11-24-2008 08:21 AM
I have been load balancing our mail servers for quite some time without an issue; however, I have been using a dynamic NAT statement. This, however, causes our mail team to have problems with logging. I then created a whole new VLAN and ACE context for the mail servers to use. This is where my dilemma is.
I now have dropped connections going to my VIP, but only from one server, which is our anti-spam/antivirus server that filters the mail from the internet and then passes it on to these other mail servers.
I can send mail just fine if I don't use the VIP I created.
Also, if I use a NAT statement the mail sends fine, but obviously I don't want to use that anymore.
The only thing I see that the ACE is not doing is closing the connections. So if every five minutes I do a clear conn all, I won't get any dropped connections for at least 10 to 15 minutes, but I am not going to keep doing this. Right now I have a server with a script that logs into the ACE and then clears the connections, but this is only a band-aid.
Here is my config. This is the only thing on this context. All 6 of my other contexts do not have this issue.
access-list ALL line 10 extended permit ip any any
access-list ALL line 18 extended permit icmp any any

probe smtp SMTP_Probe
  interval 15
  passdetect interval 30
  expect status 210 250

parameter-map type connection TCP_Mail_TO
  slowstart
  set timeout inactivity 2
  set tcp timeout half-closed 15
  set tcp ack-delay 300
  tcp-options timestamp allow

rserver host hub2
  ip address *.*.*.*.*.*
  inservice

serverfarm host Mail_Hub_Servers_SF
  probe SMTP_Probe
  rserver hub2 25
    inservice

class-map match-all Mail_Hub_VIP
  2 match virtual-address *.*.*.*.*.* tcp eq smtp

class-map type management match-any Remote_Management
  2 match protocol http any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any

policy-map type management first-match rmt_mgt_policy
  class Remote_Management
    permit

policy-map type loadbalance first-match Mail_Hub_VIP-l7slb
  class class-default
    serverfarm Mail_Hub_Servers_SF

policy-map multi-match int7
  class Mail_Hub_VIP
    loadbalance vip inservice
    loadbalance policy Mail_Hub_VIP-l7slb
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    connection advanced-options TCP_Mail_TO

access-group input ALL

interface vlan 108
  ip address *.*.*.*.
  alias *.*.*.*
  peer ip address *.*.*.*.
  no normalization
  no icmp-guard
  service-policy input rmt_mgt_policy
  service-policy input int7
  no shutdown

ip route 0.0.0.0 0.0.0.0 *.*.*.*
11-24-2008 11:10 AM
Since you are using one-arm mode, you need to make sure that the return traffic (from the mail servers) doesn't bypass the ACE.
This is normally achieved using source NAT or PBR. I don't see source NAT in your config; are you using policy-based routing?
Since you are trying to avoid NAT and you are playing with your VLANs, why don't you use routed mode in this ACE context? With routed mode your VIPs will listen on one VLAN (separate address space) and the reals will reside in a different VLAN (address space).
This way ACE will do the destination address translation and you will be able to preserve Source addresses hitting the mail servers.
Syed Iftekhar Ahmed
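An added example of the routed-mode layout described in the reply above; this is not configuration posted by anyone in the thread. The addresses are hypothetical: the VIP stays on VLAN 108 next to the existing router (GLBP 172.16.7.1, as in the router config posted later in the thread), while the mail servers move to a new VLAN 208 (172.16.8.0/24) whose default gateway is the ACE alias. Because the servers' only path out is through the ACE, replies to load-balanced connections come back through it without source NAT, so the servers still log the real client address.

```cisco
! Added example (hypothetical addresses), not from the original posts.
! Routed-mode ACE context: clients and VIP on VLAN 108, rservers on VLAN 208.
! The rservers must use the VLAN 208 alias (172.16.8.1) as their default gateway.

access-list ALL line 10 extended permit ip any any

rserver host hub2
  ip address 172.16.8.11
  inservice

serverfarm host Mail_Hub_Servers_SF
  probe SMTP_Probe
  rserver hub2 25
    inservice

class-map match-all Mail_Hub_VIP
  2 match virtual-address 172.16.7.67 tcp eq smtp

policy-map type loadbalance first-match Mail_Hub_VIP-l7slb
  class class-default
    serverfarm Mail_Hub_Servers_SF

policy-map multi-match int7
  class Mail_Hub_VIP
    loadbalance vip inservice
    loadbalance policy Mail_Hub_VIP-l7slb
    loadbalance vip icmp-reply active

access-group input ALL

! Client-side VLAN: the VIP lives here. No source NAT is configured;
! the ACE only rewrites the destination (VIP -> rserver) and back.
interface vlan 108
  ip address 172.16.7.250 255.255.255.0
  alias 172.16.7.252 255.255.255.0
  peer ip address 172.16.7.251 255.255.255.0
  service-policy input int7
  no shutdown

! Server-side VLAN: the ACE is the routed hop between the servers and
! everything else, so every reply traverses it.
interface vlan 208
  ip address 172.16.8.2 255.255.255.0
  alias 172.16.8.1 255.255.255.0
  peer ip address 172.16.8.3 255.255.255.0
  no shutdown

! ACE default route toward the upstream router (GLBP address).
ip route 0.0.0.0 0.0.0.0 172.16.7.1

! --- On the upstream IOS router (hypothetical): a route to the server VLAN
! via the ACE alias, so server-initiated traffic (outbound mail, management)
! also comes back through the ACE rather than being unreachable.
! ip route 172.16.8.0 255.255.255.0 172.16.7.252
```

The check that matters when moving to this layout is that nothing else (no second SVI on the router, no BVI) offers the 172.16.8.0/24 servers a path that avoids the ACE; if it does, the same asymmetric-return problem reappears in routed mode.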
11-24-2008 12:26 PM
I would like to avoid trying routed mode for this right now, because we haven't had a good experience with routed mode here. I can try creating a new context in routed mode, because I cannot experiment with production mail. Also, I have this scenario working fine on 3 other contexts with 0 connections being dropped. The other thing is I am not dropping all connections; it's dropping about 2-8% of the connections. I have been playing around with connection limits.
Interface: vlan 108
  service-policy: int7
    class: Mail_Hub_VIP
      loadbalance:
        L7 loadbalance policy: Mail_Hub_VIP-l7slb
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED-WHEN-ACTIVE
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 1         , hit count        : 12052
        dropped conns    : 839
        client pkt count : 385190    , client byte count: 375718706
        server pkt count : 133814    , server byte count: 11089648
        conn-rate-limit      : 50        , drop-count : 0
        bandwidth-rate-limit : -         , drop-count : -
      Parameter-map(s):
        TCP_Mail_TO
11-25-2008 04:57 AM
I am sorry, I looked back through my notes and it was not policy-based routing which caused a whole network issue. It was creating BVI interfaces. I am going to work on PBR and read up on it and see what I need to do. If you have any whole configuration examples on setting it up, that would be great. I know the commands, but I don't want to mess this up if I don't have an example to follow.
11-26-2008 06:22 AM
Well I did do the PBR and it made no difference.
The following are the commands I ran.
access-list 100 permit tcp host 172.16.7.67 eq smtp any
!
route-map 7_Subnet permit 10
 match ip address 100
 set ip next-hop 172.16.7.254   <-- This is my ACE default gateway.
!
interface Vlan108
 ip address 172.16.7.2 255.255.255.0
 ip policy route-map 7_Subnet
 glbp 108 ip 172.16.7.1
 glbp 108 load-balancing host-dependent
 glbp 108 authentication text ****
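An added example, not configuration from the thread, of the one-arm PBR arrangement the other replies describe, with hypothetical addresses: rservers 172.16.7.21 and 172.16.7.22, ACE interface addresses 172.16.7.250/.251 with alias 172.16.7.252; the router SVI and GLBP addresses are the ones in the post above. The condition PBR has to meet is that `set ip next-hop` delivers the servers' replies to the ACE itself, i.e. its alias on VLAN 108 (the alias follows whichever unit of the FT pair is active). A next hop that points at the ACE's own upstream gateway is the router itself, and in that case the return path is unchanged.

```cisco
! Added example (hypothetical addresses), not from the original posts.
! One-arm ACE on VLAN 108 without source NAT: the router policy-routes the
! rservers' SMTP replies to the ACE alias so both directions traverse the ACE.

! --- IOS distribution router, VLAN 108 SVI (apply on BOTH GLBP routers:
!     with host-dependent load balancing either one can be a server's forwarder)
ip access-list extended ACE_RETURN
 remark Replies from rservers to load-balanced SMTP clients (source port 25).
 remark Server-initiated mail uses an ephemeral source port and is NOT matched.
 permit tcp host 172.16.7.21 eq smtp any
 permit tcp host 172.16.7.22 eq smtp any
!
route-map ACE_RETURN permit 10
 match ip address ACE_RETURN
 set ip next-hop 172.16.7.252
!
interface Vlan108
 ip address 172.16.7.2 255.255.255.0
 ip policy route-map ACE_RETURN
 glbp 108 ip 172.16.7.1
 glbp 108 load-balancing host-dependent
!
! --- ACE context (one-arm). The servers keep the GLBP address 172.16.7.1 as
!     their default gateway; the ACE has no NAT configured.
interface vlan 108
  ip address 172.16.7.250 255.255.255.0
  alias 172.16.7.252 255.255.255.0
  peer ip address 172.16.7.251 255.255.255.0
  service-policy input int7
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 172.16.7.1
```

A quick check after applying this is `show route-map ACE_RETURN` on each router: the policy-routing match counter should climb with mail volume. If it does not, the servers' replies are reaching the router on an interface without the policy, or the ACL does not match the real server addresses. Once both halves of each connection pass through the ACE, it also sees the servers' FIN/RST and can close connection entries itself, and `no normalization` is no longer needed to let one-directional flows through.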
11-24-2008 12:15 PM
With the current configuration your connections are asymmetric; if you do not do source NAT then you will need PBR to get return traffic back through the ACE.
What you have right now has ace handling client to server traffic and server to client traffic going around the ace. This is being allowed right now because you have no normalization on the interface.
11-24-2008 02:41 PM
In my scenario (one-armed mode), I am using SNAT for requests originating from server vlan hitting its own VIP. This resolved the self-hit issue.
However, I am unable to get a successful response from the rserver after mapping the public IP to the VIP on the ACE. Would I need source NAT for client-to-server traffic originating from the outside network (the internet)?
The static translation on the ASA and the ACL hits are showing correct statistics. I am able to ping the VIP via the public IP (ICMP is also load balanced on the ACE), but the HTTP request fails. HTTP requests from all other inside networks are successful.
Any suggestions.
Regards.
11-25-2008 06:37 AM
With two-armed mode, shouldn't the ACE know how to get the traffic back to me without using PBR?
Two Armed Mode - This topology is used when the device that makes the connection to the VIP enters the ACE on a different VLAN than that on which the servers reside. If the servers have the default gateway set to the ACE, there is no need for source NAT. The reply traffic returns to the ACE before it is sent back to the client.