
VIP still reachable even if primary server farm is down

yves.haemmerli
Level 1

Hi,

I want to make sure that a VIP is not PING-able anymore when the primary server farm is down (all servers are down).

For that I have the following configuration :

serverfarm host NCL_FARM_TEST
  probe NCL_PROBE_HTTP
  rserver CHPAUN028 443
    inservice

policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
  description *** Load balancing rule for test in http mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    compress default-method gzip
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT

policy-map multi-match VIP_PROD_AND_TEST
  class L4_CLASS_NCL_TEST_HTTP
    loadbalance vip inservice
    loadbalance policy L7_POLICY_NCL_TEST_HTTP
    loadbalance vip icmp-reply active primary-inservice
    nat dynamic 2 vlan 115
    appl-parameter http advanced-options NCL_HTTP_PARAM

While testing this feature, I realized that the VIP is still reachable (PING), even if the server in the farm is in PROBE_FAILED status (for the test, I have only one rserver in the farm).

Here is the server farm status, while PING is still possible :

CH01AC03/P-115-A# sh serverfarm NCL_FARM_TEST detail
serverfarm : NCL_FARM_TEST, type: HOST
total rservers : 1
active rservers: 0
description : *** Test Server Farm ***
state : INACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 27
num times back inservice : 28
total conn-dropcount : 0
Probe(s) :
    NCL_PROBE_HTTP, type = HTTP
---------------------------------
                                              ----------connections-----------
    real                  weight state        current    total      failures
---+---------------------+------+------------+----------+----------+---------
rserver: CHPAUN028
    10.240.3.128:443      8      PROBE-FAILED 0          609        8
        description : -
        max-conns : - , out-of-rotation count : -
        min-conns : -
        conn-rate-limit : - , out-of-rotation count : -
        bandwidth-rate-limit : - , out-of-rotation count : -
        retcode out-of-rotation count : -

In the documentation, regarding the command "vip loadbalance icmp-reply active primary-inservice", it is stated that the ACE should discard ping packets if all servers in the primary server farm are down.

I probably missed something, but what ?

Here is the service-policy status :

Policy-map : VIP_PROD_AND_TEST
Status : ACTIVE
-----------------------------------------
Interface: vlan 1 115
  class: L4_CLASS_NCL_TEST_HTTP
    nat:
      nat dynamic 2 vlan 115
      curr conns : 0 , hit count : 56
      dropped conns : 0
      client pkt count : 809 , client byte count: 231750
      server pkt count : 1262 , server byte count: 1375334
      conn-rate-limit : 0 , drop-count : 0
      bandwidth-rate-limit : 0 , drop-count : 0
    loadbalance:
      L7 loadbalance policy: L7_POLICY_NCL_TEST_HTTP
      VIP ICMP Reply : ENABLED-WHEN-PRIMARY-SF-UP
      VIP State: INSERVICE
      Persistence Rebalance: ENABLED
      curr conns : 0 , hit count : 56
      dropped conns : 0
      client pkt count : 809 , client byte count: 231750
      server pkt count : 1262 , server byte count: 1375334
      conn-rate-limit : 0 , drop-count : 0
      bandwidth-rate-limit : 0 , drop-count : 0
    compression:
      bytes_in : 1052393
      bytes_out : 309229
      Compression ratio : 70.61%
    Parameter-map(s):
      NCL_HTTP_PARAM

Thank you for any hints,

Yves Haemmerli


Gilles Dufour
Cisco Employee

Could you get a 'show cfgmgr internal table icmp-vip'?

Thanks.

Gilles.

Gilles,

Here is the output of the requested command :

CH01AC03/P-115-A# show cfgmgr internal table icmp-vip
Index  Ctx  addr          mask             IfID  flags
----------------------------------------------------------------
387    2    10.56.33.103  255.255.255.255  13    VIP up, primary sf up, icmp reply-when-primary-sf-active
1850   2    10.56.33.102  255.255.255.255  8     VIP up, primary sf up, icmp reply-when-primary-sf-active
7065   2    127.1.0.193   255.255.255.0    8     VIP up, primary sf down
13273  2    10.56.33.102  255.255.255.255  13    VIP up, primary sf up, icmp reply-when-primary-sf-active
14424  2    10.56.33.103  255.255.255.255  8     VIP up, primary sf up, icmp reply-when-primary-sf-active

CH01AC03/P-115-A# show serverfarm NCL_FARM_TEST
serverfarm : NCL_FARM_TEST, type: HOST
total rservers : 1
---------------------------------
                                              ----------connections-----------
    real                  weight state        current    total      failures
---+---------------------+------+------------+----------+----------+---------
rserver: CHPAUN028
    10.240.3.128:443      8      PROBE-FAILED 0          648        8

Note that the VIP in question is 10.56.33.103

Thank you

Yves

Yves,

Seems like the VIP is considered UP for the icmp manager.

Do you have multiple policies using the same class-map but different serverfarms?

Gilles.

Gilles,

I have effectively four different policy maps:

- one for PROD when the client arrives with HTTP

- one for PROD when the client arrives with HTTPS

- one for TEST when the client arrives with HTTP

- one for TEST when the client arrives with HTTPS

However, the PROD and the TEST environments use different server farms. I am testing the icmp-reply feature on the TEST environment. In the TEST environment, both Layer-7 policy maps use the same server farm.

Here are the four policy maps:

policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTP
  description *** Load balancing rule for production in http mode ***
  class L7_CLASS_PROD
    serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_PROD_HTTP

policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTPS
  description *** Load balancing rule for production in https mode ***
  class L7_CLASS_PROD
    serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_PROD_HTTPS

policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
  description *** Load balancing rule for test in http mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    compress default-method gzip
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_TEST_HTTP

policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTPS
  description *** Load balancing rule for test in https mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_TEST_HTTPS

Yves

Yves,

Actually, the rule is that all class-maps using the same virtual IP should be configured with the same icmp reply command for the command to work.

Gilles.

Gilles,

It is the case, I think. The VIP on which I test the feature is 10.56.33.103. I have two L4 class-maps for this VIP and, in the multi-match policy, I have the same icmp reply command for each of them.

I sent you the complete configuration via mail.

Yves
