odd behaviour with l4payload..

danilodicesare
Level 1

Hi all,

I've got a pretty strange problem with load balancing using some l4payload criteria. I'll show you the configuration (DNS stuff):

class-map type generic match-any dns_regex
  5 match layer4-payload offset 20 regex ".*corp100.100.*"
class-map type generic match-any dns_regex2
  5 match layer4-payload offset 20 regex ".*corp099.100.*"
class-map match-all DNS_VIP
  5 match virtual-address 192.168.1.100 udp eq domain

parameter-map type dns DAS_TEST
  timeout query 2

policy-map type loadbalance generic first-match dns_regex
  class dns_regex
    serverfarm DNS
  class dns_regex2
    serverfarm DNS

  class DNS_VIP
    loadbalance vip inservice
    loadbalance policy dns_regex
    loadbalance vip icmp-reply active
    appl-parameter dns advanced-options DAS_TEST
    inspect dns maximum-length 2048

Quite easy configuration, quite hard behaviour.
If I do the first query with something like corp099.100, all works and I can see some hits on the service policy. The strange thing is that if I do a query with corp100.100 I cannot see any new hit on the other server farm; stranger still, if I do a query for corp091.100 it all works (it is not allowed by the class-map). So if I perform a clear conn all and try again to query corp091.100, it doesn't work. Odd again: if I do another query to an allowed regex expression like corp100.100 all works (of course), and if I try the unallowed query again I can perform it. So if a conn is open, other connections use the same socket, or so it seems...
Do you think it is a bug?
PS: ACE module release A2.1(0)
Das

7 Replies

danilodicesare
Level 1

Hi all,

I've updated the release to A2(2.3) but same results... so I've put fast-age on the policy MM under the class and all seems to work.

By now I have no idea if it is a bug or expected ACE module behaviour.

Das

So... just to resume:

If I put fast-age, the class-maps work properly, but if I generate lots of queries (dnsperf) almost all queries fail... Without fast-age the class-maps don't work properly, but if I generate lots of queries I can see all responses.

Das

From the udp-fast-age guide: "By default, the ACE could load balance UDP packets using the same tuple to the same real server on an existing connection." My effort to interpret it: in other sections, 'tuple' contains (dst VIP, dst port, protocol). A connection also contains the client src IP. Requests from another client might be directed to another farm (provided you don't use the same farm in both classes). Have you tested it from another client IP too? It may well be a documented feature.

Peter Koltl
Level 7

Have you omitted some lines from the config? Is the 'class DNS_VIP' section really under 'policy-map type loadbalance generic first-match dns_regex'? I guess it should fit under a multi-match policy-map.

Hi Peter,

Yes, it is under the policy MM.

Das

Gilles Dufour
Cisco Employee

Das,

same problem as for your other query.

You have to understand that ACE by default only checks the first query of a connection.

Once the server is identified, we assume we have to continue with that server until the connection is closed.

Therefore, we stop inspecting queries.

This is why if your first query hit server #1, all subsequent queries will also go to server #1 even those that are not allowed.

By enabling fast-age, you tell ACE to kill the connection after the first query/response.

Therefore the next query is like a new connection and ACE will need to make a new decision.

All this is normal.

Gilles.
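Gilles's explanation above, as an added Python model that is not part of the thread or of Cisco's ACE software: a connection table keyed by the UDP 5-tuple, first-match classification of the DNS wire payload from byte offset 20, and a fast-age switch. The thread does not give the full query names, so the sample queries are constructed names such as client1.corp099.100.example, chosen so that the corpNNN label starts past byte 20 of the UDP payload (the 12-byte DNS header plus the first 8 bytes of the name); the client socket is also constructed. Two things the model makes visible that the config alone does not: in wire format, labels are separated by length bytes, so the '.' in "corp100.100" matches a 0x03 length byte rather than an ASCII dot, and offset 20 cuts into the name, so a query for a short name like corp100.100.example never matches because its "corp100" label lies before the offset.

```python
import re
import struct

# Assumed (simplified) model of the thread's policy: two generic class-maps
# matching a regex on the UDP payload from byte offset 20, evaluated first-match.
# Both send to serverfarm DNS, as in the posted config.
L4_OFFSET = 20
POLICY = [
    ("dns_regex",  re.compile(rb".*corp100.100.*", re.DOTALL), "DNS"),
    ("dns_regex2", re.compile(rb".*corp099.100.*", re.DOTALL), "DNS"),
]


def build_dns_query(qname, txid=0x1234):
    """Constructed sample input: a minimal DNS A query in RFC 1035 wire format.
    Labels are length-prefixed; there are no ASCII dots on the wire."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, RD, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, IN


def classify(payload):
    """First-match over the class-maps; returns (class_name, serverfarm) or None.
    The leading .* in the configured regex lets re.match behave like an
    unanchored search, mirroring how the poster wrote the expressions."""
    data = payload[L4_OFFSET:]
    for name, rx, farm in POLICY:
        if rx.match(data):
            return name, farm
    return None


class AceSimulator:
    """Models the behaviour described in the thread: only the first packet of a
    UDP 'connection' is inspected; later packets on the same 5-tuple reuse the
    decision.  With fast-age the connection is torn down after one
    query/response, so every query is classified afresh."""

    def __init__(self, fast_age=False):
        self.fast_age = fast_age
        self.conns = {}  # 5-tuple -> decision taken on the first packet

    def handle(self, five_tuple, payload):
        if five_tuple in self.conns:
            return self.conns[five_tuple]  # existing conn: no re-inspection
        decision = classify(payload)
        # Assumption: a first packet matching no class gets no farm (dropped),
        # so no connection entry is created for it.
        if decision is not None and not self.fast_age:
            self.conns[five_tuple] = decision
        return decision

    def clear_conn_all(self):
        self.conns.clear()


def run_scenario(fast_age):
    """Replays the poster's sequence from one client socket:
    corp099 (allowed), corp100 (allowed, other class), corp091 (not allowed),
    then 'clear conn all' and corp091 again."""
    ace = AceSimulator(fast_age=fast_age)
    sock = ("10.0.0.5", 40000, "192.168.1.100", 53, "udp")  # constructed 5-tuple
    names = [
        "client1.corp099.100.example",
        "client1.corp100.100.example",
        "client1.corp091.100.example",
    ]
    results = [ace.handle(sock, build_dns_query(n)) for n in names]
    ace.clear_conn_all()
    results.append(ace.handle(sock, build_dns_query(names[2])))
    return results


if __name__ == "__main__":
    print("without fast-age:", run_scenario(fast_age=False))
    print("with fast-age:   ", run_scenario(fast_age=True))
```

Without fast-age the second and third queries inherit the dns_regex2 decision of the first, which is why the poster saw no new hit for corp100.100 and saw the disallowed corp091.100 answered until a clear conn all; with fast-age each query is classified on its own and corp091.100 is refused every time. A dnsperf run from a single socket is one 5-tuple, so it exercises exactly this path.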

Yes,

of course it makes sense, but only if the full socket is the same.

The difficult thing is doing some tests with queryperf or dnsperf, because the client srcip/srcport --> and (of course) the server dstip/dstport <53> are always the same.

With fast-age, theoretically all packets are inspected, BUT for some reason queryperf with fast-age enabled doesn't work as expected. Maybe always using the same socket gets ACE stuck.

Thanks a lot

Das
