03-28-2013 01:39 AM
Hello All,
I need advice with my ACE 4710-K9.
I cannot reach a web page when accessing my VIP on the ACE.
Here I paste my configuration:
VIP at 10.49.30.223
RS1 at 10.49.30.221
RS2 at 10.49.30.221
########### START
DCACEAPP1/VC_web# sh run
Generating configuration....
access-list INBOUND line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe https HTTPS_probe
port 443
interval 5
passdetect interval 10
ssl version SSLv3
expect status 200 200
probe http HTTP_probe
port 80
interval 5
passdetect interval 10
expect status 200 200
probe icmp PING_Probe
probe tcp TCP_PROBE
rserver host RS_WEB1
description JBOSS web server 1
ip address 10.49.30.221
inservice
rserver host RS_WEB2
description JBOSS web server 2
ip address 10.49.30.222
inservice
serverfarm host SF_WEB
probe HTTPS_probe
rserver RS_WEB1 443
inservice
rserver RS_WEB2 443
inservice
sticky http-cookie ipos414 Sticky-G1
serverfarm SF_WEB
class-map match-all VS_WEB
3 match virtual-address 10.49.30.223 any
policy-map type loadbalance first-match HTTP_LB
class class-default
serverfarm SF_WEB
policy-map multi-match HTTP_MULTI_MATCH
class VS_WEB
loadbalance vip inservice
loadbalance policy HTTP_LB
loadbalance vip icmp-reply active
interface vlan 260
description Client and Server Side
ip address 10.49.30.214 255.255.255.192
access-group input INBOUND
nat-pool 1 10.49.30.227 10.49.30.227 netmask 255.255.255.192 pat
service-policy input HTTP_MULTI_MATCH
no shutdown
ip route 10.0.0.0 255.0.0.0 10.49.30.250
ip route 0.0.0.0 0.0.0.0 10.49.30.251
####### END
I'm just new with this appliance; before this I used nginx as a load balancer. I really need advice, please.
03-28-2013 01:49 AM
Hi Hamzah,
I had a look at the config and you seem to be missing a NAT statement under multi-match.
Please put the nat statement and check again:
policy-map multi-match HTTP_MULTI_MATCH
class VS_WEB
loadbalance vip inservice
loadbalance policy HTTP_LB
loadbalance vip icmp-reply active
nat dynamic 1 vlan 260
Regards,
Kanwal
03-28-2013 01:58 AM
Thanks very much for your quick reply, bro.
The result is still the same.
Here is the config:
DCACEAPP1/VC_web# sh run
Generating configuration....
access-list INBOUND line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe https HTTPS_probe
port 443
interval 5
passdetect interval 10
ssl version SSLv3
expect status 200 200
probe http HTTP_probe
port 80
interval 5
passdetect interval 10
expect status 200 200
probe icmp PING_Probe
probe tcp TCP_PROBE
rserver host RS_WEB1
description JBOSS web server 1
ip address 10.49.30.221
inservice
rserver host RS_WEB2
description JBOSS web server 2
ip address 10.49.30.222
inservice
serverfarm host SF_WEB
probe HTTPS_probe
rserver RS_WEB1 443
inservice
rserver RS_WEB2 443
inservice
sticky http-cookie ipos414 Sticky-G1
serverfarm SF_WEB
class-map match-all VS_WEB
3 match virtual-address 10.49.30.223 any
policy-map type loadbalance first-match HTTP_LB
class class-default
serverfarm SF_WEB
policy-map multi-match HTTP_MULTI_MATCH
class VS_WEB
loadbalance vip inservice
loadbalance policy HTTP_LB
loadbalance vip icmp-reply active
nat dynamic 1 vlan 260
interface vlan 260
description Client and Server Side
ip address 10.49.30.214 255.255.255.192
access-group input INBOUND
nat-pool 1 10.49.30.227 10.49.30.227 netmask 255.255.255.192 pat
service-policy input HTTP_MULTI_MATCH
no shutdown
ip route 10.0.0.0 255.0.0.0 10.49.30.250
ip route 0.0.0.0 0.0.0.0 10.49.30.251
Any advice is welcome, please. BTW, I can still ping the VIP, but accessing the VIP from a browser fails.
Fully regards,
Hamzah
03-28-2013 02:06 AM
Hi Hamzah,
Please send me the output of :
show serverfarm
show service-policy HTTP_MULTI_MATCH detail.
Are you opening HTTP or HTTPS request? When you send a request what do you see in sh conn output. Please filter it with your client IP address if you have a lot of traffic. Example: sh conn
Config seems to be fine.
Regards,
Kanwal
03-28-2013 02:30 AM
DCACEAPP1/VC_web# sh serverfarm SF_WEB detail
serverfarm : SF_WEB, type: HOST
total rservers : 2
state : ACTIVE
DWS state : DISABLED
active rservers: 2
description : -
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 0
total conn-dropcount : 0
Probe(s) :
HTTPS_probe, type = HTTPS
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: RS_WEB1
10.49.30.221:443 8 OPERATIONAL 0 0 0
sticky-conns : 0 0
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
inband HM out-of-rotation count : -
rserver: RS_WEB2
10.49.30.222:443 8 OPERATIONAL 0 0 0
sticky-conns : 0 0
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
inband HM out-of-rotation count : -
DCACEAPP1/VC_web# sh service-policy HTTP_MULTI_MATCH detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 260
service-policy: HTTP_MULTI_MATCH
class: VS_WEB
nat:
nat dynamic 1 vlan 260
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
10.49.30.223 any
loadbalance:
L7 loadbalance policy: HTTP_LB
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 0
dropped conns : 0
conns per second : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : HTTP_LB
class/match : class-default
LB action :
primary serverfarm: SF_WEB
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
thx
03-28-2013 02:39 AM
Hi Hamzah,
I see no traffic is matching the class-map. I am not too sure about this, but can you change the class-map statement to the following and check again?
class-map match-all VS_WEB
3 match virtual-address 10.49.30.223 any
After change:
class-map match-all VS_WEB
3 match virtual-address 10.49.30.223 443.
Again please do take the show service-policy detail output.
Also, what is this route for?
ip route 10.0.0.0 255.0.0.0 10.49.30.250
Regards,
Kanwal
03-28-2013 02:47 AM
C:\>ping 10.49.30.223
Pinging 10.49.30.223 with 32 bytes of data:
Reply from 10.49.30.223: bytes=32 time=16ms TTL=253
Reply from 10.49.30.223: bytes=32 time<1ms TTL=253
Reply from 10.49.30.223: bytes=32 time<1ms TTL=253
Ping statistics for 10.49.30.223:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 16ms, Average = 5ms
C:\>telnet 10.49.30.223 443
Connecting To 10.49.30.223...Could not open connection to the host, on port 443:
Connect failed
###########################
DCACEAPP1/VC_web# sh run
Generating configuration....
access-list INBOUND line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe https HTTPS_probe
port 443
interval 5
passdetect interval 10
ssl version SSLv3
expect status 200 200
probe http HTTP_probe
port 80
interval 5
passdetect interval 10
expect status 200 200
probe icmp PING_Probe
probe tcp TCP_PROBE
rserver host RS_WEB1
description JBOSS web server 1
ip address 10.49.30.221
inservice
rserver host RS_WEB2
description JBOSS web server 2
ip address 10.49.30.222
inservice
serverfarm host SF_WEB
probe HTTPS_probe
rserver RS_WEB1 443
inservice
rserver RS_WEB2 443
inservice
sticky http-cookie ipos414 Sticky-G1
serverfarm SF_WEB
class-map match-all VS_WEB
2 match virtual-address 10.49.30.223 tcp eq https
policy-map type loadbalance first-match HTTP_LB
class class-default
serverfarm SF_WEB
policy-map multi-match HTTP_MULTI_MATCH
class VS_WEB
loadbalance vip inservice
loadbalance policy HTTP_LB
loadbalance vip icmp-reply active
nat dynamic 1 vlan 260
interface vlan 260
description Client and Server Side
ip address 10.49.30.214 255.255.255.192
access-group input INBOUND
nat-pool 1 10.49.30.227 10.49.30.227 netmask 255.255.255.192 pat
service-policy input HTTP_MULTI_MATCH
no shutdown
ip route 10.0.0.0 255.0.0.0 10.49.30.250
ip route 0.0.0.0 0.0.0.0 10.49.30.251
DCACEAPP1/VC_web# sh service-policy HTTP_MULTI_MATCH detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 260
service-policy: HTTP_MULTI_MATCH
class: VS_WEB
nat:
nat dynamic 1 vlan 260
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
10.49.30.223 tcp eq 443
loadbalance:
L7 loadbalance policy: HTTP_LB
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 0
dropped conns : 0
conns per second : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : HTTP_LB
class/match : class-default
LB action :
primary serverfarm: SF_WEB
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
########################
ip route 10.0.0.0 255.0.0.0 10.49.30.250 is for connecting into private LAN
thx
03-28-2013 03:01 AM
Hi Hamzah,
I don't think I am missing anything, unless I am looking at the configuration again and again and missing the same thing :)
I don't see any hit on the service-policy at all. The access-list is fine. The servers in the serverfarm are operational.
In the past I have seen that IPs defined for NAT or VIP are already in use, and that sometimes causes an issue. Can you double-check the IPs you are using, or maybe use a different one if you have free IPs in the pool?
If it still has no match on the service-policy and nothing is working, I would suggest opening a TAC case and having a WebEx session with an engineer to let him have a look at it first hand.
BTW, did you see anything in show conn?
My next response may be delayed as I am leaving. I am sure someone else will reply then :)
Regards,
Kanwal
03-28-2013 03:11 AM
Thanks to you too, Mr. Singh.
Now it works.
I changed the VIP to 10.49.30.215
and the NAT to 10.49.30.253.
In my documentation the last IPs are not in use; maybe the IPs conflict.
Now it works like a charm.
Thank you, thank you, you saved my weekend.
Thank you, sir.
DCACEAPP1/VC_web# sh run
Generating configuration....
access-list INBOUND line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe https HTTPS_probe
port 443
interval 5
passdetect interval 10
ssl version SSLv3
expect status 200 200
probe http HTTP_probe
port 80
interval 5
passdetect interval 10
expect status 200 200
probe icmp PING_Probe
probe tcp TCP_PROBE
rserver host RS_WEB1
description JBOSS web server 1
ip address 10.49.30.221
inservice
rserver host RS_WEB2
description JBOSS web server 2
ip address 10.49.30.222
inservice
serverfarm host SF_WEB
probe HTTPS_probe
rserver RS_WEB1 443
inservice
rserver RS_WEB2 443
inservice
sticky http-cookie ipos414 Sticky-G1
serverfarm SF_WEB
class-map match-all VS_WEB
2 match virtual-address 10.49.30.215 tcp eq https
policy-map type loadbalance first-match HTTP_LB
class class-default
serverfarm SF_WEB
policy-map multi-match HTTP_MULTI_MATCH
class VS_WEB
loadbalance vip inservice
loadbalance policy HTTP_LB
loadbalance vip icmp-reply active
nat dynamic 1 vlan 260
interface vlan 260
description Client and Server Side
ip address 10.49.30.214 255.255.255.192
access-group input INBOUND
nat-pool 1 10.49.30.253 10.49.30.253 netmask 255.255.255.192 pat
service-policy input HTTP_MULTI_MATCH
no shutdown
ip route 0.0.0.0 0.0.0.0 10.49.30.251
ip route 10.0.0.0 255.0.0.0 10.49.30.250
Fully regards Hamzah
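
The thread was resolved by moving the VIP and the NAT pool to addresses nothing else was using. As an added example (not part of the thread and not Cisco tooling), this Python helper pulls the VIP and NAT-pool addresses out of an ACE running-config and checks them against the interface subnet and the other addresses in the same config; the function name, the single-interface assumption and the embedded sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the address-bearing lines of the first config in this thread.
SAMPLE_CONFIG = """\
rserver host RS_WEB1
  ip address 10.49.30.221
rserver host RS_WEB2
  ip address 10.49.30.222
class-map match-all VS_WEB
  3 match virtual-address 10.49.30.223 any
interface vlan 260
  ip address 10.49.30.214 255.255.255.192
  nat-pool 1 10.49.30.227 10.49.30.227 netmask 255.255.255.192 pat
ip route 10.0.0.0 255.0.0.0 10.49.30.250
ip route 0.0.0.0 0.0.0.0 10.49.30.251
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"


def audit_addresses(config):
    """Hypothetical helper. Assumes one routed interface, as in this thread."""
    claimed, fixed, subnet, problems = {}, {}, None, []
    for line in map(str.strip, config.splitlines()):
        if m := re.match(rf"(?:\d+ )?match virtual-address {IP}", line):
            claimed[ipaddress.ip_address(m[1])] = "VIP"
        elif m := re.match(rf"nat-pool \d+ {IP} {IP} netmask", line):
            lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
            for n in range(lo, hi + 1):  # expand the pool range
                claimed[ipaddress.ip_address(n)] = "NAT pool"
        elif m := re.match(rf"ip address {IP} {IP}$", line):  # interface: ip + mask
            iface = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            subnet, fixed[iface.ip] = iface.network, "interface"
        elif m := re.match(rf"ip address {IP}$", line):  # rserver: ip only
            fixed[ipaddress.ip_address(m[1])] = "rserver"
        elif m := re.match(rf"ip route {IP} {IP} {IP}$", line):
            fixed[ipaddress.ip_address(m[3])] = "next hop"
    for addr, role in claimed.items():
        if subnet and addr not in subnet:
            problems.append(f"{role} {addr} is outside {subnet}")
        if addr in fixed:
            problems.append(f"{role} {addr} is also the {fixed[addr]} address")
    return [str(a) for a in sorted(claimed)], problems


if __name__ == "__main__":
    to_verify, problems = audit_addresses(SAMPLE_CONFIG)
    print("Confirm these are unused elsewhere on the VLAN:", to_verify)
    print("Config-level problems:", problems or "none")
```

A clean result here only rules out mistakes inside the config; an address already held by another host on the VLAN, which is what this thread ran into, has to be checked against the network's own address records for each address in the returned list.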