11-26-2013 03:26 AM
Hi,
I've noticed that the ACE is responding to TCP SYNs sent from an external device (in my particular example: a GSS device) to the VIP address of a serverfarm which is in the OUTOFSERVICE state because of failed rservers (ARP FAILED).
A context is configured on the ACE module, which is in bridge mode. The VIP of the serverfarm is set to listen on a TCP port.
Do you know why the ACE sends a TCP SYN ACK even though all rservers in the serverfarm are down?
How can I overcome that situation and set the ACE to respond to those requests only if the VIP is ACTIVE due to the INSERVICE state of the sfarm?
11-26-2013 04:17 AM
Hi Krzysztof,
Which version of ACE are you running?
When the ACE replies to the GSS keepalive, what is the status of the VIP (inservice or out of service) in show service-policy?
It could be a bug like the one below:
CSCtz42618 VIP on port 443 accepts connection when all real servers are down
Regards,
Kanwal
11-26-2013 04:51 AM
Hi Krzysztof,
Also, try to telnet to the VIP (which is responding to SYN) on the port it is configured for and see if it succeeds. If yes, then that is a problem and it must be matching the above DDTS. Please look at the DDTS mentioned above for details.
Regards,
Kanwal
11-26-2013 09:08 AM
Hi Kanwal,
Thank you for your answer.
It seems to be the same bug. GSS is set to send keepalives on TCP port 443.
I also tested a TCP connection from the ASA fw (ping tcp) on port 443 to the VIP, and the VIP answered all requests.
My software version in the ACE module is:
Version A2(3.5) [build 3.0(0)A2(3.5)]
Should I upgrade the version?
I can see there is no workaround to that issue:
CSCtz42618—When real servers are down and you try to telnet to the VIP IP, a connection is established in the ACE because the ICM (Ingress Connection Manager) is not checking the VIP status. If you send another request, the connection is dropped with an L7 rejection. Workaround: None.
Best regards,
Krzysztof
11-26-2013 02:56 PM
Hi Krzysztof,
You can upgrade to A236a, but the problem is that the DDTS doesn't mention whether it is fixed in that version or not.
I would suggest opening a TAC case to see what can be done about it, since there is no workaround mentioned for it.
It is fixed in the A5 train, but it seems that is for the ACE 30 module.
Regards,
Kanwal
11-26-2013 04:48 PM
Thanks Kanwal,
It's a strange issue because today it worked as expected: probes from the GSS to TCP port 443 on the VIP of the sfarm failed (when all reals were down). Some entries from the connection table had been removed yesterday, but the GSS was still announcing that the port was accessible.
There is another method to set probes from the GSS, checking HTTPS headers, but it is not tested yet.
Regarding the type of module, it is an ACE 20.
Anyway, I will raise a TAC ticket if the problem occurs again, as you suggested.
Kind regards,
Krzysztof
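
The difference between a handshake-only keepalive and one that waits for an application reply, which is the distinction the thread arrives at, shown as an added example that is not part of the original thread. The loopback listeners are constructed stand-ins (not an ACE or a GSS), and plain HTTP replaces HTTPS so the script runs offline; all function names are hypothetical.

```python
import socket
import threading

def tcp_probe(host, port, timeout=2.0):
    """Handshake-only keepalive: passes as soon as the TCP connection opens."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def l7_probe(host, port, timeout=2.0):
    """Keepalive that also requires an HTTP status line in reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            return s.recv(64).startswith(b"HTTP/")
    except OSError:
        return False

def start_listener(healthy):
    """Constructed loopback stand-in for a VIP; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if healthy:
                    conn.settimeout(1.0)
                    try:
                        conn.recv(1024)
                        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")
                    except OSError:
                        pass  # probe closed before we answered
                # not healthy: handshake completed, then closed with no reply
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def compare():
    """Run both probes against an 'up' and a 'down' stand-in."""
    results = {}
    for name, healthy in (("farm_up", True), ("farm_down", False)):
        port = start_listener(healthy)
        results[name] = (tcp_probe("127.0.0.1", port), l7_probe("127.0.0.1", port))
    return results

if __name__ == "__main__":
    print(compare())
```

The handshake-only probe reports both listeners as reachable, while the application-level probe marks the one that accepts and then drops the connection as down.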