02-19-2014 07:40 PM
Hello,
I have been tasked with ACE configuration at work as the prior go-to guy for load balancing is no longer available. Trouble is, I have little idea what I’m doing when it comes to the ACE. So, forgive me if the question I have is super basic. After doing some research I put together a LB config, but its not working.
I was trying to load balance 10 servers, split into groups of 2 using 5 VIPS (1 VIP for each group of 2 servers). The servers serve an ssl web app.
Below is my configuration. What am I doing wrong? Does the config have any glaring errors? I've been staring at this thing on and off for a week and searching these forums trying to figure it out.
Any help provided will greatly appreciated.
probe tcp probe_443
port 443
interval 30
passdetect interval 5
probe https probe_https_test
interval 30
passdetect interval 5
ssl version all
request method get url /test.html
expect status 200 200
rserver host QA-1.1
ip address 10.200.162.126
inservice
rserver host QA-1.2
ip address 10.200.162.127
inservice
rserver redirect QA-group_1_redirect_rserver
webhost-redirection https://10.37.5.73/ 302
inservice
rserver host QA-2.1
ip address 10.200.162.22
inservice
rserver host QA-2.2
ip address 10.200.162.240
inservice
rserver redirect QA-group_2_redirect_rserver
webhost-redirection https://10.37.5.74/ 302
inservice
rserver host QA-3.1
ip address 10.200.162.181
inservice
rserver host QA-3.2
ip address 10.200.162.50
inservice
rserver redirect QA-group_3_redirect_rserver
webhost-redirection https://10.37.5.75/ 302
inservice
rserver host QA-4.1
ip address 10.200.162.23
inservice
rserver host QA-4.2
ip address 10.200.162.241
inservice
rserver redirect QA-group_4_redirect_rserver
webhost-redirection https://10.37.5.76/ 302
inservice
rserver host QA-5.1
ip address 10.200.162.182
inservice
rserver host QA-5.2
ip address 10.200.162.51
inservice
rserver redirect QA-group_5_redirect_rserver
webhost-redirection https://10.37.5.77/ 302
inservice
serverfarm host SF_QA-group_1_HTTPS
failaction reassign
predictor leastconns
probe probe_443
probe probe_https_test
rserver QA-1.1 443
inservice
rserver QA-1. 2 443
inservice
serverfarm host SF_QA-group_2_HTTPS
failaction reassign
predictor leastconns
probe probe_443
probe probe_https_test
rserver QA-2.1 443
inservice
rserver QA-2. 2 443
inservice
serverfarm host SF_QA-group_3_HTTPS
failaction reassign
predictor leastconns
probe probe_443
probe probe_https_test
rserver QA-3.1 443
inservice
rserver QA-3. 2 443
inservice
serverfarm host SF_QA-group_4_HTTPS
failaction reassign
predictor leastconns
probe probe_443
probe probe_https_test
rserver QA-4.1 443
inservice
rserver QA-4. 2 443
inservice
serverfarm host SF_QA-group_5_HTTPS
failaction reassign
predictor leastconns
probe probe_443
probe probe_https_test
rserver QA-5.1 443
inservice
rserver QA-5. 2 443
inservice
serverfarm redirect SF_ QA-group_1_REDIRECT
rserver QA-group_1_redirect_rserver
inservice
serverfarm redirect SF_ QA-group_2_REDIRECT
rserver QA-group_2_redirect_rserver
inservice
serverfarm redirect SF_ QA-group_3_REDIRECT
rserver QA-group_3_redirect_rserver
inservice
serverfarm redirect SF_ QA-group_4_REDIRECT
rserver QA-group_4_redirect_rserver
inservice
serverfarm redirect SF_ QA-group_5_REDIRECT
rserver QA-group_5_redirect_rserver
inservice
sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_1_STICKY
serverfarm SF_ QA-group_1_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_2_STICKY
serverfarm SF_ QA-group_2_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_3_STICKY
serverfarm SF_ QA-group_3_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_4_STICKY
serverfarm SF_ QA-group_4_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_5_STICKY
serverfarm SF_ QA-group_5_HTTPS
timeout 30
replicate sticky
class-map match-all QA-group_1_HTTP
3 match virtual-address 10.37.5.73 tcp eq www
class-map match-all QA-group_1_HTTPS
3 match virtual-address 10.37.5.73 tcp eq https
class-map match-all QA-group_2_HTTP
3 match virtual-address 10.37.5.74 tcp eq www
class-map match-all QA-group_2_HTTPS
3 match virtual-address 10.37.5.74 tcp eq https
class-map match-all QA-group_3_HTTP
3 match virtual-address 10.37.5.75 tcp eq www
class-map match-all QA-group_3_HTTPS
3 match virtual-address 10.37.5.75 tcp eq https
class-map match-all QA-group_4_HTTP
3 match virtual-address 10.37.5.76 tcp eq www
class-map match-all QA-group_4_HTTPS
3 match virtual-address 10.37.5.76 tcp eq https
class-map match-all QA-group_5_HTTPS
3 match virtual-address 10.37.5.77 tcp eq www
