Cisco CSS and ISA 2004 Problem

Discussion in 'Cisco' started by Jack Daniels, May 28, 2008.

  1. Jack Daniels

    Jack Daniels Guest

    Hi everyone,

    I'm looking for some advice on a problem I have with a Cisco CSS and an
    ISA 2004 server. The CSS is load balancing a web farm, but one of the
    servers is always getting hit, and it's not the same one. After some
    investigation we traced it back to the ISA and the VPN users that are
    accessing the website.

    The CSS seems to see the ISA server as one connection and as a result
    whatever server it gets connected to by the CSS then gets the full
    load of all the VPN clients users.

    So my question is: can I get the CSS to see this as not just one client
    connecting but many, so that it balances the load, or somehow just
    split the load so that one web server is not always killed?

    Any advice is welcome.

    Jack
    Jack Daniels, May 28, 2008
    #1

  2. Jack Daniels wrote:
    >The CSS seems to see the ISA server as one connection and as a result
    >whatever server it gets connected to by the CSS then gets the full
    >load of all the VPN clients users.


    Info on your config on the CSS would help.

    I presume the ISA is translating so all users appear to have the same source
    address? Do you have sticky configured on the CSS? If you have sticky set by
    source address, it is behaving exactly as it should. You could try other
    options for sticky, or even remove it entirely if the application does not need
    it.

    P.
    --
    Paul Matthews CCIE #4063
    Please post questions to the NG, NOT by e-mail.
    Paul Matthews, May 29, 2008
    #2

  3. Jack Daniels

    Jack Daniels Guest

    All traffic is being translated by the ISA server so the CSS sees it as
    one IP connecting and one connection.


    !*************************** CIRCUIT **************************
    circuit vlan1
      ip address 10.10.10.5 255.255.255.0
        no redirects
    !*************************** SERVICE **************************
    service 1
      ip address 10.10.10.2
      active
    service 2
      ip address 10.10.10.3
      active
    service 3
      ip address 10.10.10.4
      active
    !*************************** OWNER ****************************
    owner cisco_systems
      content One-Arm-rule
        vip address 10.10.10.6
        add service 1
        add service 2
        add service 3
        active
    !*************************** GROUP ****************************
    group Servers
      vip address 10.10.10.6
      add destination service 1
      add destination service 2
      add destination service 3
      active
    Jack Daniels, May 29, 2008
    #3
  5. Jack Daniels wrote:

    >!*************************** OWNER
    >****************************
    > owner cisco_systems
    > content One-Arm-rule
    > vip address 10.10.10.6
    > add service 1
    > add service 2
    > add service 3
    > active
    >!*************************** GROUP


    This may need a little trial and error

    The options to look at are:

    balance roundrobin
    balance aca

    Under the content rule. Basically RR says as you would expect, ACA watches
    response times and passes more load to quicker responding servers.

    The sticky is set by the advanced balance command. Options are:

    sip-call-id
    wap-msisdn
    arrowpoint-cookie
    sticky-srcip
    sticky-srcip-dstport
    cookies
    url
    cookieurl
    ssl
    none

    Of those, I would suggest trying cookies first. Some are obviously irrelevant -
    sip-call-id, wap-msisdn and ssl. Others will be ineffective.

    Another thing to check - is there any possibility that the servers in the farm
    are redirecting directly to themselves?

    P.
    --
    Paul Matthews CCIE #4063
    Please post questions to the NG, NOT by e-mail.
    Paul Matthews, May 29, 2008
    #5
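
Added illustration, not part of the thread: a simplified Python model (not the CSS implementation) of the behaviour discussed above. It shows how keying stickiness on source address sends every client behind the translating ISA to one server, while a per-client cookie key or no stickiness spreads the load. The NAT address, user count and session cookie names are constructed; the mode labels are borrowed from the option list in the post above.

```python
# Added illustration (not from the thread): a simplified model of sticky
# load balancing, not the CSS implementation.
from collections import Counter
from itertools import cycle

SERVERS = ["10.10.10.2", "10.10.10.3", "10.10.10.4"]  # services 1-3 in the posted config
NAT_IP = "192.0.2.10"                # constructed: the one source address the ISA presents
USERS, REQUESTS_PER_USER = 30, 10    # constructed VPN workload

# How each mode derives the sticky key; None means no stickiness at all.
STICKY_KEYS = {
    "sticky-srcip": lambda req: req["src_ip"],
    "cookies": lambda req: req["cookie"],
    "none": None,
}

class Balancer:
    def __init__(self, servers, key_fn):
        self._next = cycle(servers)   # round-robin choice for new keys
        self._key_fn = key_fn
        self._table = {}              # sticky table: key -> server

    def route(self, req):
        if self._key_fn is None:
            return next(self._next)
        key = self._key_fn(req)
        if key not in self._table:
            self._table[key] = next(self._next)
        return self._table[key]

def simulate(mode):
    """Return hits per server for the constructed workload under one mode."""
    lb = Balancer(SERVERS, STICKY_KEYS[mode])
    hits = Counter()
    for _ in range(REQUESTS_PER_USER):
        for user in range(USERS):
            # Every VPN user arrives from the same translated address.
            req = {"src_ip": NAT_IP, "cookie": f"session-{user}"}
            hits[lb.route(req)] += 1
    return hits

if __name__ == "__main__":
    for mode in STICKY_KEYS:
        print(f"{mode:13} {dict(simulate(mode))}")
```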