ACE: Basic question about connection table and sticky table

snakayama
Level 3

Hello everyone,

I have a basic question about the connection table and sticky table on the ACE 4700 appliance.

ACE has a connection inactivity timer that disconnects established ICMP, TCP, and UDP connections that have remained idle for the duration of the specified timeout period. By default, the following timers are applied for each protocol:

ICMP—2 seconds
TCP—3600 seconds (1 hour)
UDP—120 seconds (2 minutes)

If I configure IP address stickiness and use the default sticky timeout value (1440 minutes, 24 hours), I guess the following might happen.

==========
1: CLIENT#1 accesses ACE VIP with TCP

2: ACE performs load balancing (by default, round robin) and connects to one server (RSERVER#1)

3: ACE creates the entries in the connection table and sticky table and starts to decrease each timeout value

If CLIENT#1 never sends any packets to the ACE VIP:

4: After 1 hour, ACE removes the entry from the connection table, but the sticky entry still exists in the sticky table

   connection table: does not exist
   sticky table: exists
==========

In this case, if ACE receives a TCP packet from CLIENT#1, how does ACE handle the traffic?

Does ACE look up the sticky table, connect to the same server (RSERVER#1), and then create the entry in the connection table?

or

Does ACE perform load balancing (as in step 2 above) and then connect to another server, RSERVER#2, even if the sticky entry exists in the sticky table?

Your information would be appreciated.

Best regards,

Shinichi

Accepted Solution

yushimaz
Cisco Employee

If the request from the same client is a SYN packet (new connection) and the client IP address is listed in the sticky table, ACE uses this entry and forwards the packets to the same server (RSERVER#1).

If the request from the same client is not a SYN packet (such as a data packet), ACE rejects the packet.

ACE20/Admin# sh sticky database
ACE20/Admin#
!___ before access to vip (no entry is listed)

ACE20/Admin#
!___ after access to vip
ACE20/Admin# sh sticky database
sticky group    : ip_sticky
type         : IP
timeout      : 1440          timeout-activeconns : FALSE
  sticky-entry          rserver-instance                 time-to-expire flags
  ---------------------+--------------------------------+--------------+-------+
  3232253707            sv1:0                            86387          -
!___ both sticky and connection entry are created

ACE20/Admin#
ACE20/Admin# sh sticky database
sticky group    : ip_sticky
type         : IP
timeout      : 1440          timeout-activeconns : FALSE
  sticky-entry          rserver-instance                 time-to-expire flags
  ---------------------+--------------------------------+--------------+-------+
  3232253707            sv1:0                            86261          -
!___ time-to-expire value is decreased with time

ACE20/Admin#
ACE20/Admin# sh conn
total current    connections : 0
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
ACE20/Admin#
!___ confirm that connection entry is removed
!___ and then access to vip from same client

ACE20/Admin# sh sticky database
sticky group    : ip_sticky
type         : IP
timeout      : 1440          timeout-activeconns : FALSE
  sticky-entry          rserver-instance                 time-to-expire flags
  ---------------------+--------------------------------+--------------+-------+
  3232253707            sv1:0                            86388          -
!___ new connection is created and time-to-expire value is reset

If you can read Japanese, the following page would be helpful.

https://supportforums.cisco.com/docs/DOC-12242

Regards,

Yuji
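To make the two-table behaviour in Yuji's answer concrete, here is an added Python model (not Cisco code, not from the original thread) of a load balancer with a connection table and an IP sticky table, using the page's defaults (TCP idle 3600 s, sticky 1440 min, round robin). Client addresses, ports and the rserver names are constructed; the model only refreshes the sticky timer on a new connection, matching the time-to-expire reset seen in the show output.

```python
from dataclasses import dataclass, field
from itertools import cycle

TCP_IDLE = 3600             # default TCP connection inactivity timer, seconds
STICKY_TIMEOUT = 1440 * 60  # default sticky timeout (1440 minutes), seconds

@dataclass
class Ace:
    rservers: list
    clock: int = 0
    conns: dict = field(default_factory=dict)   # (client, port) -> (rserver, last_seen)
    sticky: dict = field(default_factory=dict)  # client -> (rserver, last_new_conn)

    def __post_init__(self):
        self._rr = cycle(self.rservers)         # round robin, the default predictor

    def tick(self, seconds):                    # advance time, age out idle entries
        self.clock += seconds
        self.conns = {k: v for k, v in self.conns.items() if self.clock - v[1] < TCP_IDLE}
        self.sticky = {k: v for k, v in self.sticky.items() if self.clock - v[1] < STICKY_TIMEOUT}

    def packet(self, client, port, syn):
        """Return the rserver the packet goes to, or None when ACE rejects it."""
        key = (client, port)
        if key in self.conns:                   # established flow: refresh idle timer
            rs = self.conns[key][0]
            self.conns[key] = (rs, self.clock)
            return rs
        if not syn:                             # data packet with no connection entry:
            return None                         # rejected, sticky table is not consulted
        if client in self.sticky:               # SYN with a sticky hit: same rserver
            rs = self.sticky[client][0]
        else:                                   # SYN, no sticky entry: load balance
            rs = next(self._rr)
        self.conns[key] = (rs, self.clock)      # new connection entry ...
        self.sticky[client] = (rs, self.clock)  # ... and sticky time-to-expire reset
        return rs

    def time_to_expire(self, client):
        return STICKY_TIMEOUT - (self.clock - self.sticky[client][1])

def scenario(client="192.168.71.11", other="192.168.71.12"):  # constructed addresses
    ace = Ace(["RSERVER#1", "RSERVER#2"])
    first = ace.packet(client, 40001, syn=True)    # steps 1-3: balanced, both entries created
    ace.tick(TCP_IDLE)                             # step 4: conn entry ages out, sticky stays
    data = ace.packet(client, 40001, syn=False)    # mid-stream packet on the dead flow
    again = ace.packet(client, 40002, syn=True)    # new connection from the same client
    newcomer = ace.packet(other, 40001, syn=True)  # unrelated client gets the round-robin pick
    return first, data, again, newcomer, ace.time_to_expire(client)
```

Running `scenario()` reproduces the thread's outcome: the first SYN lands on RSERVER#1, the stray data packet after the idle timer is rejected, the next SYN from the same client returns to RSERVER#1 with the sticky timer reset to its full value, and a different client is balanced to RSERVER#2.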


Good morning Yuji,

Thank you very much for your detailed and concrete explanation.

I understand what you said, and I can read Japanese, so I'm going to read
https://supportforums.cisco.com/docs/DOC-12242

Best regards,

Shinichi
