
Getting connection aborted message with ACE natted IP

ravi281278
Level 1

Hi,

Our same configuration was working fine for the last 2.6 yrs; now we are getting a connection aborted message in the server debug with our ACE natted IP.

We are using ACE20-MOD-K9 in routed mode using SSO.

Stickiness -> IP based

Application-> SSO.

Application flow->VIP->SSO->LDAP->BIP(bill display oracle)

Currently we are getting error 403 authorization failed when a user hits bill display frequently. After restarting the SSO application the problem gets resolved, but it appears again and again. The logs of the LDAP server PFB. 10.96.7.254 is our natted IP on the LB.

[15/Aug/2013:14:15:44 +0530] conn=1737137 op=-1 msgId=-1 - closing from 10.96.7.254:33563 - A1 - Client aborted connection -

[15/Aug/2013:14:15:44 +0530] conn=1737137 op=-1 msgId=-1 - closed.

At the time of the error I observed the L4 & L7 service policies for all the applications and found 0 dropped connections.

As per the suggestion from Oracle, we have tested bypassing the LB when traffic goes from SSO->LDAP by a direct entry in the host file of SSO for LDAP, and it worked perfectly.

During the problem there is no resource crunch or connection drops in the L4/L7 service policies of the respective VIPs.

Kindly suggest.

Regards

Ravi K. Sharma
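
Added example, not part of the original post: a parser for the directory-server `closing` records quoted above that buckets A1 (client aborted) closures from the ACE NAT address per minute, so abort bursts can be lined up against the times users hit the 403. The first two sample lines are the ones from the post; the remaining lines (including the U1 record) and all function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# First two lines are the ones quoted in the post; the rest are constructed.
SAMPLE_LOG = """\
15/Aug/2013:14:15:44 +0530] conn=1737137 op=-1 msgId=-1 - closing from 10.96.7.254:33563 - A1 - Client aborted connection -
[15/Aug/2013:14:15:44 +0530] conn=1737137 op=-1 msgId=-1 - closed.
[15/Aug/2013:14:15:51 +0530] conn=1737140 op=-1 msgId=-1 - closing from 10.96.7.254:33570 - A1 - Client aborted connection -
[15/Aug/2013:14:16:02 +0530] conn=1737144 op=-1 msgId=-1 - closing from 10.96.7.254:33581 - A1 - Client aborted connection -
[15/Aug/2013:14:16:05 +0530] conn=1737139 op=-1 msgId=-1 - closing from 10.96.7.173:41200 - U1 - Connection closed by unbind client -
"""

# [ts] conn=N op=-1 msgId=-1 - closing from IP:PORT - CODE - reason -
# The leading "[" is optional because pasted logs often lose it.
CLOSING = re.compile(
    r"^\[?(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s+"
    r"conn=(?P<conn>\d+)\s.*?closing from (?P<ip>[\d.]+):(?P<port>\d+)"
    r"\s+-\s+(?P<code>\w+)\s+-\s+(?P<reason>.*?)\s*-?\s*$"
)

def parse_closings(log_text):
    """Yield (datetime, conn, src_ip, code, reason) for each closing record."""
    for line in log_text.splitlines():
        m = CLOSING.match(line.strip())
        if not m:
            continue  # "closed." lines and normal operations are skipped
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, int(m["conn"]), m["ip"], m["code"], m["reason"]

def aborts_per_minute(log_text, src_ip, code="A1"):
    """Count closures with the given code from src_ip, bucketed by minute."""
    buckets = Counter()
    for ts, _conn, ip, c, _reason in parse_closings(log_text):
        if ip == src_ip and c == code:
            buckets[ts.strftime("%Y-%m-%d %H:%M")] += 1
    return dict(buckets)

def close_codes_by_source(log_text):
    """Return a Counter keyed by (source IP, close code)."""
    return Counter((ip, c) for _ts, _conn, ip, c, _r in parse_closings(log_text))

if __name__ == "__main__":
    print(aborts_per_minute(SAMPLE_LOG, "10.96.7.254"))
    print(close_codes_by_source(SAMPLE_LOG))
```

Comparing the per-source counts for the NAT address against a source that reaches LDAP directly shows whether the aborts are confined to connections that pass through the load balancer.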

6 Replies

jbejaranos976
Level 1

Ravi,

Please paste your configuration to see it

Any recent change in the servers?

Ravi,

But what's the VIP in question?

Can you do "show service-policy class-map detail"?

Additionally, please add #show stats http

Jorge

Hi Jorge,

Thanks for the reply.

PFB the required O/Ps.

sh service-policy L4_LB_OPENSSO_POLICY class-map L4_VIP_OPENSSO detail

Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 2 20
  service-policy: L4_LB_OPENSSO_POLICY
    class: L4_VIP_OPENSSO
     VIP Address:    Protocol:  Port:
     10.96.7.115     any
      loadbalance:
        L7 loadbalance policy: L7_VIP_OPENSSO
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        curr conns       : 133       , hit count        : 334609
        dropped conns    : 0
        client pkt count : 12259277  , client byte count: 3027459828
        server pkt count : 11716968  , server byte count: 7483341978
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : L7_VIP_OPENSSO
          class/match : class-default
             LB action: :
               sticky group: ACESSO-sticky
                  primary serverfarm: OPENSSO
                    state: UP
                  backup serverfarm : -
            hit count        : 334605
            dropped conns    : 0

sh service-policy L4_LB_LDAP_POLICY class-map L4_VIP_LDAP de

Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 2 20
  service-policy: L4_LB_LDAP_POLICY
    class: L4_VIP_LDAP
     VIP Address:    Protocol:  Port:
     10.96.7.125     any
      loadbalance:
        L7 loadbalance policy: L7_VIP_LDAP
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        curr conns       : 20        , hit count        : 380805
        dropped conns    : 0
        client pkt count : 45665045  , client byte count: 2376800225
        server pkt count : 45538701  , server byte count: 2202536753
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : L7_VIP_LDAP
          class/match : class-default
             LB action: :
               sticky group: ACELDAP-sticky
                  primary serverfarm: LDAP
                    state: UP
                  backup serverfarm : -
            hit count        : 380712
            dropped conns    : 0

sh stats http

+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 0          , TCP data msgs sent       : 0
Inspect parse result msgs : 0          , SSL data msgs sent       : 0
                      sent
TCP fin msgs sent         : 0          , TCP rst msgs sent:       : 0
Bounced fin msgs sent     : 0          , Bounced rst msgs sent:   : 0
SSL fin msgs sent         : 0          , SSL rst msgs sent:       : 0
Drain msgs sent           : 0          , Particles read           : 0
Reuse msgs sent           : 0          , HTTP requests            : 0
Reproxied requests        : 0          , Headers removed          : 0
Headers inserted          : 0          , HTTP redirects           : 0
HTTP chunks               : 0          , Pipelined requests       : 0
HTTP unproxy conns        : 0          , Pipeline flushes         : 0
Whitespace appends        : 0          , Second pass parsing      : 0
Response entries recycled : 0          , Analysis errors          : 0
Header insert errors      : 0          , Max parselen errors      : 0
Static parse errors       : 0          , Resource errors          : 0
Invalid path errors       : 0          , Bad HTTP version errors  : 0
Headers rewritten         : 0          , Header rewrite errors    : 0
Unproxy msgs sent         : 0

Ravi,

I see this is your current configuration:

policy-map multi-match L4_LB_OPENSSO_POLICY
  class L4_VIP_OPENSSO
    loadbalance vip inservice
    loadbalance policy L7_VIP_OPENSSO
    loadbalance vip icmp-reply

policy-map type loadbalance first-match L7_VIP_OPENSSO
  class class-default
    sticky-serverfarm ACESSO-sticky

sticky ip-netmask 255.255.255.255 address both ACESSO-sticky
  timeout 15
  serverfarm OPENSSO

serverfarm host OPENSSO
  probe SSO
  rserver OPENSSO1
    inservice
  rserver OPENSSO2
    inservice
  rserver OPENSSO3
    probe SSO
  rserver OPENSSO4
    probe SSO

But I do not see you are using NAT, at least for this configuration, can you explain what exactly the issue is?

Do you have the same behavior if you use only one server at a time?

Jorge

Hi Jorge,

PFB, this config would help you better. Behaviour is the same on a single server also. At the time of the issue we need to restart the SSO applications and it works for 1-2; again we face the same issue.

rserver host LDAP1
  ip address 10.96.7.172
  inservice
rserver host LDAP2
  ip address 10.96.7.178
  inservice

rserver host OPENSSO1
  ip address 10.96.7.173
  inservice
rserver host OPENSSO2
  ip address 10.96.7.179
  inservice


serverfarm host LDAP
  probe TCP-1200
  rserver LDAP1
    inservice
  rserver LDAP2
    inservice

serverfarm host OPENSSO
  failaction reassign
  probe SSO
  rserver OPENSSO1
    inservice
  rserver OPENSSO2
    inservice
 
sticky ip-netmask 255.255.255.255 address both ACELDAP-sticky
  timeout 60
  serverfarm LDAP

sticky ip-netmask 255.255.255.255 address both ACESSO-sticky
  timeout 10
  serverfarm OPENSSO


class-map match-all L4_VIP_LDAP
  2 match virtual-address 10.96.7.125 any


class-map match-all L4_VIP_OPENSSO
  2 match virtual-address 10.96.7.115 any


class-map match-all NAT_CLASS
  2 match source-address 10.96.7.128 255.255.255.128

policy-map type loadbalance first-match L7_VIP_LDAP
  class class-default
    sticky-serverfarm ACELDAP-sticky

policy-map type loadbalance first-match L7_VIP_OPENSSO
  class class-default
    sticky-serverfarm ACESSO-sticky

policy-map multi-match L4_LB_LDAP_POLICY
  class L4_VIP_LDAP
    loadbalance vip inservice
    loadbalance policy L7_VIP_LDAP
    loadbalance vip icmp-reply


policy-map multi-match L4_LB_OPENSSO_POLICY
  class L4_VIP_OPENSSO
    loadbalance vip inservice
    loadbalance policy L7_VIP_OPENSSO
    loadbalance vip icmp-reply

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 2


interface vlan 2
  description APPLICATION SERVER
  ip address 10.96.7.129 255.255.255.128
  alias 10.96.7.131 255.255.255.128
  peer ip address 10.96.7.130 255.255.255.128
  no normalization
  no icmp-guard
  access-group input PERMIT
  nat-pool 1 10.96.7.254 10.96.7.254 netmask 255.255.255.128 pat
  service-policy input MANAGEMENT
  service-policy input L4_LB_LDAP_POLICY
  service-policy input L4_LB_OPENSSO_POLICY
  no shutdown

interface vlan 20
  description APPLICATION FIREWALL
  ip address 10.96.7.4 255.255.255.128
  alias 10.96.7.6 255.255.255.128
  peer ip address 10.96.7.5 255.255.255.128
  no normalization
  no icmp-guard
  access-group input PERMIT
  service-policy input MANAGEMENT
  service-policy input L4_LB_OPENSSO_POLICY
  service-policy input L4_LB_LDAP_POLICY
  no shutdown

ravi281278
Level 1

Hi,

Is anyone else in this forum facing this issue?

Thanks!
