Level 10
Message 11 of 15

How to load balance in .PAC file

Not all equipment supports all modes, but here goes.

Every time a new request comes through, the router looks up in its hash table to determine which cache to send the traffic to. At the moment for you, that cache determination is done via both Source IP and Destination IP which is almost the worst of all worlds as you can't guarantee which cache a specific user will use and can't guarantee which cache all users will use for a specific destination.

User A + Site A may go to cache 1

User A + Site B may go to cache 2

User B + Site A may go to cache 2

User B + Site B may go to cache 1 

Not ideal. It's not quite the worst option as at least you can keep track of the User/Destination pairs if you wanted to, but still a pain.

If you weren't authenticating and you were attempting to save bandwidth (not generally a concern in this day and age) you would probably want to hash just based on destination IP. That way regardless of the user, they would use the same cache which may have already cached that content. This used to be useful but is of limited use with web 2.0 stuff/dynamic sites and certainly looks odd if you are doing auth or troubleshooting.

Source IP + Source port is what you want to use if everyone is coming from the same IP address as each new connection would use some arbitrary high port. In this case it will be completely random as to which cache a user will end up using from request to request.

Source IP will just split the requests coming in across the caches based on the client's IP. That way assuming they don't change addresses and the cache pool is static, they use the same proxy.

It's a good thing for authentication, it's a good thing for troubleshooting and you should consider it.

On a side note, you should be able to switch it with almost no interruption of service basically by changing the options for WCCP on the MWGs. However, if you can, I would probably disable WCCP on all MWGs, change the settings and then rejoin with the router(s).
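
Added example, not part of the original post: a small simulation of how the choice of hash input decides which cache a request lands on. The XOR fold is a stand-in for the router's real hash, and the addresses, ports and cache names are constructed sample values.

```javascript
// Added illustration, not code from the thread. The XOR fold below is a
// stand-in for the router's hash; all addresses and ports are constructed.
const CACHES = ["cache1", "cache2"];

const ipBytes = (ip) => ip.split(".").map(Number);
const portBytes = (port) => [port >> 8, port & 0xff];

// Concatenate the bytes of the packet fields chosen as hash input.
function keyBytes(flow, fields) {
  return fields.flatMap((f) =>
    f.endsWith("Ip") ? ipBytes(flow[f]) : portBytes(flow[f]));
}

// Fold the key to a single byte, then map that value onto a cache.
function pickCache(flow, fields) {
  const folded = keyBytes(flow, fields).reduce((a, b) => a ^ b, 0);
  return CACHES[folded % CACHES.length];
}

// For each value of `groupBy` (a client or a site), list the caches it hits.
function cachesPer(groupBy, flows, fields) {
  const seen = {};
  for (const flow of flows) {
    const key = flow[groupBy];
    (seen[key] = seen[key] || new Set()).add(pickCache(flow, fields));
  }
  return Object.fromEntries(
    Object.entries(seen).map(([k, v]) => [k, [...v].sort()]));
}

// Constructed sample: two users, two sites, a new source port per connection.
const flows = [
  { srcIp: "10.1.1.20", srcPort: 49152, dstIp: "203.0.113.10" },
  { srcIp: "10.1.1.20", srcPort: 49153, dstIp: "203.0.113.11" },
  { srcIp: "10.1.1.21", srcPort: 49152, dstIp: "203.0.113.10" },
  { srcIp: "10.1.1.21", srcPort: 49153, dstIp: "203.0.113.11" },
];

console.log("src+dst  per user:", cachesPer("srcIp", flows, ["srcIp", "dstIp"]));
console.log("dst only per site:", cachesPer("dstIp", flows, ["dstIp"]));
console.log("src only per user:", cachesPer("srcIp", flows, ["srcIp"]));
console.log("src+port per user:", cachesPer("srcIp", flows, ["srcIp", "srcPort"]));
```

Only the source-IP-only input gives each user a single cache, which is what keeps authentication state and per-user logs on one proxy.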

Level 12
Message 12 of 15

Very good explanation.  We are using Hash...but I believe we have to use Mask in order for the Source IP to actually matter.

Right now it is set to hash and I believe the WCCP ASA comes up with the hash and it doesn't matter what IP or Destination IP is. 

From the MWG Product Guide:

Input for load distribution (The main item does not appear in the list, but is visible in the Add and Edit windows. The four elements shown below are related to it, specifying what is used in a data packet as the criteria for load distribution.)

When running multiple appliances, load distribution can be configured for the proxies on them. Data packets can be distributed to these proxies based on the masking of source or destination IP addresses and port numbers or on a hash algorithm.

• Source IP — When selected, load distribution relies on the masking of source IP addresses.

• Destination IP — When selected, load distribution relies on the masking of destination IP addresses.

• Source port — When selected, load distribution relies on the masking of source port numbers.

• Destination port — When selected, load distribution relies on the masking of the destination port numbers.

Assignment method (The main item does not appear in the list, but is visible in the Add and Edit windows. The two elements shown below are related to it, specifying the method used for load distribution.)

• Assignment by mask — When selected, masking of the parameter specified above is used for load distribution.

• Assignment by hash — When selected, a hash algorithm is used for load distribution.

Level 12
Message 13 of 15

Mask does not work with my Cisco ASA.  I put it back to Hash and selected only Source IP and it works like it should.  I was only hitting one proxy instead of both back and forth like it was.   This is definitely better for authentication and log purposes. 

Thanks for the help.

Level 10
Message 14 of 15

Great!

That documentation is a little misleading. Hash and mask are just slightly different mechanisms for coming up with the load distribution. Both support source IP only (and the other options for that matter). Basically the ASA/Router takes whatever pairs you give it (source|destination IP|Port, or all iterations) and either hashes that value to determine which cache gets the traffic, or looks at a mask table of all the possibilities. You were using the default (maybe it shouldn't be) source IP + destination IP.

I believe hash is supposed to be a little smarter (which is why all modern Cisco equipment only supports it) especially when the pairs are all right next to each other.

--CN

Level 12
Message 15 of 15

After some modifications, I have come up with this as being the best way to load balance with a .pac file. Notice I have replaced "if (myseg==Math.floor(myseg/2)*2)" which takes more time to process and used the MOD.

function FindProxyForURL(url, host) {
   // Find the 4th octet of the client's IP address
   var myIp = myIpAddress();
   var ipBits = myIp.split(".");
   var mySeg = parseInt(ipBits[3], 10);

   if ((mySeg % 2) == 0) {  // 4th octet is EVEN: try proxy1 first
      return "PROXY ed-proxy1:8080; PROXY ed-proxy2:8080; DIRECT";
   } else {                 // 4th octet is ODD: try proxy2 first
      return "PROXY ed-proxy2:8080; PROXY ed-proxy1:8080; DIRECT";
   }
}
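
Added example, not part of the thread: the same last-octet split generalized to any number of proxies, with the address validated first and the DIRECT fallback made an explicit choice. The proxy names are the ones from the post; `lastOctet`, `proxyChainFor` and `allowDirect` are hypothetical names.

```javascript
// Added example, not the poster's code. Helper names are hypothetical.
var PROXIES = ["ed-proxy1:8080", "ed-proxy2:8080"];

// Return the last octet of a dotted-quad IPv4 address, or -1 if the input is
// not one (myIpAddress() can yield an IPv6 literal or an empty value, and
// parseInt() on that gives NaN, which silently falls into the "odd" branch).
function lastOctet(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip));
  if (!m) return -1;
  var n = parseInt(m[4], 10);
  return n <= 255 ? n : -1;
}

// Build the failover list: start at (octet mod N) and wrap around, so each
// client has a stable first choice and every proxy is still tried.
// allowDirect=true appends DIRECT, which lets clients bypass the gateway
// (and its filtering and authentication) when no proxy answers.
function proxyChainFor(ip, proxies, allowDirect) {
  var octet = lastOctet(ip);
  var start = octet < 0 ? 0 : octet % proxies.length; // unparseable: fixed order
  var chain = [];
  for (var i = 0; i < proxies.length; i++) {
    chain.push("PROXY " + proxies[(start + i) % proxies.length]);
  }
  if (allowDirect) chain.push("DIRECT");
  return chain.join("; ");
}

// PAC entry point; myIpAddress() is supplied by the browser's PAC runtime.
function FindProxyForURL(url, host) {
  return proxyChainFor(myIpAddress(), PROXIES, true);
}
```

Because `proxyChainFor` takes the address as an argument, the distribution can be checked outside a browser before the file is published.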
