manualshive.com logo in svg

Coyote Point Systems E350GX, Installation And Administration Manual

The Coyote Point Systems E350GX Installation And Administration Manual is a comprehensive guide that provides step-by-step instructions for setting up and managing your E350GX device. Download this manual for free from our website to easily configure and maximize the performance of your product.

Share
Download
background image

Using Certificates in HTTPS Clusters

Equalizer Installation and Administration Guide

279

About Client Certificates

Similarly, if you want to use client certificates with an HTTPS cluster, you’ll need to get a signed client certificate 
from a CA, or create a self-signed certificate. A client certificate needs to be installed on each client that will access 
the Equalizer cluster, as well as on Equalizer.

Just as with server certificates, you may need to install a client certificate and a chained root certificate, if you obtain 
your certificates from a CA without its own Trusted Root CA certificate. Some sites prefer to use self-signed 
certificates for clients, or set up their own local CA to issue client certificates.

Client certificates can be used in two ways with Equalizer:

1.

Install the entire client certificate chain on Equalizer.

  This requires that every client passes the exact same 

certificate to Equalizer for validation.

2.

Install an intermediate CA certificate as the client certificate on Equalizer. 

This allows unique certificates 

to be used on clients and a single client certificate to be uploaded to Equalizer. Following this method requires 
some certificate processing on the servers behind Equalizer in order to prevent access by clients with revoked 
certificates. 

This method, therefore, should be used only under the following conditions

:

a.

If the site is able to use an intermediate CA, or multiple CAs, which signs 

all and only

 certificates 

authorized for use with the cluster,

AND

b. If the application running on the servers behind Equalizer is able to perform Certificate Revocation List 

(CRL) processing by matching the CSN (certificate serial number) to the intermediate CA's CRL, and does 
so for 

all

 requests,

THEN

c.

The Equalizer can safely support the use of individual client certificates for different clients, by 
appropriately setting the 

verify depth

 option for the HTTPS cluster and uploading the intermediate CA's 

certificate to the cluster as the client certificate. If client certificates use different CAs, multiple 
intermediate CAs can be uploaded to Equalizer in a single file.

This method ensures that only certificates that pass the CRL check on the server can be used to access the 
cluster. Note that this method also assumes that validating the intermediate certificate only in (b) above is 
sufficiently secure for the site.

General Certificate Guidelines

Whichever method you choose, follow these general guidelines for certificates you want to use with Equalizer:

Equalizer accepts both the 

x509 PEM

 or 

PKCS12

 certificate formats; PEM files usually have a 

.pem

 

extension; PKCS12 files usually have a 

.pfx

 extension. Most CA vendors provide certificates in PEM 

format.

Some older Equalizer models are equipped with an Xcel I Hardware SSL Acceleration, which requires a 

private key length

 of 1024 bits. This key length restriction does not apply to the newer generation Xcel II 

hardware, though a private key length of 1024 is recommended for best performance. (Note that all 
Equalizer GX hardware models that have Xcel are equipped with Xcel II.)

When uploading certificates to Equalizer in 

PEM 

format, the certificates and private key must be contained 

in a single plain-text file, in the following order:

certificate

private key

chained root (intermediate) certificates (if any)

Summary of Contents for E350GX

Page 1: ...Equalizer Installation and Administration Guide Version 8 6 October 2010 Coyote Point Systems Inc 675 North First Street Suite 975 San Jose California 95112 ...

Page 2: ...GX E650GX All other brand or product names used in this document are trademarks or registered trademarks of their respective companies or organizations THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE ALL STATEMENTS INFORMATION AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND E...

Page 3: ...ession Persistence 24 Layer 7 Load Balancing and Server Selection 24 Geographic Load Balancing 25 Geographic Load Balancing Routing 26 Distributing the Geographic Load 26 Adding Equalizer to Your Network 29 Equalizer E250GX Network Configuration 29 Using Equalizer E250GX in a Single Network Environment 30 Using Equalizer E250GX in a Dual Network Environment 31 Equalizer E350GX E450GX E650GX Networ...

Page 4: ...ualizer 46 Adding Alternate DNS Servers 46 Managing Remote Access to the Equalizer 47 Managing the Remote Access Account 47 Using the Remote Access Account 47 Configuring a Second Equalizer As a Backup Failover 48 Configuring DNS and Firewalls for Envoy 48 Configuring the Authoritative Name Server to Query Envoy 48 Using Geographic Load Balancing with Firewalls 48 Testing Basic Connectivity 49 Usi...

Page 5: ... Routes 76 Adding a Static Route 76 Modifying a Static Route 77 Deleting a Static Route 77 Configuring Servers on Your Network 78 Configuring Routing on Servers 78 Server Configuration Constraints 78 Configuring Equalizer Operation 81 Licensing Equalizer 82 Requesting a License Online 82 Requesting a License Offline 84 Modifying Global Parameters 85 Global Probe Parameters 85 Global Networking Par...

Page 6: ... Information Archive 108 Upgrading Equalizer Software 108 Administering Virtual Clusters 111 Working with Virtual Clusters 112 Adding a Layer 7 Virtual Cluster 113 Modifying a Layer 7 Virtual Cluster 114 Layer 7 Required Tab 114 Layer 7 Probes Tab 115 Layer 7 Persistence Tab 116 LB Policy Tab 117 Layer 7 Networking Tab 118 Layer 7 Security Certificates Tab HTTPS only 119 Layer 7 Security SSL Tab H...

Page 7: ...on 138 Managing Servers 140 The Server Table 140 Server Software Configuration 141 Adding a Server to a Cluster 142 Modifying a Server 144 Configuring Outbound NAT 145 Enabling Outbound NAT 146 Configuring Outbound NAT for a Server 146 Using Outbound NAT on a Server IP in Multiple Clusters 147 Adjusting a Server s Initial Weight 147 Setting initial Weights for Homogenous Clusters 147 Setting initi...

Page 8: ...ing a Smart Event 168 Deleting a Smart Event 168 Displaying Smart Event Statistics 168 Using the Smart Event Expression Editor 168 Smart Event Examples 169 Logging a Message When Server Count is Low 169 Unquiescing a Server When Server Count is Low 170 Using IPMI to Conserve Server Resources 172 Configuring Direct Server Return DSR 177 Configuring Servers for Direct Server Return 179 Configuring W...

Page 9: ...iguring Custom Event Handling 200 Forwarding Equalizer Log Information 200 Specifying a Command to Run on an Event 200 Configuring Email Notification 201 Disabling Email Notification 202 Browsing Equalizer Configurations using SNMP 203 Enabling the SNMP Agent 204 Setting Up an SNMP Management Station 205 MIB Description 205 Siblings 206 Configuration and Status 206 Clusters 206 Servers 206 Events ...

Page 10: ...NAT Setting Using Match Rules 231 Server Selection Based on Content Type Using Match Rules 233 Using the Custom Load Balancing Policy with Match Rules 235 Administering GeoClusters 237 Overview of Geographic Load Balancing with Envoy 238 Overview of Configuration Process 238 Overview of Envoy Site Selection 238 Licensing and Configuring Envoy 242 Enabling Envoy 242 Configuring the Authoritative Na...

Page 11: ...Application Server Timeouts 264 Connection Timeout Kernel Variables 264 Server Health Check Probes and Timeouts 265 ICMP Probes 265 High Level TCP and ACV Probes 265 TCP Probe Aggregation 268 Server Agent Probes 269 Agent Probe Process 269 Enabling and Disabling Server Agents 269 Using Reserved IP Addresses 271 Outbound NAT and Failover 272 Regular Expression Format 273 Regular Expressions in Matc...

Page 12: ...Certificate from PEM to PKCS12 Format 287 Private Key Storage for Cluster Certificates 288 Clearing Secure Key Storage on Xcel I 289 Configuring Cipher Suites 289 Default Cipher Suites 289 Updating the Cipher Suites Field 289 No Xcel Software and Xcel II Cipher Suites 290 Xcel I Cipher Suites 290 Equalizer VLB 293 Equalizer VLB Basic 294 Using VLB Basic 294 Equalizer VLB Advanced 295 Using VLB Adv...

Page 13: ...d on Equalizer is not responding 309 Equalizer Doesn t Respond to Pings to the Admin Address 309 Equalizer is not powered on 309 Equalizer isn t connected to your network 309 Administration address not configured on the external interface 309 Browser Hangs When Trying to Connect Via FTP to an FTP Cluster 309 FTP server returns its private IP address in response to a PASV command 309 Return Packets...

Page 14: ...ion 317 Power Supply Cord 317 Installation into an Equipment Rack 317 Chassis Warning Rack Mounting and Servicing 318 Battery 318 Specifications 318 Power Requirements 318 Power Consumption 319 110V Test Results 319 220V Test Results 320 Operating Environment 320 Physical Dimensions 320 Regulatory Certification 320 Glossary 321 Index 331 ...

Page 15: ...onfigure system and global resources through the Equalizer Administration Interface including setting up a failover configuration Chapter 6 Administering Virtual Clusters tells you how to add and remove virtual clusters and servers changing load balancing options and shutting down servers Chapter 7 Monitoring Equalizer Operation describes how to view information statistics and graphical displays a...

Page 16: ...r Boldface text highlights graphical administrative interface screen elements labels buttons tabs icons etc Courier text is used to denote computer output messages commands file names directory names keywords and syntax exactly as displayed by the system Sequences such as Equalizer Status Event Log are used to indicate the Administrative Interface click path the user should follow to display the i...

Page 17: ...he Basic Configuration Guide also contains a Resource CD with copies of all product documentation including support documents that help you configure Equalizer for a variety of environments The latest Resource CD content is available on the web at http docs coyotepoint com Customer Support contact information is available from http www coyotepoint com support php Register today to get access to th...

Page 18: ...Chapter Preface 18 Equalizer Installation and Administration Guide ...

Page 19: ... Balancing and Server Selection 24 Geographic Load Balancing 25 Geographic Load Balancing Routing 26 Distributing the Geographic Load 26 Adding Equalizer to Your Network 29 Equalizer E250GX Network Configuration 29 Using Equalizer E250GX in a Single Network Environment 30 Using Equalizer E250GX in a Dual Network Environment 31 Equalizer E350GX E450GX E650GX Network Configuration 32 Using Equalizer...

Page 20: ...est to a site that Equalizer manages Equalizer identifies the virtual cluster for which the request is intended determines the server in the cluster that will be best able to handle the request and forwards the request to that server for processing To route the request Equalizer modifies the header of the request packet with the appropriate server information and forwards the modified packet to th...

Page 21: ...rcentage of the total load based on its fraction of the total weights in the server cluster Equalizer dynamically adjusts server weights according to real time conditions to ensure that Equalizer routes requests to the server that is best able to respond A server with a weight of zero 0 is considered down or unavailable and Equalizer does not route requests to servers in this state Real Time Serve...

Page 22: ... For more information see Server Agent Probes on page 255 For those who have one or more VMware ESX Servers Equalizer VLB can be configured to use VMware s status reporting to determine server status and can also be configured to automatically manage VMware servers based on status information obtained from VMware For more information see Appendix F Equalizer VLB Network Address Translation and Spo...

Page 23: ...ing cart for example session data the item in the cart customer information etc is created that potentially needs to persist across many individual TCP connections before the data is no longer needed and the session is complete It s important to note that session persistence is managed by the server application not Equalizer Equalizer provides server persistence so that a persistent connection bet...

Page 24: ... IP address to maintain a persistent connection Sticky network aggregation directs the user to the same server no matter which proxy he or she connects through You can also configure Equalizer to ensure that it directs requests from a particular client to the same server even if the incoming connection is to a different virtual cluster When you enable intercluster stickiness for a cluster Equalize...

Page 25: ...vel the client uses to connect Client IP address Request method GET POST etc All elements of the request URI host name path filename query etc Pattern matches against request headers Match functions can be combined using logical constructs AND OR NOT etc to create extremely flexible cluster configurations Please see Using Match Rules on page 207 for an overview of Match Rules a complete list of ma...

Page 26: ...protocol1 to perform its geographic load distribution DNS translates fully qualified domain names such as www coyotepoint com into the IP addresses that identify hosts on the Internet For Envoy the authoritative name server for the domain is configured to query the Equalizers in the geographic cluster to resolve the domain name When Envoy receives a resolution request it uses the load balancing al...

Page 27: ...ve name server for coyotepoint com see Figure 4 Figure 4 Client s local DNS queries the authoritative name server for coyotepoint com Envoy Site B West Coast USA Envoy Site A East Coast USA Internet Envoy Site C Europe Client California USA Client s Local DNS Authoritative DNS for coyotepoint com Envoy Site B West Coast USA Envoy Site A East Coast USA Internet Envoy Site C Europe Client California...

Page 28: ...each Envoy site in the list until one of them responds 5 The Envoy site contacted returns the IP Address of the virtual cluster best able to handle the client s request For an overview of how Envoy chooses the virtual cluster IP to return to the client s DNS see Administering GeoClusters on page 237 6 Finally the client s local DNS server returns the virtual cluster IP to the client which then sen...

Page 29: ...ace ports The figure below shows the port configuration of an E250GX model Equalizer Figure 6 Equalizer E250GX default port configuration The E250GX can be deployed in either a single network or a dual network configuration In a single network configuration all cluster IPs and server IPs are on the same subnet and are connected to Equalizer using the Internal Interface Port the External Interface ...

Page 30: ...c port mapping or multiple TCP UDP ports may also work best in a single network environment As you can see in the example above Equalizer s internal IP cluster IP and all server IPs are located on the 192 168 0 x network and communicate through the same switch The switch in turn is connected to a router which is this subnet s gateway to other subnets on the Intranet and Internet networks The gatew...

Page 31: ...d cluster IP on the 172 16 0 x network connected to the External Port and all servers are located on the 192 168 0 x network on the Internal Port The External Port is connected to a router which is this subnet s gateway to other subnets on the Intranet and Internet networks The router is assumed to perform all necessary NAT for external clients so that clients from outside the 172 16 0 x network c...

Page 32: ...D VLAN ID 1 Additional configuration is performed by logging into the graphical browser based Administrative Interface on the Default VLAN IP address The VLAN Configuration Wizard leads you through the creation of three basic VLAN configurations A single VLAN the Default VLAN for all management cluster and server IP addresses This is similar to the single network configuration supported in release...

