ACE: RDP loadbalancing connection problem

Ralf Kleineisel · ‎04-05-2011

I have a problem setting up RDP loadbalancing.

My setup is a WS-C6509-E with IOS 12.2(33)SXI5 and a ACE20-MOD-K9 running
A2(3.3).

I have the ACE in two-arm-mode, I can connect to the real servers via RDP. The
real servers use a MS Terminal Server Session Broker with routing tokens.

The serverfarm is operational:

# show serverfarm FARM-TSFARM1 det
serverfarm     : FARM-TSFARM1, type: HOST
total rservers : 4
active rservers: 4
description    : srv-f1-tsX.mydomain.de
state          : ACTIVE
predictor      : ROUNDROBIN
failaction     : -
back-inservice    : 0
partial-threshold : 0
num times failover       : 0
num times back inservice : 1
total conn-dropcount : 0
---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: RS-SRV-F1-TS1
       10.7.43.201:0         8      OPERATIONAL 0          1          0
         description          : -
         max-conns            : 500       , out-of-rotation count : 0
         min-conns            : 500
         conn-rate-limit      : -         , out-of-rotation count : -
         bandwidth-rate-limit : -         , out-of-rotation count : -
         retcode out-of-rotation count : -
         load value           : 0

   rserver: RS-SRV-F1-TS2
       10.7.43.202:0         8      OPERATIONAL 0          0          0
         description          : -
         max-conns            : 500       , out-of-rotation count : 0
         min-conns            : 500
         conn-rate-limit      : -         , out-of-rotation count : -
         bandwidth-rate-limit : -         , out-of-rotation count : -
         retcode out-of-rotation count : -
         load value           : 0

   rserver: RS-SRV-F1-TS3
       10.7.43.203:0         8      OPERATIONAL 0          0          0
         description          : -
         max-conns            : 500       , out-of-rotation count : 0
         min-conns            : 500
         conn-rate-limit      : -         , out-of-rotation count : -
         bandwidth-rate-limit : -         , out-of-rotation count : -
         retcode out-of-rotation count : -
         load value           : 0

   rserver: RS-SRV-F1-TS4
       10.7.43.204:0         8      OPERATIONAL 0          0          0
         description          : -
         max-conns            : 500       , out-of-rotation count : 0
         min-conns            : 500
         conn-rate-limit      : -         , out-of-rotation count : -
         bandwidth-rate-limit : -         , out-of-rotation count : -
         retcode out-of-rotation count : -
         load value           : 0

The service policy is active, it shows an increasing hit count for the VIP
connections (47 as shown below), no drop-count, no dropped connections, but
zero bytes server packets and no hit counts for the L7 policy:

# show service-policy VIP-TSFARM1 detail

Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 44
service-policy: VIP-TSFARM1
    class: VIP-TSFARM1-RDP
     VIP Address:    Protocol: Port:
     10.7.44.106     tcp        eq    3389
      loadbalance:
        L7 loadbalance policy: VIP-TSFARM1-RDP-l7slb
        VIP Route Metric     : 77
        VIP Route Advertise : ENABLED-WHEN-ACTIVE
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 47
        dropped conns    : 0
        client pkt count : 221       , client byte count: 10996
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : VIP-TSFARM1-RDP-l7slb
          class/match : class-default
            LB action: :
               primary serverfarm: FARM-TSFARM1
                    state: UP
                  backup serverfarm : -
            hit count        : 0
            dropped conns    : 0

I never get a "Built TCP connection" syslog message.

When I make a VIP with "policy-map type loadbalance generic" instead of
"policy-map type loadbalance rdp" everything works as expected, apart from the
fact that users cannot be redirected to the correct server if they have an
active session on one of them.

Here is the config of the rdp setup:

rserver host RS-SRV-F1-TS1
description srv-f1-ts1.mydomain.de
ip address 10.7.43.201
conn-limit max 500 min 500
rate-limit connection 10000
rate-limit bandwidth 12500000
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS2
description srv-f1-ts2.mydomain.de
ip address 10.7.43.202
conn-limit max 500 min 500
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS3
description srv-f1-ts3.mydomain.de
ip address 10.7.43.203
conn-limit max 500 min 500
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS4
description srv-f1-ts4.mydomain.de
ip address 10.7.43.204
conn-limit max 500 min 500
probe PING_PROBE
inservice

serverfarm host FARM-TSFARM1
description srv-f1-tsX.mydomain.de
rserver RS-SRV-F1-TS1
    inservice
rserver RS-SRV-F1-TS2
    inservice
rserver RS-SRV-F1-TS3
    inservice
rserver RS-SRV-F1-TS4
    inservice

class-map match-all VIP-TSFARM1-RDP
2 match virtual-address 10.7.44.106 tcp eq 3389

policy-map type loadbalance rdp first-match VIP-TSFARM1-RDP-l7slb
class class-default
serverfarm FARM-TSFARM1

policy-map multi-match VIP-TSFARM1
class VIP-TSFARM1-RDP
    loadbalance vip inservice
    loadbalance policy VIP-TSFARM1-RDP-l7slb
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

interface vlan 44
service-policy input VIP-TSFARM1

Any ideas?