ACE PAT Combination

May 17th, 2007

I want to do a simple load balance whereby anyone connecting to a VIP on Port X will be load balanced to a real server on Port X. The only exception is one port where I want for instance VIP:80 to balance to FARM:8080. How can I accomplish this? I created the following but it doesn't seem to work:


rserver host SERVER1
  ip address 10.20.51.21
  inservice
rserver host SERVER2
  ip address 10.20.51.22
  inservice

serverfarm host FARM
  predictor leastconns
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
serverfarm host FARM80_8250
  rserver SERVER1 8250
    inservice
  rserver SERVER2 8250
    inservice

class-map match-any L4_VIP
  2 match virtual-address 10.36.150.11 any
class-map match-all L4_VIP_80_8250
  2 match virtual-address 10.36.150.11 tcp eq www

policy-map type loadbalance first-match L7_VIP_LB
  class class-default
    serverfarm FARM
policy-map type loadbalance first-match L7_VIP_LB_80_8250
  class class-default
    serverfarm FARM80_8250

policy-map multi-match L4_LB_VIP
  class L4_VIP
    loadbalance vip inservice
    loadbalance policy L7_VIP_LB
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
  class L4_VIP_80_8250
    loadbalance vip inservice
    loadbalance policy L7_VIP_LB_80_8250
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

Then I applied the policy to the appropriate interfaces. I then issued this command:


ACE/C1# sh service-policy L4_LB_VIP detail

Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1250 1261
  service-policy: L4_LB_VIP
    class: L4_VIP
      VIP Address:    Port:
      10.36.150.11    any
      loadbalance:
        L7 loadbalance policy: L7_VIP_LB
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED-WHEN-ACTIVE
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0    , hit count        : 189
        dropped conns    : 10
        client pkt count : 814  , client byte count: 134831
        server pkt count : 984  , server byte count: 714693
      L7 Loadbalance policy : L7_VIP_LB
        class/match : class-default
          LB action :
            serverfarm: FARM
          hit count        : 179
          dropped conns    : 0
    class: L4_VIP_80_8250
      VIP Address:    Port:
      10.36.150.11    eq 80
      loadbalance:
        L7 loadbalance policy: L7_VIP_LB_80_8250
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED-WHEN-ACTIVE
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0    , hit count        : 0
        dropped conns    : 0
        client pkt count : 0    , client byte count: 0
        server pkt count : 0    , server byte count: 0
      L7 Loadbalance policy : L7_VIP_LB_80_8250
        class/match : class-default
          LB action :
            serverfarm: FARM80_8250
          hit count        : 0
          dropped conns    : 0

ACE/C1#


I can telnet to 10.36.150.11 to any port (except 80) and will get load balanced to SERVER1 or 2 (provided the port is listening of course). However, when I attempt to telnet to 10.36.150.11 on port 80 I get an immediate connection refused message.


I would greatly appreciate any input on this.


Casey

Anonymous (not verified) Thu, 05/17/2007 - 17:45

Casey,


You mentioned you want to PAT incoming port 80 traffic to your server farm on port 8080, but your server farm is configured to PAT to 8250. Update your server farm for port 8080 and that should fix it.


Bill

cajalat Fri, 05/18/2007 - 04:26

Sorry for my confusing remarks Bill. 8080 was an example. In fact I wanted 80 to be PAT'd to 8250.


Gilles Dufour (Cisco Employee) Fri, 05/18/2007 - 04:22

curr conns       : 0    , hit count        : 0
dropped conns    : 0
client pkt count : 0    , client byte count: 0
server pkt count : 0    , server byte count: 0


There is no traffic coming into the ACE module for the 2nd vip with port 80 -> 8250.

So, it seems to be denied by a firewall or an acl somewhere.


Gilles.

cajalat Fri, 05/18/2007 - 04:28

Gilles,


That's what puzzles me. There are no firewalls involved here; I'm 100% certain of that. It is as if the ACE is refusing the connection coming in on port 80 for whatever reason.


Casey

Gilles Dufour (Cisco Employee) Fri, 05/18/2007 - 08:16

What software version do you have?

We had some issues in the past similar to this, I believe. Does the problem disappear if you do a reload?


Gilles.

cajalat Fri, 05/18/2007 - 08:35

I'm currently running version 3.0(0)A1(4a). I have failed over the ACEs to no avail.

Gilles Dufour (Cisco Employee) Mon, 05/21/2007 - 01:24

I believe the problem could be bug CSCsg89266 which is fixed in A1(4b).

You should try with this version and see if it makes any difference.

If not, try to capture a sniffer trace of the inbound and outbound ACE vlans to see if traffic is really coming in and what the ace does with it.


Gilles.

cajalat Mon, 05/21/2007 - 03:35

How can I get hold of this code? I only see A1(4a) on CCO.

Gilles Dufour (Cisco Employee) Mon, 05/21/2007 - 04:50

You have to open a service request with the TAC.


Gilles.

cajalat Mon, 05/21/2007 - 05:37

Opened a TAC Case. I'll update once I get the new code installed/tested.

cajalat Mon, 05/21/2007 - 09:44

I opened a TAC case and received the latest code, A1(4L). I've installed the new code and unfortunately that hasn't fixed the problem I'm having. The TAC is currently working on it and I'll report back what they find; unless someone can see a glaring mistake in my config, in which case I wouldn't mind some feedback.


Casey

Gilles Dufour (Cisco Employee) Mon, 05/21/2007 - 10:06

Did you try to configure a sniffer trace to confirm that the ACE module is receiving the traffic?


Gilles.

cajalat Mon, 05/21/2007 - 14:54

I definitely did the sniffer (port mirror) and the ACE does receive the traffic. So I decided to re-order the multi-match policy from this:


policy-map multi-match L4_LB_VIP
  class L4_VIP
    loadbalance vip inservice
    loadbalance policy L7_VIP_LB
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
  class L4_VIP_80_8250
    loadbalance vip inservice
    loadbalance policy L7_VIP_LB_80_8250
    loadbalance vip icmp-reply active
    loadbalance vip advertise active


to this:


policy-map multi-match L4_LB_VIP
  class L4_VIP_80_8250
    loadbalance vip inservice
    loadbalance policy L7_VIP_LB_80_8250
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
  class L4_VIP
    loadbalance vip inservice
    loadbalance policy L7_VIP_LB
    loadbalance vip icmp-reply active
    loadbalance vip advertise active


This did the trick for me. I'm not sure if this is a bug or an intended feature where the more specific class needs to come first.


Casey

Roble Mumin (Bronze, 100 points or more) Tue, 05/22/2007 - 02:36

This makes perfect sense imho. If the ACE gets traffic and the rule which matches any port is first, it will result in a match even for port 80.

So putting the port 80 rule in front of the general rule is the way to go. It works the same way as ACLs then: specific before general.


Roble


PS: Those types of problems are nasty. I watched this thread and wondered why this happens. I couldn't find it either, but now you have found the solution yourself.
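As an added illustration (not from the thread or from Cisco), a small Python model of the first-match behaviour the last two posts describe, using the class-maps and serverfarms hand-transcribed from Casey's configuration. Besides resolving where a client flow lands under each class ordering, it flags any class that an earlier, broader class shadows, which is the check worth running on a multi-match policy before it goes live.

```python
from typing import Optional

# Class-maps transcribed from the thread: class -> (VIP, TCP port or None for "any").
CLASS_MAPS = {
    "L4_VIP": ("10.36.150.11", None),        # match virtual-address ... any
    "L4_VIP_80_8250": ("10.36.150.11", 80),  # match virtual-address ... tcp eq www
}
# Each L7 policy contains only class-default, so a class maps straight to a serverfarm.
POLICY_FARM = {"L4_VIP": "FARM", "L4_VIP_80_8250": "FARM80_8250"}
# serverfarm -> rserver port override (None: keep the port the client connected to).
FARM_PORT = {"FARM": None, "FARM80_8250": 8250}

def covers(outer: str, inner: str) -> bool:
    """True if every flow matching class `inner` also matches class `outer`."""
    ovip, oport = CLASS_MAPS[outer]
    ivip, iport = CLASS_MAPS[inner]
    return ovip == ivip and (oport is None or oport == iport)

def first_match(order: list[str], vip: str, port: int) -> Optional[str]:
    """Model of the multi-match policy: the first listed class that matches wins."""
    for name in order:
        cvip, cport = CLASS_MAPS[name]
        if cvip == vip and (cport is None or cport == port):
            return name
    return None

def resolve(order: list[str], vip: str, port: int):
    """(serverfarm, real-server port) that a client flow to vip:port is balanced to."""
    cls = first_match(order, vip, port)
    if cls is None:
        return None
    farm = POLICY_FARM[cls]
    return farm, FARM_PORT[farm] or port

def shadowed(order: list[str]) -> list[str]:
    """Classes that can never be hit because an earlier class already covers them."""
    return [c for i, c in enumerate(order)
            if any(covers(prev, c) for prev in order[:i])]

ORIGINAL = ["L4_VIP", "L4_VIP_80_8250"]  # Casey's first ordering
FIXED = ["L4_VIP_80_8250", "L4_VIP"]     # the re-ordered policy that worked

if __name__ == "__main__":
    for label, order in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, resolve(order, "10.36.150.11", 80), "shadowed:", shadowed(order))
```

With the original ordering a port-80 flow resolves to FARM on port 80 and L4_VIP_80_8250 is reported as shadowed, matching the zero hit count in the show output; with the fixed ordering it resolves to FARM80_8250 on 8250.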

cajalat Tue, 05/22/2007 - 06:38

I think part of the problem on my end is a lack of a good understanding of the policy-map multi-match rules. Once I figured out to treat them like ACLs the light bulb went on.


Thanks for everyone's suggestions.
