
ACE : can't get to loadbalance

laurent55
Level 1

Hi

I've got an ACE which should load-balance to 2 web servers.

From the router itself (ssh) I can ping the 2 servers with their internal address.

I can also ping the ACE, but when I try to telnet the router on port 80 to see if loadbalancing is functional, my request timed out.

I used the OVH documentation (my hoster) and I cannot find what's wrong ! And I think it's a really basic configuration...

Here is my actual configuration :

(vlan 265 is my external interface)

access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any

probe tcp PROBE_TCP
  interval 30
  passdetect interval 60

rserver host LABS
  ip address 172.16.0.1
  inservice
rserver host MICHELINE
  ip address 172.16.0.2
  inservice

serverfarm host FARM_LABS
  predictor leastconns
  probe PROBE_TCP
  rserver LABS
    inservice
  rserver MICHELINE
    inservice

parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance

class-map match-all L4-WEB-IP
  2 match virtual-address 178.33.159.32 tcp eq www
class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm FARM_LABS
    insert-http x-forward header-value "%is"

policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP

interface vlan 265
  ip address 178.33.159.170 255.255.255.240
  alias 178.33.159.169 255.255.255.240
  peer ip address 178.33.159.171 255.255.255.240
  access-group input ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input WEB-to-vIPs
  no shutdown

interface vlan 2369
  ip address 172.31.255.250 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  peer ip address 172.31.255.251 255.240.0.0
  access-group input ANY
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
  no shutdown

ft track interface VLAN265
  track-interface vlan 265
  peer track-interface vlan 265
  priority 50
  peer priority 5

Thanks for any help !

4 Replies

Hi Laurent,

What do you mean by "I can also ping the ACE, but when I try to telnet the router on port 80 to see if loadbalancing is functional, my request timed out."?

What are the IP addresses you are pinging or telnetting to (the VIP or the actual servers' IP addresses)?

It would be great if you can provide the output of show conn and show service-policy detail before and after trying the http connection.

If you can test the http connection from normal PC and collect sniffer traces from the server and the client simultaneously that will be great also, otherwise, please enable the capture on the ACE and try the connection, then copy the output.

Is it ACE module or appliance?

Note: Let me know if you need any help with capture tool on ACE.

Best regards,

Ahmad

Hi Ahmad,

I misunderstood by using one IP address which is pingable, but it was a wrong lead.

My test was to telnet the VIP on port 80 so that a connection should be opened on one of the load-balanced servers.

These are the results :

rbx-s1-ace/vrack2369# show conn

total current connections : 2

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
892000     2  in  TCP   265  93.17.95.165:56172    178.33.159.169:22     ESTAB
3169004    2  out TCP   265  178.33.159.169:22     93.17.95.165:56172    ESTAB

I'm trying to make http traces but since I can't reach the ACE itself I don't have any atm.

I *think* it's ACE module, ovh give me that link

Thanks !

ciscocsoc
Level 4

Hi,

Your VIP address isn't in VLAN 265. If you look really close at the OVH documentation then you'll see that they define the VIP in the client-side VLAN. If you define it as an unused address in 173.33.8.64/28 then things should get better.

Kind Regards

Cathy
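
The check Cathy describes, as an added example (not part of the original thread or of the OVH documentation): it parses ACE-style configuration text and reports whether each "match virtual-address" VIP lies inside the subnet of the client-side VLAN interface. The sample is a constructed excerpt of the configuration posted above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt: only the lines of the posted configuration the check needs.
SAMPLE_CONFIG = """\
class-map match-all L4-WEB-IP
  2 match virtual-address 178.33.159.32 tcp eq www
interface vlan 265
  ip address 178.33.159.170 255.255.255.240
  alias 178.33.159.169 255.255.255.240
  service-policy input WEB-to-vIPs
interface vlan 2369
  ip address 172.31.255.250 255.240.0.0
"""

VIP_RE = re.compile(r"^\s*\d+\s+match virtual-address\s+(\S+)")
VLAN_RE = re.compile(r"^interface vlan\s+(\d+)")
ADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")


def parse(config):
    """Return (vips, subnets): VIP addresses and {vlan id: connected subnet}."""
    vips, subnets, vlan = [], {}, None
    for line in config.splitlines():
        if m := VIP_RE.match(line):
            vips.append(ipaddress.ip_address(m.group(1)))
        elif m := VLAN_RE.match(line):
            vlan = int(m.group(1))
        elif line and not line[0].isspace():
            vlan = None  # any other top-level command ends the interface block
        elif vlan is not None and (m := ADDR_RE.match(line)):
            # strict=False: derive the network from a host address plus mask
            subnets[vlan] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
    return vips, subnets


def vip_placement(config, client_vlan):
    """Map each VIP to True if it lies inside the client-side VLAN's subnet."""
    vips, subnets = parse(config)
    net = subnets[client_vlan]
    return {str(v): v in net for v in vips}


if __name__ == "__main__":
    for vip, ok in vip_placement(SAMPLE_CONFIG, 265).items():
        print(vip, "inside" if ok else "outside", "the vlan 265 subnet")
```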

Hi Cathy,

Thanks for the answer. I defined my VIP address as part of the IP RIPE blocks that were given by OVH :

178.33.159.160 / 28

178.33.159.144 / 28

(in their doc, they said to use "one of IP RIPE block IPs")

I started using 178.33.159.160 from block#1, didn't work. Changed for the actual one from block#2 : 178.33.159.32

I can ping 178.33.159.32, and if I change to 178.33.159.160 it doesn't work.

So I assume that 178.33.159.32 isn't correct anymore but responds to ping