Page 33: ... in a single VLAN environment In the example above all of Equalizer s ports have been configured for the same VLAN the Default VLAN which hosts the 192 168 0 0 24 subnet Equalizer s Management IP cluster IP and all server IPs are located on the 192 168 0 x network Equalizer is connected to a router which is this subnet s gateway to other subnets on the Intranet and Internet networks The gateway or...

Page 34: ... for the Internal VLAN which hosts all servers on the 192 168 0 x subnet The router is the Default VLAN s gateway to other subnets on the Intranet and Internet networks The router is assumed to perform all necessary NAT for external clients so that clients from outside the 172 16 0 x network can access Equalizer cluster IPs Equalizer uses the router as its default gateway If desired a separate VLA...

Page 35: ...net The router is the Default VLAN s gateway to other subnets on the Intranet and Internet networks The router is assumed to perform all necessary NAT for external clients so that clients from outside the 172 16 0 x network can access Equalizer cluster IPs Equalizer uses the router as its default gateway If desired a separate VLAN can be configured for all cluster IPs and the Default VLAN can be r...

Page 36: ...e backup unit If the primary Equalizer stops functioning the backup unit adopts the primary unit s IP addresses clusters and begins servicing connections In a failover configuration the servers in a virtual cluster use a separate failover IP alias as their default gateway rather than the IP address of the cluster or external port on a particular Equalizer The failover alias migrates between the pr...

Page 37: ...default gateway In a hot backup environment the gateway address can migrate between the primary and backup unit This requires an additional address 3 The Equalizer kernel changes from BACKUP mode to PRIMARY mode The PRIMARY mode Equalizer performs gateway routing of packets between its cluster and external ports address translation and load balancing When a failed unit is brought back online it be...

Page 38: ...Chapter 1 Equalizer Overview 38 Equalizer Installation and Administration Guide ...

Page 39: ...ternal and Internal Interfaces on E250GX 42 Configuring the Default VLAN on E350 450 650GX 43 Setting the Time Zone 44 Setting the Date and Time 44 Adding Administrative Interface Logins 44 Changing Equalizer s Console Password 44 Upgrading Equalizer Software 45 Shutting Down Equalizer 46 Adding Alternate DNS Servers 46 Managing Remote Access to the Equalizer 47 Managing the Remote Access Account ...

Page 40: ...al limits and power requirements for your Equalizer 3 Connect a console to Equalizer Do one of the following a Connect a serial terminal or a workstation running terminal emulator software to the serial port on the front panel of the Equalizer see Figure 9 on page 32 Use the serial cable supplied with Equalizer b Some Equalizer models also have a USB keyboard connector and VGA display adapter at t...

Page 41: ...ystems you can use the cu 1 command or any other Unix serial communication program If you use HyperTerminal in addition to the settings shown above select File Properties Settings from HyperTerminal s menu select VT100 in the Emulation drop down box and then Terminal Setup to enable these options keyboard application mode cursor keypad mode Tera Term is freely available at http hp vector co jp aut...

Page 42: ...window Then press Enter to continue Configuring External and Internal Interfaces on E250GX On an E250GX Equalizer has two front panel ports To configure the Hostname Network Interfaces Default Router and DNS on an E250GX use the following steps Even if you are using the E250GX in a single network configuration you need to enter information for both the external and internal server interfaces See E...

Page 43: ...the Equalizer s hostname default gateway and DNS follow these steps See Equalizer E350GX E450GX E650GX Network Configuration on page 32 for an overview of the network configurations supported on the E350GX and higher models 1 In the Equalizer Configuration Menu window select option 1 Interfaces and press Enter Equalizer displays the Network Configuration window a In the Host field required enter t...

Page 44: ...To set the system date and time using eqadmin follow these steps 1 In the Equalizer Configuration Menu window select option 3 Time then press Enter 2 Specify the current date and time based on a 24 hour clock in the format MM DD YY HH MM 3 Highlight OK then press Enter Adding Administrative Interface Logins The browser based Administrative Interface by default supports two logins touch and look Th...

Page 45: ...ser based Administrative Interface please see Upgrading Equalizer Software on page 108 In order to upgrade Equalizer must be licensed see Licensing Equalizer on page 82 for more information Equalizer must be able to access the Internet using FTP or have access to a local FTP server that already has the upgrade image The procedure below contains the basic upgrade instructions for the current Equali...

Page 46: ... then press Enter 2 After the shutdown process completes power off the system Adding Alternate DNS Servers Only one DNS server can be specified via eqadmin as shown in the section Configuring the Default VLAN on E350 450 650GX on page 43 If you want to add additional alternate DNS servers follow the procedure below 1 Log in to Equalizer via ssh as eqsupport or the serial interface as root If you u...

Page 47: ...ht Enable and press Enter The account is now enabled b To disable the remote access account use the arrow keys to highlight Disable and press Enter The account is now disabled c To change the password use the arrow keys to highlight Password and press Enter Follow the prompts to change the password If you modify the password for the account when it is disabled Equalizer will display a reminder tha...

Page 48: ...terface as described in the section Setting Up a Failover Configuration on page 90 Configuring DNS and Firewalls for Envoy If you are configuring Equalizer to use Envoy for geographic load balancing you need to configure your authoritative domain name server to delegate authority to the Envoy sites If you will use Envoy across firewalled networks you also need to configure the firewalls to allow t...

Page 49: ...side the firewall When a client attempts a DNS resolution Equalizer sites send an ICMP echo request packet to the client the client might respond with an ICMP echo response packet Testing Basic Connectivity Once you have installed and configured Equalizer as described in this chapter do the following to test basic connectivity 1 Ping Equalizer s Default VLAN IP address from another host on the sam...

Page 50: ...Chapter 2 Installing and Configuring Equalizer Hardware 50 Equalizer Installation and Administration Guide ...

Page 51: ...tions that show you how to log in and configure access to the interface Logging In and Navigating the Administrative Interface 52 Logging In 52 Navigating Through the Interface 53 Managing Access to Equalizer 55 Viewing and Changing GUI and SSH Access 55 Updating the Administration Interface Certificate 56 Managing Multiple Interface Users 56 Objects and Permissions 57 Viewing or Modifying Login P...

Page 52: ...nabled for GUI access you can log in using the VLAN IP address on those VLANs as well The instructions below assume you are logging in on the Default VLAN 1 Open a Javascript enabled web browser We recommend that you use one of these browsers Internet Explorer Version 7 or later Firefox Version 2 or later 2 From the browser open the URL that corresponds to Equalizer s Default VLAN IP address using...

Page 53: ...g Coyote means the peer is in backup mode or failover is not enabled a running Coyote means the peer is in primary mode Click this item to open the Failover configuration tab on the right hand side of the screen Right click this item to open a menu that displays the currently configured IP addresses and a menu of failover commands eq_IP address where IP address is the IP address assigned to the De...

Page 54: ...s the following buttons Alert Displayed when a critical system message has been logged Clicking on this icon displays the text of the system message Log Out Logs you out of the Administrative Interface Help Displays a sub menu of commands View Guide opens the Equalizer Installation and Administration Guide this book in PDF View Release Notes opens the Release Notes for the currently installed vers...

Page 55: ... configured IP addresses Use a login that has read or write access to global parameters see Objects and Permissions on page 57 2 Select Equalizer Networking VLAN Configuration 3 Each row in the table corresponds to a VLAN Click the modify icon in the Actions column to display the Modify VLAN screen 4 Under Permissions the enabled flags indicate current access permissions GUI http enables GUI acces...

Page 56: ... a file that is in PEM or PKCS12 format Once the certificate file is successfully uploaded to Equalizer the tab displays the certificate information at the bottom of the screen Managing Multiple Interface Users Equalizer is shipped with two logins for the browser based Administrative Interface look read only mode and touch administrator or edit mode The definitions of these users and any additiona...

Page 57: ...s defined on Equalizer The permission set on the ALL object specifies the user s permission on all clusters with their permission set to none the default unless a different permission is set on the cluster The table on the following page explains the permissions used on objects Permissions Objects none read write add del global parameters ALL cluster parameters ...

Page 58: ... object has read permission on all clusters unless write or add del is set on an individual cluster write In addition to read permission the user can modify existing objects but cannot add new objects or delete existing objects For global parameters the user can update all global parameters including parameters that are not already assigned a value The user cannot however add or delete global obje...

Page 59: ...table 3 To view or modify login details select the modify icon in the Actions column in the same row as the login name you want to view The user definition appears as shown in this example for the default touch login This screen contains the following information about the login user details The description field contains a text description of the purpose of the login The password field is empty w...

Page 60: ...rs see Logging In on page 52 2 Select Equalizer Permissions Users 3 Select the add icon The Add New User screen is displayed Figure 18 The add user screen 4 Type a user name and a description for the login User names may only contain alphanumeric characters periods dashes and underscores _ 5 Type a password for the login and re type it into the confirm password text box Passwords must be between 6...

Page 61: ...inistrators Read Only login see 1 Log in to Equalizer using a login other than the one you want to delete the login you use must have the add del permission on users see Logging In on page 52 2 Select Equalizer Permissions Users 3 Select the delete icon on the same row as the name of the user login you want to delete 4 A confirmation box appears Select Commit to delete the login Entering Names for...

Page 62: ...Chapter 3 Using the Administration Interface 62 Equalizer Installation and Administration Guide ...

Page 63: ...rent Port Settings 72 Editing Port Settings 73 Commiting and Applying Switch Port Configuration Changes 74 Switch Interface Usage Scenarios 75 Resetting the Front Panel Switch 75 Switch Interface Notes for Pre GX Equalizer Hardware 75 Configuring Static Routes 76 Adding a Static Route 76 Modifying a Static Route 77 Deleting a Static Route 77 Configuring Servers on Your Network 78 Server Configurat...

Page 64: ...e layout of a traditional LAN is therefore restricted to those systems that can be wired together using Layer 2 devices a physically distant system that requires connectivity to the LAN would require special routing and address translation at Layer 3 in order to reach the LAN The dependence of LAN technology on physical connectivity at Layer 2 leads to two basic difficulties broadcasts are receive...

Page 65: ...tch is a VLAN capable switch then it is possible to configure several ports on the switch for VLAN A several others to VLAN B others to VLAN C and so on This allows you to both reduce the number of devices in local broadcast domains extend broadcast domains across devices separated by more than one switch The predominant VLAN standard is 802 1q This standard adds a VLAN tag to the information in t...

Page 66: ...side on the same network segment All ports will be assigned to this VLAN yes single 2 untagged VLANs one for Equalizer with port 1 assigned and one for all clusters and servers with the remaining ports assigned no dual 2 untagged VLANs one VLAN for the Equalizer and all clusters with ports 1 and 2 assigned and one VLAN for servers with the remaining ports assigned yes dual 3 untagged VLANs are con...

Page 67: ...r VID A unique integer identifier for the VLAN between 1 and 4095 VLAN IP Equalizer s IP address on the VLAN Netmask The netmask for the VLAN Failover IP If failover is to be configured the failover IP for the VLAN The Failover IP has two purposes it can be used as the floating gateway IP for servers behind Equalizer and to provide GUI and SSH access to the Equalizer in the primary failover mode F...

Page 68: ...ble any all or none of these check boxes to allow GUI access to Equalizer using the indicated protocols and IP addresses GUI http HTTP on the VLAN IP GUI https HTTPS on the VLAN IP GUI Failover http HTTP on the Failover IP GUI Failover https HTTPS on the Failover IP Enable ssh access to Equalizer via one both or neither of the following IP addresses ssh ssh on the VLAN IP Failover ssh ssh on the V...

Page 69: ...I session you will lose your current GUI connection Note Modifying the VLAN IP address of the Default VLAN requires a reboot A popup window will request confirmation before rebooting the system Netmask The netmask for the VLAN Failover IP If failover is to be configured the failover IP for the VLAN The Failover IP has two purposes it can be used as the floating gateway IP for servers behind Equali...

Page 70: ...nnectivity between the failover peers on this VLAN is lost Permissions Enable any all or none of these check boxes to allow GUI access to Equalizer using the indicated protocols and IP addresses GUI http HTTP on the VLAN IP GUI https HTTPS on the VLAN IP GUI Failover http HTTP on the Failover IP GUI Failover https HTTPS on the Failover IP Enable ssh access to Equalizer via one both or neither of t...

Page 71: ...e that the 1 and 2 ports are identified with red labels to remind the user that these are configured by default into the Default VLAN as shown in the figure below Figure 19 Equalizer 650GX Front Panel Note Equalizer model E250GX does not support VLANs and does not support the Switch Configuration interface described in this section The E250GX has two ports each of which is connected to one of the ...

Page 72: ...ration in the right frame to display the Switch Configuration tab Viewing Link Status The current link status of each port is displayed graphically as shown in the Legend Ports whose configuration have been modified but not committed saved are displayed with a red border and a coyote paw print Viewing Current Port Settings To display the configuration settings for any port mouse over the port to d...

Page 73: ...is is the recommended setting for the majority of modern networking devices and is the default autonegotiation setting for all switch ports Port Status Displays Active if the port has an active link No Link if not Port Speed If the port is Active this is the current port speed If there is No Link this is the highest speed that can be negotiated or the forced speed setting Port Duplex If the port i...

Page 74: ...y autonegotiate and Equalizer may for example be able to determine the correct speed setting but cannot determine the duplex setting For such devices the Force setting is probably appropriate Similarly some devices set to autonegotiate may not work with a forced speed duplex setting even if that setting is correct for the device Commiting and Applying Switch Port Configuration Changes As shown in ...

Page 75: ... enter eqadmin and press Enter to display the Equalizer Configuration Menu 2 Press 0 or use the arrow keys to scroll down to the last option on the screen Reset Switch and press Enter 3 A confirmation screen is displayed Select Yes and press Enter to reset the switch The change takes effect immediately Switch Interface Notes for Pre GX Equalizer Hardware The switch management interface is primaril...

Page 76: ...ace exclusively to manage static routes on Equalizer The interface manages changes to the var etc rc conf eq file for you and updates Equalizer s routing tables displayed using the netstat nr shell command as you add and delete them Adding a Static Route 1 Log into the Administrative Interface using a login that has add del access for global parameters see Logging In on page 52 2 Select Equalizer ...

