CSS always get sent to the same server.
08-16-2004 12:13 PM
As part of my testing I am configuring load balancing to two different devices. This way I can quickly identify which real machine I have connected to.
During this test I kept getting redirected to the same machine. The second machine is configured to prompt you for a user/pass before getting on. Is this the issue? How can I force it to balance to this machine?
Sometimes it would prompt me for user/pass but when I entered it I would still get directed to the first machine...
Any thoughts?
Thanks,
Heath
08-16-2004 01:59 PM
Hi Heath,
With this information it's hard to say what is going wrong.
1) Are you using stickiness?
2) Are you using health checks so that the second server might fail?
3) Is it a Layer 3 rule or higher level rule?
Sessions might stick to a server if stickiness is configured or if the session did not time out while setting up a new one.
Regards,
Joerg
08-17-2004 04:30 AM
No Stickies
No Health Checks
Layer 3 Rule.
It is a pretty basic config. Here's what it looks like.
service NS
  ip address 10.1.48.3
  active
service VPN
  ip address 10.1.48.2
  active
content WEB
  add service VPN
  add service NS
  vip address 192.168.128.81
  protocol tcp
  port 80
  active
08-17-2004 05:51 AM
Could you post a 'show summary' and 'sho service summary'?
Also, what software version are you using?
Thanks,
Gilles
08-17-2004 11:20 AM
Interesting that the "sh summary" shows hits on both services but the "sh service summary" only shows hits on the e2e-VPN
CSS11501# sh ver
Version: sg0730106 (07.30.1.06)
Flash (Locked): 07.30.1.06
Flash (Operational): 07.30.1.06
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set
Owner Content Rules State Services Service Hits
E2E test Suspended
E2E-WEB Master e2e-EXT 9
e2e-VPN 10
CSS11501# sh service summary
Service Name  State  Conn  Weight  Avg   State
                                   Load  Transitions
e2e-EXT       Alive  0     1       2     0
e2e-NS        Alive  0     1       2     0
e2e-VPN       Alive  4     1       128   0
up-down       Alive  0     1       2     0
08-17-2004 11:38 PM
Hi Heath,
How do you check connections?
1) Are you accessing the web page by IP or name?
2) Which type of HTTP (1.0/1.1) are you using when testing?
3) Does the web server 10.1.48.3 have redirects in its web pages pointing to 10.1.48.2 or the name of 10.1.48.2 or to some name which might get resolved as 10.1.48.2/3?
4) Did you do sniffer traces in front of and behind the CSS telling you the answers of the web pages?
Regards,
Joerg
08-18-2004 03:31 AM
1. Accessing by IP only
2. I believe it is HTTP 1.1
3. There are no redirects
In fact - the e2e-EXT Service is an Extreme Switch and the e2e-VPN Service is a Cisco 3005 Concentrator. I can get to each one by their real IP.
I will run a trace to see what happens.
08-20-2004 06:26 AM
E2E test Suspended
E2E-WEB Master e2e-EXT 9
...............e2e-VPN 10
The CSS is loadbalancing.
9 connections were sent to e2e-EXT
and 10 connections to e2e-vpn
During your test, make sure you are not using persistent connections [disable HTTP 1.1 in your browser], or configure "no persistent" in the content rule.
Regards,
Gilles.
08-23-2004 05:20 AM
OK I tried both of those suggestions with no luck.
I can still get to both Web Servers by real IP.
But the loadbalanced IP always goes to the e2e-VPN server.
Service Name  State  Conn  Weight  Avg   State
                                   Load  Transitions
e2e-EXT       Alive  0     1       2     0
e2e-VPN       Alive  0     1       128   0
Owner Content Rules State Services Service Hits
E2E test Suspended
E2E-WEB Master e2e-EXT 13
e2e-VPN 13
This is getting frustrating!!!
Any other suggestions would be appreciated.
Heath
08-23-2004 06:44 AM
Once again the counter indicates correct loadbalancing.
13 connections for each service.
Are you really sure you are always going to the same server?
Please use a sniffer trace or check the log on the server.
Also use the command 'show flows' on the CSS to see which server you are connected to.
Every info you showed us seems to indicate there is no issue.
Another way to test is by using a telnet application and doing telnet to vip address port 80 [be sure to change the default telnet port to 80].
Then type 'GET / HTTP/1.0\r\nHost: 1.1.1.1\r\n\r\n'
[replace the \r\n with an ENTER]
Thanks,
Gilles.
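The telnet test suggested above, repeated over many fresh connections and tallied per answering device, as an added example that is not part of the original thread. `FakeVip` and its page names are a constructed local stand-in for the VIP so the script runs offline, and telling the devices apart by `Server` header (falling back to a body hash) is an assumption.

```python
import collections
import hashlib
import itertools
import socket
import socketserver
import threading

def probe(host, port, host_header="1.1.1.1", timeout=5.0):
    """Open one fresh TCP connection and send the HTTP/1.0 request from the post."""
    request = f"GET / HTTP/1.0\r\nHost: {host_header}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while data := sock.recv(4096):  # HTTP/1.0: the server closes when done
            chunks.append(data)
    return b"".join(chunks)

def fingerprint(response):
    """Name the answering device by its Server header, else by a hash of the body."""
    head, _, body = response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return "body-sha256:" + hashlib.sha256(body).hexdigest()[:12]

def tally(host, port, count):
    """Make `count` independent connections and count the answers per device."""
    return collections.Counter(fingerprint(probe(host, port)) for _ in range(count))

class FakeVip(socketserver.BaseRequestHandler):
    """Constructed stand-in for the VIP: alternates two pages per connection."""
    pages = itertools.cycle(["e2e-EXT-page", "e2e-VPN-page"])  # constructed names
    def handle(self):
        self.request.recv(4096)  # read and discard the request
        page = next(self.pages)
        reply = f"HTTP/1.0 200 OK\r\nServer: {page}\r\n\r\n<html>{page}</html>"
        self.request.sendall(reply.encode())

def demo(count=20):
    """Run the tally against the local stand-in so the example works offline."""
    with socketserver.TCPServer(("127.0.0.1", 0), FakeVip) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        result = tally("127.0.0.1", server.server_address[1], count)
        server.shutdown()
    return result

if __name__ == "__main__":
    print(demo())  # call tally() with the real VIP and port 80 for an actual test
```

Because each probe is a new connection with no keep-alive, the tally can be compared directly with the per-service hit counters on the load balancer.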
08-23-2004 08:35 AM
Hi Gilles,
I know I am connecting to the correct server because one is a Cisco VPN concentrator and the other is an extreme switch - they are totally different pages. I can also get to them by their real IPs.
I have also noticed a delay in getting to the pages of about 7-10 seconds - it looks like it is doing a DNS lookup even though I am connecting by IP.
Here is the show flows output.
CSS11501# sh flows
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.161.48.2     80    192.168.128.2   3623  192.168.128.2   TCP e1      e5
192.168.128.2   3623  192.168.128.81  80    10.161.48.2     TCP e5      e1
192.168.128.2   3620  206.47.244.109  53    0.0.0.0         UDP e5      e5
192.168.128.2   3620  206.47.244.59   53    0.0.0.0         UDP e5      e5
10.161.48.2     80    192.168.128.2   3615  192.168.128.2   TCP e1      e5
192.168.128.2   3615  192.168.128.81  80    10.161.48.2     TCP e5      e1
08-18-2004 10:36 AM
The default "load balancing" algorithm is round robin. It was my understanding that this algorithm does not actually kick off unless a certain load is reached. Until then the CSS will just default all connections to the first REAL on the list (unless there is a fault or load is reached).
I could be totally off on this though.
08-20-2004 06:30 AM
Not exactly correct.
The algorithm kicks in immediately.
However, this is not a perfect algorithm. Especially if you are using a 1150x which uses a distributed architecture.
With very few hosts/connections, you may see very bad loadbalancing. But under normal conditions with many hosts/connections the algorithm should get better.
Regards,
Gilles.
08-24-2004 01:42 PM
I will start by saying thanks for everyone's help.
I have given up on this issue and I have determined it is probably a combination of a couple of things - please correct me if I am wrong.
I have been testing loadbalancing by adding services that are of totally different devices - i.e. VPN Concentrator, Extreme Switch, Netscreen FW etc. Each of these may have a number of limitations not found in a standard web site (only supporting a limited number of connections, for example).
Gilles also pointed out that at low load we may see bad load balancing - which I believe is the case. However the testing I did with telnet was rock solid. Right down to the weighted connections.
Once again thanks. I just hope this goes well when I put it into production.
Heath