class-map match-all QA-group_5_HTTPS
3 match virtual-address 10.37.5.77 tcp eq https
class-map type management match-any remote-management
2 match protocol http any
3 match protocol https any
4 match protocol icmp any
5 match protocol snmp any
6 match protocol ssh any
policy-map type management first-match remote-access
class remote-management
permit
policy-map type loadbalance first-match QA-group_1_REDIRECT
class class-default
serverfarm SF_ QA-group_1_REDIRECT
policy-map type loadbalance first-match QA-group_2_REDIRECT
class class-default
serverfarm SF_ QA-group_2_REDIRECT
policy-map type loadbalance first-match QA-group_3_REDIRECT
class class-default
serverfarm SF_ QA-group_3_REDIRECT
policy-map type loadbalance first-match QA-group_4_REDIRECT
class class-default
serverfarm SF_ QA-group_4_REDIRECT
policy-map type loadbalance first-match QA-group_5_REDIRECT
class class-default
serverfarm SF_ QA-group_5_REDIRECT
policy-map multi-match SERVICE_VIPS
class QA-group_1_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS_ QA-group_1_HTTPS _L7_BALANCED
loadbalance vip icmp-reply
nat dynamic 1 vlan 25
class QA-group_1_HTTP
loadbalance vip inservice
loadbalance policy QA-group_1_REDIRECT
class QA-group_2_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS_ QA-group_2_HTTPS _L7_BALANCED
loadbalance vip icmp-reply
nat dynamic 1 vlan 25
class QA-group_2_HTTP
loadbalance vip inservice
loadbalance policy QA-group_2_REDIRECT
class QA-group_3_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS_ QA-group_3_HTTPS _L7_BALANCED
loadbalance vip icmp-reply
nat dynamic 1 vlan 25
class QA-group_3_HTTP
loadbalance vip inservice
loadbalance policy QA-group_3_REDIRECT
class QA-group_4_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS_ QA-group_4_HTTPS _L7_BALANCED
loadbalance vip icmp-reply
nat dynamic 1 vlan 25
class QA-group_4_HTTP
loadbalance vip inservice
loadbalance policy QA-group_4_REDIRECT
class QA-group_5_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS_ QA-group_4_HTTPS _L7_BALANCED
loadbalance vip icmp-reply
nat dynamic 1 vlan 25
class QA-group_5_HTTP
loadbalance vip inservice
loadbalance policy QA-group_4_REDIRECT
interface vlan 25
ip address 10.37.5.72 255.255.255.0
access-group input everyone
service-policy input remote-access
service-policy input SERVICE_VIPS
no shutdown
ip route 0.0.0.0 0.0.0.0 10.37.5.1
Solved! Go to Solution.
03-03-2014 12:44 PM
Hi John,
Forget this configuration. I will give you the configuration please try that. I will give you for one rserver, one serverfarm, one class map. You please do that same for rest of them. Test one first and replicate to others.
rserver redirect QA-group_1_redirect_rserver
webhost-redirection
inservice
This is the redirect server.
rserver host QA-1.1
ip address 10.37.5.111
inservice
rserver host QA-1.2
ip address 10.37.5.88
inservice
Normal servers to which the traffic would be loadbalanced.
serverfarm redirect SF_QA-group_1_REDIRECT
rserver QA-group_1_redirect_rserver
inservice
This is redirect serverfarm
serverfarm host SF_QA-group_1_HTTPS
failaction reassign
predictor leastconns
rserver QA-1.1 443
inservice
rserver QA-1.2 443
inservice
Normal serverfarm with two rservers in it to which we will loadbalance the traffic.
class-map match-all QA-group_1_HTTP
3 match virtual-address 10.37.5.93 tcp eq www
The class-map is condition for redirection. If user comes on 10.37.5.93 on 80.
class-map match-all QA-group_1_HTTPS
3 match virtual-address 10.37.5.93 tcp eq https
Condition for user coming on port 443
policy-map type loadbalance first-match QA-group_1_REDIRECT
class class-default
serverfarm SF_QA-group_1_REDIRECT
This is a policy or action which ACE will take after the condition matches which is to redirect.
policy-map type loadbalance first-match QA_GROUP1_HTPPS
class class-default
serverfarm SF_QA-group_1_HTTPS
This is for HTTPS
policy-map multi-match SERVICE_VIPS
class QA-group_1_HTTP
loadbalance vip inservice
loadbalance policy QA-group_1_REDIRECT
loadbalance vip icmp-reply
class QA-group_1_HTTPS
loadbalance vip inservice
loadbalance policy QA_GROUP1_HTPPS
loadbalance vip icmp-reply
Same action is applied to the policy. If it matches class QA-group_1_HTTP, redirect it, since redirect policy is applied and if it matches class QA-group_1_HTTPS, loadbalance the traffic since LB policy is applied.
Hope this clears everything. My bad for not being clear. Also, note that i have not used sticky here. Just for example i have done this. This is how your configuration should look like for all the groups.
