ACE- VIP not showing web page from real server

hamz-zackops
Level 1

Hello All,

I need advice with my ACE 4710-K9.

I cannot reach a web page when accessing my VIP on the ACE.

Here I paste my configuration:

VIP at 10.49.30.223

RS1 at 10.49.30.221

RS2 at 10.49.30.221

########### START

DCACEAPP1/VC_web# sh run

Generating configuration....

access-list INBOUND line 8 extended permit ip any any

access-list everyone line 8 extended permit ip any any

access-list everyone line 16 extended permit icmp any any

probe https HTTPS_probe

  port 443

  interval 5

  passdetect interval 10

  ssl version SSLv3

  expect status 200 200

probe http HTTP_probe

  port 80

  interval 5

  passdetect interval 10

  expect status 200 200

probe icmp PING_Probe

probe tcp TCP_PROBE

rserver host RS_WEB1

  description JBOSS web server 1

  ip address 10.49.30.221

  inservice

rserver host RS_WEB2

  description JBOSS web server 2

  ip address 10.49.30.222

  inservice

serverfarm host SF_WEB

  probe HTTPS_probe

  rserver RS_WEB1 443

    inservice

  rserver RS_WEB2 443

    inservice

sticky http-cookie ipos414 Sticky-G1

  serverfarm SF_WEB

class-map match-all VS_WEB

  3 match virtual-address 10.49.30.223 any

policy-map type loadbalance first-match HTTP_LB

  class class-default

    serverfarm SF_WEB

policy-map multi-match HTTP_MULTI_MATCH

  class VS_WEB

    loadbalance vip inservice

    loadbalance policy HTTP_LB

    loadbalance vip icmp-reply active

interface vlan 260

  description Client and Server Side

  ip address 10.49.30.214 255.255.255.192

  access-group input INBOUND

  nat-pool 1 10.49.30.227 10.49.30.227 netmask 255.255.255.192 pat

  service-policy input HTTP_MULTI_MATCH

  no shutdown

ip route 10.0.0.0 255.0.0.0 10.49.30.250

ip route 0.0.0.0 0.0.0.0 10.49.30.251

####### END

I'm just new with this appliance; before this I used nginx as a load balancer. I really need advice, please.


Kanwaljeet Singh
Cisco Employee

Hi Hamzah,

I had a look at the config and you seem to be missing a NAT statement under multi-match.

Please put the nat statement and check again:

policy-map multi-match HTTP_MULTI_MATCH

class VS_WEB

loadbalance vip inservice

loadbalance policy HTTP_LB

loadbalance vip icmp-reply active

nat dynamic 1 vlan 260

Regards,

Kanwal

Thx very much for your quick reply bro,

the result is still the same.

Here is the config:

DCACEAPP1/VC_web# sh run

Generating configuration....

access-list INBOUND line 8 extended permit ip any any

access-list everyone line 8 extended permit ip any any

access-list everyone line 16 extended permit icmp any any 

probe https HTTPS_probe

  port 443

  interval 5

  passdetect interval 10

  ssl version SSLv3

  expect status 200 200

probe http HTTP_probe

  port 80

  interval 5

  passdetect interval 10

  expect status 200 200

probe icmp PING_Probe

probe tcp TCP_PROBE

rserver host RS_WEB1

  description JBOSS web server 1

  ip address 10.49.30.221

  inservice

rserver host RS_WEB2

  description JBOSS web server 2

  ip address 10.49.30.222

  inservice

serverfarm host SF_WEB

  probe HTTPS_probe

  rserver RS_WEB1 443

    inservice

  rserver RS_WEB2 443

    inservice

sticky http-cookie ipos414 Sticky-G1

  serverfarm SF_WEB

class-map match-all VS_WEB

  3 match virtual-address 10.49.30.223 any

policy-map type loadbalance first-match HTTP_LB

  class class-default

    serverfarm SF_WEB

policy-map multi-match HTTP_MULTI_MATCH

  class VS_WEB

    loadbalance vip inservice

    loadbalance policy HTTP_LB

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 260

interface vlan 260

  description Client and Server Side

  ip address 10.49.30.214 255.255.255.192

  access-group input INBOUND

  nat-pool 1 10.49.30.227 10.49.30.227 netmask 255.255.255.192 pat

  service-policy input HTTP_MULTI_MATCH

  no shutdown

ip route 10.0.0.0 255.0.0.0 10.49.30.250

ip route 0.0.0.0 0.0.0.0 10.49.30.251

Any advice is welcome, please. BTW, I can still ping the VIP, but when I access the VIP from a browser it fails.

fully regards

hamzah

Hi Hamzah,

Please send me the output of:

show serverfarm detail

show service-policy HTTP_MULTI_MATCH detail.

Are you opening an HTTP or HTTPS request? When you send a request, what do you see in the sh conn output? Please filter it with your client IP address if you have a lot of traffic. Example: sh conn

Config seems to be fine.

Regards,

Kanwal

DCACEAPP1/VC_web# sh serverfarm SF_WEB detail

serverfarm     : SF_WEB, type: HOST

total rservers : 2

state          : ACTIVE

DWS state      : DISABLED

active rservers: 2

description    : -

predictor      : ROUNDROBIN

failaction     : -

back-inservice    : 0

partial-threshold : 0

num times failover       : 0

num times back inservice : 0

total conn-dropcount : 0

Probe(s) :

    HTTPS_probe,  type = HTTPS

---------------------------------

                                                ----------connections-----------

       real                  weight state        current    total      failures

   ---+---------------------+------+------------+----------+----------+---------

   rserver: RS_WEB1

       10.49.30.221:443      8   OPERATIONAL     0          0          0

         sticky-conns         :                  0          0              

         description          : -

         max-conns            : -         , out-of-rotation count : -

         min-conns            : -        

         conn-rate-limit      : -         , out-of-rotation count : -

         bandwidth-rate-limit : -         , out-of-rotation count : -

         retcode out-of-rotation count : -

         inband HM out-of-rotation count : -

   rserver: RS_WEB2

       10.49.30.222:443      8   OPERATIONAL     0          0          0

         sticky-conns         :                  0          0              

         description          : -

         max-conns            : -         , out-of-rotation count : -

         min-conns            : -        

         conn-rate-limit      : -         , out-of-rotation count : -

         bandwidth-rate-limit : -         , out-of-rotation count : -

         retcode out-of-rotation count : -

         inband HM out-of-rotation count : -

DCACEAPP1/VC_web# sh service-policy HTTP_MULTI_MATCH detail

Status     : ACTIVE

Description: -----------------------------------------

Interface: vlan 1 260

  service-policy: HTTP_MULTI_MATCH

    class: VS_WEB

      nat:

        nat dynamic 1 vlan 260

        curr conns       : 0         , hit count        : 0        

        dropped conns    : 0        

        client pkt count : 0         , client byte count: 0                  

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

     VIP Address:                              Protocol:  Port:    

     10.49.30.223                              any 

      loadbalance:

        L7 loadbalance policy: HTTP_LB

        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE

        VIP State: INSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: DISABLED

        curr conns       : 0         , hit count        : 0        

        dropped conns    : 0        

        conns per second    : 0        

        client pkt count : 0         , client byte count: 0                  

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

        L7 Loadbalance policy : HTTP_LB

          class/match : class-default

            LB action :

               primary serverfarm: SF_WEB

                    state: UP

                backup serverfarm : -

            hit count        : 0        

            dropped conns    : 0        

            compression      : off

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        

thx

Hi Hamzah,

I see no traffic is matching the class-map. I am not too sure about this, but can you change the class-map statement to the following and check again?

class-map match-all VS_WEB

3 match virtual-address 10.49.30.223 any

After change:

class-map match-all VS_WEB

3 match virtual-address 10.49.30.223 443.

Again please do take the show service-policy detail output.

Also, what is this route for?

ip route 10.0.0.0 255.0.0.0 10.49.30.250

Regards,

Kanwal

C:\>ping 10.49.30.223

Pinging 10.49.30.223 with 32 bytes of data:

Reply from 10.49.30.223: bytes=32 time=16ms TTL=253

Reply from 10.49.30.223: bytes=32 time<1ms TTL=253

Reply from 10.49.30.223: bytes=32 time<1ms TTL=253

Ping statistics for 10.49.30.223:

    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 16ms, Average = 5ms

C:\>telnet 10.49.30.223 443

Connecting To 10.49.30.223...Could not open connection to the host, on port 443:

Connect failed

###########################

DCACEAPP1/VC_web# sh run

Generating configuration....

access-list INBOUND line 8 extended permit ip any any

access-list everyone line 8 extended permit ip any any

access-list everyone line 16 extended permit icmp any any

probe https HTTPS_probe

  port 443

  interval 5

  passdetect interval 10

  ssl version SSLv3

  expect status 200 200

probe http HTTP_probe

  port 80

  interval 5

  passdetect interval 10

  expect status 200 200

probe icmp PING_Probe

probe tcp TCP_PROBE

rserver host RS_WEB1

  description JBOSS web server 1

  ip address 10.49.30.221

  inservice

rserver host RS_WEB2

  description JBOSS web server 2

  ip address 10.49.30.222

  inservice

serverfarm host SF_WEB

  probe HTTPS_probe

  rserver RS_WEB1 443

    inservice

  rserver RS_WEB2 443

    inservice

sticky http-cookie ipos414 Sticky-G1

  serverfarm SF_WEB

class-map match-all VS_WEB

  2 match virtual-address 10.49.30.223 tcp eq https

policy-map type loadbalance first-match HTTP_LB

  class class-default

    serverfarm SF_WEB

policy-map multi-match HTTP_MULTI_MATCH

  class VS_WEB

    loadbalance vip inservice

    loadbalance policy HTTP_LB

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 260

interface vlan 260

  description Client and Server Side

  ip address 10.49.30.214 255.255.255.192

  access-group input INBOUND

  nat-pool 1 10.49.30.227 10.49.30.227 netmask 255.255.255.192 pat

  service-policy input HTTP_MULTI_MATCH

  no shutdown

ip route 10.0.0.0 255.0.0.0 10.49.30.250

ip route 0.0.0.0 0.0.0.0 10.49.30.251

DCACEAPP1/VC_web# sh service-policy HTTP_MULTI_MATCH detail

Status     : ACTIVE

Description: -----------------------------------------

Interface: vlan 1 260

  service-policy: HTTP_MULTI_MATCH

    class: VS_WEB

      nat:

        nat dynamic 1 vlan 260

        curr conns       : 0         , hit count        : 0        

        dropped conns    : 0        

        client pkt count : 0         , client byte count: 0                  

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

     VIP Address:                              Protocol:  Port:    

     10.49.30.223                              tcp    eq   443      

      loadbalance:

        L7 loadbalance policy: HTTP_LB

        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE

        VIP State: INSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: DISABLED

        curr conns       : 0         , hit count        : 0        

        dropped conns    : 0        

        conns per second    : 0        

        client pkt count : 0         , client byte count: 0                  

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

        L7 Loadbalance policy : HTTP_LB

          class/match : class-default

            LB action :

               primary serverfarm: SF_WEB

                    state: UP

                backup serverfarm : -

            hit count        : 0        

            dropped conns    : 0        

            compression      : off

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        

########################

ip route 10.0.0.0 255.0.0.0 10.49.30.250 is for connecting into private LAN

thx

Hi Hamzah,

I don't think I am missing anything, unless I am looking at the configuration again and again and missing the same thing :)

I don't see any hit on the service-policy at all. The access-list is fine. The servers in the serverfarm are operational.

In the past I have seen that IPs defined for NAT or VIP are already in use, and that sometimes causes an issue. Can you double-check the IPs you are using, or maybe use different ones if you have free IPs in the pool?

If it still has no match on the service-policy and nothing is working, I would suggest opening a TAC case and having a WebEx session with an engineer, and letting him have a look at it first hand.

BTW, did you see anything in show conn?

My next response may be delayed as I am leaving. I am sure someone else will reply then :)

Regards,

Kanwal

Thx to you too, Mr. Singh.

Now it works.

I changed the VIP to 10.49.30.215

and the NAT to 10.49.30.253.

In my documentation the last IPs are not in use; maybe the IPs conflict.

Now it works like a charm.

Thank you, thank you, you saved my weekend now.

Thank you, sir.

DCACEAPP1/VC_web# sh run

Generating configuration....

access-list INBOUND line 8 extended permit ip any any

access-list everyone line 8 extended permit ip any any

access-list everyone line 16 extended permit icmp any any

probe https HTTPS_probe

  port 443

  interval 5

  passdetect interval 10

  ssl version SSLv3

  expect status 200 200

probe http HTTP_probe

  port 80

  interval 5

  passdetect interval 10

  expect status 200 200

probe icmp PING_Probe

probe tcp TCP_PROBE

rserver host RS_WEB1

  description JBOSS web server 1

  ip address 10.49.30.221

  inservice

rserver host RS_WEB2

  description JBOSS web server 2

  ip address 10.49.30.222

  inservice

serverfarm host SF_WEB

  probe HTTPS_probe

  rserver RS_WEB1 443

    inservice

  rserver RS_WEB2 443

    inservice

sticky http-cookie ipos414 Sticky-G1

  serverfarm SF_WEB

class-map match-all VS_WEB

  2 match virtual-address 10.49.30.215 tcp eq https

policy-map type loadbalance first-match HTTP_LB

  class class-default

    serverfarm SF_WEB

policy-map multi-match HTTP_MULTI_MATCH

  class VS_WEB

    loadbalance vip inservice

    loadbalance policy HTTP_LB

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 260

interface vlan 260

  description Client and Server Side

  ip address 10.49.30.214 255.255.255.192

  access-group input INBOUND

  nat-pool 1 10.49.30.253 10.49.30.253 netmask 255.255.255.192 pat

  service-policy input HTTP_MULTI_MATCH

  no shutdown

ip route 0.0.0.0 0.0.0.0 10.49.30.251

ip route 10.0.0.0 255.0.0.0 10.49.30.250

Fully regards Hamzah
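
The cause the thread settles on, a VIP or NAT-pool address that another host already answers for, can be checked before the VIP goes inservice. The Python below is an added example, not part of any post above: it extracts the VIP and nat-pool addresses from an ACE running-config and compares them with an ARP table collected from a neighbouring device. The ARP entries, MAC addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Lines from the running-config posted in the thread (before the addresses were changed).
ACE_CONFIG = """\
rserver host RS_WEB1
  ip address 10.49.30.221
class-map match-all VS_WEB
  2 match virtual-address 10.49.30.223 tcp eq https
interface vlan 260
  ip address 10.49.30.214 255.255.255.192
  nat-pool 1 10.49.30.227 10.49.30.227 netmask 255.255.255.192 pat
"""
# Constructed sample: IP -> MAC as seen on a neighbouring switch or router.
ARP_SEEN = {
    "10.49.30.214": "0023.5e00.0001",   # the ACE interface itself
    "10.49.30.223": "0050.56aa.1b2c",   # some other host holds the planned VIP
    "10.49.30.227": "0050.56aa.3d4e",   # some other host holds the NAT address
}
ACE_MACS = {"0023.5e00.0001"}           # constructed MAC for the ACE

VIP_RE = re.compile(r"match virtual-address (\S+)")
POOL_RE = re.compile(r"nat-pool \d+ (\S+) (\S+) netmask \S+")
IFACE_RE = re.compile(r"^\s*ip address (\S+) (\S+)", re.M)  # address plus mask only

def claimed_addresses(config):
    """Return {ip: role} for every VIP and NAT-pool address in the config."""
    claimed = {}
    for vip in VIP_RE.findall(config):
        claimed[ipaddress.ip_address(vip)] = "VIP"
    for first, last in POOL_RE.findall(config):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        for n in range(lo, hi + 1):
            claimed[ipaddress.ip_address(n)] = "NAT pool"
    return claimed

def find_conflicts(config, arp_table, ace_macs):
    """List (ip, role, reason) for addresses off-subnet or owned by a foreign MAC."""
    addr, mask = IFACE_RE.search(config).groups()
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    problems = []
    for ip, role in sorted(claimed_addresses(config).items()):
        owner = arp_table.get(str(ip))
        if ip not in net:
            problems.append((str(ip), role, f"outside {net}"))
        elif owner and owner not in ace_macs:
            problems.append((str(ip), role, f"already answered by {owner}"))
    return problems

if __name__ == "__main__":
    for ip, role, reason in find_conflicts(ACE_CONFIG, ARP_SEEN, ACE_MACS):
        print(f"{role} {ip}: {reason}")
```

An address that no host currently answers for will not appear in the ARP table, so an empty result only means no conflict was visible at the time the table was collected.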
