ACE - can't reach the virtual server

challet_admin
Level 1

Hello,

I'm trying to set up a load balancer within an OVH (hoster) infrastructure. I've followed their instructions:

http://guide.ovh.com/VrackLoadBalancingACESimple (written in French)

I'm using a RIPE block (5.135.193.xxx/28) and would like the first 8 (5.135.193.xxx/29) to be used as the virtual server.

vlan 2676 is the local one, and vlan 1227 is the public one.

After all the config steps, none of these IPs responds to a ping or to a direct HTTP request.

I don't really know what can be wrong. If someone could please have a look at it, that would greatly help me.

The full configuration is:

=============================================
ssh maxsessions 1

access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any

probe tcp PROBE_TCP
  passdetect interval 30

rserver host master.xxx.com
  ip address 172.16.0.1
  conn-limit max 29500 min 20000
  inservice
rserver host slave1.xxx.com
  ip address 172.16.0.2
  conn-limit max 29500 min 20000
  inservice

serverfarm host xxx.com
  predictor leastconns
  probe PROBE_TCP
  rserver master.xxx.com
    inservice
  rserver slave1.xxx.com
    inservice

parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance

class-map match-all L4-WEB-IP
  2 match virtual-address 5.135.193.xxx 255.255.255.248 tcp eq www
class-map type management match-all PUBLIC_REMOTE
  2 match protocol ssh source-address 88.170.209.xxx 255.255.255.255
class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type management first-match REMOTE_PUBLIC_MGMT
  class PUBLIC_REMOTE
    permit

policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm xxx.com
    insert-http x-forward header-value "%is"

policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2676
    appl-parameter http advanced-options HTTP_PARAMETER_MAP

interface vlan 1227
  ip address 5.135.193.xxx 255.255.255.240
  alias 5.135.193.xxx 255.255.255.240
  peer ip address 5.135.193.xxx 255.255.255.240
  access-group input ANY
  service-policy input REMOTE_PUBLIC_MGMT
  service-policy input WEB-to-vIPs
  no shutdown
interface vlan 2676
  ip address 172.31.255.251 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  peer ip address 172.31.255.250 255.240.0.0
  access-group input ANY
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ft track interface VLAN1227
  track-interface vlan 1227
  peer track-interface vlan 1227
  priority 5
  peer priority 50

ip route 0.0.0.0 0.0.0.0 5.135.193.xxx
=============================================

--

Clément


Kanwaljeet Singh
Cisco Employee

Hi Clement,

Can you check if the servers in the serverfarm are showing "Operational"? Can you send the output of show serverfarm detail and show service-policy detail?

Regards,

Kanwal

Hi Kanwal,

Thanks for your help,

There is indeed an INACTIVE policy, the "WEB_L7_POLICY" one.

Does it need to be activated, or is it like that because of a configuration error?

Edit: more detailed output

--

Clément

===================================================
rbx-s2-ace2/vrack2676# show serverfarm xxx.com detail
serverfarm     : xxx.com, type: HOST
total rservers : 2
state          : ACTIVE
DWS state      : DISABLED
active rservers: 2
description    : -
predictor      : LEASTCONNS
   slowstart    : 0 secs
failaction     : -
back-inservice    : 0
partial-threshold : 0
num times failover       : 0
num times back inservice : 0
total conn-dropcount : 0
Probe(s) :
    PROBE_TCP,  type = TCP
---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: master.xxx.com
       172.16.0.1:0          8   OPERATIONAL     0          0          0
         sticky-conns         :                  0          0
         description          : -
         max-conns            : 29500     , out-of-rotation count : 0
         min-conns            : 20000
         conn-rate-limit      : -         , out-of-rotation count : -
         bandwidth-rate-limit : -         , out-of-rotation count : -
         retcode out-of-rotation count : -
         inband HM out-of-rotation count : -
   rserver: slave1.xxx.com
       172.16.0.2:0          8   OPERATIONAL     0          0          0
         sticky-conns         :                  0          0
         description          : -
         max-conns            : 29500     , out-of-rotation count : 0
         min-conns            : 20000
         conn-rate-limit      : -         , out-of-rotation count : -
         bandwidth-rate-limit : -         , out-of-rotation count : -
         retcode out-of-rotation count : -
         inband HM out-of-rotation count : -
===================================================
rbx-s2-ace2/vrack2676# show service-policy WEB_L7_POLICY detail
Status     : INACTIVE
Description: -----------------------------------------
  service-policy: WEB_L7_POLICY
===================================================
rbx-s2-ace2/vrack2676# show service-policy WEB-to-vIPs detail
Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 1227
  service-policy: WEB-to-vIPs
    class: L4-WEB-IP
      nat:
        nat dynamic 1 vlan 2676
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
     VIP Address:                              Protocol:  Port:
     5.135.193.64                              tcp    eq   80
      loadbalance:
        L7 loadbalance policy: WEB_L7_POLICY
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        VIP DWS state: DWS_DISABLED
        Persistence Rebalance: ENABLED
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        conns per second    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : WEB_L7_POLICY
          class/match : class-default
            LB action :
               primary serverfarm: xxx.com
                    state: UP
                backup serverfarm : -
            hit count        : 0
            dropped conns    : 0
            compression      : off
      compression:
        bytes_in  : 0                          bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0               Deflate: 0
      compression errors:
        User-Agent  : 0               Accept-Encoding    : 0
        Content size: 0               Content type       : 0
        Not HTTP 1.1: 0               HTTP response error: 0
        Others      : 0
        Parameter-map(s):
          HTTP_PARAMETER_MAP
===================================================

Hi Clement,

That policy showing INACTIVE is normal. But the L4 policy detail shows that the policy is correctly bound and the VIP is showing as inservice as well.

I don't see any dropped connections or any hit on the policy, which indicates that traffic is not reaching the ACE at all.

Can you try and capture the traffic on the ACE to see if the traffic is hitting the ACE at all or not? Also, try to do a tracert and see whether the packet is hitting the ACE or not. You can also try and take a pcap on the client itself and see why your connection is getting rejected.

Ensure that the routing part is taken care of. Other than that, the configuration looks fine.

Regards,

Kanwal
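
The counter reading in the reply above (VIP in service, zero hits, zero drops, so traffic is not reaching the ACE) can be scripted for repeated checks. This is an added example, not code from either poster or from Cisco; the sample text is abridged from the output posted in this thread, and the function names and triage labels are hypothetical.

```python
import re

# Sample input: abridged from the `show service-policy WEB-to-vIPs detail` output in this thread.
SAMPLE = """\
Status     : ACTIVE
Interface: vlan 1227
  service-policy: WEB-to-vIPs
    class: L4-WEB-IP
      loadbalance:
        L7 loadbalance policy: WEB_L7_POLICY
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
"""

def parse_vip_counters(text):
    """Return policy status, VIP state and the first loadbalance counters."""
    lb = text.split("loadbalance:", 1)[-1]  # skip the nat: block, which repeats the counter names
    def grab(pattern, source, cast=str):
        m = re.search(pattern, source)
        return cast(m.group(1)) if m else None
    return {
        "status": grab(r"Status\s*:\s*(\S+)", text),
        "vip_state": grab(r"VIP State:\s*(\S+)", lb),
        "hits": grab(r"hit count\s*:\s*(\d+)", lb, int),
        "dropped": grab(r"dropped conns\s*:\s*(\d+)", lb, int),
        "client_pkts": grab(r"client pkt count\s*:\s*(\d+)", lb, int),
        "server_pkts": grab(r"server pkt count\s*:\s*(\d+)", lb, int),
    }

def triage(c):
    """Map the counters to a next step (labels are assumptions, not ACE output)."""
    if any(v is None for v in c.values()):
        return "unparsed: output did not contain the expected fields"
    if c["status"] != "ACTIVE" or c["vip_state"] != "INSERVICE":
        return "policy-or-vip-down: fix the ACE configuration first"
    if c["hits"] == 0 and c["dropped"] == 0 and c["client_pkts"] == 0:
        return "no-traffic-at-ace: check upstream routing, capture on the client VLAN"
    if c["dropped"] > 0:
        return "ace-dropping: check ACLs, conn-limits and serverfarm state"
    if c["client_pkts"] > 0 and c["server_pkts"] == 0:
        return "no-server-replies: check the rserver return path"
    return "traffic-flowing"

if __name__ == "__main__":
    print(triage(parse_vip_counters(SAMPLE)))
```
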

Hi Kanwal,

I did as you suggested, and both packet capture and traceroute show that no traffic goes to the ACE when trying to reach the virtual server, except for the ACE IPs themselves, as configured in the external vlan interface.

Could it be a lack of routing in the OVH (hoster) network? Since they don't want to provide support unless they made a mistake, I'm kind of clueless here.

And thanks again, you've been of great help.

Hi Clement,

Could you please send me the complete configuration?

Regards,

Kanwal
