ACE: LDAP

Nov 4th, 2008

Hi,


Port 389 is configured on ACE to loadbalance to LDAP.


Test clients run OK for approximately 2 minutes and then fail. Then every other test fails, until "clear connection all" on ACE is applied.


Any suggestion as to what to check in this situation, please?


Note: tried the following


!!!!!!!tried both of these
parameter-map type connection TCP_PARAM
  set timeout inactivity 600
  exceed-mss allow
parameter-map type connection inactivity10
  set timeout inactivity 0
  set tcp timeout half-closed 0
parameter-map type connection inactivity1
  set timeout inactivity 2


Also, back-to-back LDAP-to-clients on a local network works fine.


Regards

SS




!!!!!!!!!!!!
serverfarm host zxxxxxxxFarm-SF78
  failaction purge !-----------tried
  predictor leastconns
  rserver zxxx-L7 389
    inservice
  rserver zxxx-L8 389
    inservice



Gilles Dufour Tue, 11/04/2008 - 08:43
Cisco Employee

Get a sniffer trace of the entire connection until the problem.

Get a 'show serverfarm host zxxxxxxxFarm-SF78 detail' before and after the problem occurs.


What is your software version?


Gilles.

s.srivas Wed, 11/05/2008 - 06:44

Dear Gilles,


Please find two attachments in this reply.

for

1 client h/w run 5 clients, 1 thread each

Start: 13:55:21

reported by server

1st fail: 13:55:46

2nd fail: 13:55:46

3rd fail: 14:00:18

4th fail: 14:01:12

5th fail: 14:01:08 yes, reported late


Thank you

SS

-----------


/Admin# sh ver

loader: Version 12.2[120]
system: Version 3.0(0)A1(6.3a) [build 3.0(0)A1(6.3a) adbuild_02:16:25-2008/
02/02_/auto/adbu-rel3/ws/rel_3_0_0_a1_6.3-throttle/REL_3_0_0_A]
system image file: [LCP] disk0:c6ace-t1k9-mz.3.0.0_A1_6_3a.bin
installed license: ACE-SEC-LIC-K9 ACE-SSL-10K-K9

Hardware
  Cisco ACE (slot: n)
  cpu info:
    number of cpu(s): 2
    cpu type: SiByte
    cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
    cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
  memory info:
    total: 957640 kB, free: 333336 kB
    shared: 0 kB, buffers: 3384 kB, cached 0 kB
  cf info:
    filesystem: /dev/cf
    total: 1014624 kB, used: 390560 kB, available: 624064 kB


==============
=================================== before test start
/Admin# sh serverfarm zSunTestFarm-SF78 detail

serverfarm : zSunTestFarm-SF78, type: HOST
total rservers : 2
description : -
predictor : LEASTCONNS
slowstart : 0 secs
failaction : purge
total conn-dropcount : 0
---------------------------------
                                              ----------connections-----------
    real                  weight state        current    total
---+---------------------+------+------------+----------+--------------------
rserver: zSunTest-L7
    10.193.143.17:389     8      OUTOFSERVICE 0          0
        total conn-failures : 0

rserver: zSunTest-L8
    10.193.143.18:389     8      OPERATIONAL  1          0
        total conn-failures : 0

=========================================================
=======================================================after test stop

/Admin# sh serverfarm zSunTestFarm-SF78 detail

serverfarm : zSunTestFarm-SF78, type: HOST
total rservers : 2
description : -
predictor : LEASTCONNS
slowstart : 0 secs
failaction : purge
total conn-dropcount : 0
---------------------------------
                                              ----------connections-----------
    real                  weight state        current    total
---+---------------------+------+------------+----------+--------------------
rserver: zSunTest-L7
    10.193.143.17:389     8      OUTOFSERVICE 0          0
        total conn-failures : 0

rserver: zSunTest-L8
    10.193.143.18:389     8      OPERATIONAL  1          50
        total conn-failures : 130023


!!!!!!!!



end
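
An added example, not part of the original thread: a short Python parser that diffs the "before" and "after" `show serverfarm ... detail` snapshots requested earlier, so the per-rserver growth in total connections and conn-failures is explicit. The function names, the `suspect` flag and the trimmed sample input are this example's own assumptions.

```python
import re

# Constructed sample: rserver lines trimmed from the two
# 'sh serverfarm zSunTestFarm-SF78 detail' outputs in the post above.
BEFORE = """rserver: zSunTest-L7
10.193.143.17:389 8 OUTOFSERVICE 0 0
total conn-failures : 0
rserver: zSunTest-L8
10.193.143.18:389 8 OPERATIONAL 1 0
total conn-failures : 0
"""
AFTER = """rserver: zSunTest-L7
10.193.143.17:389 8 OUTOFSERVICE 0 0
total conn-failures : 0
rserver: zSunTest-L8
10.193.143.18:389 8 OPERATIONAL 1 50
total conn-failures : 130023
"""
REAL = re.compile(r"^\s*(\S+:\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")
FAIL = re.compile(r"^\s*total conn-failures\s*:\s*(\d+)\s*$")

def parse_serverfarm(text):
    """Return {rserver name: {state, total, failures}} from 'detail' output."""
    servers, name = {}, None
    for line in text.splitlines():
        if line.strip().startswith("rserver:"):
            name = line.split(":", 1)[1].strip()
            servers[name] = {"state": "UNKNOWN", "total": 0, "failures": 0}
        elif name and (m := REAL.match(line)):
            servers[name].update(state=m[3], total=int(m[5]))
        elif name and (m := FAIL.match(line)):
            servers[name]["failures"] = int(m[1])
    return servers

def diff_snapshots(before, after):
    """Per-rserver counter deltas between two snapshots of the same farm."""
    old, report = parse_serverfarm(before), {}
    for name, now in parse_serverfarm(after).items():
        prev = old.get(name, {"total": 0, "failures": 0})
        new_conns = now["total"] - prev["total"]
        new_failures = now["failures"] - prev["failures"]
        report[name] = {"state": now["state"], "new_conns": new_conns,
                        "new_failures": new_failures,
                        # failures growing faster than accepted connections
                        "suspect": new_failures > new_conns}
    return report

if __name__ == "__main__":
    for name, row in diff_snapshots(BEFORE, AFTER).items():
        print(name, row)
```

On the two snapshots above it reports 50 new connections against 130023 new conn-failures on zSunTest-L8, with zSunTest-L7 unchanged and OUTOFSERVICE in both.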



s.srivas Wed, 11/05/2008 - 07:40

When tcp-option set to

half-closed=1


The failures begin to occur at an interval bigger than when I had it set as 3600.


But sh serverfarm xxx detail

shows large failures.

Gilles Dufour Wed, 11/05/2008 - 07:49
Cisco Employee

I would need a libpcap capture file - not the text version.

Copy the capture file to the disk0: and extract it via FTP.


Is it possible that your traffic is asymmetric?

So the server traffic bypasses the CSS or comes back on a different VLAN?


G.

s.srivas Thu, 11/06/2008 - 08:00

Dear Gilles,


Avoided all possible back doors, asymmetric

Still problem.


Attaching a new capture file

with a client-int snoop file


-- can send server interface snoop for this if required.


Additional info as follows

This is the message displayed on LDAP client (tool), when failed



[11/06/2008:14:57:26] - JOB - Starting Modified LDAP Weighted SearchRate job 20081106145715-607099232

[11/06/2008 15:01:02] - JOB - client=know-suntest-C4:43420 job=20081106145715-607099232 - ERROR -- Could not connect to 10.193.143.10:389 (netscape.ldap.LDAPException: Unable to establish the connection: java.net.ConnectException: Connection refused (-1)) -- aborting thread

[11/06/2008 15:01:03] - JOB - client=know-suntest-C4:43414 job=20081106145715-607099232 - ERROR -- Could not connect to 10.193.143.10:389 (netscape.ldap.LDAPException: Unable to establish the connection: java.net.ConnectException: Connection refused (-1)) -- aborting thread

[11/06/2008:14:59:49] - JOB - Modified LDAP Weighted SearchRate job 20081106145715-607099232 completed



XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ACE collections

start s/farm failure 0, rest




/Admin# capture ztest5 stop




/Admin# sh serverfarm zSunTestFarm-SF78 detail

serverfarm : zSunTestFarm-SF78, type: HOST
total rservers : 2
description : -
predictor : ROUNDROBIN
failaction : purge
total conn-dropcount : 0
---------------------------------
                                              ----------connections-----------
    real                  weight state        current    total
---+---------------------+------+------------+----------+--------------------
rserver: zSunTest-L7
    10.193.143.17:389     8      OPERATIONAL  0          0
        max-conns : 1000 , out-of-rotation count : 0
        min-conns : 500
        total conn-failures : 16791

rserver: zSunTest-L8
    10.193.143.18:389     8      OPERATIONAL  0          0
        max-conns : 1000 , out-of-rotation count : 0
        min-conns : 500
        total conn-failures : 16791



=====================================================================


/Admin# sh parameter-map i
inactivity1 inactivity10 inactivity2700
know-itpace-3ao/Admin# sh parameter-map inactivity1

Parameter-map : inactivity1
Type : connection
nagle : disabled
slow start : disabled
buffer-share size : 32768
inactivity timeout (seconds) : 30
embryonic timeout (seconds) : 5
ack-delay (milliseconds) : 200
WAN Optimization RTT (milliseconds): 65535
half-closed timeout (seconds) : 35
TOS rewrite : disabled
syn retry count : 4
TCP MSS min : 0
TCP MSS max : 1460
tcp-options drop range : 0-0
tcp-options allow range : 0-0
tcp-options clear range : 1-255
selective-ack : clear
timestamp : clear
window-scale : clear
window-scale factor : 0
reserved-bits : allow
random-seq-num : enabled
SYN data : allow
exceed-mss : drop
urgent-flag : allow





xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ACE capture file ztest5 is enclosed