Page 77: ...es 3 Highlight the route you want to change in the table and select the Modify icon The Modify Route screen is displayed 4 Edit the values shown as needed and select commit to submit your changes You are returned to the Static Routes screen which now displays the updated route Deleting a Static Route 1 Log into the Administrative Interface using a login that has write access for global parameters ...

Page 78: ...er IP address on the VLAN associated with the Equalizer front panel port to which the server is connected The commands or utilities that you use to configure routing on a server depends on the server s operating system but usually involves some form of the route command check your server s operating system documentation To verify that you have configured a server s routing correctly trace the rout...

Page 79: ...ll servers and clients via the same subnet The example cluster shown above contains three servers two on the local 10 0 0 0 subnet and one on another subnet In this example a static route would be needed on Equalizer to forward all packets for the 172 16 0 0 network to the gateway at 10 0 0 172 Similarly the server at 172 16 0 33 would need a static route that forwards all traffic for the 10 0 0 0...

Page 80: ...Chapter 4 Equalizer Network Configuration 80 Equalizer Installation and Administration Guide ...

Page 81: ...ver 94 Modifying the Failover Configuration 99 Disabling the Failover Configuration 99 Re enabling Failover After Disabling 100 Clearing the Failover Configuration 101 Modifying VLANs with Failover Configured 101 Changing from a Multi VLAN to a Single VLAN Network Configuration 101 Managing System Time and NTP 103 NTP and Plotting 103 Selecting an NTP Server 104 General System Maintenance 106 Savi...

Page 82: ...or offline using a license file obtained from Coyote Point Support via email Requesting a License Online To request a license using this method Equalizer needs to be able to connect to the internet on port 127 You may need to work with your local network administrator to ensure that Equalizer can connect to the license server through any firewalls or other network devices on your network If this i...

Page 83: ...ly and ask you if you want to reboot to apply the license Select Yes to reboot b If Equalizer is not connected to the Internet or DNS is not configured then see the section Requesting a License Offline on page 84 below After the system comes back up there should be no unlicensed error in the left frame or on the Help About screen If you licensed Envoy the Help About screen should show Envoy geogra...

Page 84: ... this address in the To field of a new mail message Specify license request in the Subject field and attach the license request file you saved in the previous step Send the email 5 Once Coyote Point processes your request you will receive a signed license file in a return email from Coyote Point Save the licensing file you receive from Coyote Point to an appropriate location on your local system 6...

Page 85: ...ters Global Probe Parameters Selecting Equalizer Probes displays the global probe parameters The global probe parameters are described below probe interval The target interval between TCP probes of a cluster that has been marked failing in the load balancing daemon s internal tables If the server does not respond to strikeout threshold see below additional TCP probes after it is marked failing the...

Page 86: ...more seconds increases the delay to at least that number of seconds plus additional time due to load latency and other factors agent delay The minimum time in seconds default is 10 between successive probes of server agents by the probe daemon Specifying 0 to 5 seconds for agent delay means a 5 second delay due to the fact that Equalizer s probe daemon goes through a probing cycle about every 5 se...

Page 87: ...of memory in kilobytes reserved by each L7 proxy process to store data that has been received on an interface before it is processed by an L7 proxy process Default 16 Minimum 4 Maximum 128 If this value is set for a cluster the cluster value overrides the global value connect timeout The time in seconds that Equalizer waits for a server to respond to a connection request Layer 7 clusters only See ...

Page 88: ...e same server In practice this has not been a problem Equalizer s load balancing algorithms direct other visitors to different servers to keep the load balanced Note If you are using two Equalizers in a failover configuration you must set the sticky network aggregation mask identically on both Equalizers enable outbound NAT When outbound NAT Network Address Translation is enabled Equalizer modifie...

Page 89: ...ed the default Equalizer will forward all RST packets allow extended chars By default support for extended characters 8 bit ASCII and multibyte UTF characters in URIs is disabled Equalizer returns a 400 Bad Request error when a request URI contains 8 bit or multibyte characters To enable support for 8 bit and multibyte characters in URIs turn on the allow extended chars flag Caution There are pote...

Page 90: ...mments to the console Once the network interfaces are active the failover peers begin a negotiation in which one system becomes the primary unit and the other becomes the backup unit This is accomplished by the backup system performing a reboot When a backup Equalizer loses contact with its failover peer it tries to determine the cause If it cannot identify the cause it will try to assume the prim...

Page 91: ...zer running Version 8 5 1 the following exceptions apply to the instructions in this chapter Version 8 5 of EQ OS and si model Equalizers support up to two untagged port based VLANs This limits the VLAN configuration on both failover Equalizers to two untagged VLANs In Version 8 6 on GX models the VLAN Wizard can help you automatically mirror the VLAN configuration supported on Version 8 5 and si ...

Page 92: ...X and an si Equalizer both running Version 8 6 in a failover pair The GX Equalizer must have exactly the same VLAN configuration as the si system Note that si systems support up to two untagged port based VLANs Both Equalizers must be configured using the Failover tabs as described in Enabling Failover Using the Failover Tabs on page 94 The Failover Wizard cannot be used Setting Up or Modifying Fa...

Page 93: ...e menu Point at the System Information box to expand it and show the sequence number The configuration file with the highest sequence number will be transferred to the other when failover is established See the section Updating the Configuration File Sequence Number on page 312 if you need to edit the sequence number to preserve the configuration you require 4 Log into the Equalizer Administration...

Page 94: ...Once synchronization is complete and the failover process has been restarted on both systems the Status for one peer should read STABLE_PRIMARY and the other should read STABLE_BACKUP Click close to exit the wizard Enabling Failover Using the Failover Tabs The Failover Wizard allows you to setup failover on one machine and transfer the configuration over to the other The only information that both...

Page 95: ...e to set failover configuration transfer options If you make any changes click commit 5 Open the Timing tab to update the default failover timer settings if necessary dont transfer By default changes committed to the configuration on the primary system are transmitted to the backup system when the next heartbeat occurs Enabling this flag tells Equalizer not to transfer configuration changes to the...

Page 96: ...lizer has regained contact with its peer you may want to increase the values If you make any changes click commit 6 Open the Failover Peers tab which should look like this when failover has not yet been enabled Uncheck the Disable Failover check box See Disabling the Failover Configuration on page 99 for an explanation of this option 7 The information below for This Equalizer is filled in automati...

Page 97: ...N is listed If you need to make any changes to the VLANs defined use the VLAN Configuration button at the bottom of the dailog Preferred Primary Indicates that this system should assume the primary role when both peers come up together Check this box Equalizer Name A unique name for the failover peer you already configured We suggest eq_ followed by the IP address of the Default VLAN on the peer E...

Page 98: ... be changed Equalizer Name A unique system name for this Equalizer The default is eq_ followed by the VLAN IP address of the Default VLAN interface Signature The unique identifying signature for this Equalizer VLAN name For each currently defined VLAN on this Equalizer the VLAN IP for the VLAN is listed Preferred Primary Indicates that this system should assume the primary role when both peers com...

Page 99: ...u use the failover wizard to change the configuration settings found on the Required tab so that the changes are validated communicated to the other system and the two systems can renegotiate failover status By using the failover wizard you ensure that there will be minimal interruption of failover services and no attempt by the backup system to assume the cluster IP addresses Disabling the Failov...

Page 100: ...updates have been made on one or both of them Each time a configuration change is made the sequence number in the configuration file is updated When failover is established the configuration file with the highest sequence number is transferred to the other during the first synchronization between the units unless the dont transfer option is enabled on the Failover Synchronization tab For this reas...

Page 101: ...nfigure failover or cancel to leave the wizard 4 Perform Steps 1 through 3 on the peer Equalizer To re establish failover between the two systems see Setting Up or Modifying Failover Using the Failover Wizard on page 92 or Enabling Failover Using the Failover Tabs on page 94 Modifying VLANs with Failover Configured The Administrative Interface prevents all updates to the VLAN configuration when fa...

Page 102: ...er peers interface if_flags disable sibling eq140 switch sw01 intaddr 192 168 0 140 extaddr 172 16 0 140 sysid 00 30 48 66 a9 66 fingerprint E99041C0FD010BA6084E8C01042EC7563270A83DAC10008C flags preferred_primary sibling eq_172 16 0 230 switch sw01 intaddr 192 168 0 230 extaddr 172 16 0 230 sysid 00 30 48 d3 ee b6 fingerprint 2698C0ED8E67FB2C3C48E489C88185F534EAF7B7AC1000E6 flags preferred_primar...

Page 103: ...lling delay to increase from minpoll to maxpoll will vary based on a number of factors including the accuracy of the clocks on the client and server network latency and other timing factors NTP calculates when the local and remote system clocks are sufficiently in sync to begin increasing the polling delay towards maxpoll When the accuracy of the two clocks is significantly different or there is s...

Page 104: ...rop down boxes at the top of the date and time field to manually set the date and time Make sure the enable NTP synchronization check box is disabled b Turn on the enable NTP synchronization check box and type in the name of an NTP server into the primary server text box You can also specify two additional servers to be used in sequence if the first is unavailable See the section Selecting an NTP ...

Page 105: ...untries contain a very limited number of time servers In these cases it is best to use a mix of country and continent based pool servers If a country has only one time server then it is recommended you use a time server pool based in another nearby country that supports more servers or use the continent based server pools For example Japan has 6 six time servers as of the date this document was pu...

Page 106: ...m etc including hosts master passwd ntp conf passwd rc conf eq resolv conf syslog conf and etc ssh including ssh_config sshd_config and host keys Using a Backup Archive Created on Another Equalizer The restore mechanism assumes that the system on which the restore is performed already has the same network configuration as configured in the backup archive It was not designed to be able to restore a...

Page 107: ...ve Interface which may be incompatible with the interface used in the current version We recommend that you clear your browser cache or restart your browser after the restore is complete so that you are sure to be using the correct version of the interface Equalizer cluster and server settings This includes cluster and server IP addresses and ports as well as match rules responders and smart event...

Page 108: ...eqcollect tgz we recommend you use a unique file name that includes the name of the system from which the archive was taken and the date as in eqcollect_system name_dd mm yy tgz This ensures that you don t overwrite an existing archive and helps identify the archive to Coyote Point Support 4 Open your email client and send the file you saved to support coyotepoint com as an attachment Explain the ...

Page 109: ... always located at the following URL ftp ftp coyotepoint com pub patches upgrades latest upgrade tgz If you chose User FTP Server Enter the upgrade image URL appropriate for your local FTP server as provided by your local network administrator Click commit to start the download 6 The wizard displays the progress of the download and prompts you to continue the upgrade once the download is complete ...

Page 110: ...Chapter 5 Configuring Equalizer Operation 110 Equalizer Installation and Administration Guide ...

Page 111: ... HTTPS Clusters 136 Performance Considerations for HTTPS Clusters 137 Providing FTP Services on a Virtual Cluster 138 Managing Servers 140 The Server Table 140 Server Software Configuration 141 Adding a Server to a Cluster 142 Modifying a Server 144 Configuring Outbound NAT 145 Adjusting a Server s Initial Weight 147 Setting Maximum Connections per Server 148 Interaction of Server Options and Conn...

Page 112: ...m of an Equalizer with three clusters Figure 27 An Equalizer with three defined clusters The parameters you specify when setting up a virtual cluster determine how the Equalizer manages connections between the Equalizer and the servers in a cluster and how incoming requests are routed through the Equalizer to the cluster Before beginning to define a cluster we recommend you read this chapter in it...

Page 113: ...options start with the defaults and make incremental changes as you examine traffic passing through your clusters Adding a Layer 7 Virtual Cluster To add a new virtual cluster follow these steps 1 Log into the Administrative Interface using a login that has add del access for global parameters see Logging In on page 52 2 Right click on Equalizer or the configure Failover Peer Name for this Equaliz...

Page 114: ... cluster IP interface If this is defined it is assumed that the customer has the proper routing in place for clients to access multiple IP subnets defined on the Equalizer The default is the netmask of the network interface for the cluster IP disable Disable this cluster The cluster IP address will not accept requests when this flag is enabled ignore case ignore case causes all of the cluster s ma...

Page 115: ...is enabled Equalizer augments its high level TCP probe mechanism by searching for the ACV response string in the first 1024 characters of the server s response to high level TCP probes If the ACV response string is not found the server is marked down An ACV probe see above can be specified if the service running on the probe port requires inputin order to respond For more information refer to Usin...

Page 116: ...In order for cookies to be valid the specified cookie generation must match the equivalent number embedded in the cookie Conversely if you need to invalidate old cookies increment this number cookie domain If a cookie domain is specified then Equalizer will honor cookies in client requests only if the server s host name is within the specified domain For example if the cookie domain is coyotepoint...

Page 117: ... for this cluster For more information refer to Configuring a Cluster s Load Balancing Options on page 127 delay weight The relative influence on the policy of the current response time between Equalizer and the server active connections weight The relative influence on the policy of the number of active connections currently open to a server agent weight The relative influence on the policy of th...

Page 118: ...fault 16 Minimum 4 Maximum 128 This global parameter applies to Layer 7 HTTP and HTTPS clusters only and can also be set per cluster request max The maximum amount of memory in kilobytes reserved for HTTP request headers Default 32 Minimum 4 Maximum 64 This global parameter applies to Layer 7 HTTP and HTTPS clusters only response max The maximum amount of memory in kilobytes reserved for HTTP resp...

Page 119: ...dle client connection The default is the global value See HTTP and HTTPS Connection Timeouts on page 260 server timeout The time in seconds that Equalizer waits before closing an idle server connection The default is the global value See HTTP and HTTPS Connection Timeouts on page 260 abort server By default when a client closes a connection Equalizer waits for a response from the server before clo...

Page 120: ...evels above it levels 1 and 2 are checked any certificates above level 2 in the chain are ignored You should only need to increase this value if the Certificate Authority that issued your certificate provided you with more than 2 chained certificates in addition to your client certificate See Appendix E Using Certificates in HTTPS Clusters on page 277 certify client Indicates whether the server as...

