10-26-2011 12:22 AM
Howdi!
I've also posted this at www.networking-forum.com. Struggling to find if this is even possible...
So I've been working on a global load balanced, web hosted, context based platform. It's working a treat, but I've got a question on the VIP on the ACE.
Has anybody managed to figure out if there is a flag/command to totally disable the VIP from accepting any sort of TCP/UDP connections should the health monitor fail? My health monitor is doing an HTTP query every 30 seconds. If it fails the VIP goes 'out of service', all good there, but the VIP will still accept a TCP port 80 connect. What I mean by this is if I open a command prompt and do telnet x.x.x.x 80 (internet address that is NAT'd to the VIP), the socket is established. Is there a way to totally disable the VIP from accepting connections if the health monitor fails?
Any ideas?
Cheers guys,
Garry
10-27-2011 07:30 AM
Hi Garry,
The behavior you are describing could be normal if there is another VIP listening on the same IP address (maybe different url?). In that case, since the ACE cannot identify the policy-map to use until the HTTP request is received, the TCP connection is allowed.
If there are no other VIPs matching that IP and port, the ACE should stop replying to ping and accepting connections.
I hope this helps.
Daniel
11-01-2011 12:43 AM
Hi Daniel,
Thanks for the response.
So you understand my topology: I'm running the ACE in layer 2 mode. I have client and server side VLANs. The subnet the servers sit on is, for example, 10.10.10.0/24, and the gateway is 10.10.10.254 (client/internet side of the ACE).
I have two VIPs with different IP addresses BUT in the same subnet, for example 10.10.10.1 and 10.10.10.2. 10.10.10.1 is bound to a serverfarm that has one rserver (10.10.10.50) within. Same for 10.10.10.2 (10.10.10.51).
So in my example, if the health monitor that is bound to the VIP 10.10.10.1 fails, 10.10.10.1 will still accept a TCP port 80 connect, and I want to disable this.
A guy on another forum suggested 'Under serverfarm config, if you set "failaction purge", it will send a RST to all connections to that server.' I am yet to try this; however, I did research "failaction purge" and it refers to the rserver failing, not the health monitor, if I'm not mistaken.
11-01-2011 04:51 AM
The rserver is marked down when the probe fails.
The failaction purge is a best practice. By default, if a whole serverfarm goes down, existing TCP connections are not flushed.
11-03-2011 03:31 AM
Hi Garry,
If you paste your full configuration, I can check it further. Of course, if you are concerned about privacy, you can always open a TAC case instead.
The "failaction purge" will not help in your case, because what this command does is send a RST to all the connections currently established on a server whenever the probe for that server goes down. However, what you are trying to do is block new connections.
Regards
Daniel
11-29-2011 06:07 AM
Hi Daniel, apologies for the late reply. Here is my config from another build. Same issue, but the health monitor is based around SMTP port 25 connects. Any ideas? I've still not found a way to totally disable the VIP should the health monitor fail.
I would like to ICMP echo the VIP from a router that is configured with IP SLA and HSRP tracking. I want HSRP to fail over should the IP SLA fail. The IP SLA ICMP-echoes the VIP. The VIP should reply if the intelligent health monitors return working SMTP status codes 250 and 211. See where I am going? It's a hierarchy model I'm looking at, but it fails because of how the VIP behaves.
probe icmp ICMP-PROBE
  interval 15
  passdetect interval 60
probe smtp SMTP-PROBE
  interval 15
  passdetect interval 60
  open 1
  expect status 211 250
rserver host SVR1
  ip address 100.99.75.22
  probe ICMP-PROBE
  inservice
rserver host SVR2
  ip address 100.99.75.23
  probe ICMP-PROBE
  inservice
serverfarm host vFARM
  predictor response app-req-to-resp samples 4
  probe SMTP-PROBE
  rserver SVR1
    inservice
  rserver SVR2
    inservice
class-map match-all CLASS-MAP
  2 match virtual-address 100.99.75.100 any
policy-map type management first-match remote-mgmt-allow-policy
  class remote-mgmt-allow
    permit
policy-map type loadbalance first-match POLICY
  class class-default
    serverfarm vFARM
policy-map multi-match VIP-POLICY
  class CLASS-MAP
    loadbalance vip inservice
    loadbalance policy POLICY
    loadbalance vip icmp-reply
interface vlan 10
  description NorthSide
  bridge-group 1
  access-group input allow-all-ip
  service-policy input VIP-POLICY
  no shutdown
interface vlan 20
  description SouthSide
  bridge-group 1
  access-group input allow-all-ip
  no shutdown
interface vlan 30
  description Management
  bridge-group 8
  no normalization
  mac-sticky enable
  service-policy input remote-mgmt-allow-policy
  no shutdown
interface bvi 1
  ip address 100.99.75.247 255.255.255.0
  alias 100.99.75.246 255.255.255.0
  description L3 Bridge Group 1 Interface
  no shutdown
interface bvi 8
  ip address x.x.x.x x.x.x.x
  description Management
  no shutdown
ip route 0.0.0.0 0.0.0.0 100.99.75.254
12-02-2011 05:12 AM
Hi Garry,
There is nothing wrong with the configuration you just pasted. In fact, I just tested it in my lab and confirmed that, as soon as the rserver goes down, the VIP stops replying to ICMP and accepting connections.
Moving forward, I would strongly recommend you to open a TAC service request to have it investigated further.
Regards
Daniel
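The telnet test from the first post and the lab result in the last one both come down to the same observable: does the VIP still complete a TCP three-way handshake after the probe has taken the serverfarm down? The script below is an added example, not part of this thread or of any Cisco tool; it scripts that test so the transition can be watched over time and distinguishes the three outcomes that matter here: the handshake completes ("accepting", which is what Garry sees, and also what happens when another VIP shares the same IP and port as Daniel notes), the ACE answers with a RST ("refused"), or nothing comes back at all ("silent", which is the "stops replying" behaviour Daniel describes). The VIP address and the polling interval are assumptions you pass on the command line; the loopback listener exists only so the script can demonstrate itself offline.

```python
"""Poll a VIP and report when it starts or stops completing TCP handshakes.

Added example for the ACE thread above; not the project's or Cisco's code.
"""
import socket
import sys
import time


def probe(host, port, timeout=3.0):
    """Classify one connection attempt to host:port.

    'accepting' - SYN/ACK came back and the handshake completed
    'refused'   - the peer answered with a RST (ConnectionRefusedError)
    'silent'    - no answer within `timeout` (SYN dropped or unanswered)
    'error:N'   - some other socket error, e.g. no route to host (errno N)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "accepting"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "silent"
    except OSError as exc:
        return f"error:{exc.errno}"


def watch(host, port, interval=15, rounds=None, timeout=3.0, log=print):
    """Probe every `interval` seconds and record only state transitions.

    `rounds=None` polls forever; otherwise stop after that many probes.
    Returns a list of (unix_time, state) transitions.
    """
    history = []
    last = None
    done = 0
    while rounds is None or done < rounds:
        state = probe(host, port, timeout)
        if state != last:
            history.append((time.time(), state))
            log(f"{time.strftime('%H:%M:%S')} {host}:{port} {state}")
            last = state
        done += 1
        if rounds is None or done < rounds:
            time.sleep(interval)
    return history


def local_listener():
    """Constructed stand-in for a VIP (self-test only): a listening socket
    on a free loopback port. Close it to simulate the VIP going away."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Real use: python vipwatch.py <vip-address> <port> [interval-seconds]
        vip, port = sys.argv[1], int(sys.argv[2])
        every = int(sys.argv[3]) if len(sys.argv) > 3 else 15
        watch(vip, port, interval=every)
    else:
        # Offline self-demonstration against the loopback stand-in.
        srv = local_listener()
        p = srv.getsockname()[1]
        print("listener up:  ", probe("127.0.0.1", p))   # accepting
        srv.close()
        print("listener gone:", probe("127.0.0.1", p))   # refused
```

Run it as `python vipwatch.py 100.99.75.100 25` from a host on the client side of the ACE while the rserver probe is forced to fail; a VIP that has really been withdrawn should move from "accepting" to "silent", whereas a move to "refused" or no transition at all means something on that address and port is still answering SYNs, which is the first thing to check against the class-map and any other policy sharing the address.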