04-10-2013 02:38 AM
Hello guys,
Hope you all are doing well. I need some advice on the following setup.
We migrated one URL from ACE-MOD to ACE-4710 and got the following error.
URL is http://abc.com/portal/eng
When we hit this URL on an individual real server (http://realserver1/portal/eng), DNS returns the host name of the client PC.
But when they hit the actual URL (http://abc.com/portal/eng) they get a reply from abc.com.
Here's the detail:
abc.com-----> Id#Rank#HostName--->007#xxx#abc.com
real server ----> Id#Rank#HostName--->007#xxx#client PC name
Do we need to change any setting on the ACE appliance? I appreciate all responses.
Thank you in advance.
Cheers!
Andrew
04-11-2013 09:25 PM
Andrew,
Can you paste the configuration which you had under the ACE module before, and what changes you have applied under the ACE 4710?
Technically, it should not make any difference besides a couple of features.
Could you explain a little bit more what you would expect to see?
What is the behavior if you type the VIP IP address of abc.com in the browser instead of the DNS domain?
Jorge
04-15-2013 02:01 AM
Jorge,
Thank you for your reply.
In one-arm mode, servers will respond to the LB (ACE), where the server's IP is replaced with the VIP and the response message is sent to the client.
We don't want the server's response to be replaced with the VIP. We'd like the server to reply to the client directly, and we also want to use one-arm mode.
Please find the configuration for both the module and the appliance.
ACE MODULE CONFIG (bridge mode)
probe tcp TCP_1
  ip address 10.1.1.11
  interval 60
  faildetect 5
  passdetect interval 150
  receive 5
probe tcp TCP_2
  ip address 10.1.1.12
  interval 60
  faildetect 5
  passdetect interval 150
  receive 5
rserver host TCP_1_ABC
  ip address 10.1.1.11
  probe TCP_1
  inservice
rserver host TCP_2_ABC
  ip address 10.1.1.12
  probe TCP_2
  inservice
serverfarm host ABC
  rserver TCP_1_ABC
    inservice
  rserver TCP_2_ABC
    inservice
class-map match-all ABC_VIP
  2 match virtual-address 10.1.1.13 any
policy-map type management first-match ACE-MGMT-TRAFFIC
  description Policy-map for Remote Management of ACE context
  class ACE-MGMT-TRAFFIC
    permit
policy-map type loadbalance first-match ABC_PROD
  class class-default
    serverfarm ABC
policy-map multi-match L4POLICY
  class ABC_VIP
    loadbalance vip inservice
    loadbalance policy ABC_PROD
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
access-group input permit_all
interface vlan 2
  bridge-group 3
  no shutdown
interface vlan 3
  bridge-group 3
  no normalization
  no icmp-guard
  service-policy input ACE-MGMT-TRAFFIC
  service-policy input L4POLICY
  no shutdown
interface bvi 3
  ip address 10.1.1.3 255.255.255.0
  alias 10.1.1.1 255.255.255.0
  peer ip address 10.1.1.2 255.255.255.0
  no shutdown
ACE APPLIANCE CONFIG (one-arm mode)
probe tcp TCP80
  port 80
  interval 5
  passdetect interval 5
  connection term forced
rserver host TCP_1_ABC
  ip address 10.1.1.11
  inservice
rserver host TCP_2_ABC
  ip address 10.1.1.12
  inservice
serverfarm host ABC
  probe TCP80
  rserver TCP_1_ABC 80
    inservice
  rserver TCP_2_ABC 80
    inservice
policy-map type loadbalance first-match ABC_POLICY
  class class-default
    serverfarm ABC
class-map match-all ABC_CLASS
  2 match virtual-address 10.1.1.13 any
policy-map multi-match POLICY
  class ABC_CLASS
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy ABC_POLICY
    nat dynamic 5 vlan 2
interface vlan 2
  nat-pool 5 10.1.1.13 10.1.1.13 netmask 255.255.255.255 pat
Thank you again.
Sincerely,
Andrew
04-17-2013 11:50 AM
Hi Andrew,
Here is a good post related to "DSR Mode -- Direct Server Response":
http://snippets101.blogspot.be/2008/08/asymmetric-server-normalization-on.html
The key thing is to make a few changes on the server:
Loop back adapter on server with VIP IP address.
On ACE:
no normalization
no icmp-guard
If you have a specific question, please let me know; I would be happy to answer.
Hope that helps,
regards,
Ajay Kumar
04-18-2013 12:31 AM
Hi Ajay,
Thank you for your reply.
We are not using asymmetric routing; we configured source NAT on the ACE. Therefore all the responses from the server go through the ACE.
In this case, I'm not sure whether we still need to disable normalization.
Currently, we enabled "X-Forwarded-For" on that particular serverfarm, but it still doesn't work. The application log still shows the reply came from the VIP of the ACE to the client.
I appreciate your help. Thanks again.
Sincerely,
Andrew
04-18-2013 12:42 AM
Hi,
If your motive is to log the IP address of the client on the servers in the serverfarm, then use the following example to configure the Cisco ACE to insert the IP address of the client ("X-Forwarded-For"). Just enabling it on the server is not going to log it; you also have to enable it on the Cisco ACE.
----------------------------------------
access-list ANYONE line 10 extended permit ip any any
probe tcp TCP
rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice
serverfarm host REAL_SERVERS
  probe TCP
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice
class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 tcp eq www
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
    insert-http X-Forwarded-For header-value "%is"
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.51.1
regards,
Ajay Kumar
04-18-2013 12:44 AM
Hi,
Also on this point:
"The application log is still showing the reply came from VIP of ACE to Client."
This is expected, as the client is also trying to connect to the VIP, not to the server directly.
regards,
Ajay Kumar
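The two points Ajay makes here (the server must read the header the ACE inserts, and the TCP peer it sees is the VIP/NAT address rather than the client) can be checked on the server side. The following is an added example, not code from the thread or from Cisco: it assumes the ACE inserts X-Forwarded-For with "%is" as in Ajay's config, that the real servers see 10.1.1.13 (Andrew's nat-pool 5 address) as the TCP peer for load-balanced requests, and that only that address is allowed to vouch for the header, so a forged X-Forwarded-For on a direct hit against realserver1 is ignored.

```python
"""Recover the client address on a real server behind a Cisco ACE doing source NAT.

Added example; not code from the thread or from Cisco. Assumptions:
  * the ACE adds "X-Forwarded-For: <client source IP>" (header-value "%is");
  * load-balanced requests arrive from the ACE NAT pool address 10.1.1.13,
    which is why the application log shows the VIP instead of the client;
  * only that address may vouch for X-Forwarded-For.
"""
import ipaddress
from dataclasses import dataclass

# Addresses whose X-Forwarded-For header is believed. Constructed from the
# thread's nat-pool 5 (10.1.1.13); add every ACE NAT pool address in use.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.1.1.13")})


@dataclass(frozen=True)
class ClientIdentity:
    address: str  # address to write to the application log
    source: str   # "x-forwarded-for" or "tcp-peer"


def parse_headers(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a minimal HTTP/1.x request head into (request line, headers).

    Repeated header names are joined with ", " as RFC 7230 allows, so a
    client-supplied X-Forwarded-For followed by the ACE-inserted one ends
    up as "client-value, ace-value" (same result as if the ACE had appended).
    """
    head = raw.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return lines[0], headers


def resolve_client(peer_ip: str, headers: dict[str, str]) -> ClientIdentity:
    """Return the address to log for a request arriving from peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("x-forwarded-for")
    # Direct connection (Andrew's http://realserver1/ test) or an untrusted
    # hop: the TCP peer is the best evidence, whatever the header claims.
    if peer not in TRUSTED_PROXIES or not xff:
        return ClientIdentity(str(peer), "tcp-peer")
    # The trusted ACE appended its value last, so the rightmost entry is the
    # address it observed; anything to the left was supplied by the client.
    candidates = [part.strip() for part in xff.split(",") if part.strip()]
    try:
        client = ipaddress.ip_address(candidates[-1])
    except (IndexError, ValueError):
        # Malformed header: log the peer rather than garbage.
        return ClientIdentity(str(peer), "tcp-peer")
    return ClientIdentity(str(client), "x-forwarded-for")


def access_log_line(peer_ip: str, raw_request: bytes) -> str:
    """Produce the kind of line Andrew's application log should contain."""
    request_line, headers = parse_headers(raw_request)
    who = resolve_client(peer_ip, headers)
    return f'{who.address} ({who.source}) "{request_line}"'


if __name__ == "__main__":
    # Constructed sample: request relayed by the ACE after SNAT, header inserted.
    via_ace = (b"GET /portal/eng HTTP/1.1\r\nHost: abc.com\r\n"
               b"X-Forwarded-For: 203.0.113.7\r\n\r\n")
    print(access_log_line("10.1.1.13", via_ace))
    # Constructed sample: same path, but the client also sent its own header.
    two_headers = (b"GET /portal/eng HTTP/1.1\r\nHost: abc.com\r\n"
                   b"X-Forwarded-For: 192.0.2.99\r\n"
                   b"X-Forwarded-For: 203.0.113.7\r\n\r\n")
    print(access_log_line("10.1.1.13", two_headers))
    # Constructed sample: client hits realserver1 directly with a forged header.
    direct = (b"GET /portal/eng HTTP/1.1\r\nHost: realserver1\r\n"
              b"X-Forwarded-For: 192.0.2.99\r\n\r\n")
    print(access_log_line("198.51.100.9", direct))
    # Constructed sample: ACE without insert-http, which is what Andrew sees.
    no_header = b"GET /portal/eng HTTP/1.1\r\nHost: abc.com\r\n\r\n"
    print(access_log_line("10.1.1.13", no_header))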
04-18-2013 12:58 AM
Hi Ajay,
Yes, it's the correct behaviour of the current setup on the ACE appliance.
Unfortunately, the client was getting the reply directly from the real server in the previous setup on the ACE module.
We migrated this URL from the module to the appliance, and the behaviour of the response has changed. The client is now getting the response from the VIP.
As a requirement, we need to get the reply directly from the real server to the client in the current config.
Any suggestions please? Thanks in advance.
Sincerely,
Andrew
04-18-2013 01:04 AM
That is only possible by disabling normalization and ICMP guard on the ACE and making the flow asymmetric.
regards,
Ajay Kumar
04-18-2013 02:50 AM
Hi Ajay,
Really appreciate your reply.
We only have one interface in the LB context. By disabling normalization and ICMP guard, will there be an impact on other URLs and serverfarms? Below is the current interface vlan config.
interface vlan 2
  nat-pool 5 10.1.1.13 10.1.1.13 netmask 255.255.255.255 pat
  nat-pool 6 10.1.1.14 10.1.1.14 netmask 255.255.255.255 pat
  nat-pool 7 10.1.1.15 10.1.1.15 netmask 255.255.255.255 pat
  nat-pool 8 10.1.1.16 10.1.1.16 netmask 255.255.255.255 pat
  nat-pool 9 10.1.1.17 10.1.1.17 netmask 255.255.255.255 pat
Thank you again.
Sincerely,
Andrew
04-18-2013 03:01 AM
Hi,
By disabling normalization, all connections will close by timeout. Also, any packet can create a connection on the ACE, even a SYN-ACK,
as the ACE will not be able to see half of the connection.
So you will see an increase in resource usage on the ACE. You should also reduce the timeouts for TCP inactivity and half-closed connections to ensure that connections get cleared faster, in order to avoid over-utilization of resources.
regards,
Ajay Kumar