance first-match WWW-POLICY
  class class-default
    sticky-serverfarm JSESSIONID_STICKY

policy-map multi-match WWW-POLICY
  class WWW-VIP
    loadbalance vip inservice
    loadbalance policy WWW-POLICY
    loadbalance vip icmp-reply active

interface vlan 10
  description Client vlan
  ip address 10.1.1.10 255.255.255.0
  access-group input ANYONE
  service-policy input WWW-POLICY
  no shutdown

interface vlan 20
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.1.1.1

Regards,

Kanwal
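The note that offset 53 / length 10 "may not work in all installations" can be checked against cookie values captured from each server. The Python below is an added example, not from the thread or from Cisco's documentation: on constructed Tomcat-style JSESSIONID values (a random part plus a per-server ".tcN" route suffix, like the jsessionid in the URL quoted earlier in the thread) it tests whether a given cookie offset/length selects a key that is constant per server and distinct across servers, and searches for the shortest slice that does.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample JSESSIONID values as three servers might issue them: a
# 32-character session part that changes per login, followed by a per-server
# route suffix.  Hypothetical data, not taken from any real capture.
SAMPLE_COOKIES: Dict[str, List[str]] = {
    "SERVER-01": ["0123456789ABCDEF0123456789ABCDEF.tc1", "FEDCBA9876543210FEDCBA9876543210.tc1"],
    "SERVER-02": ["0123456789ABCDEF0123456789ABCDEF.tc2", "FEDCBA9876543210FEDCBA9876543210.tc2"],
    "SERVER-03": ["0123456789ABCDEF0123456789ABCDEF.tc3", "FEDCBA9876543210FEDCBA9876543210.tc3"],
}


def sticky_key(value: str, offset: int, length: int) -> str:
    """Mimic 'cookie offset <offset> length <length>': the slice used as the sticky key."""
    return value[offset:offset + length]


def check_offset_length(samples: Dict[str, List[str]], offset: int,
                        length: int) -> Optional[Dict[str, str]]:
    """Return {server: key} when the slice is identical for every sample of a server
    and differs between servers; None otherwise.  A key that varies per session
    creates a fresh sticky entry on every login, and a key shared by two servers
    cannot keep a client on the server that issued its session."""
    keys: Dict[str, str] = {}
    for server, values in samples.items():
        slices = {sticky_key(v, offset, length) for v in values}
        if len(slices) != 1 or "" in slices:      # varies, or offset past the value
            return None
        keys[server] = slices.pop()
    return keys if len(set(keys.values())) == len(keys) else None


def find_static_slice(samples: Dict[str, List[str]]) -> Optional[Tuple[int, int]]:
    """Brute-force the shortest (offset, length) that passes check_offset_length."""
    longest = max(len(v) for values in samples.values() for v in values)
    for length in range(1, longest + 1):
        for offset in range(0, longest - length + 1):
            if check_offset_length(samples, offset, length):
                return offset, length
    return None


if __name__ == "__main__":
    print("offset 53 length 10 ->", check_offset_length(SAMPLE_COOKIES, 53, 10))
    print("shortest static slice ->", find_static_slice(SAMPLE_COOKIES))
```

Collect at least two Set-Cookie values per real server (several logins each) before running the search, since a single sample per server cannot reveal which characters change between sessions.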

Perfect, the "persistence rebalance" was the missing piece.

Thanks for the help, Kanwal.

Regards,

Fred
