08-17-2013 06:54 AM
Hi,
Our same configuration was working fine for the last 2.6yrs; now we are getting a connection aborted message in the server debug with our ACE natted IP.
We are using ACE20-MOD-K9 in routed mode using SSO.
Stickiness-> IP based
Application-> SSO.
Application flow->VIP->SSO->LDAP->BIP(bill display oracle)
Currently we are getting error 403 authorization failed when a user hits bill display frequently. After restarting the SSO application the problem gets resolved, but it appears again and again. The logs of the LDAP server PFB. 10.96.7.254 is our natted IP on the LB.
[15/Aug/2013:14:15:44 +0530] conn=1737137 op=-1 msgId=-1 - closing from 10.96.7.254:33563 - A1 - Client aborted connection -
[15/Aug/2013:14:15:44 +0530] conn=1737137 op=-1 msgId=-1 - closed.
At the time of the error I observed the L4 & L7 service policies for all the applications and found 0 dropped connections.
As per the suggestion from Oracle, we have tested bypassing the LB when traffic goes from SSO->LDAP, by a direct entry in the hosts file of SSO for LDAP, and it worked perfectly.
During the problem there is no resource crunch or connection drops in the L4/L7 service policies of the respective VIPs.
Kindly suggest.
Regards
Ravi K. Sharma
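Added example (not part of the original post): a Python tally of the `closing from` lines in the LDAP access-log format quoted above, by source address and per minute, to check whether the aborted connections come only from the ACE NAT address 10.96.7.254. The function names are hypothetical, and every sample line other than the two quoted in the post is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: first two lines are from the post, the rest are constructed.
SAMPLE_LOG = """\
[15/Aug/2013:14:15:44 +0530] conn=1737137 op=-1 msgId=-1 - closing from 10.96.7.254:33563 - A1 - Client aborted connection -
[15/Aug/2013:14:15:44 +0530] conn=1737137 op=-1 msgId=-1 - closed.
[15/Aug/2013:14:15:51 +0530] conn=1737140 op=-1 msgId=-1 - closing from 10.96.7.254:33570 - A1 - Client aborted connection -
[15/Aug/2013:14:16:02 +0530] conn=1737141 op=-1 msgId=-1 - closing from 10.96.7.173:41022 - A1 - Client aborted connection -
[15/Aug/2013:14:16:09 +0530] conn=1737142 op=-1 msgId=-1 - closing from 10.96.7.254:33602 - A1 - Client aborted connection -
"""

# Matches only the "closing from <ip>:<port> - <code> - <reason> -" records.
CLOSING = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s.*?"
    r"closing from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+-\s+(?P<code>\w+)\s+-\s+(?P<reason>.*?)\s*-?\s*$"
)

def parse_closures(text):
    """Return one dict per 'closing from' record; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = CLOSING.match(line.strip())
        if not m:
            continue  # e.g. the follow-up "closed." line has no client address
        events.append({
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "conn": int(m["conn"]),
            "ip": m["ip"],
            "code": m["code"],
            "reason": m["reason"],
        })
    return events

def aborts_by_source(events, code="A1"):
    """Count closures with the given close code per client address."""
    return Counter(e["ip"] for e in events if e["code"] == code)

def aborts_per_minute(events, ip, code="A1"):
    """Count closures from one client address, bucketed by minute."""
    return Counter(e["time"].strftime("%Y-%m-%d %H:%M")
                   for e in events if e["ip"] == ip and e["code"] == code)

if __name__ == "__main__":
    evts = parse_closures(SAMPLE_LOG)
    print(aborts_by_source(evts))
    print(aborts_per_minute(evts, "10.96.7.254"))
```

Comparing the per-minute counts for the NAT address with the times users see the 403 shows whether the two line up.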
08-17-2013 10:48 PM
Ravi,
Please paste your configuration to see it
Any recent change in the servers?
08-18-2013 08:44 PM
Ravi,
But what's the VIP in question?
Can you do "show service-policy
Additionally, please add #show stats http
Jorge
08-18-2013 10:15 PM
Hi Jorge,
Thanks for the reply.
PFB the required O/Ps.
sh service-policy L4_LB_OPENSSO_POLICY class-map L4_VIP_OPENSSO detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 2 20
service-policy: L4_LB_OPENSSO_POLICY
class: L4_VIP_OPENSSO
VIP Address: Protocol: Port:
10.96.7.115 any
loadbalance:
L7 loadbalance policy: L7_VIP_OPENSSO
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
curr conns : 133 , hit count : 334609
dropped conns : 0
client pkt count : 12259277 , client byte count: 3027459828
server pkt count : 11716968 , server byte count: 7483341978
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : L7_VIP_OPENSSO
class/match : class-default
LB action: :
sticky group: ACESSO-sticky
primary serverfarm: OPENSSO
state: UP
backup serverfarm : -
hit count : 334605
dropped conns : 0
sh service-policy L4_LB_LDAP_POLICY class-map L4_VIP_LDAP de
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 2 20
service-policy: L4_LB_LDAP_POLICY
class: L4_VIP_LDAP
VIP Address: Protocol: Port:
10.96.7.125 any
loadbalance:
L7 loadbalance policy: L7_VIP_LDAP
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
curr conns : 20 , hit count : 380805
dropped conns : 0
client pkt count : 45665045 , client byte count: 2376800225
server pkt count : 45538701 , server byte count: 2202536753
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : L7_VIP_LDAP
class/match : class-default
LB action: :
sticky group: ACELDAP-sticky
primary serverfarm: LDAP
state: UP
backup serverfarm : -
hit count : 380712
dropped conns : 0
sh stats http
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 0 , TCP data msgs sent : 0
Inspect parse result msgs : 0 , SSL data msgs sent : 0
sent
TCP fin msgs sent : 0 , TCP rst msgs sent: : 0
Bounced fin msgs sent : 0 , Bounced rst msgs sent: : 0
SSL fin msgs sent : 0 , SSL rst msgs sent: : 0
Drain msgs sent : 0 , Particles read : 0
Reuse msgs sent : 0 , HTTP requests : 0
Reproxied requests : 0 , Headers removed : 0
Headers inserted : 0 , HTTP redirects : 0
HTTP chunks : 0 , Pipelined requests : 0
HTTP unproxy conns : 0 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 0 , Analysis errors : 0
Header insert errors : 0 , Max parselen errors : 0
Static parse errors : 0 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Headers rewritten : 0 , Header rewrite errors : 0
Unproxy msgs sent : 0
08-19-2013 06:56 PM
Ravi,
I see this is your current configuration:
policy-map multi-match L4_LB_OPENSSO_POLICY
class L4_VIP_OPENSSO
loadbalance vip inservice
loadbalance policy L7_VIP_OPENSSO
loadbalance vip icmp-reply
policy-map type loadbalance first-match L7_VIP_OPENSSO
class class-default
sticky-serverfarm ACESSO-sticky
sticky ip-netmask 255.255.255.255 address both ACESSO-sticky
timeout 15
serverfarm OPENSSO
serverfarm host OPENSSO
probe SSO
rserver OPENSSO1
inservice
rserver OPENSSO2
inservice
rserver OPENSSO3
probe SSO
rserver OPENSSO4
probe SSO
But I do not see you are using NAT, at least for this configuration, can you explain what exactly the issue is?
Do you have the same behavior if you use only one server at a time?
Jorge
08-19-2013 10:32 PM
Hi Jorge,
PFB, this config would help you better. Behaviour is the same on a single server also. At the time of the issue we need to restart the SSO applications and it works for 1-2, then again we face the same issue.
rserver host LDAP1
  ip address 10.96.7.172
  inservice
rserver host LDAP2
  ip address 10.96.7.178
  inservice
rserver host OPENSSO1
  ip address 10.96.7.173
  inservice
rserver host OPENSSO2
  ip address 10.96.7.179
  inservice
serverfarm host LDAP
  probe TCP-1200
  rserver LDAP1
    inservice
  rserver LDAP2
    inservice
serverfarm host OPENSSO
  failaction reassign
  probe SSO
  rserver OPENSSO1
    inservice
  rserver OPENSSO2
    inservice
sticky ip-netmask 255.255.255.255 address both ACELDAP-sticky
  timeout 60
  serverfarm LDAP
sticky ip-netmask 255.255.255.255 address both ACESSO-sticky
  timeout 10
  serverfarm OPENSSO
class-map match-all L4_VIP_LDAP
  2 match virtual-address 10.96.7.125 any
class-map match-all L4_VIP_OPENSSO
  2 match virtual-address 10.96.7.115 any
class-map match-all NAT_CLASS
  2 match source-address 10.96.7.128 255.255.255.128
policy-map type loadbalance first-match L7_VIP_LDAP
  class class-default
    sticky-serverfarm ACELDAP-sticky
policy-map type loadbalance first-match L7_VIP_OPENSSO
  class class-default
    sticky-serverfarm ACESSO-sticky
policy-map multi-match L4_LB_LDAP_POLICY
  class L4_VIP_LDAP
    loadbalance vip inservice
    loadbalance policy L7_VIP_LDAP
    loadbalance vip icmp-reply
policy-map multi-match L4_LB_OPENSSO_POLICY
  class L4_VIP_OPENSSO
    loadbalance vip inservice
    loadbalance policy L7_VIP_OPENSSO
    loadbalance vip icmp-reply
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 2
interface vlan 2
  description APPLICATION SERVER
  ip address 10.96.7.129 255.255.255.128
  alias 10.96.7.131 255.255.255.128
  peer ip address 10.96.7.130 255.255.255.128
  no normalization
  no icmp-guard
  access-group input PERMIT
  nat-pool 1 10.96.7.254 10.96.7.254 netmask 255.255.255.128 pat
  service-policy input MANAGEMENT
  service-policy input L4_LB_LDAP_POLICY
  service-policy input L4_LB_OPENSSO_POLICY
  no shutdown
interface vlan 20
  description APPLICATION FIREWALL
  ip address 10.96.7.4 255.255.255.128
  alias 10.96.7.6 255.255.255.128
  peer ip address 10.96.7.5 255.255.255.128
  no normalization
  no icmp-guard
  access-group input PERMIT
  service-policy input MANAGEMENT
  service-policy input L4_LB_OPENSSO_POLICY
  service-policy input L4_LB_LDAP_POLICY
  no shutdown
08-21-2013 11:10 PM
Hi,
Is anyone else in this forum facing this issue?
Thanks!