cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
936
Views
15
Helpful
16
Replies

ACE PAT Combination

cajalat
Level 1
Level 1

I want to do a simple load balance whereby anyone connecting to a VIP on Port X will be load balanced to a real server on Port X. The only exception is one port where I want for instance VIP:80 to balance to FARM:8080. How can I accomplish this? I created the following but it doesn't seem to work:

rserver host SERVER1

ip address 10.20.51.21

inservice

rserver host SERVER2

ip address 10.20.51.22

inservice

serverfarm host FARM

predictor leastconns

rserver SERVER1

inservice

rserver SERVER2

inservice

serverfarm host FARM80_8250

rserver SERVER1 8250

inservice

rserver SERVER2 8250

inservice

class-map match-any L4_VIP

2 match virtual-address 10.36.150.11 any

class-map match-all L4_VIP_80_8250

2 match virtual-address 10.36.150.11 tcp eq www

policy-map type loadbalance first-match L7_VIP_LB

class class-default

serverfarm FARM

policy-map type loadbalance first-match L7_VIP_LB_80_8250

class class-default

serverfarm FARM80_8250

policy-map multi-match L4_LB_VIP

class L4_VIP

loadbalance vip inservice

loadbalance policy L7_VIP_LB

loadbalance vip icmp-reply active

loadbalance vip advertise active

class L4_VIP_80_8250

loadbalance vip inservice

loadbalance policy L7_VIP_LB_80_8250

loadbalance vip icmp-reply active

loadbalance vip advertise active

Then I applied the policy to the appropriate interfaces. I then issue this command:

ACE/C1# sh service-policy L4_LB_VIP detail

Status : ACTIVE

Description: -

-----------------------------------------

Interface: vlan 1250 1261

service-policy: L4_LB_VIP

class: L4_VIP

VIP Address: Port:

10.36.150.11 any

loadbalance:

L7 loadbalance policy: L7_VIP_LB

VIP Route Metric : 77

VIP Route Advertise : ENABLED-WHEN-ACTIVE

VIP ICMP Reply : ENABLED-WHEN-ACTIVE

VIP State: INSERVICE

curr conns : 0 , hit count : 189

dropped conns : 10

client pkt count : 814 , client byte count: 134831

server pkt count : 984 , server byte count: 714693

L7 Loadbalance policy : L7_VIP_LB

class/match : class-default

LB action :

serverfarm: FARM

hit count : 179

dropped conns : 0

class: L4_VIP_80_8250

VIP Address: Port:

10.36.150.11 eq 80

loadbalance:

L7 loadbalance policy: L7_VIP_LB_80_8250

VIP Route Metric : 77

VIP Route Advertise : ENABLED-WHEN-ACTIVE

VIP ICMP Reply : ENABLED-WHEN-ACTIVE

VIP State: INSERVICE

curr conns : 0 , hit count : 0

dropped conns : 0

client pkt count : 0 , client byte count: 0

server pkt count : 0 , server byte count: 0

L7 Loadbalance policy : L7_VIP_LB_80_8250

class/match : class-default

LB action :

serverfarm: FARM80_8250

hit count : 0

dropped conns : 0

ACE/C1#

I can telnet to 10.36.150.11 to any port (except 80) and will get load balanced to SERVER1 or 2 (provided the port is listening of course). However, when I attempt to telnet to 10.36.150.11 on port 80 I get an immediate connection refused message.

I would greatly appreciate any input on this.

Casey

16 Replies 16

Not applicable

Casey,

You mentioned you want to PAT incomming port 80 traffic to your server farm on port 8080 but your Server Farm is configured to PAT to 8250. Update your Server Farm for port 8080 and that should fix it.

Bill

Sorry for my confusing remarks Bill. 8080 was an example. In fact I wanted 80 to be PAT'd to 8250.

Not applicable

curr conns : 0 , hit count : 0

dropped conns : 0

client pkt count : 0 , client byte count: 0

server pkt count : 0 , server byte count: 0

There is no traffic coming into the ACE module for the 2nd vip with port 80 -> 8250.

So, it seems to be denied by a firewall or an acl somewhere.

Gilles.

Gilles,

That's what puzzles me. There are no firewalls involved here I'm 100% certain of that. It is as if the ACE is refusing the connection coming in on port 80 for whatever reason.

Casey

Gilles Dufour
Cisco Employee
Cisco Employee

what software version do you have ?

We had some issue in the past similar to this I believe. Does the problem disappear if you do a reload ?

Gilles.

I'm currently running version 3.0(0)A1(4a). I have failed over the ACEs to no avail.

I believe the problem could be bug CSCsg89266 which is fixed in A1(4b).

You should try with this version and see if it makes any difference.

If not, try to capture a sniffer trace of the inbound and outbound ACE vlans to see if traffic is really coming in and what the ace does with it.

Gilles.

How can I get hold of this code? I only see A1(4a) on CCO.

you have to open a service request with the TAC.

Gilles.

Opened a TAC Case. I'll update once I get the new code installed/tested.

I opened a TAC Case and received the latest code A1(4L). I've installed the new code and unfortunately that hasn't fixed the problem I'm having. The TAC is currently working it and I'll report back what they find unless someone can see a glaring mistake in my config then I wouldn't mind some feedback.

Casey

did you try to configure a sniffer trace to confirm that the ACE module is receiving the traffic ?

Gilles.

I definitely did the sniffer (port mirror) and the ACE does receive the traffic. So I decided to re-order the multi-match policy from this:

policy-map multi-match L4_LB_VIP

class L4_VIP

loadbalance vip inservice

loadbalance policy L7_VIP_LB

loadbalance vip icmp-reply active

loadbalance vip advertise active

class L4_VIP_80_8250

loadbalance vip inservice

loadbalance policy L7_VIP_LB_80_8250

loadbalance vip icmp-reply active

loadbalance vip advertise active

to this:

policy-map multi-match L4_LB_VIP

class L4_VIP_80_8250

loadbalance vip inservice

loadbalance policy L7_VIP_LB_80_8250

loadbalance vip icmp-reply active

loadbalance vip advertise active

class L4_VIP

loadbalance vip inservice

loadbalance policy L7_VIP_LB

loadbalance vip icmp-reply active

loadbalance vip advertise active

This did the trick for me. I'm not sure if this is a bug or an intended feature where the more specific class needs to come first.

Casey

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: