List: foundry-nsp
Subject: Re: [f-nsp] question on cookie persistance+L7 health check
From: "Bahwal, Osama B" <osama.bahwal () aramco ! com>
Date: 2009-07-31 21:09:57
Message-ID: FF47403531D68744B85D78645F2240820683B37867 () EMAILB ! aramco ! com
Greetings,
I did change it, but it is the same problem... I really got mad... I don't know what is the problem...
Regards,
________________________________
From: Oliver Adam [oadam@madao.de]
Sent: Friday, July 31, 2009 4:11 PM
To: Bahwal, Osama B; foundry-nsp@puck.nether.net
Subject: RE: [f-nsp] question on cookie persistance+L7 health check
Change
port http cookie-name "serverID"
to
port http cookie-name "ServerID"
and see if that is any better.
R, O
At 01:58 30.07.2009, Bahwal, Osama B wrote:
Thank you for your reply,
You are right, there was no match for r2... it is very strange... server ports are OK and up.
regards,
________________________________
From: Oliver Adam [oadam@madao.de]
Sent: Wednesday, July 29, 2009 10:11 PM
To: Bahwal, Osama B; foundry-nsp@puck.nether.net
Subject: Re: [f-nsp] question on cookie persistance+L7 health check
Hi,
I do assume you do have a single test client only. Port ssl/443 and therefore HTTPS is configured to use stickiness based on IP addresses:
port ssl sticky
port ssl sticky-age 5
The client is therefore getting bound to a real server based on the client IP address for at least 5 minutes because of the sticky-age 5 setting. You are going to hit the initially selected real server all the time as long as your client IP does not change.
The config for the http port looks OK. Are you sure all health checks are successful? You do see strange problems in case real servers start to flap from up to down. Check this using "show log". On top of that I would suggest to see whether you see matches for rule r2 or not:
show csw-policy p2
There should be a match for every client request coming in with a cookie named ServerID.
R, Oliver
At 07:34 29.07.2009, Bahwal, Osama B wrote:
Greetings,
I'm facing a strange situation and need advice on this issue. I'm trying to use L7 health check with cookie persistence. L7 is working fine and the cookie was inserted, as I can see it using an HTTP analyzer. However, the Foundry is not functioning as it should by providing stickiness between the client and the real server based on the server ID. Each time I open a new session or refresh the opened one, it flips me to the other server for HTTP requests. For HTTPS, it always switches the requests to server "B" all the time.
Below is the configuration I'm using; please advise me why this is happening.
Context test
healthck check_A tcp
dest-ip 10.1.180.14
port 44444
protocol http
protocol http url "GET /enable.html"
l7-check
healthck checkSSL_A tcp
dest-ip 10.1.180.14
port 44445
protocol ssl
protocol ssl use-complete
l7-check
healthck checkSSL_B tcp
dest-ip 10.1.180.7
port 44445
protocol ssl
protocol ssl use-complete
l7-check
healthck check_B tcp
dest-ip 10.1.180.7
port 44444
protocol http
protocol http url "GET /enable.html"
l7-check
healthck checkboth_A boolean
and check_A checkSSL_A
healthck checkboth_B boolean
and check_B checkSSL_B
csw-rule "r2" header "cookie" search "ServerID="
!
csw-policy "p2"
match "r2" persist offset 0 length 4 group-or-server-id
default forward 1
default rewrite insert-cookie
!
server real A 10.1.180.14
source-nat
weight 1 1
port 44444
port 44444 healthck check_A
port 44444 keepalive
port 44444 server-id 1218
port 44444 group-id 1 1
port 44445
port 44445 healthck checkboth_A
port 44445 keepalive
port 44445 server-id 1218
port 44445 group-id 1 1
!
server real B 10.1.180.7
source-nat
weight 1 1
port 44444
port 44444 healthck check_B
port 44444 keepalive
port 44444 server-id 1211
port 44444 group-id 1 1
port 44445
port 44445 healthck checkboth_B
port 44445 keepalive
port 44445 server-id 1211
port 44445 group-id 1 1
!
!
server virtual Final_test 10.1.180.10
predictor repons-time
port http
port http reset-on-port-fail
port http cookie-name "serverID"
port http csw-policy "p2"
port http csw
port http cookie-age 5
port ssl sticky
port ssl sticky-age 5
port ssl reset-on-port-fail
bind http A 44444 B 44444
bind ssl A 44445 B 44445
_______________________________________________ foundry-nsp mailing list
foundry-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp
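
Added example (not part of the original thread, and not Foundry code): a small Python check for the cookie-name mismatch raised in the 31 July reply, run over lines taken from the configuration posted above. It assumes the cookie name is compared case-sensitively and that every server-id must be exactly as long as the "persist ... length" value; the function name lint is hypothetical.

```python
import re

# Constructed sample: the relevant lines from the configuration posted in the thread.
CONFIG = '''\
csw-rule "r2" header "cookie" search "ServerID="
csw-policy "p2"
match "r2" persist offset 0 length 4 group-or-server-id
server real A 10.1.180.14
port 44444 server-id 1218
server real B 10.1.180.7
port 44444 server-id 1211
server virtual Final_test 10.1.180.10
port http cookie-name "serverID"
port http csw-policy "p2"
'''

def lint(config):
    """Return a list of findings about cookie persistence consistency."""
    findings = []
    # Cookie names the csw-rules search for (text before the trailing '=').
    searched = re.findall(
        r'csw-rule\s+"[^"]+"\s+header\s+"cookie"\s+search\s+"([^"=]+)=?"', config)
    # Cookie names the virtual server ports insert.
    inserted = re.findall(r'cookie-name\s+"([^"]+)"', config)
    for name in inserted:
        if name in searched:
            continue  # exact match: inserted cookie is the one the rule looks for
        if name.lower() in (s.lower() for s in searched):
            findings.append(
                f'cookie-name "{name}" differs only in case from the csw-rule search string')
        else:
            findings.append(f'cookie-name "{name}" is not searched for by any csw-rule')
    # Assumption: each server-id must fill the persist window exactly.
    m = re.search(r'persist\s+offset\s+(\d+)\s+length\s+(\d+)', config)
    if m:
        length = int(m.group(2))
        for sid in sorted(set(re.findall(r'server-id\s+(\d+)', config))):
            if len(sid) != length:
                findings.append(
                    f'server-id {sid} has {len(sid)} digits, persist length is {length}')
    return findings

if __name__ == "__main__":
    for finding in lint(CONFIG):
        print(finding)
```
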