ACE Server Load Balancing

Unanswered Question
Oct 7th, 2008

I am not able to browse the website by using the VIP. I can ping it or trace it. I enabled logging on the ACE but I do not see any web traffic coming through the VIP. When I do a show service-policy detail, there are no hits on the VIP. Below are my configs for the admin context and the virtual context. Please help!




Admin Context
-----------------

resource-class RS_web
  limit-resource all minimum 10.00 maximum unlimited

boot system image:c4710ace-mz.A1_8_0a.bin

hostname ACE1

interface gigabitEthernet 1/1
  description Client Connectivity on VLAN 100
  switchport access vlan 100
  no shutdown
interface gigabitEthernet 1/2
  description Server Connectivity on VLAN 10
  switchport access vlan 10
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown

context VC_web
  allocate-interface vlan 10
  allocate-interface vlan 100
  member RS_web


Virtual Context
-----------------

logging enable
logging console 7
logging trap 7
logging history 7
logging monitor 7

access-list ALL line 8 extended permit ip any any

rserver host RS_web1
  description content server web-one
  ip address 10.2.0.99
  inservice

rserver host RS_web2
  description content server web-two
  ip address 10.2.0.98
  inservice

serverfarm host SF_web
  rserver RS_web1 80
    inservice
  rserver RS_web2 80
    inservice

class-map type management match-any VC_web_Remote
  description VC Web Remote Access
  2 match protocol telnet any
  3 match protocol https any
  5 match protocol ssh any
  6 match protocol icmp any
class-map match-all VS_web
  2 match virtual-address 10.1.0.99 tcp eq www

policy-map type management first-match VC_web_MGMT_ALLOW_POLICY
  class VC_web_Remote
    permit

policy-map type loadbalance first-match PM_LB
  class class-default
    serverfarm SF_web

policy-map multi-match PM_multi_match
  class VS_web
    loadbalance vip inservice
    loadbalance policy PM_LB
    loadbalance vip icmp-reply active

interface vlan 10
  description Server Connectivity on VLAN 10
  ip address 10.2.0.101 255.255.252.0
  nat-pool 1 10.2.0.200 10.2.0.204 netmask 255.255.252.0
  no shutdown
interface vlan 100
  ip address 10.1.0.101 255.255.252.0
  service-policy input VC_web_MGMT_ALLOW_POLICY
  service-policy input PM_multi_match
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.1.0.1

username admin password 5 xxxx role Admin domain default-domain


Gilles Dufour Tue, 10/07/2008 - 06:05
User Badges:
  • Cisco Employee,

As mentioned in the previous discussion you opened on the same subject, you need to check the next-hop and see if it has an arp entry for the vip.

Check what is the mac-address.

Make sure your L2 network has a valid path for this mac-address.

On which vlan is your client?


Gilles.

allen.malanda_2 Tue, 10/07/2008 - 06:20

The ARP entry is the same on the ACE and my layer 3 switch. Does my configuration look OK?


ACE VIP ARP

--------------


10.1.0.99 00.1b.24.5b.b6.94 vlan100 VSERVER LOCAL _ up


L3 Switch ARP

----------------


Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
100     001b.245b.b694    DYNAMIC     Fa0/1
10      001b.245b.b694    DYNAMIC     Fa0/2


dario.didio Tue, 10/07/2008 - 06:57
User Badges:
  • Silver, 250 points or more

You've created an access-list ALL, but it isn't applied on your interfaces.


interface vlan 10
  access-group input ALL
interface vlan 100
  access-group input ALL



allen.malanda_2 Tue, 10/07/2008 - 07:46

I've created an access-list ALL permit ip any any, and applied it on the input of int vlan 10 and 100. The connection is getting built but something is dropping it. Thanks,


Here is the log from the ACE

------------------------------


%ACE-6-302022: Built TCP connection 0x9 for vlan100:10.1.0.50/4624 (10.1.0.50/4624) to vlan10:10.1.0.99/80 (10.2.0.99/80)


%ACE-6-302023: Teardown TCP connection 0x9 for vlan100:10.1.0.50/4624 to vlan10:10.1.0.99/80 duration 0:00:06 bytes 48 SYN Timeout


show service-policy detail
--------------------------------

Interface: vlan 1 100
  service-policy: PM_multi_match
    class: VS_web
      VIP Address: Protocol: Port:
      10.1.0.99 tcp eq 80
      loadbalance:
        L7 loadbalance policy: PM_LB
        VIP ICMP Reply : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns : 0 , hit count : 12
        dropped conns : 12
        client pkt count : 18 , client byte count: 864
        server pkt count : 0 , server byte count: 0
        conn-rate-limit : 0 , drop-count : 0
        bandwidth-rate-limit : 0 , drop-count : 0
        L7 Loadbalance policy : PM_LB
          class/match : class-default
            LB action :
              primary serverfarm: SF_web
                state: UP
              backup serverfarm : -
            hit count : 12
            dropped conns : 0
      compression : off
        compression:
          bytes_in : 0
          bytes_out : 0

Syed Iftekhar Ahmed Tue, 10/07/2008 - 07:51
User Badges:
  • Blue, 1500 points or more

It's a sync timeout.


It looks as if the response from the server is bypassing the ACE. What is the default gateway configured on the server?


I suspect that the response is bypassing ACE.


Syed Iftekhar Ahmed

allen.malanda_2 Tue, 10/07/2008 - 07:57

It worked. I've changed the default gateway on the server to the IP address of interface vlan 10 on the ACE.


Great Job!
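
Added example, not part of the original thread: a Python sketch that pairs the ACE 302022/302023 syslog messages quoted above by connection id and lists the flows torn down with "SYN Timeout", the symptom that pointed to the server's return path here. The function names are hypothetical, and the regexes assume the message layout exactly as it appears in the thread.

```python
import re
from collections import Counter

# Sample input: the two syslog lines posted in the thread.
SAMPLE_LOG = (
    "%ACE-6-302022: Built TCP connection 0x9 for vlan100:10.1.0.50/4624 (10.1.0.50/4624) to vlan10:10.1.0.99/80 (10.2.0.99/80)\n"
    "%ACE-6-302023: Teardown TCP connection 0x9 for vlan100:10.1.0.50/4624 to vlan10:10.1.0.99/80 duration 0:00:06 bytes 48 SYN Timeout\n"
)

BUILT = re.compile(
    r"%ACE-6-302022: Built TCP connection (?P<id>0x[0-9a-fA-F]+) for "
    r"(?P<cif>\S+?):(?P<client>[\d.]+)/\d+ \([^)]*\) to "
    r"(?P<sif>\S+?):(?P<vip>[\d.]+)/(?P<vport>\d+) "
    r"\((?P<real>[\d.]+)/\d+\)")
TEARDOWN = re.compile(
    r"%ACE-6-302023: Teardown TCP connection (?P<id>0x[0-9a-fA-F]+) for .*? "
    r"duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+)$")


def syn_timeouts(log_text):
    """Pair Built/Teardown records by connection id; return SYN-timeout flows."""
    built, findings = {}, []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            built[m["id"]] = m.groupdict()
            continue
        m = TEARDOWN.search(line)
        if not m:
            continue
        # Release the id so a later connection with the same id is not mis-paired.
        flow = built.pop(m["id"], None)
        if flow and m["reason"].strip() == "SYN Timeout":
            findings.append({
                "client": flow["client"], "vip": flow["vip"],
                "real_server": flow["real"], "ingress": flow["cif"],
                "egress": flow["sif"], "bytes": int(m["bytes"]),
            })
    return findings


def per_real_server(findings):
    """Count SYN timeouts per real server to show which back ends never answer via the ACE."""
    return dict(Counter(f["real_server"] for f in findings))


if __name__ == "__main__":
    for f in syn_timeouts(SAMPLE_LOG):
        print(f"{f['client']} -> VIP {f['vip']} -> {f['real_server']}: "
              "no SYN-ACK seen by the ACE; check the server's default gateway")
```

A real server that shows up here while `show service-policy detail` reports a server pkt count of 0 matches the situation resolved in this thread.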
