cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4250
Views
10
Helpful
6
Replies

ACE: How to have icmp-reply active ignore redirect rhosts?

CHAD SIMMONS
Level 1
Level 1

I'm wondering if anyone knows if I can have an ace4710 not reply to ICMP requests for a VIP unless atleast one of the host rservers is up. It appears to reply if just a single redirect service is online.

Thanks,

Chad

1 Accepted Solution

Accepted Solutions

Chad,

Can you verify this again at your side? the CSS does respond ICMP even when no services are UP and only the content doing the redirect is active.

  content Redirect
    vip address 10.198.16.105
    url "/*"
    port 80
    protocol tcp
    redirect "http://website.com/blah.htm"
    active

  content Web
    vip address 10.198.16.105
    port 80
    protocol tcp
    url "/blah*"
    add service Z

C:\Documents and Settings\>ping 10.198.16.105

Pinging 10.198.16.105 with 32 bytes of data:

Reply from 10.198.16.105: bytes=32 time=1ms TTL=126
Reply from 10.198.16.105: bytes=32 time=1ms TTL=126
Reply from 10.198.16.105: bytes=32 time=2ms TTL=126
Reply from 10.198.16.105: bytes=32 time=1ms TTL=126
Reply from 10.198.16.105: bytes=32 time<1ms TTL=126
Reply from 10.198.16.105: bytes=32 time<1ms TTL=126
Reply from 10.198.16.105: bytes=32 time<1ms TTL=126

View solution in original post

6 Replies 6

Pablo
Cisco Employee
Cisco Employee

Hi Chad,

Yes this can be done however it depends the way you configured the backup availability on the ACE.

As the best of my knowledge the only way you can have the ACE to reply ICMP queries only if "host" rservers are alive is if you configure a separate SF for your backup server then include it on the first-match policy as backup (can be included on the sticky group also, if configured), then you apply the command "loadbalance vip icmp-reply active  primary-inservice" under the multi-match policy, for example:

serverfarm host Sorry
   rserver SS
     inservice

serverfarm host Web
   probe HTTP
   rserver Web
     inservice

policy-map type loadbalance first-match  Web
   class  class-default
     serverfarm P backup Sorry

policy-map multi-match LB

  class HTTP

     loadbalance vip inservice

    loadbalance policy Web

   loadbalance vip icmp-reply active primary-inservice

****************************************************************

If you've configured the backup service as inservice standby under the same SF then most likely ICMP requests will be responded as the ACE only needs an rserver (host|redirect) to consider the SF "inservice"

serverfarm host Web
  probe HTTP
  rserver B
    inservice standby
  rserver N
    backup-rserver B
    inservice

Hope this helps.

__ __

Pablo

Cisco TAC

Pablo,

Thank you for your answer but I don't think it will accomplish what I want as the redirect isn't a sorry error page. I'm trying to replicate a CSS config on my ACE. Basically what I'm trying to do is this.

server x

ip addr 1.1.1.1

keep uri "/blah/blah.htm"

active

server y

ip addr 2.2.2.2

keep uri "/blah/blah.htm"

act

owner x

content x-redirect

redirect "/blah"

vip addr 3.3.3.3

act

content x

vip addr 3.3.3.3

url "/blah*"

add serv y

add serv x

act

In this config the VIP will be pingable if either of the servers are up(redirect doesn't matter)

Thanks,

Chad

Chad,

Thanks for the clarification regretably I'm pretty sure the ACE works alike as the CSS in this requirement.

The problem is that the content rules (CSS) and the class-maps (ACE) are not dependent with each other. i.e with a config like the one shown below regardless if you suspend the service SIP or the content Web, ICMP still is going to be answered as the MAC address is still allocated on the arp table of your SW, in this case for the content Redirect there's no way you can stop ICMP replies other than manually suspending the rule.

owner Web

  content Redirect
    vip address 10.10.10.10
    url "/*"
    port 80
    protocol tcp
    redirect "http://website.com/blah.htm"
    active

  content Web
    vip address 10.10.10.10
    port 80
    protocol tcp
    url "/blah*"
    add service SIP
    active

I had thought I would've been able to it with an ACL like this one buuuut this is not traffic directed to the VIP :S

acl 5
  clause 1 deny icmp any destination content Web/Redirect
  clause 2 permit icmp any destination content Web/Web
  clause 3 permit any any destination any
  apply circuit-(VLAN10)

*************************************************************************

Same happens with the ACE redirect services will always make the VIP show as "inservice" as they don't require a health check to check the aliveness, these ones were thought to be UP all the time.

serverfarm host Web
  probe HTTP
  rserver Web-1
    inservice
  rserver Web-2
    inservice

rserver redirect Redirect
  webhost-redirection https://%h/blah.htm
  inservice

serverfarm redirect Blah
  rserver Redirect
    inservice

class-map type http loadbalance match-any Any
  2  math http url  .*

class-map type http loadbalance match-any Blah
  2 match http url /blah.htm

policy-map type loadbalance first-match Insertion
   class Blah
     serverfarm Web
   class Any
     serverfarm Blah

*************************************************************************

OK I think that is the answer then. I'll have to submit a feature request. On CSS the VIP is only pingable
if an actual service is up(on css redirect is configured in a content rule not as a redirect service so I think this is the difference) you can have redirects on a VIP and the VIP wont respond to ICMP until atleast one service is up. We use this feature so that various tools can monitor VIP status with a simple ping script.

Thanks,

Chad

Chad,

Can you verify this again at your side? the CSS does respond ICMP even when no services are UP and only the content doing the redirect is active.

  content Redirect
    vip address 10.198.16.105
    url "/*"
    port 80
    protocol tcp
    redirect "http://website.com/blah.htm"
    active

  content Web
    vip address 10.198.16.105
    port 80
    protocol tcp
    url "/blah*"
    add service Z

C:\Documents and Settings\>ping 10.198.16.105

Pinging 10.198.16.105 with 32 bytes of data:

Reply from 10.198.16.105: bytes=32 time=1ms TTL=126
Reply from 10.198.16.105: bytes=32 time=1ms TTL=126
Reply from 10.198.16.105: bytes=32 time=2ms TTL=126
Reply from 10.198.16.105: bytes=32 time=1ms TTL=126
Reply from 10.198.16.105: bytes=32 time<1ms TTL=126
Reply from 10.198.16.105: bytes=32 time<1ms TTL=126
Reply from 10.198.16.105: bytes=32 time<1ms TTL=126

You are right one of my coworkers told me that they had tested this on the CSS but I just tried it and the redirect holds the VIP up so this is expected.

Thanks,


Chad

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: