10-31-2012 01:30 PM
I saw a strange behaviour in the ACE30 today.
We are configuring most of our VIPs with "loadbalance vip icmp-reply active" and I haven't thought about it that much.
I just assumed it would do what the command says.
Today an Intel tech called and said that he had taken down the webservice on port 80 on both servers in a serverfarm and he could still ping the VIP.
I had a look in the ACE and saw that the VIP was marked OUTOFSERVICE. But he could still ping it at that moment.
What are the criteria for the VIP not to respond to ping with the above command set?
10-31-2012 03:46 PM
Hello,
Can you ensure that only this one L3 VIP address is alive on the ACE? I mean, a VIP can be IP:port1 or IP:port2, but the IP for both cases can be the same IP address. The reason for this is that the first VIP can be out of service, but the IP address is still responding to ICMP.
If VIP is outofservice and you can 'ping' VIP (IP of the VIP), can you reach tcp port of this 'VIP'?
regards,
martin
11-01-2012 07:28 AM
Thank you for your answer.
The VIP address is only used in one "match virtual-address" command, listening for all ports.
Unfortunately I didn't have the chance to try anything while both servers were down.
The Intel tech just tested with ping.
And I don't know when we have the possibility to take down the entire service again.
/Torbjörn
10-31-2012 09:43 PM
Could you paste the entire configuration of the policy multimatch in question?
Jorge
11-01-2012 07:39 AM
Hello,
Here is the multimatch configuration.
There are 74 classes inside the multi-match. And all are configured in the same way.
I include only one (with a fake name) to prevent me from inventing 74 fake names.
policy-map multi-match PRODUCTION
  class AIntern
    loadbalance vip inservice
    loadbalance policy AIntern
    loadbalance vip icmp-reply active
    connection advanced-options UDP_PARAM_MAP
/Torbjörn
11-02-2012 09:52 PM
Hi,
In your configuration, if you had only "Load vip icmp-reply", you would get a response from the VIP even if all servers are down and the service policy is out of service.
But if it is "loadbalance vip icmp-reply active", as it is in your case, you should not get a reply when the service policy is out of service and the servers are down.
If that is happening, then either you have a similar IP in some other class listening on a different port, which you have ruled out, or it could be a bug. I would suggest opening a TAC case for further investigation if you are sure that the ACE misbehaved.
Regards,
Kanwal
01-24-2014 12:51 PM
Hey,
Actually I have this problem too. The simple thing is that I configured ACEs with SSL termination and bound my certificates to the IP, with the cert and keys on the ACE. We have a DNS and there was an entry there too, in order to resolve the query from IP to name for the SSL cert and VIP. Now even if I disable the nodes I should be able to have the ICMP reply, because it is being resolved by the DNS. However, if you go to your layer policy where you define your VIP address, disable that and see the results; if there is an entry, do also review.
regards
01-24-2014 12:55 PM
Hi Usman,
Do you have loadbalance vip icmp-reply or icmp-reply active configured? If it is the former, then you will get the reply even if your serverfarm is down, but with the latter it will only reply when the serverfarm is active or one server is active.
Regards,
Kanwal
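Added example, not part of any post in this thread: a small Python audit of an ACE configuration for the two causes raised above, a class that uses "loadbalance vip icmp-reply" without "active", and a VIP address that appears in more than one class. The class-map lines, the addresses and the BIntern/CIntern classes in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: addresses, class-maps and BIntern/CIntern are made up.
SAMPLE = """\
class-map match-all AIntern
  2 match virtual-address 192.0.2.10 any
class-map match-all BIntern
  2 match virtual-address 192.0.2.10 tcp eq 443
class-map match-all CIntern
  2 match virtual-address 192.0.2.20 tcp eq 80
policy-map multi-match PRODUCTION
  class AIntern
    loadbalance vip inservice
    loadbalance vip icmp-reply active
  class BIntern
    loadbalance vip icmp-reply
  class CIntern
    loadbalance vip icmp-reply active
"""

def audit(config):
    """Map each VIP address to reasons it may answer ping while a VIP is down."""
    vips, mode = defaultdict(set), {}   # class -> addresses, class -> reply mode
    cmap = cls = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"class-map\b.*\s(\S+)$", line):
            cmap, cls = m.group(1), None
        elif m := re.match(r"(?:\d+\s+)?match virtual-address (\S+)", line):
            if cmap:
                vips[cmap].add(m.group(1))
        elif line.startswith("policy-map "):
            cmap = cls = None
        elif m := re.match(r"class (\S+)$", line):
            cls = m.group(1)
        elif cls and (m := re.match(r"loadbalance vip icmp-reply( active)?$", line)):
            mode[cls] = "active" if m.group(1) else "always"
    by_addr = defaultdict(list)
    for name in sorted(vips):
        for addr in vips[name]:
            by_addr[addr].append(name)
    findings = {}
    for addr, names in by_addr.items():
        notes = [f"{n}: icmp-reply without active" for n in names if mode.get(n) == "always"]
        if len(names) > 1:
            notes.append("address shared by " + ", ".join(names))
        if notes:
            findings[addr] = notes
    return findings
```

An address with no findings has a single class with "icmp-reply active" (or no icmp-reply line), so a ping reply while that VIP is OUTOFSERVICE is not explained by the configuration.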