ACE4710 TCP RESET

bmlakar · ‎01-16-2009

Hi there,

we are using ACE4710 sw version 3_2_1.

We have a real host using two ethernet adapters, on ip address on each (IP1-MAC1, IP2-MAC2). If we simulate server loosing one adapter IP1 is moving to eth2 nad using MAC2 (IP1-MAC2).

There is no probe or serverfarm failure log. We have a purge configuration for sessions. When IP1 address is moved to eth2 ACE register this as:

Received ARP REQUEST collision from 172.17.19.36 08.00.8e.03.e6.05 on interface vlan319

and send TCP reset for IP1 RS connections to client and server.

We believe this is not right since RS IP1 is alive (but is on different MAC).

ARP inspection is not used, is there any other security feature involved?

Regards

Branko Mlakar

Gilles Dufour · ‎01-19-2009

Is your RS sendinga G-ARP when changing from MAC1 to MAC2 ?

If no G-ARP this will indeed totally messed up the loadbalancer.

Dual network adapters on RS has always been painfull to implement with loadbalancers.

And honestly, I have never seen the benefit of it.

Too much trouble for very little advantages.

Gilles.

bmlakar · ‎01-20-2009

Hi Gilles,

thanks for your reply.

Yes, from capture traces we see G-ARP send from Tandem host. G-ARP is right formatted with new MAC address of the other eth adapter. After G-ARP is sent, there are still two KA application messages going through ACE in both direction with mac updated (packets are seen on server and also on client site). To this point everything is fine from packet structure view. Right after, ACE sends TCP RST to client and server segment for session which was on ethernet adapter experienced a fault condition.

I have to point out that this happens if serverfarm (SF)is configured with "failaction purge" cmd. If we configure SF with "no failaction" everything works fine.

From application standpoint we need to have "purge" connection.

Thanks.

Kind regards,

Branko