
basic ACE-config not working-1 rserver host for now

nygenxny123
Level 1

I've done this a few times, so I'm not sure what I am missing.

When I hit my VIP, nothing happens. Not even the counters go up.

I attempt to telnet to the VIP on port 443, and nothing. SSL will be installed later.

Traffic will come in on 443, then go to port 80 and talk to the web server.

class-map match-all ACTIVE-C-VIP
  2 match virtual-address 172.20.110.120 tcp eq https

serverfarm host ACTIVE-C
   rserver NY01 80
     probe PROBE_SERVICE_ICMP
     inservice

rserver host NY01
  ip address 172.20.212.10
  inservice

policy-map type loadbalance first-match ACTIVE-C-POLICY
  class class-default
    serverfarm ACTIVE-C

policy-map multi-match VIP
  class ACTIVE-C-VIP
    loadbalance vip inservice
    loadbalance policy ACTIVE-C-POLICY
    loadbalance vip icmp-reply

interface vlan 110
  description Web DMZ
  ip address 172.20.110.2 255.255.255.0
  alias 172.20.110.1 255.255.255.0
  peer ip address 172.20.110.3 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown


ACE-L1-1/Admin# show serverfarm ACTIVE-CARE
serverfarm     : ACTIVE-C, type: HOST
total rservers : 2
---------------------------------
                                                ----------connections----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+--------
   rserver: NYC01
       172.20.110.50:80      8      OPERATIONAL  0          0          0


Pablo
Cisco Employee

Hi,

I think the question here is whether you're using port 80 as the encrypted port on the backend server. If not, most likely you'll get a browser error and the page will never come up; for example, FF will display something like "ssl_error_rx record too long" just because you're trying to access encrypted data over a clear-text port.

My best guess is that you're trying to do SSL termination and the ssl-proxy service is missing on the multi-match policy.

Perhaps you want to test LB on HTTP only and then implement SSL.

Tnx.


Pablo

Cisco TAC

Hi Pablo,

The problem is we are not even getting a response from the VIP address.

There are no errors on the browser and there is no increase in the serverfarm stats that show a connection was even attempted.

UHansen1976
Level 1

Maybe I'm missing something, but it looks like your multi-match policy has not been applied to the interface.

I would expect to see something like this:

interface vlan 110
  description Web DMZ
  ip address 172.20.110.2 255.255.255.0
  alias 172.20.110.1 255.255.255.0
  peer ip address 172.20.110.3 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIP
  no shutdown

If that won't cut it, try to check the status of the VIP:

'show service-policy summary' and verify whether or not the VIP is in State IN-SRVC and whether the hit counters increment when you throw traffic its way.

hth

/Ulrich
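
Added example (not part of any post in this thread): a small Python check for the condition described in the reply above, a `policy-map multi-match` that is defined but never attached with `service-policy input`. The function names are hypothetical, and the sample configuration is constructed from lines of the original post.

```python
import re

# Constructed sample: the original post's configuration, trimmed to the
# lines that matter for policy attachment.
SAMPLE_CONFIG = """\
policy-map type loadbalance first-match ACTIVE-C-POLICY
  class class-default
    serverfarm ACTIVE-C

policy-map multi-match VIP
  class ACTIVE-C-VIP
    loadbalance vip inservice
    loadbalance policy ACTIVE-C-POLICY

interface vlan 110
  ip address 172.20.110.2 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
"""

def policy_attachments(config):
    """Map each multi-match policy-map to the scopes where it is applied."""
    attachments = {}   # policy name -> list of "vlan N" / "global"
    applied = []       # (policy name, scope) in order of appearance
    scope = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # A new top-level stanza: track whether we are inside an interface.
            m = re.match(r"interface\s+(.+)$", line)
            scope = m.group(1) if m else "global"
        m = re.match(r"policy-map\s+multi-match\s+(\S+)$", line)
        if m:
            attachments.setdefault(m.group(1), [])
        m = re.match(r"service-policy\s+input\s+(\S+)$", line)
        if m:
            applied.append((m.group(1), scope))
    for name, where in applied:
        if name in attachments:
            attachments[name].append(where)
    return attachments

def unapplied_policies(config):
    """Multi-match policies that no service-policy statement references."""
    return [n for n, where in policy_attachments(config).items() if not where]
```

Run against a saved running-config, an empty result from `unapplied_policies` means every multi-match policy is attached somewhere; it does not say the VIP is in service, which still needs `show service-policy summary`.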

Indeed, I added service-policy input VIP and now I am getting counter hits on the rserver.

However, I am getting failures on the connection counters. From what I understand, this is likely a server issue. Will update.
