11-10-2009 03:31 AM
Hi,
I want to make sure that a VIP is not PING-able anymore when the primary server farm is down (all servers are down).
For that I have the following configuration :
serverfarm host NCL_FARM_TEST
  probe NCL_PROBE_HTTP
  rserver CHPAUN028 443
    inservice
policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
  description *** Load balancing rule for test in http mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    compress default-method gzip
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
policy-map multi-match VIP_PROD_AND_TEST
  class L4_CLASS_NCL_TEST_HTTP
    loadbalance vip inservice
    loadbalance policy L7_POLICY_NCL_TEST_HTTP
    loadbalance vip icmp-reply active primary-inservice
    nat dynamic 2 vlan 115
    appl-parameter http advanced-options NCL_HTTP_PARAM
While testing this feature, I realize that the VIP is still reachable (PING), even if the server in the farm is in PROBE_FAILED status (for the test, I have only one rserver in the farm).
Here is the server farm status, while PING is still possible :
CH01AC03/P-115-A# sh serverfarm NCL_FARM_TEST detail
serverfarm : NCL_FARM_TEST, type: HOST
total rservers : 1
active rservers: 0
description : *** Test Server Farm ***
state : INACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 27
num times back inservice : 28
total conn-dropcount : 0
Probe(s) :
NCL_PROBE_HTTP, type = HTTP
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: CHPAUN028
10.240.3.128:443 8 PROBE-FAILED 0 609 8
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
In the documentation, regarding the command "vip loadbalance icmp-reply active primary-inservice", it is stated that the ACE should discard ping packets if all servers in the primary server farm are down.
I probably missed something, but what ?
Here is the service-policy status :
Policy-map : VIP_PROD_AND_TEST
Status : ACTIVE
-----------------------------------------
Interface: vlan 1 115
class: L4_CLASS_NCL_TEST_HTTP
nat:
nat dynamic 2 vlan 115
curr conns : 0 , hit count : 56
dropped conns : 0
client pkt count : 809 , client byte count: 231750
server pkt count : 1262 , server byte count: 1375334
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: L7_POLICY_NCL_TEST_HTTP
VIP ICMP Reply : ENABLED-WHEN-PRIMARY-SF-UP
VIP State: INSERVICE
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 56
dropped conns : 0
client pkt count : 809 , client byte count: 231750
server pkt count : 1262 , server byte count: 1375334
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 1052393
bytes_out : 309229
Compression ratio : 70.61%
Parameter-map(s):
NCL_HTTP_PARAM
Thank you for any hints,
Yves Haemmerli
11-10-2009 03:46 AM
Could you get a 'show cfgmgr internal table icmp-vip'
Thanks.
Gilles.
11-10-2009 04:30 AM
Gilles,
Here is the output of the requested command :
CH01AC03/P-115-A# show cfgmgr internal table icmp-vip
Index Ctx addr mask IfID flags
----------------------------------------------------------------
387 2 10.56.33.103 255.255.255.255 13 VIP up, primary sf up, icmp reply-when-primary-sf-active
1850 2 10.56.33.102 255.255.255.255 8 VIP up, primary sf up, icmp reply-when-primary-sf-active
7065 2 127.1.0.193 255.255.255.0 8 VIP up, primary sf down
13273 2 10.56.33.102 255.255.255.255 13 VIP up, primary sf up, icmp reply-when-primary-sf-active
14424 2 10.56.33.103 255.255.255.255 8 VIP up, primary sf up, icmp reply-when-primary-sf-active
CH01AC03/P-115-A# show serverfarm NCL_FARM_TEST
serverfarm : NCL_FARM_TEST, type: HOST
total rservers : 1
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: CHPAUN028
10.240.3.128:443 8 PROBE-FAILED 0 648 8
Note that the VIP in question is 10.56.33.103
Thank you
Yves
11-10-2009 04:54 AM
Yves,
Seems like the VIP is considered UP for the icmp manager.
Do you have multiple policies using the same class-map but different serverfarms?
Gilles.
11-10-2009 05:12 AM
Gilles,
I have effectively four different policy maps:
- one for PROD when the client arrives with HTTP
- one for PROD when the client arrives with HTTPS
- one for TEST when the client arrives with HTTP
- one for TEST when the client arrives with HTTPS
However, the PROD and the TEST environments use different server farms. I am testing the icmp-reply feature on the TEST environment. In the TEST environment, both Layer-7 policy maps use the same server farm.
Here are the four policy maps:
policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTP
  description *** Load balancing rule for production in http mode ***
  class L7_CLASS_PROD
    serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_PROD_HTTP
policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTPS
  description *** Load balancing rule for production in https mode ***
  class L7_CLASS_PROD
    serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_PROD_HTTPS
policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
  description *** Load balancing rule for test in http mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    compress default-method gzip
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_TEST_HTTP
policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTPS
  description *** Load balancing rule for test in https mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_TEST_HTTPS
Yves
11-10-2009 06:36 AM
Yves,
Actually, the rule is that all class-maps using the same virtual IP should be configured with the same icmp reply command for the command to work.
Gilles.
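The rule in the reply above can be checked against a saved configuration before testing with ping. The following is an added example, not part of the original thread and not Cisco code: it groups L4 class-maps by the VIP they match and reports VIPs whose classes carry different `loadbalance vip icmp-reply` settings. The sample configuration is constructed; the `match virtual-address` lines and the class-map names other than L4_CLASS_NCL_TEST_HTTP are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config (not the poster's real configuration). The HTTPS
# class deliberately uses a different icmp-reply form to show a mismatch.
SAMPLE_CONFIG = """\
class-map match-all L4_CLASS_NCL_TEST_HTTP
  2 match virtual-address 10.56.33.103 tcp eq www
class-map match-all L4_CLASS_NCL_TEST_HTTPS
  2 match virtual-address 10.56.33.103 tcp eq https
class-map match-all L4_CLASS_NCL_PROD_HTTP
  2 match virtual-address 10.56.33.102 tcp eq www
policy-map multi-match VIP_PROD_AND_TEST
  class L4_CLASS_NCL_TEST_HTTP
    loadbalance vip icmp-reply active primary-inservice
  class L4_CLASS_NCL_TEST_HTTPS
    loadbalance vip icmp-reply active
  class L4_CLASS_NCL_PROD_HTTP
    loadbalance vip icmp-reply active primary-inservice
"""

def icmp_reply_by_vip(config):
    """Map each VIP to {class-map name: icmp-reply setting, or None if absent}."""
    class_vips = defaultdict(set)   # class-map name -> VIP addresses it matches
    class_icmp = {}                 # class in a multi-match policy -> setting
    section = current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"class-map\s+(?:match-(?:all|any)\s+)?(\S+)", line):
            section, current = "class-map", m.group(1)
        elif line.startswith("policy-map"):
            section, current = ("multi" if "multi-match" in line else None), None
        elif section == "class-map" and (m := re.search(r"match virtual-address (\S+)", line)):
            class_vips[current].add(m.group(1))
        elif section == "multi" and (m := re.match(r"class (\S+)", line)):
            current = m.group(1)
            class_icmp.setdefault(current, None)
        elif section == "multi" and current and (m := re.match(r"loadbalance vip icmp-reply\s*(.*)", line)):
            class_icmp[current] = m.group(1).strip() or "(always)"
    result = defaultdict(dict)
    for cls, vips in class_vips.items():
        for vip in vips:
            result[vip][cls] = class_icmp.get(cls)
    return dict(result)

def inconsistent_vips(config):
    """Return only the VIPs whose class-maps disagree on the icmp-reply setting."""
    return {vip: s for vip, s in icmp_reply_by_vip(config).items()
            if len(set(s.values())) > 1}
```

A class that matches the VIP but has no icmp-reply line at all is reported with `None`, which also counts as a mismatch against classes that set it.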
11-10-2009 07:13 AM
Gilles,
It is the case I think. The VIP on which I test the feature is the 10.56.33.103. I have two L4 class-map for this VIP and, in the multi-match policy, I have the same icmp reply command for each of them.
I sent you the complete configuration via mail.
Yves