ACE Load Balancing

Unanswered Question
May 20th, 2010

Hi all,

I'm configuring 2 ACE 4710s in failover, and I also need to balance 2 web servers at the moment. I have all of the IP addresses in the same subnet; is that a problem?

Server 1 192.168.1.1

Server 2 192.168.1.2

VIP 192.168.1.3

I have a VLAN for administration, and I have a VLAN for the client connection.

But when I try to connect to the VIP, it doesn't show the web page, but if I connect to the servers' pages directly they are working OK.

Does anybody know what I can check, or if there is any manual that really shows how to configure this type of connection?

Thanks..

UHansen1976 Thu, 05/20/2010 - 12:45

Carlos,

This could be helpful to you: http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide

Other than that, I'd recommend going through the following sequence of troubleshooting:

1. Access-list - Make sure traffic is actually permitted and that an access-list is applied to your ingress-interface.

2. VIPs - Verify that your VIP addresses are in the state IN-SRVC and that hit counters are increasing (or possibly drop counts).

3. Multimatch policy - Do a detailed show of your policy-configuration and see, how far traffic gets or if it's dropped.

4. Serverfarms/realservers - Make sure they're operational and see if any connections have passed through, and any failed connections. You could also look at your probe status.

What kind of error are you getting? Timeout, blank page, incomplete page etc. Also, have you tried to run a trace?

hth

/Ulrich

Sean Merrow Fri, 05/21/2010 - 06:23

Hello,

From your description, it sounds like you might have a one-armed configuration for load balancing. If your management VLAN interface is only used for management, and you only have the client VLAN interface for load balancing, then this would be a one-armed config. If this is indeed the case, then you would need to either use Policy-Based Routing to route the server response traffic back to the ACE rather than directly back to the client or, the more common solution, configure source NAT as shown below:

access-list ANYONE line 10 extended permit tcp any any

rserver host SERVER_01
  ip address 192.168.1.1
  inservice
rserver host SERVER_02
  ip address 192.168.1.2
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice

class-map match-all VIP-3
  2 match virtual-address 192.168.1.3 any

class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS

policy-map multi-match CLIENT_VIPS
  class VIP-3
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 20

interface vlan 10
  description MANAGEMENT VLAN
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  no shutdown
interface vlan 20
  description CLIENT VLAN
  ip address 192.168.1.10 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.100 192.168.1.100 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.254

Hope this helps,

Sean
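
An added example, not part of the original reply and not Cisco tooling: a Python check for the one-armed condition described in the reply above, where real servers share the client VLAN subnet and replies bypass the ACE unless source NAT is configured. The function names, the two-space-indented input format, and the trimmed sample config are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the reply's one-armed config, trimmed to the lines this check reads.
SAMPLE = """\
rserver host SERVER_01
  ip address 192.168.1.1
policy-map multi-match CLIENT_VIPS
  class VIP-3
    nat dynamic 1 vlan 20
interface vlan 20
  ip address 192.168.1.10 255.255.255.0
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.100 192.168.1.100 netmask 255.255.255.0 pat
"""

def sections(cfg):
    """Group an indented config into {top-level line: [stripped child lines]}."""
    out, head = {}, None
    for line in cfg.splitlines():
        if line.strip() and not line.startswith(" "):
            head = line.strip()
            out[head] = []
        elif line.strip() and head:
            out[head].append(line.strip())
    return out

def one_armed_findings(cfg):
    """List source-NAT gaps on interfaces whose subnet also holds the real servers."""
    sec, findings = sections(cfg), []
    rservers = [ipaddress.ip_address(l.split()[2]) for h, body in sec.items()
                if h.startswith("rserver ") for l in body if l.startswith("ip address ")]
    for head, body in sec.items():
        addr = next((l.split() for l in body if l.startswith("ip address ")), None)
        policies = [l.split()[2] for l in body if l.startswith("service-policy input ")]
        if not (head.startswith("interface vlan ") and addr and policies):
            continue
        vlan = head.split()[2]
        net = ipaddress.ip_network(f"{addr[2]}/{addr[3]}", strict=False)
        if not any(ip in net for ip in rservers):
            continue  # servers sit on another subnet: routed mode, replies return via the ACE
        pools = {l.split()[1] for l in body if l.startswith("nat-pool ")}
        nat_ids = {l.split()[2] for p in policies
                   for l in sec.get(f"policy-map multi-match {p}", [])
                   if re.fullmatch(rf"nat dynamic \d+ vlan {vlan}", l)}
        if not nat_ids:
            findings.append(f"vlan {vlan}: real servers share this subnet but no 'nat dynamic' is set")
        findings += [f"vlan {vlan}: nat dynamic {i} lacks a nat-pool" for i in sorted(nat_ids - pools)]
    return findings
```

An empty list from `one_armed_findings` means every interface that shares a subnet with the real servers has a `nat dynamic` entry backed by a `nat-pool` with the same ID.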
