Connections Failed on SLB

olesvanherman
Level 1

Hi,

I have a sup720 with an SLB module:

6    2  Supervisor Engine 720 (Active)       WS-SUP720-3BXL
7    4  SLB Application Processor Complex    WS-X6066-SLB-APC

and I have Connections Failed:

#sh module contentSwitchingModule 7 stats
Connections Created: 3866
Connections Destroyed: 3157
Connections Current: 709
Connections Timed-Out: 0
Connections Failed: 154

I have only smtp, ftp and web:

#sh module contentSwitchingModule 7 vservers
vserver     type  prot  virtual      vlan  state        conns
---------------------------------------------------------------------------
XXX_WWW     SLB   TCP   ZZZ/32:80    ALL   OPERATIONAL  692
XXX_FTP     SLB   TCP   ZZZ/32:21    ALL   OPERATIONAL  8
XXX_SMTP    SLB   TCP   ZZZ/32:25    ALL   OPERATIONAL  1

Any idea why some connections failed?

Thanks in advance

Oles

4 Replies

Gilles Dufour
Cisco Employee

The connection failed counter indicates that a real server did not respond to a SYN or responded with a RESET.

You can do 'sho mod csm X vserver name detail' for all your vservers and check the server packet column. If it shows '0', it means one of your servers is not responding to the client through the CSM.

Don't forget the CSM needs to see both ways of the traffic by default.

If the problems are due to RESET, you will need to sniff traffic.

FTP is usually a potential candidate due to its nature of using control and data channels.

Regards,

Gilles.
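
The check described in the reply above (a policy whose server packet column stays at 0), as an added example that is not part of the original thread: a Python sketch that parses text in the 'vservers name ... detail' layout posted in this thread and lists policies that matched client traffic but saw no server packets. The sample text, its address and its counters are constructed, and treating a policy with zero matches as unused rather than failing is an assumption.

```python
import re

# Constructed sample in the layout of 'sh mod csm X vservers name NAME detail'
# as posted in this thread; the address and counter values are made up.
SAMPLE = """\
WWW, type = SLB, state = OPERATIONAL, v_index = 15
virtual = 192.0.2.10/32:80 bidir, TCP, service = NONE, advertise = FALSE
conns = 776, total conns = 382103
Policy          Tot matches  Client pkts  Server pkts
-----------------------------------------------------
LOCAL           5049         40452        43679
SLOW            153          1337         0
(default)       0            0            0
FTP, type = SLB, state = OPERATIONAL, v_index = 16
virtual = 192.0.2.10/32:21 bidir, TCP, service = ftp, advertise = FALSE
Policy          Tot matches  Client pkts  Server pkts
-----------------------------------------------------
(default)       5305         163681       183205
"""

# First line of each vserver section: "<name>, type = ..."
VSERVER_RE = re.compile(r"^(\S+), type = ")
# Policy table row: a name followed by exactly three integer counters.
POLICY_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_policies(text):
    """Return a list of (vserver, policy, matches, client_pkts, server_pkts)."""
    rows, vserver = [], None
    for line in text.splitlines():
        m = VSERVER_RE.match(line)
        if m:
            vserver = m.group(1)
            continue
        m = POLICY_RE.match(line)
        if m and vserver is not None:
            name, matches, cpkts, spkts = m.groups()
            rows.append((vserver, name, int(matches), int(cpkts), int(spkts)))
    return rows

def silent_policies(rows):
    """Policies that matched client traffic but never saw a server packet.

    Assumption: a policy with zero matches is unused, not failing.
    """
    return [(v, p) for v, p, matches, cpkts, spkts in rows
            if matches > 0 and cpkts > 0 and spkts == 0]

if __name__ == "__main__":
    for vserver, policy in silent_policies(parse_policies(SAMPLE)):
        print(f"{vserver}/{policy}: client packets seen, no server packets")
```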

Gilles,

Now I have no more '0', but still connections failed. I think now it is not a problem with SYN but RESET. Maybe an ECN problem (I have no ECN on my servers, but maybe the Cisco crashes the connection when an ECN packet arrives?)

Oles

#sh mod csm 7 stats
Connections Created: 389212
Connections Destroyed: 388467
Connections Current: 745
Connections Timed-Out: 0
Connections Failed: 7782

#sh mod csm 7 vservers name WWW detail
WWW, type = SLB, state = OPERATIONAL, v_index = 15
virtual = XXX/32:80 bidir, TCP, service = NONE, advertise = FALSE
idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
max parse len = 2000, persist rebalance = TRUE
ssl sticky offset = 0, length = 32
conns = 776, total conns = 382103
Policy       Tot matches  Client pkts  Server pkts
-----------------------------------------------------
LOCAL        5049         40452        43679
SLOW         153          1337         1453
FAST         376901       9044263      12593053
(default)    0            0            0

#sh mod csm 7 vservers name FTP detail
FTP, type = SLB, state = OPERATIONAL, v_index = 16
virtual = XXX/32:21 bidir, TCP, service = ftp, advertise = FALSE
idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
max parse len = 2000, persist rebalance = TRUE
ssl sticky offset = 0, length = 32
conns = 10, total conns = 5305
Default policy:
server farm = FTP, backup =
sticky: timer = 0, subnet = 0.0.0.0, group id = 0
Policy       Tot matches  Client pkts  Server pkts
-----------------------------------------------------
(default)    5305         163681       183205

#sh mod csm 7 vservers name SMTP detail
SMTP, type = SLB, state = OPERATIONAL, v_index = 17
virtual = XXX/32:25 bidir, TCP, service = NONE, advertise = FALSE
idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
max parse len = 2000, persist rebalance = TRUE
ssl sticky offset = 0, length = 32
conns = 0, total conns = 882
Default policy:
server farm = SMTP, backup =
sticky: timer = 0, subnet = 0.0.0.0, group id = 0
Policy       Tot matches  Client pkts  Server pkts
-----------------------------------------------------
(default)    882          6852         8435

I forgot to mention the command 'sho mod csm X real detail' so we can see the connection failures per real and see if they all show the problem or only a few of them.

We can focus on the one having the problem and capture a sniffer trace.

Regards,

Gilles.

Hi,

I found out:

I had 2 vservers/slb-policies with the same sticky.

It causes a connection crash when 1 IP connects to 2 vservers: the first works, the second crashes.

Oles