Again let me know if you have any questions.
Regards,
Kanwal
03-05-2014 08:18 AM
Hi John,
So that's a problem then. Return traffic from server should also pass through ACE. ACE is not seeing the return traffic. This is Asymmetric routing. You will either have to do src nat or change the default gateway of servers to ACE. Try changing for one serverfarm (two servers in a serverfarm) and test again. If that works you know this is the issue or you can add a route on the server as well.
Regards,
Kanwal
03-05-2014 09:48 AM
Hi John,
Remove the class map from policy map and then remove it. That should do the trick.
Regards,
Kanwal
02-20-2014 07:53 AM
Hi John,
If the idea is to redirect user requests from http to https and once user comes on https, just loadbalance the requests to servers who are also listening on 443, then the above configuration looks fine. What is not working, redirection or loadbalancing to real servers? What is the status of servers in serverfarm? They should be operational.
I don't see LB policies configuration like "HTTPS_ QA-group_1_HTTPS _L7_BALANCED" in the configuration you have pasted. May be you have omitted it on purpose.
Regards,
Kanwal
02-28-2014 08:37 AM
Fnu,
Thank you so much for your reply.
At this point I can get to the real server IP's via ping and https in a browser from my PC. I can also ping the gateway and all the real server IP's from the ACE context i'm working on. However, the VIPS are not working. When I attempt to use one of the VIPS in the browser, the request times out. When I issue the command ":show service-policy" I see a hit count (which increments every time I try and reach the VIP via the browser) but the dropped counter is equal to the hit counter. I will paste the running config from the context I’m working in along with the output from the show service-policy command.
Any suggestions on how I can get this working would be greatly appreciated.
csc# show run
Generating configuration....
access-list Servers line 3 extended permit tcp any any eq https
access-list Servers line 5 extended permit tcp any any eq www
access-list everyone line 1 extended permit ip any any
access-list everyone line 2 extended permit icmp any any
probe tcp probe_443
port 443
interval 30
passdetect interval 5
rserver host QA-1.1
ip address 10.37.5.111
inservice
rserver host QA-1.2
ip address 10.37.5.88
inservice
rserver host QA-2.1
ip address 10.37.5.84
inservice
rserver host QA-2.2
ip address 10.37.5.89
inservice
rserver host QA-3.1
ip address 10.37.5.85
inservice
rserver host QA-3.2
ip address 10.37.5.90
inservice
rserver host QA-4.1
ip address 10.37.5.86
inservice
rserver host QA-4.2
ip address 10.37.5.81
inservice
rserver host QA-5.1
ip address 10.37.5.87
inservice
rserver host QA-5.2
ip address 10.37.5.92
inservice
rserver redirect QA-group_1_redirect_rserver
webhost-redirection https://10.37.5.93/ 302
inservice
rserver redirect QA-group_2_redirect_rserver
webhost-redirection https://10.37.5.94/ 302
inservice
rserver redirect QA-group_3_redirect_rserver
webhost-redirection https://10.37.5.95/ 302
inservice
rserver redirect QA-group_4_redirect_rserver
webhost-redirection https://10.37.5.96/ 302
inservice
rserver redirect QA-group_5_redirect_rserver
webhost-redirection https://10.37.5.97/ 302
inservice
serverfarm host SF_QA-group_1_HTTPS
failaction reassign
predictor leastconns
probe probe_443
rserver QA-1.1 443
inservice
rserver QA-1.2 443
inservice
serverfarm redirect SF_QA-group_1_REDIRECT
rserver QA-group_1_redirect_rserver
inservice
serverfarm host SF_QA-group_2_HTTPS
failaction reassign
predictor leastconns
probe probe_443
rserver QA-2.1 443
inservice
rserver QA-2.2 443
inservice
serverfarm redirect SF_QA-group_2_REDIRECT
rserver QA-group_2_redirect_rserver
inservice
serverfarm host SF_QA-group_3_HTTPS
failaction reassign
predictor leastconns
probe probe_443
rserver QA-3.1 443
inservice
rserver QA-3.2 443
inservice
serverfarm redirect SF_QA-group_3_REDIRECT
rserver QA-group_3_redirect_rserver
inservice
serverfarm host SF_QA-group_4_HTTPS
failaction reassign
predictor leastconns
probe probe_443
rserver QA-4.1 443
inservice
rserver QA-4.2 443
inservice
serverfarm redirect SF_QA-group_4_REDIRECT
rserver QA-group_4_redirect_rserver
inservice
serverfarm host SF_QA-group_5_HTTPS
failaction reassign
predictor leastconns
probe probe_443
rserver QA-5.1 443
inservice
rserver QA-5.2 443
inservice
serverfarm redirect SF_QA-group_5_REDIRECT
rserver QA-group_5_redirect_rserver
inservice
serverfarm host SF_QA-group_HTTPS
serverfarm host SF_QA-group__HTTPS
sticky ip-netmask 255.255.255.255 address source SRC_QA-group_1_STICKY
serverfarm SF_QA-group_1_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_QA-group_2_STICKY
serverfarm SF_QA-group_2_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_QA-group_3_STICKY
serverfarm SF_QA-group_3_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_QA-group_4_STICKY
serverfarm SF_QA-group_4_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_QA-group_5_STICKY
serverfarm SF_QA-group_5_HTTPS
timeout 30
replicate sticky
class-map match-all QA-group_1_HTTP
3 match virtual-address 10.37.5.93 tcp eq www
class-map match-all QA-group_1_HTTPS
3 match virtual-address 10.37.5.93 tcp eq https
class-map match-all QA-group_2_HTTP
3 match virtual-address 10.37.5.94 tcp eq www
class-map match-all QA-group_2_HTTPS
3 match virtual-address 10.37.5.94 tcp eq https
class-map match-all QA-group_3_HTTP
3 match virtual-address 10.37.5.95 tcp eq www
class-map match-all QA-group_3_HTTPS
3 match virtual-address 10.37.5.95 tcp eq https
class-map match-all QA-group_4_HTTP
3 match virtual-address 10.37.5.96 tcp eq www
class-map match-all QA-group_4_HTTPS
3 match virtual-address 10.37.5.76 tcp eq https
