This post is intended to be a general guide for configuring “stickied” load balanced HTTP servers. Whether it’s F5 load balancers, foundry load balancers or open source based load balancers (keepalived/lvs), the concepts are the same and can be migrated across said platforms.
If you have a paid of foundry’s and are looking to configure stickied load balanced HTTP servers, hopefully this guide will provide some assistance.
Logging into the load balancer
Telnet to the box and ‘enable’ to allow admin access. The first thing you want to do is show the current configuration to view the existing setup for other working boxes :
> telnet 192.x.x.x Trying 192.x.x.x... Connected to 10.x.x.x. Escape character is '^]'. User Access Verification Please Enter Login Name: admin Please Enter Password: User login successful. SLB-telnet@XXXX>enable Enable Password: Error - Incorrect username or password. SLB-telnet@XXXX>enable Enable Password: SLB-telnet@XXXX#
Real servers : defining the multiple load balanced boxes
Show the existing configuration on the foundary :
Take a look at the configuration of two “real” servers, which are the two servers that are behind the load balancer that will have balanced sticky connections :
server real serverposapp01-tomcat01 192.168.1.141 port default disable port 8001 ! ! server real serverposapp03-tomcat01 192.168.1.143 port default disable port 8001
The above example is balancing TCP 8001 traffic, which is for TOMCAT. Here are entries for two servers doing simple HTTP traffic :
server real serverapp01-vhost01 192.168.1.195 port default disable port http port http keepalive port http url "HEAD /" ! server real serverapp02-vhost01 192.168.1.196 port default disable port http port http keepalive port http url "HEAD /"
This example is similar to the tomcat example, except you have several options. “port default disable” disables all other ports. “port http keepalive” and “port http url “HEAD /”” define the http checks that take place to ensure apache is running on that box. If not , it will fail over to the second box and stop sending traffic to it.
SSL incoming connections are handled by the load balancer initially, then passed off to the actual server as regular http / port 80 traffic. The internal box configuration would be similar to the above configuration examples :
server virtual portal 192.168.1.104 port default disable port ssl sticky port ssl ssl-terminate portal bind ssl serverapp01-portal01 http Notice how instead of "port http sticky" , its "port ssl sticky". First of all, the sticky option is only set on the "virtual" configuration directives. Secondly, the SSL traffic is bound to the real servers via http in the last line of this example. Its pretty self explanatory.  Regular HTTP Sticky Connections If no SSL Is being used on the site at all, then all you need is to set an HTTP virtual configuration :server virtual serverapp-vhost01 192.168.1.106 port default disable port http sticky bind http serverapp02-vhost01 http
Configuring the external IP to NAT to the internal virtual
Typically, you will have a firewall in front of the load balancer that actaully holds the external ip addresses. The traffic is filtered initially by the firewall, then NAT'd to the virtual ip (VIP) of the load balancer, which then handles balancing the traffic.
You will need to either establish a new external ip , or use an existing one (for instance, if you are moving from 1 web server to 2 web servers , and want to balance the traffic using the load balancer). You need to setup the external IP address, and NAT it to the internal VIP.
Verifying the configuration works
Once everything is setup properly, and the external IP is being NAT'd to the load balancer, it is time to ensure the load balancer is seeing the connections. You could do this before doing the switchover on the firewall as well, just to ensure everything looks right before actually doing the switchover.
To see the active connections being load balanced, issue the following command (replacing the servername for whichever one you want to check) :
sh server real serverapp02-vhost01
That should display information similar to this :
Real Servers Info ======================== State(St) - ACT:active, ENB:enabled, FAL:failed, TST:test, DIS:disabled, UNK:unknown, UNB:unbind, AWU:await-unbind, AWD:await-delete Name: serverapp02-vhost01 State: Active Cost: 0 IP:192.168.1.196: 1 Mac: 0012.7990.d06a Weight: 0 MaxConn: 2000000 SrcNAT: not-cfg, not-op DstNAT: not-cfg, not-op Serv-Rsts: 0 tcp conn rate:udp conn rate = 1:0, max tcp conn rate:max udp conn rate = 8:0 BP max local conn configured No: 0 0 0 0 0 0 BP max conn percentage configured No: 0 0 0 0 0 0 Use local conn : No Port St Ms ServerConn TotConn Rx-pkts Tx-pkts Rx-octet Tx-octet Reas ---- -- -- ------- ------- ------- ------- -------- -------- ---- default DIS 0 0 0 0 0 0 0 0 http ACT 0 104 13094 181671 150813 162364862 20325115 0 Server Total 104 13094 181671 150813 162364862 20325115 0
The above is displaying the specific connection details for a single real server. To check the VIP / Virtual server :
sh server virtual tomcat
Which will display the following :
Virtual Servers Info Name: tomcat State: Enabled IP:192.168.1.101: 1 Pred: least-conn ACL-Id: 0 TotalConn: 149959 Port State Sticky Concur Proxy DSR ServerConn TotConn PeakConn ---- ----- ------ ------ ----- --- ------- ------- -------- default disabled NO NO NO NO 0 0 0 ssl enabled YES NO NO NO 46 149959 443
You can see that "ServerConn" is displaying 46 connections. Thats it!