
ACE service-policy out of service - still able to connect to VIP on port.

Paul Pinto
Level 1

Good day,

We have a situation where services are stopped on the real servers. The probes fail and we confirm the services are not running on the server. We cannot access the ports from the ACE directly. We can still, however, access the VIP on the TCP port (L4 VIP class-map). So we can still telnet to the VIP on the port from the Client side of the network. Problem.

Anyone experienced this? This is on ACE 20 Modules deployed in Routed mode. The version of software is A2(3.3).

Tried removing multi-match and loadbalance policies as well as class-map and re-applying, then re-applying the service policy to interface. Same behavior.

This is a problem at another level as some services are being monitored by GSS via TCP keep-Alive and this obviously causes a problem as the service then never goes off-line.

Any assistance or feedback would be appreciated.

Thank you.

Paul.

10 Replies

Paul Pinto
Level 1

Hi all,

Anyone have any experience with this before? Any feedback or advice would be appreciated. This is obviously causing quite a problem.

Thanks in advance.

Paul.

Hi,

In the class-map under the policy map do you have something like:

policy-map multi-match L4POLICY

  class L4VIPCLASS

    ...

    loadbalance vip advertise

If so do you have the "active" keyword after the advertise? Without this the ACE will advertise the IP address of the VIP as a host route even if there are no active rservers in the serverfarm. Obvious error but worth eliminating first.

Kind Regards

Cathy

Hi,

Policy-map attached:

policy-map multi-match CLIENT-VIPS

  class L4VIPCLASS_XXXX

    loadbalance vip inservice

    loadbalance policy LB-Policy-XXXX

    loadbalance vip icmp-reply active

    loadbalance vip advertise active

So this is there. Hence my confusion and concern.

Maybe worth mentioning, may or may not contribute to issue.

Dual ACE in Dual 6500 Service Chassis (one ACE in each 6K paired HA) connecting to Dual Nexus 7K Agg switches. Layer 3 is on 7K (6K Service Chassis has L2). ACE obviously has L3 for Client and Server as Routed mode. Servers connection to Nexus 5K L2, their connection back to Nexus 7K Agg. switches L2.

Maybe the lack of L3 on the 6K Service Chassis is issue? Even with the scenario above, the "port/service" associated with the VIP should not be accessible? NO/YES?

Thank you for your response Cathy.

Paul.

Paul,

Are you using any L7 features like header insertion, cookie or so? Could you post the complete config of the VIP?

Hi,

No layer 7 features utilised. The rserver state changes to PROBE-FAILED. The service policy state changes to VIP state: OUTOFSERVICE. At this point am still able to connect to VIP address on any of the four ports.

Config below:

class-map match-any L4VIPCLASS_XXX

  2 match virtual-address 10.144.180.7 tcp eq 3640

  5 match virtual-address 10.144.180.7 tcp eq 3341

  6 match virtual-address 10.144.180.7 tcp eq 3240

  7 match virtual-address 10.144.180.7 tcp eq 3241

policy-map type loadbalance http first-match LB-Policy-A

  class class-default

    serverfarm Prod_Farm

policy-map multi-match CLIENT-VIPS

  class L4VIPCLASS_XXX

    loadbalance vip inservice

    loadbalance policy LB-Policy-A

    loadbalance vip icmp-reply active

    loadbalance vip advertise active

Thanks.

Paul

Please also post sh service CLIENT-VIPS class L4VIPCLASS_XXX det output

Hi,

Output as requested:

Status     : ACTIVE

Description: -----------------------------------------

Interface: vlan 2850

  service-policy: CLIENT-VIPS

    class: L4VIPCLASS_XXX

     VIP Address:    Protocol:  Port:

     10.144.180.7    tcp        eq    3640

     10.144.180.7    tcp        eq    3641

     10.144.180.7    tcp        eq    3341

     10.144.180.7    tcp        eq    3240

     10.144.180.7    tcp        eq    3241

      loadbalance:

        L7 loadbalance policy: LB-Policy-A

        VIP Route Metric     : 77

        VIP Route Advertise  : ENABLED-WHEN-ACTIVE

        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE

        VIP state: OUTOFSERVICE

        curr conns       : 0         , hit count        : 1981494  

        dropped conns    : 421      

        client pkt count : 5906330   , client byte count: 236253200          

        server pkt count : 1981242   , server byte count: 87100364           

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

        L7 Loadbalance policy : LB-Policy-A

          class/match : class-default

            LB action: :

               primary serverfarm: Prod_Farm

                    state: DOWN

                  backup serverfarm : -

            hit count        : 1981073  

            dropped conns    : 0        

Thanks.

Paul

As Cathy mentioned "loadbalance vip advertise active"  could be the reason

Hi,

policy-map multi-match CLIENT-VIPS

  class L4VIPCLASS_XXX

    loadbalance vip inservice

    loadbalance policy LB-Policy-A

    loadbalance vip icmp-reply active

    loadbalance vip advertise active

Active keyword is there, hence my confusion. The status is active, but state is OUTOFSERVICE. Should this not result in VIP not being accessible?

Thanks.

Paul.

Hi all,

Just wanted to provide some feedback.

Process followed:

Removed all rserver, server-farm, class-map and policy-map configurations. Removed service-policy from Client interface. Re-applied all of above.

No positive result. During troubleshooting, also found was not able to ping VIP.

Resolution was to remove interface configurations and re-apply interface configurations.

As previously stated, version A2(3.3) on ACE 20 Module. Not sure if this is a known issue.

Just some feedback for anyone else who may encounter this.

Thanks.

Paul.
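A check for the symptom reported in this thread, as an added example that is not part of any poster's message and not Cisco code: it parses the service-policy detail text and lists VIP ports that still complete a TCP handshake while the ACE reports `VIP state: OUTOFSERVICE`. The function names, the abridged sample and the assumption of a single class per output are constructed for illustration.

```python
import re
import socket

# Constructed sample, abridged from the service-policy detail output posted in the thread.
SAMPLE = """\
  service-policy: CLIENT-VIPS
    class: L4VIPCLASS_XXX
     VIP Address:    Protocol:  Port:
     10.144.180.7    tcp        eq    3640
     10.144.180.7    tcp        eq    3341
      loadbalance:
        VIP Route Advertise  : ENABLED-WHEN-ACTIVE
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP state: OUTOFSERVICE
               primary serverfarm: Prod_Farm
                    state: DOWN
"""

VIP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+tcp\s+eq\s+(\d+)\s*$")
VIP_STATE = re.compile(r"^\s*VIP state:\s*(\S+)")


def parse_service_policy(text):
    """Return (list of (ip, port) TCP VIPs, VIP state string or None)."""
    vips, state = [], None
    for line in text.splitlines():
        m = VIP_LINE.match(line)
        if m:
            vips.append((m.group(1), int(m.group(2))))
            continue
        m = VIP_STATE.match(line)  # does not match the serverfarm "state: DOWN" line
        if m:
            state = m.group(1)
    return vips, state


def tcp_accepts(ip, port, timeout=2.0):
    """True if a TCP handshake completes (what telnet or a TCP keepalive sees)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_mismatches(text, probe=tcp_accepts):
    """List VIP ports that accept TCP although the VIP is reported OUTOFSERVICE."""
    vips, state = parse_service_policy(text)
    if state != "OUTOFSERVICE":
        return []
    return [(ip, port) for ip, port in vips if probe(ip, port)]
```

Run `find_mismatches` from the client side of the network against freshly captured output; a non-empty result means a TCP keepalive monitor would still see the service as up.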
