VIP still reachable even if primary server farm is down

Unanswered Question
Nov 10th, 2009

Hi,


I want to make sure that the VIP is not PING-able anymore when the primary server farm is down (all servers are down).

For that I have the following configuration :


serverfarm host NCL_FARM_TEST
  probe NCL_PROBE_HTTP
  rserver CHPAUN028 443
    inservice

policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
  description *** Load balancing rule for test in http mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    compress default-method gzip
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT

policy-map multi-match VIP_PROD_AND_TEST
  class L4_CLASS_NCL_TEST_HTTP
    loadbalance vip inservice
    loadbalance policy L7_POLICY_NCL_TEST_HTTP
    loadbalance vip icmp-reply active primary-inservice
    nat dynamic 2 vlan 115
    appl-parameter http advanced-options NCL_HTTP_PARAM



While testing this feature, I realize that the VIP is still reachable (PING), even if the server in the farm is in PROBE_FAILED status (for the test, I have only one rserver in the farm).


Here is the server farm status, while PING is still possible :


CH01AC03/P-115-A# sh serverfarm NCL_FARM_TEST detail
 serverfarm     : NCL_FARM_TEST, type: HOST
 total rservers : 1
 active rservers: 0
 description    : *** Test Server Farm ***
 state          : INACTIVE
 predictor      : ROUNDROBIN
 failaction     : -
 back-inservice    : 0
 partial-threshold : 0
 num times failover       : 27
 num times back inservice : 28
 total conn-dropcount : 0
 Probe(s) :
    NCL_PROBE_HTTP, type = HTTP

 ---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: CHPAUN028
       10.240.3.128:443      8      PROBE-FAILED 0          609        8
         description : -
         max-conns : - , out-of-rotation count : -
         min-conns : -
         conn-rate-limit : - , out-of-rotation count : -
         bandwidth-rate-limit : - , out-of-rotation count : -
         retcode out-of-rotation count : -



In the documentation, regarding the command "vip loadbalance icmp-reply active primary-inservice", it is stated that the ACE should discard ping packets if all servers in the primary server farm are down.


I probably missed something, but what ?


Here is the service-policy status :


Policy-map : VIP_PROD_AND_TEST
Status     : ACTIVE
-----------------------------------------
Interface: vlan 1 115
  class: L4_CLASS_NCL_TEST_HTTP
    nat:
      nat dynamic 2 vlan 115
      curr conns : 0 , hit count : 56
      dropped conns : 0
      client pkt count : 809 , client byte count: 231750
      server pkt count : 1262 , server byte count: 1375334
      conn-rate-limit : 0 , drop-count : 0
      bandwidth-rate-limit : 0 , drop-count : 0
    loadbalance:
      L7 loadbalance policy: L7_POLICY_NCL_TEST_HTTP
      VIP ICMP Reply : ENABLED-WHEN-PRIMARY-SF-UP
      VIP State: INSERVICE
      Persistence Rebalance: ENABLED
      curr conns : 0 , hit count : 56
      dropped conns : 0
      client pkt count : 809 , client byte count: 231750
      server pkt count : 1262 , server byte count: 1375334
      conn-rate-limit : 0 , drop-count : 0
      bandwidth-rate-limit : 0 , drop-count : 0
    compression:
      bytes_in : 1052393
      bytes_out : 309229
      Compression ratio : 70.61%
    Parameter-map(s):
      NCL_HTTP_PARAM


Thank you for any hints,


Yves Haemmerli


Gilles Dufour (Cisco Employee) Tue, 11/10/2009 - 03:46

Could you get a 'show cfgmgr internal table icmp-vip'?


Thanks.


Gilles.

yves.haemmerli Tue, 11/10/2009 - 04:30

Gilles,


Here is the output of the requested command :


CH01AC03/P-115-A# show cfgmgr internal table icmp-vip

Index  Ctx  addr          mask             IfID  flags
----------------------------------------------------------------
387    2    10.56.33.103  255.255.255.255  13    VIP up, primary sf up, icmp reply-when-primary-sf-active
1850   2    10.56.33.102  255.255.255.255  8     VIP up, primary sf up, icmp reply-when-primary-sf-active
7065   2    127.1.0.193   255.255.255.0    8     VIP up, primary sf down
13273  2    10.56.33.102  255.255.255.255  13    VIP up, primary sf up, icmp reply-when-primary-sf-active
14424  2    10.56.33.103  255.255.255.255  8     VIP up, primary sf up, icmp reply-when-primary-sf-active

CH01AC03/P-115-A# show serverfarm NCL_FARM_TEST
 serverfarm     : NCL_FARM_TEST, type: HOST
 total rservers : 1
 ---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: CHPAUN028
       10.240.3.128:443      8      PROBE-FAILED 0          648        8



Note that the VIP in question is 10.56.33.103


Thank you


Yves

Gilles Dufour (Cisco Employee) Tue, 11/10/2009 - 04:54

Yves,

Seems like the VIP is considered UP for the ICMP manager.

Do you have multiple policies using the same class-map but different serverfarms?


Gilles.

yves.haemmerli Tue, 11/10/2009 - 05:12

Gilles,


I have effectively four different policy maps:

- one for PROD when the client arrives with HTTP
- one for PROD when the client arrives with HTTPS
- one for TEST when the client arrives with HTTP
- one for TEST when the client arrives with HTTPS

However, the PROD and the TEST environments use different server farms. I am testing the icmp-reply feature on the TEST environment. In the TEST environment, both Layer-7 policy maps use the same server farm.

Here are the four policy maps:


policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTP
  description *** Load balancing rule for production in http mode ***
  class L7_CLASS_PROD
    serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_PROD_HTTP

policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTPS
  description *** Load balancing rule for production in https mode ***
  class L7_CLASS_PROD
    serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_PROD_HTTPS

policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
  description *** Load balancing rule for test in http mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    compress default-method gzip
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_TEST_HTTP

policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTPS
  description *** Load balancing rule for test in https mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_TEST_HTTPS



Yves

Gilles Dufour (Cisco Employee) Tue, 11/10/2009 - 06:36

Yves,

Actually, the rule is that all class-maps using the same virtual IP should be configured with the same icmp reply command for the command to work.


Gilles.
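
The rule stated in the reply above (every L4 class that matches the same virtual IP must carry the same icmp-reply command) can be checked against a saved configuration. The sketch below is an added example, not part of the original thread and not a Cisco tool; the function names, the HTTPS class name and the sample configuration are constructed, and it assumes running-config text with its indentation intact.

```python
import re
from collections import defaultdict

# Constructed sample, not the poster's real configuration; the HTTPS class name is hypothetical.
SAMPLE = """\
class-map match-all L4_CLASS_NCL_TEST_HTTP
  2 match virtual-address 10.56.33.103 tcp eq www
class-map match-all L4_CLASS_NCL_TEST_HTTPS
  2 match virtual-address 10.56.33.103 tcp eq https
policy-map multi-match VIP_PROD_AND_TEST
  class L4_CLASS_NCL_TEST_HTTP
    loadbalance vip inservice
    loadbalance vip icmp-reply active primary-inservice
  class L4_CLASS_NCL_TEST_HTTPS
    loadbalance vip inservice
    loadbalance vip icmp-reply active
"""

def icmp_reply_by_vip(config):
    """Map each VIP to {(policy, class): icmp-reply line, or None if absent}."""
    vips_of_class = defaultdict(set)   # class-map name -> VIPs it matches
    setting = {}                       # (policy, class) -> icmp-reply line
    cmap = policy = cls = None
    for raw in filter(str.strip, config.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():       # a top-level statement resets the context
            cmap = policy = cls = None
            if m := re.match(r"class-map\s+(?:match-\w+\s+)?(\S+)$", line):
                cmap = m.group(1)
            elif m := re.match(r"policy-map\s+multi-match\s+(\S+)$", line):
                policy = m.group(1)
        elif cmap:                     # inside an L3/L4 class-map
            if m := re.search(r"match\s+virtual-address\s+(\S+)", line):
                vips_of_class[cmap].add(m.group(1))
        elif policy:                   # inside a multi-match policy-map
            if m := re.match(r"class\s+(\S+)$", line):
                cls = m.group(1)
                setting[(policy, cls)] = None
            elif cls and line.startswith("loadbalance vip icmp-reply"):
                setting[(policy, cls)] = line
    by_vip = defaultdict(dict)
    for (pol, c), value in setting.items():
        for vip in vips_of_class.get(c, ()):
            by_vip[vip][(pol, c)] = value
    return dict(by_vip)

def inconsistent_vips(config):
    """Return only the VIPs whose classes disagree on the icmp-reply command."""
    return {vip: s for vip, s in icmp_reply_by_vip(config).items()
            if len(set(s.values())) > 1}
```

A class that matches the VIP but has no icmp-reply line at all is reported with the value None, so it also counts as a mismatch.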

yves.haemmerli Tue, 11/10/2009 - 07:13

Gilles,


It is the case, I think. The VIP on which I test the feature is 10.56.33.103. I have two L4 class-maps for this VIP and, in the multi-match policy, I have the same icmp reply command for each of them.


I sent you the complete configuration via mail.


Yves
