First attempt with 4710

Answered Question
Feb 19th, 2010

Hi All,

I have configured my 4710 to load balance 3 servers for the following URL:

http://10.1.1.24:21080/cms/ui/pub:Login

For whatever reason this doesn't work.

access-list ACL_permit_all line 1 extended permit ip any any
access-list capture line 8 extended permit ip any any

probe tcp TCP
  interval 5
  faildetect 2
  passdetect interval 10
  open 3

rserver host chezane
  ip address 10.130.32.16
  inservice
rserver host raphael
  ip address 10.130.32.17
  inservice
rserver host vangongh
  ip address 10.130.32.15
  inservice


serverfarm host SF_web
  predictor leastconns
  probe TCP
  rserver chezane 21080
    inservice
  rserver raphael 21080
    inservice
  rserver vangongh 21080
    inservice

class-map match-any VS_vcr
  description l3_l4_load_balance
  4 match virtual-address 10.1.1.24 any
class-map type http loadbalance match-any VS_vcr_l7
  description l7 load balancing
  2 match source-address 10.1.0.0 255.255.248.0
  3 match source-address 192.168.233.0 255.255.255.0
class-map type management match-any management
  201 match protocol snmp any
  202 match protocol ssh any
  203 match protocol telnet any
  204 match protocol icmp any
  205 match protocol http any
  206 match protocol https any
  207 match protocol xml-https any

policy-map type management first-match management
  class management
    permit

policy-map type loadbalance first-match PM_VS_vcr_l7
  description l7 load balance
  class VS_vcr_l7
    serverfarm SF_web

policy-map multi-match int662
  class VS_vcr
    loadbalance vip inservice
    loadbalance policy PM_VS_vcr_l7
    loadbalance vip icmp-reply

interface vlan 662
  description Server_VLAN_662
  ip address 10.130.32.19 255.255.255.0
  no normalization
  no icmp-guard
  access-group input ACL_permit_all
  service-policy input management
  no shutdown
interface vlan 1000
  description Management
  ip address 10.1.1.17 255.255.255.0
  access-group input ACL_permit_all
  service-policy input management
  service-policy input int662
  no shutdown

domain VC_web_domain
  add-object all

ip route 0.0.0.0 0.0.0.0 10.1.1.205

Connectivity seems to be ok with clients/servers.

a/VC_web# show stats loadbalance

+------------------------------------------+
+------- Loadbalance statistics -----------+
+------------------------------------------+
Total version mismatch                       : 0
Total Layer4 decisions                       : 6
Total Layer4 rejections                      : 0
Total Layer7 decisions                       : 0
Total Layer7 rejections                      : 0
Total Layer4 LB policy misses                : 0
Total Layer7 LB policy misses                : 0
Total times rserver was unavailable          : 0
Total ACL denied                             : 0
Total IDMap Lookup Failures                  : 0
Total Cipher Lookup Failures                 : 0
Total Msg sent to Optimization               : 0
Total Direct Msg received from Optimization  : 0
Total Indirect Msg received from Optimization: 0
Total Optimization Msg sent to Real Servers  : 0

a/VC_web# show service-policy int662 detail

Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 1000
  service-policy: int662
    class: VS_vcr
     VIP Address:    Protocol:  Port:
     10.1.1.24       any
      loadbalance:
        L7 loadbalance policy: PM_VS_vcr_l7
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: DISABLED
        curr conns       : 1         , hit count        : 1
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : PM_VS_vcr_l7
          class/match : VS_vcr_l7
            LB action :
               primary serverfarm: SF_web
                    state: UP
                backup serverfarm : -
            hit count        : 1
            dropped conns    : 0
            compression      : off
      compression:
        bytes_in  : 0
        bytes_out : 0
        Compression ratio : 0.00%

a/VC_web# show conn serverfarm SF_web

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
20         1  in  TCP   1000 10.1.5.206:4888       10.1.1.24:21080       SYNSEEN
8          1  out TCP   662  10.130.32.17:21080    10.1.5.206:4888       INIT
demo/VC_web#

Any clues?

A.

Correct Answer
Sean Merrow Fri, 02/19/2010 - 06:52

Hello,

The first thing that I notice is that the ACE is receiving the connection and making a load balancing decision.  In your example, it has chosen rserver 10.130.32.17 to send the connection to.  The state INIT means that the ACE has sent the SYN to that rserver and is waiting to receive a SYN/ACK.

a/VC_web# show conn serverfarm SF_web

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
20         1  in  TCP   1000 10.1.5.206:4888       10.1.1.24:21080       SYNSEEN
8          1  out TCP   662  10.130.32.17:21080    10.1.5.206:4888       INIT

The first thing you must make sure of is that the server's response will be sent back to the 4710. One way to do this is to configure the 4710's IP address of 10.130.32.19 as the server's default gateway. The other way to do this, if the first option won't work for you, is to configure source-NAT on the ACE so that it will change the source IP address of the connection to the server from the client's real IP address to a nat-pool address owned by the ACE. You can learn more about NAT on the 4710 here.

Hope this helps,

Sean
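
The check described in the answer above, as an added example that is not part of the original thread: it pairs the client and server legs in show conn output, reports flows whose server leg is still INIT, and uses the vlan 662 address from the posted config to tell whether the rserver's reply depends on its default gateway. The function names and the SHOW_CONN sample (the two rows quoted in the thread) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the two "show conn" rows quoted in the thread.
SHOW_CONN = """\
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
20         1  in  TCP   1000 10.1.5.206:4888       10.1.1.24:21080       SYNSEEN
8          1  out TCP   662  10.130.32.17:21080    10.1.5.206:4888       INIT
"""

# Server-side interface taken from the posted config (interface vlan 662).
SERVER_VLAN = ipaddress.ip_interface("10.130.32.19/255.255.255.0")

ROW = re.compile(
    r"^(?P<id>\d+)\s+\d+\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+(?P<vlan>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<state>\S+)$"
)

def parse_conns(text):
    """Return one dict per connection row; headers and prompts do not match."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def stalled_server_legs(text, server_vlan=SERVER_VLAN):
    """Find flows whose server leg is INIT (SYN sent, no SYN/ACK seen yet)."""
    rows = parse_conns(text)
    inbound = {r["src"]: r for r in rows if r["dir"] == "in"}
    findings = []
    for out in rows:
        if out["dir"] != "out" or out["state"] != "INIT":
            continue
        client_leg = inbound.get(out["dst"])  # out-leg destination is the client
        if client_leg is None:
            continue
        client_ip = ipaddress.ip_address(out["dst"].rsplit(":", 1)[0])
        findings.append({
            "client": out["dst"],
            "vip": client_leg["dst"],
            "rserver": out["src"],
            # Off-subnet client: the rserver replies via its default gateway,
            # so that gateway must be the ACE, or the ACE must source-NAT.
            "reply_uses_default_gateway": client_ip not in server_vlan.network,
        })
    return findings

if __name__ == "__main__":
    print(stalled_server_legs(SHOW_CONN))
```

A flow that stays in this list across repeated samples, with reply_uses_default_gateway set, matches the return-path problem the answer describes.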
