cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4193
Views
0
Helpful
10
Replies

ACE-Module

Andrew_Khai
Level 1
Level 1

Hello guys,

Hope you all are doing well. I need some advise on the following setup.

We migrated one URL from ACE-MOD to ACE-4710 and got the following error.

URL is http://abc.com/portal/eng

When we hit this URL on individual real server (http://realserver1/portal/eng), DNS returns host names of the client PC.

But when they hit actual URL (http://abc.com/portal/eng ) they got reply from abc.com.

Here's the detail,  

abc.com-----> Id#Rank#HostName--->007#xxx#abc.com

real server ----> Id#Rank#HostName--->007#xxx#client PC name

Do we need to change any setting on ACE appliance? Appreciate to all the response.

Thank you in advanced.

Cheer!

Andrew

10 Replies 10

Jorge Bejarano
Level 4
Level 4

Andrew,

Can you paste the configuration which you got under the ACE module before and what changes you have applied under the ACE 4710?

Technically, it should not make any difference besides a couple of features.

Could you explain a little bit more what you would expect to see?

What is the behavior if you type the VIP IP address of abc.com in the browser instead of the DNS domain?

Jorge

Jorge,

Thank you for your reply.

In one arm mode, servers will respond to LB (ACE), where the server’s IP is replaced with the VIP and the response message is sent to the client.

We don't want server's respond to be replaced with VIP. We'd like server to reply to Client directly and we also want to use One arm mode.

Please find the configuration for both Module and appliance.

ACE MODULE CONFIG ( bridge mode )

probe tcp TCP_1

  ip address 10.1.1.11

  interval 60

  faildetect 5

  passdetect interval 150

  receive 5

probe tcp TCP_2

  ip address 10.1.1.12

  interval 60

  faildetect 5

  passdetect interval 150

  receive 5

rserver host TCP_1_ABC

  ip address 10.1.1.11

  probe TCP_1

  inservice

rserver host TCP_2_ABC

  ip address 10.1.1.12

  probe TCP_2

  inservice

serverfarm host ABC

  rserver TCP_1_ABC

    inservice

  rserver TCP_2_ABC

    inservice

class-map match-all ABC_VIP

  2 match virtual-address 10.1.1.13 any

policy-map type management first-match ACE-MGMT-TRAFFIC

  description Policy-map for Remote Management of ACE context

  class ACE-MGMT-TRAFFIC

    permit

policy-map type loadbalance first-match ABC_PROD

  class class-default

    serverfarm ABC

policy-map multi-match L4POLICY

  class ABC_PROD

    loadbalance vip inservice

    loadbalance policy ABC_PROD

    loadbalance vip icmp-reply active

    loadbalance vip advertise active

access-group input permit_all

interface vlan 2

  bridge-group 3

  no shutdown

interface vlan 3

  bridge-group 3

  no normalization

  no icmp-guard

  service-policy input ACE-MGMT-TRAFFIC

  service-policy input POLICY

  no shutdown

interface bvi 3

  ip address 10.1.1.3 255.255.255.0

  alias 10.1.1.1 255.255.255.0

  peer ip address 10.1.1.2 255.255.255.0

  no shutdown

ACE APPLIANCE CONFIG ( One arm mode )

probe tcp TCP80

  port 80

  interval 5

  passdetect interval 5

  connection term forced

rserver host TCP_1_ABC

  ip address 10.1.1.11

  inservice

rserver host TCP_2_ABC

  ip address 10.1.1.12

  inservice

serverfarm host ABC

  probe TCP80

  rserver TCP_1_ABC 80

    inservice

  rserver TCP_2_ABC 80

    inservice

policy-map type loadbalance first-match ABC_POLICY

  class class-default

    serverfarm ABC

class-map match-all ABC_CLASS

  2 match virtual-address 10.1.1.13 any

policy-map multi-match POLICY

  class ABC_CLASS

    loadbalance vip inservice

    loadbalance vip icmp-reply active

    loadbalance policy ABC_POLICY

    nat dynamic 5 vlan 2

interface vlan 2

  nat-pool 5 10.1.1.13 10.1.1.13 netmask 255.255.255.255 pat

Thank you again.

Sincerely,

Andrew

Hi Andrew,

Here is a good post related to "DSR Mode -- Direct server response"

http://snippets101.blogspot.be/2008/08/asymmetric-server-normalization-on.html

The key thing is to make few changes on the server :

Loop back adapter on server with VIP IP address.

On ACE:

no normalization

no icmp-guard

If you have specific question please let me know I would be happy to answer.

Hope that helps,

regards,

Ajay Kumar

Hi Ajay,

Thank you for your reply.

We are not using asymmetrical routing, we configured Source NAT on ACE. Therefore all the response from Server goes through ACE.

In this case, I'm not sure do we still need to disable normalization?

Currently, we unabled "X-Forward-For" on that particular serverfarm. But still doesn't work. The application log is still showing the reply came from VIP of ACE to Client.

Appreciate for your help. Thanks again.

Sincerely,

Andrew

Hi,

If your motive is to log the IP address of the client on the servers in serverfarm then use the following example to configure Cisco ACE to insert the IP address of the client ( "X-Forward-For). Just enabling it on server is not going to log it you also have to enable it on the Cisco ACE.

----------------------------------------

access-list ANYONE line 10 extended permit ip any any

probe tcp TCP

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  probe TCP
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 tcp eq www

policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
    insert-http X-Forwarded-For header-value "%is"

policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active

interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0

  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0

  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.51.1

regards,

Ajay Kumar

Hi,

Also on this point :

"The application log is still showing the reply came from VIP of ACE to Client."

This is expected as client is also trying to connect to VIP not to the server directly.

regards,

Ajay Kumar

Hi Ajay,

Yes, it's correct behaviour of current setup on ACE appliance

Unfortunately, Client was getting the reply directly from real server in previous setup in ACE Module.

We migrated this URL from Module to appliance and the behaviour of the response had been changed. Client is now getting response from VIP.

As a requirement, we need to get the reply directly from real server to client in current config

Any suggestions please? Thanks in advance.

Sincerely,

Andrew

That is only possible if you disable Normalization and ICMP guard on ACE and by making the flow assymetric.

regards,

Ajay Kumar

Hi Ajay,

Really appreciate your reply.

We only have one interface in LB context. By disabling normilization and ICMP guard, will there be impact to others URL and serverfarms? Below is the current interface vlan config.

interface vlan 2

  nat-pool 5 10.1.1.13 10.1.1.13 netmask 255.255.255.255 pat

  nat-pool 6 10.1.1.14 10.1.1.14 netmask 255.255.255.255 pat

  nat-pool 7 10.1.1.15 10.1.1.15 netmask 255.255.255.255 pat

  nat-pool 8 10.1.1.16 10.1.1.16 netmask 255.255.255.255 pat

   nat-pool 9 10.1.1.17 10.1.1.17 netmask 255.255.255.255 pat

Thank you again.

Sincerely,

Andrew

Hi,

By disabling normalization all the connection will close by timeout. Also any packet can create connection on ACE. Even a Syn-ack.

As ACE will not be able to see half of the connection.

So you will see an increase in resource usage in ACE. You should also reduce the timeout on TCP inactivity and half closed connection to ensure that the connection gets clear faster in order to avoid over utilization of resource.

regards,

Ajay Kumar

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: