basic ACE-config not working-1 rserver host for now

Jun 29th, 2010

I've done this a few times so I'm not sure what I am missing.


When I hit my VIP nothing happens. Not even the counters go up.

I attempt to telnet to the VIP on port 443 and nothing. SSL will be installed later.


Traffic will come in on 443, then go to port 80 and talk to the web server.






class-map match-all ACTIVE-C-VIP
  2 match virtual-address 172.20.110.120 tcp eq https


serverfarm host ACTIVE-C
   rserver NY01 80
     probe PROBE_SERVICE_ICMP
     inservice


rserver host NY01
  ip address 172.20.212.10
  inservice


policy-map type loadbalance first-match ACTIVE-C-POLICY
  class class-default
    serverfarm ACTIVE-C


policy-map multi-match VIP
  class ACTIVE-C-VIP
    loadbalance vip inservice
    loadbalance policy ACTIVE-C-POLICY
    loadbalance vip icmp-reply






interface vlan 110
  description Web DMZ
  ip address 172.20.110.2 255.255.255.0
  alias 172.20.110.1 255.255.255.0
  peer ip address 172.20.110.3 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown



ACE-L1-1/Admin# show serverfarm ACTIVE-CARE
serverfarm     : ACTIVE-C, type: HOST
total rservers : 2
---------------------------------
                                                ----------connections----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+--------
   rserver: NYC01
       172.20.110.50:80      8      OPERATIONAL  0          0          0

Pablo Tue, 06/29/2010 - 17:10

Hi,


I think the question here is if you're using port 80 as the encrypted port on the backend server? If not, most likely you'll get a browser error and the page will never come up; for example, FF will display something like "ssl_error_rx record too long" just because you're trying to access encrypted data over a clear text port.


My best guess is that you're trying to do SSL termination and the ssl-proxy service is missing on the multi-match policy.


Perhaps you want to test LB on HTTP only and then implement SSL.


Tnx.


Pablo

Cisco TAC

nygenxny123 Tue, 06/29/2010 - 19:40

Hi Pablo,


The problem is we are not even getting a response from the VIP address.


There are no errors on the browser and there is no increase in the serverfarm stats that show a connection was even attempted.

UHansen1976 Wed, 06/30/2010 - 05:17

Maybe I'm missing something, but it looks like your multi-match policy has not been applied to the interface.


I would expect to see something like this:


interface vlan 110
  description Web DMZ
  ip address 172.20.110.2 255.255.255.0
  alias 172.20.110.1 255.255.255.0
  peer ip address 172.20.110.3 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIP
  no shutdown


If that won't cut it, try and check the status of the VIP with


'show service-policy summary' and verify whether or not the VIP is in state IN-SRVC and if the hit counters increment when you throw traffic its way.


hth


/Ulrich
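
An offline check for the misconfiguration identified in the reply above, as an added example that is not part of any post in this thread: it reports multi-match policy-maps that contain "loadbalance vip inservice" but are not referenced by any "service-policy input" line. The function name and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: the configuration from the question, trimmed.
SAMPLE_CONFIG = """\
class-map match-all ACTIVE-C-VIP
  2 match virtual-address 172.20.110.120 tcp eq https
policy-map type loadbalance first-match ACTIVE-C-POLICY
  class class-default
    serverfarm ACTIVE-C
policy-map multi-match VIP
  class ACTIVE-C-VIP
    loadbalance vip inservice
    loadbalance policy ACTIVE-C-POLICY
interface vlan 110
  ip address 172.20.110.2 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
"""


def unapplied_vip_policies(config: str) -> list[str]:
    """Return multi-match policy-maps that put a VIP in service but are not
    referenced by any 'service-policy input' statement (hypothetical helper)."""
    vip_policies = []  # multi-match policies containing 'loadbalance vip inservice'
    applied = set()    # policy names referenced by 'service-policy input'
    current = None     # multi-match policy-map block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # an unindented line starts a new block
            m = re.match(r"policy-map multi-match (\S+)$", line)
            current = m.group(1) if m else None
        if current and line == "loadbalance vip inservice":
            if current not in vip_policies:
                vip_policies.append(current)
        m = re.match(r"service-policy input (\S+)$", line)
        if m:  # matches under an interface or at context level
            applied.add(m.group(1))
    return [p for p in vip_policies if p not in applied]


if __name__ == "__main__":
    for name in unapplied_vip_policies(SAMPLE_CONFIG):
        print(f"policy-map multi-match {name} is not applied with service-policy input")
```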

nygenxny123 Wed, 06/30/2010 - 10:36

Indeed, I added service-policy input VIP and now I am getting counter hits on the rserver.


However, I am getting failures on the connection counters. From what I understand this is likely a server issue. Will update.
