ACE - timeout inactivity problem

ciscocsoc
Level 4

Hi All,

I've got a strange problem with session counts and timeout on an ACE (2.1.3).

I created a connection parameter-map to an existing configuration, added it to the load-balance configuration and then removed and re-added the service policy. The context is in bridge mode.

    parameter-map type connection FINJAN
      set timeout inactivity 60
      set tcp timeout half-closed 60

    policy-map multi-match Finjan-04-LB-policy
      class VIP-production_class
        loadbalance vip inservice
        loadbalance policy production-8080_LB_policy
        loadbalance vip icmp-reply
        connection advanced-options FINJAN
      class VIP-beta_class
        loadbalance vip inservice
        loadbalance policy beta-8080_LB_policy
        loadbalance vip icmp-reply
        connection advanced-options FINJAN

    interface vlan 396
      description slb vlan
      bridge-group 396
      access-group input BPDU
      access-group input PERMIT-ALL
      service-policy input Finjan-04-LB-policy
      no shutdown

But I'm still seeing sessions with idle times of minutes.

For example:

    27344 1 in TCP 397 10.199.253.103:3563 61.143.251.173:80 ESTAB
    [ idle time : 00:16:47, byte count : 975 ]
    [ elapsed time: 00:20:30, packet count: 14 ]

Is there anything else I need to do to make the timeout effective? I need to get this working before I can limit the number of connections to each real server.

Also the output of "sh serverfarm" shows many more current connections than a "sh conn de" command. Is this expected?

E.g:

    ace2/finjan# sh serverfarm beta-farm-8080
     serverfarm     : beta-farm-8080, type: HOST
     total rservers : 7
     ---------------------------------
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: beta_blade-1
           10.199.253.111:0      8      OPERATIONAL  44982      39669799   45323
       rserver: beta_blade-2
           10.199.253.112:0      8      OPERATIONAL  49594      42955799   60246
       rserver: beta_blade-3
           10.199.253.113:0      8      OPERATIONAL  51545      46098331   49868
       rserver: beta_blade-4
           10.199.253.114:0      8      OPERATIONAL  51659      46260307   57544
       rserver: production_blade-2
           10.199.253.102:0      8      OPERATIONAL  720        540878     41145
       rserver: production_blade-3
           10.199.253.103:0      8      OPERATIONAL  51270      45832507   45670
       rserver: production_blade-4
           10.199.253.104:0      8      OPERATIONAL  51870      45779920   47624

when the "sh conn de" reports about 14000 sessions.

Any help appreciated.

Thank you

Cathy


Gilles Dufour
Cisco Employee

Possibly a match to:

CSCso93479: current connection counter under show serverfarm is not accurate

The parameter-map change only affects new connections.

In your output, is the connection you highlighted older than the parameter-map?

Do you have frequent config changes, and is it possible that the connection showing the long idle timeout was created during a config change?

Gilles.

Hi Gilles,

The parameter map was installed early this morning so all sessions should now be under its aegis. I haven't made changes in the last 45 minutes, but there are still idle sessions. E.g.

    37 1 out TCP 396 69.63.176.184:80 10.199.253.104:4870 ESTAB
    [ conn in reuse pool : FALSE]
    [ idle time : 00:31:21, byte count : 164 ]
    [ elapsed time: 00:31:47, packet count: 4 ]

The context is in bridge mode. I've only applied the policy to the "inside" VLAN. Would it make a difference if the policy were applied globally?

Thanks

Cathy

OK.

I now realise that what you are showing is the 'OUT' part of the connection.

A TCP connection has 2 flows.

If one of the flows is active, we keep both flows in the table.

So, if you see the OUT flow being idle longer than your idle timeout, check the associated IN flow.

G.
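
Added example, not part of the original replies and not Cisco code: a small Python parser for the connection-detail output pasted in this thread that pairs each "in" flow with its "out" flow and compares both idle times to the configured inactivity timeout. The function names are hypothetical, the second flow pair in the sample is constructed, and the pairing assumes the out flow mirrors the in flow's addresses (no NAT), as in the outputs posted here.

```python
import re

# Flow header as pasted in this thread: id, np, direction, proto, vlan, source, destination, state
FLOW = re.compile(r"^\s*\d+\s+\d+\s+(in|out)\s+\S+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)")
IDLE = re.compile(r"idle time\s*:\s*(\d+):(\d+):(\d+)")

# First pair is output posted in the thread (trimmed); second pair is constructed for the example.
SAMPLE = """\
5078 1 in TCP 397 10.199.253.112:6005 211.166.10.66:80 ESTAB
[ idle time : 00:16:56, byte count : 1644 ]
35 1 out TCP 396 211.166.10.66:80 10.199.253.112:6005 CLOSED
[ conn in reuse pool : FALSE]
[ idle time : 00:19:14, byte count : 28504 ]
6001 1 in TCP 397 192.0.2.10:4000 198.51.100.5:80 ESTAB
[ idle time : 00:00:02, byte count : 900 ]
36 1 out TCP 396 198.51.100.5:80 192.0.2.10:4000 ESTAB
[ idle time : 00:05:00, byte count : 300 ]
"""

def parse_flows(text):
    """Return one dict per flow: direction, endpoints, state, idle time in seconds."""
    flows = []
    for line in text.splitlines():
        head, idle = FLOW.match(line), IDLE.search(line)
        if head:
            d, src, dst, state = head.groups()
            flows.append({"dir": d, "src": src, "dst": dst, "state": state, "idle": None})
        elif idle and flows:
            h, m, s = map(int, idle.groups())
            flows[-1]["idle"] = h * 3600 + m * 60 + s
    return flows

def classify(text, timeout):
    """Pair each 'in' flow with its mirrored 'out' flow; compare idle times to timeout (seconds)."""
    flows = parse_flows(text)
    outs = {(f["src"], f["dst"]): f for f in flows if f["dir"] == "out"}
    report = []
    for f in flows:
        if f["dir"] != "in":
            continue
        peer = outs.get((f["dst"], f["src"]))  # assumption: no NAT, so the tuples mirror
        idles = [f["idle"], peer["idle"]] if peer else [None]
        if None in idles:
            verdict = "incomplete"        # missing peer flow or idle line
        elif min(idles) > timeout:
            verdict = "both-idle"         # neither flow has refreshed the connection
        elif max(idles) > timeout:
            verdict = "one-flow-active"   # idle flow is held by its active partner
        else:
            verdict = "active"
        report.append((f["src"], f["dst"], verdict))
    return report

if __name__ == "__main__":
    for row in classify(SAMPLE, 60):      # 60 = "set timeout inactivity 60"
        print(*row)
```

Only the "both-idle" rows are connections where neither flow explains why the entry is still in the table; "one-flow-active" rows are the case described in the reply above.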

I moved the service policy from the client vlan to the global config - in the hope of being able to apply the connection parameter-map. Just after I did that the whole ACE reloaded (failure in arp_mgr). Hopefully unrelated.

I do see unbalanced flows;

    5078 1 in TCP 397 10.199.253.112:6005 211.166.10.66:80 ESTAB
    [ idle time : 00:16:56, byte count : 1644 ]
    [ elapsed time: 00:19:17, packet count: 29 ]

    35 1 out TCP 396 211.166.10.66:80 10.199.253.112:6005 CLOSED
    [ conn in reuse pool : FALSE]
    [ idle time : 00:19:14, byte count : 28504 ]
    [ elapsed time: 00:19:17, packet count: 21 ]

Is there anything I can do about this or is it dependent on the server-side doing something?

Thank you

Cathy
