02-19-2010 04:34 AM
Hi All,
I have configured my 4710 to load balance 3 servers for the following URL:
http://10.1.1.24:21080/cms/ui/pub:Login
For whatever reason this doesn't work.
access-list ACL_permit_all line 1 extended permit ip any any
access-list capture line 8 extended permit ip any any

probe tcp TCP
  interval 5
  faildetect 2
  passdetect interval 10
  open 3

rserver host chezane
  ip address 10.130.32.16
  inservice
rserver host raphael
  ip address 10.130.32.17
  inservice
rserver host vangongh
  ip address 10.130.32.15
  inservice

serverfarm host SF_web
  predictor leastconns
  probe TCP
  rserver chezane 21080
    inservice
  rserver raphael 21080
    inservice
  rserver vangongh 21080
    inservice

class-map match-any VS_vcr
  description l3_l4_load_balance
  4 match virtual-address 10.1.1.24 any
class-map type http loadbalance match-any VS_vcr_l7
  description l7 load balancing
  2 match source-address 10.1.0.0 255.255.248.0
  3 match source-address 192.168.233.0 255.255.255.0
class-map type management match-any management
  201 match protocol snmp any
  202 match protocol ssh any
  203 match protocol telnet any
  204 match protocol icmp any
  205 match protocol http any
  206 match protocol https any
  207 match protocol xml-https any

policy-map type management first-match management
  class management
    permit

policy-map type loadbalance first-match PM_VS_vcr_l7
  description l7 load balance
  class VS_vcr_l7
    serverfarm SF_web

policy-map multi-match int662
  class VS_vcr
    loadbalance vip inservice
    loadbalance policy PM_VS_vcr_l7
    loadbalance vip icmp-reply

interface vlan 662
  description Server_VLAN_662
  ip address 10.130.32.19 255.255.255.0
  no normalization
  no icmp-guard
  access-group input ACL_permit_all
  service-policy input management
  no shutdown
interface vlan 1000
  description Management
  ip address 10.1.1.17 255.255.255.0
  access-group input ACL_permit_all
  service-policy input management
  service-policy input int662
  no shutdown

domain VC_web_domain
  add-object all

ip route 0.0.0.0 0.0.0.0 10.1.1.205
Connectivity seems to be ok with clients/servers.
a/VC_web# show stats loadbalance
+------------------------------------------+
+------- Loadbalance statistics -----------+
+------------------------------------------+
Total version mismatch : 0
Total Layer4 decisions : 6
Total Layer4 rejections : 0
Total Layer7 decisions : 0
Total Layer7 rejections : 0
Total Layer4 LB policy misses : 0
Total Layer7 LB policy misses : 0
Total times rserver was unavailable : 0
Total ACL denied : 0
Total IDMap Lookup Failures : 0
Total Cipher Lookup Failures : 0
Total Msg sent to Optimization : 0
Total Direct Msg received from Optimization : 0
Total Indirect Msg received from Optimization: 0
Total Optimization Msg sent to Real Servers : 0
a/VC_web# show service-policy int662 detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 1000
service-policy: int662
class: VS_vcr
VIP Address: Protocol: Port:
10.1.1.24 any
loadbalance:
L7 loadbalance policy: PM_VS_vcr_l7
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 1 , hit count : 1
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : PM_VS_vcr_l7
class/match : VS_vcr_l7
LB action :
primary serverfarm: SF_web
state: UP
backup serverfarm : -
hit count : 1
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
a/VC_web# show conn serverfarm SF_web
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
20 1 in TCP 1000 10.1.5.206:4888 10.1.1.24:21080 SYNSEEN
8 1 out TCP 662 10.130.32.17:21080 10.1.5.206:4888 INIT
demo/VC_web#
Any clues?
A.
02-19-2010 06:52 AM
Hello,
The first thing that I notice is that the ACE is receiving the connection and making a load balancing decision. In your example, it has chosen rserver 10.130.32.17 to send the connection to. The state INIT means that the ACE has sent the SYN to that rserver and is waiting to receive a SYN/ACK.
a/VC_web# show conn serverfarm SF_web
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
20 1 in TCP 1000 10.1.5.206:4888 10.1.1.24:21080 SYNSEEN
8 1 out TCP 662 10.130.32.17:21080 10.1.5.206:4888 INIT
The first thing you must make sure of is that the server's response will be sent back to the 4710. One way to do this is to configure the 4710's IP address of 10.130.32.19 as the server's default gateway. The other way to do this, if the first option won't work for you, is to configure source-NAT on the ACE so that it will change the source IP address of the connection to the server from the client's real IP address to a nat-pool address owned by the ACE. You can learn more about NAT on the 4710 here.
Hope this helps,
Sean
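The source-NAT option from the answer above, sketched as an added example against the configuration in the question (it is not part of any post in this thread). The pool ID 1 and the pool address 10.130.32.20 are assumptions: use any unused address on the server VLAN. Lines beginning with ! are annotations, not commands.

```cisco
! Assumption: 10.130.32.20 is free on VLAN 662 and reserved for the ACE.
! The pool lives on the server-side interface, so the rservers see the
! connection coming from an address on their own subnet and reply to the
! ACE directly instead of to their default gateway.
interface vlan 662
  nat-pool 1 10.130.32.20 10.130.32.20 netmask 255.255.255.255 pat

! Apply the pool to traffic that matches the VIP class. The existing
! loadbalance lines stay as they are; only "nat dynamic" is new.
policy-map multi-match int662
  class VS_vcr
    loadbalance vip inservice
    loadbalance policy PM_VS_vcr_l7
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 662

! Check after a client retry: the outbound leg in
! "show conn serverfarm SF_web" should leave the INIT state once the
! rserver's SYN/ACK reaches the ACE.
```

With source NAT the servers log the pool address rather than the client address, so access logs and any IP-based access controls on the servers lose the real client IP.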
02-24-2010 01:58 PM
Thanks for this. NAT was the way to do this!
02-19-2010 11:50 AM
Another option requires Policy Based Routing. You will need to set up PBR on the default gateway device for the servers to redirect all traffic from the servers/ports back to the ACE. This is helpful when you must see the client IP address at the application.