Simple Loadbalancing on Cisco ACE with stickiness

This guide describes a simple load-balancing configuration with sticky connections enabled. In this example we use the HTTP-cookie method for stickiness.

Cisco ACE: configuration

The required elements and the initial server (A and B) configurations should be the same as in (VrackLoadBalancingACESimple).
Some parts of the ACE config described there are listed here without details.

Basic configuration

rbx-99-6k-ace-1/vrack2070(config)# access-list ANY line 8 extended permit icmp any any
rbx-99-6k-ace-1/vrack2070(config)# access-list ANY line 16 extended permit ip any any

internal vlan:
rbx-99-6k-ace-1/vrack2070(config)# interface vlan 2070
ip address
access-group input ANY
nat-pool 1 netmask pat
no shutdown

tcp probe:
rbx-99-6k-ace-1/vrack2070(config)# probe tcp PROBE_TCP
interval 30
passdetect interval 60

http-parameter map:
rbx-99-6k-ace-1/vrack2070(config)# parameter-map type http HTTP_PARAMETER_MAP

real servers:
rbx-99-6k-ace-1/vrack2070(config)# rserver host SERVER1
ip address
conn-limit max 50000 min 40000
rbx-99-6k-ace-1/vrack2070(config)# rserver host SERVER2
ip address
conn-limit max 50000 min 40000

serverfarm config:
rbx-99-6k-ace-1/vrack2070(config)# serverfarm host FARM_WEB
predictor leastconns
rserver SERVER1
rserver SERVER2

Layer4 class-map:
rbx-99-6k-ace-1/vrack2070(config)# class-map match-all L4-WEB-IP
2 match virtual-address tcp eq www

Stickiness configuration

Set the cookie name and the timeout parameter. We expect a cookie named "CookieACE" to be sent from the web farm to the client. If it is found, it is stored on the ACE in the sticky connection database.
We set the timeout to 3600min and put CookieACE in StickyGroup1, which is connected to our FARM_WEB:
sticky http-cookie CookieACE StickyGroup1
timeout 3600
serverfarm FARM_WEB

The next step is the Layer 7 load-balancing policy-map. Here we have to use the sticky-serverfarm parameter instead of a plain serverfarm:
policy-map type loadbalance http first-match WEB_L7_POLICY
class class-default
sticky-serverfarm StickyGroup1
insert-http x-forward header-value "%is"

As in the previous example, policy-map multi-match WEB-to-vIPs is used to put all things together:
policy-map multi-match WEB-to-vIPs
description Ties L4-WEB-IP class-map, WEB_L7_POLICY maps together and applies HTTP_PARAMETER_MAP. Uses NAT.
class L4-WEB-IP
loadbalance vip inservice
loadbalance policy WEB_L7_POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 2070
appl-parameter http advanced-options HTTP_PARAMETER_MAP

Apply the service-policy and access-list to the inbound VLAN interface:
rbx-99-6k-ace-1/vrack2070(config)# interface vlan 270
service-policy input WEB-to-vIPs
access-group input ANY

Server cookie setting

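To test stickiness, the website has to set the cookie that the sticky group expects.
Save the page cookie.php in the main web-docs root. It sets a cookie named CookieACE with a random value, or just displays the cookie when the browser already sends it:
<?php
$n = 'CookieACE';
$new = !isset($_COOKIE[$n]);
// New cookie: random value (range chosen here); otherwise the client-supplied value, escaped for output
$cookie = $new ? rand(1, 9999) : htmlspecialchars($_COOKIE[$n], ENT_QUOTES);
if ($new) {
    // Current browsers ignore this meta tag; setcookie() sends a real Set-Cookie header instead
    echo '<meta http-equiv="Set-Cookie" content="'.$n.'='.$cookie.'; path=/" />';
}
echo "Hello from SERVER1 ";
echo $new ? "New cookie set: $n = $cookie" : "Got cookie: $n = $cookie";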

Do the same on Server B, but use "Hello from SERVER2" there so that the two servers can be told apart.

Testing Loadbalancing

To test stickiness let's go to the We can see for example:
Hello from SERVER1 set a new cookie: CookieACE = 3028

If the browser accepts cookies, refreshing the page should keep returning answers from SERVER1.
Example set of requests with cookies enabled in browser:
Hello from SERVER1 Got cookie: CookieACE = 3028

Hello from SERVER1 Got cookie: CookieACE = 3028

Hello from SERVER1 Got cookie: CookieACE = 3028

Hello from SERVER1 Got cookie: CookieACE = 3028

Let's have a look at the sticky database on the ACE:
rbx-99-6k-ace-1/vrack2070# show sticky database
sticky group : StickyGroup1
timeout : 3600 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
12411268269029278684 SERVER1:0 215995 -

The http-cookie entry from StickyGroup1 is present. The output shows the ACE timeout as well as the cookie type, name and real server instance.

While the TCP session is alive it is possible to see the connection:
rbx-99-6k-ace-1/vrack2070# show conn port 80

conn-id np dir proto vlan source destination state

383186 1 in TCP 270 ESTAB
230973 1 out TCP 2070 ESTAB

In the browser you can see the cookie details:
1 cookie set:
Name CookieACE
Value 3028
path /
secure No
expires End of session

Finally, after removing this cookie and disabling cookies in the browser, different requests are handled by different servers from the serverfarm (but the TCP session must expire first, because one TCP session is always handled by one rserver).

Example set of requests with cookies disabled:
Hello from SERVER1 set a new cookie: CookieACE = 6077

Hello from SERVER1 set a new cookie: CookieACE = 4231

Hello from SERVER2 set a new cookie: CookieACE = 4199

Hello from SERVER2 set a new cookie: CookieACE = 2803

Hello from SERVER1 set a new cookie: CookieACE = 926
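
The manual check above can be automated. The following is an added example, not part of the original guide: it parses the response bodies of cookie.php and reports any cookie value that was answered by more than one rserver. The function and list names are hypothetical; the first two samples are the responses shown on this page and the third is constructed. Only responses that echo a received cookie are checked, since a response that issues a fresh cookie says nothing about stickiness.

```python
import re
from collections import defaultdict

# Body format produced by cookie.php on each real server.
LINE_RE = re.compile(
    r"Hello from (?P<server>\S+)\s+"
    r"(?P<kind>Got cookie|set a new cookie|New cookie set):\s*"
    r"(?P<name>\S+)\s*=\s*(?P<value>\S+)"
)

def check_stickiness(lines, cookie_name="CookieACE"):
    """Report which rserver answered each request that carried the cookie."""
    servers_by_cookie = defaultdict(set)  # cookie value -> servers that received it
    fresh_servers = set()                 # servers that answered cookieless requests
    returned = fresh = 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("name") != cookie_name:
            continue                      # not output of the test page
        if m.group("kind") == "Got cookie":
            returned += 1
            servers_by_cookie[m.group("value")].add(m.group("server"))
        else:
            fresh += 1
            fresh_servers.add(m.group("server"))
    # A cookie value seen by more than one rserver means stickiness failed.
    violations = sorted(v for v, s in servers_by_cookie.items() if len(s) > 1)
    return {"returned": returned, "fresh": fresh, "violations": violations,
            "servers_by_cookie": dict(servers_by_cookie),
            "fresh_servers": fresh_servers}

# Responses from the two test runs shown on this page.
COOKIES_ENABLED = (["Hello from SERVER1 set a new cookie: CookieACE = 3028"]
                   + ["Hello from SERVER1 Got cookie: CookieACE = 3028"] * 4)
COOKIES_DISABLED = [
    "Hello from SERVER1 set a new cookie: CookieACE = 6077",
    "Hello from SERVER1 set a new cookie: CookieACE = 4231",
    "Hello from SERVER2 set a new cookie: CookieACE = 4199",
    "Hello from SERVER2 set a new cookie: CookieACE = 2803",
    "Hello from SERVER1 set a new cookie: CookieACE = 926",
]
# Constructed failure case: the same cookie answered by both servers.
BROKEN = ["Hello from SERVER1 Got cookie: CookieACE = 3028",
          "Hello from SERVER2 Got cookie: CookieACE = 3028"]

if __name__ == "__main__":
    for name, sample in [("enabled", COOKIES_ENABLED),
                         ("disabled", COOKIES_DISABLED), ("broken", BROKEN)]:
        print(name, check_stickiness(sample))
```

A run with cookies disabled never yields a violation because no response echoes a cookie; there the useful signal is that fresh_servers contains more than one rserver.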

Additional documents

- Cisco Application Control Engine Module Load Balancing Guide