Re: ACE ping probe

Robert Saurer · ‎12-09-2006

Hi,

I have a strange problem on my ACE in one-arm design.

I have a real server which I can ping from the ACE, but a ping probe always fails:

server : APACHE4

10.144.131.6 28 28 0 FAILED

Socket state : CLOSED

No. Passed states : 0 No. Failed states : 1

No. Probes skipped : 4 Last status code : 0

No. Out of Sockets : 0 No. Internal error: 0

Last disconnect err : Server reply timeout (no reply)

Last probe time : Sat Dec 9 11:42:57 2006

Last fail time : Sat Dec 9 11:29:57 2006

Last active time : Never

ace/INTRANET# ping 10.144.131.6

Pinging 10.144.131.6 with timeout = 2, count = 5, size = 100 ....

Response from 10.144.131.6 : seq 1 time 0.335 ms

Response from 10.144.131.6 : seq 2 time 0.181 ms

Response from 10.144.131.6 : seq 3 time 0.340 ms

Response from 10.144.131.6 : seq 4 time 0.266 ms

Response from 10.144.131.6 : seq 5 time 0.341 ms

5 packet sent, 5 responses received, 0% packet loss

I have a couple of other real servers which do not have this problem.

Any ideas?

According to netflow on the 6500 the server answers correctly.

There are no syslog messages.

interface vlan 552

ip address 10.144.130.3 255.255.255.0

alias 10.144.130.1 255.255.255.0

peer ip address 10.144.130.2 255.255.255.0

no normalization

no icmp-guard

access-group input PERMIT

service-policy input MANAGEMENT

service-policy input SLB

no shutdown

probe icmp PING

interval 2

faildetect 5

passdetect interval 30

passdetect count 2

rserver host APACHE1

ip address 10.144.131.131

probe PING

inservice

rserver host APACHE2

ip address 10.144.131.132

probe PING

inservice

rserver host APACHE3

ip address 10.144.131.133

probe PING

inservice

rserver host APACHE4

ip address 10.144.131.6

probe TEST

probe PING

inservice

probe tcp TEST

port 22

interval 2

faildetect 5

passdetect interval 30

passdetect count 2

ace/INTRANET# sh probe

probe : PING

type : ICMP, state : ACTIVE

----------------------------------------------

port : 0 address : 0.0.0.0 addr type : -

interval : 2 pass intvl : 30 pass count : 2

fail count: 5 recv timeout: 10

--------------------- probe results --------------------

probe association probed-address probes failed passed health

------------------- ---------------+----------+----------+----------+-------

rserver : APACHE1

10.144.131.131 2312 0 2312 SUCCESS

rserver : APACHE2

10.144.131.132 2311 0 2311 SUCCESS

rserver : APACHE3

10.144.131.133 2311 0 2311 SUCCESS

rserver : APACHE4

10.144.131.6 38 38 0 FAILED

rserver : IIS1

10.144.131.129 2311 0 2311 SUCCESS

rserver : IIS2

10.144.131.130 2311 0 2311 SUCCESS

probe : TEST

type : TCP, state : ACTIVE

----------------------------------------------

port : 22 address : 0.0.0.0 addr type : -

interval : 2 pass intvl : 30 pass count : 2

fail count: 5 recv timeout: 10

--------------------- probe results --------------------

probe association probed-address probes failed passed health

------------------- ---------------+----------+----------+----------+-------

rserver : APACHE4

10.144.131.6 557 0 557 SUCCESS

I have 3.0(0)A1(3b)

smahbub · ‎12-18-2006

This URL should help you:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080683a12.html

Robert Saurer · ‎12-18-2006

Hi,

unfortunately your URL did not help me.

I found out that the sup720-3b adds a 23bytes zero-byte padding to exact the frames corresponding to the failing ping probe. I saw this by spanning the internal te4/1 port from the switch to the ACE to a sniffer.

The strange thing is that the frame is padded although it's larger than the minimum frame size of 64 bytes.

When I configure a log-input ACL on the sup720-3b to force the traffic to be routed by the MSFC3 instead of the PFC3 then the ping probe works and the same frames are not padded any more!!

We run IOS modularity on the sups and according to the 12.2SX release notes they do not support the ACE. I suppose that's the root cause. We will change the sup sw ASAP.