08-03-2011 09:18 AM
Hi
I've got an ACE which should load-balance to 2 web servers.
From the router itself (ssh) I can ping the 2 servers with their internal address.
I can also ping the ACE, but when I try to telnet the router on port 80 to see if loadbalancing is functional, my request timed out.
I used the OVH documentation (my hoster) and I cannot find what's wrong! And I think it's a really basic configuration...
Here is my actual configuration:
(vlan 265 is my external interface)
access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any
probe tcp PROBE_TCP
  interval 30
  passdetect interval 60
rserver host LABS
  ip address 172.16.0.1
  inservice
rserver host MICHELINE
  ip address 172.16.0.2
  inservice
serverfarm host FARM_LABS
  predictor leastconns
  probe PROBE_TCP
  rserver LABS
    inservice
  rserver MICHELINE
    inservice
parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance
class-map match-all L4-WEB-IP
  2 match virtual-address 178.33.159.32 tcp eq www
class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm FARM_LABS
    insert-http x-forward header-value "%is"
policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
interface vlan 265
  ip address 178.33.159.170 255.255.255.240
  alias 178.33.159.169 255.255.255.240
  peer ip address 178.33.159.171 255.255.255.240
  access-group input ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input WEB-to-vIPs
  no shutdown
interface vlan 2369
  ip address 172.31.255.250 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  peer ip address 172.31.255.251 255.240.0.0
  access-group input ANY
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
  no shutdown
ft track interface VLAN265
  track-interface vlan 265
  peer track-interface vlan 265
  priority 50
  peer priority 5
Thanks for any help!
08-03-2011 07:35 PM
Hi Laurent,
What do you mean by "I can also ping the ACE, but when I try to telnet the router on port 80 to see if loadbalancing is functional, my request timed out"?
What are the IP addresses you are pinging or telnetting to (the VIP or the actual servers' IP addresses)?
It would be great if you could provide the output of show conn and show service-policy detail before and after trying the HTTP connection.
If you can test the HTTP connection from a normal PC and collect sniffer traces from the server and the client simultaneously, that would be great too; otherwise, please enable the capture on the ACE and try the connection, then copy the output.
Is it an ACE module or appliance?
Note: Let me know if you need any help with capture tool on ACE.
Best regards,
Ahmad
08-04-2011 03:41 AM
Hi Ahmad,
I misunderstood by using one IP address which is pingable, but it was a wrong lead.
My test was to telnet the VIP on port 80 so that a connection should be opened on one of the load-balanced servers.
These are the results:
rbx-s1-ace/vrack2369# show conn
total current connections : 2
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
892000     2  in  TCP   265  93.17.95.165:56172    178.33.159.169:22     ESTAB
3169004    2  out TCP   265  178.33.159.169:22     93.17.95.165:56172    ESTAB
I'm trying to make http traces but since I can't reach the ACE itself I don't have any atm.
I *think* it's an ACE module; OVH gave me that link
Thanks !
08-04-2011 01:23 AM
Hi,
Your VIP address isn't in VLAN 265. If you look really close at the OVH documentation then you'll see that they define the VIP in the client-side VLAN. If you define it as an unused address in 173.33.8.64/28 then things should get better.
Kind Regards
Cathy
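The subnet check behind the reply above, written out as an added example that is not part of the original thread or of OVH's documentation: it reads the `interface vlan` blocks and the `match virtual-address` line from an indented ACE config and reports how a candidate VIP relates to the client-side VLAN. The function names are hypothetical, the config excerpt is taken from the first post, and VLAN 265 is assumed to be the client side because that post calls it the external interface.

```python
import ipaddress
import re

# Excerpt of the configuration posted in this thread (indentation restored).
ACE_CONFIG = """\
class-map match-all L4-WEB-IP
  2 match virtual-address 178.33.159.32 tcp eq www
interface vlan 265
  ip address 178.33.159.170 255.255.255.240
  alias 178.33.159.169 255.255.255.240
  peer ip address 178.33.159.171 255.255.255.240
interface vlan 2369
  ip address 172.31.255.250 255.240.0.0
"""
ADDR_LINE = re.compile(r"^(?:peer ip address|ip address|alias) (\S+) (\S+)$")


def parse_interfaces(config):
    """Return {vlan: (subnet, addresses already configured on that VLAN)}."""
    vlans, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # an unindented line opens a new block
            m = re.match(r"interface vlan (\d+)$", raw.strip())
            current = int(m.group(1)) if m else None
            continue
        m = ADDR_LINE.match(raw.strip())
        if current is not None and m:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            _, used = vlans.setdefault(current, (iface.network, set()))
            used.add(iface.ip)
    return vlans


def parse_vips(config):
    """Return every address named in a 'match virtual-address' line."""
    found = re.findall(r"match virtual-address (\S+)", config)
    return [ipaddress.ip_address(a) for a in found]


def classify_vip(vip, vlans, client_vlan):
    """Relate a candidate VIP to the client-side VLAN's subnet."""
    net, used = vlans[client_vlan]
    vip = ipaddress.ip_address(vip)
    if vip not in net:
        return "outside"
    if vip == net.network_address:
        return "network-address"
    if vip == net.broadcast_address:
        return "broadcast-address"
    return "in-use" if vip in used else "free"
```

With the posted values, 178.33.159.32 classifies as outside the VLAN 265 subnet (178.33.159.160/28), and 178.33.159.160 is that subnet's network address.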
08-04-2011 03:21 AM
Hi Cathy,
Thanks for the answer. I defined my VIP address as part of the IP RIPE blocks that were given by OVH:
178.33.159.160 / 28
178.33.159.144 / 28
(in their doc, they said to use "one of IP RIPE block IPs")
I started using 178.33.159.160 from block#1, didn't work. Changed for the actual one from block#2 : 178.33.159.32
I can ping 178.33.159.32, and if I change to 178.33.159.160 it doesn't work.
So I assume that 178.33.159.32 isn't correct anymore but responds to ping