08-27-2012 01:23 PM
Hello Everyone,
I have a problem here.
I am trying to configure ASN traffic load balancing, but it doesn't work.
Explanation: I have one Cisco Catalyst 6509 and one Cisco ACE10 module. In my context "PanWEB" I have the interfaces above:
interface vlan 4 (rservers interface)
  bridge-group 10
  no normalization
  no icmp-guard
  access-group input all-access
  nat-pool 1 172.17.3.254 172.17.3.254 netmask 255.255.255.255 pat (used for other applications in this context)
  service-policy input Access
  service-policy input VIP
  no shutdown
interface vlan 82 (VIP interface)
  ip address 10.96.202.4 255.255.255.0
  alias 10.96.202.5 255.255.255.0
  peer ip address 10.96.202.6 255.255.255.0
  no normalization
  no icmp-guard
  access-group input all-access
  service-policy input Access
  service-policy input VIP
  no shutdown
interface bvi 10
  ip address 172.17.2.199 255.255.0.0
  peer ip address 172.17.1.199 255.255.0.0
  no shutdown
I am trying to configure ASN traffic because my application needs the original client IP; NAT is not an option in this scenario. My configuration is:
rserver host PANVCTXP308B
  ip address 172.17.2.218
  inservice
rserver host PANVCTXP308C
  ip address 172.17.2.224
serverfarm host SF-PAN-CITRIX
  transparent
  rserver PANVCTXP308B 80
    inservice
  rserver PANVCTXP308C 80
    inservice
sticky ip-netmask 255.255.255.255 address source sticky_citrix
  serverfarm SF-PAN-CITRIX
class-map match-all SLB_CITRIX
  2 match virtual-address 10.96.202.10 tcp eq www
policy-map type loadbalance first-match SLB_CITRIX
  class class-default
    sticky-serverfarm sticky_citrix
policy-map multi-match VIP
  class SLB_CITRIX
    loadbalance vip inservice
    loadbalance policy SLB_CITRIX
    loadbalance vip icmp-reply active primary-inservice
If I try to establish a telnet session (telnet 10.96.202.10 80), I see the SYN packet passing through the ACE and going to the real server, but the server does not respond to the SYN packet.
I did a capture on the server using Wireshark and could see that the destination IP address is the VIP and not the rserver IP address. Is this a problem? Why can't I get the SYN+ACK from the server?
Thanks a lot!
Rafael
08-27-2012 08:54 PM
Hi Rafael,
Why have you created a BVI? All you want is that NAT should not happen so you can simply not apply any NAT statement in the policy multi-match.
The configuration looks fine; just ensure that you have a loopback interface configured on the server with the VIP address of the ACE to which the client sends the traffic. Plus, when you configure ASN, the destination IP of the packet forwarded by the ACE will not be translated to the rserver IP address, and that is perfectly fine.
Since the server has to reply directly and the client sent the SYN to the VIP, it is very important that the packet sent by the server has the VIP as its source IP address; otherwise the connection will fail.
Regards,
Kanwal
08-28-2012 05:53 AM
Hi Kanwaljeet,
The BVI interface was already created before this implementation; I only created interface vlan 82 to add a VIP address in a different subnet. I took the configuration.
The server receives the connection (SYN) with the correct IP address from the client (10.93.7.25), but the destination IP address is 10.96.202.10 (VIP address) and not the rserver IP address. The server does not respond to the packet to the client, and I see a timeout in the client browser; I do not see a SYN ACK.
Topology example: http://3.bp.blogspot.com/_Tdhn-HYCK18/SKGWUzrw0gI/AAAAAAAAAjk/2wR4mjAOn3g/s1600/ASN-simple.gif
http://snippets101.blogspot.in/2008/08/asymmetric-server-normalization-on.html
08-28-2012 11:56 AM
I created a loopback interface on the server, but the telnet session is still not established.
I logged the packets on both sides (server and client) and I see:
1 - Client 10.93.7.25 sends a SYN packet to 10.96.202.10 (VIP ACE)
2 - ACE directs the SYN request to rserver 172.17.2.218
3 - Rserver responds to the SYN request with SYN+ACK to the client 10.93.7.25, but using the IP 172.17.2.218 and not the IP address of the configured loopback interface, 10.96.202.10.
4 - Client does not respond to the SYN+ACK from IP address 172.17.2.218 (because it sent the SYN to IP 10.96.202.10 and not 172.17.2.218).
5 - Connection timeout/reset
Any ideas to resolve this?
Tks.
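The mismatch in steps 1 to 5 above can be checked mechanically in a client-side capture. This is an added example, not part of the original thread: it parses `tcpdump -n` style lines (constructed here from the thread's addresses; the client port 51000 and the sequence numbers are made up) and reports any SYN+ACK whose source IP differs from the address the client sent its SYN to.

```python
import re

# Matches tcpdump -n style lines: "IP src.sport > dst.dport: Flags [S], ..."
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def find_mismatched_synacks(lines):
    """Return SYN+ACKs whose source IP is not the IP the client sent its SYN to."""
    pending = {}   # (client_ip, client_port, service_port) -> IP the client addressed
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":                       # client SYN: remember the target
            pending[(src, sport, dport)] = dst
        elif flags == "S.":                    # SYN+ACK heading back to a client
            expected = pending.get((dst, dport, sport))
            if expected is not None and expected != src:
                findings.append({"client": dst, "port": sport,
                                 "expected_source": expected,
                                 "actual_source": src})
    return findings

# Constructed capture: the reply comes from the rserver address, as in step 3.
BROKEN = [
    "IP 10.93.7.25.51000 > 10.96.202.10.80: Flags [S], seq 100, win 8192, length 0",
    "IP 172.17.2.218.80 > 10.93.7.25.51000: Flags [S.], seq 900, ack 101, win 8192, length 0",
    "IP 10.93.7.25.51000 > 10.96.202.10.80: Flags [S], seq 100, win 8192, length 0",
]

# Constructed capture: the reply is sourced from the VIP, so the client can match it.
WORKING = [
    "IP 10.93.7.25.51000 > 10.96.202.10.80: Flags [S], seq 100, win 8192, length 0",
    "IP 10.96.202.10.80 > 10.93.7.25.51000: Flags [S.], seq 900, ack 101, win 8192, length 0",
    "IP 10.93.7.25.51000 > 10.96.202.10.80: Flags [.], ack 901, win 8192, length 0",
]

if __name__ == "__main__":
    for name, capture in (("broken", BROKEN), ("working", WORKING)):
        print(name, find_mismatched_synacks(capture))
```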
08-28-2012 08:19 PM
Hi Rafael,
I am not sure why the server is not using the loopback address while replying to the SYN. There must be some setting on the server which tells it to use the loopback address while replying to the SYN. Also, the ACE will forward the traffic to the rserver without changing the destination IP. The destination IP would still be the ACE VIP, since only Layer 2 forwarding happens in the case of ASN, and since the destination IP never changes, the server should reply using the loopback interface IP, which is the VIP of the ACE.
Which server are you using? Let me google this a bit, and if I find something I will let you know.
Regards,
Kanwal
08-29-2012 05:20 AM
Hi Kanwaljeet,
I agree with you.
I am using Windows Server 2008 R2 Standard.