08-17-2012 11:11 AM
Here is the config.
We are trying to load balance non-standard ports.
rservers and vserver all show as up,
but the VIP cannot be pinged and no connections flow.
logging enable
logging timestamp
logging buffered 3
resource-class RC1
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
login timeout 60
interface gigabitEthernet 1/1
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  switchport access vlan 1001
  no shutdown
interface gigabitEthernet 1/3
  ft-port vlan 100
  no shutdown
interface gigabitEthernet 1/4
  shutdown
clock timezone standard EST
clock summer-time standard EDT
context Admin
  member RC1
ntp server 208.44.49.1
access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit icmp any any
probe http ghh-http
  port 8888
  interval 5
  passdetect interval 5
  request method head url /ProbeTrigger/probetrigger.htm
  expect status 200 200
  connection term forced
probe icmp ghh-icmp
  interval 5
  passdetect interval 5
rserver host ghh-1
  ip address 172.16.2.137
  conn-limit max 4000000 min 4000000
  inservice
rserver host ghh-2
  ip address 172.16.2.138
  conn-limit max 4000000 min 4000000
  inservice
rserver host ghh-3
  ip address 172.16.2.139
rserver host ghh-4
  ip address 172.16.2.140
rserver host ghh-5
  ip address 172.16.2.142
rserver host ghh-6
  ip address 172.16.2.143
rserver host ghh-7
  ip address 172.16.2.144
rserver host ghh-8
  ip address 172.16.2.145
serverfarm host ghh
  predictor leastconns
  probe ghh-icmp
  rserver ghh-1 30037
    inservice
  rserver ghh-2 30038
    inservice
  rserver ghh-3 30039
  rserver ghh-4 30040
  rserver ghh-5 30042
  rserver ghh-6 30043
  rserver ghh-7 30044
  rserver ghh-8 30045
parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
parameter-map type generic case_generic
  case-insensitive
class-map type management match-any TO-CP-POLICY
  2 match protocol icmp any
  3 match protocol telnet any
  4 match protocol snmp any
  5 match protocol ssh any
class-map match-all ghh_CLASS
  2 match virtual-address 172.16.2.225 any
class-map type generic match-any ghh_generic
class-map type http loadbalance match-any ghh_http
  2 match http url [.]*
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match TO-CP-POLICY
  class TO-CP-POLICY
    permit
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance generic first-match ghh_POLICY
  class class-default
    serverfarm ghh
policy-map multi-match ghhpolicy
  class ghh_CLASS
    loadbalance vip inservice
    loadbalance policy ghh_POLICY
    loadbalance vip icmp-reply
    appl-parameter generic advanced-options case_generic
service-policy input TO-CP-POLICY
interface vlan 1000
  bridge-group 15
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input ghhpolicy
  no shutdown
interface vlan 1001
  bridge-group 15
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input ghhpolicy
  no shutdown
interface bvi 15
  ip address 172.16.1.202 255.255.0.0
  peer ip address 172.16.1.203 255.255.0.0
  no shutdown
ft interface vlan 100
  ip address 192.168.10.11 255.255.255.0
  peer ip address 192.168.10.12 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 20
  ft-interface vlan 100
ft group 1
  peer 1
  priority 200
  associate-context Admin
  inservice
ft track interface track_vlan1000
  track-interface vlan 1000
  peer track-interface vlan 1000
  priority 200
  peer priority 100
ip route 0.0.0.0 0.0.0.0 172.16.1.2
08-17-2012 11:58 AM
Hi,
Are you able to ping the gateway? Can you get the output of "show service-policy detail"?
-
Siva
08-17-2012 12:04 PM
Yes, the ACE can ping the gateway and all other servers.
Nothing can ping the VIP on the ACE.
switch/Admin# sho service-policy detail
Policy-map : ghhpolicy
  Status     : ACTIVE
  Description: -----------------------------------------
  Interface: vlan 1 1000 1001
    service-policy: ghhpolicy
      class: ghh_CLASS
        VIP Address:    Protocol:  Port:
        172.16.2.225    any
        loadbalance:
          L7 loadbalance policy: ghh_POLICY
          VIP ICMP Reply       : ENABLED
          VIP State: INSERVICE
          VIP DWS state: DWS_DISABLED
          curr conns       : 0         , hit count        : 0
          dropped conns    : 0
          conns per second : 0
          client pkt count : 0         , client byte count: 0
          server pkt count : 0         , server byte count: 0
          conn-rate-limit      : 0         , drop-count : 0
          bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : ghh_POLICY
          class/match : class-default
            LB action :
               primary serverfarm: ghh
                    state: UP
               backup serverfarm : -
            hit count        : 0
            dropped conns    : 0
            compression      : off
            compression:
              bytes_in  : 0           bytes_out : 0
              Compression ratio : 0.00%
              Gzip: 0        Deflate: 0
            compression errors:
              User-Agent  : 0         Accept-Encoding    : 0
              Content size: 0         Content type       : 0
              Not HTTP 1.1: 0         HTTP response error: 0
              Others      : 0
switch/Admin#
08-17-2012 01:18 PM
Hi,
It looks like the traffic is not even hitting the VIP. Can you check if the ARP entry for this VIP is being learnt on the gateway? You can also run a packet capture on the ACE to check if the traffic is hitting the VIP.
-
Siva
08-17-2012 01:28 PM
Yes, the ARP entry is on the gateway (ASA firewall).
Packet captures don't seem to show packets reaching the ACE,
even when they are sourced from another DMZ server that doesn't go through the firewall.
08-17-2012 01:58 PM
Final word for today: seems like VLAN weirdness.
This is bridge mode; VLAN 1001 is the target servers.
When
service-policy input ghhpolicy
is on VLAN 1001, the target servers can ping the VIP;
with it removed, they can't.
But that service policy is also on VLAN 1000, which is the source clients, and they can't ping the VIP.
08-18-2012 04:05 AM
Hi,
One reason could be a subnet mismatch between the ACE and the gateway. If it was configured as /24 then it won't work; it should be in the same /16 subnet as the ACE for VLAN 1000.
The rest of the config looks good, and since the ARP entries are learnt, I don't see any other problem unless the firewall is dropping the packets going towards the ACE.
-
Siva
08-20-2012 05:10 AM
Subnets are all correct.
I think the problem is because we have another ACE on the DMZ subnet and the VLANs are confused.
08-20-2012 06:56 AM
Also, something I noticed in the ARP table:
on our working ACE, which also has VLANs 1000 and 1001,
the vserver ARP entry only appears on VLAN 1001.
On this ACE,
the vserver ARP entry for 172.16.2.225 appears on both the 1000 and 1001 VLANs:
172.16.2.225  00.0b.fc.fe.1b.01  vlan1000  VSERVER  LOCAL  _  up
172.16.2.225  00.0b.fc.fe.1b.01  vlan1001  VSERVER  LOCAL  _  up
08-20-2012 11:47 AM
Because you might have applied the service-policy for the VIP on both of the VLANs.
Can you change the config to a different VLAN and subnet not used elsewhere in the network and see if it works?
-
Siva
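The point Siva raises above (the VIP policy bound on both VLANs of the bridge group, and the VSERVER ARP entry showing on both VLANs) is easy to miss by eye in a long context config. The script below is an added example written for this thread, not Cisco tooling and not code from any poster: it walks an ACE running-config in the indented form `show running-config` prints, ties `match virtual-address` class-maps to the multi-match policy-maps that reference them, and to the `interface vlan` blocks where those policy-maps are applied as `service-policy input`, then reports any VIP whose policy is bound on more than one VLAN of the same bridge group. A second function reads `show arp` lines and reports any VSERVER address learnt on more than one VLAN. Both sample inputs are constructed from the configuration and ARP lines posted in this thread; the parser assumes two-space indentation, which the paste above had lost.

```python
"""Audit an ACE context config for a VIP whose multi-match policy is bound on
more than one VLAN of the same bridge group, and check `show arp` output for a
VSERVER entry learnt on more than one VLAN (the symptom posted above).

Added example for this thread; it is not Cisco tooling. The config and ARP
text below are constructed samples trimmed from the configuration posted
in this thread."""
import re
from collections import defaultdict

# Constructed sample: the VIP-relevant lines of the posted configuration.
SAMPLE_CONFIG = """\
class-map match-all ghh_CLASS
  2 match virtual-address 172.16.2.225 any
policy-map multi-match ghhpolicy
  class ghh_CLASS
    loadbalance vip inservice
    loadbalance policy ghh_POLICY
interface vlan 1000
  bridge-group 15
  service-policy input remote_mgmt_allow_policy
  service-policy input ghhpolicy
  no shutdown
interface vlan 1001
  bridge-group 15
  service-policy input remote_mgmt_allow_policy
  service-policy input ghhpolicy
  no shutdown
interface bvi 15
  ip address 172.16.1.202 255.255.0.0
"""

# Constructed sample in the shape of the two `show arp` lines posted above.
SAMPLE_ARP = """\
172.16.2.225  00.0b.fc.fe.1b.01  vlan1000  VSERVER  LOCAL  _  up
172.16.2.225  00.0b.fc.fe.1b.01  vlan1001  VSERVER  LOCAL  _  up
"""


def parse_config(text):
    """Walk the indented config once; unindented lines open a new section."""
    vip_by_class = {}                       # class-map name -> VIP address
    classes_by_policy = defaultdict(list)   # multi-match policy -> class names
    iface_policies = defaultdict(list)      # "vlan 1000" -> input policies
    iface_bridge = {}                       # "vlan 1000" -> bridge-group
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            section = line
            continue
        if section.startswith("class-map"):
            m = re.search(r"match virtual-address (\S+)", line)
            if m:
                vip_by_class[section.split()[-1]] = m.group(1)
        elif section.startswith("policy-map multi-match"):
            if line.startswith("class "):
                classes_by_policy[section.split()[-1]].append(line.split()[1])
        elif section.startswith("interface vlan"):
            iface = " ".join(section.split()[1:])
            if line.startswith("bridge-group "):
                iface_bridge[iface] = line.split()[1]
            elif line.startswith("service-policy input "):
                iface_policies[iface].append(line.split()[2])
    return vip_by_class, classes_by_policy, iface_policies, iface_bridge


def vip_bindings(text):
    """Map each VIP to the set of (bridge-group, interface) it is bound on."""
    vip_by_class, classes_by_policy, iface_policies, iface_bridge = parse_config(text)
    bound = defaultdict(set)
    for iface, policies in iface_policies.items():
        for pol in policies:
            for cls in classes_by_policy.get(pol, []):
                vip = vip_by_class.get(cls)
                if vip:
                    bound[vip].add((iface_bridge.get(iface), iface))
    return bound


def multi_vlan_vips(text):
    """VIPs whose policy is applied on more than one VLAN of one bridge group."""
    hits = {}
    for vip, where in vip_bindings(text).items():
        by_bg = defaultdict(set)
        for bg, iface in where:
            by_bg[bg].add(iface)
        for bg, ifaces in by_bg.items():
            if len(ifaces) > 1:
                hits[vip] = (bg, sorted(ifaces))
    return hits


def multi_vlan_arp(text):
    """VSERVER entries in `show arp` output whose address appears on >1 VLAN."""
    seen = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[3] == "VSERVER":
            seen[f[0]].add(f[2])
    return {ip: sorted(v) for ip, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    print("VIP policy bound on several VLANs:", multi_vlan_vips(SAMPLE_CONFIG))
    print("VSERVER ARP seen on several VLANs:", multi_vlan_arp(SAMPLE_ARP))
```

Run it against the running-config of the working ACE and of the new one and diff the two results; the thread's working unit shows the VSERVER entry on VLAN 1001 only, so a hit on the new unit is the first thing to reconcile. Whether binding the VIP policy on both bridged VLANs is actually wrong depends on which side the clients sit, so treat the report as a comparison point rather than a verdict.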
08-20-2012 12:07 PM
That is what I'm going to try in the morning during low-traffic times.
08-21-2012 05:51 AM
No joy,
and it doesn't make any sense.
VLANs changed to 1010 and 1011,
BVI changed to 20.
Here is what makes no sense:
if I run the system offline on a test network, it works fine.
As soon as I hook it to our main DMZ network, it stops responding to requests on the gigabit 1/1 or VLAN 1010 interface.
It does, however, respond to requests on the gigabit 1/2 or VLAN 1011 interface.
Here are the relevant changes:
interface gigabitEthernet 1/1
  switchport access vlan 1010
  no shutdown
interface gigabitEthernet 1/2
  switchport access vlan 1011
  no shutdown
interface gigabitEthernet 1/3
  ft-port vlan 100
  no shutdown
interface vlan 1010
  bridge-group 20
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 1011
  bridge-group 20
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface bvi 20
  ip address 172.16.1.202 255.255.0.0
  peer ip address 172.16.1.203 255.255.0.0
  no shutdown
ft interface vlan 100
  ip address 192.168.10.11 255.255.255.0
  peer ip address 192.168.10.12 255.255.255.0
  no shutdown
08-21-2012 06:21 AM
Here is a simple network map:
FIREWALL (gateway)
|
SWITCH
|
WEB ACE load balancer
|
SWITCH with web servers
|
NEW ACE LB for search servers
|
SWITCH with search servers
08-21-2012 06:44 AM
The config seems to be fine, as it works in your test setup until you hook it to the DMZ. A capture on the ACE should tell you whether the packet is really hitting the VIP, which I guess you already did. We have to make sure that the packet is hitting the VIP and check the upstream devices where it's getting dropped.
Regards,
Siva
08-21-2012 07:04 AM
Captures don't work because so much data is going through that I can't find anything in it.
The ARP entry for the VIP shows up everywhere on the DMZ: on the firewall, switches, the other ACE, etc.
It just never responds when it is placed on the DMZ network.
It responds fine offline.