12-07-2013 02:15 AM
Dear Experts,
I'm a newbie to Cisco ACE 4710 and am still in the learning stage. Meanwhile, I got the chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two application servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
This guide is totally fine for my required deployment model. I have the same deployment environment as this guide describes, with an ACE cluster that connects to two Cisco 3750X (stack) switches. But I find some places in this guide confusing.
This guide follows "one-armed mode" as the deployment method. But when I went through it further I noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it) and the client-side VIP is also in the same VLAN, which is 10.4.49.100/24 (even the NAT pool also).
My confusion is that, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments: one for the client side, where client requests come and hit the VIP, and a second one for the server side, which means basically two VLANs. So please be kind enough to go through the above document and tell me what is wrong and what I should do for the best. Please, this is urgent, so I need your help quickly.
Thanks....!
-Amal-
12-18-2013 08:39 PM
Dear Kanwal,
I know that if I can find the solution for my first concern above, it will automatically solve my second concern too. So please help me out with this.
Thanks....!
-Amal-
12-19-2013 05:17 AM
Hi Amal,
With "no preempt" once ACE comes back up it should not take the control back from ACTIVE. If it is then this is ACE misbehaving. Ensure that FT vlan is used dedicatedly for only FT communication. I would also suggest to open a TAC case for further investigation since preempt is configured and still it is taking the control back.
Regards,
Kanwal
12-30-2013 06:46 AM
Dear Kanwal,
I need quick help from you. Following are the application LB requirements which I received from my client side.
Following detail required for configuring Oracle EBS Apps tier on HA:
Following detail will be use for configuring the LBR:
Since my client needs to access the URL ebiz.xxxx.lk, which should be resolved by IP 172.25.45.21 (virtual IP) via HTTP (80), before they deployed the app on the two servers I just ran a web service on both servers (Linux) and tried to access http://172.25.45.21; it was working fine and gave me the index.html page. Now, after my client has deployed the application, when he tries to access the page http://172.25.45.21 he cannot see his main login page. My testing web servers are still there on both servers, so when I type http://172.25.45.21 I get the index.html page, but not my client's web login page. What can I do for this?
Following are my latest config :
probe http Get-Method
  description Check to url access /OA_HTML/OAInfo.jsp
  interval 10
  faildetect 2
  passdetect interval 30
  request method get url /OA_HTML/OAInfo.jsp
  expect status 200 200
probe udp http-8000-iRDMI
  description IRDMI (HTTP - 8000)
  port 8000
probe http http-probe
  description HTTP Probes
  interval 10
  faildetect 2
  passdetect interval 30
  passdetect count 2
  request method get url /index.html
  expect status 200 200
probe https https-probe
  description HTTPS traffic
  interval 10
  faildetect 2
  passdetect interval 30
  passdetect count 2
  ssl version all
  request method get url /index.html
probe icmp icmp-probe
  description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
  description ebsapp1.xxxx.lk
  ip address 172.25.45.19
  conn-limit max 4000000 min 4000000
  probe icmp-probe
  probe http-probe
  inservice
rserver host ebsapp2
  description ebsapp2.xxxx.lk
  ip address 172.25.45.20
  conn-limit max 4000000 min 4000000
  probe icmp-probe
  probe http-probe
  inservice
serverfarm host ebsppsvrfarm
  description ebsapp server farm
  failaction purge
  predictor response app-req-to-resp samples 4
  probe http-probe
  probe icmp-probe
  inband-health check log 5 reset 500
  retcode 404 404 check log 1 reset 3
  rserver ebsapp1 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
  rserver ebsapp2 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
sticky http-cookie jsessionid HTTP-COOKIE
  cookie insert browser-expire
  replicate sticky
  serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
  description DM generated classmap for default LB compression exclusion mime types.
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
  15 match http url .*jpg
  16 match http url .*jpeg
  17 match http url .*jpe
  18 match http url .*png
class-map match-all ebsapp-vip
  2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
  class default-compression-exclusion-mime-type
    serverfarm ebsppsvrfarm
  class class-default
    compress default-method deflate
    sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
  class ebsapp-vip
    loadbalance vip inservice
    loadbalance policy ebsapp-vip-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 455
interface vlan 455
  ip address 172.25.45.36 255.255.255.0
  peer ip address 172.25.45.35 255.255.255.0
  access-group input ALL
  nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
  service-policy input remote_mgmt_allow_policy
  service-policy input int455
  no shutdown
ft interface vlan 999
  ip address 10.1.1.1 255.255.255.0
  peer ip address 10.1.1.2 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 999
ft group 1
  peer 1
  no preempt
  priority 110
  associate-context Admin
  inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply to me soon.
Thanks....!
-Amal-
12-30-2013 07:07 AM
Hi Amal,
You have mentioned port 8000 for servers which your customer needs to access but you have mentioned port 80 under serverfarm for rservers. You should change it to 8000 if servers are listening on port 80. Your servers are working because they must be listening on port 80.
serverfarm host ebsppsvrfarm
  description ebsapp server farm
  failaction purge
  predictor response app-req-to-resp samples 4
  probe http-probe
  probe icmp-probe
  inband-health check log 5 reset 500
  retcode 404 404 check log 1 reset 3
  rserver ebsapp1 80 ------------> 80 should be replaced with 8000
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
  rserver ebsapp2 80 ------------> 80 should be replaced with 8000
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
According to the below information the rservers seem to be listening on port 8000 and not 80 which you have configured.
Regards,
Kanwal
12-30-2013 07:09 AM
Hi Amal,
In the above I wanted to say "you should change the port to 8000 under serverfarm for rservers if servers are listening on port 8000". By mistake I have mentioned 80 :)
Regards,
Kanwal
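A small configuration check for the port mismatch discussed in this thread, as an added example that is not part of any poster's reply: it scans an ACE configuration for serverfarm members whose port differs from the port the application listens on and, going slightly beyond the thread, lists probes that are defined but never attached. The `audit` function and the trimmed `ACE_CONFIG` excerpt are constructed for illustration.

```python
# Added example: audit an ACE config for the serverfarm port mismatch in this thread.
# ACE_CONFIG is a constructed, trimmed excerpt of the posted configuration.
ACE_CONFIG = """\
probe http Get-Method
  request method get url /OA_HTML/OAInfo.jsp
probe udp http-8000-iRDMI
  port 8000
probe http http-probe
  request method get url /index.html
probe https https-probe
  request method get url /index.html
probe icmp icmp-probe
rserver host ebsapp1
  ip address 172.25.45.19
  probe icmp-probe
  probe http-probe
serverfarm host ebsppsvrfarm
  probe http-probe
  probe icmp-probe
  rserver ebsapp1 80
    probe icmp-probe
  rserver ebsapp2 80
    probe icmp-probe
"""


def audit(config, app_port):
    """Return (farm members not on app_port, probes defined but never attached)."""
    defined, attached, wrong_port = [], set(), []
    farm = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "serverfarm" and len(words) == 3:
            farm = words[2]                      # "serverfarm host <name>"
        elif words[0] == "probe" and len(words) == 3:
            defined.append(words[2])             # "probe <type> <name>" defines a probe
        elif words[0] == "probe" and len(words) == 2:
            attached.add(words[1])               # "probe <name>" attaches one
        elif words[0] == "rserver" and len(words) == 3 and words[2].isdigit():
            if int(words[2]) != app_port:        # "rserver <name> <port>" in a farm
                wrong_port.append((farm, words[1], int(words[2])))
    return wrong_port, [p for p in defined if p not in attached]


if __name__ == "__main__":
    print(audit(ACE_CONFIG, app_port=8000))
```

The check keys on the number of words per line rather than on indentation, so it also works on a configuration pasted with its indentation lost.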
12-30-2013 08:02 AM
Dear Kanwal,
Seems like it's working for me, but still I wasn't able to get their login page, but I was able to receive the following attached page. What else do I have to do for this?
Thanks...!
-Amal-
12-30-2013 08:05 AM
Hi Amal,
If you click on that link, does it redirect you to the login page? Maybe the server sends a redirect and the client should come with a new URL and then land on the login page. Not sure how the application works. What is the URL you use to access the server directly?
Regards,
Kanwal
12-30-2013 08:39 AM
Dear Kanwal,
When I clicked it, it didn't redirect anywhere. My client gave me (http://ebiz.xxxx.lk) as the direct URL to access the app login page.
Thanks...!
-Amal-
12-30-2013 09:07 AM
Hi Amal,
Are you able to access the server directly with that URL, and does the page open? Can they provide you a pcap of a working session when the client accesses the server directly? Do you see that your request is going to the correct serverfarm? Can you check in the "show conn" output?
Regards,
Kanwal