Cisco ACE 4710 and the VIP

grichardson661
Level 1

Howdi!

I've also posted this at www.networking-forum.com. Struggling to find if this is even possible...

So I've been working on a global load balanced, web hosted, context based platform. It's working a treat, but I've got a question on the VIP on the ACE.

Has anybody managed to figure out if there is a flag/command to totally disable the VIP from accepting any sort of TCP/UDP connections should the health monitor fail? My health monitor is doing an HTTP query every 30 seconds. If it fails the VIP goes 'out of service', all good there, but the VIP will still accept a TCP port 80 connect. What I mean by this is if I open a command prompt and do telnet x.x.x.x 80 (internet address that is NAT'd to the VIP) the socket is established. Is there a way to totally disable the VIP from accepting connections if the health monitor fails?

Any ideas?

Cheers guys,
Garry


6 Replies

Daniel Arrondo Ostiz
Cisco Employee

Hi Garry,

The behavior you are describing could be normal if there is another VIP listening on the same IP address (maybe a different URL?). In that case, since the ACE cannot identify the policy-map to use until the HTTP request is received, the TCP connection is allowed.

If there are no other VIPs matching that IP and port, the ACE should stop replying to ping and accepting connections.

I hope this helps

Daniel

Hi Daniel,

Thanks for the response.

So you understand my topology: I'm running the ACE in layer 2 mode. I have client and server side VLANs. The subnet the servers sit on is, for example, 10.10.10.0/24, and the gateway is 10.10.10.254 (client/internet side of the ACE).

I have two VIPs with different IP addresses BUT in the same subnet, for example 10.10.10.1 and 10.10.10.2. 10.10.10.1 is bound to a serverfarm that has one rserver 10.10.10.50 within. Same for 10.10.10.2 (10.10.10.51).

So in my example, if the health monitor that is bound to the VIP 10.10.10.1 fails, 10.10.10.1 will still accept a TCP port 80 connect, and I want to disable this.

A guy on another forum suggested 'Under serverfarm config, if you set "failaction purge", it will send a RST to all connections to that server.' I am yet to try this; however, I did research "failaction purge" and it refers to the rserver failing, not the health monitor, if I'm not mistaken.

The rserver is marked down when the probe fails.

The failaction purge is a best practice. By default if a whole serverfarm becomes down, all existing TCP connections are not flushed.

Hi Garry,

If you paste your full configuration, I can check it further. Of course, if you are concerned about privacy, you can always open a TAC case instead.

The "failaction purge" will not help in your case, because what this command does is that whenever the probe for one server goes down, the ACE will send a RST to all the connections currently established on that server. However, what you are trying to do is block new connections.

Regards

Daniel

Hi Daniel, apologies for the late reply. Here is my config from another build. Same issue, but the health monitor is based around SMTP port 25 connects. Any ideas? I've still not found a way to totally disable the VIP should the health monitor fail.

I would like to ICMP echo the VIP from a router that is configured with IP SLA and HSRP tracking. I want HSRP to fail over should the IP SLA fail. The IP SLA ICMP echoes the VIP. The VIP should reply should the intelligent health monitors return working SMTP status codes 250 and 211. See where I am going? It's a hierarchy model I'm looking at, but it fails because of how the VIP behaves.

probe icmp ICMP-PROBE
  interval 15
  passdetect interval 60
probe smtp SMTP-PROBE
  interval 15
  passdetect interval 60
  open 1
  expect status 211 250

rserver host SVR1
  ip address 100.99.75.22
  probe ICMP-PROBE
  inservice
rserver host SVR2
  ip address 100.99.75.23
  probe ICMP-PROBE
  inservice

serverfarm host vFARM
  predictor response app-req-to-resp samples 4
  probe SMTP-PROBE
  rserver SVR1
    inservice
  rserver SVR2
    inservice

class-map match-all CLASS-MAP
  2 match virtual-address 100.99.75.100 any

policy-map type management first-match remote-mgmt-allow-policy
  class remote-mgmt-allow
    permit

policy-map type loadbalance first-match POLICY
  class class-default
    serverfarm vFARM

policy-map multi-match VIP-POLICY
  class CLASS-MAP
    loadbalance vip inservice
    loadbalance policy POLICY
    loadbalance vip icmp-reply

interface vlan 10
  description NorthSide
  bridge-group 1
  access-group input allow-all-ip
  service-policy input VIP-POLICY
  no shutdown
interface vlan 20
  description SouthSide
  bridge-group 1
  access-group input allow-all-ip
  no shutdown
interface vlan 30
  description Management
  bridge-group 8
  no normalization
  mac-sticky enable
  service-policy input remote-mgmt-allow-policy
  no shutdown

interface bvi 1
  ip address 100.99.75.247 255.255.255.0
  alias 100.99.75.246 255.255.255.0
  description L3 Bridge Group 1 Interface
  no shutdown
interface bvi 8
  ip address x.x.x.x x.x.x.x
  description Management
  no shutdown

ip route 0.0.0.0 0.0.0.0 100.99.75.254
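The thread turns on one point: a completed TCP handshake against a VIP (the "telnet x.x.x.x 80" test in the original question, or the ACE accepting the connection before it has chosen a policy-map, as Daniel explains) is not evidence that the service behind it is up. A monitor that feeds an IP SLA / HSRP decision should therefore check at the application layer, the way the posted SMTP probe does with "expect status 211 250". The following Python checker is an added example, not code from this thread or from Cisco: it classifies a VIP as healthy, "accepts TCP only", or down. The fake VIP, the host 127.0.0.1, the greeting and reply strings, and the probe hostname probe.invalid are constructed for the demonstration.

```python
import socket
import threading

# Constructed SMTP greeting/reply spoken by the local fake VIP below.
BANNER = b"220 mail.example.test ESMTP\r\n"
EHLO_REPLY = b"250 mail.example.test\r\n"


def smtp_vip_health(host, port=25, timeout=3.0):
    """Return 'healthy', 'accepts-tcp-only' or 'down' for an SMTP VIP.

    A completed handshake proves nothing about the service behind the VIP,
    so we require a 220 greeting and a 250 (or 211) reply to EHLO, which
    mirrors the 'expect status 211 250' line of the posted SMTP probe.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "down"                      # SYN refused or timed out
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(512).decode("ascii", errors="replace")
            if not banner.startswith("220"):
                return "accepts-tcp-only"  # socket open, no real greeting
            sock.sendall(b"EHLO probe.invalid\r\n")
            reply = sock.recv(1024).decode("ascii", errors="replace")
            code = reply[:3]
            try:
                sock.sendall(b"QUIT\r\n")
            except OSError:
                pass
        except OSError:                    # reset or timeout mid-dialogue
            return "accepts-tcp-only"
    return "healthy" if code in ("250", "211") else "accepts-tcp-only"


def start_fake_vip(mode):
    """Constructed local stand-in for a VIP that serves one connection.

    mode 'smtp'     : completes the handshake and speaks minimal SMTP.
    mode 'tcp-only' : completes the handshake and closes without a byte,
                      like a VIP whose accept succeeds while the
                      application behind it is gone.
    Returns the ephemeral port the fake is listening on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]

    def run():
        try:
            conn, _ = srv.accept()
        except OSError:
            srv.close()
            return
        with conn:
            if mode == "smtp":
                conn.settimeout(5)
                try:
                    conn.sendall(BANNER)
                    conn.recv(1024)        # EHLO
                    conn.sendall(EHLO_REPLY)
                    conn.recv(1024)        # QUIT or client close
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port():
    """Pick a port nothing listens on (the constructed 'down' case)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    for mode in ("smtp", "tcp-only"):
        print(mode, "->", smtp_vip_health("127.0.0.1", start_fake_vip(mode)))
    print("down ->", smtp_vip_health("127.0.0.1", unused_port()))
```

The "accepts-tcp-only" result is the state Garry is describing: the handshake completes, but nothing behind the VIP answers. A tracking object driven by this check (rather than by an ICMP echo or a bare TCP connect) fails over on application health, which is what the hierarchy model in the post needs.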

Hi Garry,

There is nothing wrong with the configuration you just pasted. In fact, I just tested it in my lab and confirmed that, as soon as the rserver goes down, the VIP stops replying to ICMP and accepting connections.

Moving forward, I would strongly recommend you to open a TAC service request to have it investigated further.

Regards

Daniel