class-map match-all QA-group_5_HTTP
3 match virtual-address 10.37.5.97 tcp eq www
class-map match-all QA-group_5_HTTPS
3 match virtual-address 10.37.5.97 tcp eq https
class-map type management match-any remote-management
2 match protocol http any
3 match protocol https any
4 match protocol icmp any
5 match protocol snmp any
6 match protocol ssh any
policy-map type management first-match remote-access
class remote-management
permit
policy-map type loadbalance first-match QA-group_1_REDIRECT
class class-default
policy-map type loadbalance first-match QA-group_2_REDIRECT
class class-default
serverfarm SF_QA-group_2_REDIRECT
policy-map type loadbalance first-match QA-group_3_REDIRECT
class class-default
serverfarm SF_QA-group_3_REDIRECT
policy-map type loadbalance first-match QA-group_4_REDIRECT
class class-default
serverfarm SF_QA-group_4_REDIRECT
policy-map type loadbalance first-match QA-group_5_REDIRECT
class class-default
serverfarm SF_QA-group_5_REDIRECT
policy-map multi-match SERVICE_VIPS
class QA-group_1_HTTPS
loadbalance vip inservice
loadbalance policy QA-group_1_REDIRECT
loadbalance vip icmp-reply
class QA-group_1_HTTP
loadbalance vip inservice
loadbalance policy QA-group_1_REDIRECT
class QA-group_2_HTTPS
loadbalance vip inservice
loadbalance policy QA-group_2_REDIRECT
loadbalance vip icmp-reply
class QA-group_2_HTTP
loadbalance vip inservice
loadbalance policy QA-group_2_REDIRECT
class QA-group_3_HTTPS
loadbalance vip inservice
loadbalance policy QA-group_3_REDIRECT
loadbalance vip icmp-reply
class QA-group_3_HTTP
loadbalance vip inservice
loadbalance policy QA-group_3_REDIRECT
class QA-group_4_HTTPS
loadbalance vip inservice
loadbalance policy QA-group_4_REDIRECT
loadbalance vip icmp-reply
class QA-group_4_HTTP
loadbalance vip inservice
loadbalance policy QA-group_4_REDIRECT
class QA-group_5_HTTPS
loadbalance vip inservice
loadbalance policy QA-group_5_REDIRECT
loadbalance vip icmp-reply
class QA-group_5_HTTP
loadbalance vip inservice
loadbalance policy QA-group_5_REDIRECT
interface vlan 25
ip address 10.37.5.98 255.255.255.0
access-group input everyone
service-policy input remote-access
service-policy input SERVICE_VIPS
no shutdown
ip route 0.0.0.0 0.0.0.0 10.37.5.1
csc# show service-policy SERVICE_VIPS
Status : ACTIVE
-----------------------------------------
Interface: vlan 25
service-policy: SERVICE_VIPS
class: QA-group_1_HTTPS
loadbalance:
L7 loadbalance policy: QA-group_1_REDIRECT
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP state: OUTOFSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 122
dropped conns : 122
conns per second : 0
client pkt count : 122 , client byte count: 6164
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
class: QA-group_1_HTTP
loadbalance:
L7 loadbalance policy: QA-group_1_REDIRECT
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : DISABLED
VIP state: OUTOFSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 58
dropped conns : 58
conns per second : 0
client pkt count : 58 , client byte count: 3628
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
class: QA-group_2_HTTPS
loadbalance:
L7 loadbalance policy: QA-group_2_REDIRECT
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 13
dropped conns : 0
conns per second : 0
client pkt count : 74 , client byte count: 7648
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
class: QA-group_2_HTTP
loadbalance:
L7 loadbalance policy: QA-group_2_REDIRECT
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : DISABLED
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 3
dropped conns : 0
conns per second : 0
client pkt count : 12 , client byte count: 1398
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
class: QA-group_3_HTTPS
loadbalance:
L7 loadbalance policy: QA-group_3_REDIRECT
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 34
dropped conns : 0
conns per second : 0
client pkt count : 201 , client byte count: 23495
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
class: QA-group_3_HTTP
loadbalance:
L7 loadbalance policy: QA-group_3_REDIRECT
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : DISABLED
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 5
dropped conns : 0
conns per second : 0
client pkt count : 20 , client byte count: 1907
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
class: QA-group_4_HTTPS
loadbalance:
L7 loadbalance policy: QA-group_4_REDIRECT
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 0
dropped conns : 0
conns per second : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
class: QA-group_4_HTTP
loadbalance:
L7 loadbalance policy: QA-group_4_REDIRECT
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : DISABLED
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 2
dropped conns : 0
conns per second : 0
client pkt count : 8 , client byte count: 697
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
class: QA-group_5_HTTPS
loadbalance:
L7 loadbalance policy: QA-group_5_REDIRECT
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 0
dropped conns : 0
conns per second : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
class: QA-group_5_HTTP
loadbalance:
L7 loadbalance policy: QA-group_5_REDIRECT
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : DISABLED
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 0
dropped conns : 0
conns per second : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
02-28-2014 08:49 AM
Hi John,
Let us take one 1 VIP and concentrate on that. Where are you testing from? Is client in same subnet as servers? If yes, you would NAT for return traffic to go through loadbalancer. Can you take a quick capture using wireshark on client and see where does the connection fail and why?
