Cisco ACE - Load balancing on Remote host

Answered Question
Apr 29th, 2010

Hi all,


I have a dual-armed load balancer, and I have a requirement to have local and remote servers in the serverfarm. I configured an rserver which is remote (connected via VPN); the probe status shows SUCCESS (return code 200).


When I use the VIP, I am getting a reply back from the rservers which are local (as expected), and for the remote server I get this error: "Empty Reply from server". When I try to debug I get this error: "[bad tcp cksum c346!]".


While trying to connect to the VIP, I can telnet to port 8080; however, when I use HTTP/1.0 or help on that port it disconnects.

Any pointers would be really helpful.


Regards,

Naveen

Correct Answer by jason.espino, Fri, 04/30/2010 - 00:27

Hello Naveen,


Do you have the ACE setup to SNAT connections to the hosts in your serverfarm to appear as though the connections originated as the VIP address?


If not, then that is most likely the reason why connections destined to the VIP fail when balanced to the remote hosts in the serverfarm. The remote servers will see the connections coming from the client (not the ACE IP address) and respond directly to the client rather than send the traffic back to the ACE. The client will see the SYN/ACK from the remote server and simply RST the connection, as it was not expecting traffic from that host (TCP connection broken). When the ACE is set up to SNAT the traffic, the remote server will see the connection originating from the ACE. The remote server will respond directly to the ACE, which in turn will forward the response out to the client. The problem with this is that you lose the ability to track the client's true source IP, but this can be resolved through header-insert (only possible with HTTP connections).


The reason why the remote servers are passing their probe check is due to the fact that the checks are performed using the ACE's management IP address. The remote server knows to respond back to the ACE when the load balancer performs the probe check.


- Jason
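The SNAT plus header-insert arrangement Jason describes, as an added example ACE configuration that is not part of the original thread. The VLAN numbers, IP addresses and object names (VLAN 100 and 200, NAT pool 1 at 10.1.200.50, VIP 10.1.100.80, serverfarm SF-WEB, class map VIP-8080 and the two policy-map names) are assumptions chosen for illustration; the rserver, serverfarm and probe definitions are assumed to exist already.

```cisco
! Client-facing VLAN (assumed): the VIP policy is applied on ingress here
interface vlan 100
  ip address 10.1.100.1 255.255.255.0
  service-policy input VIP-POLICY
  no shutdown

! Server-facing VLAN (assumed), through which the remote rservers are
! reached. The NAT pool holds the source address the rservers will see,
! so their replies come back to the ACE instead of straight to the client.
interface vlan 200
  ip address 10.1.200.1 255.255.255.0
  nat-pool 1 10.1.200.50 10.1.200.50 netmask 255.255.255.255 pat
  no shutdown

! VIP on TCP 8080 (assumed VIP address)
class-map match-all VIP-8080
  2 match virtual-address 10.1.100.80 tcp eq 8080

! Layer-7 policy: balance to the serverfarm and restore visibility of the
! real client address with an inserted header, since SNAT hides it.
! %is expands to the connection's source IP.
policy-map type loadbalance first-match LB-8080
  class class-default
    serverfarm SF-WEB
    insert-http X-Forwarded-For header-value "%is"

! Multi-match policy: every balanced connection is SNATed out of VLAN 200
! using NAT pool 1 before it is sent toward the rservers
policy-map multi-match VIP-POLICY
  class VIP-8080
    loadbalance vip inservice
    loadbalance policy LB-8080
    nat dynamic 1 vlan 200
```

With this in place, a capture on the remote rserver should show the SYN arriving from 10.1.200.50 rather than from the client's address, so the SYN/ACK is routed back to the ACE over the VPN and the TCP handshake completes; the application reads the original client address from the X-Forwarded-For header instead of the socket peer address.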


mma Thu, 02/14/2013 - 10:28

I have the exact same problem with the ACE configured in routed mode and the rservers on a network accessible by a router. The question is: can we use PBR on the remote router to send the return traffic to the ACE and let the ACE pass the traffic back to the client?