Page 121: ...ertificate If the allow unsafe renegotiation option is enabled all clients will be permitted to renegotiate SSL session IDs Enabling this option is not recommended by Coyote Point since it leaves your configuration open to session stealing and data injection Note that if SSL processing is done in software as on the E250GX and E350GX then newer clients that contain the fix for CVE 2009 3355 will be...

Page 122: ... port fields These are the ports on the Equalizer to be used to send traffic to the servers in the cluster Port ranges allow Equalizer users to create a single cluster to control the traffic for multiple contiguous ports There are two typical uses for port ranges Specific applications that require a range of ports The need to open up access to servers behind the Equalizer for all ports Enter the f...

Page 123: ...Timeouts on page 231 for a full description If you enable direct server return see below you may also need to increase this value as explained in the section Configuring Direct Server Return DSR on page 177 disable Disable this cluster The cluster ip will not accept requests when this flag is enabled spoof spoof causes Equalizer to spoof the client IP address when Equalizer routes a request to a s...

Page 124: ...the ACV response string in the first 1024 characters of the server s response to high level TCP probes If the ACV response string is not found the server is marked down An ACV probe see above can be specified if the service running on the probe port requires inputin order to respond For more information refer to Using Active Content Verification ACV on page 134 probe delay The minimum number of se...

Page 125: ...llows you to extend Layer 4 persistence across multiple server ports For more information refer to Enabling Sticky Connections on page 129 policy For all cluster protocols choose the appropriate load balancing policy to be used by this cluster Choose from round robin default static weight adaptive fastest response least connections server agent and custom For more information refer to Configuring ...

Page 126: ...or a review of cluster settings see the following sections For HTTP and HTTPS clusters see Modifying a Layer 7 Virtual Cluster on page 114 For TCP and UDP clusters see Modifying a Layer 4 Virtual Cluster on page 122 All servers and server settings are copied to the new cluster For a review of server settings see Modifying a Server on page 144 1 Log into the Administrative Interface using a login t...

Page 127: ...ncing distributes requests among the servers depending on their assigned initial weights A server with a higher initial weight gets a higher percentage of the incoming requests Think of this method as a weighted round robin implementation Static weight load balancing does not support Equalizer s adaptive load balancing feature Equalizer does not dynamically adjust server weights based on server pe...

Page 128: ...ge to a server s dynamic weight The weight spread coefficient causes dynamic weight changes to happen more slowly as the difference between the dynamic weight and the initial weight increases Optimization Threshold controls how frequently Equalizer adjusts dynamic weights If Equalizer adjusts server weights too aggressively oscillations in server weights can occur and cluster wide performance can ...

Page 129: ... using the persist and always cluster flags See Enabling Cookies for Persistent Connections on page 130 Enabling Sticky Connections For Layer 4 TCP and UDP clusters you can use IP address based sticky connections to maintain persistent sessions The sticky time period is the length of time over which Equalizer ensures that it directs new connections from a particular client to the same server The t...

Page 130: ...erface using a login that has add del access for the cluster see Logging In on page 52 2 In the left frame click the name of the Layer 4 TCP or UDP cluster to be configured The cluster s parameters appear in the right frame 3 Select the Persistence tab in the right frame 4 In the sticky time field specify the sticky time period in seconds greater than zero 5 To direct all requests from a particula...

Page 131: ...without the bother of opening additional connections This is how Equalizer behaves For a Layer 7 cluster Equalizer evaluates and possibly changes both the request and response headers that flow between the client and server the request and response bodies are not examined Match rules are applied to each client header cookies may be inserted and headers may be rewritten When a client includes keep ...

Page 132: ...uest to the server in the cookie If request contains a cookie and there is a match rule hit send the request to the server in the cookie only if it is in the list of servers selected in the match rule definition Otherwise ignore the cookie If there is no cookie load balance the request and send to the server chosen If request contains a cookie and there is no match rule hit send request to the ser...

Page 133: ...y both turned off and with no match rules By defining a Layer 7 cluster in such a way you are essentially disabling Layer 7 processing while still incurring extra overhead for the Layer 7 cluster If your application requires a cluster with no persistence header processing or match rules then we recommend that you define a Layer 4 UDP or TCP cluster for the best performance once only enabled once o...

Page 134: ...fication ACV Active Content Verification ACV is a mechanism for checking the validity of a server When you enable ACV for a cluster Equalizer requests data from each server in the cluster and verifies that the returned data contains a character string that indicates that the data is valid You can use ACV with most network services that support a text based request response protocol such as HTTP No...

Page 135: ...e not present the server is marked down The response string should be text that appears only in a valid response This string is case sensitive An example of a poorly chosen string would be HTML since most web servers automatically generate error pages that contain valid HTML For more information on probing see Server Health Check Probes and Timeouts on page 265 Enabling ACV To enable ACV in an HTT...

Page 136: ...qualizer before being forwarded to the server These headers are inserted into every request if the once only flag is disabled if once only is enabled then only the first request in a connection will have these headers inserted Some application may require a special header in the request and the following section describes how Equalizer can be configured to provide a custom HTTPS header for such ap...

Page 137: ...ualizer terminated the HTTPS connection and performed SSL processing on the incoming request see the previous section above The munging or translation of HTTP redirects to HTTPS redirects see the description of the no header rewrite flag under Modifying a Layer 7 Virtual Cluster The once only flag This flag is present to speed up processing of HTTP requests by only looking at the first request but...

Page 138: ... and server sides must be configured to monitor FTP transactions and provide appropriate address translation and packet rewriting Firewalls on the client and server sides must be configured to let traffic on the ports used for FTP through the firewall Consult the documentation for the firewalls and NAT devices used at your site to determine how to set up those devices appropriately for FTP transfe...

Page 139: ...owsers use This means that there will be one sticky record kept for each FTP data connection For an explanation of sticky records see Enabling Sticky Connections on page 129 FTP clusters occupy two internal virtual cluster slots even though only one appears in the interface This permits Equalizer s NAT subsystem to rewrite server originated FTP data connections as they are forwarded to the externa...

Page 140: ...g a Server s Initial Weight Setting Maximum Connections per Server Shutting Down a Server Gracefully Deleting a Server The Server Table Every cluster has a Servers tab that lists all of the currently defined servers in the cluster and provides basic configuration and status information for each server To display the server table for a cluster click on the cluster name in the left frame and then cl...

Page 141: ... to return 64 headers or less in any response it sends back through Equalizer If your application must use 64 headers or more in server responses then you can turn the spoof flag off so that server responses go back to the client without going through Equalizer Be aware however that this has no effect on the client side any packets from the client with more than 64 headers will still be dropped by...

Page 142: ...Layer 7 HTTPS clusters Equalizer performs all the SSL encryption and decryption and forwards traffic to the servers using the HTTP protocol This is why when you add servers to an HTTPS cluster the default server port is 80 and should always be a port other than port 443 For L4 UDP and L4 TCP protocol clusters a cluster port range can be defined These are the ports on the Equalizer to be used to se...

Page 143: ... Server with a Virtual Machine on page 299 If you are not using Equalizer VLB an VMware virtual machines as servers click the Next icon 5 A confirmation screen appears click commit to create the server with the parameters shown 6 The Configuration tab for the new server is opened See the following section for an explanation of the server configuration parameters Cluster Port Range Server Port Port...

Page 144: ...Equalizer communicates with servers in an HTTPS cluster via HTTP For L4 UDP and L4 TCP protocol clusters a cluster port range can be defined These are the ports on the Equalizer to be used to send traffic to the servers in the cluster Port ranges allow Equalizer users to create a single cluster to control the traffic for multiple contiguous ports The port defined for a server in the cluster for wh...

Page 145: ...zer to direct incoming connections to this server only if all the other servers in the cluster are down You should only configure one server in a cluster as a hot spare For example you might configure a server as a hot spare if you are using licensed software on your servers and the license allows you to run the software only on one node at a time In this situation you could configure the software...

Page 146: ...ogin that has add del access for global parameters see Logging In on page 52 2 Click on Equalizer or the configured Failover Peer Name for this Equalizer in the left frame and open the Networking tab in the right frame 3 Enable the check box next to enable outbound NAT 4 Select the commit button Configuring Outbound NAT for a Server Each server defined on Equalizer can have a specifically assigned...

Page 147: ... these servers to 100 and 50 is equivalent to setting the initial weights to 180 and 90 Values for server weights can be in the range 0 200 with 0 meaning that no new requests will be routed to the server essentially disabling the server for subsequent requests In general you should use higher initial weights When you have enabled Equalizer s ALB feature that is the load balancing policy is not se...

Page 148: ...rver reaches the specified limit requests will not be routed to that server until the number of active connections falls below the limit Typical reasons to set a maximum number of connections include implementing a connection limit that is required due to software limitations such as an application that can service a limited number of concurrent requests implementing license restrictions that are ...

Page 149: ...d Layer 7 persistence Note that persistence is set at the cluster level but can be disabled for individual servers using the dont persist option The hierarchy of server option settings is shown in the table below Shutting Down a Server Gracefully To avoid interrupting user sessions make sure that a server to be shut down or deleted from a cluster no longer has any active connections When a server ...

Page 150: ...ht to zero click commit to save the change 4 Click on the server name in the left frame and open the Reporting tab Check the number of total connections click the server name to refresh If this number does not go to zero after a reasonable period of time then there are clients that still have open persistent connections to the server To make sure that these connections are not dropped but are rene...

Page 151: ...e Server command from the menu 4 When prompted click delete to confirm that you want to remove the server from the cluster Clicking delete removes the server from the configuration immediately To cancel the deletion click cancel If you attempt to delete a server that has active connections If the server is being deleted from a Layer 4 cluster clicking delete removes the server from the configurati...

Page 152: ... you can either click the Edit icon in one of the rows in the table above or click the Responder name in the left frame click the plus sign next to Responders to display a list of Responder names To delete a Responder you can either click the Delete icon in one of the rows in the table above or right click the Responder name in the left frame and select Delete Responder from the menu click the plu...

Page 153: ...izer will return to clients The text size limit is 4096 bytes Create a standard Redirect page by supplying the following information in the popup screen Status The HTTP status code to return to the client The default return code is 307 Temporary Redirect Use the drop down box to choose a different return code 301 Moved Permanently 302 Found 303 See Other URL The HTTP Redirect URL the full URL of t...

Page 154: ...pearing in the Redirect URL are replaced with strings from the Test URL Click commit to add the Redirect responder or cancel to close the dialog without adding the responder Modifying a Responder 1 To modify the configuration of an existing Responder you can either Click on the name of the Responder under Responders in the left frame Click Responders in the left frame and then click on the Edit ic...

Page 155: ...gular expressions as described in Appendix D Regular Expression Format on page 273 See the examples that follow below to help you understand how regular expressions are constructed and interpreted by Responders Example 1 HTTPS Redirect The simplest form of HTTPS redirect involves simply referring the user to the top level of the https site regardless of the path information that may have been incl...

Page 156: ...ts to the same hostname prefixes with a net suffix We also want to include the rest of the URL exactly as specified by the client For example we want requests to URLs in these formats http www example com path http www example2 com path http www example3 com path to be redirected to the following URLs http www example net path http www example2 net path http www example3 net path The following reg...

Page 157: ...both or an additional Responder with a regular expression that matches IP addresses as well as two match rules to match the two types of hostnames so that the appropriate Responder replies to the client Example 3 Directory Redirect The next example involves redirecting requests that include a particular directory to a different domain omitting the directory from the redirect URL s path Let s say w...

Page 158: ...equests If you want the Responder to be used only for specific requests then create an appropriate Match Rule expression to match those requests see Using Match Rules on page 207 server selection By default no servers are selected in a match rule This means that any incoming request URL that matches the match rule expression will be handled by the Responder specified in the match rule If you want ...

Page 159: ... select Sorry Server 3 Type the HTML content for the page to display into the text box that appears as shown in the following example 4 Click commit to save the new Responder 5 Right click on the name of the cluster for which you want to display the sorry page in the left frame and select Add Match Rule from the menu 6 If more than one match rule already exists in the cluster select the appropriat...

Page 160: ...e status of the servers in the cluster 9 Click commit to create the match rule 10 If more than one match rule already exists in the cluster select the appropriate position for the rule from the immediately before drop down box Our example redirect rule should be immediately before the first existing match rule in the list 11 Select RedirectExample in the response drop down box 12 Click commit to s...

Page 161: ... for a cluster are evaluated periodically at an interval set by the smart timer parameter on a cluster s Probe tab the default is 15 seconds If a Trigger expression evaluates to true then the associated Action expression is evaluated and the action specified by the expression result is performed Trigger and Action expressions are logical constructs that use Smart Event functions and operators to s...

Page 162: ...s for heuristic 1 lowest dynamic weight 2 highest dynamic weight 3 unquiesced server with lowest current weight 4 unquiesced server with highest current weight All quiesced server Query to see if a server is currently quiesced Returns true if the specified server s quiesce flag is enabled returns false if quiesce is disabled All reboot_equalizer The reboot_equalizer function supports failover betw...

Page 163: ...tual machine is running or not Otherwise returns false VM only running server Queries VMware and returns true if the specified server name is associated with a virtual machine whose guest operating system is currently running otherwise returns false For example the powered function would return true and the running function would return false if the virtual machine used as an argument to both had ...

Page 164: ...nable the quiesce option for the indicated server Returns true if the quiesce option is set by this function false if not for example if the option is already set All server_wait server seconds Sets the server_wait timer for the specified server which blocks any function from operating on the server for the given number of seconds This function always returns true Events called on blocked servers ...

Page 165: ...r function only and specifies the number of samples used for the CPU weight calculation The default value is 5 which means that weight_server will look at the last 5 server dynamic weight values recorded in server statistics and average them The result is the dynamic weight value returned by the function event timer Specifies an event specific timer frequency for executing an event in seconds The ...

Page 166: ...ssing in a Smart Event expression honors short circuiting rules this includes chained events which use the logical OR and AND operators to decide whether expressions on the right side of the operator are evaluated Essentially this means that the right hand side of an expression is not evaluated if the evaluation of the left side of the expression determines the outcome For example if the left side...