Also, you have not associated serverfarm in below:
policy-map type loadbalance first-match QA-group_1_REDIRECT
class class-default
Regards,
Kanwal
02-28-2014 09:11 AM
The client is not on the same network. There were NAT statements in my first attempt, but I took them out. Wasn't sure if they should be there.
The ACE configuration is like a whole new language to me. I can configure a router, or switch no problem, but the ACE, I’m a kind of lost. The configuration I pasted here is one I made by editing a config file written by the previous engineer that was made to accomplish a similar task.
What is the minimum required to perform load balancing between 2 HTTPS web servers? I’ve read a lot of Cisco documentation regarding the ACE, but its not clicking for me. For instance when you say the policy map is not associated with a server farm - I don’t know what the relationship is the two, nor am I clear on what a policy map’s function is.
I apologize profusely for my ignorance.
02-28-2014 09:12 AM
Hi John,
Please see my latest reply. Make this change to every policy map you have configured. My bad, i overlooked it.
You are missing configuration here. It should be like this:
policy-map type loadbalance first-match QA-group_1_REDIRECT
Class QA-group_1_HTTP
serverfarm SF_ QA-group_1_REDIRECT
class class-default
serverfarm SF_QA-group_1_HTTPS
This is how it should look for all the policy maps. You have LB policy which only redirects. No action for loadbalancing and hence the problem. Please change and try again. Sorry i overlooked it.
Regards,
Kanwal
02-28-2014 09:11 AM
Hi John,
You are missing configuration here. It should be like this:
policy-map type loadbalance first-match QA-group_1_REDIRECT
Class QA-group_1_HTTP
serverfarm SF_ QA-group_1_REDIRECT
class class-default
serverfarm SF_QA-group_1_HTTPS
This is how it should look for all the policy maps. You have LB policy which only redirects. No action for loadbalancing and hence the problem. Please change and try again. Sorry i overlooked it.
Regards,
Kanwal
03-02-2014 02:40 PM
Fnu,
Thanks again for your help. I really appreciate it.
When I tried to change the config as you suggested, I received the following error:
CSC#(config-pmap-lb)# policy-map type loadbalance first-match QA-group_2_REDIRECT
CSC#(config-pmap-lb)# class SF_QA-group_2_HTTPS
Error: class-map 'SF_QA-group_2_HTTPS' not configured
As before, the hit counters are incrementing, but the ACE is not forwarding the traffic it seems. I would be grateful for any suggestions you might have.
Below is the configuration as well as the output from the show service service-policy summery command.
CSC# show service-policy summary
service-policy: SERVICE_VIPS
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
QA-group_1_HTTPS 10.37.5.93 tcp eq 443 25 IN-SRVC 0 16 16
QA-group_1_HTTP 10.37.5.93 tcp eq 80 25 IN-SRVC 0 2 2
QA-group_2_HTTPS 10.37.5.94 tcp eq 443 25 IN-SRVC 0 20 20
QA-group_2_HTTP 10.37.5.94 tcp eq 80 25 IN-SRVC 0 4 4
QA-group_3_HTTPS 10.37.5.95 tcp eq 443 25 IN-SRVC 0 19 19
QA-group_3_HTTP 10.37.5.95 tcp eq 80 25 IN-SRVC 0 12 12
QA-group_4_HTTPS 10.37.5.76 tcp eq 443 25 IN-SRVC 0 0 0
QA-group_4_HTTP 10.37.5.96 tcp eq 80 25 IN-SRVC 0 12 12
QA-group_5_HTTPS 10.37.5.97 tcp eq 443 25 IN-SRVC 0 8 8
QA-group_5_HTTP 10.37.5.97 tcp eq 80 25 IN-SRVC 0 6 6
CSC# term length 0
CSC# show run
Generating configuration....
