05-12-2009 12:57 AM
Hi All,
I've got a strange problem with session counts and timeout on an ACE (2.1.3).
I created a connection parameter-map to an existing configuration, added it to the load-balance configuration and then removed and re-added the service policy. The context is in bridge mode.
parameter-map type connection FINJAN
  set timeout inactivity 60
  set tcp timeout half-closed 60
policy-map multi-match Finjan-04-LB-policy
  class VIP-production_class
    loadbalance vip inservice
    loadbalance policy production-8080_LB_policy
    loadbalance vip icmp-reply
    connection advanced-options FINJAN
  class VIP-beta_class
    loadbalance vip inservice
    loadbalance policy beta-8080_LB_policy
    loadbalance vip icmp-reply
    connection advanced-options FINJAN
interface vlan 396
  description slb vlan
  bridge-group 396
  access-group input BPDU
  access-group input PERMIT-ALL
  service-policy input Finjan-04-LB-policy
  no shutdown
But I'm still seeing sessions with idle times of minutes.
For example:
27344 1 in TCP 397 10.199.253.103:3563 61.143.251.173:80 ESTAB
[ idle time : 00:16:47, byte count : 975 ]
[ elapsed time: 00:20:30, packet count: 14 ]
Is there anything else I need to do to make the timeout effective? I need to get this working before I can limit the number of connections to each real server.
Also the output of "sh serverfarm" shows many more current connections than a "sh conn de" command. Is this expected?
E.g:
ace2/finjan# sh serverfarm beta-farm-8080
 serverfarm     : beta-farm-8080, type: HOST
 total rservers : 7
 ---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: beta_blade-1
       10.199.253.111:0      8      OPERATIONAL  44982      39669799   45323
   rserver: beta_blade-2
       10.199.253.112:0      8      OPERATIONAL  49594      42955799   60246
   rserver: beta_blade-3
       10.199.253.113:0      8      OPERATIONAL  51545      46098331   49868
   rserver: beta_blade-4
       10.199.253.114:0      8      OPERATIONAL  51659      46260307   57544
   rserver: production_blade-2
       10.199.253.102:0      8      OPERATIONAL  720        540878     41145
   rserver: production_blade-3
       10.199.253.103:0      8      OPERATIONAL  51270      45832507   45670
   rserver: production_blade-4
       10.199.253.104:0      8      OPERATIONAL  51870      45779920   47624
when the "sh conn de" reports about 14000 sessions.
Any help appreciated.
Thank you
Cathy
05-12-2009 02:28 AM
Possibly a match to:
CSCso93479: current connection counter under show serverfarm is not accurate
The parameter-map change only affects new connections.
In your output, is the connection you highlighted older than the parameter-map?
Do you have frequent config changes, and is it possible that the connection showing the long idle timeout was created during a config change?
Gilles.
05-12-2009 02:39 AM
Hi Gilles,
The parameter map was installed early this morning so all sessions should now be under its aegis. I haven't made changes in the last 45 minutes, but there are still idle sessions. E.g.
37 1 out TCP 396 69.63.176.184:80 10.199.253.104:4870 ESTAB
[ conn in reuse pool : FALSE]
[ idle time : 00:31:21, byte count : 164 ]
[ elapsed time: 00:31:47, packet count: 4 ]
The context is in bridge mode. I've only applied the policy to the "inside" VLAN. Would it make a difference if the policy were applied globally?
Thanks
Cathy
05-12-2009 05:01 AM
OK.
I now realised that what you are showing is the 'OUT' part of the connection.
A TCP connection has 2 flows.
If one of the flows is active, we keep both flows in the table.
So, if you see the OUT flow being idle longer than your idle timeout, check the associated IN flow.
G.
05-12-2009 08:04 AM
I moved the service policy from the client vlan to the global config - in the hope of being able to apply the connection parameter-map. Just after I did that the whole ACE reloaded (failure in arp_mgr). Hopefully unrelated.
I do see unbalanced flows:
5078 1 in TCP 397 10.199.253.112:6005 211.166.10.66:80 ESTAB
[ idle time : 00:16:56, byte count : 1644 ]
[ elapsed time: 00:19:17, packet count: 29 ]
35 1 out TCP 396 211.166.10.66:80 10.199.253.112:6005 CLOSED
[ conn in reuse pool : FALSE]
[ idle time : 00:19:14, byte count : 28504 ]
[ elapsed time: 00:19:17, packet count: 21 ]
Is there anything I can do about this or is it dependent on the server-side doing something?
Thank you
Cathy
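The check suggested in the 05:01 AM reply (compare an idle OUT flow with its associated IN flow), as an added example that is not part of the original thread: it parses "sh conn de" text in the layout quoted here and reports only connections where both flows have been idle longer than the timeout. It assumes the OUT flow is the exact reverse address tuple of the IN flow (no NAT, as in the excerpts above); the function names and the second sample pair are constructed for illustration.

```python
import re

# First pair is the in/out pair quoted in the thread; second pair is constructed.
SAMPLE = """\
5078 1 in TCP 397 10.199.253.112:6005 211.166.10.66:80 ESTAB
[ idle time : 00:16:56, byte count : 1644 ]
[ elapsed time: 00:19:17, packet count: 29 ]
35 1 out TCP 396 211.166.10.66:80 10.199.253.112:6005 CLOSED
[ conn in reuse pool : FALSE]
[ idle time : 00:19:14, byte count : 28504 ]
[ elapsed time: 00:19:17, packet count: 21 ]
9001 1 in TCP 397 10.199.253.104:4870 192.0.2.10:80 ESTAB
[ idle time : 00:00:05, byte count : 900 ]
[ elapsed time: 00:31:47, packet count: 12 ]
9002 1 out TCP 396 192.0.2.10:80 10.199.253.104:4870 ESTAB
[ conn in reuse pool : FALSE]
[ idle time : 00:31:21, byte count : 164 ]
[ elapsed time: 00:31:47, packet count: 4 ]
"""

# Flow header: conn-id, np, direction, protocol, vlan, source, destination, state
FLOW = re.compile(r"^(\d+)\s+\d+\s+(in|out)\s+\S+\s+\d+\s+(\S+:\d+)\s+(\S+:\d+)\s+(\S+)")
IDLE = re.compile(r"idle time\s*:\s*(\d+):(\d+):(\d+)")

def parse_flows(text):
    """Return one dict per flow, with its idle time converted to seconds."""
    flows = []
    for line in text.splitlines():
        m = FLOW.match(line.strip())
        if m:
            flows.append({"id": m[1], "dir": m[2], "src": m[3], "dst": m[4],
                          "state": m[5], "idle": None})
            continue
        m = IDLE.search(line)
        if m and flows:
            h, mi, s = map(int, m.groups())
            flows[-1]["idle"] = h * 3600 + mi * 60 + s
    return flows

def stale_connections(text, timeout=60):
    """(in_id, out_id, idle_s) for connections whose least idle flow exceeds timeout."""
    flows = parse_flows(text)
    outs = {(f["src"], f["dst"]): f for f in flows if f["dir"] == "out"}
    stale = []
    for f in (x for x in flows if x["dir"] == "in"):
        peer = outs.get((f["dst"], f["src"]))  # reversed tuple = same connection
        idles = [x["idle"] for x in (f, peer) if x and x["idle"] is not None]
        if idles and min(idles) > timeout:
            stale.append((f["id"], peer["id"] if peer else None, min(idles)))
    return stale
```

Against the sample, only the 5078/35 pair is reported; the constructed pair is not, because its IN flow was active 5 seconds ago even though its OUT flow shows 31 minutes idle.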