ACE issue for rserver with multiple IP on the same NIC

Dear all,

I'm going to configure an ACE in bridged mode to load balance incoming traffic to 3 TMG servers following this network diagram:

TT HMC - Network Diagram - ACE.jpg

The system design requires 4 IP addresses on the same NIC, and 3 VIPs for each pool of the IPs as presented in the diagram (rserver: 172.22.14.52 & 62 & 72 - VIP: 172.22.14.82). The attached configuration of the ACE was tested successfully, but we discovered that some NICs crash after a non-specific period (servers cannot ping their default gateway: Destination unreachable). I then need to restart the server to get things going well.

After troubleshooting many things, I discovered that when I remove the service policy on the ACE interface, the problem disappears and the servers continue to work correctly.

Is it possible that this problem is due to the ACE ARP table having 3 IP addresses with the same MAC? And how can I solve it?

Thanks, Abdelaziz


To help, this is the show arp result. I see that the four IP addresses of each server have the same MAC address, but only the first IP is LEARNED. Is it normal?

================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
================================================================================
172.22.14.51    00.c0.dd.16.90.4c  vlan2014  LEARNED    15067  13964 sec    up
172.22.14.52    00.c0.dd.16.90.4c  vlan2014  RSERVER    15051  173 sec      up
172.22.14.53    00.c0.dd.16.90.4c  vlan2014  RSERVER    15057  177 sec      up
172.22.14.54    00.c0.dd.16.90.4c  vlan2014  RSERVER    15059  178 sec      up
172.22.14.61    00.c0.dd.16.ae.60  vlan2014  LEARNED    15058  13677 sec    up
172.22.14.62    00.c0.dd.16.ae.60  vlan2014  RSERVER    15050  172 sec      up
172.22.14.63    00.c0.dd.16.ae.60  vlan2014  RSERVER    15064  181 sec      up
172.22.14.64    00.c0.dd.16.ae.60  vlan2014  RSERVER    15061  179 sec      up
172.22.14.71    00.c0.dd.16.93.b8  vlan2014  LEARNED    15065  13700 sec    up
172.22.14.72    00.c0.dd.16.93.b8  vlan2014  RSERVER    15048  171 sec      up
172.22.14.73    00.c0.dd.16.93.b8  vlan2014  RSERVER    15062  179 sec      up
172.22.14.74    00.c0.dd.16.93.b8  vlan2014  RSERVER    15068  291 sec      up
172.22.14.253   88.43.e1.75.9a.80  vlan2024  LEARNED    15019  9328 sec     up
172.22.14.254   88.43.e1.75.96.00  vlan2024  GATEWAY    14463  36 sec       up
172.22.14.250   00.23.5e.26.1e.71  bvi3      INTERFACE  LOCAL     _         up
================================================================================

Well, my question is very simple: it seems for sure that having 3 rservers with the same MAC address is causing a problem with the ACE in bridged mode and blocking the traffic between the server and the firewall.

Is there any solution for that?

Thanks.

Hi Abdelaziz,

As far as the ACE is concerned, there is no problem in having servers with multiple IP addresses. They will just be treated as separate reals.

From what you described, it seems that the fact that the server is receiving load-balancing connections may be leading to the issue, but bear in mind that the issue is on the server itself. Therefore, before trying to find a solution, you first need to understand what is causing the interface to fail. Then, if it's confirmed to be something related to the way the ACE handles connections, we can try to find a solution.

Regarding your question about the ARP table, the first IP address of each server is appearing as "Learned" indicating that it doesn't belong to either a real server or a gateway. This behavior is normal taking into account that those addresses are not associated to any real on the ACE.

Regards

Daniel

Hi Daniel,

I have 52 servers working correctly and the only problem that I have is with these 3 servers. I wanna ask if there is any problem with having rservers with the same MAC address when we are using the ACE in bridged mode?

Just for your information, when I remove the ACE and have the traffic going directly to the firewall module, the problem disappears.

Regards, Abdelaziz

No, as I said, there is no problem from the ACE point of view.

hey dude, can you share pcap files from the rservers? I would like to see how TCP sessions are established.

one question: does this issue occur immediately or does it take some time?

thanks.

the-great-l0k1

mx
