ACE 4710 Configuration problem

peersels187
Level 1

Hello all,

I am configuring a load balancer from Cisco, an ACE 4710.

Load balancing is completely new to me, and I am inexperienced in this field. It has to be configured for a customer that wants to load balance HTTP and RTSP traffic over 4 application servers (back-end).

I searched a lot on Google for possible solutions, and got RTSP in some way to work, but HTTP won't work, says my customer.

Is there someone that can help me with this issue, because I am running really low on options here. Underneath is the config that I have so far.

If you need a topology of the layout, please let me know and I will try to upload one.

Generating configuration....

logging enable
logging buffered 5
logging host 172.18.251.182 udp/514
logging host 172.18.146.241 udp/514
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
login timeout 30
peer hostname ACE4710-Zabrze-2
hostname ACE4710-Zabrze-1
interface gigabitEthernet 1/1
  switchport access vlan 2000
  no shutdown
interface gigabitEthernet 1/2
  switchport trunk allowed vlan 14,21
  no shutdown
interface gigabitEthernet 1/3
  no shutdown
interface gigabitEthernet 1/4
  ft-port vlan 22
  no shutdown
clock timezone mst 1 0
radius-server host 172.18.252.2 key 7 "01000F175004" authentication
radius-server host 172.18.250.2 key 7 "01000F175004" authentication
aaa group server radius prv_rad
  server 172.18.252.2
  server 172.18.250.2
switch-mode
ntp server 172.18.250.160
ntp server 172.18.251.160
aaa authentication login default group prv_rad local
access-list ALL remark Access for all, permit all
access-list ALL line 8 extended permit ip any any
access-list ALL line 10 extended permit icmp any any
access-list PRV remark Access for Management
access-list PRV line 10 extended permit ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list STB remark Access For STB's to Serverfarm
access-list STB line 7 extended permit ip 10.0.0.0 0.255.255.255 172.25.248.0 0.0.0.255
access-list STB line 15 extended deny ip any any
probe tcp Traxis_HTTP
  port 80
probe rtsp Traxis_RTSP
  port 554
rserver host Traxis_FE1
  description FE1
  ip address 172.25.248.2
  conn-limit max 4000000 min 4000000
  probe Traxis_RTSP
  probe Traxis_HTTP
  fail-on-all
  inservice
rserver host Traxis_FE2
  description FE2
  ip address 172.25.248.3
  conn-limit max 4000000 min 4000000
  inservice
rserver host Traxis_FE3
  description FE3
  ip address 172.25.248.4
  conn-limit max 4000000 min 4000000
  inservice
rserver host Traxis_FE4
  description FE4
  ip address 172.25.248.5
  conn-limit max 4000000 min 4000000
  inservice
serverfarm host Traxis
  probe Traxis_HTTP
  rserver Traxis_FE1
    inservice
  rserver Traxis_FE2
    inservice
  rserver Traxis_FE3
    inservice
  rserver Traxis_FE4
    inservice
sticky ip-netmask 255.255.255.255 address source Sticky_Traxis
  replicate sticky
  serverfarm Traxis
class-map match-all L4STICKY-IP_6:ANY_CLASS
  5 match virtual-address 172.25.255.6 tcp range 80 555
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
  class class-default
    sticky-serverfarm Sticky_Traxis
policy-map multi-match CLIENT_VIPS_PROD
  class L4STICKY-IP_6:ANY_CLASS
    loadbalance vip inservice
    loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
    loadbalance vip icmp-reply active
interface vlan 14
  description Server_side
  ip address 172.25.248.250 255.255.255.0
  alias 172.25.248.1 255.255.255.0
  peer ip address 172.25.248.251 255.255.255.0
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 21
  description Firewall_Side
  ip address 172.25.255.2 255.255.255.248
  alias 172.25.255.4 255.255.255.248
  peer ip address 172.25.255.3 255.255.255.248
  access-group input ALL
  service-policy input CLIENT_VIPS_PROD
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 2000
  description management VLAN and Query interface VLAN
  ip address 172.18.146.150 255.255.255.0
  peer ip address 172.18.146.151 255.255.255.0
  access-group input PRV
  service-policy input remote_mgmt_allow_policy
  no shutdown
ft interface vlan 22
  ip address 192.168.255.1 255.255.255.252
  peer ip address 192.168.255.2 255.255.255.252
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 20
  ft-interface vlan 22
  query-interface vlan 2000
ft group 1
  peer 1
  priority 200
  peer priority 150
  associate-context Admin
  inservice
ip route 172.18.0.0 255.255.0.0 172.18.146.1
ip route 0.0.0.0 0.0.0.0 172.25.255.1
snmp-server location "lb_env_traffic"
snmp-server community vnet_device_7Gxp2BdhXJ9Ke group Network-Monitor
snmp-server host 172.18.250.185 traps version 1 vnet_device_7Gxp2BdhXJ9Ke
snmp-server trap-source vlan 2000
snmp-server trap link ietf

I really hope someone in here can help me out!!!

Best Regards

Peter

1 Accepted Solution: the final reply below from Francesco Casotto.

3 Replies

Francesco Casotto
Cisco Employee

Hello Peter,

You will have to give us more details, and I need to say up front that if much troubleshooting will be needed, we will ask you to open a TAC SR.

How exactly is it not working? Does the browser connect? Does it get an HTTP error?

I see that you are using the same VIP with multiple ports, so I guess that it's covering both the RTSP and HTTP LB. As you are using exactly the same setup for both services, from an LB perspective they should either both work or both fail, unless there is a difference on the servers: is the web server up and running, and is it listening on the same port that the client is connecting to on the VIP (so most likely 80)?

Two general considerations:

  • Is it really needed to deal with these two services together with the same VIP and same serverfarm? It is if you wish the same client to be stuck to the same server for both RTSP and HTTP connections. If that is not needed, personally I would separate them for clarity's sake, so that I would have separate VIPs (same VIP, different port) and separate serverfarms with different, appropriate probing for the different services.
  • It's generally a good idea to perform the LB configuration in a context other than the Admin one.

Cheers,

Francesco
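Francesco's first question is whether each real server is actually up and listening on the port the client reaches through the VIP. The script below is an added example (not code from the thread, not a Cisco tool) that performs the same TCP handshake check an ACE `probe tcp` does, directly against every rserver and probe port from the posted configuration, so the backends can be verified independently of the VIP, the sticky table and the predictor. The function names `port_open`, `check_backends`, `start_local_listener` and `reserve_closed_port` are this example's own; the loopback listener is a constructed stand-in for a backend so the script can be exercised away from the customer's network.

```python
import socket
import threading

# rservers and probe ports as posted in the thread's ACE configuration.
RSERVERS = {
    "Traxis_FE1": "172.25.248.2",
    "Traxis_FE2": "172.25.248.3",
    "Traxis_FE3": "172.25.248.4",
    "Traxis_FE4": "172.25.248.5",
}
PROBE_PORTS = {"Traxis_HTTP": 80, "Traxis_RTSP": 554}


def port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout.

    This is the same test an ACE 'probe tcp' performs. Run from a host on
    the server VLAN, it answers the question independently of the VIP,
    the sticky table and the predictor: does this rserver listen at all?
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, unreachable or timed out
            return False


def check_backends(rservers=RSERVERS, probe_ports=PROBE_PORTS, timeout=2.0):
    """Map every (rserver, probe) pair to True/False, like 'show probe'."""
    return {
        (name, probe): port_open(ip, port, timeout)
        for name, ip in rservers.items()
        for probe, port in probe_ports.items()
    }


def start_local_listener():
    """Constructed stand-in for a healthy backend: a loopback TCP listener.

    Returns the port it listens on, so the checker can be exercised
    without reaching the customer's 172.25.248.0/24 network.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def reserve_closed_port():
    """Constructed stand-in for a dead backend: a loopback port nobody listens on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Stand-alone run: report every rserver/probe pair as UP or DOWN.
    for (name, probe), ok in sorted(check_backends().items()):
        print(f"{name:<11} {probe:<12} {'UP' if ok else 'DOWN'}")
```

Run it from a host on VLAN 14 (the server side) so that the result reflects the servers rather than the firewall path; a DOWN on `Traxis_RTSP` for a server that shows UP on `Traxis_HTTP` is exactly the "difference on the servers" Francesco refers to.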

peersels187

Hi,

Thanks for replying Francesco.

Above you can see the layout of their setup.

At the moment HTTP traffic is working, but RTSP doesn't work.

To follow you on your remarks a bit.

The reason for one VIP, I guess, is that HTTP and RTSP should be hitting the same rserver. For that reason I created a stickiness, and the predictor (under serverfarm) was first at the default one, Round Robin; now I changed this to "HASH ADDRESS SOURCE".

The reason for this is, as the customer explains it:

When a user gets the catalog on the STB and selects a VOD movie to watch, he does a purchase.

When the purchase is completed he tries to start watching the movie.

Say the purchase and the watch both end up on a different server. Then the server who receives the watch command doesn't know the user purchased the VOD movie and returns an unauthorized message. Which results in the user not being able to watch his just bought movie.

So both HTTP and RTSP requests should be received at the same rserver.

About the Admin context, I thought about this, but the customer doesn't want it in another.

Below you find the new updated config:

ACE4710-Zabrze-1/Admin# sh run

Generating configuration....

logging enable
logging buffered 5
logging host 172.18.251.182 udp/514
logging host 172.18.146.241 udp/514
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
login timeout 30
peer hostname ACE4710-Zabrze-2
hostname ACE4710-Zabrze-1
interface gigabitEthernet 1/1
  switchport access vlan 2000
  no shutdown
interface gigabitEthernet 1/2
  switchport trunk allowed vlan 14,21
  no shutdown
interface gigabitEthernet 1/3
  no shutdown
interface gigabitEthernet 1/4
  ft-port vlan 22
  no shutdown
clock timezone mst 1 0
radius-server host 172.18.252.2 key 7 "01000F175004" authentication
radius-server host 172.18.250.2 key 7 "01000F175004" authentication
aaa group server radius prv_rad
  server 172.18.252.2
  server 172.18.250.2
switch-mode
ntp server 172.18.250.160
ntp server 172.18.251.160
aaa authentication login default group prv_rad local
access-list ALL remark Access for all, permit all
access-list ALL line 8 extended permit ip any any
access-list ALL line 10 extended permit icmp any any
access-list ALL line 15 extended permit tcp any any
access-list PRV remark Access for Management
access-list PRV line 10 extended permit ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list STB remark Access For STB's to Serverfarm
access-list STB line 7 extended permit ip 172.25.248.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list STB line 15 extended deny ip any any
probe tcp Traxis_HTTP
  port 80
probe tcp Traxis_RTSP
  port 554
rserver host Traxis_FE1
  description FE1
  ip address 172.25.248.2
  conn-limit max 4000000 min 4000000
  probe Traxis_HTTP
  probe Traxis_RTSP
  inservice
rserver host Traxis_FE2
  description FE2
  ip address 172.25.248.3
  conn-limit max 4000000 min 4000000
  probe Traxis_HTTP
  probe Traxis_RTSP
  inservice
rserver host Traxis_FE3
  description FE3
  ip address 172.25.248.4
  conn-limit max 4000000 min 4000000
  probe Traxis_HTTP
  probe Traxis_RTSP
  inservice
rserver host Traxis_FE4
  description FE4
  ip address 172.25.248.5
  conn-limit max 4000000 min 4000000
  probe Traxis_HTTP
  probe Traxis_RTSP
  inservice
serverfarm host Traxis
  predictor hash address source
  rserver Traxis_FE1
    inservice
  rserver Traxis_FE2
    inservice
  rserver Traxis_FE3
    inservice
  rserver Traxis_FE4
    inservice
sticky ip-netmask 255.255.255.0 address source Sticky_Traxis
  replicate sticky
  serverfarm Traxis
class-map match-all L4STICKY-IP_6:ANY_CLASS
  5 match virtual-address 172.25.255.6 any
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
  class class-default
    sticky-serverfarm Sticky_Traxis
policy-map multi-match CLIENT_VIPS_PROD
  class L4STICKY-IP_6:ANY_CLASS
    loadbalance vip inservice
    loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
    loadbalance vip icmp-reply active
interface vlan 14
  description Server_side
  ip address 172.25.248.250 255.255.255.0
  alias 172.25.248.1 255.255.255.0
  peer ip address 172.25.248.251 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 21
  description Firewall_Side
  ip address 172.25.255.2 255.255.255.248
  alias 172.25.255.4 255.255.255.248
  peer ip address 172.25.255.3 255.255.255.248
  access-group input ALL
  service-policy input CLIENT_VIPS_PROD
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 2000
  description management VLAN and Query interface VLAN
  ip address 172.18.146.150 255.255.255.0
  peer ip address 172.18.146.151 255.255.255.0
  access-group input PRV
  service-policy input remote_mgmt_allow_policy
  no shutdown
ft interface vlan 22
  ip address 192.168.255.1 255.255.255.252
  peer ip address 192.168.255.2 255.255.255.252
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 20
  ft-interface vlan 22
  query-interface vlan 2000
ft group 1
  peer 1
  priority 200
  peer priority 150
  associate-context Admin
  inservice
ip route 172.18.0.0 255.255.0.0 172.18.146.1
ip route 10.0.0.0 255.0.0.0 172.25.255.1
snmp-server location "lb_env_traffic"
snmp-server community vnet_device_7Gxp2BdhXJ9Ke group Network-Monitor
snmp-server host 172.18.250.185 traps version 1 vnet_device_7Gxp2BdhXJ9Ke
snmp-server trap-source vlan 2000
snmp-server trap link ietf
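Peter's requirement is session affinity keyed on the client address: the HTTP purchase and the RTSP play from one STB must reach the same rserver. The model below is an added example written for this thread, not ACE code and not the customer's configuration; it imitates `sticky ip-netmask <mask> address source` in front of a serverfarm with `predictor hash address source` to show two consequences of the updated config. First, because the sticky key is the source address only and the class-map now matches `any` port, destination port 80 and port 554 always resolve to the same rserver. Second, changing the sticky netmask from 255.255.255.255 to 255.255.255.0 makes every client in a /24 share a single sticky entry, so a whole subnet of STBs lands on one server. ACE's actual hash function is not given in the thread; SHA-256 over the masked address is an assumed stand-in, `replicate sticky` to the FT peer is not modelled, and `StickyFarm`, `affinity_holds` and `servers_used` are this example's own names.

```python
import hashlib
import ipaddress

# The four rservers of serverfarm Traxis from the thread's configuration.
RSERVERS = ["Traxis_FE1", "Traxis_FE2", "Traxis_FE3", "Traxis_FE4"]


class StickyFarm:
    """Toy model of 'sticky ip-netmask <mask> address source' in front of a
    serverfarm whose predictor is 'hash address source'.

    ACE's real hash function is not documented in this thread; SHA-256 over
    the masked client address is an assumption standing in for it. The
    'replicate sticky' mirroring to the FT peer is not modelled.
    """

    def __init__(self, rservers, sticky_netmask="255.255.255.255"):
        self.rservers = list(rservers)
        self.netmask = int(ipaddress.IPv4Address(sticky_netmask))
        self.sticky = {}  # masked client address (int) -> rserver name

    def _key(self, client_ip):
        # The sticky netmask decides which clients share one table entry:
        # /32 keeps one entry per STB, /24 collapses a subnet into one.
        return int(ipaddress.IPv4Address(client_ip)) & self.netmask

    def _predict(self, key):
        # Illustrative hash predictor: deterministic, so the same masked
        # address yields the same rserver as long as the farm is unchanged.
        digest = hashlib.sha256(key.to_bytes(4, "big")).digest()
        return self.rservers[int.from_bytes(digest[:4], "big") % len(self.rservers)]

    def select(self, client_ip, dst_port):
        """Pick the rserver for a new connection from client_ip.

        dst_port is deliberately ignored: the VIP class-map matches 'any'
        port and stickiness is keyed on source address only, which is what
        keeps the HTTP purchase (80) and the RTSP play (554) together.
        """
        key = self._key(client_ip)
        if key not in self.sticky:
            self.sticky[key] = self._predict(key)
        return self.sticky[key]


def affinity_holds(farm, client_ip):
    """True if the STB's HTTP and RTSP connections reach the same rserver."""
    return farm.select(client_ip, 80) == farm.select(client_ip, 554)


def servers_used(farm, clients):
    """How many distinct rservers a set of client addresses is spread over."""
    return len({farm.select(c, 80) for c in clients})


if __name__ == "__main__":
    # Constructed sample: 254 STBs in one /24 of the 10.0.0.0/8 STB range.
    stbs = [f"10.1.2.{i}" for i in range(1, 255)]
    for mask in ("255.255.255.255", "255.255.255.0"):
        farm = StickyFarm(RSERVERS, mask)
        print(f"netmask {mask}: affinity={affinity_holds(farm, stbs[0])}, "
              f"rservers used={servers_used(farm, stbs)}, "
              f"sticky entries={len(farm.sticky)}")
```

The /24 case is the one to watch operationally: it still satisfies the purchase-then-play requirement, but if the STB population sits in a few subnets (or behind a NAT) the load is no longer spread over the four servers, and a single rserver failure takes a whole subnet's sessions with it.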

Francesco Casotto
Cisco Employee

Hello Peter,

If it's RTSP that is not working, it might be that for your kind of traffic you would need to have inspection enabled; please see the example here:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_Server_Load-Balancing_Configuration_Examples#Example_of_an_RTSP_Load-Balancing_Configuration

If further analysis should be needed, then we would probably need a packet capture and would investigate this further inside a TAC case.

Cheers,

Francesco
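Why inspection matters for RTSP, as an added illustration that is not part of Francesco's reply: the RTSP control connection on TCP 554 is only the signalling. In a SETUP exchange (RFC 2326) the client and server negotiate separate RTP/RTCP media flows through the `Transport` header, and those flows are UDP on ports chosen per session, so a class-map that matches `tcp range 80 555` on the VIP describes only the control connection and never the media. The parser below, written for this thread, extracts the negotiated ports from a constructed SETUP request and response (not a capture from the customer's STBs; 172.25.255.6 is the VIP from the thread) and reports which media flows such a VIP match would not cover; it also handles the interleaved case, where media rides inside the existing TCP connection and no extra flow appears. `parse_transport`, `media_flows` and `flows_missed_by_vip` are this example's own names.

```python
import re

# Constructed RTSP SETUP exchange in RFC 2326 syntax. It is not a capture
# from the customer's STBs; 172.25.255.6 is the VIP from the thread.
SETUP_REQUEST = (
    "SETUP rtsp://172.25.255.6:554/vod/movie/trackID=1 RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589\r\n"
    "\r\n"
)
SETUP_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 12345678\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589;server_port=6256-6257\r\n"
    "\r\n"
)
# The same SETUP answered with interleaved transport: media rides the TCP
# control connection and no extra flow appears.
INTERLEAVED_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 12345678\r\n"
    "Transport: RTP/AVP/TCP;unicast;interleaved=0-1\r\n"
    "\r\n"
)

# What the first posted class-map matched: 'tcp range 80 555' on the VIP.
VIP_PROTOCOL = "tcp"
VIP_PORTS = range(80, 556)

_PAIR_RE = re.compile(r"\b(client_port|server_port|interleaved)=(\d+)(?:-(\d+))?")


def parse_transport(msg):
    """Parse the Transport header of one RTSP message.

    Returns {'profile': ..., 'client_port': (lo, hi), 'server_port': (lo, hi),
    'interleaved': (lo, hi)} for the parameters present; lo is the RTP
    port/channel and hi the RTCP one. Empty dict if there is no header.
    """
    for line in msg.split("\r\n"):
        if line.lower().startswith("transport:"):
            value = line.split(":", 1)[1].strip()
            parsed = {"profile": value.split(";", 1)[0]}
            for name, lo, hi in _PAIR_RE.findall(value):
                parsed[name] = (int(lo), int(hi) if hi else int(lo))
            return parsed
    return {}


def media_flows(response):
    """Media flows the server commits to in a SETUP response.

    Interleaved transport adds none. Otherwise RTP and RTCP are separate
    UDP flows on the negotiated server_port pair (client_port is reported
    when present in the response, None otherwise).
    """
    t = parse_transport(response)
    if "interleaved" in t or "server_port" not in t:
        return []
    client = t.get("client_port", (None, None))
    return [
        {"name": name, "protocol": "udp",
         "server_port": t["server_port"][i], "client_port": client[i]}
        for i, name in enumerate(("RTP", "RTCP"))
    ]


def flows_missed_by_vip(response, vip_protocol=VIP_PROTOCOL, vip_ports=VIP_PORTS):
    """Name -> reasons why a class-map matching only vip_protocol/vip_ports
    on the VIP never describes that media flow, hence why the load balancer
    must learn it from the control channel (RTSP inspection) instead."""
    missed = {}
    for f in media_flows(response):
        reasons = []
        if f["protocol"] != vip_protocol:
            reasons.append("%s, not %s" % (f["protocol"], vip_protocol))
        if f["server_port"] not in vip_ports:
            reasons.append("server port %d outside %d-%d"
                           % (f["server_port"], vip_ports.start, vip_ports.stop - 1))
        if reasons:
            missed[f["name"]] = reasons
    return missed


if __name__ == "__main__":
    print("unicast UDP:", flows_missed_by_vip(SETUP_RESPONSE))
    print("interleaved:", flows_missed_by_vip(INTERLEAVED_RESPONSE))
```

A packet capture on the client side, which Francesco suggests as the next step, shows the same thing directly: the SETUP reply arrives on the TCP 554 session, and the RTP then appears as UDP on the negotiated ports rather than on anything the VIP class-map lists.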