06-29-2010 11:35 AM
I've done this a few times, so I'm not sure what I am missing.
When I hit my VIP nothing happens. Not even counters go up.
I attempt to telnet to the VIP on port 443 and nothing. SSL will be installed later.
Traffic will come in on 443, then go to port 80 and talk to the web server.
class-map match-all ACTIVE-C-VIP
  2 match virtual-address 172.20.110.120 tcp eq https
serverfarm host ACTIVE-C
  rserver NY01 80
    probe PROBE_SERVICE_ICMP
    inservice
rserver host NY01
  ip address 172.20.212.10
  inservice
policy-map type loadbalance first-match ACTIVE-C-POLICY
  class class-default
    serverfarm ACTIVE-C
policy-map multi-match VIP
  class ACTIVE-C-VIP
    loadbalance vip inservice
    loadbalance policy ACTIVE-C-POLICY
    loadbalance vip icmp-reply
interface vlan 110
  description Web DMZ
  ip address 172.20.110.2 255.255.255.0
  alias 172.20.110.1 255.255.255.0
  peer ip address 172.20.110.3 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
ACE-L1-1/Admin# show serverfarm ACTIVE-CARE
 serverfarm     : ACTIVE-C, type: HOST
 total rservers : 2
 ---------------------------------
                                                ----------connections----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+--------
   rserver: NYC01
       172.20.110.50:80      8      OPERATIONAL  0          0          0
06-29-2010 05:10 PM
Hi,
I think the question here is if you're using port 80 as the encrypted port on the backend server? If not, most likely you'll get a browser error and the page will never come up; for example, FF will display something like "ssl_error_rx record too long" just because you're trying to access encrypted data over a clear text port.
My best guess is that you're trying to do SSL termination and the ssl-proxy service is missing on the multi-match policy.
Perhaps you want to test LB on HTTP only and then implement SSL.
Tnx.
Pablo
Cisco TAC
06-29-2010 07:40 PM
Hi Pablo,
The problem is we are not even getting a response from the VIP address.
There are no errors on the browser and there is no increase in the serverfarm stats that show a connection was even attempted.
06-30-2010 05:17 AM
Maybe I'm missing something, but it looks like your multi-match policy has not been applied to the interface.
I would expect to see something like this:
interface vlan 110
  description Web DMZ
  ip address 172.20.110.2 255.255.255.0
  alias 172.20.110.1 255.255.255.0
  peer ip address 172.20.110.3 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIP
  no shutdown
If that won't cut it, try to check the status of the VIP with 'show service-policy summary' and verify whether or not the VIP is in state IN-SRVC and if the hit counters increment when you throw traffic its way.
hth
/Ulrich
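Added example, not part of the original thread and not any poster's or Cisco's code: a small Python check for the gap pointed out above, a multi-match policy-map that is defined but never attached with service-policy input. The sample text is constructed from the configuration lines posted in the thread; the function name and the list of block-opening keywords are assumptions for illustration.

```python
import re

# Constructed sample: the relevant lines of the configuration posted in the thread.
SAMPLE_CONFIG = """\
class-map match-all ACTIVE-C-VIP
2 match virtual-address 172.20.110.120 tcp eq https
policy-map type loadbalance first-match ACTIVE-C-POLICY
class class-default
serverfarm ACTIVE-C
policy-map multi-match VIP
class ACTIVE-C-VIP
loadbalance vip inservice
loadbalance policy ACTIVE-C-POLICY
interface vlan 110
ip address 172.20.110.2 255.255.255.0
access-group input PERMIT_ALL
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
"""

# Assumed list of lines that open a new top-level block and so end an interface block.
TOP_LEVEL = ("class-map ", "policy-map ", "interface ", "serverfarm host ",
             "rserver host ", "probe ", "access-list ")


def policy_attachment(config):
    """Map each declared multi-match policy-map to the places it is applied.

    An empty list means the policy is defined but no 'service-policy input'
    references it, so the VIP classes inside it never see traffic.
    """
    declared, applied = [], {}
    where = "global"  # outside an interface block (ACE also accepts it at context level)
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(TOP_LEVEL):
            where = line if line.startswith("interface ") else "global"
        m = re.fullmatch(r"policy-map multi-match (\S+)", line)
        if m:
            declared.append(m.group(1))
        m = re.fullmatch(r"service-policy input (\S+)", line)
        if m:
            applied.setdefault(m.group(1), []).append(where)
    return {name: applied.get(name, []) for name in declared}


if __name__ == "__main__":
    print("as posted:", policy_attachment(SAMPLE_CONFIG))
    fixed = SAMPLE_CONFIG.replace("no shutdown", "service-policy input VIP\nno shutdown")
    print("with fix: ", policy_attachment(fixed))
```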
06-30-2010 10:36 AM
Indeed, I added service-policy input VIP and now I am getting counter hits on the rserver.
However, I am getting failures on the connection counters. From what I understand this is likely a server issue. Will update.