ACE Load Balancing Problem

Dec 16th, 2009

Hi,

I have ACE 4701 with c4710ace-mz.A3_2_2.bin image. In the current setup, the ACE is located in the center of the network, where the WAN, Internet and LAN are all connected. The ACE has its default route towards the Internet, and all other segments have their default route towards the ACE appliance. The ACE is only redirecting the port 80 traffic to my proxy server and bypasses my LAN subnet on port 80.

                                 

Internet
|
|
ACE--------------------------------WAN
|
|
LAN

I want to use the ACE for load balancing two servers. Today I did the load balancing configuration, but as soon as I applied the policy map on interface vlan 200 and 300, my complete network reachability went down. When I removed the policy, my network came back to normal.

192.168.200.66   FAX Server-1
192.168.200.67   FAX Server-2
192.168.200.65   Virtual IP address

Attached is the configuration that I did on ACE for the load balancing and below is the current configuration of the ACE appliance.

access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
access-list acl-in line 1 extended permit ip any any
access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
access-list acl-out line 1 extended permit ip any any
access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
access-list acl-proxy line 1 extended permit ip any any
access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
access-list acl-wan line 1 extended permit ip any any

probe tcp PROBE_5050
  port 5050
  interval 15
  passdetect interval 60
  open 1
probe tcp PROBE_5101
  port 5101
  interval 15
  passdetect interval 60
  open 1
probe tcp PROBE_TCP
  port 80
  interval 15
  passdetect interval 60
  open 1

parameter-map type http PARAMAP_CASE
  case-insensitive
  no persistence-rebalance

rserver host RS_BCPR01
  ip address 192.168.0.103
  inservice
rserver host RS_BCPR02
  ip address 192.168.0.104
  inservice
rserver host RT_fax1
  description Right Fax Server-1
  ip address 192.168.200.66
rserver host RT_fax2
  description Right Fax Server-2
  ip address 192.168.200.67

serverfarm host SF_BCPR
  transparent
  probe PROBE_5050
  probe PROBE_5101
  probe PROBE_TCP
  rserver RS_BCPR01
    inservice
  rserver RS_BCPR02
    inservice
serverfarm host SF_RT_fax
  rserver RT_fax1
  rserver RT_fax2

sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
  replicate sticky
  serverfarm SF_BCPR
sticky ip-netmask 255.255.255.255 address source FAX-STICKY
  replicate sticky
  serverfarm SF_RT_fax

class-map type management match-any CM_ALL
  2 match protocol snmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol icmp any
  6 match protocol telnet any
class-map match-any CM_BYPASS_FOR_LAN
  3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
  8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
  9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
  10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_BYPASS_SUBNET
  9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
  13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
  14 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
  15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_IM
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
  3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
  4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
class-map match-all CM_SF_BCPR
  255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
class-map match-any RT_FAX
  2 match virtual-address 192.168.200.65 0.0.0.0 any

policy-map type management first-match PM_ALL
  class CM_ALL
    permit

policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
  class class-default
    forward
policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
  class class-default
    forward
policy-map type loadbalance first-match PM_LB_RT_FAX
  class class-default
    sticky-serverfarm FAX-STICKY
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
  class class-default
    sticky-serverfarm STICKY-SOURCE

policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
  class CM_BYPASS_FOR_LAN
    loadbalance vip inservice
    loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
policy-map multi-match PM_BYPASS_HTTP
  class CM_BYPASS_SUBNET
    loadbalance vip inservice
    loadbalance policy PM_L7_BYPASS_HTTP
policy-map multi-match PM_MAIN_BCPROXY
  class CM_SF_BCPR
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE
  class CM_IM
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
policy-map multi-match PM_RT_FAX
  class RT_FAX
    loadbalance vip inservice
    loadbalance policy PM_LB_RT_FAX

service-policy input PM_ALL

interface vlan 100
  description FW-INSIDE CONTEXT RACK1
  ip address 192.168.0.5 255.255.255.224
  alias 192.168.0.11 255.255.255.224
  peer ip address 192.168.0.6 255.255.255.224
  mac-address autogenerate
  no icmp-guard
  access-group input acl-out
  no shutdown
interface vlan 200
  description WAN-VLAN CONTEXT RACK1
  ip address 192.168.0.33 255.255.255.224
  alias 192.168.0.43 255.255.255.224
  peer ip address 192.168.0.34 255.255.255.224
  mac-address autogenerate
  access-group input acl-wan
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  no shutdown
interface vlan 300
  description ACE-INSIDE CONTEXT RACK1
  ip address 192.168.0.65 255.255.255.224
  alias 192.168.0.73 255.255.255.224
  peer ip address 192.168.0.66 255.255.255.224
  mac-address autogenerate
  access-group input acl-in
  service-policy input PM_BYPASS_FOR_LAN_HTTP
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  no shutdown
interface vlan 301
  description BC-VLAN CONTEXT RACK1
  ip address 192.168.0.97 255.255.255.224
  alias 192.168.0.107 255.255.255.224
  peer ip address 192.168.0.98 255.255.255.224
  mac-address autogenerate
  access-group input acl-proxy
  no shutdown

ft track interface TRACKING_FOR_FT_VLAN
  track-interface vlan 300
  peer track-interface vlan 300
  priority 255
  peer priority 255

ip route 0.0.0.0 0.0.0.0 192.168.0.1

Please help me figure out what I am missing. Is there any limitation on policy maps, or is my bypass subnet list creating the problem?

Gilles Dufour Thu, 12/17/2009 - 02:21

You should configure everything you did, without adding the service-policy to the interface.

Then add one policy at a time to one interface only.

See if it breaks anything.

See if it works.

Then proceed like this until you see which step creates a problem.

We can then investigate further.

G

wasiimcisco Fri, 12/18/2009 - 04:15

I made these changes. This time nothing disconnected, but I am not able to do Remote Desktop to the virtual IP address. The real IP has Remote Desktop enabled; even the VIP is not pingable for me.

rserver host RT_fax1
  description Right Fax Server-1
  ip address 192.168.200.66
  inservice
rserver host RT_fax2
  description Right Fax Server-2
  ip address 192.168.200.67
  inservice

serverfarm host SF_RT_fax
  rserver RT_fax1
    inservice
  rserver RT_fax2
    inservice

policy-map type loadbalance rdp first-match PM_LB_RT_FAX
  class class-default
    serverfarm SF_RT_fax

policy-map multi-match PM_RT_FAX
  class RT_FAX
    loadbalance vip inservice
    loadbalance policy PM_LB_RT_FAX
    loadbalance vip icmp-reply active

interface vlan 200
  description WAN-VLAN CONTEXT RACK1
  ip address 192.168.0.33 255.255.255.224
  alias 192.168.0.43 255.255.255.224
  peer ip address 192.168.0.34 255.255.255.224
  mac-address autogenerate
  access-group input acl-wan
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  service-policy input PM_RT_FAX
  no shutdown
interface vlan 300
  description ACE-INSIDE CONTEXT RACK1
  ip address 192.168.0.65 255.255.255.224
  alias 192.168.0.73 255.255.255.224
  peer ip address 192.168.0.66 255.255.255.224
  mac-address autogenerate
  access-group input acl-in
  service-policy input PM_BYPASS_FOR_LAN_HTTP
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  service-policy input PM_RT_FAX
  no shutdown

But nothing is working for me. Please help me out. This time I didn't configure the sticky. But in the real setup I will go with sticky, and the complete IP protocol will be used for the VIP. Please help me out.

wasiimcisco Fri, 12/18/2009 - 04:24

show stats loadbalance rdp

+------------------------------------------------------+
+------------- Rdp Loadbalance statistics -------------+
+------------------------------------------------------+
Total parse results received                  : 0
Total packets load balanced                   : 0
Total packets with routing token              : 0
Total packets with token matching no rserver  : 0

show service-policy PM_RT_FAX

Status     : ACTIVE
-----------------------------------------
Interface: vlan 1 200 300
  service-policy: PM_RT_FAX
    class: RT_FAX
      loadbalance:
        L7 loadbalance policy: PM_LB_RT_FAX
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0        
        dropped conns    : 0        
        client pkt count : 0         , client byte count: 0                  
        server pkt count : 0         , server byte count: 0                  
        conn-rate-limit      : 0         , drop-count : 0        
        bandwidth-rate-limit : 0         , drop-count : 0        
      compression:
        bytes_in  : 0                  
        bytes_out : 0                  
        Compression ratio : 0.00%

Gilles Dufour Mon, 12/21/2009 - 11:37

class-map match-any RT_FAX
  2 match virtual-address 192.168.200.65 0.0.0.0 any

If this is your class map, it does not look right.

Remove the 0.0.0.0

Gilles.
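
Added example, not part of the original thread: a small Python check for the class-map mistake pointed out above. It assumes the value after the address is applied as a standard subnet mask, as the other class maps in this thread use it, so `192.168.200.65 0.0.0.0 any` covers every destination. The sample text and the name RT_FAX_FIXED are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the syntax used in this thread; RT_FAX_FIXED is a
# hypothetical name for the class map after removing the 0.0.0.0 mask.
SAMPLE = """\
class-map match-all CM_SF_BCPR
  255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
class-map match-any CM_BYPASS_SUBNET
  13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
class-map match-any RT_FAX
  2 match virtual-address 192.168.200.65 0.0.0.0 any
class-map match-any RT_FAX_FIXED
  2 match virtual-address 192.168.200.65 any
"""

MATCH = re.compile(r"^\s*\d+\s+match\s+virtual-address\s+(\S+)"
                   r"(?:\s+(\d+\.\d+\.\d+\.\d+))?\s+(.+)$")

def parse(config):
    """Return (class_map, address, network, protocol_spec) per match line."""
    entries, current = [], None
    for line in config.splitlines():
        if line.startswith("class-map"):
            current = line.split()[-1]
        elif (m := MATCH.match(line)):
            addr, mask, spec = m.groups()
            # Assumption: no mask means a single host; a mask is a subnet mask.
            net = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}",
                                       strict=False)
            entries.append((current, addr, net, spec.strip()))
    return entries

def overbroad(config):
    """Class maps where a specific address is paired with an all-zero mask."""
    return [name for name, addr, net, _ in parse(config)
            if net.prefixlen == 0 and addr != "0.0.0.0"]

def classes_matching(config, dst):
    """Class maps whose address range covers dst (protocol and port ignored)."""
    ip = ipaddress.ip_address(dst)
    return [name for name, _, net, _ in parse(config) if ip in net]

if __name__ == "__main__":
    print("over-broad:", overbroad(SAMPLE))
    for dst in ("192.168.200.65", "192.168.0.103", "10.1.2.3"):
        print(dst, "->", classes_matching(SAMPLE, dst))
```

With the zero mask, RT_FAX also covers the proxy address 192.168.0.103 and LAN destinations, while the corrected entry covers only the VIP.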

wasiimcisco Mon, 12/21/2009 - 21:05

Thanks for the reply. I already tried this last week and it is working fine for me.
