09-03-2010 02:02 AM
Hello everyone,
I have a basic question about the connection table and sticky table on ACE 4700 appliance.
ACE has a connection inactivity timer to disconnect established ICMP, TCP, and UDP connections that have remained idle for the duration of the specified timeout period, and by default the following timers are applied for each protocol.
ICMP—2 seconds
TCP—3600 seconds (1 hour)
UDP—120 seconds (2 minutes)
If I configure IP Address Stickiness and use the default sticky timeout value (1440 minutes, 24 hours), I guess the following might happen.
==========
1: CLIENT#1 accesses ACE VIP with TCP
2: ACE performs load balancing (by default, round robin) and connects one server (RSERVER#1)
3: ACE creates the entries in the connection table and sticky table and starts to decrease each timeout value
If CLIENT#1 never sends any packets to the ACE VIP
4: After 1 hour ACE removes the entry from connection table, but sticky entry still exists on sticky table
connection table: not exist
sticky table: exist
==========
In this case, if ACE receives a TCP packet from CLIENT#1, how does ACE handle the traffic?
Does ACE look up the sticky table, connect to the same server (RSERVER#1), and then create the entry in the connection table?
or
Does ACE perform load balancing (as in 2: above) and then connect to another server, RSERVER#2, even if the sticky entry exists in the sticky table?
Your information would be appreciated.
Best regards,
Shinichi
09-03-2010 02:38 AM
If the request from the same client is a SYN packet (new connection) and the client IP address is listed in the sticky table, ACE uses this entry and forwards packets to the same server (RSERVER#1).
If the request from the same client is not a SYN packet (such as a data packet), ACE rejects the packet.
ACE20/Admin# sh sticky database
ACE20/Admin#
!___ before access to vip (no entry is listed)
ACE20/Admin#
!___ after access to vip
ACE20/Admin# sh sticky database
sticky group : ip_sticky
type : IP
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+--------------------------------+--------------+-------+
3232253707 sv1:0 86387 -
!___ both sticky and connection entry are created
ACE20/Admin#
ACE20/Admin# sh sticky database
sticky group : ip_sticky
type : IP
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+--------------------------------+--------------+-------+
3232253707 sv1:0 86261 -
!___ time-to-expire value is decreased with time
ACE20/Admin#
ACE20/Admin# sh conn
total current connections : 0
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
ACE20/Admin#
!___ confirm that connection entry is removed
!___ and then access to vip from same client
ACE20/Admin# sh sticky database
sticky group : ip_sticky
type : IP
timeout : 1440 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+--------------------------------+--------------+-------+
3232253707 sv1:0 86388 -
!___ new connection is created and time-to-expire value is reset
If you can read Japanese, the following page would be helpful.
https://supportforums.cisco.com/docs/DOC-12242
Regards,
Yuji
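The behaviour described in the answer above, as a small simulation added here for illustration (it is not code from the thread participants or from Cisco). The class, function names, client address and port numbers are constructed; the model assumes that an IP sticky entry is the client IPv4 address written as an integer, and that the sticky timer is reset only when a new connection is opened, as the output above shows.

```python
import ipaddress

TCP_IDLE = 3600          # default TCP inactivity timeout quoted in the question (s)
STICKY_TTL = 1440 * 60   # default sticky timeout quoted in the question (s)

def sticky_key(client_ip):
    """Assumed: an IP sticky entry is the client IPv4 address as an integer."""
    return int(ipaddress.IPv4Address(client_ip))

class StickyModel:
    """Toy model of the connection table and sticky table; not ACE code."""
    def __init__(self, rservers):
        self.rservers, self.next_rr = list(rservers), 0
        self.conns = {}    # (client_ip, src_port) -> [rserver, last_seen]
        self.sticky = {}   # sticky_key -> [rserver, expires_at]

    def _age_out(self, now):
        self.conns = {k: v for k, v in self.conns.items() if now - v[1] < TCP_IDLE}
        self.sticky = {k: v for k, v in self.sticky.items() if v[1] > now}

    def time_to_expire(self, now, client_ip):
        entry = self.sticky.get(sticky_key(client_ip))
        return None if entry is None or entry[1] <= now else entry[1] - now

    def packet(self, now, client_ip, src_port, syn):
        """Return the rserver the packet is forwarded to, or None if rejected."""
        self._age_out(now)
        flow = (client_ip, src_port)
        if flow in self.conns:             # established flow: refresh idle timer
            self.conns[flow][1] = now
            return self.conns[flow][0]
        if not syn:                        # no connection entry and not a SYN
            return None
        key = sticky_key(client_ip)
        if key in self.sticky:             # sticky hit: reuse the same rserver
            server = self.sticky[key][0]
        else:                              # sticky miss: round robin
            server = self.rservers[self.next_rr % len(self.rservers)]
            self.next_rr += 1
        self.conns[flow] = [server, now]
        self.sticky[key] = [server, now + STICKY_TTL]   # timer reset on new conn
        return server

def replay():
    """Constructed timeline for one client; returns the outcome of each step."""
    m, ip = StickyModel(["sv1", "sv2"]), "192.168.71.11"
    first = m.packet(0, ip, 40000, syn=True)
    stale = m.packet(3700, ip, 40000, syn=False)   # connection entry aged out
    again = m.packet(3700, ip, 40001, syn=True)    # sticky entry still live
    return first, stale, again, m.time_to_expire(3700, ip)
```

In `replay()`, round robin alone would have sent the second SYN to `sv2`; the live sticky entry is what keeps the client on `sv1`.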
09-05-2010 06:05 PM
Good morning Yuji,
Thank you very much for your detailed and concrete explanation.
I understand what you said, and I can read Japanese, so I'm going to read the
https://supportforums.cisco.com/docs/DOC-12242
Best regards,
Shinichi