
ACE: [Case study] Packets are still forwarded to a down rserver after the probe goes down

    The case presented here: a probe configured on the ACE goes down and the rserver enters the probe-failed state, yet the ACE still forwards packets to that rserver.

    # Topology

    sfarm_01.png

    # Test method and results (ACE output)

    With sv1 OPERATIONAL and sv2 OUTOFSERVICE, send traffic, then drop ICMP on sv1.

    Check show service-policy after the probe has failed. Even though the VIP state is OUTOFSERVICE, the client/server pkt count and byte count increase.

    Why did the counters increase even though show service-policy reported the VIP state as OUTOFSERVICE?

    ACE20/Admin# sh rserver

    rserver              : sv1, type: HOST

    state                : OPERATIONAL (verified by    arp response)

    ---------------------------------

                                                    ----------connections-----------

           real                  weight state        current    total

       ---+---------------------+------+------------+----------+--------------------

       serverfarm: sf

           192.168.72.11:0       8      OPERATIONAL  0          17

    rserver              : sv2, type: HOST

    state                : OUTOFSERVICE

    ---------------------------------

                                                    ----------connections-----------

           real                  weight state        current    total

       ---+---------------------+------+------------+----------+--------------------

       serverfarm: sf

           192.168.72.12:0       8      OUTOFSERVICE 0          14

    ACE20/Admin#

    ACE20/Admin# sh service-policy

    Policy-map :    client-vips

    Status     : ACTIVE

    -----------------------------------------

    Interface:    vlan 771

      service-policy: client-vips

        class: vip

          loadbalance:

            L7 loadbalance policy: lb

            VIP Route Metric     : 77

            VIP Route Advertise  : DISABLED

            VIP ICMP Reply       : ENABLED

            VIP State: INSERVICE

            curr conns       : 1         , hit count        : 18

            dropped conns    : 0

            client pkt count : 144       , client byte count: 7610

            server pkt count : 109       , server byte count: 19188

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

    ACE20/Admin#

    !___ server icmp packet drop

    ACE20/Admin#    sh rserver

    rserver              : sv1, type: HOST

    state                : OPERATIONAL (verified by    arp response)

    ---------------------------------

                                                    ----------connections-----------

           real                  weight state        current    total

       ---+---------------------+------+------------+----------+--------------------

       serverfarm: sf

           192.168.72.11:0       8      PROBE-FAILED 1          18

    rserver              : sv2, type: HOST

    state                : OUTOFSERVICE

    ---------------------------------

                                                    ----------connections-----------

           real                  weight state        current    total

       ---+---------------------+------+------------+----------+--------------------

       serverfarm: sf

           192.168.72.12:0       8      OUTOFSERVICE 0          14

    ACE20/Admin#    sh service-policy

    Policy-map :    client-vips

    Status     : ACTIVE

    -----------------------------------------

    Interface:    vlan 771

      service-policy: client-vips

        class: vip

          loadbalance:

            L7 loadbalance policy: lb

            VIP Route Metric     : 77

            VIP Route Advertise  : DISABLED

            VIP ICMP Reply       : ENABLED

            VIP state: OUTOFSERVICE

            curr conns       : 1         , hit count        : 18

            dropped conns    : 0

            client pkt count : 144       , client byte count: 7610

            server pkt count : 109       , server byte count: 19188

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

    ACE20/Admin# sh service-policy

    Policy-map :    client-vips

    Status     : ACTIVE

    -----------------------------------------

    Interface:    vlan 771

      service-policy: client-vips

        class: vip

          loadbalance:

            L7 loadbalance policy: lb

            VIP Route Metric     : 77

            VIP Route Advertise  : DISABLED

            VIP ICMP Reply       : ENABLED

            VIP state: OUTOFSERVICE

            curr conns       : 0         , hit count        : 18

            dropped conns    : 0

            client pkt count : 173       , client byte count: 8952

            server pkt count : 137       , server byte count: 22123

    !___ counters increase even though the VIP is out of service

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

    ACE20/Admin#

    # ACE configuration


    ACE20/Admin# sh run

    Generating    configuration....

    hostname    ACE20

    boot system    image:c6ace-t1k9-mz.A2_3_1.bin

    access-list    all line 8 extended permit ip any any

    probe icmp    ping

      interval 2

      faildetect 2

      passdetect interval 2

      passdetect count 2

    rserver host    sv1

      ip address 192.168.72.11

      inservice

    rserver host    sv2

      ip address 192.168.72.12

    serverfarm    host sf

      probe ping

      rserver sv1

        inservice

      rserver sv2

        inservice

    class-map    match-all vip

      2 match virtual-address 192.168.71.100 tcp    eq www

    policy-map    type loadbalance first-match lb

      class class-default

        serverfarm sf

    policy-map    multi-match client-vips

      class vip

        loadbalance vip inservice

        loadbalance policy lb

        loadbalance vip icmp-reply

    access-group    input all

    interface    vlan 771

      ip address 192.168.71.250 255.255.255.0

      service-policy input client-vips

      no shutdown

    interface    vlan 772

      ip address 192.168.72.250 255.255.255.0

      no shutdown

    # server


    sv1:/# iptables -A INPUT -p icmp -j DROP

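    ### Answer

    Even when an rserver goes down on the ACE, for example through probe-failed, existing entries remain in the connection table and traffic can continue over them.

    Comparing the two show service-policy outputs taken while the VIP state was OUTOFSERVICE, curr conns goes from 1 to 0. This shows that one connection still existed on the ACE while the VIP was out of service. In other words, the pkt/byte counters were incremented by traffic using the existing connection entry, which is the expected behaviour of the ACE implementation.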

    ACE20/Admin# sh service-policy

    Policy-map :    client-vips

    Status     : ACTIVE

    -----------------------------------------

    Interface:    vlan 771

      service-policy: client-vips

        class: vip

          loadbalance:

            L7 loadbalance policy: lb

            VIP Route Metric     : 77

            VIP Route Advertise  : DISABLED

            VIP ICMP Reply       : ENABLED

            VIP state: OUTOFSERVICE

            curr    conns       : 1         , hit count        : 18

            dropped conns    : 0

            client pkt count : 144       , client byte count: 7610

            server pkt count : 109       , server byte count: 19188

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

    ACE20/Admin# sh service-policy

    Policy-map :    client-vips

    Status     : ACTIVE

    -----------------------------------------

    Interface:    vlan 771

      service-policy: client-vips

        class: vip

          loadbalance:

            L7 loadbalance policy: lb

            VIP Route Metric     : 77

            VIP Route Advertise  : DISABLED

            VIP ICMP Reply       : ENABLED

            VIP state: OUTOFSERVICE

            curr    conns       : 0         , hit count        : 18

            dropped conns    : 0

            client pkt count : 173       , client byte count: 8952

            server pkt count : 137       , server byte count: 22123

    !___ for traffic destined to the VIP, the counters above increase when the connection is torn down.

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0
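
The comparison above, as an added example that is not part of the original article: a Python check that parses two `show service-policy` snapshots and explains a packet-counter rise on an OUTOFSERVICE VIP. The function names are hypothetical, the snapshot text is constructed from the counter lines shown above, and it assumes that hit count rises only when a new connection is accepted.

```python
import re

# Constructed input: the counter lines of the two OUTOFSERVICE snapshots above.
SNAP_BEFORE = """\
VIP state: OUTOFSERVICE
curr conns       : 1         , hit count        : 18
client pkt count : 144       , client byte count: 7610
server pkt count : 109       , server byte count: 19188
"""
SNAP_AFTER = """\
VIP state: OUTOFSERVICE
curr    conns       : 0         , hit count        : 18
client pkt count : 173       , client byte count: 8952
server pkt count : 137       , server byte count: 22123
"""

FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")

def parse(text):
    """Return {field name: value} for the 'name : value' pairs in one snapshot."""
    fields = {}
    for line in text.splitlines():
        for part in line.split(","):
            m = FIELD.match(part.strip())
            if m:
                key = " ".join(m.group(1).lower().split())  # collapse spacing
                val = m.group(2)
                fields[key] = int(val) if val.isdigit() else val
    return fields

def explain_counter_rise(before, after):
    """Classify packet-counter growth between two snapshots of one VIP."""
    b, a = parse(before), parse(after)
    pkts = sum(a[k] - b[k] for k in ("client pkt count", "server pkt count"))
    if pkts == 0:
        return "no-traffic", pkts
    if "OUTOFSERVICE" not in (b["vip state"], a["vip state"]):
        return "vip-in-service", pkts
    if a["hit count"] > b["hit count"]:
        # Assumption: hit count rises only when a new connection is accepted.
        return "new-connection-accepted", pkts
    if b["curr conns"] > a["curr conns"]:
        return "existing-connection-closed", pkts  # the case on this page
    return "unexplained", pkts

if __name__ == "__main__":
    print(explain_counter_rise(SNAP_BEFORE, SNAP_AFTER))
```

A "new-connection-accepted" or "unexplained" verdict on an OUTOFSERVICE VIP is the result that would not match the behaviour described in this article.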


    To delete the connection table entries when an rserver goes down, so that packets are no longer forwarded to the down rserver, failaction purge must be configured.

    # Configuring failaction purge


    ACE20/Admin# conf t

    Enter    configuration commands, one per line.  End with CNTL/Z.

    ACE20/Admin(config)#    serverfarm sf

    ACE20/Admin(config-sfarm-host)# failaction purge

    ACE20/Admin(config-sfarm-host)# do sh run serverfarm

    Generating    configuration....

    serverfarm    host sf

      failaction purge

      probe ping

      rserver sv1

        inservice

      rserver sv2

        inservice

    ACE20/Admin(config-sfarm-host)#

    # ACE output with failaction purge configured


    ACE20/Admin# sh rserver

    rserver              : sv1, type: HOST

    state                : OPERATIONAL (verified by    arp response)

    ---------------------------------

                                                    ----------connections-----------

           real                  weight state        current    total

       ---+---------------------+------+------------+----------+--------------------

       serverfarm: sf

           192.168.72.11:0       8      OPERATIONAL  1          19

    rserver              : sv2, type: HOST

    state                : OUTOFSERVICE

    ---------------------------------

                                                    ----------connections-----------

           real                  weight state        current    total

       ---+---------------------+------+------------+----------+--------------------

       serverfarm: sf

           192.168.72.12:0       8      OUTOFSERVICE 0          14

    ACE20/Admin# sh service-policy

    Policy-map :    client-vips

    Status     : ACTIVE

    -----------------------------------------

    Interface:    vlan 771

      service-policy: client-vips

        class: vip

          loadbalance:

            L7 loadbalance policy: lb

            VIP Route Metric     : 77

            VIP Route Advertise  : DISABLED

            VIP ICMP Reply       : ENABLED

            VIP State: INSERVICE

            curr conns       : 1         , hit count        : 19

            dropped conns    : 0

            client pkt count : 173       , client byte count: 8952

            server pkt count : 137       , server byte count: 22123

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

    ACE20/Admin#

    !___ server icmp drop

    ACE20/Admin# sh rserver

    rserver              : sv1, type: HOST

    state                : OPERATIONAL (verified by    arp response)

    ---------------------------------

                                                    ----------connections-----------

           real                  weight state        current    total

       ---+---------------------+------+------------+----------+--------------------

       serverfarm: sf

           192.168.72.11:0       8      PROBE-FAILED 0          19

    !___ as soon as the probe fails, an RST is sent and the connection is torn down (current becomes 0)

    rserver              : sv2, type: HOST

    state                : OUTOFSERVICE

    ---------------------------------

                                                    ----------connections-----------

           real                  weight state        current    total

       ---+---------------------+------+------------+----------+--------------------

       serverfarm: sf

           192.168.72.12:0       8      OUTOFSERVICE 0          14

    ACE20/Admin# sh service-policy

    Policy-map :    client-vips

    Status     : ACTIVE

    -----------------------------------------

    Interface:    vlan 771

      service-policy: client-vips

        class: vip

          loadbalance:

            L7 loadbalance policy: lb

            VIP Route Metric     : 77

            VIP Route Advertise  : DISABLED

            VIP ICMP Reply       : ENABLED

            VIP state: OUTOFSERVICE

            curr conns       : 0         , hit count        : 19

    !___ curr conns becomes 0 as soon as the probe fails

            dropped conns    : 0

            client pkt count : 179       , client byte count: 9238

            server pkt count : 142       , server byte count: 22578

            conn-rate-limit      : 0         , drop-count : 0

            bandwidth-rate-limit : 0         , drop-count : 0

    ACE20/Admin#

    For the failaction purge setting, see also the documentation below. The description of the purge option says that an RST is sent to the client and server, but that applies to TCP; for UDP, the only action is to delete the entry from the connection table.

    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/command/reference/servfarm.html#wp1107574

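    In summary, the behaviour with and without failaction purge is as follows.

    | Protocol | Connection | Without failaction purge                                        | With failaction purge                                                              |
    |----------|------------|-----------------------------------------------------------------|------------------------------------------------------------------------------------|
    | TCP      | Existing   | Uses the existing connection (to the server that failed its probe) | Sends RST to client/server. The entry is also deleted from the ACE connection table |
    | TCP      | New        | Uses another rserver if one is operational                      | Uses another rserver if one is operational                                         |
    | UDP      | Existing   | Uses the existing connection (to the server that failed its probe) | Deletes the entry from the ACE connection table                                    |
    | UDP      | New        | Uses another rserver if one is operational                      | Uses another rserver if one is operational                                         |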

Last updated: 07-30-2010 11:48 AM