access-list Servers line 3 extended permit tcp any any eq https
access-list Servers line 5 extended permit tcp any any eq www
access-list everyone line 1 extended permit ip any any
access-list everyone line 2 extended permit icmp any any
probe tcp probe_443
port 443
interval 30
passdetect interval 5
rserver host QA-1.1
ip address 10.37.5.111
inservice
rserver host QA-1.2
ip address 10.37.5.88
inservice
rserver host QA-2.1
ip address 10.37.5.84
inservice
rserver host QA-2.2
ip address 10.37.5.89
inservice
rserver host QA-3.1
ip address 10.37.5.85
inservice
rserver host QA-3.2
ip address 10.37.5.90
inservice
rserver host QA-4.1
ip address 10.37.5.86
inservice
rserver host QA-4.2
ip address 10.37.5.81
inservice
rserver host QA-5.1
ip address 10.37.5.87
inservice
rserver host QA-5.2
ip address 10.37.5.92
inservice
rserver redirect QA-group_1_redirect_rserver
webhost-redirection https://10.37.5.93/ 302
inservice
rserver redirect QA-group_2_redirect_rserver
webhost-redirection https://10.37.5.94/ 302
inservice
rserver redirect QA-group_3_redirect_rserver
webhost-redirection https://10.37.5.95/ 302
inservice
rserver redirect QA-group_4_redirect_rserver
webhost-redirection https://10.37.5.96/ 302
inservice
rserver redirect QA-group_5_redirect_rserver
webhost-redirection https://10.37.5.97/ 302
inservice
serverfarm host SF_QA-group_1_HTTPS
failaction reassign
predictor leastconns
probe probe_443
rserver QA-1.1 443
inservice
rserver QA-1.2 443
inservice
serverfarm redirect SF_QA-group_1_REDIRECT
rserver QA-group_1_redirect_rserver
inservice
serverfarm host SF_QA-group_2_HTTPS
failaction reassign
predictor leastconns
probe probe_443
rserver QA-2.1 443
inservice
rserver QA-2.2 443
inservice
serverfarm redirect SF_QA-group_2_REDIRECT
rserver QA-group_2_redirect_rserver
inservice
serverfarm host SF_QA-group_3_HTTPS
failaction reassign
predictor leastconns
probe probe_443
rserver QA-3.1 443
inservice
rserver QA-3.2 443
inservice
serverfarm redirect SF_QA-group_3_REDIRECT
rserver QA-group_3_redirect_rserver
inservice
serverfarm host SF_QA-group_4_HTTPS
failaction reassign
predictor leastconns
probe probe_443
rserver QA-4.1 443
inservice
rserver QA-4.2 443
inservice
serverfarm redirect SF_QA-group_4_REDIRECT
rserver QA-group_4_redirect_rserver
inservice
serverfarm host SF_QA-group_5_HTTPS
failaction reassign
predictor leastconns
probe probe_443
rserver QA-5.1 443
inservice
rserver QA-5.2 443
inservice
serverfarm redirect SF_QA-group_5_REDIRECT
rserver QA-group_5_redirect_rserver
inservice
serverfarm host SF_QA-group_HTTPS
serverfarm host SF_QA-group__HTTPS
sticky ip-netmask 255.255.255.255 address source SRC_QA-group_1_STICKY
serverfarm SF_QA-group_1_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_QA-group_2_STICKY
serverfarm SF_QA-group_2_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_QA-group_3_STICKY
serverfarm SF_QA-group_3_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_QA-group_4_STICKY
serverfarm SF_QA-group_4_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_QA-group_5_STICKY
serverfarm SF_QA-group_5_HTTPS
timeout 30
replicate sticky
class-map match-all QA-group_1_HTTP
3 match virtual-address 10.37.5.93 tcp eq www
class-map match-all QA-group_1_HTTPS
3 match virtual-address 10.37.5.93 tcp eq https
class-map match-all QA-group_2_HTTP
3 match virtual-address 10.37.5.94 tcp eq www
class-map match-all QA-group_2_HTTPS
3 match virtual-address 10.37.5.94 tcp eq https
class-map match-all QA-group_3_HTTP
3 match virtual-address 10.37.5.95 tcp eq www
class-map match-all QA-group_3_HTTPS
3 match virtual-address 10.37.5.95 tcp eq https
class-map match-all QA-group_4_HTTP
3 match virtual-address 10.37.5.96 tcp eq www
class-map match-all QA-group_4_HTTPS
3 match virtual-address 10.37.5.76 tcp eq https
class-map match-all QA-group_5_HTTP
3 match virtual-address 10.37.5.97 tcp eq www
class-map match-all QA-group_5_HTTPS
3 match virtual-address 10.37.5.97 tcp eq https
class-map type management match-any remote-management
2 match protocol http any
3 match protocol https any
