Cisco CSS and ISA 2004 Problem

 
 
Jack Daniels
      05-28-2008
Hi everyone,

I'm looking for some advice on a problem I have with a Cisco CSS and an
ISA 2004 server. The CSS is load balancing a web farm, but one of the
servers is always getting hit, and it's not the same one. After some
investigation we traced it back to the ISA and the VPN users that are
accessing the website.

The CSS seems to see the ISA server as one connection and as a result
whatever server it gets connected to by the CSS then gets the full
load of all the VPN clients users.

So my question is: can I get the CSS to see this as not just one client
connecting but many, so that it balances the load, or somehow just
split the load so that one web server is not always killed?

Any advice is welcome.

Jack
 
Paul Matthews
      05-29-2008
Jack Daniels wrote:
>The CSS seems to see the ISA server as one connection and as a result
>whatever server it gets connected to by the CSS then gets the full
>load of all the VPN clients users.


Info on your config on the CSS would help.

I presume the ISA is translating so all users appear to have the same source
address? Do you have sticky configured on the CSS? If you have sticky set by
source address, it is behaving exactly as it should. You could try other
options for sticky, or even remove it entirely if the application does not need
it.

P.
--
Paul Matthews CCIE #4063
Please post questions to the NG, NOT by e-mail.
 
Jack Daniels
      05-29-2008
All traffic is being translated by the ISA server, so the CSS sees it as
one IP connecting and one connection.


!*************************** CIRCUIT **************************
circuit vlan1
  ip address 10.10.10.5 255.255.255.0
    no redirects

!*************************** SERVICE **************************
service 1
  ip address 10.10.10.2
  active

service 2
  ip address 10.10.10.3
  active

service 3
  ip address 10.10.10.4
  active

!*************************** OWNER ****************************
owner cisco_systems
  content One-Arm-rule
    vip address 10.10.10.6
    add service 1
    add service 2
    add service 3
    active

!*************************** GROUP ****************************
group Servers
  vip address 10.10.10.6
  add destination service 1
  add destination service 2
  add destination service 3
  active
 
Paul Matthews
      05-29-2008
Jack Daniels wrote:

>!*************************** OWNER ****************************
> owner cisco_systems
> content One-Arm-rule
> vip address 10.10.10.6
> add service 1
> add service 2
> add service 3
> active
>!*************************** GROUP


This may need a little trial and error.

The options to look at are:

balance roundrobin
balance aca

Under the content rule. Basically RR says as you would expect, ACA watches
response times and passes more load to quicker responding servers.

The sticky is set by the advanced balance command. Options are:

sip-call-id
wap-msisdn
arrowpoint-cookie
sticky-srcip
sticky-srcip-dstport
cookies
url
cookieurl
ssl
none

Of those, I would suggest trying cookies first. Some are obviously irrelevant -
sip-call-id, wap-msisdn and ssl. Others will be ineffective.

Another thing to check - is there any possibility that the servers in the farm
are redirecting directly to themselves?

P.
--
Paul Matthews CCIE #4063
Please post questions to the NG, NOT by e-mail.
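
The behaviour discussed in this thread, as an added example that is not part of any post: a toy Python model (not CSS code) of three real servers behind one VIP, with every VPN user arriving from the single address the ISA translates them to. The NAT address `192.0.2.10`, the cookie values, and the names `by_src_ip` and `by_cookie` are constructed for illustration; they stand in for stickiness keyed on source IP versus a per-user cookie.

```python
import itertools

SERVERS = ["10.10.10.2", "10.10.10.3", "10.10.10.4"]  # services 1-3 from the posted config
ISA_NAT_IP = "192.0.2.10"  # constructed: the one source address the balancer sees


def by_src_ip(request):
    """Sticky key: source address only (every NATed user collapses to one key)."""
    return request["src_ip"]


def by_cookie(request):
    """Sticky key: a per-user cookie, which survives the address translation."""
    return request["cookie"]


class Balancer:
    """Round-robin server selection with an optional sticky table in front of it."""

    def __init__(self, sticky_key=None):
        self.sticky_key = sticky_key   # function(request) -> key, or None for no stickiness
        self.sticky_table = {}         # sticky key -> server chosen on first sight
        self.rr = itertools.cycle(SERVERS)

    def pick(self, request):
        if self.sticky_key is None:
            return next(self.rr)
        key = self.sticky_key(request)
        if key not in self.sticky_table:
            self.sticky_table[key] = next(self.rr)
        return self.sticky_table[key]


def simulate(sticky_key, users=20, requests_per_user=9):
    """Return (requests per server, whether every user stayed on one server)."""
    lb = Balancer(sticky_key)
    load = {s: 0 for s in SERVERS}
    seen = {u: set() for u in range(users)}
    for _ in range(requests_per_user):
        for u in range(users):
            server = lb.pick({"src_ip": ISA_NAT_IP, "cookie": f"session-{u}"})
            load[server] += 1
            seen[u].add(server)
    return load, all(len(s) == 1 for s in seen.values())


if __name__ == "__main__":
    for name, key in [("source IP", by_src_ip), ("none", None), ("cookie", by_cookie)]:
        print(name, *simulate(key))
```

With source-IP stickiness one server takes all 180 requests; with no stickiness the load is even but a user's requests wander between servers; with a cookie key the load is spread and each user stays on one server.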
 