Page 167: ...re done click Next 5 The trigger and action you have entered are displayed for confirmation click commit to save the new event Editing a Smart Event 1 To view and edit a Smart Event do one of the following Click on the Smart Event name in the left frame Use the expand control plus sign next to a cluster name to see all the Smart Events defined for the cluster Click the cluster name in the left fra...

Page 168: ...he name of the function or variable appears in the edit box below if you chose the variable button used to enter data values a blank element appears If the function you chose requires a parameter click the down arrow next to the function name in the edit box to supply the argument Click accept to save the value which now appears in the edit box Click on an expression element in the edit box and th...

Page 169: ...d click on the drop down arrow shown in the blank parameter Type 2 into the numeric value text box and then click accept 5 At the top of the Add New Event popup window click the Next icon This displays the Event Action editor 6 In the functions field click on log 7 In the expression workbench field click on the drop down arrow next to log Type the following into the message text box that appears T...

Page 170: ...e left frame and select Add Event from the popup menu 2 Type a Name for the event such as unquiesce sv02 or accept the default Click the Next icon to open the Event Trigger expression editor 3 In the operators field click on the following controls a active_servers b the less than operator c numeric The expression workbench field should now look like this 4 In the expression workbench field click o...

Page 171: ...drop down arrow shown in the blank parameter Type 3 into the numeric value text box and then click accept The expression workbench field should now look like this 4 At the top of the Add New Event popup window click the Next icon to open the Event Action editor 5 In the functions field click on quiesce 6 In the expression workbench field click on the drop down arrow next to quiesce Select sv02 in ...

Page 172: ...to boot and be available to handle traffic Set the event timer on peak off ipmi01 to 0 to enable it Set a long event timer on this event such as 864000 or 10 days so that it does not continually fire while the trigger conditions are true Event peak off ipmi01 If the number active connections to sv01 and sv02 are both below some threshold Power off ipmi01 and log a message Set a wait timer on serve...

Page 173: ...ssociated event see the last two bullet items in each event description above To create the peak and spare events shown in the table above do the following 1 Right click on the cluster name and select Add Event from the popup menu a Type peak on ipmi01 into the Event Name text box and click the next icon b Construct the Event Trigger shown below using the expression editor controls Click the next ...

Page 174: ... in the right frame Use the expression editor to add an event wait timer for this event as shown below f Click commit 3 Right click on the cluster name and select Add Event from the popup menu a Type spare on ipmi01 into the Event Name text box and click the next icon b Construct the Event Trigger shown below using the expression editor controls Click the next icon c Construct the Event Action sho...

Page 175: ...ssion editor controls Click the next icon c Construct the Event Action shown below using the expression editor controls Click the next icon d Click commit to create the spare off ipmi01 event The object tree at left refreshes to display the new event e Click on the new event name and open the Action tab in the right frame Use the expression editor to add an event wait timer for this event as shown...

Page 176: ...t timer on the event s Required tab default 15 seconds If your system is in a test environment use a load generation tool to generate client connections and test the operation of the events you may need to adjust the number of connections used in the triggers for the peak events to meet the capabilities of your load generation tool As load is applied and the events fire You can watch the processin...

Page 177: ...equests cluster performance is dramatically improved when using DSR in high bandwidth applications especially those that deliver a significant amount of streaming content In such applications it is not necessary for Equalizer to receive and examine the server s responses the client makes a request and the server simply streams a large amount of data to the client DSR is supported on Layer 4 TCP an...

Page 178: ...dress Since the cluster IP address is configured on the loopback interface of each server see Configuring Servers for Direct Server Return on page 179 one or more may respond to the ARP request The client and possibly even the gateway will then route requests for the cluster IP to servers directly without going through Equalizer If this occurs you need to reconfigure the servers so that they do no...

Page 179: ...turns a Bad Hostname error to the client if there is an IP mismatch 4 Check the routing on your network to ensure that traffic is being routed as expected For example Equalizer is usually not going to be used as the default gateway on your servers since we want the servers to respond to clients directly In most DSR configurations the default gateway used on servers is the gateway most appropriate ...

Page 180: ...r DSR a Open Start Administrative Tools Internet Information Service IIS Manager b In the left frame expand the local computer and then Web Sites to display a list of the web sites running on the server c Right click on the web site you want to configure for DSR and select Properties d On the Web Site tab next to IP address select the Advanced button e Select the Add button under the top list box ...

Page 181: ...Linux system example Weak and Strong Host Models and DSR Network interfaces on non routing systems use either the weak host or strong host models for packet transmission and reception these models are defined in RFC1122 In the strong host model a system that is not acting as a router cannot send or receive any packets on a given interface unless the destination source IP in the packet is assigned ...

Page 182: ...h your Internet router Then follow these steps 1 Ping Equalizer s external address if configured from a host on the external network interface address 2 Ping Equalizer s internal address from a host on the internal network interface address 3 If DNS is configured ping a host on the Internet e g www coyotepoint com from Equalizer to ensure that DNS and the network gateway are functioning properly 4...

Page 183: ...uster Statistics 191 Displaying Server Statistics 191 Displaying Envoy Statistics 191 Displaying Site Statistics 192 Plotting Global Performance History 193 Plotting Cluster Performance History 193 Plotting Server Performance History 194 Plotting Match Rule Performance History 196 Plotting Responder Performance History 196 Plotting GeoCluster Performance History 196 Plotting Site Performance Histo...

Page 184: ...he current user See Objects and Permissions on page 57 Equalizer version The currently running version of the Equalizer software system ID The unique identifier for the Equalizer unit Note in previous releases this was shown with a colon separating each pair of numbers serial no The hardware serial number This is the same as the serial number on the tag on the back of Equalizer s metal housing pla...

Page 185: ...failover mode The current failover mode standalone no failover initializing the failover subsystem is coming up primary the system is the primary failover peer or backup the system is the backup failover peer Envoy geographic load balancing Envoy status enabled licensed or disabled not licensed SSL acceleration Xcel SSL Hardware Acceleration status enabled or disabled hardware GZIP compression Exp...

Page 186: ...ing system other entries display log entries for the appropriate cluster only 4 Select the Refresh button to display the selected log entries To export the contents of a log copy text from the log viewer screen and paste it into another application such as Windows Notepad then save the text to a file Type The cluster type one of tcp_l4 Layer 4 TCP udp_l4 Layer 4 UDP http Layer 7 HTTP https Layer 7...

Page 187: ...s when no server is marked Up Initial Weight The initial server weight asigned to the server by the administrator This weight is used by Equalizer as it starts to load balance requests amongst the servers in the cluster For all load balancing policies other than static weight and round robin Equalizer adjusts the server initial weights to reflect the relative performance of the servers in the clus...

Page 188: ...the system was last rebooted This number includes both requests that matched and did not match the match rule expression Site The site name Status Status indicators for each site in the GeoCluster Up responding to health check probes Down not responding to health check probes Quiesced not accepting new connections and Hot Spare only responding to requests when no site is marked Up Weight The site ...

Page 189: ...over which data has passed L7 peak The peak highest number of Layer 7 connections processed per second since the last reboot Basic Statistics L4 total connections processed The total number of Layer 4 connections processed since the last reboot These are connections that have been opened and data has passed over the connection L4 peak connections processed The peak number of Layer 4 connections pr...

Page 190: ...y Equalizer L7 total client connections The total number of Layer 7 clients connections received not necessarily processed L7 current client connections The number of currently active client connections L7 requests processed The total number of Layer 7 clients requests processed L7 responses processed The total number of Layer 7 server responses processed L7 server conx reused The number of times ...

Page 191: ...7 http compressed bytes output1 The total number of compressed bytes output from all server responses L7 http compression ratio1 The approximate current compression ratio bytes selected for compression divided by the compressed bytes output total number of servers The number of servers defined for the cluster server active connections The number of active current connections to this cluster total ...

Page 192: ... agent probes that received no response Interruptions in network connectivity between the Equalizer server and site agents and site failures can result in missed probes agent errors The number of Equalizer to agent probes that returned a resource unavailable error that is Envoy on the remote site determined that the requested resource is unavailable unavailable The number of times the server was c...

Page 193: ...nt of in use memory over the selected time period L4 Connections Timed Out The number of Layer 4 connections that were closed because a connection timeout expired see Appendix B Timeout Configuration L7 Connections Timed Out The number of Layer 7 connections that were closed because a connection timeout expired see Appendix B Timeout Configuration L4 Total Connections Processed The number of clien...

Page 194: ...ce of the cluster Initialized to 0 when the system boots By design when a server with a non zero service time transitions to having no active connections for some period of time Equalizer stops adjusting the service time and continues using the last service time value in load balancing decisions This is why sometimes the service time is not equal to 0 when there are no active connections to the se...

Page 195: ... below the overall cluster performance Equalizer derives a server s computed load value from its service time number of active connections and server agent value if configured It is also takes into account the load balancing policy used by the cluster Ideally a server s computed load should be around 100 though values in the range 85 to 115 are reasonable If the server s computed load is higher th...

Page 196: ...nder was executed by a match rule This counter is incremented each time a Responder is executed by any match rule in any cluster 3 Use the slider controls to select the following Server Agent The value that the server agent daemon returns When queried the server agent returns a value in the range 2 to 100 If you have not configured the cluster to use the server agent or the server agent daemon is ...

Page 197: ...e selected site To plot the performance history for a site follow these steps 1 In the left frame right click the name of the site whose history you want to view and select Plot Site from the menu The graphical history for the selected cluster appears in the right frame 2 To change the information being plotted scroll down using the scrollbar at the right of the plot screen to display the plot con...

Page 198: ...or export The following statistics are reported in the exported file with one row for every five seconds in the selected time period No Agent Response The number of requests in which an agent failed to reply to Equalizer s probes Resource Down The number of times that the target resource failed to respond during the period plotted Default Chosen The number of times the default site was chosen in r...

Page 199: ...l to the number of servers in the cluster times 100 For each L7 Match Rule Smoothed Processed Connections The total number of incoming requests that were examined and matched the match rule expression For each Server Delay The average service time of the server The service time is the time it takes a server to start sending reply packets once it receives a client request Initialized to 0 when the ...

Page 200: ...d of 250 would be twice as likely to be chosen to receive a new incoming request as a server with a load value of 500 By design when a server with a non zero load transitions to having no active connections for some period of time Equalizer stops adjusting the load and continues using the last load value in load balancing decisions This is why sometimes the server load is not equal to 0 when there...

Page 201: ...g checkbox 4 In the syslog host text box type the hostname or IP address of the machine to which you want to forward syslog messages The system you specify must be running a system logging daemon such as syslogd that is configured as a system logging host see the documentation for the operating system running on that system for more information 5 Click the commit button Specifying a Command to Run...

Page 202: ...tration Interface see Logging In on page 52 2 Select Equalizer Monitoring Events 3 In the handling field enter the command that you want Equalizer to run when it detects a server event For our example above you would enter usr local bin echomsgs 4 Click the commit button Configuring Email Notification You can configure Equalizer to send an email notification whenever a server event occurs for the ...

Page 203: ...hostname domain for example events sv01 example com will be used The hostname and domain used are part of the global parameters specified when you set up the Equalizer hardware 4 Enter the recipient of the email in the to field using the format required by your SMTP server as described in the previous step At least one recipient address must be specified Specify multiple email addresses by includi...

Page 204: ...in a free personal edition is the iReasoning MIB Browser available from http www ireasoning com A MIB database is a hierarchical tree of variables whose values describe the state of the monitored device A management station that want to browse the MIB database on a device sends a request to the SNMP agent running on the device The agent queries the MIB database for the variables requested by the m...

Page 205: ...n is the user assigned description of the Equalizer Location describes its physical location Contact is the name of the person responsible for this unit Name is the administrative name for the Equalizer 4 Enter a value for the community string Any SNMP management console needs to send the correct community string along with all SNMP requests If the sent community string is not correct Equalizer di...

Page 206: ... On the Equalizer these are located in the directory usr local www eqmanual MIB Description Equalizer s Management Information Base MIB contains five major sections These sections describe Equalizer s siblings failover configuration and status clusters servers and events Each object in the MIB contains a description field that describes the object s purpose All of the MIB objects are read only tha...

Page 207: ...n variables specific to Layer 4 load balancing the state of passive FTP idle timeout stale timeout etc eqL7DynamicCfg This group contains configuration variables specific to Layer 7 load balancing including send and receive buffer sizes the state of SSL encryption etc eqStatus This group consists of two sub groups and contains no variables of it s own The sub groups are eqL4Status This group conta...

Page 208: ...Chapter 7 Monitoring Equalizer Operation 208 Equalizer Installation and Administration Guide ...

Page 209: ...he Default Match Rule 215 Creating a New Match Rule 216 Modifying a Match Rule 219 Removing a Match Rule 219 Match Functions 219 Match Function Notes 224 Match Rule Behavior When Server Status is not Up 224 Considering Case in String Comparisons 224 Regular Expressions 225 Supported Headers 225 HTTPS Protocol Matching 225 Supported Characters in URIs 226 Logical Operators and Constructs in the GUI...

Page 210: ...rs that the load balancing algortihms will use for a particular request By default a request is load balanced over all the available non spare servers in a cluster Match rules allow you to select the group of servers that will be used to load balance the request For each virtual cluster you can specify any number of match rules For each match rule you specify the subset of servers that can handle ...

Page 211: ...an if then statement an expression is evaluated and if it evaluates to true the body of the match rule applies to the request A match expression is a combination of match functions with logical operators and can be arbitrarily complex This allows for matching requests that have for example attribute A AND NOT attribute B If the match expression evaluates to true then the data in the request has se...

Page 212: ...ears on the Networking tab When using Match Rules it is usually desirable to turn off the once only flag for the cluster so that Equalizer matches against each individual request on the stream not just the initial one You can also enable or disable once only in a match rule to override the setting on the cluster for any request that matches that rule For example if once only is enabled on a cluste...

Page 213: ...by the match function For example a match function common to all Layer 7 protocols is the any function which always returns true independent of the contents of the request data So the most simple match expression is any which will always result in the match rule being selected Use the logical NOT operator sometimes to invert the sense of the truth value of the expression So you can use the NOT ope...

Page 214: ...parated list of server names which specifies the set of servers to be used for load balancing all requests that match the expression in the match rule The reserved server names all and none specify respectively the set of all servers in the virtual cluster and none of the servers in the virtual cluster If you do not assign servers none will be available for load balancing as a result the connectio...

