ddesmidt

Forum Replies Created

Viewing 15 posts - 1 through 15 (of 79 total)
    in reply to: HA active-active #874
    ddesmidt
    Member

    Hi Dannel,

    That’s indeed also possible with the LSN implementation.
    And the configuration is the very same as what you did on your SLB active-active deployment.
    You simply configure:
    . HA with preempt
    . 2 HA groups with different priorities => AX1 is active on 1 group and standby on the other group
    . 2 HA Floating VIP => each device receives the traffic it’s supposed to receive

    I attached a config sample as example.
    Dimitri

    in reply to: Health Monitoring #819
    ddesmidt
    Member

    The Virtual ADC is focused on the A10 Networks AX solution. Other products are not covered under that portal.

    Please forward your request to A10 Networks support:
    http://www.a10networks.com/support/index.php

    Regards

    in reply to: Disaster Recovery configuration example for GSLB #425
    ddesmidt
    Member

    Hi Dannel,

    For disaster recovery, you want everybody sent to “the primary datacenter” when this one is UP.
    The “backup datacenter” will be used only if the:
    . datacenter is down (lost Internet access for instance)
    . or all the servers/applications are down in the datacenter (so VIP is down in the datacenter)

    For that the easiest option is to use:
    . “admin-preference” under the GSLB site (with a higher preference for the primary site)
    . “admin preference” under the GSLB policy (=> the site VIP with higher preference is always replied – as long as UP of course)

    Here is attached a CLI configuration example.

    Thanks,
    Dimitri

    in reply to: Connection Reuse #422
    ddesmidt
    Member

    Hi,

    The AX5200-11 is definitely more powerful than the AX3000.
    So with the same configuration/load, you should expect a significant AX CPU load drop from AX3000 to AX5200-11.
    If that’s not what you find, I strongly suggest you open an A10 support ticket => A10 can follow that closely with you.

    Otherwise about your question: “keep-alive value”.
    I guess you’re talking about HTTP keep-alive on web servers. In other words, the ability for the client to send other HTTP requests in the same TCP session after the server has replied to the previous request.

    Apache default settings (httpd.apache.org/docs/2.1/mod/core.htm):
    . KeepAlive = ON
    . KeepAliveTimeout = 5 seconds (close the TCP connection if no following request arrives in the next 5 seconds). If your server has enough memory, this setting is usually pushed up to avoid too many TCP close/open from end-users.
    . MaxKeepAliveRequests = 100 (after 100 consecutive requests/replies in a TCP session, Apache will close it). This setting is usually pushed far up (10k) when you have a lot of traffic, for server performance.

    IIS default settings (http://www.dotnetscraps.com/dotnetscraps/post/D…ive-in-IIS-7-75.aspx)
    . KeepAlive = ON
    . Note: There is the ability to configure “advanced options” like on Apache, but not in a simple manner. I’ll let you contact Microsoft if you want to tweak IIS.

    Dimitri
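To see what those keep-alive settings do on the wire, here is an added example (mine, not part of Dimitri's reply and not an A10 tool): a small Python probe that sends several GET requests over one TCP connection and counts how many are answered before the server closes it. Against a real Apache the count is bounded by MaxKeepAliveRequests, and a pause between requests longer than KeepAliveTimeout ends the connection after the first reply. The two embedded HTTP/1.1 and HTTP/1.0 servers are constructed for the demo only; the loopback host, port choice and request path are assumptions.

```python
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class DemoHandler(BaseHTTPRequestHandler):
    """Tiny origin server used only for the demo (constructed, not a real backend)."""
    body = b"ok\n"

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(self.body)))  # required for keep-alive
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):      # keep the demo quiet
        pass


class Http11Handler(DemoHandler):
    protocol_version = "HTTP/1.1"      # persistent connections by default


class Http10Handler(DemoHandler):
    protocol_version = "HTTP/1.0"      # one request per TCP connection


def start_server(handler):
    """Start a server on an ephemeral loopback port; the caller shuts it down."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def read_response(sock):
    """Read one HTTP response; returns (headers, body) or None if the server hung up."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    headers = head.decode("iso-8859-1")
    length = 0
    for line in headers.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            length = int(value.strip())
    while len(body) < length:          # drain the body so the next response starts clean
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return headers, body[:length]


def probe_keepalive(host, port, attempts=5, pause=0.0, timeout=5.0):
    """Send `attempts` GETs over ONE TCP connection, sleeping `pause` seconds between them.
    Returns how many were answered before the server closed the connection or sent
    Connection: close. On Apache this is bounded by MaxKeepAliveRequests, and a `pause`
    longer than KeepAliveTimeout stops it at 1."""
    answered = 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for i in range(attempts):
            if i and pause:
                time.sleep(pause)
            request = (f"GET /probe/{i} HTTP/1.1\r\n"
                       f"Host: {host}:{port}\r\n"
                       "Connection: keep-alive\r\n\r\n").encode()
            try:
                sock.sendall(request)
                response = read_response(sock)
            except OSError:                # reset / EPIPE after the server hung up
                break
            if response is None:
                break
            answered += 1
            if "connection: close" in response[0].lower():
                break
    return answered


if __name__ == "__main__":
    for handler in (Http11Handler, Http10Handler):
        srv = start_server(handler)
        n = probe_keepalive("127.0.0.1", srv.server_address[1], attempts=5)
        print(f"{handler.protocol_version} server answered {n} of 5 requests on one connection")
        srv.shutdown()
        srv.server_close()
```

Point the probe at a real VIP or backend (with a `pause` of a few seconds) to measure the effective keep-alive timeout and request cap the load balancer actually sees, rather than trusting the configured values.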

    in reply to: Health Monitor – SASP, SOAP, WMI and RPC #747
    ddesmidt
    Member

    aFleX can do advanced actions based on user traffic and/or server response.
    But aFleX does not generate traffic on its own, like a healthcheck.

    For that, AX offers built-in healthchecks (called health monitors and available under Config > Service > Health Monitor): ICMP, TCP, UDP, HTTP, HTTPS, FTP, SMTP, POP3, SNMP, DNS, Radius, LDAP, RTSP, SIP, NTP, IMAP, Database.
    And if you have an application that is not part of this built-in list, AX offers scriptable healthchecks. The 4 script languages supported are: python, shell, tcl and perl.
    You can find examples in our AX Configuration Guide.

    Technical Note: In addition to knowing how to program in the script language, you have to know very well how the application protocol works to create the script. Indeed through the script, you’ll say exactly what AX has to send and what AX has to expect.
    Some customers may find that too complex. Another option can be to request A10 Networks via a “feature request” to build a built-in healthcheck => simple interface to do the application healthcheck. Customers contact their A10 Sales rep to submit feature requests.

    Thanks,
    Dimitri

    in reply to: Running Axdebug in a partition #416
    ddesmidt
    Member

    That’s correct. Inside a partition you can’t see traffic from other partitions.

    Dimitri

    in reply to: log message Question #412
    ddesmidt
    Member

    Imish is our routing module.
    According to dev, that error is supposed to be inert and is suppressed in the latest 2.6.1 code.
    What version are you on?

    Also I recommend you open a ticket with A10 Support => they can track it with you.
    Thanks,
    Dimitri

    in reply to: AX working with VMWare ‘View’ #864
    ddesmidt
    Member

    I haven’t personally tested it, but AX has the functionalities required to load balance VMware View.

    There are multiple ways to configure VMView.

    Case1:
    VMView not using PCoIP (use SSL) + AX configured with no SSL Offload (end-to-end SSL)

    On VMware Manager servers:
    . Keep default “Require SSL for client connections”
    . Configure external URL with “https://vmview.example.com” (with “vmview.example.com” = AX-VIP)
    . Uncheck “direct connection to desktop”

    On AX:
    . VIP x.x.x.x
    . port 443 type https
    – Service Group with “View_Managers_servers:443”
    – Create aFleX for persistence based on the cookie JSESSIONID (see http://www.a10networks.com/vadc/index.php/forums/topic/aflex-for-individual-server-cookie-persist/)
    – Client-SSL-Template with your certificate for “https://vmview.example.com”
    – Server-SSL-Template with default

    Case2:
    VMView not using PCoIP (use SSL) + AX configured with SSL Offload (SSL up to AX only)

    On VMware Manager servers:
    . Uncheck default “Require SSL for client connections” (under View Manager Administrator tool – View Configuration – Global Settings – Edit)
    . Configure external URL with “https://vmview.example.com” (with “vmview.example.com” = AX-VIP)
    . Uncheck “direct connection to desktop”
    . Restart the View Connection Server service (as explained in the http://www.vmware.com/pdf/view-46-administration.pdf)

    On AX:
    . VIP x.x.x.x
    . port 443 type https
    – Service Group with “View_Managers_servers:80”
    – Create aFleX for persistence based on the cookie JSESSIONID (see http://www.a10networks.com/vadc/index.php/forums/topic/aflex-for-individual-server-cookie-persist/)
    – Client-SSL-Template with your certificate for “https://vmview.example.com”
    – No Server-SSL-Template

    Case3:
    VMView using PCoIP + AX configured with no SSL Offload (end-to-end SSL).
    In that case only authentication/authorization/accounting packets are received and load balanced by AX to VMView Managers servers. Then clients access directly their desktops.

    On VMware Manager servers:
    . Keep default “Require SSL for client connections”
    . Configure external URL with “https://vmview.example.com” (with “vmview.example.com” = AX-VIP)
    . Check “direct connection to desktop”

    On AX:
    . VIP x.x.x.x
    . port 443 type https
    – Service Group with “View_Managers_servers:443”
    – Create aFleX for persistence based on the cookie JSESSIONID (see http://www.a10networks.com/vadc/index.php/forums/topic/aflex-for-individual-server-cookie-persist/)
    – Client-SSL-Template with your certificate for “https://vmview.example.com”
    – Server-SSL-Template with default

    Case4:
    VMView using PCoIP + AX configured with SSL Offload (SSL up to AX only).
    In that case only authentication/authorization/accounting packets are received and load balanced by AX to VMView Managers servers. Then clients access directly their desktops.

    On VMware Manager servers:
    . Uncheck default “Require SSL for client connections” (under View Manager Administrator tool – View Configuration – Global Settings – Edit)
    . Configure external URL with “https://vmview.example.com” (with “vmview.example.com” = AX-VIP)
    . Check “direct connection to desktop”
    . Restart the View Connection Server service (as explained in the http://www.vmware.com/pdf/view-46-administration.pdf)

    On AX:
    . VIP x.x.x.x
    . port 443 type https
    – Service Group with “View_Managers_servers:80”
    – Create aFleX for persistence based on the cookie JSESSIONID (see http://www.a10networks.com/vadc/index.php/forums/topic/aflex-for-individual-server-cookie-persist/)
    – Client-SSL-Template with your certificate for “https://vmview.example.com”
    – No Server-SSL-Template

    If you plan to test it yourself, come back to us with the results :-)

    in reply to: ACL based on L2 or L3 headers #721
    ddesmidt
    Member

    Hi Daniel,

    We can use aFleX to do actions based on the IP protocol with the aFleX command “IP::protocol”.
    For instance:

    Code:

    when CLIENT_ACCEPTED {
        # IP::protocol is the IP protocol number (6 = TCP, 17 = UDP, 1 = ICMP, ...)
        if { [IP::protocol] == 6 } {
            pool tcp_pool
        } else {
            pool slow_pool
        }
    }


    We don’t have the ability today to look at layer 2 (MAC addresses).
    If that’s something important for you, I do recommend you escalate that with your A10 Networks Sales and I’m sure our Engineering can get it delivered fast to you.

    Dimitri

    in reply to: Node Failover #405
    ddesmidt
    Member

    Hi,

    Under Service Group (where you define your pool of servers) you can assign a priority to each server.
    Let’s say you have 2 servers: S1 + S2.
    And let’s say you configure a priority of S1=2 and S2=1.
    As long as S1 is up, all clients will use S1.
    If S1 is detected down, S2 will be used.
    If S1 comes back, S1 will be used again for new client connections.

    FYI you can do some other pretty cool stuff with priority.
    For instance you may want to use “master” servers and only another group of “backup” servers if the number of servers in the master pool is below a specific threshold.
    I’ll let you see our manual for more information and cool stuff around “priority”.

    Dimitri

    in reply to: exchange 2010 aflex #725
    ddesmidt
    Member

    Hi Bruno,

    I tested your aFleX quickly.
    Works pretty well.

    I’ve just changed a couple of things:
    . Since 2.6.1, you don’t need to do the “persist add uie” in the response side. If in the request side you hit a “persist uie” and there is no entry, aFleX will automatically create the entry for you in the response.
    . I think you want to add “owa” only if the request is “/”

    Here is the aFleX I tested:

    Code:

    when HTTP_REQUEST {
        # Route the Exchange 2010 CAS services by URI. "cookie" flags the services that
        # use cookie persistence; the others use source-IP (uie) persistence.
        switch -glob [string tolower [HTTP::uri]] {
            "/ews*" { set cookie 1 ; pool CAS-80 ; return }
            "/rpc*" { persist uie [IP::client_addr] ; pool CAS-80 ; return }
            "/microsoft-server-activesync*" { persist uie [IP::client_addr] ; pool CAS-80 ; return }
            "/owa*" { set cookie 1 ; pool CAS-80 ; return }
            "/oab*" { persist uie [IP::client_addr] ; pool CAS-80 ; return }
            "/public*" { persist uie [IP::client_addr] ; pool CAS-80 ; return }
            "/rpcwithcert*" { persist uie [IP::client_addr] ; pool CAS-80 ; return }
            "/autodiscover*" { persist uie [IP::client_addr] ; pool CAS-80 ; return }
            "/powershell*" { persist uie [IP::client_addr] ; pool CAS-80 ; return }
        }
        # A request for "/" only is rewritten to "/owa/" before being sent to the CAS pool
        if { [HTTP::uri] equals "/" } {
            HTTP::uri /owa[HTTP::uri]
            set cookie 1
            pool CAS-80
        }
    }

    in reply to: Backup AX from script? #870
    ddesmidt
    Member

    FYI this will be fixed in the 2.6.1-P2.
    Note: I validated it in our 2.6.1-P2 candidate.

    Dimitri

    in reply to: Backup AX from script? #868
    ddesmidt
    Member

    Hello,

    That’s actually a bug that has been recently found by QA in our new 2.6.1 “backup periodically” feature.
    I’m sure it will be fixed soon.
    You can also open an A10 support bug to track it.

    Thanks and sorry for the inconvenience,
    Dimitri

    in reply to: Need assistance in creating a healthcheck #717
    ddesmidt
    Member

    aFleX is very powerful and flexible.
    But aFleX applies to production client traffic and server responses only.
    aFleX doesn’t generate traffic of its own (like a health check).

    Now about the healthchecks AX offers:
    . health monitor templates with many protocols supported (ftp, ldap, snmp, http, https, etc.)
    . health monitor scripts for even more flexibility (with perl, shell, tcl and python)

    You can do https healthchecks with both solutions, but unfortunately not with client certificates.
    I’ll let you create a feature request.

    Thanks,
    Dimitri

    in reply to: How to limit DHCP Discover #711
    ddesmidt
    Member

    Let’s go over your 2 problems:

    1. aFleX running only on the first packet of the UDP session
    The aFleX event you selected is: “when CLIENT_ACCEPTED”.
    This event triggers only once the session has been established. On TCP that’s after the SYN-SYN/ACK-ACK. On UDP that’s after the first UDP packet received.
    The event that triggers after each UDP packet is “when CLIENT_DATA”.

    2. Cannot insert an entry in an array
    Actually you inserted the entry in your array.
    The issue was with the display of the entry.
    Use instead: log “time is $::user_time($mac)”

    Anyway, here is the whole aFleX you need (this time working on DHCP discover packets):

    Code:

    when RULE_INIT {
        set ::maxquery 100       ;# max DHCP discovers per client MAC per second
        set ::holdtime 600       ;# seconds a client MAC stays in the blacklist
        set ::maxarraysize 400   ;# clean up the per-second tables once they grow past this
        # the user_freq table contains "client_mac" + "how many req in the last second"
        array set ::user_freq { }
        # the user_time table contains "client_mac" + "when the req has been done"
        array set ::user_time { }
        # the blacklist table contains "client_mac" + "time when client entered in the blacklist"
        array set ::blacklist { }
    }

    when CLIENT_DATA {

        # Get the MAC address of the user sending the DHCP request (chaddr = 6 bytes at
        # offset 28 of the BOOTP header, read as 12 hex digits) and the time of the request
        binary scan [UDP::payload 28 6] H12 mac
        set currtime [clock seconds]
        log "mac = $mac at time = $currtime"

        # Clear up user_time + user_freq entries older than 1 second when the table is bigger than ::maxarraysize
        if { [array size ::user_time] > $::maxarraysize } {
            log "Clear up user_time + user_freq table"
            foreach {client time} [array get ::user_time] {
                if { $time < $currtime } {
                    unset ::user_time($client)
                    unset ::user_freq($client)
                    log "Client $client removed from the user_time + user_freq"
                }
            }
        }

        # Check if the client_mac is in the blacklist
        if { [info exists ::blacklist($mac)] } {
            # Check if the client_mac has been in the blacklist for less than $::holdtime
            if { $currtime - $::blacklist($mac) < $::holdtime } {
                # Drop the client_mac that is in the blacklist for less than $::holdtime
                # ("return" so the rest of the event does not run for a dropped packet)
                log "Client $mac in the blacklist for less than $::holdtime => drop"
                drop
                return
            } else {
                # Remove the client_mac from the blacklist since it was there for more than $::holdtime
                log "Client $mac removed from the blacklist"
                unset ::blacklist($mac)
            }
        }

        # Test if the client_mac already sent queries and if so in the same second
        if { [info exists ::user_time($mac)] and $currtime == $::user_time($mac) } {
            # Increment the number of requests the client_mac did in the same second
            incr ::user_freq($mac)
            log "Client $mac sent multiple requests in the same second. Now = $::user_freq($mac)"
            # Test if the client_mac sent more than the max authorized queries (::maxquery)
            if { $::user_freq($mac) > $::maxquery } {
                # Create a blacklist entry for the client_mac, drop its request and remove the client_mac from user_time + user_freq
                set ::blacklist($mac) $currtime
                unset ::user_freq($mac)
                unset ::user_time($mac)
                log "Add client $mac in blacklist because it sent more than $::maxquery requests that second + drop"
                drop
                return
            }

        # The client_mac never sent a query recently (not in user_time) or not in the same second
        } else {
            # Create/Update entry in user_time + user_freq for client_mac
            set ::user_freq($mac) 1
            set ::user_time($mac) $currtime
            log "Creation/Update user_freq + user_time for the client $mac at $currtime"
        }
    }
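The same per-MAC rate-limiting logic in Python, as an added example (mine, not Dimitri's aFleX and not an A10 feature): it reads the client hardware address at the same BOOTP offset (28) the aFleX uses, keeps the same three tables (per-second counter, per-second timestamp, blacklist with hold time) and takes an injectable clock so the thresholds can be exercised offline without waiting 600 seconds. The DHCPDISCOVER payloads are constructed for the demo; the MAC addresses and the limits are assumptions chosen to mirror the aFleX values.

```python
import struct
import time

MAXQUERY = 100       # discovers allowed per client MAC per second (the aFleX ::maxquery)
HOLDTIME = 600       # seconds a MAC stays blacklisted (the aFleX ::holdtime)
MAXARRAYSIZE = 400   # purge the per-second tables once they grow past this (::maxarraysize)


def chaddr_from_bootp(payload):
    """Client hardware address: 6 bytes at offset 28 of the BOOTP/DHCP payload.
    op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr = 28 bytes."""
    if len(payload) < 34:
        raise ValueError("payload too short for a BOOTP header")
    return payload[28:34].hex()


def build_discover(mac, xid=0x3903F326):
    """Constructed DHCPDISCOVER payload for the demo (not a real capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s",
                         1, 1, 6, 0,          # BOOTREQUEST, Ethernet, hlen 6, hops 0
                         xid, 0, 0x8000,      # xid, secs, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)  # ciaddr..giaddr
    chaddr = bytes.fromhex(mac.replace(":", "")) + b"\0" * 10    # 16-byte chaddr field
    magic = b"\x63\x82\x53\x63"
    options = b"\x35\x01\x01" + b"\xff"       # option 53 = DHCPDISCOVER, then End
    return header + chaddr + b"\0" * 64 + b"\0" * 128 + magic + options


class DiscoverLimiter:
    """Per-MAC DHCP discover rate limiter with the same tables as the aFleX rule."""

    def __init__(self, maxquery=MAXQUERY, holdtime=HOLDTIME,
                 maxarraysize=MAXARRAYSIZE, clock=time.time):
        self.maxquery = maxquery
        self.holdtime = holdtime
        self.maxarraysize = maxarraysize
        self.clock = clock        # injectable so tests can move time forward
        self.user_freq = {}       # mac -> requests seen in the current second
        self.user_time = {}       # mac -> the second those requests were counted in
        self.blacklist = {}       # mac -> time the MAC was blacklisted

    def handle(self, payload):
        """Decide 'forward' or 'drop' for one UDP datagram (the CLIENT_DATA logic)."""
        mac = chaddr_from_bootp(payload)
        now = int(self.clock())

        # Purge stale per-second entries, but only once the tables get big
        if len(self.user_time) > self.maxarraysize:
            for client, seen in list(self.user_time.items()):
                if seen < now:
                    del self.user_time[client]
                    del self.user_freq[client]

        # Blacklisted MAC: keep dropping until holdtime has elapsed, then forgive
        if mac in self.blacklist:
            if now - self.blacklist[mac] < self.holdtime:
                return "drop"
            del self.blacklist[mac]

        if self.user_time.get(mac) == now:
            self.user_freq[mac] += 1
            if self.user_freq[mac] > self.maxquery:
                # Over the per-second budget: blacklist, forget the counters, drop
                self.blacklist[mac] = now
                del self.user_freq[mac]
                del self.user_time[mac]
                return "drop"
        else:
            self.user_freq[mac] = 1
            self.user_time[mac] = now
        return "forward"


if __name__ == "__main__":
    fake_clock = [1000.0]
    limiter = DiscoverLimiter(clock=lambda: fake_clock[0])
    flood = build_discover("00:11:22:33:44:55")   # constructed packet, assumed MAC
    verdicts = [limiter.handle(flood) for _ in range(101)]
    print("forwarded:", verdicts.count("forward"), "dropped:", verdicts.count("drop"))
    fake_clock[0] += HOLDTIME + 1
    print("after holdtime:", limiter.handle(flood))
```

Note the same edge the aFleX has: the counter is incremented before the check, so exactly `maxquery` discovers per second are forwarded and the next one triggers the blacklist; and because the cleanup only runs once the table exceeds `maxarraysize`, a steady trickle of distinct spoofed MACs keeps entries alive for longer than one second.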
