Solved: First attempt with 4710

ahassiotis1 · ‎02-19-2010

Hi All,

I have configured my 4710 to load balance 3 servers for the following URL:

http://10.1.1.24:21080/cms/ui/pub:Login

For whatever reason this doesn't work.

access-list ACL_permit_all line 1 extended permit ip any any
access-list capture line 8 extended permit ip any any

probe tcp TCP
interval 5
faildetect 2
passdetect interval 10
open 3

rserver host chezane
ip address 10.130.32.16
inservice
rserver host raphael
ip address 10.130.32.17
inservice
rserver host vangongh
ip address 10.130.32.15
inservice

serverfarm host SF_web
predictor leastconns
probe TCP
rserver chezane 21080
    inservice
rserver raphael 21080
    inservice
rserver vangongh 21080
    inservice

class-map match-any VS_vcr
description l3_l4_load_balance
4 match virtual-address 10.1.1.24 any
class-map type http loadbalance match-any VS_vcr_l7
description l7 load balancing
2 match source-address 10.1.0.0 255.255.248.0
3 match source-address 192.168.233.0 255.255.255.0
class-map type management match-any management
201 match protocol snmp any
202 match protocol ssh any
203 match protocol telnet any
204 match protocol icmp any
205 match protocol http any
206 match protocol https any
207 match protocol xml-https any

policy-map type management first-match management
class management
permit

policy-map type loadbalance first-match PM_VS_vcr_l7
description l7 load balance
class VS_vcr_l7
serverfarm SF_web

policy-map multi-match int662
class VS_vcr
    loadbalance vip inservice
    loadbalance policy PM_VS_vcr_l7
    loadbalance vip icmp-reply

interface vlan 662
description Server_VLAN_662
ip address 10.130.32.19 255.255.255.0
no normalization
no icmp-guard
access-group input ACL_permit_all
service-policy input management
no shutdown
interface vlan 1000
description Management
ip address 10.1.1.17 255.255.255.0
access-group input ACL_permit_all
service-policy input management
service-policy input int662
no shutdown

domain VC_web_domain
add-object all

ip route 0.0.0.0 0.0.0.0 10.1.1.205

Connectivity seems to be ok with clients/servers.

a/VC_web# show stats loadbalance

+------------------------------------------+
+------- Loadbalance statistics -----------+
+------------------------------------------+
Total version mismatch                       : 0
Total Layer4 decisions                       : 6
Total Layer4 rejections                      : 0
Total Layer7 decisions                       : 0
Total Layer7 rejections                      : 0
Total Layer4 LB policy misses                : 0
Total Layer7 LB policy misses                : 0
Total times rserver was unavailable          : 0
Total ACL denied                             : 0
Total IDMap Lookup Failures                  : 0
Total Cipher Lookup Failures                 : 0
Total Msg sent to Optimization               : 0
Total Direct Msg received from Optimization : 0
Total Indirect Msg received from Optimization: 0
Total Optimization Msg sent to Real Servers : 0

a/VC_web# show service-policy int662 detail

Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 1000
service-policy: int662
    class: VS_vcr
     VIP Address:    Protocol: Port:
     10.1.1.24       any
      loadbalance:
        L7 loadbalance policy: PM_VS_vcr_l7
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: DISABLED
        curr conns       : 1         , hit count        : 1
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : PM_VS_vcr_l7
          class/match : VS_vcr_l7
            LB action :
               primary serverfarm: SF_web
                    state: UP
                backup serverfarm : -
            hit count        : 1
            dropped conns    : 0
            compression      : off
      compression:
        bytes_in : 0
        bytes_out : 0
        Compression ratio : 0.00%

a/VC_web# show conn serverfarm SF_web

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
20         1 in TCP   1000 10.1.5.206:4888       10.1.1.24:21080       SYNSEEN
8          1 out TCP   662 10.130.32.17:21080    10.1.5.206:4888       INIT
demo/VC_web#

Any clues?

A.

Sean Merrow · ‎02-19-2010

Hello,

The first thing that I notice is that the ACE is receiving the connection and making a load balancing decision. In your example, it has chosen rserver 10.130.32.17 to send the connection to. The state INIT means that the ACE has sent the SYN to that rserver and is waiting to receive a SYN/ACK.

a/VC_web# show conn serverfarm SF_web

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

20 1 in TCP 1000 10.1.5.206:4888 10.1.1.24:21080 SYNSEEN

8 1 out TCP 662 10.130.32.17:21080 10.1.5.206:4888 INIT

The first thing you must make sure of is that the server's response will be sent back to the 4710. One way to do this is to configure the 4710's IP address of 10.130.32.19 as the server's default gateway. The other way to do this if the first option won't work for you, is to configure source-NAT on the ACE so that it will change the source IP address of the connection to the server from the client's real IP address to a nat-pool address owned by the ACE. You can learn more about NAT on the 4710 here.

Hope this helps,

Sean

View solution in original post

Sean Merrow · ‎02-19-2010

Hello,

The first thing that I notice is that the ACE is receiving the connection and making a load balancing decision. In your example, it has chosen rserver 10.130.32.17 to send the connection to. The state INIT means that the ACE has sent the SYN to that rserver and is waiting to receive a SYN/ACK.

a/VC_web# show conn serverfarm SF_web

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

20 1 in TCP 1000 10.1.5.206:4888 10.1.1.24:21080 SYNSEEN

8 1 out TCP 662 10.130.32.17:21080 10.1.5.206:4888 INIT

The first thing you must make sure of is that the server's response will be sent back to the 4710. One way to do this is to configure the 4710's IP address of 10.130.32.19 as the server's default gateway. The other way to do this if the first option won't work for you, is to configure source-NAT on the ACE so that it will change the source IP address of the connection to the server from the client's real IP address to a nat-pool address owned by the ACE. You can learn more about NAT on the 4710 here.

Hope this helps,

Sean

ahassiotis1 · ‎02-24-2010

Thanks for this. NAT was the way to do this!

jphilope · ‎02-19-2010

Another option requires Policy Based Routing. You will need to set up PBR on the default gateway device for the

servers to redirect all traffic from the servers/ports back to the ACE. This is helpful when you must see the client IP address at the application.