Page 215: ...of flag that is when the connection is made to the server the server sees a connection to the Equalizer not to the client This rule looks as follow in the Administrative Interface Figure 43 Example match rule The expression section of the screen shows the expression that is evaluated against the incoming request If the expression evaluates to true the servers and options section specifies the serv...

Page 216: ...al concepts of match rules covered in General Match Expressions and Match Bodies on page 211 The Match Rules Table Click on a cluster name in the left frame and then click on the Match Rules tab to display a list of match rules defined for that cluster Figure 44 The match rules table Name The match rule name Server in Rule Status indicators for all servers in the rule Shows the number of servers i...

Page 217: ...s rule is always the last match rule in the ordered list of match rules for a cluster You cannot modify delete or move this match rule The Default rule can be viewed by clicking in the left frame on match Default for any Layer 7 cluster If you have not created a Layer 7 cluster see Working with Virtual Clusters on page 112 Figure 45 shows the default match rule for an HTTPS cluster on an E650GX wi...

Page 218: ...Interface using a login that has add del access for the cluster see Logging In on page 52 2 In the left frame right click the name of the Layer 7 cluster to which you want to add a match rule and select Add Match Rule Figure 46 Example Add New Match Rule dialog box 3 Enter a name for the new rule in the match name field or accept the default All match names within a cluster must be unique 4 In the...

Page 219: ...is important as they are processed from first to last until one of them evaluates to true at which time the match body is processed The initial match expression of a new rule any is one that will always evaluate to true meaning that this match rule will always be selected It is good practice to be cautious when adding new match rules to ensure that all the traffic to a cluster does not get mishand...

Page 220: ...sponder field allows you to specify an automatic responder for client requests that match this rule when none of the servers selected in the rule are available The responder must already be configured For a description of responders as well as examples of using responders in match rules see the section Automatic Cluster Responders on page 152 9 Click commit to save the match rule definition policy...

Page 221: ...s a match function the arguments to the function are displayed so you can edit them along with a list of items that can replace the function In the Administration Interface logical operators and constructs are introduced using special entries in the drop down list for expressions These allow you to build complex boolean expressions in match rules See the section Logical Operators and Constructs in...

Page 222: ... string This function evaluates to true if the string argument exactly matches the Request Method e g GET POST etc specified in the request Note that by default Equalizer forwards packets to servers without determining whether or not the method specified in the request is valid i e is a method specified in Section 9 of RFC2616 One use of the method function is to be able to override this default b...

Page 223: ...mponent are not provided Use the pathname and filename functions to match characters at the end of the path and filename components Match functions for the optional fragment component are not provided The fragment portion of a URI is not transmitted by the browser to the server but is instead retained by the client and applied after the reply from the server is received The following table lists t...

Page 224: ...he path component of the request URI The path component is the entire directory path including the trailing slash for example foo bar is the directory portion of foo bar file html dirname_prefix string This function evaluates to true if the string argument is a prefix of the directory portion of the path component of the request URI The leading slash must be included in the string for example fo i...

Page 225: ... string argument is a substring of the filename portion of the URI path filename_regex string This function evaluates to true if the string argument interpreted as a regular expression matches the filename portion of the URI path query string This function evaluates to true if the string argument exactly matches the optional query component of the request URI The query if present appears in a URI ...

Page 226: ...r you would use the following construct to force the header_substr function to make case sensitive string comparisons observe_case AND header_substr host MySystem Regular Expressions Some match functions have prefix suffix substr or regex variants The regex variants interpret an argument as a regular expression to match against requests Regular expressions can be very costly to compute so use the ...

Page 227: ... expressions and manipulate the functions in the match expression All of these operators and constructs affect the part of the match expression that is currently selected highlighted in red in the graphical interface Accept Encoding If Match Trailer Accept Language If Modified Since Transfer Encoding Authorization If None Match Upgrade Cache Control If Range User Agent Connection If Unmodified Sin...

Page 228: ...e any function logically AND ed with the current selection replace with any OR self Replaces the currently selected function or logical construct with the any function logically OR ed with the current selection replace with any AND function Replaces the currently selected function or logical construct with the any function logically AND ed with the current selection replace with any OR function Re...

Page 229: ...vers sv_support sv01 sv02 sv03 has already been defined 1 Log into the Administrative Interface using a login that has add del access for the cluster see Logging In on page 52 2 In the left frame right click the name of the Layer 7 cluster to which you want to add the rule and select Add Match Rule The Add Match Rule dialog appears a Type support into the match name text box b Select sv_support in...

Page 230: ...Chapter 8 Using Match Rules 228 Equalizer Installation and Administration Guide 4 Select the commit button to save your changes to the support rule ...

Page 231: ...ffix match rule function to test for the above hostname format For this example we assume that a cluster with three servers sv00 sv01 sv02 has already been defined We will construct a match rule that turn off persist for any request that contains the host suffix testexample com this request will be balanced across all three servers in the cluster 1 Log into the Administrative Interface using a log...

Page 232: ... Type testexample com into the hostname suffix text box The dialog should now look like this c Click continue 4 In the servers and options field disable both of the two check boxes to the right of the persist flag 5 Select the commit button to save your changes to the nopersist rule ...

Page 233: ...erver subnet as well as other subnets In network configurations where Equalizer needs to be able to forward server responses to clients on the server subnet as well as other subnets for the same virtual cluster IP the spoof option can be selectively enabled or disabled by creating a Layer 7 match rule that looks for specific client IP addresses in incoming requests When an incoming request s sourc...

Page 234: ...n the ip text box specify a simple IP address e g 192 168 0 240 or an IP address in Classless Inter Domain Routing CIDR notation e g 192 168 0 0 24 to specify an entire subnet c Click continue The expression field should now contain the client_ip function with the ip argument you specified above 5 In the servers and options field look for the spoof option and disable both of the checkboxes to the ...

Page 235: ...lected by the new match rule should now be able to connect successfully to the cluster IP Right click the name of the match rule in the left frame the Processed counter in the popup menu should increase as clients are selected by the match rule Select Match Rule Plots from the popup menu to display a history of the number of connections processed by the match rule all servers selected spoof option...

Page 236: ...maintaining session information To do this we ll create two match rules as follows 1 Log into the Administrative Interface using a login that has add del access for the cluster see Logging In on page 52 2 In the left frame click the name of the Layer 7 cluster to which you want to add the rule The cluster Configuration screen appears in the right frame a Make sure that the once only flag is not ch...

Page 237: ...les now we need a rule to determine which servers will receive all the other requests The Default rule is not sufficient and in fact we don t want it to be reached since it could send a request for content to one of the image servers So we ll create another rule with the same match expression as the Default any but a restricted list of servers This effectively replaces the Default match rule with ...

Page 238: ...requirements This changes the policy specified on the Default match rule to custom Create a match rule that matches all requests that DO NOT specify the URL that you want to load balance using the custom policy In this match rule specify the adaptive policy The following procedure shows you how to do this In this example we ll assume that the custom policy is to be used for requests to the URL htt...

Page 239: ...ules Equalizer Installation and Administration Guide 237 6 In the servers and options field select adaptive from the policy drop down box 7 Click commit at the bottom of the tab to save your changes to the match rule ...

Page 240: ...Chapter 8 Using Match Rules 238 Equalizer Installation and Administration Guide ...

Page 241: ...voy 242 Configuring the Authoritative Name Server to Query Envoy 242 Using Envoy with Firewalled Networks 244 Using Envoy with NAT Devices 244 Upgrading a Version 7 GeoCluster to Version 8 244 Working with GeoClusters 245 Adding a GeoCluster 245 Viewing and Modifying GeoCluster Parameters 246 Deleting a GeoCluster 248 Displaying Envoy Statistics 249 Plotting GeoCluster History 249 Working with Sit...

Page 242: ... setting up Envoy for the first time on two or more Equalizers running Version 8 1 Configure appropriate clusters and servers on all of the Equalizers to be included as Envoy sites in the GeoCluster 2 Configure the GeoCluster on each Equalizer the parameters used should be the same on all sites 3 Configure the authoritative DNS server for your website s domain with DNS records for all Equalizers i...

Page 243: ...lso queries its local Envoy agent see Figure 52 Figure 52 The selected Equalizer queries other Equalizers and its own servers in the GeoCluster The GQP probes contain information about the requesting client and the local resource i e local cluster that is being requested by the client If ICMP triangulation is enabled the GQP probes also tell the sites to send an ICMP echo request ping to the clien...

Page 244: ... or lack thereof in its GQP response to Site A 4 After all GQP responses are received or the GQP probes time out Site A determine the best available site to return to the client s DNS server using this process a If at least one GQP probe is received from a site at which the resource is available then Envoy uses the resource availability and network latency information if present in the GQP replies...

Page 245: ... the IP address of the resource at any site marked up Else if a site is marked as the default Then send the IP address of the resource at that site even if the site is marked down Else send a NULL response back to the client s DNS server 5 Once the client s local DNS server sends the client the IP address of the selected site the client sends the request to the site see Figure 55 The site then res...

Page 246: ...alizer on page 108 in Chapter 5 Configuring Equalizer Operation 3 After the system reboots confirm that Envoy is enabled Log into the Equalizer Administration Interface and expand the Equalizer System Information box in the right frame The line Envoy geographic load balancing should indicate that Envoy is enabled Configuring the Authoritative Name Server to Query Envoy You must configure the autho...

Page 247: ...cumentation for the version of DNS that you are using for more information on the zone file content and format TTL 86400 coyotepoint com IN SOA ns1 coyotepoint com hostmaster coyotepoint com 0000000000 00000 0000 000000 00000 coyotepoint com IN NS ns1 coyotepoint com coyotepoint com IN NS ns2 coyotepoint com www coyotepoint com IN NS east coyotepoint com www coyotepoint com IN NS west coyotepoint ...

Page 248: ...n ICMP echo response packet Using Envoy with NAT Devices If an Envoy site is located behind a device such as a firewall that is performing Network Address Translation NAT on incoming IP addresses then you must specify the public non translated IP as the Site IP and use the translated IP the non public IP as the resource cluster IP in the Envoy configuration This is because Envoy must return the pu...

Page 249: ...ummary table with one GeoCluster and two GeoSites configured Figure 58 GeoCluster Summary The table shows the GeoCluster name and the status of the sites in the cluster The icons in the Actions column let you add modify and delete GeoClusters To see an exapandable list of existing GeoClusters click Envoy Status Adding a GeoCluster To add a new GeoCluster follow these steps 1 Log into the Administr...

Page 250: ...to view or change permission on the GeoCluster see Logging In on page 52 2 Do one of the following Click on the GeoCluster name Click Envoy in the left frame and then click the Modify icon in the GeoCluster Summary table row for the GeoCluster you want to modify FQDN name Enter the GeoCluster name which is the fully qualified domain name FQDN of the GeoCluster for example www coyotepoint com The F...

Page 251: ...gs cause site measurements to be averaged over a longer period of time before Equalizer applies them to the cluster wide load balancing slower settings also tend to ignore spikes in cluster measurements caused by intermittent network glitches We recommend that you select the medium setting as a starting point DNS cache ttl The cache time to live which is the length of time in seconds that the clie...

Page 252: ... less weight to the initial weight for the site This is the default setting site load weights the current load at each site more heavily than other criteria site weight weights the user defined initial weight for each site more heavily than other criteria Note For all policies the current site load metric is ignored for the first 10 minutes that the site is up so that the metric value is a meaning...

Page 253: ...s tab in the right frame The following is an example of a GeoSite Summary table with two sites configured The table shows the GeoSite Name the DNS AAA Record IP address and the Agent IP address supplied when the sites were created It also displays the current Status of each Site The icons in the Actions column let you add modify and delete GeoSites Adding a Site to a GeoCluster 1 Log into the Admi...

Page 254: ...the IP address for www coyotepoint com This is usually the address of an Equalizer cluster and in this case is also used as the resource IP However the site s A record IP may be different from the cluster resource IP if the A record IP address is NAT ed to an internal address the actual cluster IP In this case you specify the A record IP as the site IP and the cluster IP as the resource IP Agent I...

Page 255: ...ion tab is displayed The Site Configuration parameters are explained in the table below ip The IP address returned by DNS when the GeoCluster is accessed For example when a client open www coyotepoint com the local DNS server returns an A record that contains the IP address for www coyotepoint com This is usually the address of an Equalizer cluster and in this case is also used as the resource IP ...

Page 256: ...er performance you might need to adjust the initial weights of the sites in the cluster based on their performance Site weights can range from 10 to 200 When you set up sites in a GeoCluster you should set each site s initial weight value in proportion to its capacity for handling requests It is not necessary for all of the initial weights in a cluster to add up to any particular number default si...

Page 257: ...elete Site from the menu You may need to expand the GeoCluster first to see the Sites Click the GeoCluster name in the left frame and open the Sites tab Click the Delete icon on the row for the GeoSite you want to delete 3 When prompted click delete to confirm removing the Site Equalizer deletes the Site and removes it from the object tree Displaying Site Statistics See Displaying Site Statistics ...

Page 258: ...Chapter 9 Administering GeoClusters 254 Equalizer Installation and Administration Guide Envoy Configuration Worksheet ...

Page 259: ...n the server agent cluster flag The default agent port is 1510 Make sure that any agent you deploy is listening and able to respond to TCP connections on the same port number on all the servers in the cluster The time between server agent probes is determined by the agent delay global parameter default is 10 seconds Equalizer will open up a connection to the server agent s IP port and wait for a r...

Page 260: ...r in the cluster down if either of the following are true Equalizer does not get a response from the server agent running on the server before the probe timeout elapses Equalizer receives either a 1 or 2 response from the server agent running on a server Sample Server Agent in Perl You can write custom agents as shell scripts or in Java Perl C or other languages The code below is a simple server a...

Page 261: ...server agent response value print CLIENT response close connection close CLIENT Here is the output of the server program when it is started on the server serveragent pl 50 Server agent started on port 1510 Connection from 10 0 0 32 Another Connection line prints each time the server agent is probed by Equalizer From Equalizer s perspective all that is returned by the server agent is the integer se...

