Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
454
Views
0
Helpful
3
Replies

Connection Failures between ACE and MS ISA

g.raymakers
Level 1
Level 1

‎08-07-2009 05:08 AM

Hi,

I'm using an ACE4710 to loadbalance client requests to a number of Microsoft ISA proxies. I seem to be getting connection failures when looking at the stats on the ACE4710, see example:

real weight state current total failures

---+---------------------+------+------------+----------+----------+---------

rserver: Gllnwis001

10.78.2.4:0 8 OPERATIONAL 0 43382 7

rserver: Gllnwis002

10.78.2.5:0 8 OPERATIONAL 0 42937 5

rserver: Gllnwis003

10.78.2.6:0 8 OPERATIONAL 0 43001 6

The effect on the client is that it's showing a conenction refused in Internet Explorer.

What could cause these failed connections? The servers are new and not being used at all, the ports are all fixed to 1000M FDX...

Many Thanks,

Guy

Labels:
0 Helpful
3 Replies 3

Gilles Dufour
Cisco Employee
Cisco Employee

‎08-07-2009 05:52 AM

The failure is counted when the server does not respond to a SYN or sends a RST.

You have more or less 20 failures out of 130k connections.

That's 1 failure for 6500 connections.

I'm not sure your customers can really be impacted by this.

But if you want to be sure, you will need to capture sniffer traces on the servers and verify that every SYN is answered.

Capture a 'show serverfarm' and start the trace to catch SYN, SYN/ACK and RST.

As soon as you see the failure counter increments, stop the trace and check all SYN and RST.

Gilles.

0 Helpful

g.raymakers
Level 1
Level 1
In response to Gilles Dufour

‎08-07-2009 10:06 AM

Thanks Gilles, i'll start with the captures.

Clients connecting to the ISA proxies are sometimes getting a connection refused error. This doesn't happen when the clients connect direct to the ISA proxy, it only happens when the ACE is in between. I was therefore linking the connection failures to the connection refused messages that the clients are getting. Could you think of any reason why the ACE would deny a connection for a client?

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to g.raymakers

‎08-08-2009 02:58 PM

There could be many reasons.

You should probably capture 1 show tech now and another one when the problem is reported.

I can then have a look to both and check all the DROP counters.

I can also proactively look at show tech now if you want and see if there is anything suspicious.

Gilles.

0 Helpful
Customers Also Viewed These Support Documents