09-08-2011 03:27 PM
Dear All
We have two Cisco ACE 4710, one (ACE-1) for load balancing OCS Frontend servers and the other (ACE-2) for load balancing OCS edge servers. After doing the following configuration we could not ping the VIPs (10.x.1.55 and 172.16.x.20).
Could you please check this configuration and help me to solve this issue?
hostname ACE-1
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
speed 1000M
duplex FULL
switchport trunk allowed vlan 100
no shutdown
interface gigabitEthernet 1/3
no shutdown
interface gigabitEthernet 1/4
switchport access vlan 500
no shutdown
access-list ALL line 8 extended permit ip any any
access-list qqq line 8 extended permit icmp any any
probe tcp FQDN-CWA-1
ip address 10.x.1.53 routed
interval 15
passdetect interval 60
open 1
probe tcp FQDN-CWA-2
ip address 10.x.1.54
interval 15
passdetect interval 60
open 1
probe tcp FQDN-OCSPool-3
ip address 10.x.1.51
interval 15
passdetect interval 60
open 1
probe tcp FQDN-OCSPool-4
ip address 10.x.1.52 routed
interval 15
passdetect interval 60
open 1
probe icmp FQDN-ocspool-1
description monitoring probe for the first FQDN-ocspool server
ip address 10.x.1.51 routed
interval 5
passdetect interval 10
passdetect count 2
receive 5
probe icmp FQDN-ocspool-2
description monitoring probe for the second FQDN-ocspool server
ip address 10.x.1.52 routed
interval 5
passdetect interval 10
passdetect count 2
receive 5
probe tcp OCE01
ip address 172.16.x.9 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp OCE02
ip address 172.16.x.10 routed
port 443
interval 15
passdetect interval 60
open 1
rserver host FQDN-CWA-1
ip address 10.x.1.53
inservice
rserver host FQDN-CWA-2
ip address 10.x.1.54
inservice
rserver host FQDN-ocspool-1
ip address 10.x.1.51
inservice
rserver host FQDN-ocspool-2
ip address 10.x.1.52
inservice
rserver host OCE01
ip address 172.16.x.9
conn-limit max 4000000 min 4000000
inservice
rserver host OCE02
ip address 172.16.x.10
conn-limit max 4000000 min 4000000
inservice
serverfarm host FQDN-CWA-servers
description this server farm load-balances between FQDN-CWA-1 and FQDN-CWA-2
rserver FQDN-CWA-1
probe FQDN-CWA-1
inservice
rserver FQDN-CWA-2
probe FQDN-CWA-2
inservice
serverfarm host FQDN-OCSPool-Servers
rserver FQDN-ocspool-1
conn-limit max 4000000 min 4000000
probe FQDN-OCSPool-3
inservice
rserver FQDN-ocspool-2
conn-limit max 4000000 min 4000000
probe FQDN-OCSPool-4
inservice
serverfarm host OCE
description This serverfarm is for OCE01&2
rserver OCE01
probe OCE01
inservice
rserver OCE02
probe OCE02
inservice
class-map match-all FQDN-CWA
2 match virtual-address 10.x.1.56 any
class-map match-all FQDN-OCSPool
2 match virtual-address 10.x.1.57 any
class-map match-all L4VIPCLASS
2 match virtual-address 10.x.1.55 any
class-map type management match-any remote_access
2 match protocol xml-https any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
class class-default
permit
policy-map type loadbalance first-match FQDN-CWA
class class-default
serverfarm FQDN-CWA-servers
policy-map type loadbalance first-match FQDN-OCSPool-l7slb
class class-default
serverfarm FQDN-OCSPool-Servers
policy-map type loadbalance first-match OCE
class class-default
serverfarm OCE
policy-map multi-match VIPs
class L4VIPCLASS
loadbalance vip inservice
loadbalance policy OCE
loadbalance vip icmp-reply active
class FQDN-CWA
loadbalance vip inservice
loadbalance policy FQDN-CWA
loadbalance vip icmp-reply active
nat dynamic 1 vlan 100
class FQDN-OCSPool
loadbalance vip inservice
loadbalance policy FQDN-OCSPool-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 100
interface vlan 100
ip address 10.x.1.110 255.255.255.0
access-group input ALL
access-group output ALL
nat-pool 1 10.x.1.240 10.x.1.249 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input VIPs
no shutdown
interface vlan 500
ip address 10.x.5.1 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 600
ip address 10.x.6.4 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 1000
ip address 1.1.1.1 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 10.x.5.2
ip route 10.x.2.0 255.255.255.0 10.x.5.2
ip route 78.x.x.240 255.255.255.240 10.x.5.2
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 100
service-policy: VIPs
class: FQDN-CWA
nat:
nat dynamic 1 vlan 100
curr conns : 0 , hit count : 41
dropped conns : 0
client pkt count : 2788 , client byte count: 904455
server pkt count : 7311 , server byte count: 9541139
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
10.x.1.56 any
loadbalance:
L7 loadbalance policy: FQDN-CWA
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 41
dropped conns : 0
client pkt count : 2788 , client byte count: 904455
server pkt count : 7311 , server byte count: 9541139
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : FQDN-CWA
class/match : class-default
LB action :
primary serverfarm: FQDN-CWA-servers
state: UP
backup serverfarm : -
hit count : 41
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 100
service-policy: VIPs
class: FQDN-OCSPool
nat:
nat dynamic 1 vlan 100
curr conns : 15 , hit count : 6757
dropped conns : 105
client pkt count : 735221 , client byte count: 207648039
server pkt count : 496785 , server byte count: 73460926
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
10.x.1.57 any
loadbalance:
L7 loadbalance policy: FQDN-OCSPool-l7slb
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 15 , hit count : 7061
dropped conns : 370
client pkt count : 735618 , client byte count: 207669423
server pkt count : 496785 , server byte count: 73460926
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : FQDN-OCSPool-l7slb
class/match : class-default
LB action :
primary serverfarm: FQDN-OCSPool-Servers
state: UP
backup serverfarm : -
hit count : 6800
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 100
service-policy: VIPs
class: L4VIPCLASS
VIP Address: Protocol: Port:
10.x.1.55 any
loadbalance:
L7 loadbalance policy: OCE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP state: OUTOFSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 6
dropped conns : 6
client pkt count : 6 , client byte count: 839
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : OCE
class/match : class-default
LB action :
primary serverfarm: OCE
state: DOWN
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
hostname ACE-2
interface gigabitEthernet 1/1
description connection to the ASA
switchport access vlan 300
no shutdown
interface gigabitEthernet 1/2
description trunk with DELL SW module A1
switchport trunk allowed vlan 200,250,600
no shutdown
interface gigabitEthernet 1/3
switchport access vlan 500
no shutdown
interface gigabitEthernet 1/4
no shutdown
context Admin
member Sticky
access-list anyone line 8 extended permit ip any any
access-list qqq line 8 extended permit ip any host 10.x.2.3
access-list qqq line 16 extended permit ip host 10.x.2.3 any
probe tcp Edge-1
ip address 78.x.x.244 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp Edge-2
ip address 78.x.x.245 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp Edge-3
ip address 78.x.x.246 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp Edge-4
ip address 78.x.x.250 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp Edge-5
ip address 78.x.x.251 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp Edge-6
ip address 78.x.x.252 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp FrontEnd-01
ip address 10.x.1.51 routed
port 5061
interval 15
passdetect interval 60
open 1
probe tcp FrontEnd-02
ip address 10.x.1.52 routed
port 5061
interval 15
passdetect interval 60
open 1
rserver host DTSHQ-1
ip address 78.x.x.244
inservice
rserver host DTSHQ-2
ip address 78.x.x.245
inservice
rserver host DTSHQ-3
ip address 78.x.x.246
inservice
rserver host DTSHQ-4
ip address 78.x.x.250
inservice
rserver host DTSHQ-5
ip address 78.x.x.251
inservice
rserver host DTSHQ-6
ip address 78.x.x.252
inservice
rserver host DTSHQ-OCE01
ip address 172.16.x.9
inservice
rserver host DTSHQ-OCE02
ip address 172.16.x.10
inservice
rserver host FrontEnd-01
ip address 10.x.1.10
conn-limit max 4000000 min 4000000
inservice
rserver host FrontEnd-02
ip address 10.x.1.52
conn-limit max 4000000 min 4000000
inservice
serverfarm host DTSHQ-servers
rserver DTSHQ-1
probe Edge-1
inservice
rserver DTSHQ-4
probe Edge-4
inservice
serverfarm host DTSHQ-servers1
rserver DTSHQ-2
probe Edge-2
inservice
rserver DTSHQ-5
probe Edge-5
inservice
serverfarm host DTSHQ-servers2
rserver DTSHQ-3
probe Edge-3
inservice
rserver DTSHQ-6
probe Edge-6
inservice
serverfarm host FrontEnd
rserver FrontEnd-01
probe FrontEnd-01
inservice
rserver FrontEnd-02
probe FrontEnd-02
inservice
sticky ip-netmask 255.255.255.240 address source Internet-Users
timeout 180
timeout activeconns
serverfarm DTSHQ-servers
sticky ip-netmask 255.255.255.240 address source Internet-Users1
timeout 180
timeout activeconns
serverfarm DTSHQ-servers1
sticky ip-netmask 255.255.255.240 address source Internet-Users2
timeout 180
timeout activeconns
serverfarm DTSHQ-servers2
class-map match-all FrontEnd
2 match virtual-address 172.16.x.20 any
class-map match-all L4VIPCLASS-1-any
2 match virtual-address 10.x.2.4 any
class-map match-all L4VIPCLASS-2-any
2 match virtual-address 10.x.2.5 any
class-map match-all L4VIPCLASS-any
2 match virtual-address 10.x.2.3 any
class-map type management match-any remote_access
2 match protocol xml-https any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
class class-default
permit
policy-map type loadbalance first-match DTSHQ-servers
class class-default
sticky-serverfarm Internet-Users
policy-map type loadbalance first-match DTSHQ-servers1
class class-default
sticky-serverfarm Internet-Users1
policy-map type loadbalance first-match DTSHQ-servers2
class class-default
sticky-serverfarm Internet-Users2
policy-map type loadbalance first-match FrontEnd
class class-default
serverfarm FrontEnd
policy-map multi-match DTSHQ-servers-LB
class L4VIPCLASS-any
loadbalance vip inservice
loadbalance policy DTSHQ-servers
loadbalance vip icmp-reply active
class L4VIPCLASS-1-any
loadbalance vip inservice
loadbalance policy DTSHQ-servers1
loadbalance vip icmp-reply active
class L4VIPCLASS-2-any
loadbalance vip inservice
loadbalance policy DTSHQ-servers2
loadbalance vip icmp-reply active
policy-map multi-match L4FrontEnd
class FrontEnd
loadbalance vip inservice
loadbalance policy FrontEnd
loadbalance vip icmp-reply active
interface vlan 200
ip address 78.x.x.243 255.255.255.240
access-group input anyone
access-group output anyone
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 250
ip address 172.16.x.98 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input remote_mgmt_allow_policy
service-policy input L4FrontEnd
no shutdown
interface vlan 300
description communication vlan with the ASA
ip address 10.x.2.2 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input remote_mgmt_allow_policy
service-policy input DTSHQ-servers-LB
no shutdown
interface vlan 500
description Connection to ACE-1
ip address 10.x.5.2 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 600
ip address 10.x.6.3 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 10.x.2.1
ip route 10.x.1.0 255.255.255.0 10.x.5.1
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 250
service-policy: L4FrontEnd
class: FrontEnd
VIP Address: Protocol: Port:
172.16.x.20 any
loadbalance:
L7 loadbalance policy: FrontEnd
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP state: OUTOFSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 5
dropped conns : 5
client pkt count : 5 , client byte count: 610
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : FrontEnd
class/match : class-default
LB action :
primary serverfarm: FrontEnd
state: DOWN
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 300
service-policy: DTSHQ-servers-LB
class: L4VIPCLASS-1-any
VIP Address: Protocol: Port:
10.x.2.4 any
loadbalance:
L7 loadbalance policy: DTSHQ-servers1
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 1461
dropped conns : 96
client pkt count : 19015 , client byte count: 3214677
server pkt count : 18643 , server byte count: 6141422
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : DTSHQ-servers1
class/match : class-default
LB action :
sticky group: Internet-Users1
primary serverfarm: DTSHQ-servers1
state: UP
backup serverfarm : -
hit count : 1441
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 300
service-policy: DTSHQ-servers-LB
class: L4VIPCLASS-2-any
VIP Address: Protocol: Port:
10.x.2.5 any
loadbalance:
L7 loadbalance policy: DTSHQ-servers2
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 1087
dropped conns : 67
client pkt count : 10309 , client byte count: 1285741
server pkt count : 10098 , server byte count: 1758646
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : DTSHQ-servers2
class/match : class-default
LB action :
sticky group: Internet-Users2
primary serverfarm: DTSHQ-servers2
state: UP
backup serverfarm : -
hit count : 1085
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 300
service-policy: DTSHQ-servers-LB
class: L4VIPCLASS-any
VIP Address: Protocol: Port:
10.x.2.3 any
loadbalance:
L7 loadbalance policy: DTSHQ-servers
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 1021
dropped conns : 71
client pkt count : 14750 , client byte count: 1636324
server pkt count : 12807 , server byte count: 5138009
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : DTSHQ-servers
class/match : class-default
LB action :
sticky group: Internet-Users
primary serverfarm: DTSHQ-servers
state: UP
backup serverfarm : -
hit count : 1021
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
09-08-2011 06:41 PM
Hi,
Your configuration looks good. Try adding the following to your management class-map:
class-map type management match-any remote_access
2 match protocol xml-https any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
9 match protocol icmp any
09-09-2011 06:06 AM
Hi
Thank you sir for your response.
I tried it, but the problem is still as it is.
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 100
service-policy: VIPs
class: L4VIPCLASS
VIP Address: Protocol: Port:
10.x.1.55 any
loadbalance:
L7 loadbalance policy: OCE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP state: OUTOFSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 6
dropped conns : 6
client pkt count : 6 , client byte count: 839
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : OCE
class/match : class-default
LB action :
primary serverfarm: OCE
state: DOWN
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 250
service-policy: L4FrontEnd
class: FrontEnd
VIP Address: Protocol: Port:
172.16.x.20 any
loadbalance:
L7 loadbalance policy: FrontEnd
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP state: OUTOFSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 5
dropped conns : 5
client pkt count : 5 , client byte count: 610
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : FrontEnd
class/match : class-default
LB action :
primary serverfarm: FrontEnd
state: DOWN
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
09-09-2011 12:29 PM
Hi,
As you highlighted, the OUTOFSERVICE state is the cause of the VIP not responding to ICMP requests, and if you scroll down a little through your output, the reason the VIP is out of service is the state of the SF.
primary serverfarm: OCE
state: DOWN
primary serverfarm: FrontEnd
state: DOWN
Both real servers are down due to a probe failure on your SF, so you can check if the ports being monitored are alive on the backend server. You can also paste the output of show probe [name] detail.
HTH
Pablo
09-09-2011 12:52 PM
In addition, when you have this:
policy-map multi-match L4FrontEnd
class FrontEnd
loadbalance vip inservice
loadbalance policy FrontEnd
loadbalance vip icmp-reply active    <=== here
The "active" means that the VIP will respond to pings only when at least one of the rservers in the farm is OPERATIONAL.
If you remove the "active", the VIP will respond if the service-policy is applied to the interface or globally.
http://tools.cisco.com/squish/18976
However, the main problem as Pablo mentioned is that the probes are down.
Cesar R.
09-09-2011 01:30 PM
Hi Mr. Cesar
But could you explain why the other VIPs which match the same servers work fine?
As you can see our problem is in the load balancing between the edge Load Balancer and the frontend Load Balancer.
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 100
service-policy: VIPs
class: FQDN-OCSPool
nat:
nat dynamic 1 vlan 100
curr conns : 11 , hit count : 8264
dropped conns : 105
client pkt count : 904665 , client byte count: 256530290
server pkt count : 610952 , server byte count: 89835486
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
10.x.1.57 any
loadbalance:
L7 loadbalance policy: FQDN-OCSPool-l7slb
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 11 , hit count : 8568
dropped conns : 370
client pkt count : 905062 , client byte count: 256551674
server pkt count : 610952 , server byte count: 89835486
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : FQDN-OCSPool-l7slb
class/match : class-default
LB action :
primary serverfarm: FQDN-OCSPool-Servers
state: UP
backup serverfarm : -
hit count : 8307
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
09-09-2011 01:08 PM
Hi Pablo
Thank you for your response.
I would like to alert that we configured the edge H/W load balance to telnet over the real IPs of 443 (78.x.x.244,245,246 and 50,51,52)
Then in the internal ACE we will have 2 scenarios:
First one, which deals with the 10.x.1.56, is to TCP over port 80 or 443 for both 10.x.1.53 and 10.x.1.54,
and the 10.x.1.57 is to TCP over port 80 or 443 for both 10.x.1.51 and 10.x.1.52.
Second scenario:
Is for 172.16.x.20, which load balances between 10.x.1.51 and 10.x.1.52; here we will use the telnet over port 5061.
The following is the output of the show probe:
probe : FrontEnd-01
type : TCP
state : ACTIVE
description :
----------------------------------------------
port : 5061
address : 10.x.1.51 addr type : ROUTED
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
real : FrontEnd-01[0]
serverfarm: FrontEnd
10.x.1.51 5061 PROBE 324 324 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Server open timeout (no SYN ACK)
Last probe time : Fri Sep 9 12:30:04 2011
Last fail time : Fri Sep 9 07:08:52 2011
Last active time : Never
probe : FrontEnd-02
type : TCP
state : ACTIVE
description :
----------------------------------------------
port : 5061
address : 10.x.1.52 addr type : ROUTED
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
real : FrontEnd-02[0]
serverfarm: FrontEnd
10.x.1.52 5061 PROBE 340 340 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Server open timeout (no SYN ACK)
Last probe time : Fri Sep 9 12:46:08 2011
Last fail time : Fri Sep 9 07:08:56 2011
Last active time : Never
probe : OCE01
type : TCP
state : ACTIVE
description :
----------------------------------------------
port : 443
address : 172.16.x.9 addr type : ROUTED
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
real : OCE01[0]
serverfarm: OCE
172.16.x.9 443 PROBE 366 366 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Server open timeout (no SYN ACK)
Last probe time : Fri Sep 9 13:04:32 2011
Last fail time : Fri Sep 9 07:01:20 2011
Last active time : Never
probe : OCE02
type : TCP
state : ACTIVE
description :
----------------------------------------------
port : 443
address : 172.16.x.10 addr type : ROUTED
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
real : OCE02[0]
serverfarm: OCE
172.16.x.10 443 PROBE 366 366 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Server open timeout (no SYN ACK)
Last probe time : Fri Sep 9 13:04:31 2011
Last fail time : Fri Sep 9 07:01:19 2011
Last active time : Never
09-09-2011 01:29 PM
Hi
The problem with the probes is that the ACE sends the SYN but never receives a SYN/ACK from the server.
You are using the "routed" keyword in the probe configuration. By default probes are sent to the server the probe is attached to. If you do not want this to happen, you use the keyword routed.
So, if you have in your VLAN a server and a gateway, and the probe attached to the rserver is a ping to the gateway, you probably do not want the ping to be sent to the server itself.
So you use the "routed" keyword to force ACE to do a lookup for the destination IP address.
The lookup will say the IP is local to vlan x, and therefore ACE will do an ARP request and forward the ping to the MAC of the gateway.
Try with a probe like this:
probe tcp OCE00
port 443
interval 15
passdetect interval 60
open 1
The serverfarm will look like this:
serverfarm host OCE
description This serverfarm is for OCE01&2
rserver OCE01
probe OCE00
inservice
rserver OCE02
probe OCE00
inservice
Cesar R
09-10-2011 07:35 AM
Hi Cesar
I tried this but the problem is not solved.
Do you think that the problem may be in VLAN 500 (10.x.5.0), which is the gateway traffic between VLAN 100 (10.x.1.0), which has the frontend Load Balancer, and VLAN 250 (172.16.x.0), which has the Edge Load Balancer?
Because I cannot ping any IP in VLAN 100 from the Edge Load Balancer, and also I cannot ping any IP in VLAN 250 from the FrontEnd Load Balancer.
What do you see?!
best regards,
09-11-2011 04:12 PM
Hi,
Can you please provide me with this info?
- source IP of the device that originates the ping
This will tell us which is going to be the ingress VLAN; if the policy is not enabled on this VLAN, the ping won't work. Also, as explained above, the VIP has to be operational.
Let me know.
Cheers,
Rodrigo
09-12-2011 03:28 PM
Hi Rodrigo
Thank you for your response.
Regarding your question, I use the ping tools from ACE 4710 Device Manager A3(2.0) to ping the real servers and other IPs.
For note: we connect the ACE1 (1/3) & ACE2 (1/4) by a physical link assigned to VLAN 500 as access type (I tried to change it to trunk type also).
Through this link I can ping the gateway on both sides (10.x.5.1 & 10.x.5.2), but beyond the gateway, no way.
best regards,
09-12-2011 03:23 AM
One more thing. Check if the outgoing interface of the traffic is the incoming interface too. To check this you can disable ip-normalization on your interfaces. By default the ACE acts as a firewall and doesn't accept this.
09-12-2011 03:32 PM
Hi Marko
I tried that, but nothing new.
Do you have other solutions?!
best regards,
09-12-2011 12:12 AM
Hello Alash!
Please check the placement of your service-policy. On ACE2 your routing to the VIPs of ACE1 is like this:
ip route 10.x.1.0 255.255.255.0 10.x.5.1
But on your interface there is no service-policy attached to the interface. Same for the connection from ACE1 to ACE2.
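The placement check described in the reply above (and the ingress-VLAN point raised earlier in the thread) can be done mechanically. The following Python sketch is an added example, not part of the original thread and not Cisco tooling: it maps each VIP to the VLAN interfaces where its multi-match policy is applied. The sample text is a constructed excerpt of the ACE-1 configuration posted above; the function names are hypothetical.

```python
# Added example: map VIPs to the VLANs whose "service-policy input" covers them.
# ACE1_EXCERPT is a constructed excerpt of the ACE-1 config from this thread
# (flattened, as posted; addresses keep the thread's "x" redaction).
ACE1_EXCERPT = """\
class-map match-all FQDN-CWA
2 match virtual-address 10.x.1.56 any
class-map match-all FQDN-OCSPool
2 match virtual-address 10.x.1.57 any
class-map match-all L4VIPCLASS
2 match virtual-address 10.x.1.55 any
class-map type management match-any remote_access
5 match protocol ssh any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match OCE
class class-default
serverfarm OCE
policy-map multi-match VIPs
class L4VIPCLASS
loadbalance vip inservice
class FQDN-CWA
loadbalance vip inservice
class FQDN-OCSPool
loadbalance vip inservice
interface vlan 100
ip address 10.x.1.110 255.255.255.0
service-policy input remote_mgmt_allow_policy
service-policy input VIPs
interface vlan 500
ip address 10.x.5.1 255.255.255.0
service-policy input remote_mgmt_allow_policy
"""


def parse_ace(config):
    """Return (class->VIP, multi-match policy->classes, vlan->applied policies)."""
    vips, policies, vlans = {}, {}, {}
    section, name = None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "class-map":
            section, name = "class-map", words[-1]
        elif words[0] == "policy-map" and len(words) >= 3:
            if words[1] == "multi-match":
                section, name = "multi-match", words[2]
                policies[name] = []
            else:
                # management / loadbalance policy-maps carry no VIP classes
                section, name = "other-policy", words[-1]
        elif words[0] == "interface":
            if len(words) >= 3 and words[1] == "vlan":
                section, name = "vlan", words[2]
                vlans[name] = []
            else:
                section, name = None, None  # physical port, not a VLAN interface
        elif section == "class-map" and len(words) >= 4 \
                and words[1:3] == ["match", "virtual-address"]:
            vips[name] = words[3]
        elif section == "multi-match" and words[0] == "class" and len(words) >= 2:
            policies[name].append(words[1])
        elif section == "vlan" and len(words) >= 3 \
                and words[:2] == ["service-policy", "input"]:
            vlans[name].append(words[2])
    return vips, policies, vlans


def vip_ingress_vlans(config):
    """Map every VIP to the list of VLAN ids on which it is actually matched."""
    vips, policies, vlans = parse_ace(config)
    covered = {vip: [] for vip in vips.values()}
    for vlan, applied in vlans.items():
        for policy in applied:
            for cls in policies.get(policy, []):
                if cls in vips:
                    covered[vips[cls]].append(vlan)
    return covered


def served_on(config, vip, ingress_vlan):
    """True if traffic for `vip` arriving on `ingress_vlan` hits a VIP policy."""
    return ingress_vlan in vip_ingress_vlans(config).get(vip, [])


if __name__ == "__main__":
    for vip, vlan_ids in sorted(vip_ingress_vlans(ACE1_EXCERPT).items()):
        print(f"{vip}: matched on vlan(s) {', '.join(vlan_ids) or 'none'}")
    # Traffic from ACE-2 reaches ACE-1 on vlan 500 (ip route ... 10.x.5.1).
    print("10.x.1.55 served on vlan 500:", served_on(ACE1_EXCERPT, "10.x.1.55", "500"))
```
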
09-12-2011 03:38 PM
Hi Marko
I use () as the following:
interface vlan 500
description Connection to ACE-1
ip address 10.x.5.2 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input remote_mgmt_allow_policy
interface vlan 500
description Connection to ACE-2
ip address 10.x.5.1 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input remote_mgmt_allow_policy
best regards,