4 match protocol icmp any
5 match protocol snmp any
6 match protocol ssh any
policy-map type management first-match remote-access
class remote-management
permit
policy-map type loadbalance first-match QA-group_1_REDIRECT
class class-default
serverfarm SF_QA-group_1_HTTPS
policy-map type loadbalance first-match QA-group_2_REDIRECT
class class-default
serverfarm SF_QA-group_2_HTTPS
policy-map type loadbalance first-match QA-group_3_REDIRECT
class class-default
serverfarm SF_QA-group_3_HTTPS
policy-map type loadbalance first-match QA-group_4_REDIRECT
class class-default
serverfarm SF_QA-group_4_HTTPS
policy-map type loadbalance first-match QA-group_5_REDIRECT
class class-default
serverfarm SF_QA-group_5_HTTPS
policy-map multi-match SERVICE_VIPS
class QA-group_1_HTTPS
loadbalance vip inservice
loadbalance policy QA-group_1_REDIRECT
loadbalance vip icmp-reply
class QA-group_1_HTTP
loadbalance vip inservice
loadbalance policy QA-group_1_REDIRECT
class QA-group_2_HTTPS
loadbalance vip inservice
loadbalance policy QA-group_2_REDIRECT
loadbalance vip icmp-reply
class QA-group_2_HTTP
loadbalance vip inservice
loadbalance policy QA-group_2_REDIRECT
class QA-group_3_HTTPS
loadbalance vip inservice
loadbalance policy QA-group_3_REDIRECT
loadbalance vip icmp-reply
class QA-group_3_HTTP
loadbalance vip inservice
loadbalance policy QA-group_3_REDIRECT
class QA-group_4_HTTPS
loadbalance vip inservice
loadbalance policy QA-group_4_REDIRECT
loadbalance vip icmp-reply
class QA-group_4_HTTP
loadbalance vip inservice
loadbalance policy QA-group_4_REDIRECT
class QA-group_5_HTTPS
loadbalance vip inservice
loadbalance policy QA-group_5_REDIRECT
loadbalance vip icmp-reply
class QA-group_5_HTTP
loadbalance vip inservice
loadbalance policy QA-group_5_REDIRECT
interface vlan 25
ip address 10.37.5.98 255.255.255.0
access-group input everyone
service-policy input remote-access
service-policy input SERVICE_VIPS
no shutdown
ip route 0.0.0.0 0.0.0.0 10.37.5.1
CSC#
03-02-2014 03:36 PM
Hi John,
The configuration is still missing. You will have an issue without the correct configuration. You are putting in the wrong class-map name. Please look at my example i have given.
Regards,
Kanwal
03-03-2014 08:25 AM
hello,
When I attempt to use the configuration you provided I get the error "Error: class-map 'SF_QA-group_2_HTTPS' not configured"
Do i need to create a new class?
03-03-2014 08:29 AM
Hi John,
Have a careful look below. If you see there is no class 'SF_QA-group_2_HTTPS', that is the serverfarm. Class map will be QA-group_1_HTTP or class class -default.
policy-map type loadbalance first-match QA-group_1_REDIRECT
Class QA-group_1_HTTP
serverfarm SF_ QA-group_1_REDIRECT
class class-default
serverfarm SF_QA-group_1_HTTPS
Look at bold portion. Those are class-map names that you need to associate with corresponding policy-map type loadbalance first-match x x x x x x
class-map match-all QA-group_1_HTTP
3 match virtual-address 10.37.5.93 tcp eq www
class-map match-all QA-group_1_HTTPS
3 match virtual-address 10.37.5.93 tcp eq https
class-map match-all QA-group_2_HTTP
3 match virtual-address 10.37.5.94 tcp eq www
class-map match-all QA-group_2_HTTPS
3 match virtual-address 10.37.5.94 tcp eq https
class-map match-all QA-group_3_HTTP
3 match virtual-address 10.37.5.95 tcp eq www
class-map match-all QA-group_3_HTTPS
3 match virtual-address 10.37.5.95 tcp eq https
class-map match-all QA-group_4_HTTP
3 match virtual-address 10.37.5.96 tcp eq www
class-map match-all QA-group_4_HTTPS
3 match virtual-address 10.37.5.76 tcp eq https
class-map match-all QA-group_5_HTTP
3 match virtual-address 10.37.5.97 tcp eq www
class-map match-all QA-group_5_HTTPS
3 match virtual-address 10.37.5.97 tcp eq https
The HTTPS class-maps would come under policy-map multi match which are already there.
Let me know if that helps or you have any questions.
First time is tricky:)
Regards,
Kanwal
03-03-2014 12:11 PM
Fnu,
I must have pasted the wrong error in my last reply. Below is the correct error generated when I attemp to add the class.
