04-09-2010 08:26 AM
I'm wondering if anyone knows if I can have an ACE4710 not reply to ICMP requests for a VIP unless at least one of the host rservers is up. It appears to reply if just a single redirect service is online.
Thanks,
Chad
04-09-2010 12:17 PM
Hi Chad,
Yes, this can be done; however, it depends on the way you configured the backup availability on the ACE.
To the best of my knowledge, the only way you can have the ACE reply to ICMP queries only if "host" rservers are alive is if you configure a separate SF for your backup server, then include it on the first-match policy as backup (it can be included in the sticky group also, if configured), then apply the command "loadbalance vip icmp-reply active primary-inservice" under the multi-match policy, for example:
serverfarm host Sorry
  rserver SS
    inservice
serverfarm host Web
  probe HTTP
  rserver Web
    inservice
policy-map type loadbalance first-match Web
  class class-default
    serverfarm P backup Sorry
policy-map multi-match LB
  class HTTP
    loadbalance vip inservice
    loadbalance policy Web
    loadbalance vip icmp-reply active primary-inservice
****************************************************************
If you've configured the backup service as inservice standby under the same SF, then most likely ICMP requests will be answered, as the ACE only needs an rserver (host|redirect) to consider the SF "inservice":
serverfarm host Web
  probe HTTP
  rserver B
    inservice standby
  rserver N
    backup-rserver B
    inservice
Hope this helps.
Pablo
Cisco TAC
04-09-2010 12:30 PM
Pablo,
Thank you for your answer but I don't think it will accomplish what I want as the redirect isn't a sorry error page. I'm trying to replicate a CSS config on my ACE. Basically what I'm trying to do is this.
server x
  ip addr 1.1.1.1
  keep uri "/blah/blah.htm"
  active
server y
  ip addr 2.2.2.2
  keep uri "/blah/blah.htm"
  act
owner x
  content x-redirect
    redirect "/blah"
    vip addr 3.3.3.3
    act
  content x
    vip addr 3.3.3.3
    url "/blah*"
    add serv y
    add serv x
    act
In this config the VIP will be pingable if either of the servers is up (redirect doesn't matter).
Thanks,
Chad
04-09-2010 02:16 PM
Chad,
Thanks for the clarification. Regrettably, I'm pretty sure the ACE works the same as the CSS in this requirement.
The problem is that the content rules (CSS) and the class-maps (ACE) are not dependent on each other, i.e. with a config like the one shown below, regardless of whether you suspend the service SIP or the content Web, ICMP is still going to be answered, as the MAC address is still allocated in the ARP table of your SW. In this case, for the content Redirect, there's no way you can stop ICMP replies other than manually suspending the rule.
owner Web
  content Redirect
    vip address 10.10.10.10
    url "/*"
    port 80
    protocol tcp
    redirect "http://website.com/blah.htm"
    active
  content Web
    vip address 10.10.10.10
    port 80
    protocol tcp
    url "/blah*"
    add service SIP
    active
I had thought I would've been able to do it with an ACL like this one, buuuut this is not traffic directed to the VIP :S
acl 5
  clause 1 deny icmp any destination content Web/Redirect
  clause 2 permit icmp any destination content Web/Web
  clause 3 permit any any destination any
  apply circuit-(VLAN10)
*************************************************************************
The same happens with the ACE: redirect services will always make the VIP show as "inservice", as they don't require a health check to check the aliveness; these were meant to be UP all the time.
serverfarm host Web
  probe HTTP
  rserver Web-1
    inservice
  rserver Web-2
    inservice
rserver redirect Redirect
  webhost-redirection https://%h/blah.htm
  inservice
serverfarm redirect Blah
  rserver Redirect
    inservice
class-map type http loadbalance match-any Any
  2 match http url .*
class-map type http loadbalance match-any Blah
  2 match http url /blah.htm
policy-map type loadbalance first-match Insertion
  class Blah
    serverfarm Web
  class Any
    serverfarm Blah
*************************************************************************
04-09-2010 02:25 PM
OK, I think that is the answer then. I'll have to submit a feature request. On CSS the VIP is only pingable if an actual service is up (on CSS, redirect is configured in a content rule, not as a redirect service, so I think this is the difference). You can have redirects on a VIP and the VIP won't respond to ICMP until at least one service is up. We use this feature so that various tools can monitor VIP status with a simple ping script.
Thanks,
Chad
04-09-2010 03:10 PM
Chad,
Can you verify this again at your side? The CSS does respond to ICMP even when no services are UP and only the content doing the redirect is active.
content Redirect
  vip address 10.198.16.105
  url "/*"
  port 80
  protocol tcp
  redirect "http://website.com/blah.htm"
  active
content Web
  vip address 10.198.16.105
  port 80
  protocol tcp
  url "/blah*"
  add service Z
C:\Documents and Settings\>ping 10.198.16.105
Pinging 10.198.16.105 with 32 bytes of data:
Reply from 10.198.16.105: bytes=32 time=1ms TTL=126
Reply from 10.198.16.105: bytes=32 time=1ms TTL=126
Reply from 10.198.16.105: bytes=32 time=2ms TTL=126
Reply from 10.198.16.105: bytes=32 time=1ms TTL=126
Reply from 10.198.16.105: bytes=32 time<1ms TTL=126
Reply from 10.198.16.105: bytes=32 time<1ms TTL=126
Reply from 10.198.16.105: bytes=32 time<1ms TTL=126
04-09-2010 03:26 PM
You are right. One of my coworkers told me that they had tested this on the CSS, but I just tried it and the redirect holds the VIP up, so this is expected.
Thanks,
Chad
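Since the thread concludes that a redirect rule or redirect rserver keeps the VIP answering ping, a monitoring check can probe at the HTTP layer instead. The following is an added example, not code from any poster or from Cisco; it assumes the keepalive URI "/blah/blah.htm" from the CSS config above is reachable through the VIP, and that only a 2xx answer proves a real server is up. The FakeVip handler is a constructed loopback stand-in for the load balancer.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_vip(host, port=80, path="/blah/blah.htm", timeout=3.0):
    """One GET through the VIP; only a 2xx from a real server counts as up."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)          # http.client never follows redirects
        resp = conn.getresponse()
        resp.read()
    except (OSError, http.client.HTTPException) as exc:
        return "down", f"no HTTP answer ({type(exc).__name__})"
    finally:
        conn.close()
    if 200 <= resp.status < 300:
        return "up", f"HTTP {resp.status}"
    if 300 <= resp.status < 400:           # the redirect answered, not a server
        return "redirect-only", f"HTTP {resp.status} -> {resp.getheader('Location')}"
    return "down", f"HTTP {resp.status}"

def demo():
    """Constructed stand-in VIP: 200 while a server is 'up', 302 once it is not."""
    state = {"servers_up": True}

    class FakeVip(BaseHTTPRequestHandler):
        def do_GET(self):
            up = state["servers_up"]
            self.send_response(200 if up else 302)
            if not up:
                self.send_header("Location", "http://website.com/blah.htm")
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):      # keep the demo quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), FakeVip)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    results = [probe_vip("127.0.0.1", port)]        # real server answering
    state["servers_up"] = False
    results.append(probe_vip("127.0.0.1", port))    # only the redirect answers
    srv.shutdown()
    srv.server_close()
    results.append(probe_vip("127.0.0.1", port))    # nothing listening at all
    return results

if __name__ == "__main__":
    for status, detail in demo():
        print(status, detail)
```
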