VIP still reachable even if primary server farm is down

Unanswered Question
Nov 10th, 2009

Hi,

I want to make sure that a VIP is not PING-able anymore when the primary server farm is down (all servers are down).

For that I have the following configuration :

serverfarm host NCL_FARM_TEST
  probe NCL_PROBE_HTTP
  rserver CHPAUN028 443
    inservice

policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
  description *** Load balancing rule for test in http mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    compress default-method gzip
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT

policy-map multi-match VIP_PROD_AND_TEST
  class L4_CLASS_NCL_TEST_HTTP
    loadbalance vip inservice
    loadbalance policy L7_POLICY_NCL_TEST_HTTP
    loadbalance vip icmp-reply active primary-inservice
    nat dynamic 2 vlan 115
    appl-parameter http advanced-options NCL_HTTP_PARAM

While testing this feature, I realized that the VIP is still reachable (PING), even if the server in the farm is in PROBE_FAILED status (for the test, I have only one rserver in the farm).

Here is the server farm status, while PING is still possible :

CH01AC03/P-115-A# sh serverfarm NCL_FARM_TEST detail
 serverfarm : NCL_FARM_TEST, type: HOST
 total rservers : 1
 active rservers: 0
 description : *** Test Server Farm ***
 state : INACTIVE
 predictor : ROUNDROBIN
 failaction : -
 back-inservice : 0
 partial-threshold : 0
 num times failover : 27
 num times back inservice : 28
 total conn-dropcount : 0
 Probe(s) :
   NCL_PROBE_HTTP, type = HTTP
 ---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: CHPAUN028
       10.240.3.128:443      8      PROBE-FAILED 0          609        8
         description : -
         max-conns : - , out-of-rotation count : -
         min-conns : -
         conn-rate-limit : - , out-of-rotation count : -
         bandwidth-rate-limit : - , out-of-rotation count : -
         retcode out-of-rotation count : -

In the documentation, regarding the command "vip loadbalance icmp-reply active primary-inservice", it is stated that the ACE should discard ping packets if all servers in the primary server farm are down.

I probably missed something, but what ?

Here is the service-policy status :

Policy-map : VIP_PROD_AND_TEST
Status : ACTIVE
-----------------------------------------
Interface: vlan 1 115
  class: L4_CLASS_NCL_TEST_HTTP
    nat:
      nat dynamic 2 vlan 115
      curr conns : 0 , hit count : 56
      dropped conns : 0
      client pkt count : 809 , client byte count: 231750
      server pkt count : 1262 , server byte count: 1375334
      conn-rate-limit : 0 , drop-count : 0
      bandwidth-rate-limit : 0 , drop-count : 0
    loadbalance:
      L7 loadbalance policy: L7_POLICY_NCL_TEST_HTTP
      VIP ICMP Reply : ENABLED-WHEN-PRIMARY-SF-UP
      VIP State: INSERVICE
      Persistence Rebalance: ENABLED
      curr conns : 0 , hit count : 56
      dropped conns : 0
      client pkt count : 809 , client byte count: 231750
      server pkt count : 1262 , server byte count: 1375334
      conn-rate-limit : 0 , drop-count : 0
      bandwidth-rate-limit : 0 , drop-count : 0
    compression:
      bytes_in : 1052393
      bytes_out : 309229
      Compression ratio : 70.61%
    Parameter-map(s):
      NCL_HTTP_PARAM

Thank you for any hints,

Yves Haemmerli

yves.haemmerli Tue, 11/10/2009 - 04:30

Gilles,

Here is the output of the requested command :

CH01AC03/P-115-A# show cfgmgr internal table icmp-vip
Index  Ctx  addr          mask             IfID  flags
----------------------------------------------------------------
387    2    10.56.33.103  255.255.255.255  13    VIP up, primary sf up, icmp reply-when-primary-sf-active
1850   2    10.56.33.102  255.255.255.255  8     VIP up, primary sf up, icmp reply-when-primary-sf-active
7065   2    127.1.0.193   255.255.255.0    8     VIP up, primary sf down
13273  2    10.56.33.102  255.255.255.255  13    VIP up, primary sf up, icmp reply-when-primary-sf-active
14424  2    10.56.33.103  255.255.255.255  8     VIP up, primary sf up, icmp reply-when-primary-sf-active

CH01AC03/P-115-A# show serverfarm NCL_FARM_TEST
 serverfarm : NCL_FARM_TEST, type: HOST
 total rservers : 1
 ---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: CHPAUN028
       10.240.3.128:443      8      PROBE-FAILED 0          648        8

Note that the VIP in question is 10.56.33.103

Thank you

Yves

Gilles Dufour Tue, 11/10/2009 - 04:54

Yves,

Seems like the VIP is considered UP for icmp manager.

Do you have multiple policies using the same class-map but a different serverfarm?

Gilles.

yves.haemmerli Tue, 11/10/2009 - 05:12

Gilles,

I have effectively four different policy maps:

- one for PROD when the client arrives with HTTP

- one for PROD when the client arrives with HTTPS

- one for TEST when the client arrives with HTTP

- one for TEST when the client arrives with HTTPS

However, the PROD and the TEST environments use different server farms. I am testing the icmp-reply feature on the TEST environment. In the TEST environment, both Layer-7 policy maps use the same server farm.

Here are the four policy maps:

policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTP
  description *** Load balancing rule for production in http mode ***
  class L7_CLASS_PROD
    serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_PROD_HTTP

policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTPS
  description *** Load balancing rule for production in https mode ***
  class L7_CLASS_PROD
    serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_PROD_HTTPS

policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
  description *** Load balancing rule for test in http mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    compress default-method gzip
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_TEST_HTTP

policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTPS
  description *** Load balancing rule for test in https mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_TEST_HTTPS

Yves

Gilles Dufour Tue, 11/10/2009 - 06:36

Yves,

Actually, the rule is that all class-maps using the same virtual IP should be configured with the same icmp reply command for the command to work.

Gilles.
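
Added example, not part of the thread and not Cisco code: a small Python check for the rule stated in the reply above, reporting every VIP whose L4 classes in a multi-match policy carry different icmp-reply settings. The sample configuration is constructed; its class-map definitions (`match virtual-address` lines) and the `L4_CLASS_NCL_TEST_HTTPS` class name are assumptions, since the thread does not show them.

```python
import re
from collections import defaultdict

# Constructed sample: class-maps and the *_HTTPS class are assumptions, not from the thread.
SAMPLE = """\
class-map match-all L4_CLASS_NCL_TEST_HTTP
  2 match virtual-address 10.56.33.103 tcp eq 80
class-map match-all L4_CLASS_NCL_TEST_HTTPS
  2 match virtual-address 10.56.33.103 tcp eq 443
policy-map multi-match VIP_PROD_AND_TEST
  class L4_CLASS_NCL_TEST_HTTP
    loadbalance vip icmp-reply active primary-inservice
  class L4_CLASS_NCL_TEST_HTTPS
    loadbalance vip icmp-reply active
"""
ICMP = "loadbalance vip icmp-reply"

def icmp_reply_by_vip(config):
    """Return {vip: {L4 class: icmp-reply option}} for multi-match policies."""
    vips_of_class = defaultdict(set)   # class-map name -> VIPs it matches
    setting = {}                       # L4 class -> icmp-reply option
    section = name = cls = None
    for raw in filter(str.strip, config.splitlines()):   # skip blank lines
        line = raw.strip()
        if not raw[0].isspace():       # unindented line opens a new section
            section, name, cls = None, line.split()[-1], None
            if line.startswith("class-map "):
                section = "class-map"
            elif line.startswith("policy-map multi-match "):
                section = "l4-policy"
        elif section == "class-map":
            if m := re.search(r"match virtual-address (\S+)", line):
                vips_of_class[name].add(m.group(1))
        elif section == "l4-policy" and line.startswith("class "):
            cls = line.split()[1]
            setting[cls] = "absent"    # until an icmp-reply line is seen
        elif section == "l4-policy" and cls and line.startswith(ICMP):
            setting[cls] = line[len(ICMP):].strip() or "no option"
    by_vip = defaultdict(dict)
    for c, opt in setting.items():
        for vip in vips_of_class.get(c, ()):
            by_vip[vip][c] = opt
    return dict(by_vip)

def inconsistent_vips(config):
    """VIPs whose L4 classes do not all carry the same icmp-reply setting."""
    return {v: c for v, c in icmp_reply_by_vip(config).items()
            if len(set(c.values())) > 1}
```

Run against a saved running-config, an empty result from `inconsistent_vips` means every class sharing a VIP has the same icmp-reply line.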

yves.haemmerli Tue, 11/10/2009 - 07:13

Gilles,

It is the case, I think. The VIP on which I test the feature is 10.56.33.103. I have two L4 class-maps for this VIP and, in the multi-match policy, I have the same icmp reply command for each of them.

I sent you the complete configuration via mail.

Yves
