
NEED HELP WITH ACE LOAD BALANCING POLICY PLEASE

raul saurez
Level 1

Hello,

 

I need to create a policy that allows incoming connections between two servers I have configured for PLM. From what I noticed there is a jsession ID sticky predictor. Where do I configure the VIP? The policy process is confusing and I don't know where to begin. Here are my two server configs. Can anyone help?

rserver host JAG-PLM9APP-02

  ip address 172.28.9.81

  inservice

rserver host JAG-PLM9WEB-02

  ip address 172.28.9.87

  inservice

 

 

serverfarm host PLM9-WEB-SF

  rserver JAG-PLM9APP-02

    inservice

  rserver JAG-PLM9WEB-02

    inservice

 


The VIP is now out of service, as well as the serverfarm. How do I bring it back up?

Hi,

If the servers in serverfarm are down, then VIP will show out of service. You should check why servers are down. I see you have probes configured, so you should do the following:

show serverfarm <serverfarm name> detail

and if servers show probe failed, you should do show probe <probe name> detail and see why it is failing. Also, try to change the probe from HTTP to ICMP and see if it passes. Once the servers are "Operational", the VIP will come inservice again.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

ICMP displays load balancing fully functional and pinging the VIP is no problem, but I can't access http://172.28.18.81/tc/webclient. What am I missing that I can't access it through HTTP?

Hi,

Are you able to access the servers directly with http://realip/tc/webclientxxx? ICMP traffic doesn't get loadbalanced to the servers. ACE replies to the packets as long as serverfarm is operational. If you have configured "loadbalance icmp-reply" without ACTIVE statement, then even with SF down, ACE will reply to ICMP requests.

Now, if the same URL works directly on the server, then we need to further TS the problem. When you send the request, take a pcap on the client and also take the output of "show conn address <address of the client>" and see if the ACE is forwarding the traffic to the server or not. A quick capture on the server should also be helpful, or even on the ACE itself, to see what exactly is going on. Also, please paste the relevant configuration that you have currently right now and I will have a look again.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

This is what the Probe details are showing. I will switch to ICMP now

 

bri-200n-ace1/PLM9-TEST# sho probe PLM9-HTTP-PROBE-7010 detail

 probe       : PLM9-HTTP-PROBE-7010
 type        : HTTP
 state       : ACTIVE
 description :
----------------------------------------------
   port      : 7010    address     : 0.0.0.0         addr type  : -
   interval  : 10      pass intvl  : 15              pass count : 2
   fail count: 2       recv timeout: 10
   http method      : GET
   http url         : /HealthMonitor/probe.jsp
   conn termination : GRACEFUL
   expect offset    : 0         , open timeout     : 1
   regex cache-len  : 0
   expect regex     : -
   send data        : -
                ------------------ probe results ------------------
   associations ip-address      port  porttype probes   failed   passed   health
   ------------ ---------------+-----+--------+--------+--------+--------+------
   real        : JAG-PLM9APP-02[0]
     serverfarm: PLM9-WEB-SF
                172.28.9.81     7010  PROBE    4729     4729     0        FAILED

   Socket state        : CLOSED
   No. Passed states   : 0         No. Failed states : 1
   No. Probes skipped  : 0         Last status code  : 0
   No. Out of Sockets  : 0         No. Internal error: 0
   Last disconnect err : Server open timeout  (no SYN ACK)
   Last probe time     : Fri Dec 12 10:15:35 2014
   Last fail time      : Thu Dec 11 14:34:00 2014
   Last active time    : Never

bri-200n-ace1/PLM9-TEST# sho probe PLM9-HTTP-PROBE-7011 detail

 probe       : PLM9-HTTP-PROBE-7011
 type        : HTTP
 state       : ACTIVE
 description :
----------------------------------------------
   port      : 7011    address     : 0.0.0.0         addr type  : -
   interval  : 10      pass intvl  : 15              pass count : 2
   fail count: 2       recv timeout: 10
   http method      : GET
   http url         : /HealthMonitor/probe.jsp
   conn termination : GRACEFUL
   expect offset    : 0         , open timeout     : 1
   regex cache-len  : 0
   expect regex     : -
   send data        : -
                ------------------ probe results ------------------
   associations ip-address      port  porttype probes   failed   passed   health
   ------------ ---------------+-----+--------+--------+--------+--------+------
   real        : JAG-PLM9WEB-02[0]
     serverfarm: PLM9-WEB-SF
                172.28.9.87     7011  PROBE    4732     4732     0        FAILED

   Socket state        : CLOSED
   No. Passed states   : 0         No. Failed states : 1
   No. Probes skipped  : 0         Last status code  : 0
   No. Out of Sockets  : 0         No. Internal error: 0
   Last disconnect err : Server open timeout  (no SYN ACK)
   Last probe time     : Fri Dec 12 10:16:35 2014
   Last fail time      : Thu Dec 11 14:34:15 2014
   Last active time    : Never

Here is the sho conn from my PC with probes and without probes.

 

bri-200n-ace1/PLM9-TEST# sho conn address 172.28.18.81 netmask 255.255.255.0

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
846433     1  in  TCP   18   172.28.18.124:52020   172.28.9.81:8802      SYNSEEN
585042     1  out TCP   18   172.28.9.81:8802      172.28.18.124:52020   INIT
803035     1  in  TCP   18   172.28.18.124:53454   172.28.9.87:8801      SYNSEEN
1055157    1  out TCP   18   172.28.9.87:8801      172.28.18.124:53454   INIT
1129526    1  in  TCP   18   172.28.18.124:18954   172.28.9.87:8803      SYNSEEN
1724705    1  out TCP   18   172.28.9.87:8803      172.28.18.124:18954   INIT

 

 

bri-200n-ace1/PLM9-TEST# sho conn address 172.28.1.64 netmask 255.255.255.0

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
1392620    1  in  TCP   18   172.28.1.64:55045     172.28.18.81:8801     SYNSEEN
1270689    1  out TCP   18   172.28.9.81:8801      172.28.1.64:55045     INIT

Hi,

This output clearly indicates that ACE has seen the SYN and has forwarded the SYN to the server but hasn't got the SYN-ACK back. I would strongly recommend checking whether the server replies to the URL directly or not.

You can have more details about the similar outputs here:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Troubleshooting_Connectivity

Regards,

Kanwal

Note: Please mark answers if they are helpful.
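Added example, not part of the thread: a Python sketch that applies the reading given in the reply above to `show conn` output, pairing each inbound leg with its outbound leg and reporting the pairs stuck at SYNSEEN/INIT (SYN forwarded, no SYN-ACK back). The function name is hypothetical, and the sample rows are copied from the output posted above.

```python
import re

# Constructed sample: rows copied from the "show conn" output in the thread.
SAMPLE = """\
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
846433     1  in  TCP   18   172.28.18.124:52020   172.28.9.81:8802      SYNSEEN
585042     1  out TCP   18   172.28.9.81:8802      172.28.18.124:52020   INIT
1392620    1  in  TCP   18   172.28.1.64:55045     172.28.18.81:8801     SYNSEEN
1270689    1  out TCP   18   172.28.9.81:8801      172.28.1.64:55045     INIT
"""

# conn-id, np, dir, proto, vlan, source, destination, state
ROW = re.compile(
    r"^\d+\s+\d+\s+(in|out)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def stalled_handshakes(output):
    """Return the in/out pairs whose TCP handshake never completed."""
    rows = [m.groups() for m in map(ROW.match, output.splitlines()) if m]
    stalled = []
    for a, b in zip(rows, rows[1:]):
        # The outbound leg follows its inbound leg and points back at the client.
        is_pair = a[0] == "in" and b[0] == "out" and b[3] == a[2]
        if is_pair and a[4] == "SYNSEEN" and b[4] == "INIT":
            stalled.append({"client": a[2],        # who sent the SYN
                            "requested": a[3],     # address:port the client hit
                            "real_server": b[2]})  # where ACE forwarded the SYN
    return stalled

if __name__ == "__main__":
    for s in stalled_handshakes(SAMPLE):
        print("no SYN-ACK from {real_server} for {client} -> {requested}".format(**s))
```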

But both servers are running. I can ping them both.

172.28.9.81 & 172.28.9.87.

 

Where do you believe the issues lie? On the two real servers?

Hi,

Are you able to telnet to the servers on the port on which they are listening through VIP? No doubt, you are able to ping the servers from ACE, but you are sending an HTTP request. I don't see it even getting to HTTP; the TCP three-way handshake itself is not completing, which indicates that either the server is not listening on that port or the server is replying to the SYN with a SYN-ACK but it never reaches ACE due to asymmetric routing in your network. You should take a pcap on the server to see what is going on. At this point, yes, I would doubt the servers.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

It looks like I can telnet into the servers on the specified ports, then a black screen shows and it kicks me back out to the PC CLI.

Hello Kanwal,

 

I wanted to see if I can run something by you real quick. As we confirmed, the load balancing is working; however, the client said that I am supposed to implement a config that will allow access to the server via web browser. This is what we get when attempting....

Server Error

404 - File or directory not found.

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

 

He gets the login through here http://jag-plm9web-02:8801/tc/webclient

But not when he tries to go through the VIP here http://172.28.18.81/tc/webclient

He informed me that last time a policy had to be put in place to allow this link to work: http://172.28.18.81/tc/webclient. I thought that I did, but I am still receiving the same server error. Can you check my config and see what is missing so that the load balancer can be put in production? I have bolded the changes that I made. Thank you!

 

bri-200n-ace1/PLM9-TEST(config)# do sho run

Generating configuration....

 

 

 

 

 

access-list ANYONE line 10 extended permit ip any any

 

 

 

probe icmp PING-PROBE

  interval 10

  faildetect 2

  passdetect interval 30

  passdetect count 2

  receive 4

probe http PLM9-HTTP-PROBE-8801

  port 8801

  interval 10

  faildetect 2

  passdetect interval 15

  passdetect count 2

  request method get url /HealthMonitor/probe.jsp

  expect status 200 200

  open 1

probe http PLM9-HTTP-PROBE-8802

  port 8802

  interval 10

  faildetect 2

  passdetect interval 15

  passdetect count 2

  request method get url /HealthMonitor/probe.jsp

  expect status 200 200

  open 1

probe http PLM9-HTTP-PROBE-8803

  port 8803

  interval 10

  faildetect 2

  passdetect interval 15

  passdetect count 2

  request method get url /HealthMonitor/probe.jsp

  expect status 200 200

  open 1

probe http PLM9-HTTP-PROBE-8804

  port 8804

  interval 10

  faildetect 2

  passdetect interval 15

  passdetect count 2

  request method get url /HealthMonitor/probe.jsp

  expect status 200 200

  open 1

 

parameter-map type http HTTP-MAP1

  persistence-rebalance

 

rserver host JAG-PLM9APP-02

  ip address 172.28.9.81

  inservice

rserver host JAG-PLM9WEB-02

  ip address 172.28.9.87

  inservice

 

 

serverfarm host PLM9-WEB-SF

  predictor leastconns

  rserver JAG-PLM9APP-02

    probe PLM9-HTTP-PROBE-8802

    probe PLM9-HTTP-PROBE-8804

    inservice

  rserver JAG-PLM9WEB-02

    probe PLM9-HTTP-PROBE-8801

    probe PLM9-HTTP-PROBE-8803

    inservice

 

class-map type http loadbalance match-any L7-PLM9-Enterprise

  2 match http url /tc/webclient.*

class-map type management match-any PM_MULTI_MATCH

  201 match protocol snmp any

  202 match protocol xml-https any

  203 match protocol telnet any

  204 match protocol ssh any

  205 match protocol icmp any

  206 match protocol https any

  207 match protocol http any

class-map match-all VS_Classmap

  2 match virtual-address 172.28.18.81 tcp any

 

policy-map type management first-match management

  class PM_MULTI_MATCH

    permit

 

policy-map type loadbalance first-match PLM9-WEB-LB-POLICY

  class L7-PLM9-Enterprise

    serverfarm PLM9-WEB-SF

 

policy-map multi-match PM_MULTI_MATCH

  class VS_Classmap

    loadbalance vip inservice

    loadbalance policy PLM9-WEB-LB-POLICY

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 109

    appl-parameter http advanced-options HTTP-MAP1

 

interface vlan 18

  description Client Vlan

  ip address 172.28.18.124 255.255.255.128

  access-group input ANYONE

  service-policy input PM_MULTI_MATCH

  no shutdown

interface vlan 109

  description Servers Vlan

  ip address 172.28.9.7 255.255.255.128

  nat-pool 1 172.28.9.8 172.28.9.8 netmask 255.255.255.0 pat

  no shutdown

 

ip route 0.0.0.0 0.0.0.0 172.28.18.1

 

snmp-server contact "ANM"

snmp-server location "ANM"

 

snmp-server trap-source vlan 18

 

Hi,

I see you have not specified ports for servers. Can you define the ports on which servers are listening?

serverfarm host PLM9-WEB-SF

  predictor leastconns

  rserver JAG-PLM9APP-02---------->8802 or whatever

    probe PLM9-HTTP-PROBE-8802

    probe PLM9-HTTP-PROBE-8804

    inservice

  rserver JAG-PLM9WEB-02-------->8801 or whatever port that service is running. 

    probe PLM9-HTTP-PROBE-8801

    probe PLM9-HTTP-PROBE-8803

    inservice

Regards,

Kanwal

Note: Please mark answers if they are helpful.
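Added example, not part of the thread: a Python check for the condition pointed out in the reply above. It lists serverfarm rservers that have no explicit port next to the ports their probes test; when the rserver line has no port, ACE forwards to the same destination port the client used on the VIP, so probes can pass on one port while traffic lands on another. The function name is hypothetical and the sample is a trimmed, constructed version of the posted config.

```python
import re

# Constructed sample, trimmed from the configuration posted in the thread.
# The port on the second rserver line is an assumed corrected form.
SAMPLE_CONFIG = """\
probe http PLM9-HTTP-PROBE-8801
  port 8801
probe http PLM9-HTTP-PROBE-8802
  port 8802
serverfarm host PLM9-WEB-SF
  predictor leastconns
  rserver JAG-PLM9APP-02
    probe PLM9-HTTP-PROBE-8802
    inservice
  rserver JAG-PLM9WEB-02 8801
    probe PLM9-HTTP-PROBE-8801
    inservice
"""

def find_portless_rservers(config):
    """Return (serverfarm, rserver, probed_ports) for each rserver that is
    bound to a serverfarm without an explicit port."""
    probe_ports = {}                  # probe name -> TCP port it checks
    findings = []
    farm = probe = current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:                  # the forum paste has blank lines everywhere
            continue
        if not raw[0].isspace():      # unindented command starts a new block
            farm = probe = current = None
            if m := re.match(r"probe \S+ (\S+)$", line):
                probe = m.group(1)
            elif m := re.match(r"serverfarm host (\S+)$", line):
                farm = m.group(1)
        elif probe and (m := re.match(r"port (\d+)$", line)):
            probe_ports[probe] = int(m.group(1))
        elif farm and (m := re.match(r"rserver (\S+)(?: (\d+))?$", line)):
            current = None
            if m.group(2) is None:    # no port: ACE keeps the client's port
                current = (farm, m.group(1), [])
                findings.append(current)
        elif farm and current and (m := re.match(r"probe (\S+)$", line)):
            current[2].append(probe_ports.get(m.group(1)))
    return findings

if __name__ == "__main__":
    for farm, rserver, ports in find_portless_rservers(SAMPLE_CONFIG):
        print(f"{farm}: rserver {rserver} has no port; probes test {ports}")
```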

I didn't see this message before I sent you one, but yes, that was the problem!! Thank you!

Never mind, I figured it out. Thank you so much for all of your help!!
