VIP is still responding to ping when both servers are down

tvirtanen · ‎10-31-2012

I saw a strange beaviour in the ACE30 today.

We are configuring most of our VIP:s with "loadbalance vip icmp-reply active" and I haven't thought about it that much.

I just assumed it would do what the command says.

Today an Intel tech called and said that he had taken down the webservice on port 80 on both servers in a serverfarm and he could still ping the VIP.

I had a look in the ACE and saw that the VIP was marked OUTOFSERVICE. But he could still ping it at that moment.

What is the criteria for the VIP not to respond to ping with the above command set?

Martin Kyrc · ‎10-31-2012

Hello,

can you ensure that only this one L3 VIP address is alive on the ACE? I mean, VIP can be IP:port1, IP:port2, but IP for both cases can be the same IP address. Reason of this is, first VIP can be out of service, but IP address is responding do ICMP.

If VIP is outofservice and you can 'ping' VIP (IP of the VIP), can you reach tcp port of this 'VIP'?

regards,

martin

tvirtanen · ‎11-01-2012

Thank you for your answer.

The VIP address is only used in one "match virtual-address" command, listening for all ports.

Unfortunately I didn't have the chance to try anything while both servers were down.

The Intel tech just tested with ping.

And I don't know when we have the possibility to take down the entire service again.

/Torbjörn

Jorge Bejarano · ‎10-31-2012

Could you paste the entire configuration of the policy multimatch in question?

Jorge

tvirtanen · ‎11-01-2012

Hello,

Here is the multimatch configuration.

There are 74 classes inside the multi-match. And all are configured in the same way.

I include only one (with a fake name) to prevent me from inventing 74 fake names.

policy-map multi-match PRODUCTION
class AIntern
    loadbalance vip inservice
    loadbalance policy AIntern
    loadbalance vip icmp-reply active
    connection advanced-options UDP_PARAM_MAP

/Torbjörn

Kanwaljeet Singh · ‎11-02-2012

Hi,

In your configuration if you had only "Load vip icmp-reply", you will get response from VIP even if all servers are down and service policy is out of service.

But if it is "loadbalance vip icmpreply active" as it is in your case you should not get reply when the service policy is out of service and servers are down.

If that is happening then either you have a similar IP in someother class listening on a different port which you have ruled out or it could be a BUG.I would suggest opening a TAC case for further investigation if you are sure that ACE misbehaved.

Regards,

Kanwal

usman ali dar · ‎01-24-2014

hey,

actually i have this problem too so the simple thing is that my i configured aces with ssl terminations and bind my certificates to ip and cert with keys on ace. we have an dns and there was an entry too so in order to resolve the query for ip to name for ssl cert and vip, Now if even i disable the nodes i should be able to have the icmp reply becuase it being resolved by the dns however if you go to your layer policy where you define your vip address disable that and see the results if there is an entry do also review.

regards

Kanwaljeet Singh · ‎01-24-2014

Hi Usman,

Do you have loadbalance vip icmp-reply or icmp-reply active configured? If it is former than you will get the reply even if your serverfarm is down but with latter it will only reply when serverfarm is active or one server is active.

Regards,

Kanwal