02-29-2012 02:10 AM
Good day,
We have a situation where services are stopped on the real servers. The probes fail and we confirm the services are not running on the server. We cannot access the ports from the ACE directly. We can still however acces the VIP on the TCP port (L4 VIP class-map). So we can still telnet to the VIP on the port from thr Client side of the network. Problem.
Any one experienced this? This is on ACE 20 Modules deployed in Routed mode. The version of software is A2(3.3).
Tried removing multi-match and loadbalance policies as well as class-map and re-applying then re-appyling the service policy to interface. Same behavior,
This is a problem at another level as some services are being monitored by GSS via TCP keep-Alive and this obviuosly causes a problem as the service then never goes off-line.
Any assitance or feedback would be appreciated.
Thank you.
Paul.
02-29-2012 05:54 AM
Hi all,
Anyone have any experience with this before? Any feedback ot advice would be appreciated. This is obviuosly causing quiet a problem.
Thanks in advance.
Paul.
02-29-2012 07:13 AM
Hi,
In the class-map under the policy map do you have something like:
policy-map multi-match L4POLICY
class L4VIPCLASS
...
loadbalance vip advertise
If so do you have the "active" keyword after the advertise? Without this the ACE will advertise the IP address of the VIP as a host route even if there are no active rservers in the serverfarm. Obvious error but worth eliminating first.
Kind Regards
Cathy
02-29-2012 08:05 AM
Hi,
Policy-map attched:
policy-map multi-match CLIENT-VIPS
class L4VIPCLASS_XXXX
loadbalance vip inservice
loadbalance policy LB-Policy-XXXX
loadbalance vip icmp-reply active
loadbalance vip advertise active
So this is there. Hence my confussion and concern.
Maybe worth mentioning, may or may not contibute to issue.
Dual ACE in Dual 6500 Service Chassis (one ACE in each 6K paired HA) connecting to Dual Nexus 7K Agg switches. Layer 3 is on 7K (6K Servcie Chassis has L2). ACE obviuosly has L3 for Client and Server as Routed mode. Servers connection to Nexus 5K L2, thier connection back to Nexus 7K Agg. switches L2.
Maybe the lack of L3 on the 6K Service Chassis is issue? Even with the scenario above, the "port/service" associated with the VIP should not be accesible? NO/YES?
Thank you for your response Cathy.
Paul.
02-29-2012 09:54 PM
Paul,
Are you using any L7 features like header insertion , cookie or so? Could you post the complete config of the VIP?
02-29-2012 10:32 PM
Hi,
No layer 7 features utlised. The rserver state changes to PROBE-FAILED. The service policy state changes to VIP state: OUTOFSERVICE. At this point am still able to connect to VIP address on any of the four ports.
Config below:
class-map match-any L4VIPCLASS_XXX
2 match virtual-address 10.144.180.7 tcp eq 3640
5 match virtual-address 10.144.180.7 tcp eq 3341
6 match virtual-address 10.144.180.7 tcp eq 3240
7 match virtual-address 10.144.180.7 tcp eq 3241
policy-map type loadbalance http first-match LB-Policy-A
class class-default
serverfarm Prod_Farm
policy-map multi-match CLIENT-VIPS
class L4VIPCLASS_XXX
loadbalance vip inservice
loadbalance policy LB-Policy-A
loadbalance vip icmp-reply active
loadbalance vip advertise active
Thanks.
Paul
02-29-2012 10:37 PM
Please also post sh service CLIENT-VIPS class L4VIPCLASS_XXX det output
02-29-2012 10:42 PM
Hi,
Output as requested:
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 2850
service-policy: CLIENT-VIPS
class: L4VIPCLASS_XXX
VIP Address: Protocol: Port:
10.144.180.7 tcp eq 3640
10.144.180.7 tcp eq 3641
10.144.180.7 tcp eq 3341
10.144.180.7 tcp eq 3240
10.144.180.7 tcp eq 3241
loadbalance:
L7 loadbalance policy: LB-Policy-A
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP state: OUTOFSERVICE
curr conns : 0 , hit count : 1981494
dropped conns : 421
client pkt count : 5906330 , client byte count: 236253200
server pkt count : 1981242 , server byte count: 87100364
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : LB-Policy-A
class/match : class-default
LB action: :
primary serverfarm: Prod_Farm
state: DOWN
backup serverfarm : -
hit count : 1981073
dropped conns : 0
Thanks.
Paul
02-29-2012 10:46 PM
As Cathy mentioned "loadbalance vip advertise active" could be the reason
02-29-2012 10:52 PM
Hi,
policy-map multi-match CLIENT-VIPS
class L4VIPCLASS_XXX
loadbalance vip inservice
loadbalance policy LB-Policy-A
loadbalance vip icmp-reply active
loadbalance vip advertise active
Active keyword is there, hence my confusion. The status is active, but state is OUTOFSERVICE. Should this not result in VIP not being accesible?
Thanks.
Paul.
03-06-2012 10:17 PM
Hi all,
Just wanted to provide some feedback.
Process followed:
Removed all rserver, server-farm, class-map and policy-map configurations. Removed service-policy from Client interface. Re-applied all of above.
No positive result. During troubleshooting, also found was not able to ping VIP.
Resolution was to remove interface configurations and re-apply interface configurations.
As previously stated, version A2(3.3) on ACE 20 Module. Not sure is this a know issue.
Just some feedback for anyone else who may encounter this.
Thanks.
Paul.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide