Device Manager GUI Guide vA1(7), Cisco ACE 4700 Series Application Control Engine Appliance
Configuring Load Balancing

Table Of Contents

Configuring Load Balancing

Load Balancing Overview

Virtual Servers

Load-Balancing Predictors

Real Servers

Server Farms

Configuring Virtual Servers

Understanding Virtual Server Configuration and ACE Appliance Device Manager

Using ACE Appliance Device Manager to Configure Virtual Servers

Virtual Server Configuration Procedure

Shared Objects and Virtual Servers

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Default Layer 7 Load Balancing

Configuring Application Acceleration and Optimization

Configuring Virtual Server NAT

Managing Virtual Servers

Viewing Virtual Servers by Context

Activating Virtual Servers

Suspending Virtual Servers

Viewing Detailed Virtual Server Information

Viewing All Virtual Servers

Configuring Load Balancing with Real Servers

Configuring Server Farm Load Balancing

Adding Real Servers to a Server Farm

Viewing All Server Farms

Configuring the Predictor Method for Server Farms

Configuring Server Farm HTTP Return Error-Code Checking

Health Monitoring

TCL Scripts

Configuring Health Monitoring for Real Servers

Probe Attribute Tables

Configuring DNS Probe Expect Addresses

Configuring Headers for HTTP and HTTPS Probes

Configuring Health Monitoring Expect Status

Managing Real Servers

Activating Real Servers

Suspending Real Servers

Modifying Real Servers

Viewing All Real Servers

Stickiness Overview

IP Address Stickiness

Cookie Stickiness

HTTP Header Stickiness

Sticky Groups

Sticky Table

Configuring Load Balancing Using Sticky Groups

Viewing All Sticky Groups by Context

Configuring Sticky Statics

Using Parameter Maps

Configuring Connection Parameter Maps

Configuring HTTP Parameter Maps

Configuring Optimization Parameter Maps

Supported MIME Types

Viewing All Parameter Maps by Context

Configuring Secure KAL-AP


Configuring Load Balancing


This section provides an overview of server load balancing and procedures for configuring load balancing on an ACE appliance.

Topics include:

Load Balancing Overview

Configuring Virtual Servers

Configuring Server Farm Load Balancing

Configuring Health Monitoring for Real Servers

Configuring Load Balancing Using Sticky Groups

Using Parameter Maps

Configuring Secure KAL-AP

Load Balancing Overview

Server load balancing (SLB) is the process of deciding to which server a load-balancing device should send a client request for service. For example, a client request can consist of an HTTP GET for a Web page or an FTP GET to download a file. The job of the load balancer is to select the server that can successfully fulfill the client request and do so in the shortest amount of time without overloading either the server or the server farm as a whole.

Depending on the load-balancing algorithm or predictor that you configure, the ACE appliance performs a series of checks and calculations to determine the server that can best service each client request. The ACE appliance bases server selection on several factors, including the server with the fewest connections with respect to load, source or destination address, cookies, URLs, or HTTP headers.

The ACE Appliance Device Manager allows you to configure:

Load balancing using virtual servers—See Configuring Virtual Servers.

Load balancing on named real servers—See Configuring Load Balancing with Real Servers.

Load balancing on server farms—See Configuring Server Farm Load Balancing.

Health monitoring for real servers—See Configuring Health Monitoring for Real Servers.

Sticky group attributes—See Configuring Load Balancing Using Sticky Groups.

Parameter maps—See Using Parameter Maps.

For information about SLB as configured and performed by the ACE appliance, see:

Virtual Servers

Load-Balancing Predictors

Real Servers

Server Farms

Health Monitoring

TCL Scripts

Stickiness Overview

Virtual Servers

In a load-balancing environment, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. A virtual server is bound to physical services running on real servers in a server farm and uses IP address and port information to distribute incoming client requests to the servers in the server farm according to a specified load-balancing algorithm. You use class maps to configure a virtual server address and definition. The load-balancing predictor algorithms (for example, roundrobin, least connections, and so on) determine the servers to which the ACE appliance sends connection requests.

Related Topics

Configuring Virtual Servers

Load-Balancing Predictors

Server Farms

Load-Balancing Predictors

The ACE appliance uses the following predictors to select the best server to satisfy a client request:

Roundrobin—Selects the next server in the list of real servers based on server weight (weighted roundrobin). Servers with a higher weight value receive a higher percentage of the connections. This is the default predictor.

Leastconns—Selects the server with the fewest number of active connections based on server weight. For the least connection predictor, you can configure a slow-start mechanism to avoid sending a high rate of new connections to servers that you have just put into service.

Hash_url—Selects the server using a hash value based on the requested URL. You can specify a beginning pattern and an ending pattern to match in the URL. Use this predictor method to load-balance cache servers. Cache servers perform better with the URL hash method because you can divide the contents of the caches evenly if the traffic is random enough. In a redundant configuration, the cache servers continue to work even if the active ACE appliance switches over to the standby ACE appliance. For information about configuring redundancy, see Configuring High Availability, page 6-1.

Hash_address—Selects the server using a hash value based on either the source or destination IP address, or both. Use these predictors for firewall load balancing (FWLB).


Note FWLB allows you to scale firewall protection by distributing traffic across multiple firewalls on a per-connection basis. All packets belonging to a particular connection must go through the same firewall. The firewall then allows or denies transmission of individual packets across its interfaces. For more information about configuring FWLB on the ACE appliance, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.


Hash_cookie—Selects the server using a hash value based on a cookie name.

Hash_header—Selects the server using a hash value based on the HTTP header name.


Note The different hash predictor methods do not recognize the weight value you configure for real servers. The ACE appliance uses the weight that you assign to real servers only in the round-robin and least-connections predictor methods.
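The predictors listed above, sketched as an added Python example (not Cisco code and not part of the original guide). The farm names, weights and addresses are constructed; the smooth weighted round-robin order, the connections-per-weight ratio and the SHA-256 hash are assumptions standing in for ACE internals that this page does not document.

```python
import hashlib
import ipaddress
from collections import Counter

# Constructed server farm: (name, weight). Names and weights are illustrative.
FARM = [("rs1", 5), ("rs2", 3), ("rs3", 1)]


def weighted_roundrobin(farm, n):
    """Return n picks in which each server's share is proportional to its weight.

    Smooth weighted round-robin is used here as one common scheduling order
    (assumption: the ACE's actual ordering is not documented on this page).
    """
    current = {name: 0 for name, _ in farm}
    total = sum(weight for _, weight in farm)
    picks = []
    for _ in range(n):
        for name, weight in farm:
            current[name] += weight
        best = max(farm, key=lambda s: current[s[0]])[0]
        current[best] -= total
        picks.append(best)
    return picks


def leastconns(farm, active):
    """Pick the server with the fewest active connections relative to its weight.

    Dividing by weight is an assumption about how "based on server weight" applies.
    """
    return min(farm, key=lambda s: active[s[0]] / s[1])[0]


def hash_pick(key, farm):
    """Hash predictor core: stable digest of the key modulo farm size.

    Weights are never consulted, which is the behaviour the Note describes.
    """
    digest = hashlib.sha256(key.encode()).digest()
    return farm[int.from_bytes(digest[:8], "big") % len(farm)][0]


def hash_address(src, dst, farm, mode="source"):
    """Hash on the source address, the destination address, or both."""
    src = str(ipaddress.ip_address(src))
    dst = str(ipaddress.ip_address(dst))
    if mode == "source":
        key = src
    elif mode == "destination":
        key = dst
    elif mode == "both":
        key = f"{src}|{dst}"
    else:
        raise ValueError(f"unknown mode: {mode}")
    return hash_pick(key, farm)


def hash_spread(farm, clients=3000):
    """Count hash_address picks over constructed client addresses 10.0.0.1 onward."""
    base = int(ipaddress.ip_address("10.0.0.1"))
    picks = (
        hash_address(str(ipaddress.ip_address(base + i)), "192.0.2.10", farm)
        for i in range(clients)
    )
    return Counter(picks)


if __name__ == "__main__":
    print("roundrobin :", Counter(weighted_roundrobin(FARM, 900)))
    print("leastconns :", leastconns(FARM, {"rs1": 10, "rs2": 3, "rs3": 2}))
    print("hash spread:", hash_spread(FARM))
    # Every packet of one connection carries the same addresses, so it always
    # hashes to the same device: the property firewall load balancing relies on.
    print("same device:", len({hash_address("10.1.2.3", "192.0.2.10", FARM)
                                for _ in range(5)}) == 1)
```

With weights 5, 3 and 1 the round-robin shares follow the weights, while the hash spread is roughly even across all three servers regardless of weight.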


Related Topic

Configuring the Predictor Method for Server Farms

Real Servers

To provide services to clients, you configure real servers on the ACE appliance. Real servers are dedicated physical servers that you typically configure in groups called server farms. These servers provide client services such as HTTP or XML content, Web site hosting, FTP file uploads or downloads, redirection for Web pages that have moved to another location, and so on. You identify real servers with names and characterize them with IP addresses, connection limits, and weight values. The ACE appliance also allows you to configure backup servers in case a server is taken out of service for any reason.

After you create and name a real server on the ACE appliance, you can configure several parameters, including connection limits, health probes, and weight. You can assign a weight to each real server based on its relative importance to other servers in the server farm. The ACE appliance uses the server weight value for the weighted round-robin and the least-connections load-balancing predictors. The load-balancing predictor algorithms (for example, roundrobin, least connections, and so on) determine the servers to which the ACE appliance sends connection requests. For a listing and brief description of the load-balancing predictors, see Load-Balancing Predictors.

The ACE appliance uses traffic classification maps (class maps) within policy maps to filter out interesting traffic and to apply specific actions to that traffic based on the SLB configuration. You use class maps to configure a virtual server address and definition.

If a primary real server fails, the ACE appliance takes that server out of service and no longer includes it in load-balancing decisions. If you configured a backup server for the real server that failed, the ACE appliance redirects the primary real server connections to the backup server. For information about configuring a backup server, see Configuring Virtual Server Layer 7 Load Balancing.

The ACE appliance can take a real server out of service for the following reasons:

Probe failure

ARP timeout

Specifying Out of Service as the administrative state of a real server

Specifying Inservice Standby as the administrative state of a real server

The Out of Service and Inservice Standby selections both provide the graceful shutdown of a server.

Related Topics

Configuring Load Balancing with Real Servers

Configuring Health Monitoring for Real Servers

Server Farms

Typically, in data centers, servers are organized into related groups called server farms. Servers within server farms often contain identical content (referred to as mirrored content) so that if one server becomes inoperative, another server can take its place immediately. Also, having mirrored content allows several servers to share the load of increased demand during important local or international events, such as the Olympic Games. This phenomenon of a sudden large demand for content is called a flash crowd.

After you create and name a server farm, you can add existing real servers to it and configure other server farm parameters, such as the load-balancing predictor, server weight, backup server, health probe, and so on. For a listing and brief description of load-balancing predictors, see Load-Balancing Predictors.

Related Topic

Configuring Server Farm Load Balancing

Configuring Virtual Servers

In a load-balancing environment, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. A virtual server is bound to physical services running on real servers in a server farm and uses IP address and port information to distribute incoming client requests to the servers in the server farm according to a specified load-balancing algorithm.

For more information about virtual servers and the ACE Appliance Device Manager, see:

Understanding Virtual Server Configuration and ACE Appliance Device Manager

Using ACE Appliance Device Manager to Configure Virtual Servers

Virtual Server Configuration Procedure

Understanding Virtual Server Configuration and ACE Appliance Device Manager

The ACE Appliance Device Manager Virtual Server configuration interface, an abstraction of the Modular Policy CLI, simplifies, reorders, and makes more atomic the configuration and deployment of a functional load-balancing environment. With simplification or abstraction, some constraints or limitations are necessarily introduced. This section identifies the constraints and framework used by ACE Appliance Device Manager for virtual server configuration.

In ACE Appliance Device Manager, a viable virtual server has the following attributes:

A single Layer 3/Layer 4 match condition

This means that you can specify only a single IP address (or single IP address range if a netmask is used), with only a single port (or port range). Having a single match condition greatly simplifies and aids virtual server configuration.

A default Layer 7 action

A Layer 7 policy map

A Layer 3/Layer 4 class map

A multi-match policy map, a class-map match, and an action

In addition:

The virtual server multi-match policy map is associated with an interface or is global.

The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map.

Example 3-1 shows the minimum configuration statements required for a virtual server.

Example 3-1 Minimum Configuration Required for a Virtual Server

class-map match-all Example_VIP
   2 match virtual-address 10.10.10.10 tcp eq www 
policy-map type loadbalance first-match Example_VIP-l7slb
   class class-default
      forward
policy-map multi-match int10
   class Example_VIP
      loadbalance policy Example_VIP-l7slb 

interface vlan 10
   ip address 192.168.65.37 255.255.255.0
   service-policy input int10
   no shutdown
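
The attribute list and Example 3-1 above can be checked mechanically before a CLI-built configuration is synchronized into Device Manager. The following Python sketch is an added example, not Cisco code or part of the original guide; it assumes indentation-structured configuration text as in Example 3-1, and Broken_VIP and int20 are constructed names.

```python
import re

# Example 3-1 from the page, followed by a constructed virtual server
# (Broken_VIP, int20 are hypothetical) that misses three listed attributes.
SAMPLE_CONFIG = """\
class-map match-all Example_VIP
   2 match virtual-address 10.10.10.10 tcp eq www
policy-map type loadbalance first-match Example_VIP-l7slb
   class class-default
      forward
policy-map multi-match int10
   class Example_VIP
      loadbalance policy Example_VIP-l7slb
interface vlan 10
   ip address 192.168.65.37 255.255.255.0
   service-policy input int10
   no shutdown
class-map match-any Broken_VIP
   2 match virtual-address 10.10.10.20 tcp eq www
   3 match virtual-address 10.10.10.21 tcp eq www
policy-map type loadbalance first-match Broken_VIP-l7slb
   class class-default
policy-map multi-match int20
   class Broken_VIP
      loadbalance policy Broken_VIP-l7slb
"""

VIP_MATCH = re.compile(r"^(\d+\s+)?match\s+virtual-address\b")


def parse_stanzas(config):
    """Split the config into (header, [stripped child lines]) by indentation."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if stanzas:
                stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def group_classes(children):
    """Group a policy map's child lines as {class name: [action lines]}."""
    classes, current = {}, None
    for line in children:
        if line.startswith("class "):
            current = line.split()[1]
            classes[current] = []
        elif current is not None:
            classes[current].append(line)
    return classes


def audit_virtual_servers(config):
    """Return {virtual server name: [findings]}; an empty list means viable."""
    class_maps, l7_policies, multi_match, applied = {}, {}, {}, set()
    for header, children in parse_stanzas(config):
        words = header.split()
        if words[0] == "class-map":
            class_maps[words[-1]] = [c for c in children if VIP_MATCH.match(c)]
        elif words[:3] == ["policy-map", "type", "loadbalance"]:
            l7_policies[words[-1]] = group_classes(children)
        elif words[:2] == ["policy-map", "multi-match"]:
            multi_match[words[-1]] = group_classes(children)
        elif words[0] == "interface":
            applied.update(c.split()[-1] for c in children
                           if c.startswith("service-policy input "))
        elif words[:2] == ["service-policy", "input"]:
            applied.add(words[-1])  # policy applied globally

    report = {}
    for vip, matches in class_maps.items():
        if not matches:
            continue  # class map does not define a virtual address
        findings = []
        if len(matches) != 1:
            findings.append(
                f"{len(matches)} Layer 3/Layer 4 match conditions, expected 1")
        bindings = [(pm, classes[vip]) for pm, classes in multi_match.items()
                    if vip in classes]
        if not bindings:
            findings.append("not referenced by a multi-match policy map")
        for pm, actions in bindings:
            if pm not in applied:
                findings.append(
                    f"policy map {pm} is not applied to an interface or globally")
            l7_names = [a.split()[-1] for a in actions
                        if a.startswith("loadbalance policy ")]
            if not l7_names:
                findings.append(f"no loadbalance policy action in {pm}")
            for l7 in l7_names:
                if not l7_policies.get(l7, {}).get("class-default"):
                    findings.append(
                        f"Layer 7 policy map {l7} has no default action")
        report[vip] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_virtual_servers(SAMPLE_CONFIG).items():
        print(name, "->", findings or "viable")
```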


Note also the following items regarding the ACE Appliance Device Manager and virtual servers:

Additional configuration options

The Virtual Server configuration screen allows you to configure additional items for a functional VIP. These items include server farms, sticky groups, real servers, probes, parameter maps, inspection, class maps, and inline match conditions. Because too many items on a screen can be overwhelming, not all configuration options, such as sticky statics or backup real servers, appear on the Virtual Server configuration screen. These options are available elsewhere in the ACE Appliance Device Manager interface.

Configuration options and roles

To support and maintain the separation of roles, some objects cannot be configured using the Virtual Server configuration screen. These objects include SSL certificates, SSL keys, NAT pools, interface IP addresses, and ACLs. Providing these options as separate configuration options in the ACE Appliance Device Manager interface ensures that a user who can view or modify virtual servers or aspects of virtual servers cannot create or delete virtual servers.

Related Topics

Configuring Virtual Servers

Using ACE Appliance Device Manager to Configure Virtual Servers

Virtual Server Configuration Procedure

Using ACE Appliance Device Manager to Configure Virtual Servers

It is important to understand the following when using the ACE Appliance Device Manager to configure virtual servers:

Virtual server configuration screens

The ACE Appliance Device Manager Virtual Server configuration screens are designed to aid you in configuring virtual servers by presenting configuration options that are relevant to your choices. For example, the protocols that you select in the Properties configuration subset determine the other configuration subsets that appear.

Use the virtual server configuration method that suits you

The ACE Appliance Device Manager Virtual Server configuration screens simplify the process of creating, modifying, and deploying virtual servers by displaying those options that you are most likely to use. In addition, as you specify attributes for a virtual server, such as protocols, the interface refreshes with related configuration options, such as Protocol Inspection or Application Acceleration and Optimization, thereby speeding virtual server configuration and deployment.

While Virtual Server configuration screens remove some configuration complexities, they have a few constraints that the Expert configuration options do not. If you are comfortable using the CLI, you can use the Expert options (such as Config > Virtual Contexts > context > Expert > Class Map or Policy or Config > Virtual Contexts > context > Load Balancing > Parameter Map) to configure more complex attributes of virtual servers, traffic policies, and parameter maps.

Synchronizing virtual server configurations

If you configure a virtual server using the CLI and then use the Sync option (Config > Virtual Contexts > Sync) to synchronize configurations, the configuration that appears in the ACE Appliance Device Manager for the virtual server might not display all configuration options for that virtual server. The configuration that appears in the ACE Appliance Device Manager depends on a number of items, such as the protocols configured in class maps or the rules defined for policy maps.

For example, if you configure a virtual server on the CLI that includes a class map that can match any protocol, you will not see the virtual server Application Acceleration and Optimization configuration subset in the ACE Appliance Device Manager.

Modifying shared objects

Modifying an object that is used by multiple virtual servers, such as a server farm, real server, or parameter map, could impact the other virtual servers. See Shared Objects and Virtual Servers for more information about modifying objects used by multiple virtual servers.

Related Topics

Configuring Virtual Servers

Understanding Virtual Server Configuration and ACE Appliance Device Manager

Virtual Server Configuration Procedure

Virtual Server Configuration Procedure

Use this procedure to add virtual servers to the ACE Appliance Device Manager for load-balancing purposes.

Assumptions

Depending on the protocol to be used for the virtual server, parameter maps need to be defined.

For SSL service, SSL certificates, keys, chain groups, and parameter maps must be configured.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Click Add to add a new virtual server, or select an existing virtual server, then click Edit to modify it. The Virtual Server configuration screen appears with a number of configuration subsets. The subsets that you see depend on whether you use the Basic View or the Advanced View and configuration entries you make in the Properties subset. Change views by using the View object selector at the top of the configuration pane.

Table 3-1 identifies and describes virtual server configuration subsets with links to related topics for configuration information.

Table 3-1 Virtual Server Configuration Subsets 

| Configuration Subset | Description | Related Topics |
|---|---|---|
| Properties | This subset allows you to specify basic virtual server characteristics, such as the virtual server name, IP address, protocol, port, and VLANs. | Configuring Virtual Server Properties |
| SSL Termination | This subset appears when TCP is the selected protocol and Other or HTTPS is the application protocol. This subset allows you to configure the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients. | Configuring Virtual Server SSL Termination |
| Protocol Inspection | This subset appears in the Advanced View for TCP with HTTP, HTTPS, FTP, or RTSP, and for UDP with DNS. This subset appears in the Basic View for TCP with FTP. This subset allows you to configure the virtual server so that it can verify protocol behavior and identify unwanted or malicious traffic passing through the ACE appliance on selected application protocols. | Configuring Virtual Server Protocol Inspection |
| L7 Load-Balancing | This subset appears only in the Advanced View and when HTTP or HTTPS is the selected application protocol. This subset allows you to configure Layer 7 load-balancing options, including SSL initiation. | Configuring Virtual Server Layer 7 Load Balancing |
| Default L7 Load-Balancing Action | This subset allows you to establish the default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions. It also allows you to configure SSL initiation. | Configuring Virtual Server Default Layer 7 Load Balancing |
| Application Acceleration and Optimization | This subset appears only in the Advanced View and when HTTP or HTTPS is the selected application protocol. This subset allows you to configure application acceleration and optimization options for HTTP or HTTPS traffic. | Configuring Application Acceleration and Optimization |
| NAT | This subset appears in the Advanced View only. This subset allows you to set up Network Address Translation (NAT) for the virtual server. | Configuring Virtual Server NAT |


Step 3 When you finish configuring virtual server properties, click:

Deploy Now to deploy the configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Virtual Servers table.


Related Topic

Configuring Virtual Servers

Shared Objects and Virtual Servers

Role Mapping in ACE Appliance Device Manager, page 10-18

Shared Objects and Virtual Servers

A shared object is one that is used by multiple virtual servers. Examples of shared objects are:

Action lists

Class maps

Parameter maps

Real servers

Server farms

SSL services

Sticky groups

Because these objects are shared, modifying an object's configuration in one virtual server can impact other virtual servers that use the same object.

Configuring Shared Objects

ACE Appliance Device Manager offers the following options for shared objects in virtual server configuration screens (Config > Virtual Contexts > context > Load Balancing > Virtual Servers):

View—Click View to review the object's configuration. The screen refreshes with read-only fields and the following three buttons.

Cancel—Click Cancel to close the read-only view and to return to the previous screen.

Edit—Click Edit to modify the selected object's configuration. The screen refreshes with fields that can be modified, except for the Name field, which remains read-only.


Note Before changing a shared object's configuration, make sure you understand the effect of the changes on other virtual servers using the same object. As an alternative, consider using the Duplicate option instead.


Duplicate—Click Duplicate to create a new object with the same configuration as the selected object. The screen refreshes with configurable fields. In the Name field, enter a unique name for the new object, then modify the configuration as desired. This option allows you to create a new object without impacting other virtual servers using the same object.

Deleting Virtual Servers with Shared Objects

If you create a virtual server and include shared objects in its configuration, deleting the virtual server does not delete the associated shared objects. This ensures that other virtual servers using the same shared objects are not impacted.

Related Topics

Managing Virtual Servers

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Default Layer 7 Load Balancing

Configuring Application Acceleration and Optimization

Configuring Virtual Server Properties

Use this procedure to configure virtual server properties.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Click Add to add a new virtual server, or select an existing virtual server, then click Edit to modify it. The Virtual Server configuration screen appears. The Properties configuration subset is open by default.

The fields that you see in the Properties configuration subset depend on whether you are using Advanced View or Basic View:

To configure Advanced View properties, continue with Step 3.

To configure Basic View properties, continue with Step 4.

Step 3 To configure virtual server properties in the Advanced View, enter the information in Table 3-2.

Table 3-2 Virtual Server Properties - Advanced View 

Field
Description

VIP Name

Enter the name for the virtual server.

VIP IP

Enter the IP address for the virtual server.

Netmask

Select the subnet mask to apply to the virtual server IP address.

Protocol

Select the protocol the virtual server supports:

Any—Indicates the virtual server is to accept connections using any IP protocol.

TCP—Indicates that the virtual server is to accept connections that use TCP.

UDP—Indicates that the virtual server is to accept connections that use UDP.

Note This field is read-only if you are editing an existing virtual server. The Device Manager does not allow changes between protocols that require a change to the Layer 7 server load-balancing policy map. You need to delete the virtual server and create a new one with the desired protocol.

Application Protocol

This field appears if TCP or UDP is selected. Select the application protocol to be supported by the virtual server.

Note This field is read-only if you are editing an existing virtual server. The Device Manager does not allow changes between protocols that require a change to the Layer 7 server load-balancing policy map. You need to delete the virtual server and create a new one with the desired application protocol.

For TCP, the options are:

Other—Any protocol other than those specified.

HTTP—Hyper Text Transfer Protocol

HTTPS—HTTP over SSL

If you select HTTPS, the SSL Termination configuration subset appears. See Configuring Virtual Server SSL Termination.

FTP—File Transfer Protocol

RTSP—Real Time Streaming Protocol

For UDP, the options are:

Other—Any protocol other than those specified.

DNS—Domain Name System

If you select any specific application protocol, the Protocol Inspection configuration subset appears. See Configuring Virtual Server Protocol Inspection.

Port

This field appears for any specified protocol.

Enter the port to be used for the specified protocol. Valid entries are integers from 0 to 65535 or a range of integers, such as 10-20. Enter 0 (zero) to indicate all ports.

For a complete list of protocols and ports, see the Internet Assigned Numbers Authority available at www.iana.org/numbers.html.

All VLANs

Select the check box to support incoming traffic from all VLANs. Clear the check box to support incoming traffic from specific VLANs only.

VLAN

This field appears if the All VLANs check box is cleared.

In the Available Items list, select the VLANs to use for incoming traffic, then click Add to Selection. The items appear in the Selected Items list.

To remove VLANs, select them in the Selected Items list, then click Remove from Selection. The items appear in the Available Items list.

Note You cannot change the VLAN for a virtual server once it is specified. Instead, you need to delete the virtual server and create a new one with the desired VLAN.

HTTP Parameter Map

This field appears if HTTP or HTTPS is the selected application protocol.

Select an existing HTTP parameter map or click *New* to create a new one:

If you select an existing parameter map, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click *New*, the HTTP Parameter Map configuration pane appears. Configure the HTTP parameter map as described in Table 3-3.

Connection Parameter Map

This field appears if TCP is the selected protocol.

Select an existing connection parameter map or click *New* to create a new one:

If you select an existing parameter map, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click *New*, the Connection Parameter Map configuration pane appears. Configure the connection parameter map as described in Table 3-4.

ICMP Reply

Indicate how the virtual server is to respond to ICMP ECHO requests:

None—Indicates that the virtual server is not to send ICMP ECHO-REPLY responses to ICMP requests.

Active—Indicates that the virtual server is to send ICMP ECHO-REPLY responses only if the configured VIP is active.

Always—Indicates that the virtual server is always to send ICMP ECHO-REPLY responses to ICMP requests.

Status

Indicate whether the virtual server is to be in service or out of service:

In-Service—Enables the virtual server for load-balancing operations.

Out-of-Service—Disables the virtual server for load-balancing operations.


Table 3-3 Virtual Server HTTP Parameter Map Attributes 

Field
Description

Name

Enter a unique name for the parameter map.

Case-insensitive

Select the check box to indicate that the ACE appliance is to be case insensitive. Clear the check box to indicate that the ACE appliance is to be case sensitive. The check box is cleared by default.

TCP Server Connection Reuse

Select the check box to indicate that the ACE appliance is to reduce the number of open connections on a server by allowing connections to persist and be reused by multiple client connections. If you enable this feature:

Ensure that the ACE appliance maximum segment size (MSS) is the same as the server maximum segment size.

Configure port address translation (PAT) on the interface that is connected to the real server.

Configure on the ACE appliance the same TCP options that exist on the TCP server.

Ensure that each server farm is homogeneous (all real servers within a server farm have identical configurations).

Clear the check box to disable this option.

HTTP Persistence Rebalance

Select the check box to indicate that the ACE appliance is to:

Separately load balance each subsequent HTTP request on the same TCP connection.

Insert the header and cookie for every request instead of only the first request.

Clear the check box to disable this option.

This option is disabled by default.

Exceed Max Parse Length

Indicate how the ACE appliance is to handle cookies, HTTP headers, and URLs that exceed the maximum parse length:

Continue—Indicates that the ACE appliance is to continue load balancing. When this option is selected, the HTTP Persistence Rebalance option is disabled if the total length of all cookies, HTTP headers, and URLs exceeds the maximum parse value.

Drop—Indicates that the ACE appliance is to stop load balancing and to discard the packet.

Content Max Parse Length

Enter the maximum number of bytes to parse in HTTP content. Valid entries are integers from 1 to 65535.

Header Max Parse Length

Enter the maximum number of bytes to parse for the total length of cookies, HTTP headers, and URLs. Valid entries are integers from 1 to 65535 with a default of 2048.

Secondary Cookie Delimiters

Enter the ASCII-character delimiters to be used to separate cookies in a URL string. Valid entries are unquoted text strings with no spaces and a maximum of 4 characters. The default delimiters are /&#+.

MIME Type to Compress

In the field on the left, enter the Multipurpose Internet Mail Extension (MIME) type to compress, then click Add. The MIME type appears in the column on the right. To remove or change a MIME type, select it in the column on the right, then click Remove. The selected MIME type appears in the field on the left where you can modify or delete it.

To specify the sequence in which compression is to be applied, select MIME types in the column on the right, then click Up or Down to arrange the MIME types.

Supported MIME Types lists the supported MIME types. You can use an asterisk (*) to indicate a wildcard, such as text/*, which would include all text MIME types (text/html, text/plain, and so on).

User Agent Not to Compress

A user agent is a client that initiates a request. Examples of user agents include browsers, editors, and other end-user tools. When you specify a user agent string in this field, the ACE appliance does not compress the response to a request when the request contains the matching user agent string.

In the field on the left, enter the user agent string to be matched, then click Add. The string appears in the column on the right. To remove or change a user agent string, select it in the column on the right, then click Remove. The selected string appears in the field on the left where you can modify or delete it.

To specify the sequence in which strings are to be matched, select strings in the column on the right, then click Up or Down to arrange the strings in the desired sequence.

Valid entries are 64 characters.

Minimum Size to Compress

Enter the threshold at which compression is to occur. The ACE appliance compresses files that are the minimum size or larger. Valid entries are integers from 1 to 4096 bytes.


Table 3-4 Virtual Server Connection Parameter Map Attributes 

Field
Description

Name

Enter a unique name for the parameter map.

Exceeds MSS

Indicate how the ACE appliance is to handle segments that exceed the maximum segment size (MSS):

Allow—Indicates that the ACE appliance is to permit segments that exceed the configured MSS.

Drop—Indicates that the ACE appliance is to discard segments that exceed the configured MSS.

Nagle

The Nagle algorithm instructs a sender to buffer any data to be sent until all outstanding data has been acknowledged or until there is a full segment of data to send. Enabling the Nagle algorithm increases throughput, but it can increase latency in your TCP connection.

Select the check box to enable the Nagle algorithm. Clear the check box to disable the Nagle algorithm.

Note Disable the Nagle algorithm when you observe unacceptable delays in TCP connections.

Random Sequence Number

Randomizing TCP sequence numbers adds a measure of security to TCP connections by making it more difficult for a hacker to guess or predict the next sequence number in a TCP connection.

Select the check box to enable the use of random TCP sequence numbers. Clear the check box to disable the use of random TCP sequence numbers.

This option is enabled by default.

Reserved Bits

Indicate how the ACE appliance is to handle segments with the reserved bits set in the TCP header:

Allow—Indicates that segments with the reserved bits are to be permitted.

Drop—Indicates that segments with the reserved bits are to be discarded.

Clear—Indicates that reserved bits in TCP headers are to be cleared and segments are to be allowed.

Type-of-Service IP Header

The type of service for an IP packet determines how the network handles the packet and balances its precedence, throughput, delay, reliability, and cost.

Enter the type-of-service value to be applied to IP packets. Valid entries are integers from 0 to 255.

For more information about type of service, refer to RFCs 791, 1122, 1349, and 3168.

Smallest TCP MSS

Enter the size of the smallest segment of TCP data that the ACE appliance is to accept. Valid entries are integers from 0 to 65535 bytes. The value 0 indicates that the ACE appliance is not to set a minimum limit.

Largest TCP MSS

Enter the size of the largest segment of TCP data that the ACE appliance is to accept. Valid entries are integers from 0 to 65535 bytes. The value 0 indicates that the ACE appliance is not to set a maximum limit.

SYN Retries

Enter the number of attempts that the ACE appliance is to make to transmit a TCP segment when initiating a Layer 7 connection. Valid entries are integers from 1 to 15, with a default of 4.

TCP WAN Optimization RTT

This option indicates how the ACE appliance is to apply TCP optimizations to packets on a connection associated with a Layer 7 policy map using a round-trip time (RTT) value:

An entry of 0 (zero) indicates that the ACE appliance is to apply TCP optimizations to packets for the life of a connection.

An entry of 65535 (the default) indicates that the ACE appliance is to perform normal operations (that is, without optimizations) for the life of a connection.

Entries from 1 to 65534 indicate that the ACE appliance is to use the following guidelines:

If the actual client RTT is less than the configured RTT, the ACE appliance performs normal operations for the life of the connection.

If the actual client RTT is greater than or equal to the configured RTT, the ACE appliance performs TCP optimizations on the packets for the life of a connection.

Valid entries are integers from 0 to 65535.

Timeout for Embryonic Connections

An embryonic connection is a TCP three-way handshake for a connection that does not complete for some reason. Enter the number of seconds that the ACE appliance is to wait before timing out an embryonic connection. Valid entries are integers from 0 to 4294967295 with a default of 5. A value of 0 indicates the ACE appliance is never to time out an embryonic connection.

Half Closed Timeout

A half-closed connection is one in which the client or server sends a FIN and the server or client acknowledges the FIN without sending a FIN itself. Enter the number of seconds the ACE appliance is to wait before closing a half-closed connection. Valid entries are integers from 0 to 4294967295 with a default of 3600 (1 hour). A value of 0 indicates that the ACE appliance is never to time out a half-closed connection.

Inactivity Timeout

Enter the number of seconds that the ACE appliance is to wait before disconnecting idle connections. Valid entries are integers from 0 to 3217203. A value of 0 indicates that the ACE appliance is never to time out a TCP connection.

Slow Start Algorithm

When enabled, the slow-start algorithm increases TCP window size as ACK handshakes arrive so that new segments are injected into the network at the rate at which acknowledgements are returned by the host at the other end of the connection.

Select the check box to enable the slow-start algorithm, and clear the check box to disable the slow-start algorithm. This option is disabled by default.

SYN Segments with Data

Indicate how the ACE appliance is to handle TCP SYN segments that contain data:

Allow—Indicates that the ACE appliance is to permit SYN segments that contain data and mark them for processing.

Drop—Indicates that the ACE appliance is to discard SYN segments that contain data.

Urgent Pointer Policy

The Urgent control bit in the TCP header indicates that urgent data is to be processed as soon as possible, even before normal data. Indicate how the ACE appliance is to handle urgent data as identified by the Urgent data control bit:

Allow—Indicates that the ACE appliance is to permit the status of the Urgent control bit.

Clear—Indicates that the ACE appliance is to set the Urgent control bit to 0 (zero) and thereby invalidate the Urgent Pointer which provides segment information.

ACK Delay Time

Enter the number of milliseconds that the ACE appliance is to wait before sending an acknowledgement from a client to a server. Valid entries are integers from 0 to 400.

TCP Buffer-Share

To improve throughput and overall performance, the ACE buffers the number of bytes you specify before processing received data or transmitting data. Use this option to increase the default buffer size and thereby realize improved network performance.

Enter the maximum size of the TCP buffer in bytes. Valid entries are integers from 8192 to 262143 bytes.

Note If you enter a value in this field for an ACE that does not support this option, an error message appears. Leave this field blank when creating or modifying a connection parameter map for devices that do not support this option.

TCP Window-Scale Factor

The TCP window scaling extension expands the definition of the TCP window to 32 bits and uses a scale factor to carry the 32-bit value in the 16-bit window of the TCP header. Increasing the window size improves TCP performance in network paths with large bandwidth, long-delay characteristics.

Enter the window scale factor. Valid entries are integers from 0 to 14 (the maximum scale factor).

For more information on TCP window scaling, refer to RFC 1323.

Action for TCP Options Range

Indicate how the ACE appliance is to handle the TCP options:

Selective ACK

Timestamps

TCP Window Scaling

by selecting one of the options:

N/A—Indicates that no action is specified.

Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.

Drop—Indicates that the ACE appliance is to discard any segment with the specified option set.

Lower TCP Options

Appears if you select Allow or Drop for the Action for TCP Options Range.

Enter the lower limit of the TCP option range. Valid entries are 6, 7, or an integer from 9 to 255. See Table 3-41 for information on TCP options.

Upper TCP Options

Appears if you select Allow or Drop for the Action for TCP Options Range.

Enter the upper limit of the TCP option range. Valid entries are 6, 7, or an integer from 9 to 255. See Table 3-41 for information on TCP options.

Selective ACK

Indicate how the ACE appliance is to handle the selective ACK option that is specified in SYN segments:

Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.

Clear—Indicates that the ACE appliance is to clear the specified option from any segment that has it set and allow the segment.

Timestamps

Indicate how the ACE appliance is to handle the timestamp option that is specified in SYN segments:

Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.

Clear—Indicates that the ACE appliance is to clear the specified option from any segment that has it set and allow the segment.

TCP Window Scale Factor

Indicate how the ACE appliance is to handle the TCP window scale factor option that is specified in SYN segments:

Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.

Clear—Indicates that the ACE appliance is to clear the specified option from any segment that has it set and allow the segment.


Step 4 To configure virtual server properties in the Basic View, enter the information in Table 3-5.

Table 3-5 Virtual Server Properties - Basic View 

Field
Description

VIP Name

Enter the name for the virtual server.

VIP IP

Enter the IP address for the virtual server.

Protocol

Select the protocol that the virtual server supports:

Any—Indicates that the virtual server is to accept connections using any IP protocol.

TCP—Indicates that the virtual server is to accept connections that use TCP.

UDP—Indicates that the virtual server is to accept connections that use UDP.

Application Protocol

Select the application protocol to be supported by the virtual server.

For TCP, the options are:

Other—Any protocol other than those specified.

HTTP—Hyper Text Transfer Protocol

HTTPS—HTTP over SSL

If you select HTTPS, the SSL Termination configuration options appear. See Configuring Virtual Server SSL Termination.

FTP—File Transfer Protocol

RTSP—Real Time Streaming Protocol

For UDP, the options are:

Other—Any protocol other than those specified.

DNS—Domain Name System

Port

This field appears for any specified protocol.

Enter the port to be used for the specified protocol. Valid entries are integers from 0 to 65535 or a range of integers, such as 10-20. Enter 0 (zero) to indicate all ports.

For a complete list of all protocols and ports, see the Internet Assigned Numbers Authority available at www.iana.org/numbers.html.

All VLANs

Select the check box to support incoming traffic from all VLANs. Clear the check box to support incoming traffic from specific VLANs only.

VLAN

This field appears if the All VLANs check box is cleared.

In the Available Items list, select the VLANs to use for incoming traffic, then click Add to Selection. The items appear in the Selected Items list.

To remove VLANs, select them in the Selected Items list, then click Remove from Selection. The items appear in the Available Items list.

Note You cannot change the VLAN for a virtual server once it is specified. Instead, you need to delete the virtual server and create a new one with the desired VLAN.


Step 5 When you finish configuring virtual server properties, click:

Deploy Now to deploy the configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries.
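
The value ranges and special values in Table 3-4 can be checked before a connection parameter map is deployed. The following Python audit is an added example, not Cisco code or part of the Device Manager; the dictionary keys are hypothetical names for the GUI fields, and both sample maps are constructed.

```python
# Valid integer ranges copied from Table 3-4. The keys are hypothetical names
# for the GUI fields, not ACE CLI keywords.
INT_RANGES = {
    "type_of_service": (0, 255),
    "smallest_tcp_mss": (0, 65535),
    "largest_tcp_mss": (0, 65535),
    "syn_retries": (1, 15),
    "wan_optimization_rtt": (0, 65535),
    "embryonic_timeout": (0, 4294967295),
    "half_closed_timeout": (0, 4294967295),
    "inactivity_timeout": (0, 3217203),
    "ack_delay_ms": (0, 400),
    "tcp_buffer_share": (8192, 262143),
    "window_scale_factor": (0, 14),
}
CHOICES = {
    "exceeds_mss": ("allow", "drop"),
    "reserved_bits": ("allow", "drop", "clear"),
    "syn_with_data": ("allow", "drop"),
    "urgent_pointer": ("allow", "clear"),
    "tcp_options_action": ("n/a", "allow", "drop"),
}
NEVER_TIMES_OUT = ("embryonic_timeout", "half_closed_timeout", "inactivity_timeout")


def is_int(value):
    return isinstance(value, int) and not isinstance(value, bool)


def valid_tcp_option(n):
    """Lower/Upper TCP Options accept 6, 7, or an integer from 9 to 255."""
    return is_int(n) and (n in (6, 7) or 9 <= n <= 255)


def audit(pmap):
    """Return a sorted list of (level, field, message) findings for one map."""
    findings = []
    for field, (low, high) in INT_RANGES.items():
        value = pmap.get(field)
        if value is None:
            continue  # field left blank in the form
        if not is_int(value) or not low <= value <= high:
            findings.append(("error", field, f"{value!r} is outside {low}-{high}"))
    for field, allowed in CHOICES.items():
        value = pmap.get(field)
        if value is not None and value not in allowed:
            findings.append(("error", field, f"{value!r} is not one of {allowed}"))
    # Lower/Upper TCP Options only appear when the range action is Allow or Drop.
    if pmap.get("tcp_options_action") in ("allow", "drop"):
        lower, upper = pmap.get("lower_tcp_option"), pmap.get("upper_tcp_option")
        if not (valid_tcp_option(lower) and valid_tcp_option(upper)):
            findings.append(("error", "tcp_options_range", "limits must be 6, 7 or 9-255"))
        elif lower > upper:  # added sanity check, not stated in the table
            findings.append(("error", "tcp_options_range", "lower limit exceeds upper limit"))
    # Values the table singles out: 0 disables a timeout entirely, and random
    # sequence numbers are enabled by default because they add security.
    for field in NEVER_TIMES_OUT:
        if pmap.get(field) == 0:
            findings.append(("review", field, "0 means the connection never times out"))
    if pmap.get("random_sequence_number") is False:
        findings.append(("review", "random_sequence_number", "TCP sequence randomization is off"))
    return sorted(findings)


def wan_optimization_applies(configured_rtt, client_rtt):
    """TCP WAN Optimization RTT rule: 0 = always, 65535 = never, else compare."""
    if configured_rtt == 0:
        return True
    if configured_rtt == 65535:
        return False
    return client_rtt >= configured_rtt


# Constructed sample maps. WEAK_MAP mixes invalid entries with settings that
# deserve a second look; CLEAN_MAP stays inside every documented range.
WEAK_MAP = {
    "random_sequence_number": False, "embryonic_timeout": 0,
    "half_closed_timeout": 3600, "inactivity_timeout": 0, "syn_retries": 20,
    "reserved_bits": "permit", "tcp_options_action": "drop",
    "lower_tcp_option": 8, "upper_tcp_option": 20,
}
CLEAN_MAP = {
    "random_sequence_number": True, "embryonic_timeout": 5,
    "half_closed_timeout": 3600, "inactivity_timeout": 300, "syn_retries": 4,
    "exceeds_mss": "drop", "reserved_bits": "drop", "syn_with_data": "drop",
    "urgent_pointer": "clear", "wan_optimization_rtt": 65535,
    "tcp_options_action": "drop", "lower_tcp_option": 9, "upper_tcp_option": 255,
}

if __name__ == "__main__":
    for level, field, message in audit(WEAK_MAP):
        print(f"{level:6} {field}: {message}")
```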


Related Topics

Configuring Virtual Servers

Configuring Virtual Server SSL Termination

Configuring Virtual Server SSL Termination

The SSL termination service allows the virtual server to act as an SSL proxy server: it terminates SSL sessions between itself and its clients and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server.

Use this procedure to configure virtual server SSL termination service.

Assumption

A virtual server has been configured for HTTPS over TCP or Other over TCP in the Properties configuration subset. For more information, see Configuring Virtual Server Properties.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server you want to configure for SSL termination, then click Edit. The Virtual Server configuration screen appears.

Step 3 Click SSL Termination. The Proxy Service Name field appears.

Step 4 In the Proxy Service Name field, select an existing SSL termination service, or select *New* to create a new SSL proxy service:

If you select an existing SSL service, the screen refreshes and allows you to view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you select *New*, the Proxy Service configuration subset appears.

Step 5 Configure the SSL service using the information in Table 3-6.

Table 3-6 Virtual Server SSL Termination Attributes

Field
Description

Name

Enter a name for this SSL proxy service. Valid entries are alphanumeric strings with a maximum of 26 characters.

Key List

Select the SSL key pair to use during the SSL handshake for data encryption.

Certificate

Select the SSL certificate to use during the SSL handshake.

Chain Group

Select the chain group to use during the SSL handshake.

Parameter Map

Select the SSL parameter map to associate with this proxy server service.


For information about using SSL keys and certificates, see Configuring SSL, page 4-1.

Step 6 When you finish configuring virtual server properties, click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries.


Related Topics

Configuring Virtual Servers

Configuring Virtual Server Properties

Configuring Virtual Server Protocol Inspection

Configuring protocol inspection allows the virtual server to verify protocol behavior and identify unwanted or malicious traffic passing through the ACE appliance.

In the Advanced View, protocol inspection configuration is available for the following virtual server protocol configurations:

TCP with HTTP, HTTPS, FTP, or RTSP

UDP with DNS

In the Basic View, protocol inspection configuration is available for TCP with FTP.

Use this procedure to configure protocol inspection on a virtual server.

Assumption

A virtual server has been configured to use one of the protocols that supports protocol inspection in the Properties configuration subset. See Configuring Virtual Server Properties for information on configuring these protocols.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server that you want to configure for protocol inspection, then click Edit. The Virtual Server configuration screen appears.

Step 3 Click Protocol Inspection. The Enable Inspect check box appears.

Step 4 Select the Enable Inspect check box to enable inspection on the specified traffic. Clear this check box to disable inspection on this traffic. By default, ACE appliances allow all request methods.

Step 5 If you select the Enable Inspect check box, configure additional inspection options according to the virtual server application protocol configuration:

For DNS, in the Length field enter the maximum length of the DNS packet in bytes. Valid entries are from 512 to 65535 bytes. If you do not enter a value in this field, the DNS packet size is not checked.

For FTP, continue with Step 6.

For HTTP and HTTPS, continue with Step 7.

Step 6 For FTP protocol inspection:

a. Select the Use Strict check box to indicate that the virtual server is to perform enhanced inspection of FTP traffic and enforce compliance with RFC standards. Clear this check box to indicate that the virtual server is not to perform enhanced FTP inspection.

b. If you select the Use Strict check box, in the Blocked FTP Commands field, identify the commands that are to be denied by the virtual server. See Table 7-6 for more information about the FTP commands.

Select the commands that are to be blocked by the virtual server in the Available Items list, then click Add. The commands appear in the Selected Items list.

To remove commands that you do not want to be blocked, select them in the Selected Items list, then click Remove. The commands appear in the Available Items list.

Step 7 For HTTP or HTTPS inspection:

a. Select the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic. When enabled, this feature logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed. Clear this check box to disable monitoring of Layer 3 and Layer 4 traffic.

b. In the Policy subset, click Add to add a new match condition and action, or select an existing match condition and action, then click Edit to modify it. The Policy configuration pane appears.

c. In the Matches field, select an existing class map or *New* or *Inline Match* to configure new match criteria for protocol inspection.

If you select an existing class map, the screen refreshes and allows you to view, modify, or duplicate the selected class map. See Shared Objects and Virtual Servers for more information about modifying shared objects.

d. Configure match criteria and related actions by following the steps in Table 3-7.

Table 3-7 Protocol Inspection Match Criteria Configuration  

Selection
Action

Existing class map

1. Click View to review the match condition information for the selected class map.

2. Click:

Cancel to continue without making changes and to return to the previous screen.

Edit to modify the existing configuration.

Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map.

See Shared Objects and Virtual Servers for more information about modifying shared objects.

3. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Permit—Indicates that the specified traffic is to be received by the virtual server if it meets the specified deep inspection match criteria.

Reset—Indicates that the specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.

*New*

1. In the Name field, specify a unique name for this class map.

2. In the Match field, select the method to be used to evaluate multiple match statements when multiple match conditions exist:

Any—Indicates that a match exists if at least one of the match conditions is satisfied.

All—Indicates that a match exists only if all match conditions are satisfied.

3. In the Conditions table, click Add to add a new set of conditions, or select an existing entry, then click Edit to modify it. The Type field appears.

4. In the Type field, select the type of condition that is to be met for protocol inspection and configure protocol-specific criteria using the information in Table 3-8.

5. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Permit—Indicates that the specified traffic is to be received by the virtual server if it meets the specified deep inspection match criteria.

Reset—Indicates that the specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.

*Inline Match*

1. In the Conditions Type field, select the type of inline match condition that is to be met for protocol inspection.

Table 3-8 describes the types of conditions and their related configuration options.

2. Provide condition-specific criteria using the information in Table 3-8.

3. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Permit—Indicates that the specified traffic is to be received by the virtual server if it meets the specified deep inspection match criteria.

Reset—Indicates that the specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.


Table 3-8 Protocol Inspection Conditions and Options 

Condition
Description

None

No conditions are defined for application inspection decisions.

URL

URL names are to be used for application inspection decisions.

In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.

URL Length

URL length is to be used for application inspection decisions.

In the URL Length field, enter the number of bytes to be used for application inspection decisions using one of the following formats:

bytes—Indicates that the URL length must equal the number of bytes specified. For example, 2048.

>bytes—Indicates that the URL length must be greater than the number of bytes specified. For example, >1026.

<bytes—Indicates that the URL length must be less than the number of bytes specified. For example, <512.

bytes1-bytes2—Indicates that the URL length must fall within the range specified. For example, 1-300.

Valid entries are integers from 1 to 65535.

Content

Specific content contained within the HTTP entity-body is to be used for application inspection decisions.

1. In the Content field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.

2. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 4000 bytes.

Content Length

The content parse length is used for application inspection decisions.

In the Content Length field, enter the number of bytes to be used for application inspection decisions using one of the following formats:

bytes—Indicates that the content length must equal the number of bytes specified. For example, 2048.

>bytes—Indicates that the content length must be greater than the number of bytes specified. For example, >1026.

<bytes—Indicates that the content length must be less than the number of bytes specified. For example, <512.

bytes1-bytes2—Indicates that the content length must fall within the range specified. For example, 1-300.

Valid entries are integers from 0 to 4294967295.

Header

The name and value in an HTTP header are used for application inspection decisions.

1. In the Header Name field, enter the name of the HTTP header to be matched. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

2. In the Header Value field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. See Table 7-13 for a list of the supported characters that you can use in regular expressions.

Header Length

The length of the header in the HTTP message is used for application inspection decisions.

1. In the Header Command field, specify whether HTTP header request or response messages are to be used for application inspection decisions:

Request—Indicates that HTTP header request messages are to be checked for header length.

Response—Indicates that HTTP header response messages are to be checked for header length.

2. In the Header Length field, enter the number of bytes to be used for application inspection decisions using one of the following formats:

bytes—Indicates that the header length must equal the number of bytes specified. For example, 248.

>bytes—Indicates that the header length must be greater than the number of bytes specified. For example, >126.

<bytes—Indicates that the header length must be less than the number of bytes specified. For example, <212.

bytes1-bytes2—Indicates that the header length must fall within the range specified. For example, 1-30.

Valid entries are integers from 0 to 255.

Header MIME Type

Multipurpose Internet Mail Extension (MIME) message types are used for application inspection decisions.

In the MIME Type field, select the MIME message type to be used for this match condition.

Port Misuse

The misuse of port 80 (or any other port running HTTP) is to be used for application inspection decisions.

Indicate the application category to be used for this match condition:

IM—Indicates that instant messaging applications are to be checked.

P2P—Indicates that peer-to-peer applications are to be checked.

Tunneling—Indicates that tunneling applications are to be checked.

Request Method RFC

A request method defined in RFC 2616 is to be used for application inspection decisions.

In the RFC Request Method field, select the request method that is to be inspected.

Request Method EXT

An HTTP extension method is to be used for application inspection decisions.

In the EXT Request Method field, select the HTTP extension request method that is to be inspected.

Transfer Encoding

An HTTP transfer-encoding type is to be used for application inspection decisions. The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient.

In the Transfer Encoding field, select the type of encoding that is to be checked:

Chunked—The message body is transferred as a series of chunks.

Compress—The encoding format that is produced by the UNIX file compression program compress.

Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE compression mechanism described in RFC 1951.

Gzip—The encoding format that is produced by the file compression program GZIP (GNU zip) as described in RFC 1952.

Identity—The default (identity) encoding which does not require the use of transformation.

Strict HTTP

Compliance with HTTP RFC 2616 is to be used for application inspection decisions.

Note Strict HTTP is only available as an inline match condition. Because this Layer 7 HTTP deep inspection match criteria cannot be combined with other match criteria, it appears as an inline match condition.

Content Type Verification

Verification of MIME-type messages with the header MIME-type is to be used for application inspection decisions. This option verifies that the header MIME-type value is in the internal list of supported MIME-types and that the header MIME-type matches the content in the data or body portion of the message.

Note Content Type Verification is only available as an inline match condition. Because this Layer 7 HTTP deep inspection match criteria cannot be combined with other match criteria, it appears as an inline match condition.


e. Click:

OK to save your entries. The Conditions table refreshes with the new entry.

Cancel to exit the Policy subset without saving your entries.

f. In the Default Action field, select the default action that the virtual server is to take when specified match conditions for protocol inspection are not met:

Permit—Indicates that the specified HTTP traffic is to be received by the virtual server.

Reset—Indicates that the specified HTTP traffic is to be denied by the virtual server.

N/A—Indicates that this attribute is not set.

Step 8 When you finish configuring virtual server properties, click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries.
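
The length formats in Table 3-8 (bytes, >bytes, <bytes, bytes1-bytes2), the Any/All match methods in Table 3-7, and the Default Action from Step 7 combine into a single permit-or-reset decision. The following Python model of that decision is an added example, not Cisco code; the policy names and sample lengths are constructed, the caller is assumed to supply the measured lengths, and both the inclusive range ends and the first-match policy order are assumptions.

```python
import re

# Valid ranges for each length condition, as given in Table 3-8.
BOUNDS = {
    "url_length": (1, 65535),
    "content_length": (0, 4294967295),
    "header_length": (0, 255),
}
LENGTH_SPEC = re.compile(r"(?:([<>])([0-9]+)|([0-9]+)-([0-9]+)|([0-9]+))\Z")


def parse_length_spec(kind, spec):
    """Parse 'N', '>N', '<N' or 'N1-N2' into inclusive (low, high) limits.

    None means unbounded on that side. Treating 'N1-N2' as inclusive at both
    ends is an assumption; the table only says "within the range".
    """
    match = LENGTH_SPEC.match(spec)
    if match is None:
        raise ValueError(f"unrecognised length format: {spec!r}")
    op, n, first, last, exact = match.groups()
    low_ok, high_ok = BOUNDS[kind]
    for text in (n, first, last, exact):
        if text is not None and not low_ok <= int(text) <= high_ok:
            raise ValueError(f"{text} is outside {low_ok}-{high_ok} for {kind}")
    if op == ">":
        return (int(n) + 1, None)
    if op == "<":
        return (None, int(n) - 1)
    if exact is not None:
        return (int(exact), int(exact))
    if int(first) > int(last):
        raise ValueError(f"empty range: {spec!r}")
    return (int(first), int(last))


def length_matches(limits, measured):
    low, high = limits
    return (low is None or measured >= low) and (high is None or measured <= high)


def class_map_matches(class_map, lengths):
    """Apply the Match field: 'any' needs one condition, 'all' needs every one."""
    results = [
        length_matches(parse_length_spec(kind, spec), lengths[kind])
        for kind, spec in class_map["conditions"]
    ]
    return any(results) if class_map["match"] == "any" else all(results)


def decide(policies, default_action, lengths):
    """Return the action of the first matching policy, else the default action.

    Evaluating policies top to bottom with the first match winning is an
    assumption of this example.
    """
    for class_map, action in policies:
        if class_map_matches(class_map, lengths):
            return action
    return default_action


# Constructed policy list using the example values from Table 3-8.
POLICIES = [
    ({"name": "OVERSIZED", "match": "any",
      "conditions": [("url_length", ">1026"), ("header_length", ">126")]}, "reset"),
    ({"name": "SMALL_BODY", "match": "all",
      "conditions": [("url_length", "<512"), ("content_length", "1-300")]}, "permit"),
]

if __name__ == "__main__":
    sample = {"url_length": 1027, "header_length": 40, "content_length": 0}
    print(decide(POLICIES, "reset", sample))
```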


Related Topics

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Layer 7 Load Balancing

Layer 7 load balancing is available for virtual servers configured for HTTP or HTTPS. See Configuring Virtual Server Properties for information on configuring these protocols.

Use this procedure to configure Layer 7 load balancing on a virtual server.

Assumption

A virtual server has been configured to use HTTP or HTTPS in the Properties configuration subset. See Configuring Virtual Server Properties for information on configuring these protocols.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server you want to configure for Layer 7 load balancing, then click Edit. The Virtual Server configuration screen appears.

Step 3 Click L7 Load-Balancing. The Layer 7 Load-Balancing Rule Match table appears.

Step 4 In the Rule Match table, click Add to add a new match condition and action, or select an existing match condition and action, then click Edit to modify it. The Rule Match configuration pane appears.

Step 5 In the Rule Match field, select an existing class map or *New* or *Inline Match* to configure new match criteria for Layer 7 load balancing:

If you select an existing class map, click View to review, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click *New* or *Inline Match*, the Rule Match configuration subset appears.

Step 6 Configure match criteria by following the steps in Table 3-9.

Table 3-9 Layer 7 Load-Balancing Match Criteria Configuration  

Selection
Action

Existing class map

1. Click View to review the match condition information for the selected class map.

2. Click:

Cancel to continue without making changes and to return to the previous screen.

Edit to modify the existing configuration.

Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map.

See Shared Objects and Virtual Servers for more information about modifying shared objects.

*New*

1. In the Name field, enter a unique name for this class map.

2. In the Match field, select the method to be used to evaluate multiple match statements when multiple match conditions exist:

Match Any—Indicates that a match exists if at least one of the match conditions is satisfied.

Match All—Indicates that a match exists only if all match conditions are satisfied.

3. In the Conditions table, click Add to add a new set of conditions or select an existing entry, then click Edit to modify it.

4. In the Type field, select the match condition to be used.

Table 3-10 describes the types of conditions and their related configuration options.

5. Configure any condition-specific options using the information in Table 3-10.

6. Click:

OK to accept your entries and to return to the Conditions table.

Cancel to exit this procedure without saving your entries and to return to the Conditions table.

*Inline Match*

1. In the Conditions Type field, select the type of inline match condition that is to be met for load balancing.

Table 3-10 describes the types of conditions and their related configuration options.

2. Provide condition-specific criteria using the information in Table 3-10.


Table 3-10 Layer 7 Load-Balancing Rule Match Configuration 

Match Condition
Description

Http-cookie

Indicates that HTTP cookies are to be used for this rule.

If you select this method:

1. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

2. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching string expressions. Table 7-13 lists the supported characters that you can use for matching string expressions.

3. Select the Secondary Cookie Matching check box to indicate that the ACE appliance is to use both the cookie name and the cookie value to satisfy this match condition. Clear this check box to indicate that the ACE appliance is to use either the cookie name or the cookie value to satisfy this match condition.

This field does not appear for inline match conditions.

Http-header

Indicates that the HTTP header and a corresponding value are to be used for this rule.

If you select this method:

1. In the Header Name field, enter the name of the generic field in the HTTP header. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

2. In the Header Value field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 7-13 lists the supported characters that you can use in regular expressions.

Http-url

Indicates that this rule is to perform regular expression matching against the received packet data from a particular connection based on the HTTP URL string.

If you select this method:

1. In the URL Expression field, enter a URL, or portion of a URL, to match. Valid entries are URL strings from 1 to 255 alphanumeric characters. Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE appliance supports regular expressions for matching URL strings. Table 7-13 lists the supported characters that you can use in regular expressions.

2. In the Method Expression field, enter the HTTP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE).

Source-address

Indicates that this rule is to use a client source IP address to establish match conditions.

If you select this method:

1. In the Source Address field, enter the source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.2).

2. In the Netmask field, select the subnet mask to apply to the source IP address.

Class-map

Indicates that this rule is to use an existing class map to establish match conditions.

If you select this method, in the Classmap field, select the class map to be used.

This option is not available for inline match conditions.


Step 7 In the Primary Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Drop—Indicates that client requests for content are to be discarded when match conditions are met. Continue with Step 10.

Forward—Indicates that client requests for content are to be forwarded without performing load balancing on the requests when match conditions are met. Continue with Step 10.

Load Balance—Indicates that client requests for content are to be directed to a server farm when match conditions are met. Continue with Step 8.

Step 8 If you select Load Balance as the primary action, you can configure load balancing using a server farm, a server farm/backup server farm pair, an existing sticky group, or a new sticky group.


Note If you select an existing object in any of these scenarios, you can view, modify, or duplicate the selected object's existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects in virtual servers.


Configure load balancing using the information in Table 3-11.

Table 3-11 Virtual Server Load-Balancing Options 

To configure...
Do this...

Load balancing using a server farm

In the Server Farm field, select the server farm to be used for load balancing for this virtual server, or select *New* to configure a new server farm (see Table 3-12).

Load balancing using a server farm/backup server farm pair

1. In the Server Farm field, select the primary server farm to use for load balancing, or select *New* to configure a new server farm (see Table 3-12).

2. In the Backup Server Farm field, select the server farm to act as the backup server farm for load balancing if the primary server farm is unavailable, or select *New* to configure a new backup server farm (see Table 3-12).

Load balancing using an existing sticky group

1. In the Server Farm field, select the primary server farm to use for load balancing. This must be the primary server farm specified in the existing sticky group.

2. In the Backup Server Farm field, select the backup server farm to use for load balancing. This must be the backup server farm specified in the existing sticky group.

3. In the Sticky Group field, select the sticky group to use.

Note Sticky groups appear in the Sticky Group field only when their configured primary and backup server farms are selected, respectively. If you select a sticky group and then select a different primary or backup server farm, the sticky group that you selected in the Sticky Group field no longer appears. To change an existing sticky group configuration, modify it in the Stickiness configuration screen (Config > Virtual Contexts > context > Load Balancing > Stickiness).

Load balancing using a new sticky group

1. In the Server Farm field, select the primary server farm to use for load balancing, or select *New* to configure a new server farm (see Table 3-12).

2. In the Backup Server Farm field, select the server farm to act as the backup server farm for load balancing if the primary server farm is unavailable, or select *New* to configure a new backup server farm (see Table 3-12).

3. In the Sticky Group field, select *New*, then configure a new sticky group using the information in Table 3-13.

Note The context in which you configure a sticky group must be associated with a resource class that allocates a portion of ACE appliance resources to stickiness. See Managing Resource Classes, page 2-29 for more information on resource classes.


Table 3-12 New Server Farm Attributes 

Field
Description

Name

Enter a unique name for this server farm. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Type

Select the type of server farm:

Host—Indicates that this is a typical server farm that consists of real servers that provide content and services to clients.

Redirect—Indicates that this server farm consists only of real servers that redirect client requests to alternate locations specified in the real server configuration.

Predictor

Specify the method for selecting the next server in the server farm to respond to client requests:

Roundrobin—Indicates that server selection in the server farm is based on server weight.

Leastconns—Indicates that server selection in the server farm is based on the number of connections; the server with the fewest connections is selected next.

If you select Leastconns, the Least Connections Slow Start field appears. In the Least Connections Slow Start field, enter the slow-start value to be applied. Valid entries are integers from 1 to 65535, where 1 is the slowest ramp-up time.

The slow-start mechanism is used to avoid sending a high number of new connections to servers that have just been put into service.

Probes

Specify the health monitoring probes to use:

To include a probe that you want to use for health monitoring, select it in the Available Items list, then click Add. The probe appears in the Selected Items list.

To remove a probe that you do not want to use for health monitoring, select it in the Selected Items list, then click Remove. The probe appears in the Available Items list.

To specify a sequence for probe use, select probes in the Selected Items list, then click Up or Down until you have the desired sequence.

Click Create to add a new probe. See Configuring Health Monitoring for Real Servers.

Select a probe in the list on the right, then click View to review its configuration.

After you add a probe, you can modify the attributes for a health probe from the Health Monitoring table (Config > Virtual Contexts > context > Load Balancing > Health Monitoring) as described in Configuring Health Monitoring for Real Servers. You can also delete an existing health probe from the Health Monitoring table.

Real Servers

The Real Servers table allows you to add, modify, remove, or change the order of real servers.

1. Select an existing server, or click Add to add a server to the server farm:

If you select an existing server, you can view, modify, or duplicate the server's existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click Add, the table refreshes and allows you to enter server information.

2. In the IP Address field, enter the IP address of the real server in dotted-decimal format.

3. In the Name field, enter the name of the real server.

4. In the Port field, enter the port number to be used for server port address translation (PAT). Valid entries are integers from 1 to 65535.

5. In the Weight field, enter the weight to assign to this server in the server farm. Valid entries are integers from 1 to 100, and the default is 8.

6. In the State field, select the administrative state of this server:

Inservice—The server is to be placed in use as a destination for server load balancing.

Out of Service—The server is not to be placed in use by a server load balancer as a destination for client connections.

Inservice Standby—The server is a backup server and is to remain inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections.

7. Click:

OK to accept your entries and add this real server to the server farm. The table refreshes with updated information.

Cancel to exit this procedure without saving your entries and to return to the Real Servers table.


Table 3-13 Sticky Type Attributes 

Field
Description

Group Name

Enter a unique identifier for the sticky type. You can either accept the automatically incremented entry given or you can enter your own. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

Sticky Type

Select the method to be used when establishing sticky connections:

HTTP Cookie—Indicates that the virtual server is either to learn a cookie from the HTTP header of a client request or to insert a cookie in the Set-Cookie header of the response from the server to the client, and then use the learned cookie to provide stickiness between the client and server for the duration of the transaction.

HTTP Header—Indicates that the virtual server is to stick client connections to the same real server based on HTTP headers.

IP Netmask—Indicates that the virtual server is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IP address, the destination IP address, or both.

Note If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence.

Cookie Name

This option appears for sticky type HTTP Cookie.

Enter a unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

Enable Insert

This option appears for sticky type HTTP Cookie.

Select this check box if the virtual server is to insert a cookie in the Set-Cookie header of the response from the server to the client. This option is useful when you want to use a session cookie for persistence but the server is not currently setting the appropriate cookie. When selected, the virtual server selects a cookie value that identifies the original server from which the client received a response. For subsequent connections of the same transaction, the client uses the cookie to stick to the same server.

Clear this check box to disable cookie insertion.

Offset

This option appears for sticky types HTTP Cookie and HTTP Header.

Enter the number of bytes the virtual server is to ignore starting with the first byte of the cookie. Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the cookie.

Length

This option appears for sticky types HTTP Cookie and HTTP Header.

Enter the length of the portion of the cookie (starting with the byte after the offset value) that the ACE appliance is to use for sticking the client to the server. Valid entries are integers from 1 to 4000, and the default is 4000.

Secondary Name

This option appears for sticky type HTTP Cookie.

Enter an alternate cookie name that is to appear in the URL string of the Web page on the server. The virtual server uses this cookie to maintain a sticky connection between a client and a server and adds a secondary entry in the sticky table. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Header Name

This option appears for sticky type HTTP Header.

Select the HTTP header to use for sticking client connections.

Netmask

This field appears for sticky type IP Netmask.

Select the netmask to apply to the source IP address, destination IP address, or both.

Address Type

This field appears for sticky type IP Netmask.

Indicate whether this sticky type is to be applied to the client source IP address, the destination IP address, or both:

Both—Indicates that this sticky type is to be applied to both the source IP address and the destination IP address.

Source—Indicates that this sticky type is to be applied to the source IP address only.

Destination—Indicates that this sticky type is to be applied to the destination IP address only.

Aggregate State

Select this check box to indicate that the state of the primary server farm is to be tied to the state of all real servers in the server farm and in the backup server farm, if configured. The ACE appliance declares the primary server farm down if all real servers in the primary server farm and all real servers in the backup server farm are down.

Clear this check box if the state of the primary server farm is not to be tied to all real servers in the server farm and in the backup server farm.

Sticky Enabled

Select this check box to indicate that the backup server farm is sticky. Clear this check box if the backup server farm is not sticky.

Replicate

Select this check box to indicate that the virtual server is to replicate sticky table entries on the backup server farm. If a failover occurs and this option is selected, the new active server farm can maintain the existing sticky connections.

Clear this check box to indicate that the virtual server is not to replicate sticky table entries on the backup server farm.

Timeout

Enter the number of minutes that the virtual server keeps the sticky information for a client connection in the sticky table after the latest client connection terminates. Valid entries are integers from 1 to 65535; the default is 1440 minutes (24 hours).

Timeout Active Connections

Select this check box to specify that the virtual server is to time out sticky table entries even if active connections exist after the sticky timer expires.

Clear this check box to specify that the virtual server is not to time out sticky table entries even if active connections exist after the sticky timer expires. This is the default behavior.


Step 9 Select the Enable Compression (Deflate Method) check box to indicate that the ACE appliance is to use the DEFLATE method to compress packets when a client request indicates that the client browser is capable of packet compression. The ACE appliance compresses the packets using the following default compression parameter values:

Mime type—All text formats (text/*).

Minimum size—512 bytes.

User agent—None.

Clear the Enable Compression (Deflate Method) check box to indicate that the ACE appliance is not to compress packets.

Step 10 In the SSL Initiation field, select an existing service, or select *New* to create a new service. SSL initiation allows the virtual server to act as an SSL proxy client to initiate and maintain an SSL connection between itself and an SSL server. In this particular application, the ACE receives clear text from an HTTP client, and encrypts and transmits the data as ciphertext to the SSL server. On the reverse side, the ACE decrypts the ciphertext that it receives from the SSL server and sends the data to the client as clear text.


Note The SSL Initiation field appears when TCP is the selected protocol and Other, HTTP, or HTTPS is the application protocol.


If you select an existing SSL service, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you select *New*, configure the service using the information in Table 3-14.

Table 3-14 Virtual Server SSL Initiation Attributes

Field
Description

Name

Enter a name for this SSL proxy service. Valid entries are alphanumeric strings with a maximum of 26 characters.

Key List

Select the SSL key pair to use during the SSL handshake for data encryption.

Certificate

Select the SSL certificate to use during the SSL handshake.

Chain Group

Select the chain group to use during the SSL handshake.

Parameter Map

Select the SSL parameter map to associate with this proxy server service.


For information about using SSL keys and certificates, see Configuring SSL, page 4-1.

Step 11 In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using the format header_name=header_value where:

header_name represents the name of the HTTP header to insert in the client HTTP request. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a predefined header or any custom header name provided that it does not exceed the maximum length limit.

header_value represents the expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 7-13 lists the supported characters that you can use in regular expressions.

For example, you might enter Host=www.cisco.com.

Step 12 Click:

OK to save your entries and to return to the Rule Match table.

Cancel to exit this procedure without saving your entries and to return to the Rule Match table.

Step 13 When you finish configuring virtual server properties, click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries.


Related Topics

Configuring Virtual Servers

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Default Layer 7 Load Balancing

Use this procedure to configure default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions.

Assumption

A virtual server has been configured. See Configuring Virtual Servers for information on configuring a virtual server.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server you want to configure for default Layer 7 load balancing, then click Edit. The Virtual Server configuration screen appears.

Step 3 Click Default L7 Load-Balancing Action. The Default L7 Load-Balancing Action configuration pane appears.

Step 4 In the Primary Action field, indicate the default action the virtual server is to take in response to client requests for content when specified match conditions are not met:

Drop—Indicates that client requests that do not meet specified match conditions are to be discarded. Continue with Step 6.

Forward—Indicates that client requests that do not meet specified match conditions are to be forwarded without performing load balancing on the requests. Continue with Step 6.

Load Balance—Indicates that client requests for content are to be directed to a server farm. If you select Load Balance, server farm, backup server farm, and sticky configuration options appear. Continue with Step 5.

Step 5 If you select Load Balance as the primary action, you can configure load balancing using a server farm, a server farm/backup server farm pair, an existing sticky group, or a new sticky group.


Note If you select an existing object in any of these scenarios, you can view, modify, or duplicate the selected object's existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects in virtual servers.


Configure load-balancing using the information in Table 3-11.

Step 6 Select the Enable Compression (Deflate Method) check box to indicate that the ACE appliance is to use the DEFLATE compression method to compress packets when a client request indicates that the client browser is capable of packet compression. The ACE appliance compresses the packets using the following default compression parameter values:

Mime type—All text formats (text/*).

Minimum size—512 bytes.

User agent—None.

Clear the Enable Compression (Deflate Method) check box to indicate that the ACE appliance is not to compress packets.

Step 7 In the SSL Initiation field, select an existing service, or select *New* to create a new service. SSL initiation allows the virtual server to act as an SSL proxy client to initiate and maintain an SSL connection between itself and an SSL server. In this particular application, the ACE receives clear text from an HTTP client, and encrypts and transmits the data as ciphertext to the SSL server. On the reverse side, the ACE decrypts the ciphertext that it receives from the SSL server and sends the data to the client as clear text.


Note The SSL Initiation field appears when TCP is the selected protocol and Other, HTTP, or HTTPS is the application protocol.


If you select an existing SSL service, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you select *New*, configure the service using the information in Table 3-14.

For information about using SSL keys and certificates, see Configuring SSL, page 4-1.

Step 8 In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using the format header_name=header_value where:

header_name represents the name of the HTTP header to insert in the client HTTP request. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a predefined header or any custom header name provided that it does not exceed the maximum length limit.

header_value represents the expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 7-13 lists the supported characters that you can use in regular expressions.

For example, you might enter Host=www.cisco.com.

Step 9 When you finish configuring virtual server properties, click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.
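The following added example (not Cisco code and not part of the original guide) models how the match criteria in Table 3-10, the primary action of a Layer 7 rule, and the default Layer 7 action described above combine, so that you can check which rule a given request lands on before you click Deploy Now. It assumes that rules are checked in table order and the first matching rule wins, uses Python regular expressions with whole-string matching as a stand-in for the ACE regular expression syntax in Table 7-13, and uses constructed rule names, server farm names, and requests.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for the parts of a client request the rules inspect."""
    src_ip: str
    method: str
    url: str                                     # portion after www.hostname.domain
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def cond_matches(cond, req):
    """Evaluate one match condition (the types listed in Table 3-10)."""
    kind = cond["type"]
    if kind == "http-cookie":
        value = req.cookies.get(cond["name"])
        return value is not None and re.fullmatch(cond["value"], value) is not None
    if kind == "http-header":
        for name, value in req.headers.items():
            if name.lower() == cond["name"].lower():   # header names ignore case
                return re.fullmatch(cond["value"], value) is not None
        return False
    if kind == "http-url":
        # The method expression, when present, must match exactly.
        if cond.get("method") and cond["method"] != req.method:
            return False
        return re.fullmatch(cond["url"], req.url) is not None
    if kind == "source-address":
        net = ipaddress.ip_network(f'{cond["address"]}/{cond["netmask"]}', strict=False)
        return ipaddress.ip_address(req.src_ip) in net
    raise ValueError(f"unsupported match condition: {kind}")


def rule_matches(rule, req):
    """Match Any needs one condition to hold; Match All needs every one."""
    if not rule["conditions"]:
        return False
    results = (cond_matches(c, req) for c in rule["conditions"])
    return any(results) if rule["match"] == "any" else all(results)


def resolve(action, farms_up):
    """Turn a primary action into (action, server farm or None)."""
    if action["primary"] in ("drop", "forward"):
        return action["primary"], None
    # Load Balance: use the primary farm, or the backup if the primary is unavailable.
    for farm in (action["farm"], action.get("backup")):
        if farm and farm in farms_up:
            return "load-balance", farm
    return "load-balance", None                  # no usable farm


def decide(rules, default_action, req, farms_up):
    """Return (rule name, action, farm). Assumption: first matching rule wins."""
    for rule in rules:
        if rule_matches(rule, req):
            return (rule["name"],) + resolve(rule["action"], farms_up)
    return ("default",) + resolve(default_action, farms_up)


# Constructed rule table: names, farms, and addresses are illustrative only.
RULES = [
    {"name": "BLOCK_TRACE", "match": "any",
     "conditions": [{"type": "http-url", "url": ".*", "method": "TRACE"}],
     "action": {"primary": "drop"}},
    {"name": "ADMIN_FROM_MGMT", "match": "all",
     "conditions": [{"type": "http-url", "url": "/admin/.*"},
                    {"type": "source-address", "address": "192.168.11.0",
                     "netmask": "255.255.255.0"}],
     "action": {"primary": "load-balance", "farm": "SF_ADMIN"}},
    {"name": "NEWS", "match": "any",
     "conditions": [{"type": "http-url", "url": "/latest/.*", "method": "GET"},
                    {"type": "http-cookie", "name": "section", "value": "news"}],
     "action": {"primary": "load-balance", "farm": "SF_WEB",
                "backup": "SF_WEB_BACKUP"}},
]
DEFAULT_ACTION = {"primary": "drop"}             # unmatched requests are discarded

if __name__ == "__main__":
    up = {"SF_ADMIN", "SF_WEB", "SF_WEB_BACKUP"}
    for r in (Request("192.168.11.2", "GET", "/admin/users"),
              Request("10.0.0.5", "GET", "/admin/users"),
              Request("10.0.0.5", "GET", "/latest/whatsnew.html")):
        print(r.src_ip, r.method, r.url, "->", decide(RULES, DEFAULT_ACTION, r, up))
```

With Drop as the default action, the /admin/ request from outside 192.168.11.0/24 fails the Match All rule and is discarded instead of reaching a server farm.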


Related Topics

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Application Acceleration and Optimization

The ACE appliance includes configuration options that allow you to accelerate enterprise applications, resulting in increased employee productivity, enhanced customer retention, and increased online revenues. The application acceleration functions of the ACE appliance apply several optimization technologies to accelerate Web application performance. The application acceleration functionality in the ACE appliance enables enterprises to optimize network performance and improve access to critical business information. This capability accelerates the performance of Web applications, including customer relationship management (CRM), portals, and online collaboration by up to 10 times.

Refer to Configuring Application Acceleration and Optimization, page 8-1 or the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for more information about application acceleration and optimization.

Use this procedure to configure acceleration and optimization on virtual servers.

Assumption

A virtual server has been configured. See Configuring Virtual Servers for information on configuring a virtual server.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server you want to configure for optimization, then click Edit. The Virtual Server configuration screen appears.

Step 3 Click Application Acceleration and Optimization. The Application Acceleration and Optimization configuration pane appears.

Step 4 In the Configuration field, indicate the method you want to use to configure application acceleration and optimization:

EZ—Indicates that you want to use standard acceleration and optimization options. Continue with Step 5.

Custom—Indicates that you want to associate specific match criteria, actions, and parameter maps for application acceleration and optimization for this virtual server. If you choose this option, continue with Step 6.

Step 5 If you select EZ, the Latency Optimization (FlashForward) and Bandwidth Optimization (Delta) fields appear.

a. Select the Latency Optimization (FlashForward) check box to indicate that the ACE appliance is to apply bandwidth reduction and download acceleration techniques to objects embedded within HTML pages. Clear this check box to indicate that the ACE appliance is not to apply these techniques to objects embedded within HTML pages. Latency optimization corresponds to FlashForward functionality. For more information about FlashForward functionality, see Optimization Overview, page 8-2.

b. Select the Bandwidth Optimization (Delta) check box to indicate that the ACE appliance is to dynamically update client browser caches with content differences, or deltas. Clear this check box to indicate that the ACE appliance is not to dynamically update client browser caches. Bandwidth optimization corresponds to action list Delta optimization. For more information about Delta optimization, see Optimization Overview, page 8-2 and Configuring Action Lists, page 8-3.

c. Continue with Step 11.

Step 6 If you select Custom, the Actions configuration pane appears with a table listing match criteria and actions. Click Add to add an entry to this table, or select an existing entry, then click Edit to modify it. The configuration subset refreshes with the available configuration options.

Step 7 In the Apply Template field, select one of the configuration templates for the type of optimization you want to configure, or leave the field blank to configure optimization without a template:

Bandwidth Optimization—Maximizes bandwidth for Web-based traffic.

Latency Optimization for Embedded Objects—Reduces the latency associated with embedded objects in Web-based traffic.

Latency Optimization for Embedded Images—Reduces the latency associated with embedded images in Web-based traffic.

Latency Optimization for Containers—Reduces the latency associated with Web containers.

If you do not select a template and select *New* in the Rule Match and Actions fields, you are creating your own optimization rules and actions.

Step 8 In the Rule Match field, select an existing class map or click *New* to specify new match criteria:

If you select an existing class map, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click *New*, the screen refreshes with the default configuration settings for the template you selected. You can accept the default settings or modify them using the information in Table 3-15.

Table 3-15 Optimization Rule Match Configuration Options 

Field
Description

Name

Enter a unique name for this match criteria rule.

Match

Select the method to be used to evaluate multiple match statements when multiple match conditions exist:

Match Any—A match exists if at least one of the match conditions is satisfied.

Match All—A match exists only if all match conditions are satisfied.

Conditions

Click Add to add a new set of conditions or select an existing entry, then click Edit to modify it:

1. In the Type field, select the match condition to be used, then configure any condition-specific options using the information in Table 3-10.

2. Click OK to save your entries, or Cancel to exit this procedure without saving your entries.


Step 9 In the Actions field, select an existing action list to use for optimization or click *New* to create a new action list.

If you select an existing action list, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click *New*, the screen refreshes with the default configuration settings for the template you selected. You can accept the default settings or modify them using the information in Table 3-16.

Table 3-16 Optimization Action List Configuration Options 

Field
Description

Action List Name

Enter a unique name for the action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.

Enable Delta

Delta optimization dynamically updates client browser caches directly with content differences, or deltas, resulting in faster page downloads.

Select this check box to enable delta optimization for the specified URLs.

Clear this check box to disable delta optimization for the specified URLs.

Enable AppScope

AppScope runs on the Management Console of the optional Cisco AVS 3180A Management Station and measures end-to-end application performance.

Select this check box to enable AppScope performance monitoring for use with the ACE appliance. Clear this check box to disable AppScope performance monitoring for use with the ACE appliance.

FlashForward

The FlashForward feature reduces bandwidth usage and accelerates embedded object downloading by combining local object storage with dynamic renaming of embedded objects, thereby enforcing object freshness within the parent HTML page.

Specify how the ACE appliance is to implement FlashForward:

N/A—Indicates that this feature is not enabled.

FlashForward—Indicates that FlashForward is to be enabled for the specified URLs and that embedded objects are to be transformed.

FlashForward Object—Indicates that FlashForward static caching is to be enabled for the objects that the corresponding URLs refer to, such as Cascading Style Sheets (CSS), JPEG, and GIF files.

Cache Dynamic

Select this check box to enable Adaptive Dynamic Caching for the specified URLs even if the expiration settings in the response indicate that the content is dynamic. The expiration of cache objects is controlled by the cache expiration settings based on time or server load.

Clear this check box to disable this feature.

Cache Forward

Select this check box to enable the cache forward feature for the corresponding URLs. Cache forward allows the ACE to serve the object from its cache (static or dynamic) even when the object has expired if the maximum cache TTL time period has not yet expired (set by specifying the Cache Time-to-Live Duration (%): field in an Optimization parameter map). At the same time, the ACE sends an asynchronous request to the origin server to refresh its cache of the object.

Clear this check box to disable this feature.

Dynamic Etag

This feature enables the acceleration of noncacheable embedded objects, which results in improved application response time. When enabled, this feature eliminates the need for users to download noncacheable objects on each request.

Select this check box to indicate that the ACE appliance is to implement just-in-time object acceleration for noncacheable embedded objects.

Clear this check box to disable this feature.

Fine Tune Optimization Parameters

Click this header to configure additional optimization attributes. When expanded, the configuration pane displays options specific to the type of optimization you are configuring and features that you enable.

Refer to Table 3-43 for information about specific options that appear.


Step 10 When you finish configuring match criteria and actions, click:

OK to save your entries and to return to the Rule Match and Actions table.

Cancel to exit this procedure without saving your entries and to return to the Rule Match and Actions table.

Step 11 When you finish configuring virtual server properties, click:

Deploy Now to save your entries. The ACE appliance validates the action list configuration and deploys it on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.


Related Topics

Configuring Virtual Server Properties

Optimization Traffic Policies and Typical Configuration Flow, page 8-2

Configuring Traffic Policies for HTTP Optimization, page 8-6

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Default Layer 7 Load Balancing

Configuring Virtual Server NAT

Use this procedure to configure Network Address Translation (NAT) for virtual servers.

Assumptions

A virtual server has been configured. See Configuring Virtual Servers for information on configuring a virtual server.

A VLAN has been configured. See Configuring Virtual Context VLAN Interfaces, page 5-1 for information on configuring a VLAN interface.

At least one NAT pool has been configured on a VLAN interface. See Configuring VLAN Interface NAT Pools, page 5-9 for information on configuring a NAT pool.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server you want to configure for NAT, then click Edit. The Virtual Server configuration screen appears.

Step 3 Click NAT. The NAT table appears.

Step 4 Click Add to add an entry, or select an existing entry, then click Edit to modify it.

Step 5 In the VLAN field, select the VLAN on which you want to use NAT. For more information about NAT, see Configuring VLAN Interface NAT Pools, page 5-9.

Step 6 In the NAT Pool ID field, select the NAT pool that you want to associate with the selected VLAN.

Step 7 Click:

OK to save your entries and to return to the NAT table. The NAT table refreshes with the new entry.

Cancel to exit the procedure without saving your entries and to return to the NAT table.

Step 8 When you finish configuring virtual server properties, click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.


Related Topics

Configuring Virtual Servers

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Default Layer 7 Load Balancing

Managing Virtual Servers

After you have created a virtual server, the following options are available:

Task | Related Topics
Modify a virtual server configuration | Configuring Virtual Servers
List virtual servers by virtual context | Viewing Virtual Servers by Context
Activate a virtual server | Activating Virtual Servers
Suspend a virtual server | Suspending Virtual Servers
View detailed information about a virtual server and its configured state | Viewing Detailed Virtual Server Information


Viewing Virtual Servers by Context

Use this procedure to view all virtual servers associated with a virtual context.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the context associated with the virtual servers you want to view, then select Load Balancing > Virtual Servers. The Virtual Servers table appears with the following information:

Virtual server name

Configured state, such as Inservice

IP address

Port

Associated VLANs

Associated server farms


Related Topics

Configuring Virtual Servers

Managing Virtual Servers

Activating Virtual Servers

Use this procedure to activate a virtual server.

Procedure


Step 1 Select Config > Operations > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the server that you want to activate, then click Activate. The server is activated and the screen refreshes with updated information in the Configured State column.


Related Topics

Managing Virtual Servers

Viewing All Virtual Servers

Suspending Virtual Servers

Suspending Virtual Servers

Use this procedure to suspend a virtual server.

Procedure


Step 1 Select Config > Operations > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the server that you want to suspend, then click Suspend. The server is taken out of service and the screen refreshes with updated information in the Configured State column.


Related Topics

Managing Virtual Servers

Viewing All Virtual Servers

Activating Virtual Servers

Viewing Detailed Virtual Server Information

Use this procedure to view detailed information about the state of a virtual server.

Procedure


Step 1 Select Config > Operations > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server whose configuration details you want to view, then click Details. The Details window appears with the following information:

Current operational status

Description, if one was entered

Configured interfaces, such as VLANs

Configured service policies including:

Configured class maps, detailed by type (such as load balancing or inspection)

States of configured options, indicated by word (ACTIVE, DISABLED, OUTOFSERVICE) and color (green, orange/yellow, and red)

Associated policy maps with details on their type and action (L7 loadbalance, serverfarm)

Statistics regarding connections and counts

Related Topics

Configuring Virtual Servers

Managing Virtual Servers

Viewing All Virtual Servers

To view all virtual servers, select Config > Operations > Virtual Servers. The Virtual Servers table appears with the following information for each server:

Server name, grouped by virtual context

Configured state

IP address

Port

VLANs

Server farms

Virtual context

You can activate or suspend virtual servers from this table and obtain additional information about the state of the virtual server.

Related Topics

Activating Virtual Servers

Suspending Virtual Servers

Viewing Detailed Virtual Server Information

Configuring Load Balancing with Real Servers

Real servers are dedicated physical servers that are typically configured in groups called server farms. These servers provide services to clients, such as HTTP or XML content, streaming media (video or audio), TFTP or FTP services, and so on. When configuring real servers, you assign names to them and specify IP addresses, connection limits, and weight values.

The ACE appliance uses traffic classification maps (class maps) within policy maps to filter specified traffic and to apply specific actions to that traffic based on the load-balancing configuration. A load-balancing predictor algorithm (round-robin or least connections) determines the servers to which the ACE appliance sends connection requests. For information about configuring class maps, see Configuring Virtual Context Class Maps, page 7-12.

Use this procedure to configure load balancing on real servers.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Real Servers. The Real Servers table appears.

Step 2 Click Add to add a new real server, or select a real server you want to modify, then click Edit. The Real Servers configuration screen appears.

Step 3 Configure the server using the information in Table 3-17.

Table 3-17 Real Server Attributes 

Field
Description

Name

Either accept the automatically incremented value in this field, or enter a unique name for this server. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Type

Select the type of server:

Host—Indicates that this is a typical real server that provides content and services to clients.

Redirect—Indicates that this server is used to redirect traffic to a new location.

Description

Enter a brief description for this real server. Valid entries are unquoted alphanumeric text strings with no spaces and a maximum of 240 characters.

IP Address

This field appears only for real servers specified as hosts.

Enter a unique IP address in dotted-decimal format (such as 192.168.11.1). The IP address cannot be an existing virtual IP address (VIP).

Max Connections

Enter the maximum number of active connections allowed on this server. When the number of connections exceeds this value, the ACE appliance stops sending connections to this server until the number of connections falls below the Min Connections value. Valid entries are integers from 1 to 4000000, and the default is 4000000.

Min Connections

Enter the minimum number of connections to be allowed on this server before the ACE appliance starts sending connections again after it has exceeded the Max Connections limit. This value must be less than or equal to the Max Connections value. By default, this value is equal to the Max Connections value. Valid entries are integers from 1 to 4000000.

Weight

This field appears only for real servers identified as hosts.

Enter the weight to be assigned to this real server in a server farm. Valid entries are integers from 1 to 100, and the default is 8.

State

Select the state of this real server:

In Service—Indicates that this real server is in service.

Out of Service—Indicates that this real server is out of service.

Probes

This field appears only for real servers identified as hosts.

In the Probes field, select the probes that are to be used for health monitoring in the list on the left, then click Add. The selected probes appear in the list on the right.

To remove probes that you do not want to use for health monitoring, select them in the list on the right, then click Remove. The selected probes appear in the list on the left.

Webhost Redirection

This field appears only for real servers identified as redirect servers.

Enter the URL and port used to redirect requests to another server.

Valid entries are in the form http://host.com:port where host is the name of the server and port is the port to be used.

Valid host entries are unquoted text strings with no spaces and a maximum of 255 characters.

Valid port numbers are from 1 to 65535.

Redirection Code

This field appears only for real servers identified as redirect servers.

Select the appropriate redirection code:

N/A—Indicates that the webhost redirection code is not defined.

301—Indicates that the requested resource has been moved permanently. For future references to this resource, the client should use one of the returned URIs.

302—Indicates that the requested resource has been found, but has been moved temporarily to another location. For future references to this resource, the client should use the request URI because the resource may be moved to other locations from time to time.


Step 4 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Real Servers table.

Next to save your entries and to configure another real server.
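The constraints in Table 3-17 can be checked before a real server definition is deployed. The following is an added example, not Cisco code: the dictionary keys, the function names and the sample values are assumptions made for illustration, and the URL check accepts only the documented http://host:port form.

```python
import ipaddress
import re
from urllib.parse import urlsplit

CONN_MAX = 4_000_000                      # upper bound and default for Max Connections
HOST_ONLY = ("ip_address", "weight", "probes")
REDIRECT_ONLY = ("webhost_redirection", "redirection_code")


def _int_in(value, low, high):
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def _check_host(cfg, existing_vips):
    errors = [f"{f}: only applies to redirect servers" for f in REDIRECT_ONLY if f in cfg]
    try:
        ip = ipaddress.IPv4Address(cfg.get("ip_address", ""))
    except ValueError:
        errors.append("ip_address: dotted-decimal IPv4 address required")
    else:
        # The real server address must not be an existing virtual IP address.
        if ip in {ipaddress.IPv4Address(v) for v in existing_vips}:
            errors.append("ip_address: collides with an existing VIP")
    if not _int_in(cfg.get("weight", 8), 1, 100):      # default weight is 8
        errors.append("weight: integer from 1 to 100")
    return errors


def _check_redirect(cfg):
    errors = [f"{f}: only applies to host servers" for f in HOST_ONLY if f in cfg]
    url = cfg.get("webhost_redirection", "")
    ok = False
    if isinstance(url, str) and not re.search(r"\s", url):
        try:
            parts = urlsplit(url)
            ok = (parts.scheme == "http"
                  and parts.hostname is not None and len(parts.hostname) <= 255
                  and parts.port is not None and 1 <= parts.port <= 65535)
        except ValueError:                # non-numeric or out-of-range port
            ok = False
    if not ok:
        errors.append("webhost_redirection: expected http://host:port, port 1 to 65535")
    if cfg.get("redirection_code") not in (None, 301, 302):
        errors.append("redirection_code: must be 301, 302 or unset (N/A)")
    return errors


def validate_real_server(cfg, existing_vips=()):
    """Return a list of 'field: problem' strings; an empty list means cfg is valid."""
    errors = []
    name = cfg.get("name", "")
    if not name or len(name) > 64 or re.search(r"\s", name):
        errors.append("name: 1 to 64 characters, no spaces")
    desc = cfg.get("description", "")
    if len(desc) > 240 or re.search(r"\s", desc):
        errors.append("description: at most 240 characters, no spaces")

    max_conn = cfg.get("max_connections", CONN_MAX)
    min_conn = cfg.get("min_connections", max_conn)    # Min defaults to Max
    if not _int_in(max_conn, 1, CONN_MAX):
        errors.append("max_connections: integer from 1 to 4000000")
    if not _int_in(min_conn, 1, CONN_MAX):
        errors.append("min_connections: integer from 1 to 4000000")
    elif _int_in(max_conn, 1, CONN_MAX) and min_conn > max_conn:
        errors.append("min_connections: must be <= max_connections")

    rtype = cfg.get("type")
    if rtype == "host":
        errors += _check_host(cfg, existing_vips)
    elif rtype == "redirect":
        errors += _check_redirect(cfg)
    else:
        errors.append("type: must be 'host' or 'redirect'")
    return errors


if __name__ == "__main__":
    # Constructed sample: a host that reuses a VIP and inverts Min/Max.
    sample = {"name": "rs-web-01", "type": "host", "ip_address": "192.168.11.1",
              "max_connections": 100, "min_connections": 200}
    for problem in validate_real_server(sample, existing_vips=["192.168.11.1"]):
        print(problem)
```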


Related Topics

Configuring Health Monitoring for Real Servers

Configuring Server Farm Load Balancing

Configuring Load Balancing Using Sticky Groups

Configuring Server Farm Load Balancing

Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location in a data center. Web sites often comprise groups of servers configured in a server farm. Load-balancing software distributes client requests for content or services among the real servers based on the configured policy and traffic classification, server availability and load, and other factors. If one server goes down, another server can take its place and continue to provide the same content to the clients who requested it.

Use this procedure to configure load balancing on server farms.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms table appears.

Step 2 Click Add to add a new server farm, or select an existing server farm, then click Edit. The Server Farms configuration screen appears.

Step 3 Enter the server farm attributes (see Table 3-18).

Table 3-18 Server Farm Attributes 

Field
Description

Name

Either accept the automatically incremented value in this field, or enter a unique name for this server farm. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Type

Select the type of server farm:

Host—Indicates that this is a typical server farm that consists of real servers that provide content and services to clients.

Redirect—Indicates that this server farm consists only of real servers that redirect client requests to alternate locations specified in the real server configuration. (See Configuring Load Balancing with Real Servers.)

Description

Enter a brief description for this server farm. Valid entries are unquoted alphanumeric text strings with no spaces and a maximum of 240 characters.

Fail Action

Select the action the ACE appliance is to take with respect to connections if any real server in the server farm fails:

N/A—Indicates that the ACE appliance is to take no action if any server in the server farm fails.

Purge—Indicates that the ACE appliance is to remove connections to a real server if that real server in the server farm fails. The ACE appliance sends a reset command to both the client and the server that failed.

Transparent

This field appears only for real servers identified as host servers.

Specify whether network address translation from VIP address to server IP is to occur:

N/A—Indicates that the default value is to be used; the default value is False.

False—Indicates that network address translation from VIP address to server IP address is not to occur.

True—Indicates that network address translation from VIP address to server IP address is to occur.

Probes

This field appears only for real servers identified as host servers.

In the Probes field, select the probes that are to be used for health monitoring in the list on the left, then click Add. The selected probes appear in the list on the right.

To remove probes that you do not want to use for health monitoring, select them in the list on the right, then click Remove. The selected probes appear in the list on the left.


Step 4 Click:

Deploy Now to deploy this configuration on the ACE appliance. To add real servers to the farm and to configure server farm attributes, see:

Adding Real Servers to a Server Farm

Configuring the Predictor Method for Server Farms

Configuring Server Farm HTTP Return Error-Code Checking

Cancel to exit the procedure without saving your entries and to return to the Server Farms table.

Next to save your entries and to configure another server farm.


Related Topics

Configuring Health Monitoring for Real Servers

Configuring Load Balancing with Real Servers

Configuring Load Balancing Using Sticky Groups

Configuring the Predictor Method for Server Farms

Configuring Server Farm HTTP Return Error-Code Checking

Adding Real Servers to a Server Farm

After adding a server farm (see Configuring Server Farm Load Balancing), you can associate real servers with it and configure predictors and retcode maps. The configuration screens for these attributes appear beneath the Server Farms table or after you have successfully added a new server farm.


Note If you do not see these tabs beneath the Server Farms table, click Show Tabs just below the table name. If you still do not see tabs, it is either because there are no entries in the table or because no entries are selected.


When creating or editing a server farm, if the real server to be added has the same name as an existing global real server but contains a different IP address (or no IP address), the Device Manager displays the following error message:

IP address of pre-existing real sever cannot be changed: "<rs-name>" (ip-addr>). 

If this error message appears, ensure that you specify an existing real server with the matching IP address.

Use this procedure to add real servers to a server farm.

Assumptions

A server farm has been added to the ACE Appliance Device Manager. (See Configuring Server Farm Load Balancing.)

At least one real server exists.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms table appears.

Step 2 Select the server farm you want to associate with real servers, then select the Real Servers tab. The Real Servers table appears. If you do not see tabs beneath the Server Farms table, click Show Tabs just below the table name.

Step 3 Click Add to add a new entry to the Real Servers table, or select an existing server, then click Edit to modify it. The Real Servers configuration screen appears.

Step 4 Configure the real server using the information in Table 3-19.

Table 3-19 Real Server Configuration Attributes 

Field
Description

Name

Select the server that you want to associate with the server farm.

Port

Enter the port number to be used for server port address translation (PAT). Valid entries are integers from 1 to 65535.

Backup Server Name

Select the server that is to act as the backup server for the server farm. Leave this field blank to indicate that there is no designated backup server for the server farm.

Backup Server Port

If you select a backup server, enter the backup server port number. Valid entries are integers from 0 to 65535.

Max Connections

Enter the maximum number of active connections that can be sent to the server. When the number of connections exceeds this number, the ACE appliance stops sending connections to the server until the number of connections falls below the number specified in the Min Connections field. Valid entries are integers from 1 to 4000000. The default is 4000000.

Min Connections

Enter the number of connections that the server's connection count must fall below before the ACE appliance resumes sending connections to the server after the count has exceeded the number in the Max Connections field. The number in this field must be less than or equal to the number in the Max Connections field. Valid entries are integers from 1 to 4000000. The default value is 4000000.

Weight

Enter the weight to assign to the server. Valid entries are integers from 1 to 100, and the default is 8.

State

Select the state of this server:

In Service—Indicates that this server is in service.

Out of Service—Indicates that this server is out of service.

In Service Standby—Indicates that this server is a backup server and is to remain inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections.

Probes

Select the probes in the list on the left that you want to apply to this server, then click Add. The selected probes appear in the list on the right. To remove probes you do not want to apply to this server, select the probes in the list on the right, then click Remove.


Step 5 When you finish configuring this server for this server farm, click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Real Servers table.

Next to save your entries and to add another real server for this server farm.
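The Max Connections and Min Connections fields in Table 3-17 and Table 3-19 together form a stop threshold and a resume threshold. The following added example (not Cisco code) replays a constructed trace of connection attempts to show how a Min value below Max keeps a saturated server out of rotation longer; the class and function names are hypothetical, and the model assumes that reaching Max is what trips the limit.

```python
class ConnLimitGate:
    """Connection limit with separate stop (Max) and resume (Min) thresholds."""

    def __init__(self, max_conns=4_000_000, min_conns=None):
        if min_conns is None:
            min_conns = max_conns            # documented default: Min equals Max
        if not 1 <= min_conns <= max_conns <= 4_000_000:
            raise ValueError("need 1 <= min_conns <= max_conns <= 4000000")
        self.max_conns = max_conns
        self.min_conns = min_conns
        self.active = 0
        self.blocked = False

    def open(self):
        """Offer one new connection; return True if the server accepts it."""
        if self.blocked:
            return False
        self.active += 1
        if self.active >= self.max_conns:    # assumption: reaching Max trips the limit
            self.blocked = True
        return True

    def close(self):
        """One existing connection ends; resume once the count is below Min."""
        if self.active > 0:
            self.active -= 1
        if self.blocked and self.active < self.min_conns:
            self.blocked = False


def replay(max_conns, min_conns, events):
    """Replay a trace of 'O' (open attempt) and 'C' (close) events.

    Returns (refused, timeline), where timeline holds one
    (event, active, blocked) tuple per event.
    """
    gate = ConnLimitGate(max_conns, min_conns)
    refused = 0
    timeline = []
    for ev in events:
        if ev == "O":
            if not gate.open():
                refused += 1
        elif ev == "C":
            gate.close()
        else:
            raise ValueError(f"unknown event {ev!r}")
        timeline.append((ev, gate.active, gate.blocked))
    return refused, timeline


# Constructed trace: four open attempts, then closes interleaved with retries.
TRACE = "OOOOCOCCO"

if __name__ == "__main__":
    for min_conns in (None, 1):
        refused, timeline = replay(3, min_conns, TRACE)
        print(f"max=3 min={min_conns or 3}: refused={refused}")
        for ev, active, blocked in timeline:
            print(f"  {ev} active={active} blocked={blocked}")
```

With Min equal to Max the server takes traffic again as soon as one connection closes; with Min set to 1 it stays out of rotation until it has fully drained.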


Related Topics

Configuring Health Monitoring for Real Servers

Configuring Load Balancing with Real Servers

Configuring Load Balancing Using Sticky Groups

Configuring the Predictor Method for Server Farms

Configuring Server Farm HTTP Return Error-Code Checking

Viewing All Server Farms

Use this procedure to view all server farms associated with a virtual context.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the virtual context with the server farms you want to view, then click Load Balancing > Server Farms. The Server Farms table appears with the following information:

Server farm name

Server farm type (either host or redirect)

Description

Depending on the server farms selected, additional tables appear below the Server Farms table. These tables include:

Real Servers—This table identifies the real servers associated with the selected server farm.

Predictor—This configuration screen displays the selected predictor method for the selected server farm.

Retcode Map—This table displays the HTTP return error-code checking that has been configured for the selected server farm.


Related Topics

Configuring Server Farm Load Balancing

Adding Real Servers to a Server Farm

Configuring the Predictor Method for Server Farms

Configuring Server Farm HTTP Return Error-Code Checking

Configuring the Predictor Method for Server Farms

After adding a server farm (see Configuring Server Farm Load Balancing), you can associate real servers with it and configure the predictor method and retcode maps. The configuration screens for these attributes appear beneath the Server Farms table or after you have successfully added a new server farm.

If you do not see these tabs beneath the Server Farms table, click Show Tabs just below the table name. If you still do not see tabs, it is either because there are no entries in the table or because no entries are selected.

Use this procedure to configure the predictor method for a server farm. The predictor method specifies how the ACE appliance is to select a server in the server farm when it receives a client request for a service.


Note You can configure only one predictor method per server farm.


Assumptions

A server farm has been added to the ACE Appliance Device Manager. (See Configuring Server Farm Load Balancing.)

At least one real server exists.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms table appears.

Step 2 Select the server farm you want to configure the predictor method for, then select the Predictor tab. The Predictor configuration screen appears. If you do not see tabs beneath the Server Farms table, click Show Tabs just below the table name.

Step 3 In the Type field, select the method that the ACE appliance is to use to select a server in this server farm when it receives a client request. Table 3-20 lists the available options and describes them.

Step 4 Enter the required information for the selected predictor method. See Table 3-20.

Table 3-20 Predictor Method Attributes 

Predictor Method
Description / Action

None

Indicates that a predictor method is not specified for the server farm.

Continue with Step 5.

Roundrobin

Indicates that the ACE appliance is to select the next server in the list of servers based on server weight. This is the default predictor method.

Continue with Step 5.

Leastconns

Indicates that the ACE appliance is to select the server with the fewest number of connections.

In the Slowstart Duration field, enter the slow-start value to be applied to this predictor method. Valid entries are integers from 1 to 65535, where 1 is the slowest ramp-up value.

The slow-start mechanism is used to avoid sending a high rate of new connections to servers that you have just put into service.

Hash_url

Indicates that the ACE appliance is to select the server using a hash value based on the URL. Use this method to load balance firewalls.

Enter values in one or both of the pattern fields:

In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string to parse.

In the URL End Pattern field, enter the ending pattern of the URL and the pattern string to parse.

Valid entries for these fields are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters for each pattern you configure.

Hash_address

Indicates that the ACE appliance is to select the server using a hash value based on the source or destination IP address.

To configure the hash address predictor method:

1. In the Mask Type field, indicate whether server selection is based on source IP address or the destination IP address:

N/A—Indicates that this option is not defined.

Source—Indicates that the server is selected based on the source IP address.

Destination—Indicates that the server is selected based on the destination IP address.

2. In the IP Netmask field, select the subnet mask to apply to the address. If none is specified, the default is 255.255.255.255.

Hash_cookie

Indicates that the ACE appliance is to select the server by using a hash value based on the cookie name.

In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces and a maximum of 64 characters.

Hash_header

Indicates that the ACE appliance is to select the server by using a hash value based on the header name.

In the Header Name field, select the HTTP header to be used for server selection:

To specify an HTTP header that is not one of the standard HTTP headers, select the first radio button and enter the HTTP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

To specify one of the standard HTTP headers, select the second radio button, then select one of the HTTP headers from the list.


Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Predictor table.
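The effect of the Mask Type and IP Netmask fields of the Hash_address predictor is easiest to see on a set of client addresses. The following is an added example, not Cisco code: SHA-256 stands in for the appliance's hash function, which this guide does not describe, and the server names, VIP and client addresses are constructed.

```python
import hashlib
import ipaddress
from collections import Counter


def pick_server(servers, src_ip, dst_ip, mask_type="source",
                netmask="255.255.255.255"):
    """Select a server from the hash of the masked source or destination address."""
    if not servers:
        raise ValueError("server farm is empty")
    if mask_type == "source":
        addr = src_ip
    elif mask_type == "destination":
        addr = dst_ip
    else:
        raise ValueError("mask_type must be 'source' or 'destination'")
    # Apply the netmask first: addresses that differ only in masked-out bits
    # produce the same hash key and therefore reach the same server.
    masked = int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(netmask))
    digest = hashlib.sha256(masked.to_bytes(4, "big")).digest()   # stand-in hash
    return servers[int.from_bytes(digest[:8], "big") % len(servers)]


def distribution(servers, clients, vip, mask_type, netmask):
    """Count how many clients each server receives for the given settings."""
    return Counter(pick_server(servers, c, vip, mask_type, netmask) for c in clients)


# Constructed sample data.
SERVERS = ["rs1", "rs2", "rs3", "rs4"]
VIP = "192.168.11.100"
CLIENTS = [f"10.1.1.{i}" for i in range(256)]    # one /24 of client addresses

if __name__ == "__main__":
    for mask_type, netmask in (("source", "255.255.255.255"),
                               ("source", "255.255.255.0"),
                               ("destination", "255.255.255.255")):
        spread = distribution(SERVERS, CLIENTS, VIP, mask_type, netmask)
        print(f"{mask_type:<11} {netmask:<15} {dict(spread)}")
```

A coarse source mask, or hashing on the destination when every client targets the same VIP, sends the whole client population to a single real server, so that server's connection limits and health probes carry the full load.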


Related Topics

Configuring Health Monitoring for Real Servers

Configuring Load Balancing with Real Servers

Configuring Load Balancing Using Sticky Groups

Adding Real Servers to a Server Farm

Configuring Server Farm HTTP Return Error-Code Checking

Configuring Server Farm HTTP Return Error-Code Checking

After adding a server farm (see Configuring Server Farm Load Balancing), you can associate real servers with it and configure the predictor method and retcode maps. The configuration screens for these attributes appear beneath the Server Farms table or after you have successfully added a new server farm.

Use this procedure to configure HTTP return error-code checking (retcode map) for a server farm.


Note This feature is available only for server farms configured as hosts. It is not available for server farms configured with the type Redirect.


Assumption

A host type server farm has been added to the ACE Appliance Device Manager. (See Configuring Server Farm Load Balancing.)

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Server Farms. The Server Farms table appears.

Step 2 Select the server farm you want to configure return error-code checking for, then select the Retcode Map tab. The Retcode Map table appears. If you do not see tabs beneath the Server Farms table, click Show Tabs just below the table name.

Step 3 Click Add to add a new entry to the table. The Retcode Map configuration screen appears.


Note You cannot modify an entry in the Retcode Map table. Instead, delete the existing entry, then add a new one.


Step 4 In the Lowest Retcode field, enter the minimum value for an HTTP return error code. Valid entries are integers from 100 to 599. This number must be less than or equal to the number in the Highest Retcode field.

Step 5 In the Highest Retcode field, enter the maximum number for an HTTP return error code. Valid entries are integers from 100 to 599. This number must be greater than or equal to the number in the Lowest Retcode field.

Step 6 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Retcode Map table.

Next to save your entries and to add another retcode map.


Related Topics

Using Virtual Contexts, page 2-1

Configuring Virtual Context Class Maps, page 7-12

Configuring Virtual Context Policy Maps, page 7-27

Configuring Load Balancing with Real Servers

Configuring Load Balancing Using Sticky Groups

Health Monitoring

You can instruct the ACE appliance to check the health of servers and server farms by configuring health probes (sometimes referred to as keepalives). After you create a probe, you assign it to a real server or a server farm. A probe can be one of many types, including TCP, ICMP, Telnet, HTTP, and so on. You can also configure scripted probes using the TCL scripting language (see TCL Scripts).

The ACE appliance sends out probes periodically to determine the status of a server, verifies the server response, and checks for other network problems that may prevent a client from reaching a server. Based on the server response, the ACE appliance can place the server in or out of service, and, based on the status of the servers in the server farm, can make reliable load-balancing decisions.

Health monitoring on the ACE appliance, also referred to as out-of-band health monitoring, tracks the state of a server by sending out probes. The ACE appliance verifies the server response or checks for any network problems that can prevent a client from reaching a server. Based on the server response, the ACE appliance can place the server in or out of service, and can make reliable load-balancing decisions.

The ACE appliance identifies the health of a server in the following categories:

Passed—The server returns a valid response.

Failed—The server fails to provide a valid response, or the ACE appliance is unable to reach the server for a specified number of retries.

When you configure the ACE appliance for health monitoring, it sends active probes periodically to determine the server state.

The ACE appliance supports 4000 unique probe configurations, which include ICMP, TCP, HTTP, and other predefined health probes. The ACE appliance also allows the opening of 1000 sockets simultaneously.

Related Topics

Configuring Health Monitoring for Real Servers

TCL Scripts

TCL Scripts

The ACE appliance supports several specific types of health probes (for example HTTP, TCP, or ICMP health probes) when you need to use a diverse set of applications and health probes to administer your network. The basic health probe types supported in the current ACE appliance software release may not support the specific probing behavior that your network requires. To support a more flexible health-probing functionality, the ACE appliance allows you to upload and execute TCL scripts on the ACE appliance.

The TCL interpreter code in the ACE appliance is based on Release 8.44 of the standard TCL distribution. You can create a script to configure health probes. Script probes operate similarly to other health probes available in the ACE appliance software. As part of a script probe, the ACE appliance executes the script periodically, and the exit code that is returned by the executing script indicates the relative health and availability of specific real servers. For information on health probes, see Configuring Health Monitoring for Real Servers.

For your convenience, the following sample scripts for the ACE appliance are available to support the TCL feature and are supported by Cisco TAC:

CHECKPORT_STD_SCRIPT

ECHO_PROBE_SCRIPT

FINGER_PROBE_SCRIPT

FTP_PROBE_SCRIPT

HTTP_PROBE_SCRIPT

HTTPCONTENT_PROBE

HTTPHEADER_PROBE

HTTPPROXY_PROBE

IMAP_PROBE

LDAP_PROBE

MAIL_PROBE

POP3_PROBE

PROBENOTICE_PROBE

RTSP_PROBE

SSL_PROBE_SCRIPT

TFTP_PROBE

The ace_scripts.tgz zip file contains these scripts and is located at the URL:

http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-intellother

To load a script into memory on the ACE appliance and enable it for use, use the script file command. For detailed information on uploading and executing Toolkit Command Language (TCL) scripts on the ACE appliance, refer to the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

Configuring Health Monitoring for Real Servers

To check the health and availability of a real server, the ACE appliance periodically sends a probe to the real server. Depending on the server response, the ACE appliance determines whether to include the server in its load-balancing decision.

Use this procedure to establish monitoring of real servers to determine their viability in load-balancing decisions.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health Monitoring table appears.

Step 2 Click Add to add a new health monitoring probe, or select an existing entry, then click Edit to modify it. The Health Monitoring screen appears.

Step 3 In the Name field, enter a name that identifies the probe and that associates the probe with the real server. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Step 4 In the Type field, select the type of probe you want to use. The probe type determines what the probe sends to the real server. See Table 3-21 for the types of probes and their descriptions.

Table 3-21 Probe Types 

Probe Type
Description

DNS

Sends a request to a DNS server giving it a configured domain. To determine if the server is up, the ACE appliance must receive the configured IP address for that domain.

ECHO-TCP

Sends a string to the server and compares the response with the original string. If the response string matches the original, the server is marked as passed. If not, the ACE appliance retries as configured before the server is marked as failed.

ECHO-UDP

Sends a string to the server and compares the response with the original string. If the response string matches the original, the server is marked as passed. If not, the ACE appliance retries as configured before the server is marked as failed.

FINGER

Sends a probe to the server to verify that a defined username is a username on the server.

FTP

Initiates an FTP session. By default, this probe is for an anonymous login with the option of configuring a user ID and password. The ACE appliance performs an FTP GET or LS to determine the outcome of the probe. This probe supports only active connections.

HTTP

Sets up a TCP connection and issues an HTTP request. Any valid HTTP response causes the probe to mark the real server as passed.

HTTPS

Similar to an HTTP probe, but this probe uses SSL to generate encrypted data.

ICMP

Sends an ICMP request and listens for a response. If the server returns a response, the ACE appliance marks the real server as passed. If there is no response and the probe times out, or an ICMP standard error occurs, such as DESTINATION_UNREACHABLE, the ACE appliance marks the real server as failed.

IMAP

Initiates an IMAP session, using a configured user ID and password. Then, the probe attempts to retrieve e-mail from the server and validates the result of the probe based on the return codes received from the server.

POP

Initiates a POP session, using a configured user ID and password. Then, the probe attempts to retrieve e-mail from the server and validates the result of the probe based on the return codes received from the server.

RADIUS

Connects to a RADIUS server and logs into it to determine if the server is up.

Scripted

Executes probes from a configured script to perform health probing. This method allows you to author specific scripts with features not present in standard probes.

SMTP

Initiates an SMTP session by logging into the server.

TCP

Initiates a TCP handshake and expects a response. By default, a successful response causes the probe to mark the server as passed. The probe then sends a FIN to end the session. If the response is not valid, or if there is no response, the probe marks the real server as failed.

TELNET

Establishes a connection to the real server and verifies that a greeting from the application was received.

UDP

Sends a UDP packet to a real server. The probe marks the server as failed only if an ICMP Port Unreachable message is returned.


Step 5 Enter health monitoring general attributes (see Table 3-22).

Table 3-22 Health Monitoring General Attributes 

Field
Action

Description

Enter a description for this probe. Valid entries are unquoted alphanumeric text strings with no spaces and a maximum of 240 characters.

Probe Interval

Enter the number of seconds that the ACE appliance is to wait before sending another probe to a server marked as passed. Valid entries are from 2 to 65535 with a default of 120.

Pass Detect Count

Enter the number of successful probe responses from the server before the server is marked as passed. Valid entries are integers from 1 to 65535 with a default of 3.

Pass Detect Interval

Enter the number of seconds that the ACE appliance is to wait before sending another probe to a server marked as failed. Valid entries are integers from 2 to 65535 with a default of 300.

Receive Timeout

Enter the number of seconds the ACE appliance is to wait for a response from a server that has been probed before marking the server as failed. Valid entries are integers from 1 to 65535 with a default of 10.

Fail Detect

Enter the consecutive number of times that an ACE appliance must detect that probes have failed to contact a server before marking the server as failed. Valid entries are integers from 1 to 65535 with a default of 3.

Dest IP Address [1]

By default, the probe uses the IP address from the real or virtual server configuration for the destination IP address. To override the destination address that the probe uses, enter the preferred destination IP address in this field using dotted-decimal notation, such as 192.168.11.1.

Is Routed [2]

Select the check box to indicate that the destination IP address is routed according to the ACE appliance internal routing table. Clear the check box to indicate that the destination IP address is not routed according to the ACE appliance internal routing table.

[1] The Dest IP Address field is not applicable to the Scripted probe type.

[2] The Is Routed field is not applicable to the Scripted probe type.


Step 6 Enter the attributes for the specific probe type selected:

For DNS probes, see Table 3-23.

For Echo-TCP probes, see Table 3-24.

For Echo-UDP probes, see Table 3-25.

For Finger probes, see Table 3-26.

For FTP probes, see Table 3-27.

For HTTP probes, see Table 3-28.

For HTTPS probes, see Table 3-29.

There are no specific attributes for ICMP probes.

For IMAP probes, see Table 3-30.

For POP probes, see Table 3-31.

For RADIUS probes, see Table 3-32.

For Scripted probes, see Table 3-33.

For SMTP probes, see Table 3-34.

For TCP probes, see Table 3-35.

For Telnet probes, see Table 3-36.

For UDP probes, see Table 3-37.

Step 7 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Health Monitoring table.

Next to save your entries and to configure another probe.
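
The timers in Table 3-22 together decide how long a dead server keeps receiving traffic and how long a repaired one stays out of rotation. The following Python model is an added illustration, not Cisco code: the class and function names are hypothetical, and the scheduling rule (the next probe goes out one interval after the previous result is known, and the pass count is taken as consecutive) is an assumption.

```python
from dataclasses import dataclass

# Valid ranges as listed in Table 3-22.
_RANGES = {
    "probe_interval": (2, 65535),
    "pass_detect_count": (1, 65535),
    "pass_detect_interval": (2, 65535),
    "receive_timeout": (1, 65535),
    "fail_detect": (1, 65535),
}


@dataclass
class ProbeTimers:
    """General probe attributes with the defaults from Table 3-22."""
    probe_interval: int = 120        # seconds between probes while "passed"
    pass_detect_count: int = 3       # successes needed to return to "passed"
    pass_detect_interval: int = 300  # seconds between probes while "failed"
    receive_timeout: int = 10        # seconds to wait for a response
    fail_detect: int = 3             # consecutive failures before "failed"

    def __post_init__(self):
        for name, (lo, hi) in _RANGES.items():
            value = getattr(self, name)
            if not isinstance(value, int) or not lo <= value <= hi:
                raise ValueError(f"{name}={value!r} outside {lo}..{hi}")


def worst_case_detection(t):
    """Seconds a dead server can stay in rotation under the assumed model
    (the outage begins just after a successful probe)."""
    return t.fail_detect * (t.probe_interval + t.receive_timeout)


def simulate(t, outage_start, outage_end, horizon):
    """Return [(time, new_state)] for a server down in [outage_start, outage_end).

    Assumed model: the first probe goes out at time 0 with the server marked
    passed, a healthy server answers at once, a dead one costs
    receive_timeout, and the next probe is sent one interval after the
    previous result is known.
    """
    now, state, fails, passes, events = 0, "passed", 0, 0, []
    while now <= horizon:
        up = not (outage_start <= now < outage_end)
        result_at = now if up else now + t.receive_timeout
        if state == "passed":
            fails = 0 if up else fails + 1
            if fails >= t.fail_detect:
                state, passes = "failed", 0
                events.append((result_at, state))
        else:
            # Successes are counted consecutively here (assumption).
            passes = passes + 1 if up else 0
            if passes >= t.pass_detect_count:
                state, fails = "passed", 0
                events.append((result_at, state))
        wait = t.probe_interval if state == "passed" else t.pass_detect_interval
        now = result_at + wait
    return events


if __name__ == "__main__":
    defaults = ProbeTimers()
    # Constructed scenario: server dies at t=60 s and is repaired at t=700 s.
    for when, state in simulate(defaults, 60, 700, 3000):
        print(f"t={when:>5}s  marked {state}")
    print("worst-case detection:", worst_case_detection(defaults), "s")
```

With the default values, the constructed outage is detected 330 seconds after it starts, and the repaired server is returned to service 900 seconds after it recovers.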


Related Topics

Configuring DNS Probe Expect Addresses

Configuring Headers for HTTP and HTTPS Probes

Configuring Health Monitoring Expect Status

Configuring Load Balancing with Real Servers

Configuring Server Farm Load Balancing

Configuring Load Balancing Using Sticky Groups

Probe Attribute Tables

Refer to the following topics to configure health monitoring probe-specific attributes:

DNS Probe Attributes

Echo-TCP Probe Attributes

Echo-UDP Probe Attributes

Finger Probe Attributes

FTP Probe Attributes

HTTP Probe Attributes

HTTPS Probe Attributes

IMAP Probe Attributes

POP Probe Attributes

RADIUS Probe Attributes

Scripted Probe Attributes

SMTP Probe Attributes

TCP Probe Attributes

Telnet Probe Attributes

UDP Probe Attributes

Refer to the following topics for additional configuration options for health monitoring probes:

Configuring DNS Probe Expect Addresses

Configuring Headers for HTTP and HTTPS Probes

Configuring Health Monitoring Expect Status

DNS Probe Attributes

Table 3-23 DNS Probe Attributes 

Field
Action

Domain Name

Enter the domain name that the probe is to send to the DNS server. Valid entries are unquoted text strings with a maximum of 255 characters.

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.


To configure expect addresses for DNS probes, see Configuring DNS Probe Expect Addresses.

Echo-TCP Probe Attributes

Table 3-24 Echo-TCP Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection

Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout

Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10.

Send Data

Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.


Echo-UDP Probe Attributes

Table 3-25 Echo-UDP Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Send Data

Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.


Finger Probe Attributes

Table 3-26 Finger Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection

Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout

Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10.

Send Data

Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.


FTP Probe Attributes

Table 3-27 FTP Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection

Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout

Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10.


To configure probe expect statuses for FTP probes, see Configuring Health Monitoring Expect Status.

HTTP Probe Attributes

Table 3-28 HTTP Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection

Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout

Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10.

User Name

Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

Password

Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

Expect Regex

Enter the expected response data from the probe destination. Valid entries are unquoted text strings with a maximum of 255 characters.

Expect Regex Offset

Enter the number of characters into the received message or buffer where the ACE appliance is to begin looking for the string specified in the Expect Regex field. Valid entries are integers from 1 to 4000.

Hash

Select the Hash check box to indicate that the ACE appliance is to use an MD5 hash for an HTTP GET probe. Clear the Hash check box to indicate that the ACE appliance should not use an MD5 hash for an HTTP GET probe.

Hash String

This field appears if the Hash check box is selected.

Enter the 32-bit hash value that the ACE appliance is to compare with the hash that is generated from the HTTP page sent by the server. If you do not provide this value, the ACE appliance generates a value the first time it queries the server, stores this value, and matches this value with other responses from the server. A successful comparison causes the probe to maintain an Alive state.

Enter the MD5 hash value as a quoted or unquoted hexadecimal string with 16 characters.

Request Method Type

Select the type of HTTP request method that is to be used for this probe:

N/A—Indicates that this option is not defined.

Head—Indicates that the server is to only get the header for the page. Using this method can prevent the ACE appliance from assuming that the service is down due to changed content and therefore changed hash values.

Get—Indicates that the HTTP request method is a GET with a URL of "/". This request method directs the server to get the page, and the ACE appliance calculates a hash value for the content of the page. If the page content information changes, the hash value no longer matches the original hash value and the ACE appliance assumes the service is down. This is the default request method.

Request HTTP URL

Enter the URL path on the remote server. Valid entries are strings of up to 255 characters specifying the URL path. The default path is "/".


To configure probe headers and expect statuses for HTTP probes, see:

Configuring Headers for HTTP and HTTPS Probes

Configuring Health Monitoring Expect Status

HTTPS Probe Attributes

Table 3-29 HTTPS Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection

Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout

Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10.

User Name

Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

Password

Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

Expect Regex

Enter the expected response data from the probe destination. Valid entries are unquoted text strings with a maximum of 255 characters.

Expect Regex Offset

Enter the number of characters into the received message or buffer where the ACE appliance is to begin looking for the string specified in the Expect Regex field. Valid entries are integers from 1 to 4000.

Hash

Select the Hash check box to indicate that the ACE appliance is to use an MD5 hash for an HTTP GET probe. Clear this check box to indicate that the ACE appliance is not to use an MD5 hash for an HTTP GET probe.

Hash String

This field appears if the Hash check box is selected.

Enter the 32-bit hash value that the ACE appliance is to compare with the hash that is generated from the HTTP page sent by the server. If you do not provide this value, the ACE appliance generates a value the first time it queries the server, stores this value, and matches this value with other responses from the server. A successful comparison causes the probe to maintain an Alive state.

Enter the MD5 hash value as a quoted or unquoted hexadecimal string with 16 characters.

Request Method Type

Select the type of HTTP request method that is to be used for this probe:

N/A—Indicates that this option is not defined.

Head—Indicates that the server is to only get the header for the page. Using this method can prevent the ACE appliance from assuming that the service is down due to changed content and therefore changed hash values.

Get—Indicates that the HTTP request method is a GET with a URL of "/". This request method directs the server to get the page, and the ACE appliance calculates a hash value for the content of the page. If the page content information changes, the hash value no longer matches the original hash value and the ACE appliance assumes the service is down. This is the default request method.

Request HTTP URL

Enter the URL path on the remote server. Valid entries are strings of up to 255 characters specifying the URL path. The default path is "/".

Cipher

Select the cipher suite to be used with this HTTPS probe:

RSA_ANY—Indicates that the HTTPS probe accepts all RSA-configured cipher suites and that no specific suite is configured. This is the default action.

RSA_EXPORT1024_WITH_DES_CBC_SHA

RSA_EXPORT1024_WITH_RC4_56_MD5

RSA_EXPORT1024_WITH_RC4_56_SHA

RSA_EXPORT_WITH_DES40_CBC_SHA

RSA_EXPORT_WITH_RC4_40_MD5

RSA_WITH_3DES_EDE_CBC_SHA

RSA_WITH_AES_128_CBC_SHA

RSA_WITH_AES_256_CBC_SHA

RSA_WITH_DES_CBC_SHA

RSA_WITH_RC4_128_MD5

RSA_WITH_RC4_128_SHA

SSL Version

Select the version of SSL or TLS to be used in ClientHello messages sent to the server:

SSLv2—Indicates that the probe is to use SSL version 2.

SSLv3—Indicates that the probe is to use SSL version 3.

TLSv1—Indicates that the probe is to use TLS version 1.

By default, the probe sends ClientHello messages with an SSL version 3 header and a TLS version 1 message.


To configure probe headers and expect statuses for HTTPS probes, see:

Configuring Headers for HTTP and HTTPS Probes

Configuring Health Monitoring Expect Status
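
A probe pinned to one cipher suite only passes while the real server still accepts that suite, so the Cipher and SSL Version choices are worth reviewing before deployment. This added Python check (not from the Cisco guide) classifies the suite names in Table 3-29 by their components; the finding labels and function names are hypothetical, and the weakness rules are general cryptographic guidance rather than statements from this page.

```python
import re

# Cipher values offered for the HTTPS probe in Table 3-29 (RSA_ANY is the default).
PAGE_SUITES = [
    "RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "RSA_EXPORT1024_WITH_RC4_56_MD5",
    "RSA_EXPORT1024_WITH_RC4_56_SHA",
    "RSA_EXPORT_WITH_DES40_CBC_SHA",
    "RSA_EXPORT_WITH_RC4_40_MD5",
    "RSA_WITH_3DES_EDE_CBC_SHA",
    "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_CBC_SHA",
    "RSA_WITH_DES_CBC_SHA",
    "RSA_WITH_RC4_128_MD5",
    "RSA_WITH_RC4_128_SHA",
]

# RSA[_EXPORT[1024]]_WITH_<cipher>_<mac>
_SUITE_RE = re.compile(r"RSA(_EXPORT(?:1024)?)?_WITH_(.+)_(MD5|SHA)")


def suite_findings(name):
    """Classify one suite name by its components; [] means no finding."""
    m = _SUITE_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    export, cipher, mac = m.group(1) is not None, m.group(2), m.group(3)
    parts = cipher.split("_")
    algo = parts[0]
    if algo == "DES40":
        algo, bits = "DES", 40
    elif algo == "DES":
        bits = 56
    elif algo == "3DES":
        bits = 112                      # effective strength of three-key 3DES
    else:                               # RC4_<bits> or AES_<bits>_CBC
        bits = int(parts[1])

    findings = []
    if export:
        findings.append("export-grade")   # deliberately weakened key exchange
    if bits < 112:
        findings.append("short-key")
    if algo == "RC4":
        findings.append("rc4")            # prohibited for TLS by RFC 7465
    if algo in ("DES", "3DES"):
        findings.append("64-bit-block")
    if mac == "MD5":
        findings.append("md5-mac")
    return findings


def audit_https_probe(cipher="RSA_ANY", ssl_version=None):
    """Findings for one HTTPS probe; the arguments mirror the Cipher and
    SSL Version fields. ssl_version=None means the field was left at its default."""
    findings = []
    if ssl_version == "SSLv2":
        findings.append("sslv2")          # prohibited by RFC 6176
    elif ssl_version == "SSLv3":
        findings.append("sslv3")          # deprecated by RFC 7568
    # TLSv1 is the newest version this field offers, so it is not flagged here.
    if cipher == "RSA_ANY":
        # Informational: a passing probe does not show which suite was
        # negotiated, so it says nothing about weak suites being disabled.
        findings.append("any-suite")
    else:
        findings.extend(suite_findings(cipher))
    return findings


if __name__ == "__main__":
    for suite in PAGE_SUITES:
        print(f"{suite:34} {', '.join(suite_findings(suite)) or 'no finding'}")
    # Constructed probe configurations.
    print(audit_https_probe("RSA_WITH_RC4_128_SHA", "SSLv2"))
    print(audit_https_probe("RSA_WITH_AES_256_CBC_SHA", "TLSv1"))
```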

IMAP Probe Attributes

Table 3-30 IMAP Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection

Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout

Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10.

User Name

Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 24 characters.

Password

Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 24 characters.

Mailbox Name

Enter the user mailbox name from which to retrieve e-mail for this IMAP probe. Valid entries are unquoted text strings with a maximum of 64 characters.

Request Method

Enter the request method command for this probe. Valid entries are text strings with a maximum of 32 characters and no spaces.


POP Probe Attributes

Table 3-31 POP Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection

Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout

Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10.

User Name

Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

Password

Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

Request Method

Enter the request method command for this probe. Valid entries are text strings with a maximum of 32 characters and no spaces.


RADIUS Probe Attributes

Table 3-32 RADIUS Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

User Secret

Enter the shared secret to be used to allow probe access to the RADIUS server. Valid entries are case-sensitive strings with no spaces and a maximum of 128 characters.

User Name

Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

Password

Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.

NAS IP Address

Enter the IP address of the Network Access Server (NAS) in dotted-decimal format, such as 192.168.11.1.


Scripted Probe Attributes

Table 3-33 Scripted Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Script needs to be copied from remote location?

Select this check box to indicate that the file needs to be copied from a remote server. Clear this check box to indicate that the script resides locally.

Protocol

This field appears if the Script needs to be copied from remote location? check box is selected.

Select the protocol to be used for copying the script:

FTP—Indicates that the script is to be copied using FTP.

TFTP—Indicates that the script is to be copied using TFTP.

Username

This field appears if FTP is selected in the Protocol field.

Enter the name of the user account on the remote server.

Password

This field appears if FTP is selected in the Protocol field.

Enter the password for the user account on the remote server.

Confirm

This field appears if FTP is selected in the Protocol field.

Reenter the password.

Source File Name

Enter the host IP address, path, and filename of the file on the remote server in the format host-ip/path/filename where:

host-ip represents the IP address of the remote server.

path represents the directory path of the file on the remote server.

filename represents the filename of the file on the remote server.

For example, your entry might resemble 192.168.11.2/usr/bin/my-script.ext.

Script Name

Enter the local name that you want to assign to this file on the ACE appliance. This file can reside in the disk0: directory or the probe: directory (if the probe: directory exists). Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.

Script Arguments

Enter up to 5 arguments that are to be passed to the script. Valid arguments are unquoted text strings with no spaces; separate multiple arguments with a space. The field limit is 255 characters.


SMTP Probe Attributes

Table 3-34 SMTP Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection

Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout

Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10.


To configure probe expect statuses for SMTP probes, see Configuring Health Monitoring Expect Status.

TCP Probe Attributes

Table 3-35 TCP Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection

Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout

Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10.

Send Data

Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.

Expect Regex

Enter the expected response data from the probe destination. Valid entries are unquoted text strings with a maximum of 255 characters.

Expect Regex Offset

Enter the number of characters into the received message or buffer where the ACE appliance is to begin looking for the string specified in the Expect Regex field. Valid entries are integers from 1 to 4000.


Telnet Probe Attributes

Table 3-36 Telnet Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Is Connection

Select the check box to indicate that connection parameters are configured. Clear the check box to indicate that connection parameters are not configured.

Open Timeout

Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 10.


UDP Probe Attributes

Table 3-37 UDP Probe Attributes 

Field
Action

Port

Enter the port number that the probe is to use. By default, the probe uses the port number based on its type.

Send Data

Enter the ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.

Expect Regex

Enter the expected response data from the probe destination. Valid entries are unquoted text strings with a maximum of 255 characters.

Expect Regex Offset

Enter the number of characters into the received message or buffer where the ACE appliance is to begin looking for the string specified in the Expect Regex field. Valid entries are integers from 1 to 4000.


Configuring DNS Probe Expect Addresses

When a DNS probe sends a domain name resolve request to the server, it verifies the returned IP address by matching the received IP address with the configured addresses.

Use this procedure to specify the IP address that the ACE appliance expects to receive in response to a DNS request.

Assumption

A DNS probe has been configured. See Configuring Health Monitoring for Real Servers for more information.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health Monitoring table appears.

Step 2 Select the DNS probe that you want to configure with an expected IP address. The Expect Addresses subtable appears.

Step 3 Click Add to add an entry to the Expect Addresses table. The Expect Address configuration screen appears.


Note You cannot modify an entry in the Expect Addresses table. Instead, delete the existing entry, then add a new one.


Step 4 In the IP Address field, enter the IP address that the ACE appliance is to expect as a server response to a DNS request. Valid entries are unique IP addresses in dotted-decimal notation, such as 192.168.11.1.

Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entry and to return to the Expect Addresses table.

Next to save your entry and to add another IP Address to the Expect Addresses table.


Related Topics

Configuring Health Monitoring for Real Servers

DNS Probe Attributes

Configuring Headers for HTTP and HTTPS Probes

Use this procedure to specify header fields for HTTP and HTTPS probes.

Assumption

An HTTP or HTTPS probe has been configured. See Configuring Health Monitoring for Real Servers for more information.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health Monitoring table appears.

Step 2 Select the HTTP or HTTPS probe that you want to configure with a header. The Probe Headers subtable appears.

Step 3 Click Add to add an entry, or select an existing entry, then click Edit to modify it. The Probe Headers configuration screen appears.

Step 4 In the Header Name field, select the HTTP header the probe is to use.

Step 5 In the Header Value field, enter the string to assign to the header field. Valid entries are text strings with a maximum of 255 characters. If the string includes spaces, enclose the string with quotes.

Step 6 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entry and to return to the Probe Headers table.

Next to save your entry and to add another header entry to the Probe Headers table.


Related Topics

Configuring Health Monitoring for Real Servers

HTTP Probe Attributes

HTTPS Probe Attributes

Configuring Health Monitoring Expect Status

When the ACE appliance receives a response from the server, it expects a status code to mark a server as passed. By default, there are no status codes configured on the ACE appliance. If you do not configure a status code, any response code from the server is marked as failed.

Expect status codes can be configured for FTP, HTTP, HTTPS, and SMTP probes.

Use this procedure to configure a single code response or a range of code responses that the ACE appliance expects from the probe destination.

Assumption

An FTP, HTTP, HTTPS, or SMTP probe has been configured. See Configuring Health Monitoring for Real Servers for more information.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health Monitoring table appears.

Step 2 Select the FTP, HTTP, HTTPS, or SMTP probe that you want to configure for expect status codes. The Expect Status subtable appears.

Step 3 Click Add to add an entry, or select an existing entry, then click Edit to modify it. The Expect Status configuration screen appears.

Step 4 To configure a single expect status code:

a. In the Min Expect Status Code field, enter the expect status code for this probe. Valid entries are integers from 0 to 999.

b. In the Max Expect Status Code field, enter the same expect status code that you entered in the Min Expect Status Code field.

Step 5 To configure a range of expect status codes:

a. In the Min Expect Status Code field, enter the lower limit of the range of status codes. Valid entries are integers from 0 to 999.

b. In the Max Expect Status Code field, enter the upper limit of the range of status codes. Valid entries are integers from 0 to 999. The value in this field must be greater than or equal to the value in the Min Expect Status Code field.

Step 6 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Expect Status table.

Next to save your entries and to add another expect status code to the Expect Status table.
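The following added example (not part of the Cisco guide and not ACE code) models the expect status rules from this section: entries are inclusive ranges from 0 to 999, and a probe with no entries fails every response. The `ExpectStatus` class, the function names and the choice of HTTP 5xx as codes that should never pass are assumptions made for the illustration.

```python
from dataclasses import dataclass

MIN_CODE, MAX_CODE = 0, 999  # valid entries for both fields, per the procedure


@dataclass(frozen=True)
class ExpectStatus:
    """One Expect Status entry; min_code and max_code are inclusive."""
    min_code: int
    max_code: int

    def __post_init__(self):
        for label, value in (("Min", self.min_code), ("Max", self.max_code)):
            if isinstance(value, bool) or not isinstance(value, int):
                raise ValueError(f"{label} Expect Status Code must be an integer")
            if not MIN_CODE <= value <= MAX_CODE:
                raise ValueError(f"{label} Expect Status Code {value} is outside 0-999")
        if self.max_code < self.min_code:
            raise ValueError("Max Expect Status Code must be >= Min Expect Status Code")


def probe_passes(status_code, entries):
    """True if the response code falls inside any configured entry.

    An empty list models the default: no status codes are configured, so
    every response code marks the server as failed.
    """
    return any(e.min_code <= status_code <= e.max_code for e in entries)


def accepted_error_codes(entries, error_codes=range(500, 600)):
    """Codes in error_codes that the entries would still mark as passed.

    error_codes defaults to HTTP 5xx, an assumption made for this example
    about which responses should never count as healthy.
    """
    return [code for code in error_codes if probe_passes(code, entries)]


# Constructed sample configurations (not taken from a real appliance).
UNCONFIGURED = []
SINGLE_200 = [ExpectStatus(200, 200)]   # Step 4: min and max are the same code
RANGE_2XX = [ExpectStatus(200, 299)]    # Step 5: a range of codes
CATCH_ALL = [ExpectStatus(0, 999)]      # valid input, but accepts every response


def report():
    """Summarise how each sample configuration treats a few responses."""
    rows = {}
    for name, cfg in (("unconfigured", UNCONFIGURED), ("single 200", SINGLE_200),
                      ("range 2xx", RANGE_2XX), ("catch-all", CATCH_ALL)):
        rows[name] = {
            "200 passes": probe_passes(200, cfg),
            "204 passes": probe_passes(204, cfg),
            "5xx accepted": len(accepted_error_codes(cfg)),
        }
    return rows


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:13} {result}")
```

The catch-all entry is valid input for both fields, yet it leaves the probe unable to tell a healthy server from one returning errors.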


Related Topics

Configuring Health Monitoring for Real Servers

FTP Probe Attributes

HTTP Probe Attributes

SMTP Probe Attributes

Managing Real Servers

The Real Servers table (Config > Operations > Real Servers) provides the following information by default for each server:

Server name

IP address

Port

Configured status, such as In Service, Out of Service, or In Service Standby

Current state (See Table 3-38 for descriptions of real server operational states.)

Number of current connections

Current server weight

Associated server farm

Owner, such as the associated virtual context

In the table, N/A indicates that either the information is not available from the database or that it is not being collected via SNMP. To identify any SNMP-related issues, select the real server's virtual context in the object selector. If there are problems with SNMP, SNMP status will appear in the upper right above the content pane.

The following options are available from the Real Servers table:

Activating Real Servers

Suspending Real Servers

Modifying Real Servers

Viewing All Real Servers

Activating Real Servers

Use this procedure to activate a real server.

Procedure


Step 1 Select Config > Operations > Real Servers. The Real Servers table appears.

Step 2 Select the servers that you want to activate, then click Activate. The Activate Server screen appears.

Step 3 In the Task field, confirm that this is the server that you want to activate.

Step 4 In the Reason field, enter a reason for this action. You might enter a trouble ticket, an order ticket, or a user message. Do not enter a password in this field.

Step 5 Click:

Deploy Now to deploy this configuration and to return to the Real Servers table. The server appears in the table with the status Inservice.

Cancel to exit this procedure without activating the server and to return to the Real Servers table.


Related Topics

Managing Real Servers

Suspending Real Servers

Viewing All Real Servers

Suspending Real Servers

Use this procedure to suspend a real server.

Procedure


Step 1 Select Config > Operations > Real Servers. The Real Servers table appears.

Step 2 Select the server that you want to suspend, then click Suspend. The Suspend Server screen appears.

Step 3 In the Task field, confirm that the correct server is identified.

Step 4 In the Reason field, enter the reason for this action. You might enter a trouble ticket, an order ticket, or a user message. Do not enter a password in this field.

Step 5 Select the Clear Existing Connections? check box to clear the existing connections to this server as part of the shutdown process. Clear the check box if you do not want to clear the existing connections as part of the shutdown process.

Step 6 Click:

Deploy Now to deploy this configuration and to return to the Real Servers table. The server appears in the table with the status Out of Service.

Cancel to exit this procedure without suspending the server and to return to the Real Servers table.


Related Topics

Managing Real Servers

Activating Real Servers

Viewing All Real Servers

Modifying Real Servers

Use this procedure to modify weight and connections for real servers.

Procedure


Step 1 Select Config > Operations > Real Servers. The Real Servers table appears.

Step 2 Select the server whose configuration you want to modify, then click Edit. The Real Server configuration screen appears.

Step 3 In the Reason field, enter a reason for this change. You might enter a trouble ticket, an order ticket, or a user message. Do not enter a password in this field.

Step 4 In the Weight field, enter the weight to be assigned to this real server in a server farm. Valid entries are integers from 1 to 100, and the default is 8.

Step 5 In the Minimum Connections field, enter the number of connections that must occur before this server starts accepting connections again after the maximum number of connections has been exceeded. Valid entries are integers from 1 to 4000000.

Step 6 In the Maximum Connections field, enter the maximum number of connections allowed for this server. Valid entries are integers from 1 to 4000000.

Step 7 Click:

Deploy Now to deploy this configuration and to return to the Real Servers table. The server appears in the table with the updated information.

Cancel to exit this procedure without saving your entries and to return to the Real Servers table.


Related Topics

Managing Real Servers

Activating Real Servers

Viewing All Real Servers

Viewing All Real Servers

To view all real servers, select Config > Operations > Real Servers. The Real Servers table displays the following information by default:

Real server name

IP address

Port

Configured status, such as In Service, Out of Service, or In Service Standby

Current operational state. Table 3-38 describes real server operational states.

Number of current connections

Server weight

Associated server farm

Owner, such as the associated virtual context

In the table, N/A indicates that either the information is not available from the database or that it is not being collected via SNMP. To identify any SNMP-related issues, select the real server's virtual context in the object selector. If there are problems with SNMP, SNMP status will appear in the upper right above the content pane.

Table 3-38 Real Server Operational States

| State | Description |
|---|---|
| Failed | The server has failed and will not be retried for the amount of time specified by its retry timer. |
| Inband probe failed | The server has failed the inband Health Probe agent. |
| In service | The server is in use as a destination for server load balancing client connections. |
| Operation wait | The server is ready to become operational but is waiting for the associated redirect virtual server to be in service. |
| Out of service | The server is not in use by a server load balancer as a destination for client connections. |
| Probe failed | The server load-balancing probe to this server has failed. No new connections will be assigned to this server until a probe to this server succeeds. |
| Probe testing | The server has received a test probe from the server load balancer. |
| Ready to test | The server has failed and its retry timer has expired; test connections will begin flowing to it soon. |
| Return code failed | The server has been disabled because it returned an HTTP code that matched a configured value. |
| Test wait | The server is ready to be tested. This state is applicable only when the server is used for HTTP redirect load balancing. |
| Testing | The server has failed and has been given another test connection. The success of this connection is not known. |
| Throttle: DFP | DFP has lowered the weight of the server to throttle level; no new connections will be assigned to the server until DFP raises its weight. |
| Throttle: max clients | The server has reached its maximum number of allowed clients. |
| Throttle: max connections | The server has reached its maximum number of connections and is no longer being given connections. |
| Unknown | The state of the server is not known. |


Related Topics

Activating Real Servers

Suspending Real Servers

Modifying Real Servers

Stickiness Overview

When customers visit an e-commerce site, they usually start out by browsing the site, the Internet equivalent of window shopping. Depending on the application, the site may require that the client become "stuck" to one server once the connection is established, or the application may not require this until the client starts to build a shopping cart.

In either case, once the client adds items to the shopping cart, it is important that all of the client requests get directed to the same server so that all the items are contained in one shopping cart on one server. An instance of a customer's shopping cart is typically local to a particular Web server and is not duplicated across multiple servers.

E-commerce applications are not the only types of applications that require stickiness. Any Web application that maintains client information may require stickiness, such as banking applications or online trading. Other uses include FTP and HTTP file transfers.

Stickiness allows the same client to maintain multiple simultaneous or subsequent TCP or IP connections with the same real server for the duration of a session. A session, as used here, is defined as a series of transactions between a client and a server over some finite period of time (from several minutes to several hours). This feature is particularly useful for e-commerce applications where a client needs to maintain multiple connections with the same server while shopping online, especially while building a shopping cart and during the checkout process.

Depending on the configured SLB policy, the ACE appliance "sticks" a client to an appropriate server after the ACE appliance has determined which load-balancing method to use. If the ACE appliance determines that a client is already stuck to a particular server, then the ACE appliance sends that client request to that server, regardless of the load-balancing criteria specified by the matched policy. If the ACE appliance determines that the client is not stuck to a particular server, it applies the normal load-balancing rules to the content request.

For information on stickiness, see:

IP Address Stickiness

Cookie Stickiness

HTTP Header Stickiness

Sticky Groups

Sticky Table

Related Topics

Configuring Virtual Server Default Layer 7 Load Balancing

Configuring Load Balancing Using Sticky Groups

IP Address Stickiness

You can use the source IP address, the destination IP address, or both to uniquely identify individual clients and their requests for stickiness purposes based on their IP netmask. However, if an enterprise or a service provider uses a megaproxy to establish client connections to the Internet, the source IP address no longer is a reliable indicator of the true source of the request. In this case, you can use cookies or one of the other sticky methods to ensure session persistence.

Related Topics

Stickiness Overview

Cookie Stickiness

HTTP Header Stickiness

Sticky Groups

Sticky Table

Cookie Stickiness

Client cookies uniquely identify clients to the ACE appliance and the servers providing content. A cookie is a small data structure within the HTTP header that is used by a server to deliver data to a Web client and request that the client store the information. In certain applications, the client returns the information to the server to maintain the connection state or persistence between the client and the server.

When the ACE appliance examines a request for content and determines through policy matching that the content is sticky, it examines any cookie or URL present in the content request. The ACE appliance uses the information in the cookie or URL to direct the content request to the appropriate server.

The ACE appliance supports the following types of cookie stickiness:

Dynamic cookie learning

You can configure the ACE appliance to look for a specific cookie name and automatically learn its value either from the client request HTTP header or from the server Set-Cookie message in the server response. Dynamic cookie learning is useful when dealing with applications that store more than just the session ID or user ID within the same cookie. Only very specific bytes of the cookie value are relevant to stickiness.

By default, the ACE appliance learns the entire cookie value. You can optionally specify an offset and length to instruct the ACE appliance to learn only a portion of the cookie value.

Alternatively, you can specify a secondary cookie value that appears in the URL string in the HTTP request. This option instructs the ACE appliance to search for (and eventually learn or stick to) the cookie information as part of the URL. URL learning is useful with applications that insert cookie information as part of the HTTP URL. In some cases, you can use this feature to work around clients that reject cookies.

Cookie insert

The ACE appliance inserts the cookie on behalf of the server upon the return request, so that the ACE appliance can perform cookie stickiness even when the servers are not configured to set cookies. The cookie contains information that the ACE appliance uses to ensure persistence to a specific real server.

Related Topics

Stickiness Overview

IP Address Stickiness

HTTP Header Stickiness

Sticky Groups

Sticky Table

HTTP Header Stickiness

You can use HTTP-header information to provide stickiness. With HTTP header stickiness, you can specify a header offset to provide stickiness based on a unique portion of the HTTP header.

Related Topics

Stickiness Overview

IP Address Stickiness

Cookie Stickiness

Sticky Groups

Sticky Table

Sticky Groups

The ACE appliance uses the concept of sticky groups to configure stickiness. A sticky group allows you to specify sticky attributes. After you configure a sticky group and its attributes, you associate the sticky group with a Layer 7 policy-map action in a Layer 7 SLB policy map. You can create a maximum of 4096 sticky groups in each context. Each sticky group that you configure on the ACE appliance contains a series of parameters that determine:

Sticky method

Timeout

Replication

Cookie offset and other cookie-related attributes

HTTP header offset and other header-related attributes


Note The context in which you configure a sticky group must be associated with a resource class that allocates a portion of ACE appliance resources to stickiness. See Managing Resource Classes, page 2-29 for information about configuring ACE appliance resources.


Related Topics

Stickiness Overview

IP Address Stickiness

Cookie Stickiness

HTTP Header Stickiness

Sticky Table

Sticky Table

To keep track of sticky connections, the ACE appliance uses a sticky table. Table entries include the following items:

Sticky groups

Sticky methods

Sticky connections

Real servers

The sticky table can hold a maximum of four million entries (four million simultaneous users). When the table reaches the maximum number of entries, additional sticky connections cause the table to wrap and the first users become unstuck from their respective servers.

The ACE appliance uses a configurable timeout mechanism to age out sticky table entries. When an entry times out, it becomes eligible for reuse. High connection rates may cause the premature aging out of sticky entries. In this case, the ACE appliance reuses the entries that are closest to expiration first.

Sticky entries can be either dynamic (generated by the ACE appliance on-the-fly) or static (user-configured). When you create a static sticky entry, the ACE appliance places the entry in the sticky table immediately. Static entries remain in the sticky database until you remove them from the configuration. You can create a maximum of 4096 static sticky entries in each context.

If the ACE appliance takes a real server out of service for whatever reason (probe failure, no inservice command, or ARP timeout), the ACE appliance removes from the database any sticky entries that are related to that server.
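The sticky table behaviour described above, as an added scaled-down model for capacity planning (not part of the Cisco guide and not ACE code). The `StickyTable` class and its methods are hypothetical. The model assumes that static entries count against the table limit, that a full table reuses the dynamic entry closest to expiration, and that taking a server out of service purges its dynamic entries while static entries stay as configured.

```python
class StickyTable:
    """Scaled-down model of the sticky table; times are in minutes."""

    def __init__(self, capacity, timeout_minutes=1440):
        self.capacity = capacity         # the appliance limit is four million
        self.timeout = timeout_minutes   # 1440 minutes is the default timeout
        self.dynamic = {}                # key -> (real server, expiry minute)
        self.static = {}                 # key -> real server (user-configured)

    def _make_room(self):
        """Free one slot if the table is full; return the evicted key or None."""
        if len(self.dynamic) + len(self.static) < self.capacity:
            return None
        if not self.dynamic:
            raise RuntimeError("table is full of static entries")
        # Entries closest to expiration are reused first. Entries that have
        # already timed out have the lowest expiry, so they go before live ones.
        victim = min(self.dynamic, key=lambda k: self.dynamic[k][1])
        del self.dynamic[victim]
        return victim

    def add_static(self, key, server):
        """Static entries are placed immediately and never age out."""
        evicted = None if key in self.static else self._make_room()
        self.dynamic.pop(key, None)
        self.static[key] = server
        return evicted

    def stick(self, key, server, now):
        """Create or refresh a dynamic entry; return the key it displaced."""
        if key in self.static:
            return None
        evicted = None if key in self.dynamic else self._make_room()
        self.dynamic[key] = (server, now + self.timeout)
        return evicted

    def lookup(self, key, now):
        """Return the real server a key is stuck to, or None if it is not stuck."""
        if key in self.static:
            return self.static[key]
        entry = self.dynamic.get(key)
        if entry is None:
            return None
        server, expires = entry
        if expires <= now:               # aged out: eligible for reuse
            del self.dynamic[key]
            return None
        return server

    def remove_server(self, server):
        """Purge dynamic entries for a server taken out of service."""
        gone = [k for k, (s, _) in self.dynamic.items() if s == server]
        for key in gone:
            del self.dynamic[key]
        return gone


def unstuck_by_churn(capacity, established, newcomers):
    """Return the established clients displaced when new keys fill the table."""
    table = StickyTable(capacity)
    for minute, client in enumerate(established):
        table.stick(client, "rs1", now=minute)
    displaced = []
    for i, client in enumerate(newcomers):
        victim = table.stick(client, "rs2", now=len(established) + i)
        if victim is not None:
            displaced.append(victim)
    return displaced


if __name__ == "__main__":
    # Constructed workload: 5 established clients, 6 new keys, table of 8.
    old = [f"client-{i}" for i in range(5)]
    new = [f"new-{i}" for i in range(6)]
    print(unstuck_by_churn(8, old, new))
```

In the constructed workload, the three earliest clients lose their entries long before the 1440-minute timeout, which is the wrap behaviour the section describes once the number of distinct sticky keys exceeds the table size.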

Related Topics

Stickiness Overview

IP Address Stickiness

Cookie Stickiness

HTTP Header Stickiness

Sticky Groups

Sticky Table

Configuring Load Balancing Using Sticky Groups

Stickiness (or session persistence) is a feature that allows the same client to maintain multiple simultaneous or subsequent TCP connections with the same real server for the duration of a session. A session, as used here, is defined as a series of transactions between a client and a server over some finite period of time (from several minutes to several hours). This feature is particularly useful for e-commerce applications where a client needs to maintain multiple TCP connections with the same server while shopping online, especially while building a shopping cart and during the checkout process.

E-commerce applications are not the only types of applications that require stickiness. Any Web application that maintains client information may require stickiness, such as banking applications or online trading. Other uses include FTP and HTTP file transfers.

The ACE appliance uses the concept of sticky groups to configure stickiness. A sticky group allows you to specify sticky attributes. After you configure a sticky group and its attributes, you associate the sticky group with a Layer 7 policy-map action in a Layer 7 SLB policy map.


Note The context in which you configure a sticky group must be associated with a resource class that allocates a portion of ACE appliance resources to stickiness. See Managing Resource Classes, page 2-29 for information about configuring ACE appliance resources.


Assumption

The context in which you are configuring a sticky group is associated with a resource class that allocates resources to stickiness.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Stickiness. The Sticky Groups table appears.

Step 2 Click Add to add a new sticky group, or select an existing sticky group you want to modify, then click Edit.

Step 3 Enter the sticky group attributes (see Table 3-39).

Table 3-39 Sticky Group Attributes 

Field
Description

Group Name

The sticky group identifier. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

Type

The method to be used when establishing sticky connections:

HTTP Cookie—Indicates that the ACE appliance is either to learn a cookie from the HTTP header of a client request or to insert a cookie in the Set-Cookie header of the response from the server to the client, and then use the learned cookie to provide stickiness between the client and server for the duration of the transaction.

HTTP Header—Indicates that the ACE appliance is to stick client connections to the same real server based on HTTP headers.

IP Netmask—Indicates that the ACE appliance is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IP address, the destination IP address, or both.

Note If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence.

Cookie Name

This option appears for sticky type HTTP Cookie.

Enter a unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

Enable Insert

This option appears only for sticky type HTTP Cookie.

Select this check box if the ACE appliance is to insert a cookie in the Set-Cookie header of the response from the server to the client. This option is useful when you want to use a session cookie for persistence but the server is not currently setting the appropriate cookie. When selected, the ACE appliance selects a cookie value that identifies the original server from which the client received a response. For subsequent connections of the same transaction, the client uses the cookie to stick to the same server.

Clear this check box to disable cookie insertion.

Offset

This option appears for sticky types HTTP Cookie and HTTP Header.

Enter the number of bytes the ACE appliance is to ignore starting with the first byte of the cookie. Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the ACE appliance does not exclude any portion of the cookie.

Length

This option appears for sticky types HTTP Cookie and HTTP Header.

Enter the length of the portion of the cookie (starting with the byte after the offset value) that the ACE appliance is to use for sticking the client to the server. Valid entries are integers from 1 to 1000. The default is 1000.

Secondary Name

This option appears only for sticky type HTTP Cookie.

Enter an alternate cookie name that is to appear in the URL string of the Web page on the server. The ACE appliance uses this cookie to maintain a sticky connection between a client and a server and adds a secondary entry in the sticky table. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Header Name

This option appears for sticky type HTTP Header.

Select the HTTP header to use for sticking client connections.

Netmask

This option appears only for sticky type IP Netmask.

Select the netmask to apply to the source IP address, the destination IP address, or both.

Address Type

This option appears only for sticky type IP Netmask.

Indicate whether this sticky type is to be applied to the client source IP address, the destination IP address, or both:

Both—Indicates that this sticky type is to be applied to both the source IP address and the destination IP address.

Source—Indicates that this sticky type is to be applied to the source IP address only.

Destination—Indicates that this sticky type is to be applied to the destination IP address only.

Sticky Server Farm

Select a server farm you want to associate with this sticky group.

Backup Server Farm

Select a backup server farm to be associated with this sticky group. If the primary server farm is down, the ACE appliance uses the backup server farm.

Aggregate State

This field appears when a server farm and backup server farm are selected.

Select this check box to indicate that the state of the backup server farm is tied to the virtual server state. Clear this check box if the backup server farm is not tied to the virtual server state.

Sticky Enabled

This field appears when a server farm and backup server farm are selected.

Select this check box to indicate that the backup server farm is sticky. Clear this check box if the backup server farm is not sticky.

Replicate

Select this check box to indicate that the ACE appliance is to replicate sticky table entries on the standby ACE appliance. If a failover occurs and this option is selected, the new active ACE appliance can maintain the existing sticky connections.

Clear this check box to indicate that the ACE appliance is not to replicate sticky table entries on the standby ACE appliance.

Timeout

Enter the number of minutes that the ACE appliance keeps the sticky information for a client connection in the sticky table after the latest client connection terminates. Valid entries are integers from 1 to 65535; the default is 1440 minutes (24 hours).

Timeout Active Connections

Select this check box to specify that the ACE appliance is to time out sticky table entries even if active connections exist after the sticky timer expires.

Clear this check box to specify that the ACE appliance is not to time out sticky table entries even if active connections exist after the sticky timer expires. This is the default behavior.


Step 4 Click:

Deploy Now to deploy this configuration on the ACE appliance. To configure sticky statics, see Configuring Sticky Statics.

Cancel to exit the procedure without saving your entries and to return to the Sticky Groups table.

Next to save your entries and to configure another sticky group.
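The following added example (not part of the Cisco guide and not ACE code) shows how the sticky type and the Offset, Length, Netmask and Address Type fields in Table 3-39 decide which requests share a sticky key, including the megaproxy case described under IP Address Stickiness. The function names, the sample requests and the `APPSESS` cookie layout are constructed for the illustration, and returning no key when the offset runs past the cookie value is a modelling assumption.

```python
import ipaddress


def ip_sticky_key(src, dst, netmask, address_type="source"):
    """Key for sticky type IP Netmask: the masked address(es) chosen by Address Type."""
    def masked(addr):
        net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
        return str(net.network_address)

    if address_type == "source":
        return (masked(src),)
    if address_type == "destination":
        return (masked(dst),)
    if address_type == "both":
        return (masked(src), masked(dst))
    raise ValueError("address_type must be source, destination or both")


def cookie_sticky_key(cookie_header, cookie_name, offset=0, length=1000):
    """Portion of the named cookie's value used for sticking.

    offset bytes are skipped, then up to length bytes are kept. The defaults
    and limits follow the Offset and Length rows of Table 3-39.
    """
    if not 0 <= offset <= 999:
        raise ValueError("offset must be an integer from 0 to 999")
    if not 1 <= length <= 1000:
        raise ValueError("length must be an integer from 1 to 1000")
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name == cookie_name:
            raw = value.encode("latin-1")        # offsets are counted in bytes
            portion = raw[offset:offset + length]
            # Assumption: an empty portion yields no usable sticky key.
            return portion.decode("latin-1") or None
    return None


# Constructed requests: (user, source IP seen by the appliance, Cookie header).
# alice's requests leave a megaproxy through two addresses; bob shares one of them.
VIP = "192.0.2.80"
REQUESTS = [
    ("alice", "198.51.100.10", "lang=en; APPSESS=v2|u=8841|sid=9f3c2a71|ts=1700000000"),
    ("alice", "203.0.113.7", "lang=en; APPSESS=v2|u=8841|sid=9f3c2a71|ts=1700000060"),
    ("bob", "198.51.100.10", "lang=de; APPSESS=v2|u=1207|sid=47d0be15|ts=1700000003"),
]


def keys_per_user(key_fn):
    """Map each user to the set of sticky keys their requests produce."""
    out = {}
    for user, src, cookie in REQUESTS:
        out.setdefault(user, set()).add(key_fn(src, cookie))
    return out


def compare():
    """Sticky keys per user for three sticky group configurations."""
    by_ip = keys_per_user(lambda s, c: ip_sticky_key(s, VIP, "255.255.255.255"))
    by_whole_cookie = keys_per_user(lambda s, c: cookie_sticky_key(c, "APPSESS"))
    by_sid = keys_per_user(
        lambda s, c: cookie_sticky_key(c, "APPSESS", offset=14, length=8))
    return by_ip, by_whole_cookie, by_sid


if __name__ == "__main__":
    for label, result in zip(("IP netmask", "whole cookie", "cookie 14+8"), compare()):
        print(f"{label:13} {result}")
```

A user whose set holds more than one key is not reliably stuck, and two users with the same key are always sent to the same real server. Only the offset and length that isolate the session identifier give each user exactly one distinct key here.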


Related Topics

Configuring Sticky Statics

Configuring Virtual Context Class Maps, page 7-12

Configuring Virtual Context Policy Maps, page 7-27

Configuring Load Balancing with Real Servers

Configuring Server Farm Load Balancing

Viewing All Sticky Groups by Context

Use this procedure to view all sticky groups associated with a virtual context.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the virtual context with the sticky groups you want to view, then select Load Balancing > Stickiness. The Sticky Groups table appears, listing the sticky groups associated with the selected context.


Related Topics

Configuring Load Balancing Using Sticky Groups

Configuring Sticky Statics

Configuring Sticky Statics

Use this procedure to configure sticky statics.

Assumption

A sticky group has been configured. See Configuring Load Balancing Using Sticky Groups for more information.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Stickiness. The Sticky Groups table appears.

Step 2 Select the sticky group you want to configure for sticky statics, then select the Sticky Statics tab. If you do not see the Sticky Statics tab beneath the Sticky Groups table, click Show Tabs just below the table name.

Step 3 Click Add to add a new entry to the table, or select an existing entry, then click Edit to modify it. The Sticky Statics configuration screen appears.

Step 4 In the Seqnumber field, either accept the automatically incremented number for this entry or enter a new sequence number. The sequence number indicates the order in which multiple sticky static configurations are applied.

Step 5 In the Type field, confirm that the correct sticky group type is selected. If you select multiple sticky groups and are creating a new static sticky entry, select the sticky group type to use:

HTTP Cookie—Indicates that the ACE appliance is either to learn a cookie from the HTTP header of a client request or to insert a cookie in the Set-Cookie header of the response from the server to the client, and then use the learned cookie to provide stickiness between the client and server for the duration of the transaction.

HTTP Header—Indicates that the ACE appliance is to stick client connections to the same real server based on HTTP headers.

IP Netmask—Indicates that the ACE appliance is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IP address, the destination IP address, or both.


Note If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence.


Step 6 If you select either HTTP Cookie or HTTP Header for sticky type, in the Static Value field, enter the cookie string value. Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters. If the string includes spaces, enclose the string with quotes.

Step 7 If you select IP Netmask for the sticky type:

a. In the Static Source field, enter the source IP address of the client.

b. In the Static Destination field, enter the destination IP address of the client.

Step 8 In the Named Real Server field, select the real server to associate with this static sticky entry.

Step 9 In the Port field, enter the port number of the real server. Valid entries are integers from 1 to 65535.

Step 10 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Sticky Statics table.

Next to save your entries and to configure another sticky static entry.


Related Topic

Configuring Load Balancing Using Sticky Groups

Using Parameter Maps

Parameter maps allow you to combine related actions for IP, TCP, or HTTP connections in a Layer 3 and Layer 4 policy map.

The ACE Appliance Device Manager interface enables you to create:

Connection parameter maps that combine all IP and TCP connection-related behaviors pertaining to:

TCP normalization, termination, and server reuse

IP normalization, fragmentation, and reassembly

HTTP parameter maps that configure HTTP behavior for HTTP load-balanced connections.

Optimization parameter maps that specify optimization-related commands that pertain to application acceleration and optimization functions performed by the ACE appliance.

Related Topics

Configuring Connection Parameter Maps

Configuring HTTP Parameter Maps

Configuring Optimization Parameter Maps

Configuring Traffic Policies, page 7-1

Configuring Load Balancing

Configuring Virtual Contexts, page 2-4

Configuring Connection Parameter Maps

Use this procedure to configure a Connection parameter map for use with a Layer 3/Layer 4 policy map.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Parameter Map. The Parameter Map table appears.

Step 2 Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify it. The Parameter Maps configuration screen appears.

Step 3 In the Parameter Name field, enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 32 alphanumeric characters.

Step 4 In the Type field, select Connection.

Step 5 Enter the information in Table 3-40.

Table 3-40 Connection Parameter Map Attributes 

Field
Description

Exceeds MSS

Indicate how the ACE appliance is to handle segments that exceed the maximum segment size (MSS):

Allow—Indicates that the ACE appliance is to permit segments that exceed the configured MSS.

Drop—Indicates that the ACE appliance is to discard segments that exceed the configured MSS.

Nagle

The Nagle algorithm instructs a sender to buffer any data to be sent until all outstanding data has been acknowledged or until there is a full segment of data to send. Enabling the Nagle algorithm increases throughput, but it can increase latency in your TCP connection.

Select the check box to enable the Nagle algorithm. Clear the check box to disable the Nagle algorithm.

Note Disable the Nagle algorithm when you observe unacceptable delays in TCP connections.

Random Sequence Number

Randomizing TCP sequence numbers adds a measure of security to TCP connections by making it more difficult for a hacker to guess or predict the next sequence number in a TCP connection.

Select the check box to enable the use of random TCP sequence numbers. Clear the check box to disable the use of random TCP sequence numbers.

This option is enabled by default.

Reserved Bits

Indicate how the ACE appliance is to handle segments with the reserved bits set in the TCP header:

Allow—Indicates that segments with the reserved bits are to be permitted.

Drop—Indicates that segments with the reserved bits are to be discarded.

Clear—Indicates that reserved bits in TCP headers are to be cleared and segments are to be allowed.

Type-of-Service IP Header

The type of service for an IP packet determines how the network handles the packet and balances its precedence, throughput, delay, reliability, and cost.

Enter the type-of-service value to be applied to IP packets. Valid entries are integers from 0 to 255.

For more information about type of service, refer to RFCs 791, 1122, 1349, and 3168.

ACK Delay Time

Enter the number of milliseconds that the ACE appliance is to wait before sending an acknowledgement from a client to a server. Valid entries are integers from 0 to 400.

TCP Buffer-Share

To improve throughput and overall performance, the ACE buffers the number of bytes you specify before processing received data or transmitting data. Use this option to increase the default buffer size and thereby realize improved network performance.

Enter the maximum size of the TCP buffer in bytes. Valid entries are integers from 8192 to 262143 bytes.

Note If you enter a value in this field for an ACE device that does not support this option, an error message appears. Leave this field blank when creating or modifying a connection parameter map for devices that do not support this option.

Smallest TCP MSS

Enter the size of the smallest segment of TCP data that the ACE appliance is to accept. Valid entries are integers from 0 to 65535 bytes. The value 0 indicates that the ACE appliance is not to set a minimum limit.

Largest TCP MSS

Enter the size of the largest segment of TCP data that the ACE appliance is to accept. Valid entries are integers from 0 to 65535 bytes. The value 0 indicates that the ACE appliance is not to set a maximum limit.

SYN Retries

Enter the number of attempts that the ACE appliance is to make to transmit a TCP segment when initiating a Layer 7 connection. Valid entries are integers from 1 to 15, with a default of 4.

TCP WAN Optimization RTT

This option indicates how the ACE appliance is to apply TCP optimizations to packets on a connection associated with a Layer 7 policy map using a round-trip time (RTT) value:

An entry of 0 (zero) indicates that the ACE appliance is to apply TCP optimizations to packets for the life of a connection.

An entry of 65535 (the default) indicates that the ACE appliance is to perform normal operations (that is, without optimizations) for the life of a connection.

Entries from 1 to 65534 indicate that the ACE appliance is to use the following guidelines:

If the actual client RTT is less than the configured RTT, the ACE appliance performs normal operations for the life of the connection.

If the actual client RTT is greater than or equal to the configured RTT, the ACE appliance performs TCP optimizations on the packets for the life of a connection.

Valid entries are integers from 0 to 65535.

Timeout for Embryonic Connections

An embryonic connection is a TCP three-way handshake for a connection that does not complete for some reason. Enter the number of seconds that the ACE appliance is to wait before timing out an embryonic connection. Valid entries are integers from 0 to 4294967295 with a default of 5. A value of 0 indicates the ACE appliance is never to time out an embryonic connection.

Half Closed Timeout

A half-closed connection is one in which the client or server sends a FIN and the server or client acknowledges the FIN without sending a FIN itself. Enter the number of seconds the ACE appliance is to wait before closing a half-closed connection. Valid entries are integers from 0 to 4294967295 with a default of 3600 (1 hour). A value of 0 indicates that the ACE appliance is never to time out a half-closed connection.

Inactivity Timeout

Enter the number of seconds that the ACE appliance is to wait before disconnecting idle connections. Valid entries are integers from 0 to 4294967295. A value of 0 indicates that the ACE appliance is never to time out a TCP connection.

Slow Start Algorithm

When enabled, the slow start algorithm increases TCP window size as ACK handshakes arrive so that new segments are injected into the network at the rate at which acknowledgements are returned by the host at the other end of the connection.

Select this check box to enable the slow start algorithm, and clear this check box to disable the slow start algorithm. This option is disabled by default.

SYN Segments with Data

Indicate how the ACE appliance is to handle TCP SYN segments that contain data:

Allow—Indicates that the ACE appliance is to permit SYN segments that contain data and mark them for processing.

Drop—Indicates that the ACE appliance is to discard SYN segments that contain data.

Urgent Pointer Policy

The Urgent control bit in the TCP header indicates that urgent data is to be processed as soon as possible, even before normal data. Indicate how the ACE appliance is to handle urgent data as identified by the Urgent control bit:

Allow—Indicates that the ACE appliance is to permit the status of the Urgent control bit.

Clear—Indicates that the ACE appliance is to set the Urgent control bit to 0 (zero) and thereby invalidate the Urgent Pointer which provides segment information.

TCP Window-Scale Factor

The TCP window scaling extension expands the definition of the TCP window to 32 bits and uses a scale factor to carry the 32-bit value in the 16-bit window of the TCP header. Increasing the window size improves TCP performance in network paths with large bandwidth, long-delay characteristics.

Enter the window scale factor in this field. Valid entries are integers from 0 to 14 (the maximum scale factor).

For more information on TCP window scaling, refer to RFC 1323.

Action for TCP Options Range

Indicate how the ACE appliance is to handle the TCP options (Selective ACK, Timestamps, TCP Window Scaling) by selecting one of the options:

N/A—Indicates that this option is not set.

Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.

Drop—Indicates that the ACE appliance is to discard any segment with the specified option set.

Lower TCP Options

Appears if you select Allow or Drop for the Action for TCP Options Range.

Enter the lower limit of the TCP option range. Valid entries are 6, 7, or an integer from 9 to 255. See Table 3-41 for information on TCP options.

Upper TCP Options

Appears if you select Allow or Drop for the Action for TCP Options Range.

Enter the upper limit of the TCP option range. Valid entries are 6, 7, or an integer from 9 to 255. See Table 3-41 for information on TCP options.

Selective ACK

Indicate how the ACE appliance is to handle the selective ACK option that is specified in SYN segments:

Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.

Clear—Indicates that the ACE appliance is to clear the specified option from any segment that has it set and allow the segment.

Timestamps

Indicate how the ACE appliance is to handle the timestamp option that is specified in SYN segments:

Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.

Clear—Indicates that the ACE appliance is to clear the specified option from any segment that has it set and allow the segment.

TCP Window Scale Factor

Indicate how the ACE appliance is to handle the TCP window scale factor option that is specified in SYN segments:

Allow—Indicates that the ACE appliance is to allow any segment with the specified option set.

Clear—Indicates that the ACE appliance is to clear the specified option from any segment that has it set and allow the segment.

Drop—Indicates that the ACE appliance is to discard any segment with the specified option set.


Table 3-41 TCP Options for Connection Parameter Maps (see footnote 1)

Kind  Length  Meaning
6     6       Echo (obsoleted by option 8)
7     6       Echo Reply (obsoleted by option 8)
9     2       Partial Order Connection Permitted
10    3       Partial Order Service Profile
11            CC
12            CC.NEW
13            CC.ECHO
14    3       TCP Alternate Checksum Request
15    N       TCP Alternate Checksum Data
16            Skeeter
17            Bubba
18    3       Trailer Checksum Option
19    18      MD5 Signature Option
20            SCPS Capabilities
21            Selective Negative Acknowledgements (SNACK)
22            Record Boundaries
23            Corruption Experienced
24            SNAP
25            Unassigned (released 12/18/2000)
26            TCP Compression Filter

1 For more information on TCP options, refer to the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.


Step 6 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without accepting your entries and to return to the Parameter Map table.

Next to accept your entries and to add another parameter map.
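The SYN-option fields in the connection parameter map above (Selective ACK, Timestamps, TCP Window Scale Factor, and the Action for TCP Options Range with its lower and upper limits) can be reasoned about with a small model. The following Python is an added example, not Cisco code: the class and function names are hypothetical, "Clear" is modelled as overwriting the option with NOP bytes, and options that no field covers are assumed to pass unchanged.

```python
from dataclasses import dataclass

# Well-known TCP option kinds (RFC 793, RFC 1323, RFC 2018).
EOL, NOP, MSS, WSCALE, SACK_PERMITTED, TIMESTAMPS = 0, 1, 2, 3, 4, 8


def valid_range_limit(kind: int) -> bool:
    """Lower/Upper TCP Options accept 6, 7, or an integer from 9 to 255."""
    return kind in (6, 7) or 9 <= kind <= 255


@dataclass
class SynOptionPolicy:
    """Hypothetical container for the option-related fields of the map."""
    selective_ack: str = "allow"   # allow | clear
    timestamps: str = "allow"      # allow | clear
    window_scale: str = "allow"    # allow | clear | drop
    range_action: str = "n/a"      # n/a | allow | drop
    lower: int = 6
    upper: int = 6

    def __post_init__(self):
        checks = (
            (self.selective_ack, ("allow", "clear")),
            (self.timestamps, ("allow", "clear")),
            (self.window_scale, ("allow", "clear", "drop")),
            (self.range_action, ("n/a", "allow", "drop")),
        )
        for value, allowed in checks:
            if value not in allowed:
                raise ValueError(f"{value!r} is not one of {allowed}")
        if self.range_action != "n/a":
            if not (valid_range_limit(self.lower) and valid_range_limit(self.upper)):
                raise ValueError("range limits must be 6, 7, or 9-255")
            if self.lower > self.upper:
                raise ValueError("lower limit exceeds upper limit")

    def action_for(self, kind: int) -> str:
        """Return the configured action for one option kind."""
        if kind == SACK_PERMITTED:
            return self.selective_ack
        if kind == TIMESTAMPS:
            return self.timestamps
        if kind == WSCALE:
            return self.window_scale
        if self.range_action != "n/a" and self.lower <= kind <= self.upper:
            return self.range_action
        return "allow"  # assumption: options no field covers pass unchanged


def parse_options(raw: bytes):
    """Return [(kind, offset, length)] for every option except NOP and EOL."""
    found, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:          # end of option list, the rest is padding
            break
        if kind == NOP:          # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option kind {kind} has no length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option kind {kind} has bad length {length}")
        found.append((kind, i, length))
        i += length
    return found


def apply_policy(raw: bytes, policy: SynOptionPolicy):
    """Return (verdict, option_bytes, kinds_acted_on) for one SYN segment."""
    buf, cleared = bytearray(raw), []
    for kind, offset, length in parse_options(raw):
        action = policy.action_for(kind)
        if action == "drop":
            return "drop", b"", [kind]
        if action == "clear":
            # Assumption: clearing keeps the header length and pads with NOPs.
            buf[offset:offset + length] = bytes([NOP]) * length
            cleared.append(kind)
    return "forward", bytes(buf), cleared


# Constructed sample: MSS 1460, SACK permitted, Timestamps, NOP, window scale 7.
SAMPLE_SYN = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
# Constructed sample: MSS 1460 plus an option of kind 19, length 18 (Table 3-41).
SAMPLE_MD5_SYN = bytes.fromhex("020405b4" "1312" + "00" * 16 + "0101")

if __name__ == "__main__":
    strict = SynOptionPolicy(selective_ack="clear", timestamps="clear",
                             range_action="drop", lower=9, upper=255)
    for name, sample in (("syn", SAMPLE_SYN), ("md5", SAMPLE_MD5_SYN)):
        verdict, out, kinds = apply_policy(sample, strict)
        print(name, verdict, out.hex(), kinds)
```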


Related Topics

Using Parameter Maps

Configuring HTTP Parameter Maps

Configuring Optimization Parameter Maps

Configuring Traffic Policies, page 7-1

Configuring Load Balancing

Configuring Virtual Contexts, page 2-4

Configuring HTTP Parameter Maps

Use this procedure to configure an HTTP parameter map for use with a Layer 3/Layer 4 policy map.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Parameter Map. The Parameter Map table appears.

Step 2 Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify it. The Parameter Maps configuration screen appears.

Step 3 In the Parameter Name field, enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 32 alphanumeric characters.

Step 4 In the Type field, select HTTP.

Step 5 Enter the information in Table 3-42.

Table 3-42 HTTP Parameter Map Attributes 

Field
Description

Case-insensitive

Select this check box to indicate that the ACE appliance is to be case insensitive. Clear this check box to indicate that the ACE appliance is to be case sensitive. This check box is cleared by default.

Exceed Max Parse Length

Indicate how the ACE appliance is to handle cookies, HTTP headers, and URLs that exceed the maximum parse length:

Continue—Indicates that the ACE appliance is to continue load balancing. When this option is selected, the HTTP Persistence Rebalance option is disabled if the total length of all cookies, HTTP headers, and URLs exceeds the maximum parse value.

Drop—Indicates that the ACE appliance is to stop load balancing and to discard the packet.

HTTP Persistence Rebalance

Select this check box to indicate that the ACE appliance is to:

Separately load balance each subsequent HTTP request on the same TCP connection.

Insert the header and cookie for every request instead of only the first request.

Clear this check box to indicate that this option is disabled.

This option is disabled by default.

TCP Server Connection Reuse

Select this check box to indicate that the ACE appliance is to reduce the number of open connections on a server by allowing connections to persist and be reused by multiple client connections. If you enable this feature:

Ensure that the ACE appliance maximum segment size (MSS) is the same as the server maximum segment size.

Configure port address translation (PAT) on the interface that is connected to the real server.

Configure on the ACE appliance the same TCP options that exist on the TCP server.

Ensure that each server farm is homogeneous (all real servers within a server farm have identical configurations).

Clear this check box to disable this option.

Content Max Parse Length

Enter the maximum number of bytes to parse in HTTP content. Valid entries are integers from 1 to 65535.

Header Max Parse Length

Enter the maximum number of bytes to parse for the total length of cookies, HTTP headers, and URLs. Valid entries are integers from 1 to 65535 with a default of 2048.

Secondary Cookie Delimiters

Enter the ASCII-character delimiters to be used to separate cookies in a URL string. Valid entries are unquoted text strings with no spaces and a maximum of 4 characters. The default delimiters are /&#+.

MIME Type to Compress

In the field on the left, enter the Multipurpose Internet Mail Extension (MIME) type to compress, then click Add. The MIME type appears in the column on the right. To remove or change a MIME type, select it in the column on the right, then click Remove. The selected MIME type appears in the field on the left where you can modify or delete it.

To specify the sequence in which compression is to be applied, select MIME types in the column on the right, then click Up or Down to arrange the MIME types.

Supported MIME Types lists the supported MIME types. You can use an asterisk (*) to indicate a wildcard, such as text/*, which would include all text MIME types (text/html, text/plain, and so on).

User Agent Not to Compress

A user agent is a client that initiates a request. Examples of user agents include browsers, editors, and other end-user tools. When you specify a user agent string in this field, the ACE appliance does not compress the response to a request when the request contains the matching user agent string.

In the field on the left, enter the user agent string to be matched, then click Add. The string appears in the column on the right. To remove or change a user agent string, select it in the column on the right, then click Remove. The selected string appears in the field on the left where you can modify or delete it.

To specify the sequence in which strings are to be matched, select strings in the column on the right, then click Up or Down to arrange the strings in the desired sequence.

Valid entries are 64 characters.

Minimum Size to Compress

Enter the threshold at which compression is to occur. The ACE appliance compresses files that are the minimum size or larger. Valid entries are integers from 1 to 4096 bytes.


Step 6 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without accepting your entries and to return to the Parameter Map table.

Next to accept your entries and to add another parameter map.


Related Topics

Using Parameter Maps

Configuring Connection Parameter Maps

Configuring Optimization Parameter Maps

Configuring Traffic Policies, page 7-1

Configuring Load Balancing

Configuring Virtual Contexts, page 2-4

Configuring Optimization Parameter Maps

Use this procedure to configure an Optimization parameter map for use with a Layer 3/Layer 4 policy map.

Refer to Configuring Application Acceleration and Optimization, page 8-1 or the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for more information about application acceleration and optimization.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Parameter Map. The Parameter Map table appears.

Step 2 Click Add to add a new parameter map, or select an existing parameter map, then click Edit to modify it. The Parameter Map configuration screen appears.

Step 3 In the Parameter Name field, enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 32 alphanumeric characters.

Step 4 In the Type field, select Optimization. The Optimization parameter map configuration attributes appear.

Step 5 Configure the Optimization parameter map using the information in Table 3-43.

Table 3-43 Optimization Parameter Map Attributes 

Field
Description

Set Browser Freshness Period

Select the method that the ACE appliance is to use to determine the freshness of objects in the client's browser:

N/A—Indicates that this option is not configured.

Set freshness similar to FlashForward objects—Indicates that the ACE appliance is to set freshness similar to that used for FlashForwarded objects and to use the values specified in the Maximum Time for Cache Time-to-Live and Minimum Time for Cache Time-to-Live fields.

Disable browser object freshness control—Indicates that browser freshness control is not to be used.

Duration for Browser Freshness (seconds)

Enter the number of seconds that objects in the client's browser are considered fresh. Valid entries are 0 to 2147483647 seconds.

Response Codes to Ignore

Enter a comma-separated list of HTTP response codes for which the response body must not be read. For example, an entry of 302 indicates that the ACE is to ignore the response body of a 302 (redirect) response from the origin server. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.

Appscope Optimize Rate (%)

Enter the percentage of all requests or sessions to be sampled for performance with acceleration (or optimization) applied. All applicable optimizations for the class will be performed. Valid entries are from 0 to 100 percent, with a default of 10 percent. The sum of this value and the value entered in the Appscope Passthrough Rate (%) field must not exceed 100.

Appscope Passthrough Rate (%)

Enter the percentage of all requests or sessions to be sampled for performance without optimization. No optimizations for the class will be performed. Valid entries are from 0 to 100, with a default of 100 percent. The sum of this value and the value entered in the Appscope Optimize Rate (%) field must not exceed 100.

Max Number for Parameter Summary Log (bytes)

Enter the maximum number of bytes that are to be logged for each parameter value in the parameter summary of a transaction log entry in the statistics log. If a parameter value exceeds this limit, it is truncated at the specified limit. Valid entries are 0 to 10,000 bytes.

Max for POST Data to Scan for Logging (kBytes)

Enter the maximum number of kilobytes of POST data the ACE appliance is to scan for parameters for the purpose of logging transaction parameters in the statistics log.

Valid entries are 0 to 1000 KB.

Specify String for Grouping Requests

Enter the string the ACE appliance is to use to sort requests for AppScope reporting. The string can contain a URL regular expression that defines a set of URLs in which URLs that differ only by their query parameters are to be treated as separate URLs in AppScope reports.

For example, to define a string that is used to identify the URLs http://server/catalog.asp?region=asia and http://server/catalog.asp?region=america as two separate reporting categories, you would enter http_query_param(region).

Valid entries contain 1 to 255 characters and can contain the parameter expander functions listed in Table 3-44.

Specify Base File Anonymous Level

Information that is common to a large set of users is generally not confidential or user-specific. Conversely, information that is unique to a specific user or a small set of users is generally confidential or user-specific. The anonymous base file feature enables the ACE appliance to create and deliver condensed base files that contain only information that is common to a large set of users. No information unique to a particular user, or across a very small subset of users, is included in anonymous base files.

Enter the value for base file anonymity for the all-user condensation method. Valid entries are integers from 0 to 50; the default value of 0 disables the base file anonymity feature.

Specify Cache-Key Modifier Expression

A cache object key is a unique identifier that is used to identify a cached object to be served to a client, replacing a trip to the origin server. The cache key modifier feature allows you to modify the canonical form of a URL; that is, the portion before "?" in a URL. For example, the canonical URL of "http://www.xyz.com/somepage.asp?action=browse&level=2" is "http://www.xyz.com/somepage.asp".

Enter a regular expression containing embedded variables as described in Table 3-44. The ACE appliance transforms URLs specified in class maps for this virtual server with the expression and variable entered here.

Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. If the string includes spaces, enclose the string with quotation marks (").

Maximum Time for Cache Time-to-Live (seconds)

Enter the maximum number of seconds that an object without an explicit expiration time should be considered fresh in the ACE appliance cache. Valid entries are 0 to 2147483647 seconds.

Minimum Time for Cache Time-to-Live (seconds)

Enter the minimum number of seconds that an object without an explicit expiration time should be considered fresh in the ACE appliance cache. This value specifies the minimum time that content can be cached. If the ACE appliance is configured for FlashForward optimization, this value should normally be 0. If the ACE appliance is configured for dynamic caching, this value should indicate how long the ACE appliance should cache the page. (See Table 3-16 for information about these configuration options.)

Valid entries are 0 to 2147483647 seconds.

Cache Time-to-Live Duration (%)

Enter the percent of an object's age at which an embedded object without an explicit expiration time is considered fresh.

Valid entries are 0 to 100 percent.

Expression to Modify Cache Key Query Parameter

The cache parameter feature allows you to modify the query parameter of a URL; that is, the portion after "?" in a URL. For example, the query parameter portion of "http://www.xyz.com/somepage.asp?action=browse&level=2" is "action=browse&level=2".

Enter a regular expression containing embedded variables as described in Table 3-44. The ACE appliance transforms URLs specified in class maps for this virtual server with the expression and variable entered here. If no string is specified, the query parameter portion of the URL is used as the default value for this portion of the cache key.

Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters.

Canonical URL Expressions

The ACE appliance uses the canonical URL feature to eliminate the "?" and any characters that follow to identify the general part of the URL. This general URL is then used to create the base file. In this way, the ACE appliance maps multiple URLs to a single canonical URL.

Enter a comma-separated list of parameter expander functions as defined in Table 3-44 to identify the URLs to associate with this parameter map.

Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters.

Enable Cacheable Content Optimization

This feature allows the ACE appliance to detect cacheable content and perform delta optimization on it.

Select the check box to enable delta optimization of cacheable content. Clear the check box to disable this feature.

Enable Delta Optimization on First Visit to Web Page

Select the check box to enable delta optimization on the first visit to a Web page. Clear the check box to disable this feature.

Minimum page size for delta optimization (bytes)

Enter the minimum page size, in bytes, that can have delta optimization applied. Valid entries are integers from 1 to 250000 bytes.

Maximum page size for delta optimization (bytes)

Enter the maximum page size, in bytes, that can have delta optimization applied. Valid entries are integers from 1 to 250000 bytes.

Set Default Client Script

Indicate the scripting language that the ACE appliance is to recognize on condensed content pages:

N/A—Indicates that this option is not configured.

Javascript—Indicates that the default scripting language is JavaScript.

Visual Basic Script—Indicates that the default scripting language is Visual Basic.

Exclude Iframes from Delta Optimization

Select the check box to indicate that delta optimization is not to be applied to IFrames (inline frames). Clear the check box to indicate that delta optimization is to be applied to IFrames.

Exclude Non-ASCII Data from Delta Optimization

Select the check box to indicate that delta optimization is not to be applied to non-ASCII data. Clear the check box to indicate that delta optimization is to be applied to non-ASCII data.

Exclude JavaScripts from Delta Optimization

Select the check box to indicate that delta optimization is not to be applied to JavaScript. Clear the check box to indicate that delta optimization is to be applied to JavaScript.

MIME Types to Exclude from Delta Optimization

1. In the first field, enter a comma-separated list of the MIME (Multipurpose Internet Mail Extension) type messages that are not to have delta optimization applied, such as image/Jpeg, text/html, application/msword, or audio/mpeg. See Supported MIME Types for a list of supported MIME types.

2. Click Add to add the entry to the list box on the right. You can position the entries in the list box by using the Up and Down buttons.

Remove HTML META Elements from Documents

Select the check box to indicate that HTML META elements are to be removed from documents to prevent them from being condensed. Clear the check box to indicate that HTML META elements are not to be removed from documents.

Set FlashForward Refresh Policy

Select the method the ACE appliance is to use to refresh stale embedded objects:

N/A—Indicates that this option is not configured.

Allow FlashForward to indirect refresh of objects—Indicates that the ACE appliance is to use FlashForward to indirectly refresh embedded objects.

Bypass FlashForward to direct refresh of objects—Indicates that the ACE appliance is to bypass FlashForward for stale embedded objects so that they are refreshed directly.

Rebase Delta Optimization Threshold (%)

Enter the delta threshold, expressed as a percent, when rebasing is to be triggered. This entry represents the size of a page delta relative to total page size, expressed as a percent. This entry triggers rebasing when the delta response size exceeds the threshold as a percentage of base file size.

Valid entries are 0 to 10000 percent.

Rebase FlashForward Threshold (%)

Enter the threshold, expressed as a percent, when rebasing is to be triggered based on the percent of FlashForwarded URLs in the response. This entry triggers rebasing when the difference between the percentages of FlashForwarded URLs in the delta response and the base file exceeds the threshold.

Valid entries are 0 to 10000 percent.

Rebase History Size (pages)

Enter the number of pages to be stored before the ACE appliance resets all rebase control parameters to zero and starts over. This option prevents the base file from becoming too rigid.

Valid entries are 10 to 2147483647.

Rebase Modify Cool-off Period (seconds)

Enter the number of seconds after the last modification before performing a rebase.

Valid entries are 1 to 14400 seconds (4 hours).

Rebase Reset Period (seconds)

Enter the period of time, in seconds, for performing a meta data refresh.

Valid entries are 1 to 900 seconds (15 minutes).

Override Client Request Headers

Indicate how the ACE appliance is to handle client request headers (primarily for embedded objects):

N/A—Indicates that this feature is not enabled.

All cache request headers are ignored—Indicates that all cache request headers are to be ignored.

Overrides the Cache-Control: no cache HTTP header from a request—Indicates that the ACE appliance is to ignore cache control request headers that state no cache.

Override Server Response Headers

Indicate how the ACE appliance is to handle origin server response headers (primarily for embedded objects):

N/A—Indicates that this feature is not enabled.

All cache response headers are ignored—Indicates that all response headers are to be ignored.

Overrides the Cache-Control: private HTTP header from a response—Indicates that the ACE appliance is to ignore cache control response headers that state private.

UTF-8 Character Set Threshold

The UTF-8 (8-bit Unicode Transformation Format) character set is an international standard that allows Web pages to display non-ASCII or non-English multibyte characters. It can represent any universal character in the Unicode standard and is backwards compatible with ASCII.

Enter the number of UTF-8 characters that need to appear on a page to constitute a UTF-8 character set page. Valid entries are integers from 1 to 1,000,000.

Server Load Threshold Trigger (%)

The server load threshold trigger indicates that the time-to-live (TTL) period for cached objects is to be based dynamically on server load. With this method, TTL periods increase if the current response time from the origin server is greater than the average response time and decrease if the current response time from the origin server is less than the average response time when the difference in response times exceeds a specified threshold amount.

Enter the threshold, expressed as a percent, at which the TTL for cached objects is to be changed.

Valid entries are from 0 to 100 percent.

Server Load Time-to-Live Change (%)

This option specifies the percentage by which the cache TTL is increased or decreased in response to a change in server load. For example, if this value is set to 20 and the current TTL for a response is 300 seconds, and if the current server response time exceeds the trigger threshold, the cache TTL for the response is raised to 360 seconds.

Enter the percent by which the cache TTL is to be increased or decreased when the server load threshold trigger is met.

Valid entries are from 0 to 100 percent.

Specify Delta Optimization Mode

Select the method by which delta optimization is to be implemented:

N/A—Indicates that a delta optimization mode is not configured.

Enable all user mode for delta optimization—Indicates that the ACE appliance is to generate the delta against a single base file that is shared by all users of the URL. This option is usable in most cases if the structure of a page is common across all users, and the disk space overhead is minimal.

Enable the per-user mode for delta optimization—Indicates that the ACE appliance is to generate the delta against a base file that is created specifically for that user. This option is useful when page contents, including layout elements, are different for each user, and delivers the highest level of condensation. However, this increases disk space requirements because a copy of the base page that is delivered to each user is cached. This option is useful when privacy is required because base pages are not shared among users.

String To Be Used for Server HTTP Header

Use this option to define a string that is to be sent in the server header for an HTTP response. This option provides you with a method for uniquely tagging the context or URL match statement by setting the server header value to a particular string. The server header string can be used when a particular URL is not being transmitted to the correct target context or match statement.

Enter the string that is to appear in the server header. Valid entries are quoted text strings with a maximum of 64 alphanumeric characters.


Table 3-44 lists the parameter expander functions that you can use.

Table 3-44 Parameter Expander Functions 

Variable
Description

$(number)

Expands to the corresponding matching subexpression (by number) in the URL pattern. Subexpressions are marked in a URL pattern using parentheses (). The numbering of the subexpressions begins with 1 and is the number of the left-parenthesis "(" counting from the left. You can specify any positive integer for the number. $(0) matches the entire URL. For example, if the URL pattern is ((http://server/.*)/(.*)/)a.jsp, and the URL that matches it is http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are correct:

$(0) = http://server/main/sub/a.jsp

$(1) = http://server/main/sub/

$(2) = http://server/main

$(3) = sub

If the specified subexpression does not exist in the URL pattern, then the variable expands to the empty string.

$http_query_string()

Expands to the value of the whole query string in the URL. For example, if the URL is http://myhost/dothis?param1=value1&param2=value2, then the following is correct:

$http_query_string() = param1=value1&param2=value2

This function applies to both GET and POST requests.

$http_query_param(query-param-name)


The obsolete syntax is also supported:

$param(query-param-name)

Expands to the value of the named query parameter (case-sensitive).

For example, if the URL is http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are correct:

$http_query_param(category) = shoes

$http_query_param(session) = 99999

If the specified parameter does not exist in the query, then the variable expands to the empty string. This function applies to both GET and POST requests.

$http_cookie(cookie-name)

Evaluates to the value of the named cookie. For example, $http_cookie(cookiexyz). The cookie name is case-sensitive.

$http_header(request-header-name)

Evaluates to the value of the specified HTTP request header. In the case of multivalued headers, it is the single representation as specified in the HTTP specification. For example, $http_header(user-agent). The HTTP header name is not case-sensitive.

$http_method()

Evaluates to the HTTP method used for the request, such as GET or POST.

Boolean Functions:

$http_query_param_present(query-param-name)

$http_query_param_notpresent(query-param-name)

$http_cookie_present(cookie-name)

$http_cookie_notpresent(cookie-name)

$http_header_present(request-header-name)

$http_header_notpresent(request-header-name)

$http_method_present(method-name)

$http_method_notpresent(method-name)

Evaluates to a Boolean value: True or False, depending on the presence or absence of the element in the request. The elements are a specific query parameter (query-param-name), a specific cookie (cookie-name), a specific request header (request-header-name), or a specific HTTP method (method-name). All identifiers are case-sensitive except for the HTTP request header name.

$regex_match(param1, param2)

Evaluates to a Boolean value: True if the two parameters match and False if they do not match. The two parameters can be any two expressions, including regular expressions, that evaluate to two strings. For example, this function:

$regex_match($http_query_param(URL), .*Store\.asp.*)

compares the query URL with the regular expression string .*Store\.asp.*

If the URL matches this regular expression, this function evaluates to True.


Step 6 Click:

Deploy Now to save your entries. The ACE appliance validates the parameter map configuration and deploys it.

Cancel to exit this procedure without accepting your entries and to return to the Parameter Map table.

Next to accept your entries and to add another parameter map.
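As an added illustration (not Cisco code and not part of the original guide), the following Python emulator evaluates the Table 3-44 expander functions against a request, so you can check what a template expands to, including for client-supplied query, cookie, and header values, before deploying a parameter map. It assumes Python `re` semantics for URL patterns and full-string matching for $regex_match; `Request`, `expand`, and the helper names are hypothetical.

```python
import re

CALL = re.compile(r"\$(\w*)\(")  # start of $(number) or $name(...)

class Request:
    """Constructed stand-in for the request the expander functions read."""
    def __init__(self, url, url_pattern, method="GET", headers=None, cookies=None):
        base, _, self.query = url.partition("?")
        # Assumption: no percent-decoding; a repeated parameter keeps its last value.
        self.params = dict(p.partition("=")[::2] for p in self.query.split("&") if p)
        # Assumption: the URL pattern is applied to the URL without its query string.
        self.match = re.fullmatch(url_pattern, base)
        self.method = method
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.cookies = dict(cookies or {})

def _close(text, start):  # index of the ')' closing the '(' just before text[start]
    depth = 1
    for i in range(start, len(text)):
        depth += (text[i] == "(") - (text[i] == ")")
        if depth == 0:
            return i
    raise ValueError("unbalanced parentheses in template")

def _call(name, arg, req):
    if name == "":  # $(number): numbered subexpression, "" when it does not exist
        n, m = int(arg), req.match
        return (m.group(n) or "") if m and n <= m.re.groups else ""
    if name == "regex_match":  # assumption: param2 must match all of param1
        left, pattern = arg.split(",", 1)
        return re.fullmatch(pattern.strip(), expand(left.strip(), req)) is not None
    stores = {"http_query_param": req.params, "param": req.params, "http_cookie": req.cookies,
              "http_header": req.headers, "http_method": {req.method: req.method}}
    key = arg.lower() if "header" in name else arg  # only header names fold case
    test = re.fullmatch(r"(\w+?)_(not)?present", name)
    if test:  # Boolean functions
        return (key in stores[test.group(1)]) != bool(test.group(2))
    if name in ("http_query_string", "http_method"):
        return req.query if name == "http_query_string" else req.method
    return stores[name].get(key, "")  # an unknown function name raises KeyError

def expand(template, req):
    """Expand each function call once; expanded values are never re-scanned."""
    out, pos = [], 0
    while (m := CALL.search(template, pos)):
        end = _close(template, m.end())
        out += [template[pos:m.start()], str(_call(m.group(1), template[m.end():end], req))]
        pos = end + 1
    return "".join(out) + template[pos:]
```

Build a `Request` from a URL and the URL pattern, then pass any template string to `expand`; Boolean functions come back as the text True or False.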


Related Topics

Using Parameter Maps

Configuring Traffic Policies, page 7-1

Configuring Load Balancing

Configuring Virtual Contexts, page 2-4

Supported MIME Types

The ACE appliance supports the following MIME types:

application/msexcel

application/mspowerpoint

application/msword

application/octet-stream

application/pdf

application/postscript

application/\x-gzip

application/\x-java-archive

application/\x-java-vm

application/\x-messenger

application/\zip

audio/*

audio/basic

audio/midi

audio/mpeg

audio/x-adpcm

audio/x-aiff

audio/x-ogg

audio/x-wav

image/*

image/gif

image/jpeg

image/png

image/tiff

image/x-3ds

image/x-bitmap

image/x-niff

image/x-portable-bitmap

image/x-portable-greymap

image/x-xpm

text/*

text/css

text/html

text/plain

text/richtext

text/sgml

text/xmcd

text/xml

video/*

video/flc

video/mpeg

video/quicktime

video/sgi

video/x-fli

Viewing All Parameter Maps by Context

Use this procedure to view all parameter maps associated with a virtual context.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the virtual context with the parameter maps you want to view, then select Load Balancing > Parameter Map. The Parameter Map table appears listing each parameter map and its type (either connection, HTTP, or optimization).


Related Topics

Configuring Connection Parameter Maps

Using Parameter Maps

Configuring Secure KAL-AP

The keepalive-appliance protocol (KAL-AP) on the ACE allows communication between the ACE and the Global Site Selector (GSS), which sends KAL-AP requests, to report the server states and loads for global server load-balancing (GSLB) decisions. The ACE uses KAL-AP through a UDP connection to calculate weights and provide server availability information to the KAL-AP device. The ACE acts as a server and listens for KAL-AP requests. When KAL-AP is initialized on the ACE, the ACE listens on the standard port 5002 for any KAL-AP requests. You cannot configure any other port.

The ACE appliance supports secure KAL-AP for MD5 encryption of data between it and the GSS. For encryption, you must configure a shared secret as a key for authentication between the GSS and the ACE appliance context.

Use this procedure to configure secure KAL-AP associated with a virtual context.

Assumptions

You have created a virtual context that specifies the Keepalive Appliance Protocol over UDP.

You have enabled KAL-AP on the ACE by configuring a management class map and policy map and applying them to the appropriate interface.

Procedure


Step 1 Select Config > Virtual Contexts > context > Load Balancing > Secure KAL-AP. The Secure KAL-AP table appears.

Step 2 Click Add to configure secure KAL-AP for MD5 encryption of data. The Secure KAL-AP configuration screen appears.

Step 3 In the IP Address field, enable secure KAL-AP by configuring the VIP address for the GSS. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

Step 4 In the Hash Key field, enter the shared secret for the MD5 encryption method used between the KAL-AP device and the ACE appliance. Enter the shared secret as a case-sensitive string with no spaces and a maximum of 31 alphanumeric characters.

Step 5 Click:

Deploy Now to save your entries. The ACE appliance validates the secure KAL-AP configuration and deploys it.

Cancel to exit this procedure without accepting your entries and to return to the Secure KAL-AP table.

Next to accept your entries.


Related Topics

Creating Virtual Contexts, page 2-2

Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 7-17