CSC(config)# policy-map type loadbalance first-match QA-group_1_REDIRECT
CSC(config-pmap-lb)# class QA-group_1_HTTP
Error: Specified class-map is not consistent with the policy-map type
CSC(config-pmap-lb)# class QA-group_1_HTTPS
Error: Specified class-map is not consistent with the policy-map type
CSC5(config-pmap-lb)#
03-03-2014 12:44 PM
Hi John,
Forget this configuration. I will give you the configuration please try that. I will give you for one rserver, one serverfarm, one class map. You please do that same for rest of them. Test one first and replicate to others.
rserver redirect QA-group_1_redirect_rserver
webhost-redirection
inservice
This is the redirect server.
rserver host QA-1.1
ip address 10.37.5.111
inservice
rserver host QA-1.2
ip address 10.37.5.88
inservice
Normal servers to which the traffic would be loadbalanced.
serverfarm redirect SF_QA-group_1_REDIRECT
rserver QA-group_1_redirect_rserver
inservice
This is redirect serverfarm
serverfarm host SF_QA-group_1_HTTPS
failaction reassign
predictor leastconns
rserver QA-1.1 443
inservice
rserver QA-1.2 443
inservice
Normal serverfarm with two rservers in it to which we will loadbalance the traffic.
class-map match-all QA-group_1_HTTP
3 match virtual-address 10.37.5.93 tcp eq www
The class-map is condition for redirection. If user comes on 10.37.5.93 on 80.
class-map match-all QA-group_1_HTTPS
3 match virtual-address 10.37.5.93 tcp eq https
Condition for user coming on port 443
policy-map type loadbalance first-match QA-group_1_REDIRECT
class class-default
serverfarm SF_QA-group_1_REDIRECT
This is a policy or action which ACE will take after the condition matches which is to redirect.
policy-map type loadbalance first-match QA_GROUP1_HTPPS
class class-default
serverfarm SF_QA-group_1_HTTPS
This is for HTTPS
policy-map multi-match SERVICE_VIPS
class QA-group_1_HTTP
loadbalance vip inservice
loadbalance policy QA-group_1_REDIRECT
loadbalance vip icmp-reply
class QA-group_1_HTTPS
loadbalance vip inservice
loadbalance policy QA_GROUP1_HTPPS
loadbalance vip icmp-reply
Same action is applied to the policy. If it matches class QA-group_1_HTTP, redirect it, since redirect policy is applied and if it matches class QA-group_1_HTTPS, loadbalance the traffic since LB policy is applied.
Hope this clears everything. My bad for not being clear. Also, note that i have not used sticky here. Just for example i have done this. This is how your configuration should look like for all the groups.
Again let me know if you have any questions.
Regards,
Kanwal
03-05-2014 05:43 AM
Fnu,
Thanks for getting me started in the right direction. I used the configuration you provided and added the access lists and interface info.
I can see that is redirecting traffic from http to https, however the page fails after redirection to https. I have verified that both real server addresses are accessible directly.
In Wireshark (II don't see an option to attach a file here) I can see the 3 way handshake for http, but when it redirects to https the connection is reset.
It appears something is missing that would forward the traffic after redirection.
Below is the current config.
CSC# show run
Generating configuration....
access-list everyone line 1 extended permit ip any any
access-list everyone line 2 extended permit icmp any any
rserver host QA-1.1
ip address 10.37.5.111
inservice
rserver host QA-1.2
ip address 10.37.5.88
inservice
rserver redirect QA-group_1_redirect_rserver
webhost-redirection https://10.37.5.93/ 302
inservice
serverfarm host SF_QA-group_1_HTTPS
failaction reassign
predictor leastconns
rserver QA-1.1 443
inservice
rserver QA-1.2 443
inservice
serverfarm redirect SF_QA-group_1_REDIRECT
rserver QA-group_1_redirect_rserver
inservice
class-map match-all QA-group_1_HTTP
3 match virtual-address 10.37.5.93 tcp eq www
class-map match-all QA-group_1_HTTPS
3 match virtual-address 10.37.5.93 tcp eq https
policy-map type loadbalance first-match QA-group_1_REDIRECT
class class-default
serverfarm SF_QA-group_1_REDIRECT
policy-map type loadbalance first-match QA_GROUP1_HTPPS
class class-default
serverfarm SF_QA-group_1_HTTPS
policy-map multi-match SERVICE_VIPS
class QA-group_1_HTTP
loadbalance vip inservice
loadbalance policy QA-group_1_REDIRECT
loadbalance vip icmp-reply
class QA-group_1_HTTPS
loadbalance vip inservice
loadbalance policy QA_GROUP1_HTPPS
loadbalance vip icmp-reply
interface vlan 25
ip address 10.37.5.72 255.255.255.0
access-group input everyone
service-policy input SERVICE_VIPS
no shutdown
ip route 0.0.0.0 0.0.0.0 10.37.5.1
CSC#
03-05-2014 07:40 AM
Hi John,
This configuration looks fine. What is the default gateway of servers here? If the default GW of servers is not ACE then you might need NAT or route. Do you see any traffic coming from ACE to the server? If you take client capture do you see SSL handshake happening?
What do you see in show conn address
Filter with client IP to see what happens.
Regards,
Kanwal
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide