Cisco ACE transparent serverfarm with http

florentDet
Level 1

I use ACE to load balance www and https to 3 servers. I use transparent mode to keep the destination address and match it on each firewall (like failover).

For the test, I tried with one server:

   Me (194.78.223.33)
     |
   Internet
     | (vlan 1231)
   ACE
     | (vlan 2164)
   Firewall
     |
   Nginx (192.168.23.31)

Configuration:

access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any

probe tcp PROBE_TCP
  interval 5
  passdetect interval 10

rserver host i1
  ip address 172.16.0.1
  conn-limit max 50000 min 40000
  inservice

serverfarm host FARM_WEB_SSL
  transparent
  predictor hash address destination 255.255.255.255
  probe PROBE_TCP
  rserver i1
    inservice

class-map match-any L4-WEB-SSL-IP
  2 match virtual-address 5.135.79.20 tcp eq https
  3 match virtual-address 5.135.79.20 tcp eq www

policy-map type loadbalance http first-match WEB_SSL_L7_POLICY
  class class-default
    serverfarm FARM_WEB_SSL
    insert-http x-forward header-value "%is"

policy-map multi-match LB-to-vIPs
  class L4-WEB-SSL-IP
    loadbalance vip inservice
    loadbalance policy WEB_SSL_L7_POLICY

access-group input ANY

interface vlan 1231
  ip address 5.135.79.26 255.255.255.240
  alias 5.135.79.25 255.255.255.240
  peer ip address 5.135.79.27 255.255.255.240
  service-policy input REMOTE_PUBLIC_MGMT
  service-policy input LB-to-vIPs
  no shutdown

interface vlan 2164
  ip address 172.31.255.250 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  peer ip address 172.31.255.251 255.240.0.0
  no normalization
  mac-sticky enable
  no icmp-guard
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ft track interface VLAN1231
  track-interface vlan 1231
  peer track-interface vlan 1231
  priority 50
  peer priority 5

ip route 0.0.0.0 0.0.0.0 5.135.79.30

My proxy server receives the request:

11:23:12.027868 IP (tos 0x0, ttl 254, id 26864, offset 0, flags [none], proto TCP (6), length 44)
    194.78.223.33.53120 > 192.168.23.31.http: Flags [S], cksum 0x90ef (correct), seq 2632425798, win 32768, options [mss 1460], length 0
E..,h........N.!.......P...F....`...........
11:23:12.027884 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.23.31.http > 194.78.223.33.53120: Flags [S.], cksum 0xa64f (correct), seq 556994644, ack 2632425799, win 14600, options [mss 1460], length 0
E..,..@.@........N.!.P..!3.T...G`.9..O......
11:23:12.548061 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.23.31.http > 194.78.223.33.53018: Flags [S.], cksum 0x2225 (correct), seq 2696932208, ack 1878390816, win 14600, options [mss 1460], length 0
E..,..@.@........N.!.P.....po.. `.9."%......

But nothing in the access log... I tried with the web server too... Nothing...

If I try without the ACE, it works.

Accepted Solution

ajayku2
Cisco Employee

Hi,

I see that you have tried to create a NAT pool but I don't see any policy that uses it.

policy-map multi-match LB-to-vIPs
  class L4-WEB-SSL-IP
    loadbalance vip inservice
    loadbalance policy WEB_SSL_L7_POLICY
    nat dynamic 1 vlan 2164  << Missing >>

access-group input ANY

Try using the same; that should help.

Also refer to the following for more troubleshooting tips:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Troubleshooting_Network_Address_Translation#Configuring_Dynamic_NAT_and_PAT

regards,

Ajay Kumar


Replies


Thank you for the answer.

Now I have:

class L4-WEB-SSL-IP
    loadbalance vip inservice
    loadbalance policy WEB_SSL_L7_POLICY
    nat dynamic 1 vlan 2164

But the result is the same... with the IP of the ACE:

15:02:49.730291 IP (tos 0x0, ttl 254, id 713, offset 0, flags [none], proto TCP (6), length 44)
    172.31.255.248.menandmice-mon > 192.168.23.31.http: Flags [S], cksum 0xabc8 (correct), seq 410041845, win 32768, options [mss 1460], length 0
E..,......6#...........P.p......`...........
15:02:49.730305 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.23.31.http > 172.31.255.248.menandmice-mon: Flags [S.], cksum 0xd2f5 (correct), seq 2554169212, ack 410041846, win 14600, options [mss 1460], length 0
E..,..@.@............P...=.|.p..`.9.........
15:02:50.930111 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.23.31.http > 172.31.255.248.menandmice-mon: Flags [S.], cksum 0xd2f5 (correct), seq 2554169212, ack 410041846, win 14600, options [mss 1460], length 0
E..,..@.@............P...=.|.p..`.9.........
15:02:52.713523 IP (tos 0x0, ttl 254, id 8483, offset 0, flags [none], proto TCP (6), length 44)
    172.31.255.248.menandmice-mon > 192.168.23.31.http: Flags [S], cksum 0xabc8 (correct), seq 410041845, win 32768, options [mss 1460], length 0
E..,!#.................P.p......`...........
15:02:52.713552 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.23.31.http > 172.31.255.248.menandmice-mon: Flags [S.], cksum 0xd2f5 (correct), seq 2554169212, ack 410041846, win 14600, options [mss 1460], length 0
E..,..@.@............P...=.|.p..`.9.........
15:02:52.930118 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.23.31.http > 172.31.255.248.menandmice-mon: Flags [S.], cksum 0xd2f5 (correct), seq 2554169212, ack 410041846, win 14600, options [mss 1460], length 0
E..,..@.@............P...=.|.p..`.9.........
15:02:56.930124 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.23.31.http > 172.31.255.248.menandmice-mon: Flags [S.], cksum 0xd2f5 (correct), seq 2554169212, ack 410041846, win 14600, options [mss 1460], length 0
E..,..@.@............P...=.|.p..`.9.........
15:02:58.693106 IP (tos 0x0, ttl 254, id 23582, offset 0, flags [none], proto TCP (6), length 44)
    172.31.255.248.menandmice-mon > 192.168.23.31.http: Flags [S], cksum 0xabc8 (correct), seq 410041845, win 32768, options [mss 1460], length 0
E..,\..................P.p......`...........
15:02:58.693122 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.23.31.http > 172.31.255.248.menandmice-mon: Flags [S.], cksum 0xd2f5 (correct), seq 2554169212, ack 410041846, win 14600, options [mss 1460], length 0
E..,..@.@............P...=.|.p..`.9.........
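What the captures in this post show is a handshake that never completes: the server answers every SYN with a SYN-ACK carrying the same sequence number (2554169212) over and over, and no ACK from the client ever arrives at the server, which is consistent with an empty access log. The following is an added example, not part of this thread and not Cisco's code: a small Python classifier for the two-line tcpdump layout shown above (timestamp line, then the "src.port > dst.port: Flags [...]" line, with hex-dump lines skipped) that groups segments per connection and labels the handshake state. It assumes IPv4 addresses and the tcpdump -v field order seen in the post; the 10.0.0.5 flow in the sample is constructed to show a completed handshake for contrast.

```python
"""Classify TCP handshakes in tcpdump -v output to spot one-way flows.

Added example (not from the forum thread). Retransmitted SYN-ACKs with no
client ACK mean the server's reply leaves the server but never reaches the
client; that is the pattern to look for before blaming the web server.
"""
import re
from collections import defaultdict

# Second line of each packet: "src.sport > dst.dport: Flags [..], ... seq N, ack M ..."
# Ports may be numbers or service names (http, menandmice-mon), so they stay strings.
FLOW_RE = re.compile(
    r"^\s*(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:.*?\bseq (?P<seq>\d+))?(?:.*?\back (?P<ack>\d+))?"
)
# First line of each packet carries the timestamp; hex-dump lines match neither pattern.
TS_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP ")

# Sample input: five segments copied from the capture in the post above, plus a
# constructed healthy flow from 10.0.0.5 (not in the original capture).
SAMPLE_CAPTURE = r"""
15:02:49.730291 IP (tos 0x0, ttl 254, id 713, offset 0, flags [none], proto TCP (6), length 44)
    172.31.255.248.menandmice-mon > 192.168.23.31.http: Flags [S], cksum 0xabc8 (correct), seq 410041845, win 32768, options [mss 1460], length 0
E..,......6#...........P.p......`...........
15:02:49.730305 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.23.31.http > 172.31.255.248.menandmice-mon: Flags [S.], cksum 0xd2f5 (correct), seq 2554169212, ack 410041846, win 14600, options [mss 1460], length 0
E..,..@.@............P...=.|.p..`.9.........
15:02:50.930111 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.23.31.http > 172.31.255.248.menandmice-mon: Flags [S.], cksum 0xd2f5 (correct), seq 2554169212, ack 410041846, win 14600, options [mss 1460], length 0
15:02:52.713523 IP (tos 0x0, ttl 254, id 8483, offset 0, flags [none], proto TCP (6), length 44)
    172.31.255.248.menandmice-mon > 192.168.23.31.http: Flags [S], cksum 0xabc8 (correct), seq 410041845, win 32768, options [mss 1460], length 0
15:02:52.713552 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.23.31.http > 172.31.255.248.menandmice-mon: Flags [S.], cksum 0xd2f5 (correct), seq 2554169212, ack 410041846, win 14600, options [mss 1460], length 0
15:03:10.000000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.5.40000 > 192.168.23.31.http: Flags [S], cksum 0x0000 (correct), seq 100, win 29200, options [mss 1460], length 0
15:03:10.000100 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.23.31.http > 10.0.0.5.40000: Flags [S.], cksum 0x0000 (correct), seq 200, ack 101, win 14600, options [mss 1460], length 0
15:03:10.000200 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.5.40000 > 192.168.23.31.http: Flags [.], cksum 0x0000 (correct), ack 201, win 229, length 0
"""


def parse_segments(text):
    """Yield one dict per TCP segment; header and hex-dump lines are consumed silently."""
    ts = None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = m.group(1)
            continue
        m = FLOW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        yield {
            "ts": ts,
            "src": (d["src"], d["sport"]),
            "dst": (d["dst"], d["dport"]),
            "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "ack": int(d["ack"]) if d["ack"] else None,
        }


def flow_key(a, b):
    """Direction-independent connection key built from two (ip, port) endpoints."""
    return tuple(sorted([a, b]))


def classify_flows(text):
    """Return {flow_key: {"syn", "synack", "ack", "label"}} for every handshake seen.

    established          - the client acknowledged the server's SYN-ACK
    synack-retransmitted - SYN-ACK resent, never acknowledged: return path is broken
    syn-retransmitted    - SYN resent, server never answered: forward path is broken
    pending              - a single SYN / SYN-ACK only; capture too short to judge
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "client": None})
    for seg in parse_segments(text):
        f = flows[flow_key(seg["src"], seg["dst"])]
        if seg["flags"] == "S":
            f["syn"] += 1
            f["client"] = seg["src"]
        elif seg["flags"] == "S.":
            f["synack"] += 1
        elif not ({"S", "R"} & set(seg["flags"])) and seg["ack"] is not None \
                and seg["src"] == f["client"]:
            f["ack"] += 1  # third segment of the handshake (or later client data)
    result = {}
    for key, f in flows.items():
        if f["synack"] and f["ack"]:
            label = "established"
        elif f["synack"] >= 2 and not f["ack"]:
            label = "synack-retransmitted"
        elif f["syn"] >= 2 and not f["synack"]:
            label = "syn-retransmitted"
        else:
            label = "pending"
        result[key] = {"syn": f["syn"], "synack": f["synack"], "ack": f["ack"], "label": label}
    return result


def summarize(text):
    """Count flows per label, e.g. {"synack-retransmitted": 1, "established": 1}."""
    counts = defaultdict(int)
    for info in classify_flows(text).values():
        counts[info["label"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, info in classify_flows(SAMPLE_CAPTURE).items():
        print(key, info)
```

Run against a full capture (`tcpdump -nv port 80` on the server, pasted into SAMPLE_CAPTURE or read from a file) this separates "the server never got the SYN" from "the server answered but the answer went nowhere"; only the second matches the post above, which points at the path the SYN-ACK takes back toward the ACE rather than at nginx.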

Let me clarify the issue.

1) The load balancing is not working?

or

2) x-forward is not getting inserted?

Also, just for clarity:

----------------------------------
If you do not want the ACE to use NAT to translate the VIP to the server IP address, enter:

host1/Admin(config-sfarm-host)# transparent
-----------------------------------

So in the above case the ACE will forward the request to the MAC address of the server with the VIP IP address as destination.

If you issue the command:

switch/C1#show stats http

you will notice this counter increasing if x-forward is being inserted. Plus the server should be enabled to read x-forward.

Headers inserted          : 10

So far my understanding is that you are unable to see any access log on the proxy or server.

regards,

Ajay Kumar
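Once `nat dynamic 1 vlan 2164` is in place, the server sees every balanced connection arriving from the NAT pool address 172.31.255.248, and the original client address survives only in the x-forward header the ACE inserts (`insert-http x-forward header-value "%is"` in the configuration above). "The server should be enabled to read x-forward" has a security side: that header is trustworthy only on connections that actually come from the ACE; on any other connection it is just client-supplied text. The following is an added example, not from this thread and not Cisco's or nginx's code: a Python resolver that honours the header only from the trusted proxy address, walks a multi-hop value from the right so that a client cannot prepend a fake address, and falls back to the peer address on anything malformed. The trusted-proxy list (172.31.255.248/32, taken from the nat-pool above), the header name x-forward and the log line format are assumptions of this example.

```python
"""Resolve the real client address behind a load balancer that inserts a client-IP header.

Added example, not from the forum thread. Assumptions: the only hop allowed to
set the header is the ACE NAT pool address 172.31.255.248 and the header name is
x-forward, both taken from the ACE configuration in the post.
"""
import ipaddress

# Assumption: connections from this network are the ACE; everything else is a direct client.
TRUSTED_PROXIES = [ipaddress.ip_network("172.31.255.248/32")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True when addr is a valid IP literal inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def parse_ip_list(value):
    """Split a comma-separated header value into validated addresses.

    Returns None if any entry is not an IP literal: the whole header is then
    discarded rather than logging attacker-chosen text as a source address.
    """
    out = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            out.append(str(ipaddress.ip_address(item)))
        except ValueError:
            return None
    return out


def resolve_client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES, header_name="x-forward"):
    """Return the address to log and authorize as the client.

    - peer is not a trusted proxy: ignore the header, the peer itself is the client
    - peer is trusted: walk the header from the right (the value nearest to us was
      written by the proxy we trust); skip trusted hops; first untrusted hop is the client
    - header missing, empty or malformed: fall back to the peer address
    """
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    value = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if value is None:
        return remote_addr
    hops = parse_ip_list(value)
    if not hops:
        return remote_addr
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    return remote_addr  # every hop was a trusted proxy; the peer address is all we know


def access_log_line(remote_addr, headers, method, path, status):
    """Constructed log format recording both the peer and the resolved client, so a
    spoofing attempt shows up as a mismatch instead of silently replacing the source."""
    client = resolve_client_ip(remote_addr, headers)
    return f'{client} (peer {remote_addr}) "{method} {path}" {status}'


if __name__ == "__main__":
    # Balanced request through the ACE: the header is honoured.
    print(access_log_line("172.31.255.248", {"x-forward": "194.78.223.33"}, "GET", "/", 200))
    # Direct request that bypassed the ACE: the header is ignored (203.0.113.9 is constructed).
    print(access_log_line("203.0.113.9", {"x-forward": "194.78.223.33"}, "GET", "/", 200))
```

The same rule applies whatever the web server is: configure it to accept the client-address header only from 172.31.255.248 (the address the server actually sees after the NAT fix), never from "any", and keep the peer address in the log next to the resolved one so the `Headers inserted` counter on the ACE and the server's access log can be reconciled.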

It works!

Except on server 1... My 3 servers have exactly the same config, but server 1 continues to not respond.

These are 3 Proxmox servers.

Headers inserted          : 30516

Thanks for all
