topic Re: ACE dropped conns problem (Bridged mode) in Application Networking

ACE dropped conns problem (Bridged mode)

Adelaziz Ben Aziza — Sun, 15 May 2011 22:06:27 GMT

Dear all,

I configured an ACE in bridged mode (inside vlan: 2012, outside vlan: 2021) and I apply the L4 policy on the 2 VLAN interface to loadbalance HTTP incoming request (Virtual IP: 172.22.22.130).

interface vlan 2112
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface vlan 2122
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown

But I need also that some other server connected to the same vlan 2112 and having to send HTTP request on the same VIP but this failed and I get dropped conns.

Can anyone helps?

Regards

Abdelaziz

Re: ACE dropped conns problem (Bridged mode)

ohynderi — Mon, 16 May 2011 07:24:51 GMT

Hello Abdelaziz,

I am not sure to understand your issue. Are all connections to vip (172.22.22.130) failing or only connections initiated from server in vlan 2122 to vip failing? Do you see some hits in show service-policy when connection are failing?

Thanks,

Olivier

Re: ACE dropped conns problem (Bridged mode)

Adelaziz Ben Aziza — Mon, 16 May 2011 08:16:27 GMT

Hi Olivier,

Only connections initiated from server in vlan 2122 to vip (172.22.22.130) failing. No problem with connection from Outside. Moreover, I see hits in show service-policy when connection are failing.

Thanx,

Abdelaziz

Re: ACE dropped conns problem (Bridged mode)

Marko Leopold — Mon, 16 May 2011 09:20:53 GMT

My guess is, that you have a direct-server-return in your VLAN 2122.

Re: ACE dropped conns problem (Bridged mode)

ohynderi — Mon, 16 May 2011 09:56:15 GMT

Very likely you have asymetric routing (ie traffic from server to client bypassing the ACE). If this is indeed the case, you should see the client pkt counter increasing but not the server pkt counter in show service-policy. To workaround this you should source nat traffic from server in that vlan to vip.

Thanks,

Olivier

Re: ACE dropped conns problem (Bridged mode)

Adelaziz Ben Aziza — Mon, 16 May 2011 12:44:18 GMT

Hi Olivier,

This below the full config, and my need is to make a server in the inside VLAN 2112 (172.22.22.121) to open HTTPS connexion on the VIP (172.22.22.130 for rserver .131 & .132). Trafic from the outside is working well.

Thanx,

Abdealziz

--------------------------

Generating configuration....

access-list BPDU-Allow ethertype permit bpdu

probe tcp HTTPS
port 443
interval 15
passdetect interval 15
passdetect count 1
probe icmp PING
interval 5

rserver host CASHUB131
ip address 172.22.22.131
inservice

rserver host CASHUB132
ip address 172.22.22.132
inservice

serverfarm host SFARM-EXCAS130
probe HTTPS
rserver CASHUB131
inservice
rserver CASHUB132
inservice

parameter-map type connection TCP_IDLE_30min
set timeout inactivity 1800

class-map match-all CLASS-L4-VIP-EXCAS130
2 match virtual-address 172.22.22.130 any

class-map type management match-any REMOTE-ACCESS
description management ACE
10 match protocol telnet any
20 match protocol ssh any
30 match protocol icmp any
31 match protocol https any
32 match protocol snmp any

policy-map type management first-match REMOTE-MGT
class REMOTE-ACCESS
permit

policy-map type loadbalance first-match POLICY-L7-VIP-EXCAS130
class class-default
serverfarm SFARM-EXCAS130

policy-map multi-match POLICY-LB-HMC-2112
class CLASS-L4-VIP-EXCAS130
    loadbalance vip inservice
    loadbalance policy POLICY-L7-VIP-EXCAS130
    loadbalance vip icmp-reply
    connection advanced-options TCP_IDLE_30min

interface bvi 1
ip address 172.22.22.250 255.255.255.0
peer ip address 172.22.22.251 255.255.255.0
no shutdown

ip route 0.0.0.0 0.0.0.0 172.22.22.254

Re: ACE dropped conns problem (Bridged mode)

ohynderi — Tue, 17 May 2011 06:50:20 GMT

Abdealziz,

Did you check this?

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6ef5.shtml

Olivier

Re: ACE dropped conns problem (Bridged mode)

Adelaziz Ben Aziza — Tue, 17 May 2011 22:42:38 GMT

Hi Olivier,

I checked this document and it's talking about routed mode where the problem can be easily solved with SNAT. In my cas, i need to iniate traffic from machine 172.22.12.141 to the VIP following this diagram:

I can ping the VIP from .141 but i can't initiate HTTP session. Moreover, I think it's impossible for me to use SNAT with Bridged Mode and I can't change to routed mode. So is there any solution for this issue?

Regards,

Abdelaziz

Re: ACE dropped conns problem (Bridged mode)

ohynderi — Wed, 18 May 2011 13:20:00 GMT

Abdelaziz,

I understand that the example i gave to you is in routed mode, but, if not mistaken, you should still be able to configure the nat pool (and so the source nat) under vlan 2012.

Thanks

Olivier

Re: ACE dropped conns problem (Bridged mode)

Adelaziz Ben Aziza — Wed, 18 May 2011 23:20:05 GMT

Olivier,

I configure the nat pool and apply the SNAT policy under vlan 2012 and it's working. This is the config to be added to the standard configuration in bridged mode:

-------------------------

class-map match-any SNAT
2 match source-address 172.22.12.0 255.255.255.0

policy-map multi-match POLICY-NAT
class SNAT
nat dynamic 1 vlan 2012

interface vlan 2012
nat-pool 1 172.22.12.200 172.22.12.200 netmask 255.255.255.255 pat
service-policy input POLICY-NAT

----------------------------

It's working.

Thanks,

Abdelaziz