Page 262: ...Appendix A Server Agent Probes 258 Equalizer Installation and Administration Guide ...

Page 263: ...n clusters probe timeouts used by Equalizer to manage the various server health check mechanisms that assess server availability Most parameters are global and apply to all clusters many can be overridden in the cluster settings Connection Timeouts 260 HTTP and HTTPS Connection Timeouts 260 The Once Only Option and HTTP HTTPS Timeouts 263 Layer 4 Connection Timeouts 263 Application Server Timeouts...

Page 264: ...amount of time that the Equalizer tries to establish a connection to the server is the connect timeout Once the server connection is established the connect timeout is no longer used 3 After Equalizer establishes a connection with a server the server timeout is the amount of time Equalizer waits for the next bit of data from the server Any response from the server restarts the server timeout The i...

Page 265: ...outs Equalizer Installation and Administration Guide 261 Figure 59 summarizes the connection timeout parameters Equalizer uses for Layer 7 client and server connections Figure 59 Layer 7 connection timeout parameters ...

Page 266: ...tion server to respond to a client request plus 1 second If there is high latency between Equalizer and the servers in your cluster then you may need to increase the connect timeout The client timeout usually does not need to be changed but in some situations HTTPS clusters will require a client timeout between 15 and 30 seconds for best performance If you do need to increase the client timeout us...

Page 267: ...set at the global and cluster levels while stale timeout can be set at the global level only The parameters affect how Equalizer manages Layer 4 connection records Connection records need to be removed in cases where the connection is not closed by the client or server and is left idle If no data has been received on a connection from either the client or the server after the time period specified...

Page 268: ...ache server timeouts above the client timeout for Layer 7 connections or the idle timeout for Layer 4 connections should be of shorter duration than the timeouts set for Apache Similarly the Layer 7 server timeout and connect timeout on Equalizer should be of shorter duration than the TCP connection timeouts set on the servers Connection Timeout Kernel Variables Equalizer uses a number of kernel v...

Page 269: ...y other probes TCP ACV server agent configured for the cluster This means for example that if TCP and ICMP probes are both configured the default then a server can fail any number of ICMP probes and will still be marked up as long as it continues to respond to TCP probes If a server does not respond to an ICMP echo request and no other probes are configured the server is marked down and Equalizer ...

Page 270: ...t handshake within the probe timeout period Equalizer marks the server failing go to Step 3 2 Equalizer then determines whether or not to send the server an ACV probe If an ACV Response string is not defined for the cluster to which the server belongs Equalizer marks the server up and waits for the probe delay period before it starts the HLP process again at Step 1 Otherwise if an ACV Response str...

Page 271: ...probe delay period before it starts the probing process again at Step 1 If a failing server responds to one of the strikeout probes Equalizer marks the server up and waits for the probe delay period before it starts the probing process again at Step 1 The following figure shows the relationship between the probe timeout and probe delay parameters in a successful probing sequence Figure 62 Successf...

Page 272: ... below These apply to TCP and ACV probes only TCP Probe Aggregation If a server is defined in more than one cluster and ACV probing is not enabled on any of the clusters to which the server belongs then probes for that server are aggregated meaning Equalizer only sends the server one TCP probe during each probe cycle instead of sending one probe for each cluster This reduces redundant probing Once...

Page 273: ... agent value is not returned Equalizer continues load balancing without the server agent return value unless the cluster parameter require agent response is enabled if it is Equalizer must receive an agent response or the server is marked down Note that server agent probing does not use any of the timeout values defined in the previous sections for High Level Probes For example The period of time ...

Page 274: ...Appendix B Timeout Configuration 270 Equalizer Installation and Administration Guide ...

Page 275: ...he conservation of IP addresses is important using reserved IP addresses can minimize the number of real IP addresses needed For example an ISP hosting several hundred unique web sites replicated on three servers might not want to assign real IP addresses for all of them because each virtual cluster would consume four addresses three on the back end servers and one for the virtual cluster In this ...

Page 276: ...e configured on the gateway for the VLAN subnet so that the reserved IP addresses on Equalizer are translated by the gateway To enable Equalizer to perform outbound NAT follow these steps 1 Open the Equalizer Administration Interface and log in under edit mode 2 In the left frame click the Equalizer or system name entry near the top of the object tree In the right frame select the Clusters Network...

Page 277: ...matches one of the branches A branch consists of one or more concatenated pieces A branch matches a match for the first piece followed by a match for the second and so on A piece is an atom optionally followed by a single or or by a bound An atom followed by an asterisk matches a sequence of 0 or more matches of the atom An atom followed by a plus sign matches a sequence of 1 or more matches of th...

Page 278: ... make it a collating element see below With the exception of these and some combinations using see next paragraphs all other special characters including lose their special significance within a bracket expression Within a bracket expression a collating element a character a multi character sequence that collates as if it were a single character or a collating sequence name for either enclosed in ...

Page 279: ...s starting earlier in the real expression taking priority over ones starting later Note that higher level subexpressions thus take priority over their lower level component subexpressions Match lengths are measured in characters not collating elements A null string is considered longer than no match at all For example bb matches the three middle characters of abbbc wee week knights nights matches ...

Page 280: ...Appendix D Regular Expression Format 276 Equalizer Installation and Administration Guide ...

Page 281: ...cates 279 General Certificate Guidelines 279 Software vs Hardware Encryption Decryption 280 Using Certificates in a Failover Configuration 280 Enabling HTTPS with a Server Certificate 280 Enabling HTTPS with Server and Client Certificates 281 Generating a CSR and Getting It Signed by a CA 282 Generating a CSR using OpenSSL 282 Generating a Self Signed Certificate 283 Preparing a Signed CA Certific...

Page 282: ...o certificates a server certificate and a chained root or intermediate certificate for the CA The intermediate certificate associates the server certificate with a Trusted Root certificate About Server Certificates In a typical HTTPS scenario described above the client and server are communicating directly and the server is doing all the work of encrypting and decrypting packets and sending the se...

Page 283: ...hind Equalizer is able to perform Certificate Revocation List CRL processing by matching the CSN certificate serial number to the intermediate CA s CRL and does so for all requests THEN c The Equalizer can safely support the use of individual client certificates for different clients by appropriately setting the verify depth option for the HTTPS cluster and uploading the intermediate CA s certific...

Page 284: ...ificate To get a server certificate do one of the following a Create a Certificate Signing Request CSR and send it to a Certificate Authority for signing This provides the highest level of trust to the client as the client can be assured that the certificate it receives from the server in this case Equalizer was approved i e digitally signed by a trusted third party Thus the client has the assuran...

Page 285: ...e raised if you received more than one chained root certificate in addition to a client certificate from your Certificate Authority Note that this setting has an impact on performance since SSL operations are resource intensive d By default Equalizer requests a client certificate but does not require the client to provide one Enable the require certificate flag to require that a client return a va...

Page 286: ...u use 1024 in this example can be any multiple of 8 If you already have a private key use key filename instead of newkey rsa 1024 to specify the file containing the private key The key length you use i e 1024 in this example can be any multiple of 8 After generating the private key the following prompts are displayed example responses shown Enter PEM pass phrase password Verifying Enter PEM pass p...

Page 287: ... also be asked for a challenge password and other optional information Make sure you remember the password and if prompted the challenge password you specify as you will need it to install the certificate The Common Name provided must be the DNS resolvable fully qualified domain name FQDN used by the Equalizer cluster For a server certificate when the client receives the certificate from the serve...

Page 288: ... installed on your web server or client browser If you get more than one certificate the signed server certificate plus one or more intermediate certificates from your CA then 1 Save each certificate to a separate text file e g servcert pem intmcert pem 2 Open a new text file and read the signed certificate your private key and any intermediate certificates in this order into the file Your private...

Page 289: ... page 52 3 In the left frame click the name of the HTTPS or SSL cluster for which you want to install a certificate and select the Security Certificates tab in the right frame Figure 65 The cluster Certificates tab Note If your Equalizer has Xcel I Hardware SSL Acceleration installed a check box labeled use secure key storage will appear at the top of the select client or cluster certificate field...

Page 290: ...ge 287 Using IIS with Equalizer Using Internet Information Services IIS is optional when creating and managing certificates for Equalizer Layer 7 HTTPS clusters and clients In fact one of the advantages of using Equalizer is that only one server certificate is required for an HTTPS cluster The cluster certificate is installed on Equalizer not on the servers in the HTTPS cluster So you do not need ...

Page 291: ...website to submit your certificate request 7 Once the SSL vendor has mailed the new signed certificate back to you do one of the following a If you are using this certificate with a Layer 4 cluster copy the new certificate onto the system on which you generated the request and double click to install If this is a server certificate for a server in a Layer 4 TCP or UDP cluster make sure you attach ...

Page 292: ...have Xcel enabled or if you have Xcel II private keys are kept in Equalizer s file system Xcel I also provides the option to store provate keys in dedicated write only memory Note that you should not check the sks check box when uploading client certificates which are always stored on Equalizer without a private key Equalizer Xcel SSL Hardware Acceleration provides hardware based SSL encryption an...

Page 293: ...t login 2 Enter the following command SKSManager R u 0 3 After the operation completes which should take about 1 minute re add all certificates for all HTTPS clusters Configuring Cipher Suites The cipher suite HTTPS cluster parameter lists the supported encryption algorithms for incoming HTTPS requests If a client request comes into Equalizer that does not use a cipher in this list the connection ...

Page 294: ...r generation SSL Acceleration Hardware Xcel I Cipher Suites The following cipher suites are supported by the older generation Xcel I SSL Acceleration Hardware OpenSSL Cipher Suite Name TLS SSL Cipher Suite Names AES128 SHA TLS_RSA_WITH_AES_128_CBC_SHA DES CBC3 SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA RC4 SHA TLS_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_SHA RC4 MD5 TLS_RSA_W...

Page 295: ...Configuring Cipher Suites Equalizer Installation and Administration Guide 291 RC4 MD5 TLS_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_MD5 OpenSSL Cipher Suite Name TLS SSL Cipher Suite Names ...

Page 296: ...Appendix E Using Certificates in HTTPS Clusters 292 Equalizer Installation and Administration Guide ...

Page 297: ...alizer VLB Advanced 295 Using VLB Advanced 295 Installation and Licensing 296 Enabling Equalizer VLB 296 Enabling VLB Agents on a Cluster 297 Disabling VLB Agents for a Cluster 298 Disabling Equalizer VLB for all Clusters 298 Associating a Server with a Virtual Machine 299 Smart Control Event Examples Using VLB 299 Configuring Multiple Hot Spares VLB Only 300 Rebooting an Unresponsive Virtual Mach...

Page 298: ...t up to communicate directly with the ESX Server instead of VSphere or vCenter and load balance among the virtual machines defined on that ESX Server only Equalizer uses statistics such as the amount of memory in use by a virtual machine the amount of memory in use by all virtual machines on the physical host and CPU utilization to automatically distribute incoming cluster requests to the virtual ...

Page 299: ...you are not limited to associating servers automatically by IP as in VLB Basic An existing server s Virtual Machine tab displays the current association you can also change the association by selecting a different VM from a list retrieved from VMware With VLB Basic automatic VM association will work only if the VM server is running and has the VMtools software installed With VLB Advanced neither i...

Page 300: ...is it will be available at http VMwareIP sdk Where VMwareIP is the IP address of the VMware system If it is not available follow the instructions in the VMware SDK API documentation to install the VMware SDK on the system running vCenter or on a single ESX Server The SDK must be installed in order for Equalizer to be able to use VMware Infrastructure API calls and obtain virtual machine status For...

Page 301: ...n the previous section you can configure clusters with VLB Agents Doing so enables Equalizer to communicate with the vCenter and get detailed information on all the virtual machines configured in the cluster To enable VLB Agents on a cluster 1 Log into Equalizer using an account that as add del permission on the cluster to be modified 2 Do one of the following a For VLB Basic Click the cluster nam...

Page 302: ...ual machines without the VLB Agent return value Smart Rules defined for the cluster that use VLB specific functions to query VMware will continue to be executed You can still also add servers and associate virtual machines with them as long as the VMware login information on the VLB tab is correct see Enabling Equalizer VLB on page 296 1 Log into Equalizer using an account that as add del permissi...

Page 303: ...achines is displayed Choose the virtual machine you want to associate with the Equalizer server definition and click the Associate button Note that in order for VM selection to work VLB must be enabled as described in the section Enabling Equalizer VLB on page 296 You can add both virtual machines and non virtual machines physical servers to a VLB cluster The non virtual machines will be load bala...

Page 304: ...ers and disable it on the second server otherwise do nothing Event 3 If both the first server and the second server are not running enable the quiesce option on the first and second servers and unquiesce the third server otherwise do nothing To create Event 1 1 Right click on the cluster name in the left frame and select Add Event from the menu 2 Type in an event name such as activate sv00 or acce...

Page 305: ...next to quiesce Select sv00 and click accept 9 In the operators field click 10 In the functions field click quiesce In the expression workbench field at bottom click on the drop down arrow next to quiesce Select sv02 and click accept 11 In the operators field click 12 In the functions field click unquiesce In the expression workbench field at bottom click on the drop down arrow next to unquiesce S...

Page 306: ...ers Click accept The expression workbench should now look like this 16 Click the next icon at top and then commit to create the event The Configuration tabs for the event open in the right frame Note that the above example is very basic and does not handle all possible event combinations In particular No action is taken when one of the hot spares becomes unavailable while the first server is passi...

Page 307: ... expression workbench should now look like this 5 Click the next icon at top to open the Event Action editor 6 In the functions field click power_off In the expression workbench field at bottom click on the drop down arrow next to power_off Select sv00 and click accept The expression workbench should now look like this 7 Click the next icon at top and then commit to create the event The Configurat...

Page 308: ...sion workbench should now look like this 8 Click the next icon at top and then commit to create the event The Configuration tabs for the event open in the right frame VLB Logging Equalizer VLB writes a number of messages to the equalizer log Equalizer Status Event Log These messages are described below timestamps normally displayed at the beginning of each line have been omitted Logged into Virtua...

