
ACE connection refused but not when accessing the server directly

ion.zabalza
Level 1

Hello,

I am facing the following problem when I try to load a specific webpage using the VIP:



If I skip the load balancer and hit the real server, then the page is correctly loaded:

I captured traffic and saw that the VIP sends a 400 HTTP error to both the real server and my laptop IP (10.160.8.73).

Does anyone have any idea why this is happening?

Thanks in advance

Ion

11 Replies

p.mcgowan
Level 3

Is the ACE the default gateway of the server or is the server using a different gateway?

The return path from the server should also go via the ACE to keep the TCP connections.

Please rate helpful posts.

Thanks for the reply. I forgot to mention that I am using one-arm mode and source NAT in the configuration. As I said, the application is reachable, as well as the VIP, but I cannot load the /archive/admin/open URL.

Hello Ion,

Please send me the showtech of the ACE to check the rest of the configuration

---------------------
Cesar R
ANS Team


Hi Cesar,

I sent you a txt file to your email with the requested command. Please, let me know if you receive it or not.

Many thanks

Ion

Hi Ion,

I have checked the configuration and it is fine. Checking the capture, the response is always a 400 Bad Request.

However, this 400 code comes from the server; the ACE will never generate this HTTP response code.

Please gather a Tengig capture of the ACE to have both sides of the connection.

In addition, gather a capture on the client and server simultaneously when you bypass the ACE.

---------------------
Cesar R
ANS Team


kwansoo kim
Level 1

I have the same issue as you, but we are using routed mode. We still couldn't solve this issue.

I need to capture packets from the trunk between the MSFC and the ACE, following the TAC request, but there is about 3~4G of traffic/s,

and I have no idea how to capture it with a common PC or laptop.

Does anyone know how to capture it and what the problem is in the ACE?

Hi,

This may help you:

The ACE's tengig port is always /1.

Let's say your ACE is in slot 3. Its backplane interface would then be Te3/1. You then use the monitor command to configure the source (SPAN) port to this interface.

monitor session 1 source interface TenGigabitEthernet 3/1 both
monitor session 1 destination interface GigabitEthernet x/y
! The next line is optional and will capture only specified VLANs
monitor session 1 filter vlan 510 - 511 , 640 , 652 - 656

Configure the destination (SPAN) port as a trunk port so that the VLAN IDs will be preserved:

interface Gix/y
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

Be sure that the network analyzer connected to the destination port can monitor VLAN tags (a trunked port). Here is a link on how to configure NICs using some of the Intel chipsets to pass the VLAN tagging info:

http://support.intel.com/support/network/sb/CS-005897.htm

Wireshark has posted this info, as well as how to configure NICs with the Broadcom chipset:

http://wiki.wireshark.org/CaptureSetup/VLAN#head-e0dc0f9fe0cc6b1b1866d78da7b97ead34dca1d8

With IOS Release 12.2(18)SXD and later releases, when a destination port is a trunk, you can use the list of VLANs allowed on the trunk to filter the traffic transmitted from the destination port. This should not be necessary if you configured the optional 'filter' line in the monitor session configuration.

interface Gix/y
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 102, 103
 switchport mode trunk
 switchport nonegotiate

For additional information, see:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html#wp1036881

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#topic6

---------------------
Cesar R
ANS Team
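
Added example, not part of the thread: once the SPAN destination is a trunk and the 802.1Q tags are preserved, each HTTP response in the capture can be attributed to the VLAN and source address it was seen on, which shows whether the 400 is already present on the server-side VLAN. The frames are constructed; the roles of VLANs 510/511 and the VIP, NAT and real-server addresses are assumptions for illustration.

```python
import struct

def build_frame(vlan, src, dst, payload):
    """Constructed Ethernet/802.1Q/IPv4/TCP frame (ports fixed, checksums zero)."""
    eth = b"\x00" * 12 + struct.pack("!HHH", 0x8100, vlan & 0x0FFF, 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 1024, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return (vlan, src, dst, tcp_payload), or None if the frame is not IPv4/TCP."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan, off = None, 14
    if ethertype == 0x8100:  # 802.1Q tag kept by the trunked SPAN destination
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or frame[off + 9] != 6:
        return None
    (total,) = struct.unpack_from("!H", frame, off + 2)  # IP total length
    tcp = off + (frame[off] & 0x0F) * 4                  # skip the IP header
    data = tcp + (frame[tcp + 12] >> 4) * 4              # skip the TCP header
    src = ".".join(map(str, frame[off + 12:off + 16]))
    dst = ".".join(map(str, frame[off + 16:off + 20]))
    return vlan, src, dst, frame[data:off + total]

def http_errors(frames):
    """List (vlan, src, dst, status) for every HTTP response with status >= 400."""
    hits = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[3].startswith(b"HTTP/1."):
            fields = parsed[3].split(b"\r\n", 1)[0].split()
            if len(fields) > 1 and fields[1].isdigit() and int(fields[1]) >= 400:
                hits.append(parsed[:3] + (int(fields[1]),))
    return hits

# Constructed sample: VLAN 510 = client side, VLAN 511 = server side (assumed roles).
REQ = b"GET /archive/admin/open HTTP/1.1\r\nHost: example.test\r\n\r\n"
BAD = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
SAMPLE = [
    build_frame(510, "10.160.8.73", "192.0.2.10", REQ),      # client -> VIP
    build_frame(511, "198.51.100.5", "198.51.100.20", REQ),  # NAT address -> real server
    build_frame(511, "198.51.100.20", "198.51.100.5", BAD),  # real server -> NAT address
    build_frame(510, "192.0.2.10", "10.160.8.73", BAD),      # VIP -> client
]

if __name__ == "__main__":
    for vlan, src, dst, status in http_errors(SAMPLE):
        print(f"VLAN {vlan}: {src} -> {dst} HTTP {status}")
```

Without the VLAN tags, the two copies of the response could only be told apart by their addresses.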


Hi Cesar,

I have not worked with SPAN before, but I think it is not useful in this case. Let me explain why: the ACE module is installed in a VSS system which has EIGRP installed. In fact, it is located in another location, not where I am, and the MPLS cloud we use does not forward VLAN information between locations. Furthermore, the NAM module is installed in the same VSS system:

XXXXX#sh module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP
  2    1  Application Control Engine Module      ACE20-MOD-K9
  3    8  Network Analysis Module                WS-SVC-NAM-2
  5    5  Supervisor Engine 720 10GE (Active)    VS-S720-10G

Does what I say make any sense? Maybe not, so excuse my ignorance on this topic.

Just for info, the capture file I added in the first post was taken in the NAM module, not using Wireshark on my laptop. Thus, both sides of the connection were displayed.

I will attach on Monday the requested files.

Ion

P.S. We can speak in Spanish if you like.

Ion

The destination of the capture is not really a problem. You can send it to the NAM module; the important thing is to capture the internal communication that passes through the Tengig port that the Cat creates with the ACE.

---------------------
Cesar R
ANS Team


Hi Cesar,

I followed your request and set the NAM module to VLAN 1353, which is the VLAN of the context, and I changed my network card to allow VLAN tagging.

Therefore, in the attached files you should find what you asked for.

Please let me know if you need something else.

Ion

Hi Cesar,

Thanks a lot for your useful information.

In addition to your feedback, do NICs like Broadcom and Intel mean the ones in the capture device (PC, laptop with Wireshark, etc.)?

I think the allowed vlan# configuration is available on the trunk interface in IOS 12.2(18)SXF10, which we are using. If that is possible, is there no need to configure the filter as monitor session 1 filter vlan#? I'm slightly confused about whether I should do everything you mentioned or just one thing of my choosing.

Thanks & regards,

eric
