02-19-2014 07:40 PM
Hello,
I have been tasked with ACE configuration at work as the prior go-to guy for load balancing is no longer available. Trouble is, I have little idea what I'm doing when it comes to the ACE. So, forgive me if the question I have is super basic. After doing some research I put together a LB config, but it's not working.
I was trying to load balance 10 servers, split into groups of 2 using 5 VIPS (1 VIP for each group of 2 servers). The servers serve an ssl web app.
Below is my configuration. What am I doing wrong? Does the config have any glaring errors? I've been staring at this thing on and off for a week and searching these forums trying to figure it out.
Any help provided will be greatly appreciated.
probe tcp probe_443
port 443
interval 30
passdetect interval 5
probe https probe_https_test
interval 30
passdetect interval 5
ssl version all
request method get url /test.html
expect status 200 200
rserver host QA-1.1
ip address 10.200.162.126
inservice
rserver host QA-1.2
ip address 10.200.162.127
inservice
rserver redirect QA-group_1_redirect_rserver
webhost-redirection https://10.37.5.73/ 302
inservice
rserver host QA-2.1
ip address 10.200.162.22
inservice
rserver host QA-2.2
ip address 10.200.162.240
inservice
rserver redirect QA-group_2_redirect_rserver
webhost-redirection https://10.37.5.74/ 302
inservice
rserver host QA-3.1
ip address 10.200.162.181
inservice
rserver host QA-3.2
ip address 10.200.162.50
inservice
rserver redirect QA-group_3_redirect_rserver
webhost-redirection https://10.37.5.75/ 302
inservice
rserver host QA-4.1
ip address 10.200.162.23
inservice
rserver host QA-4.2
ip address 10.200.162.241
inservice
rserver redirect QA-group_4_redirect_rserver
webhost-redirection https://10.37.5.76/ 302
inservice
rserver host QA-5.1
ip address 10.200.162.182
inservice
rserver host QA-5.2
ip address 10.200.162.51
inservice
rserver redirect QA-group_5_redirect_rserver
webhost-redirection https://10.37.5.77/ 302
inservice
serverfarm host SF_QA-group_1_HTTPS
failaction reassign
predictor leastconns
probe probe_443
probe probe_https_test
rserver QA-1.1 443
inservice
rserver QA-1. 2 443
inservice
serverfarm host SF_QA-group_2_HTTPS
failaction reassign
predictor leastconns
probe probe_443
probe probe_https_test
rserver QA-2.1 443
inservice
rserver QA-2. 2 443
inservice
serverfarm host SF_QA-group_3_HTTPS
failaction reassign
predictor leastconns
probe probe_443
probe probe_https_test
rserver QA-3.1 443
inservice
rserver QA-3. 2 443
inservice
serverfarm host SF_QA-group_4_HTTPS
failaction reassign
predictor leastconns
probe probe_443
probe probe_https_test
rserver QA-4.1 443
inservice
rserver QA-4. 2 443
inservice
serverfarm host SF_QA-group_5_HTTPS
failaction reassign
predictor leastconns
probe probe_443
probe probe_https_test
rserver QA-5.1 443
inservice
rserver QA-5. 2 443
inservice
serverfarm redirect SF_ QA-group_1_REDIRECT
rserver QA-group_1_redirect_rserver
inservice
serverfarm redirect SF_ QA-group_2_REDIRECT
rserver QA-group_2_redirect_rserver
inservice
serverfarm redirect SF_ QA-group_3_REDIRECT
rserver QA-group_3_redirect_rserver
inservice
serverfarm redirect SF_ QA-group_4_REDIRECT
rserver QA-group_4_redirect_rserver
inservice
serverfarm redirect SF_ QA-group_5_REDIRECT
rserver QA-group_5_redirect_rserver
inservice
sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_1_STICKY
serverfarm SF_ QA-group_1_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_2_STICKY
serverfarm SF_ QA-group_2_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_3_STICKY
serverfarm SF_ QA-group_3_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_4_STICKY
serverfarm SF_ QA-group_4_HTTPS
timeout 30
replicate sticky
sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_5_STICKY
serverfarm SF_ QA-group_5_HTTPS
timeout 30
replicate sticky
class-map match-all QA-group_1_HTTP
3 match virtual-address 10.37.5.73 tcp eq www
class-map match-all QA-group_1_HTTPS
3 match virtual-address 10.37.5.73 tcp eq https
class-map match-all QA-group_2_HTTP
3 match virtual-address 10.37.5.74 tcp eq www
class-map match-all QA-group_2_HTTPS
3 match virtual-address 10.37.5.74 tcp eq https
class-map match-all QA-group_3_HTTP
3 match virtual-address 10.37.5.75 tcp eq www
class-map match-all QA-group_3_HTTPS
3 match virtual-address 10.37.5.75 tcp eq https
class-map match-all QA-group_4_HTTP
3 match virtual-address 10.37.5.76 tcp eq www
class-map match-all QA-group_4_HTTPS
3 match virtual-address 10.37.5.76 tcp eq https
class-map match-all QA-group_5_HTTPS
3 match virtual-address 10.37.5.77 tcp eq www
class-map match-all QA-group_5_HTTPS
3 match virtual-address 10.37.5.77 tcp eq https
class-map type management match-any remote-management
2 match protocol http any
3 match protocol https any
4 match protocol icmp any
5 match protocol snmp any
6 match protocol ssh any
policy-map type management first-match remote-access
class remote-management
permit
policy-map type loadbalance first-match QA-group_1_REDIRECT
class class-default
serverfarm SF_ QA-group_1_REDIRECT
policy-map type loadbalance first-match QA-group_2_REDIRECT
class class-default
serverfarm SF_ QA-group_2_REDIRECT
policy-map type loadbalance first-match QA-group_3_REDIRECT
class class-default
serverfarm SF_ QA-group_3_REDIRECT
policy-map type loadbalance first-match QA-group_4_REDIRECT
class class-default
serverfarm SF_ QA-group_4_REDIRECT
policy-map type loadbalance first-match QA-group_5_REDIRECT
class class-default
serverfarm SF_ QA-group_5_REDIRECT
policy-map multi-match SERVICE_VIPS
class QA-group_1_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS_ QA-group_1_HTTPS _L7_BALANCED
loadbalance vip icmp-reply
nat dynamic 1 vlan 25
class QA-group_1_HTTP
loadbalance vip inservice
loadbalance policy QA-group_1_REDIRECT
class QA-group_2_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS_ QA-group_2_HTTPS _L7_BALANCED
loadbalance vip icmp-reply
nat dynamic 1 vlan 25
class QA-group_2_HTTP
loadbalance vip inservice
loadbalance policy QA-group_2_REDIRECT
class QA-group_3_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS_ QA-group_3_HTTPS _L7_BALANCED
loadbalance vip icmp-reply
nat dynamic 1 vlan 25
class QA-group_3_HTTP
loadbalance vip inservice
loadbalance policy QA-group_3_REDIRECT
class QA-group_4_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS_ QA-group_4_HTTPS _L7_BALANCED
loadbalance vip icmp-reply
nat dynamic 1 vlan 25
class QA-group_4_HTTP
loadbalance vip inservice
loadbalance policy QA-group_4_REDIRECT
class QA-group_5_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS_ QA-group_4_HTTPS _L7_BALANCED
loadbalance vip icmp-reply
nat dynamic 1 vlan 25
class QA-group_5_HTTP
loadbalance vip inservice
loadbalance policy QA-group_4_REDIRECT
interface vlan 25
ip address 10.37.5.72 255.255.255.0
access-group input everyone
service-policy input remote-access
service-policy input SERVICE_VIPS
no shutdown
ip route 0.0.0.0 0.0.0.0 10.37.5.1
03-05-2014 08:13 AM
Fnu,
The default gateway of the servers is not the ACE. The ACE shares the same default gateway as the servers.
Below is the output from show conn address:
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
623415 2 in TCP 25 172.20.45.194:62665 10.37.5.93:443 SYNSEEN
1526026 2 out TCP 25 10.37.5.111:443 172.20.45.194:62665 INIT
1899590 3 in TCP 25 172.20.45.194:62664 10.37.5.93:443 SYNSEEN
1117936 3 out TCP 25 10.37.5.111:443 172.20.45.194:62664 INIT
340226 4 in TCP 25 172.20.45.194:62666 10.37.5.93:443 SYNSEEN
1785542 4 out TCP 25 10.37.5.111:443 172.20.45.194:62666 INIT
03-05-2014 08:18 AM
Hi John,
So that's a problem then. Return traffic from the server should also pass through the ACE. The ACE is not seeing the return traffic. This is asymmetric routing. You will either have to do src nat or change the default gateway of the servers to the ACE. Try changing it for one serverfarm (two servers in a serverfarm) and test again. If that works you know this is the issue, or you can add a route on the server as well.
Regards,
Kanwal
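The diagnosis above (inbound legs stuck in SYNSEEN, outbound legs never leaving INIT) can be checked mechanically. The following Python script is an added example, not part of the thread and not Cisco tooling: it parses the whitespace-collapsed `show conn` rows as pasted, joins the inbound and outbound legs of each client flow by client ip:port, and flags flows where the ACE forwarded the SYN to the real server but never saw the SYN/ACK come back through it. The six rows are the ones posted above; the two ESTAB rows for a healthy flow are constructed so the contrast is visible.

```python
"""Spot asymmetric-routing symptoms in ACE 'show conn' output.

Added example, not from the thread and not Cisco tooling. It parses the
copy/pasted connection table (whitespace-collapsed, as above), joins each
client flow's inbound and outbound legs, and flags flows whose inbound leg
is stuck in SYNSEEN while the outbound leg never leaves INIT: the ACE sent
the SYN to the real server, but the server's SYN/ACK went to the server's
own gateway instead of back through the ACE.
"""
import re
from collections import defaultdict

# Constructed sample: the six rows posted in the thread plus two rows for a
# healthy flow (both legs ESTAB) so the contrast is visible.
SAMPLE_CONN = """\
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
623415 2 in TCP 25 172.20.45.194:62665 10.37.5.93:443 SYNSEEN
1526026 2 out TCP 25 10.37.5.111:443 172.20.45.194:62665 INIT
1899590 3 in TCP 25 172.20.45.194:62664 10.37.5.93:443 SYNSEEN
1117936 3 out TCP 25 10.37.5.111:443 172.20.45.194:62664 INIT
340226 4 in TCP 25 172.20.45.194:62666 10.37.5.93:443 SYNSEEN
1785542 4 out TCP 25 10.37.5.111:443 172.20.45.194:62666 INIT
900001 1 in TCP 25 172.20.45.50:51000 10.37.5.93:443 ESTAB
900002 1 out TCP 25 10.37.5.112:443 172.20.45.50:51000 ESTAB
"""

# Column order: conn-id np dir proto vlan source destination state
ROW = re.compile(
    r"^(\d+)\s+(\d+)\s+(in|out)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_conn(text):
    """Turn 'show conn' rows into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        conn_id, np, direction, proto, vlan, src, dst, state = m.groups()
        rows.append({"id": conn_id, "np": np, "dir": direction, "proto": proto,
                     "vlan": vlan, "src": src, "dst": dst, "state": state})
    return rows


def pair_legs(rows):
    """Group the 'in' and 'out' legs of each flow by the client ip:port.

    On the inbound leg (client to VIP) the client is the source; on the
    outbound leg (ACE to real server) the client is the destination, so
    keying on the client endpoint joins the two legs of one flow.
    """
    flows = defaultdict(dict)
    for r in rows:
        client = r["src"] if r["dir"] == "in" else r["dst"]
        flows[client][r["dir"]] = r
    return flows


def find_asymmetric(rows):
    """Return flows whose handshake never completes on the ACE."""
    suspects = []
    for client, legs in pair_legs(rows).items():
        inbound, outbound = legs.get("in"), legs.get("out")
        if (inbound and outbound
                and inbound["state"] == "SYNSEEN" and outbound["state"] == "INIT"):
            suspects.append({"client": client, "vip": inbound["dst"],
                             "rserver": outbound["src"]})
    return suspects


def diagnose(text):
    """Return (half-open flows, total flows, real servers whose replies bypass the ACE)."""
    rows = parse_conn(text)
    suspects = find_asymmetric(rows)
    return len(suspects), len(pair_legs(rows)), sorted({s["rserver"] for s in suspects})


if __name__ == "__main__":
    half_open, total, servers = diagnose(SAMPLE_CONN)
    # Every half-open flow landing on the same real server points at the
    # return path, not the server itself: fix with source NAT on the VIP or
    # by making the ACE the server's default gateway.
    print(f"{half_open}/{total} flows half-open; servers not replying via ACE: {servers}")
```

When every half-open flow names the same real server and established flows exist on others, the server, not the VIP, is the one whose return path bypasses the ACE, which is exactly the per-serverfarm test suggested above.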
03-05-2014 09:30 AM
I added source nat and the redirection is working now. However, I have made an error in the configuration which is preventing one of the server farms from being used. I tried to delete the config line in question, but the ACE said it was in use. Is there a way to free it, so I can delete it and re-enter it with the correct info?
I tried "no class-map match-all QA-group_4_HTTPS"
Error: class-map 'QA-group_4_HTTPS' is in use. Deletion not allowed
class-map match-all QA-group_4_HTTP
3 match virtual-address 10.37.5.96 tcp eq www
class-map match-all QA-group_4_HTTPS
3 match virtual-address 10.37.5.76 tcp eq https
03-05-2014 09:48 AM
Hi John,
Remove the class map from policy map and then remove it. That should do the trick.
Regards,
Kanwal
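The "in use" error above is a dependency-order problem: a class-map cannot be deleted while a policy-map still references it, so the reference has to go first. The following Python script is an added example, not part of the thread and not Cisco tooling. It walks an ACE-style config that was pasted with its indentation lost (as in this thread), records every definition and every cross-reference, and reports references to objects that are never defined, names entered twice (on the device, re-entering a name edits the existing block, so a pasted duplicate usually means the later block overwrote the earlier one), and which blocks hold a given object. The excerpt is constructed and modelled on the first post's config; it also carries `nat dynamic 1 vlan 25` with no `nat-pool 1` under `interface vlan 25`, which is the pattern in the first post, where the `nat dynamic` line asks for a pool the posted `interface vlan 25` never defines.

```python
"""Reference check for an ACE-style load-balancer configuration.

Added example, not from the thread and not Cisco tooling. It walks a pasted
config (indentation lost, as above), records every object definition and
every reference between objects, and reports: references to objects that
are never defined, names defined twice, and which blocks hold a given object
(the 'in use' dependency that makes 'no class-map ...' fail).
"""
from collections import defaultdict

# Constructed excerpt modelled on the first post: one HTTPS serverfarm, a
# class-map name entered twice, a 'loadbalance policy' naming a policy-map
# that does not exist, and 'nat dynamic 1' with no 'nat-pool 1' on the VLAN.
SAMPLE_CONFIG = """\
probe tcp probe_443
probe https probe_https_test
rserver host QA-1.1
ip address 10.200.162.126
rserver host QA-1.2
ip address 10.200.162.127
serverfarm host SF_QA-group_1_HTTPS
probe probe_443
probe probe_https_test
rserver QA-1.1 443
inservice
rserver QA-1.2 443
inservice
sticky ip-netmask 255.255.255.255 address source SRC_QA-group_1_STICKY
serverfarm SF_QA-group_1_HTTPS
class-map match-all QA-group_1_HTTPS
3 match virtual-address 10.37.5.73 tcp eq https
class-map match-all QA-group_5_HTTPS
3 match virtual-address 10.37.5.77 tcp eq www
class-map match-all QA-group_5_HTTPS
3 match virtual-address 10.37.5.77 tcp eq https
policy-map type loadbalance first-match QA-group_1_L7
class class-default
sticky-serverfarm SRC_QA-group_1_STICKY
policy-map multi-match SERVICE_VIPS
class QA-group_1_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS_QA-group_1_L7_BALANCED
nat dynamic 1 vlan 25
class QA-group_5_HTTPS
loadbalance policy QA-group_1_L7
interface vlan 25
ip address 10.37.5.72 255.255.255.0
service-policy input SERVICE_VIPS
"""

# Second token that marks a top-level definition rather than a reference
# (e.g. 'rserver host X' defines X; 'rserver X 443' inside a serverfarm uses it).
OBJECT_TYPES = {"host", "redirect", "tcp", "https", "http", "icmp"}


def analyse(text):
    """Return (defs, refs): defs maps (kind, name) -> [line numbers];
    refs is a list of (kind, name, enclosing block, line number)."""
    defs, refs, ctx = defaultdict(list), [], None
    for ln, raw in enumerate(text.splitlines(), 1):
        t = raw.split()
        if len(t) < 2:
            continue  # 'inservice', blank lines and the like
        head, in_block = t[0], (ctx[0] if ctx else None)
        if head in ("probe", "rserver", "serverfarm") and len(t) >= 3 and t[1] in OBJECT_TYPES:
            ctx = (head, t[2]); defs[ctx].append(ln)
        elif head in ("sticky", "class-map", "policy-map"):
            ctx = (head, t[-1]); defs[ctx].append(ln)   # name is the last token
        elif head == "interface":
            ctx = ("interface", " ".join(t[1:]))
        elif head == "nat-pool" and in_block == "interface":
            defs[("nat-pool", t[1] + "@" + ctx[1].split()[-1])].append(ln)  # pool id @ vlan
        elif head in ("probe", "rserver") and in_block == "serverfarm":
            refs.append((head, t[1], ctx, ln))
        elif head == "serverfarm" and in_block in ("sticky", "policy-map"):
            refs.append(("serverfarm", t[1], ctx, ln))
        elif head == "sticky-serverfarm":
            refs.append(("sticky", t[1], ctx, ln))
        elif head == "class" and t[1] != "class-default":
            refs.append(("class-map", t[1], ctx, ln))
        elif head == "loadbalance" and len(t) >= 3 and t[1] == "policy":
            refs.append(("policy-map", t[2], ctx, ln))
        elif head == "service-policy":
            refs.append(("policy-map", t[-1], ctx, ln))
        elif head == "nat" and len(t) >= 5 and t[1] == "dynamic":
            refs.append(("nat-pool", t[2] + "@" + t[4], ctx, ln))   # 'nat dynamic 1 vlan 25'
    return defs, refs


def undefined_references(defs, refs):
    """References whose target object never appears as a definition."""
    return [r for r in refs if (r[0], r[1]) not in defs]


def duplicate_definitions(defs):
    """Names entered more than once; the later block overwrote the earlier one."""
    return {k: v for k, v in defs.items() if len(v) > 1}


def users_of(refs, kind, name):
    """Blocks referencing the object; each must drop the reference before
    'no <kind> <name>' is accepted by the device."""
    return sorted({ctx for k, n, ctx, _ in refs if k == kind and n == name})


if __name__ == "__main__":
    defs, refs = analyse(SAMPLE_CONFIG)
    for kind, name, ctx, ln in undefined_references(defs, refs):
        print(f"line {ln}: {kind} '{name}' used in {ctx[0]} {ctx[1]} but never defined")
    for (kind, name), lines in duplicate_definitions(defs).items():
        print(f"{kind} '{name}' entered on lines {lines}")
    print("QA-group_5_HTTPS is held by:", users_of(refs, "class-map", "QA-group_5_HTTPS"))
```

Running it on the excerpt lists the policy-map `SERVICE_VIPS` as the holder of `QA-group_5_HTTPS`, which is the block the `class` line has to be removed from before the class-map itself can be deleted and re-entered.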
03-07-2014 11:26 AM
Hi Fnu,
I've been following this post to figure out the problem with my configuration. I have a VIP redirecting to 2 real servers, 172.x.x.114 and 115 respectively. The URL to be accessed is http://ofrv.a.b/portal/page. This has to be redirected to the 2 servers on ofr1.a.b and ofr2.a.b on port 8090. This is where I have a problem. I'm a newbie to ACE, so I'm lost with the configuration. The current configuration was configured by someone else, and since the guy is on vacation I'm having to fix this port redirection. Oracle support said it needs a NAT bounce-back rule on the Cisco LBR. Is this the same as the one in this post? I'm not exactly sure how this is to be done. Kindly help me figure out the problem with the configuration.
Generating configuration....
resource-class COM
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A3_2_0.bin
hostname ACE
interface gigabitEthernet 1/1
no shutdown
interface gigabitEthernet 1/2
description Server-Side
switchport access vlan 2
no shutdown
interface gigabitEthernet 1/3
qos trust cos
no shutdown
interface gigabitEthernet 1/4
shutdown
context Admin
member COM
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
probe icmp ICMP_PROBE1
description *** Probe for icmp health monitoring ***
interval 5
faildetect 2
passdetect interval 10
passdetect count 2
probe http OFR-HTTP3
interval 15
passdetect interval 60
request method get url http://ofr1.a.b:8090
expect status 200 201
open 1
probe http OFR-HTTP4
interval 15
passdetect interval 60
request method get url http://ofr2.a.b:8090
expect status 200 201
open 1
optimize
appscope-log
debug-level 5
rserver redirect OFR-Server-redirect
webhost-redirection http://ofrv.a.b/portal/page 302
inservice
rserver host OFR1-Server
description Form& Reports Server
ip address 172.x.x.114
inservice
rserver host OFR2-Server
description Form& Reports Server
ip address 172.x.x.115
inservice
serverfarm redirect OFR-Server_REDIRECT
rserver OFR-Server-redirect
inservice
serverfarm host Reports-SF2
description Forms&Reports Services Farm
rserver OFR1-Server 7001
probe ICMP_PROBE1
inservice
rserver OFR2-Server 7001
probe ICMP_PROBE1
inservice
serverfarm host Reports-SF2-3
rserver OFR1-Server 9002
probe ICMP_PROBE1
inservice
rserver OFR2-Server 9002
probe ICMP_PROBE1
inservice
serverfarm host Reports-SF2-4
rserver OFR1-Server 9003
probe ICMP_PROBE1
inservice
rserver OFR2-Server 9003
probe ICMP_PROBE1
inservice
serverfarm host Reports-SF2-5
probe OFR-HTTP3
probe OFR-HTTP4
rserver OFR1-Server 8090
probe ICMP_PROBE1
inservice
rserver OFR2-Server 8090
probe ICMP_PROBE1
inservice
serverfarm host Reports-SF2-two
rserver OFR1-Server 7002
probe ICMP_PROBE1
inservice
rserver OFR2-Server 7002
probe ICMP_PROBE1
inservice
sticky http-cookie Reports HTTP-Cookie-Sticky
cookie insert browser-expire
timeout 720
timeout activeconns
serverfarm Reports-SF2
sticky http-cookie Reports HTTP-Cookie-Foram-two
cookie insert browser-expire
timeout 720
timeout activeconns
serverfarm Reports-SF2-two
sticky http-cookie Portal HTTP-Cookie-Portal
cookie insert browser-expire
timeout 720
timeout activeconns
serverfarm Portal-SF1
sticky http-cookie Portal HTTP-Cookie-Portal-two
cookie insert browser-expire
timeout 720
timeout activeconns
serverfarm Portal-SF1-two
sticky http-cookie Reports HTTP-Cookie-SF2-3
cookie insert browser-expire
timeout 720
timeout activeconns
serverfarm Reports-SF2-3
sticky http-cookie Reports HTTP-Cookie-SF2-4
cookie insert browser-expire
timeout 720
timeout activeconns
serverfarm Reports-SF2-4
sticky http-cookie INFR HTTP-Cooki-SF1
cookie insert browser-expire
timeout 720
timeout activeconns
serverfarm INFR-SF1
sticky http-cookie INFR HTTP-Cooki-SF2
cookie insert browser-expire
timeout 720
timeout activeconns
serverfarm INFR-SF2
sticky http-cookie INFR HTTP-Cooki-SF3
cookie insert browser-expire
timeout 720
timeout activeconns
serverfarm INFR-SF3
sticky http-cookie INFR HTTP-Cooki-SF4
cookie insert browser-expire
timeout 720
timeout activeconns
serverfarm INFR-SF4
sticky http-cookie Reports HTTP-Cookie-SF2-5
cookie insert browser-expire
timeout 720
timeout activeconns
serverfarm Reports-SF2-5
class-map match-any OFR-VIP
4 match virtual-address 172.x.x.140 any
class-map match-any OFR-VIP-3
2 match virtual-address 172.x.x.140 tcp eq 9002
class-map match-any OFR-VIP-4
2 match virtual-address 172.x.x.140 tcp eq 9003
class-map match-any OFR-VIP-5
2 match virtual-address 172.x.x.140 tcp eq 8090
3 match virtual-address 172.x.x.140 tcp eq www
4 match virtual-address 172.x.x.140 tcp eq https
class-map match-any OFR-VIP-two
2 match virtual-address 172.x.x.140 tcp eq 7002
class-map type management match-any remote_access
201 match protocol xml-https any
202 match protocol icmp any
203 match protocol telnet any
204 match protocol ssh any
205 match protocol http any
206 match protocol https any
207 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match OFR-Server_REDIRECT
class class-default
serverfarm OFR-Server_REDIRECT
policy-map type loadbalance first-match OFR-VIP-l7
class class-default
sticky-serverfarm HTTP-Cookie-SF2-3
policy-map type loadbalance first-match OFR-VIP-l7slb
class class-default
sticky-serverfarm HTTP-Cookie-Sticky
policy-map type loadbalance first-match OFR-VIP-l7slb-3
class class-default
sticky-serverfarm HTTP-Cookie-SF2-3
policy-map type loadbalance first-match OFR-VIP-l7slb-4
class class-default
sticky-serverfarm HTTP-Cookie-SF2-4
policy-map type loadbalance first-match OFR-VIP-l7slb-5
class class-default
sticky-serverfarm HTTP-Cookie-SF2-5
policy-map type loadbalance first-match OFR-VIP-l7slb-two
class class-default
sticky-serverfarm HTTP-Cookie-Foram-two
policy-map multi-match int2
class OFR-VIP
loadbalance vip inservice
loadbalance policy OFR-VIP-l7slb
loadbalance vip icmp-reply
nat dynamic 1 vlan 2
class OFR-VIP-two
loadbalance vip inservice
loadbalance policy OFR-VIP-l7slb-two
loadbalance vip icmp-reply
nat dynamic 1 vlan 2
class OFR-VIP-3
loadbalance vip inservice
loadbalance policy OFR-VIP-l7slb-3
loadbalance vip icmp-reply
nat dynamic 1 vlan 2
class OFR-VIP-4
loadbalance vip inservice
loadbalance policy OFR-VIP-l7slb-4
loadbalance vip icmp-reply
nat dynamic 1 vlan 2
class OFR-VIP-5
loadbalance vip inservice
loadbalance policy OFR-Server_REDIRECT
loadbalance vip icmp-reply
nat dynamic 1 vlan 2
interface vlan 2
description MGT-Interface
ip address 172.x.x.142 255.255.0.0
access-group input ALL
nat-pool 1 172.x.x.143 172.x.x.143 netmask 255.255.255.255 pat
service-policy input remote_mgmt_allow_policy
service-policy input int2
no shutdown
ip route 0.0.0.0 0.0.0.0 172.x.x.1
Any help would be greatly appreciated.
Thanks and regards
Sbegum