Page 309: ...ted for any virtual machine in a VLB cluster 1 Click on the server name in the left frame object tree Select the Reporting Plots tab in the right frame 2 In the display multi pick box select Server Agent Select other options as desired click Help Context Help for descriptions of each setting 3 Select plot to display the graph Additional Operational Notes 1 Failover All Equalizer VLB configuration ...

Page 310: ...Appendix F Equalizer VLB 306 Equalizer Installation and Administration Guide ...

Page 311: ...orts All Configuration Errors 312 Updating the Configuration File Sequence Number 312 You usually can diagnose Equalizer installation and configuration problems using standard network troubleshooting techniques This section identifies some common problems the most likely causes and the best solutions For additional Troubleshooting information as well as the most up to date documentation supplement...

Page 312: ... server is not forwarding its reply packets to Equalizer Equalizer is not active Is Equalizer functioning Try to ping the administration address If you do not get a response Equalizer Doesn t Respond to Pings to the Admin Address provides additional troubleshooting information Primary and Backup Equalizer Are in a Conflict Over Primary Certain switches often those from Cisco and Dell have Spanning...

Page 313: ...ck that power switch is on and the front panel LED is lit Connect the keyboard and monitor cycle the power and watch the startup diagnostic messages Equalizer isn t connected to your network Check the network wiring Administration address not configured on the external interface This applies to dual network configurations Use the Equalizer Configuration Utility to set the IP address and netmask fo...

Page 314: ...rs and that the server service or daemon is running Sometimes additional host or network routes will need to be added to the clustered servers in single network The traceroute Unix and tracert Windows commands area useful diagnostic tools Trace from the clustered server back to any client that is not able to resolve the cluster address If Equalizer is not showing up as the first hop routing is the...

Page 315: ...is also prevents you from deleting all logins via the interface However it is possible that all user logins could be deleted by manually editing the configuration file or in the unlikely event the configuration file becomes corrupted If this occurs do the following 1 Log into Equalizer using the serial line or SSH as eqadmin or root 2 Enter eqadmin 3 Select 4 Manage users and press Enter 4 Select ...

Page 316: ...r the HTTPS cluster Updating the Configuration File Sequence Number If you are establishing a failover configuration between two Equalizers you should check the sequence number of the configuration file on both Equalizers by clicking Help About and expanding the Equalizer System Information box The configuration file with the highest sequence number will be transferred to the other system during t...

Page 317: ...quence Number Equalizer Installation and Administration Guide 313 8 Enter the following two commands mv var tmp eq conf var eq eq conf shadow var eq eq conf 9 Restart the load balancing daemon to enable the new configuration file lbd H ...

Page 318: ...Appendix G Troubleshooting 314 Equalizer Installation and Administration Guide ...

Page 319: ...rets and copyrighted material Title to Software and documentation shall remain solely with Coyote Point Systems This License is effective until terminated Customer may terminate this License at any time by destroying all copies of Software including any documentation This License will terminate immediately without notice from Coyote Point Systems if Customer fails to comply with any provision of t...

Page 320: ...nse and Warranty 316 Equalizer Installation and Administration Guide LIMITED WARRANTY The Limited Warranty for your Coyote Point Systems product is available online at http www coyotepoint com pdfs warranty_detail pdf ...

Page 321: ...in den USA 120 V Wechselstrom 15 A an den Phasenleitern allen stromführenden Leitern verwendet wird Power Supply Cord CAUTION THE POWER SUPPLY CORD IS USED AS THE MAIN DISCONNECT DEVICE ENSURE THAT THE SOCKET OUTLET IS LOCATED INSTALLED NEAR THE EQUIPMENT AND IS EASILY ACCESSIBLE ATTENTION LE CORDON D ALIMENTATION EST UTILISÉ COMME INTERRUPTEUR GÉNÉRAL LA PRISE DE COURANT DOIT ÊTRE SITUÉE OU INSTA...

Page 322: ...asier de bas en haut en plaçant l élément le plus lourd dans le bas Si le casier est équipé de dispositifs stabilisateurs installer les stabilisateurs avant de monter ou de réparer l unité en casier Warnung Zur Vermeidung von Körperverletzung beim Anbringen oder Warten dieser Einheit in einem Gestell müssen Sie besondere Vorkehrungen treffen um sicherzustellen daß das System stabil bleibt Die folg...

Page 323: ...ad is emulated on the product The following data is captured during the test at both 110V and 220V Watts total power consumed by product PF VA Power Factor in Volt Amps a ratio of the real power and apparent power consumed by the product V KHz Voltage in kilohertz Amp total current consumed by product 110V Test Results Model 110V 60Hz Watts PF VA Volts Amps E650GX Rush in 112 5 1 000 118 9 0 954 N...

Page 324: ... product certification details Model 220V 50Hz Watts PF VA Volts Amps E650GX Rush in 109 1 0 645 224 0 752 No Load 109 9 0 925 222 0 536 100 CPU 140 5 0 943 222 0 671 E450GX Rush in 109 1 0 645 224 0 752 No Load 109 9 0 925 222 0 536 100 CPU 140 5 0 943 222 0 671 E350GX Rush in 74 6 0 877 445 0 378 No Load 68 5 0 862 225 0 354 100 CPU 96 3 0 923 224 0 466 E250GX Rush in No Load 100 CPU Model Weigh...

Page 325: ...n IP address See IP alias algorithm Instructions procedures or formulas used to solve a problem application layer Layer 7 of the Open Systems Interconnection OSI network model where communication between endpoints is defined by the application atom The smallest part of a regular expression in Equalizer See branch piece and regular expression authoritative name server A name server that maintains t...

Page 326: ...ut the user connection A connection is a Layer 4 transmission path established between two endpoints Clients open connections to Equalizer cluster IPs and Equalizer opens connections to the servers behind it The notion of a connection is supplied by the underlying protocol There are connection oriented protocols like TCP and connectionless protocols such as UDP daemon An application that runs in t...

Page 327: ... cluster A virtual cluster providing service on the FTP control port port 21 See cluster and virtual cluster Fully Qualified Domain Name FQDN The complete registered domain name of an Internet host which is written relative to the root domain and unambiguously specifies a host s location in the DNS hierarchy For example east is a hostname and east coyotepoint com is its fully qualified domain name...

Page 328: ...for load balancing using Equalizer based algorithms that assess the configuration options set for cluster and servers real time server status information and information in the request itself See algorithm and load balancing See also geographic load balancing interface The place at which two or more systems connect and communicate with each other See external interface internal interface and netwo...

Page 329: ...he time over which a signal travels over a network from the starting point to the endpoint See ping See also CMP echo request and echo Layer 4 L4 The transport layer Layer 4 uses its rules and those of the previous three layers to control accuracy of message delivery and service which controls accuracy of message delivery and service See ISO OSI model and Layer 7 Layer 7 L7 The application layer L...

Page 330: ...ters data payload The set of data to be transmitted A payload contains user information user overhead information and other information that a user requests A payload does not include system overhead information Also known as the mission bit stream persistence The act of storing or retaining data for use at a later time especially data that shows the state of the network before processing resumes ...

Page 331: ... contains information that responds to a request See packet and request packet round robin The default load balancing policy which distributes requests equally among all servers in a virtual cluster without regard to initial weights or adaptive load balancing criteria The first request received is routed to the first server in the list the second request to the second server and so on When the las...

Page 332: ... also be maintained on clients and servers Equalizer uses cookies at Layer 7 and a sticky timer at Layer 4 to provide server persistence the cookie lifetime or sticky time to set on Equalizer is determined by the application and should usually match the corresponding cookie or session timeouts set on the real servers in a cluster site An Envoy site is part of an Envoy geocluster It points to an ex...

Page 333: ...a message that synchronizes a sequence of data information and acknowledges the reception of that information syslog A system log file in which information warning and error messages are stored in a file sent to a system or printed TCP Transmission Control Protocol the rules for the conversion of data messages into packets TCP providesSee ISO OSI model Layer 4 packet transport layer TCP IP Transmi...

Page 334: ...twork VLAN virtual server address An IP address that is aliased to a physical server that has its own separate IP address See virtual web server virtual web server Software that imitates HTTP server hardware A virtual web server has its own domain name and IP address See domain name HTTP IP address server and virtual server address See also authoritative name server back end server name server phy...

Page 335: ... IP 42 43 server 327 translation 321 virtual server 330 adjusting server s static weight 147 administration address 321 interface 321 interface changing password 44 agent 321 Equalizer 239 retries 192 server 128 327 site 192 agent delay 86 Agent Misses status 192 Agent Retries status 192 agent site parameter 251 agent weight 117 125 agent to client triangulation probe 192 aggregation 321 sticky ne...

Page 336: ... FTP 323 geographic 25 323 geographic load balancing 246 Layer 4 L4 129 136 150 Layer 7 L7 136 150 NFS server 21 Responders 152 server 328 statistics plotting 193 virtual 330 cluster performance optimizing 147 cluster value Active Connections 194 Hit Rate 194 Server Agent 194 Servers 193 Service Time 194 cluster virtual 182 clusters heterogeneous 148 setting static weight for homogenous 147 settin...

Page 337: ...Direct Server Return 177 loopback interface 179 displaying site information 251 system log 186 virtual cluster summary 187 DNS 21 26 41 49 246 247 272 322 zone file 242 DNS Server field 41 DNS TTL 322 domain 26 322 domain name 26 322 fully qualified 26 domain name server 42 43 domain name service 26 domain name fully qualified 246 down 21 37 DSR 177 dynamic weight 128 147 322 oscillations 128 spre...

Page 338: ...26 246 G gateway 36 42 43 141 323 default route 78 Gateway field 42 43 GeoCluster defined 238 site 238 GeoCluster value Network Latency 197 Site Summary 192 geographic cluster 25 323 load balancing 20 25 26 48 323 probe 239 323 geographic cluster adding 245 adding site to 249 deleting 248 load balancing options 246 removing site from 253 Geographic Cluster Name field 246 geographic load balancing ...

Page 339: ...ncy 25 325 layer Secure Sockets 327 Layer 4 L4 150 325 cluster 129 136 150 Layer 4 load balancing 88 Layer 7 L7 20 24 150 325 cluster 136 150 load balancing 208 rules 208 Layers 1 2 3 5 and 6 325 license 82 315 licensing 82 load 325 computed 322 load balancing 209 325 adaptive 127 128 248 aggressive 128 geographic 20 25 26 48 323 geographic cluster 246 intelligent 324 Layer 4 88 Layer 7 L7 208 met...

Page 340: ...on See NAT Network Configuration window 42 network environment using Equalizer in single 30 31 network firewall 244 Network Latency GeoCluster value 197 network ports 71 Network Time Protocol See NTP networks Class A 88 Class B 88 Class C 88 NFS server cluster 21 none 212 NOT operator 211 NTP configuration 103 O once only 131 operation modes 184 Optimization Threshold 128 optimization threshold 12...

Page 341: ...FTP services on virtual cluster 138 proxy server 327 Q quiesce 327 quiescing servers 150 R RADIUS 21 327 receive buffer 87 118 redirect responder 152 redirection 327 redirection port 142 redirects drop 89 register see license 82 regular expression 212 regular expression RE 327 regular expressions Responders 154 relative value server static weight 147 relative workload 197 Remote Authentication Dia...

Page 342: ...r agents 21 server status messages 186 server timeout 87 119 server value Active Connections 194 Computed Load 195 Dynamic Weight 195 servers backup 145 deleting 150 Layer 4 L4 150 Layer 7 L7 150 managing 140 quiescing 150 Servers cluster value 193 Service Time cluster value 194 Service Time server value server value Service Time 195 session 328 telnet 78 session cache kbytes 120 session cache tim...

Page 343: ...nt Misses 192 Agent Retries 192 Resource Load 192 Returned as Default 192 Site Returned 192 sticky connection 328 connections 23 88 network aggregation 88 time period 139 timer 329 sticky connections enabling 129 sticky netmask 88 sticky time period 129 strikeout threshold 85 stuffing cookie 130 subdomain 329 subnet 329 summary virtual cluster 187 support information 108 switch 329 switch manageme...

Page 344: ...l history 196 virtual cluster 330 server address 330 web server 330 virtual cluster 20 182 adding 113 adding match rule to 216 adding server to 142 deleting 126 FTP services providing 138 geographic 25 virtual cluster summary 187 virtualization 293 VLAN 71 VLB 293 and Smart Events 161 VMware integration 293 VT100 emulation 42 W WAP gateway 21 WAP See Wireless Application Protocol warranty 40 web b...

Reviews:

No comments

Related manuals for E350GX

Harman Kardon AVR 135 Service Manual preview
AVR 135
Brand: Harman Kardon Pages: 115
Harman Kardon AVR 7000 Test Report preview
AVR 7000
Brand: Harman Kardon Pages: 3
Grundig CCF 23 Service Manual preview
CCF 23
Brand: Grundig Pages: 28
Daewoo RG-361 Service Manual preview
RG-361
Brand: Daewoo Pages: 31
Kenwood CR-ST700SCD Operating Manual preview
CR-ST700SCD
Brand: Kenwood Pages: 160
Advanced Native Technologies iROLLER 10 User Manual preview
iROLLER 10
Brand: Advanced Native Technologies Pages: 29
Philips FW 780P Instructions For Use Manual preview
FW 780P
Brand: Philips Pages: 28
Philips FW-C777/21 Product Information preview
FW-C777/21
Brand: Philips Pages: 2
Philips FW-C72 Specifications preview
FW-C72
Brand: Philips Pages: 2
Philips FW-C70 Specifications preview
FW-C70
Brand: Philips Pages: 2
Philips FW-C579 Specifications preview
FW-C579
Brand: Philips Pages: 2
Philips FW-C577 Specifications preview
FW-C577
Brand: Philips Pages: 2
Philips FW-C50 Specifications preview
FW-C50
Brand: Philips Pages: 2
Philips FW-C80 User Manual preview
FW-C80
Brand: Philips Pages: 30
Philips FW-C798/21 User Manual preview
FW-C798/21
Brand: Philips Pages: 32
Philips FW-C39 Product Information preview
FW-C39
Brand: Philips Pages: 2
Philips FW-C777 User Manual preview
FW-C777
Brand: Philips Pages: 27
Philips FW-C35 Specifications preview
FW-C35
Brand: Philips Pages: 2

Brands by name

Popular brands

Load more brands