
ACE: [Case study] Routed packets are dropped

Because the ACE is a load balancer, its documentation describes load-balancing behaviour in detail but says little about its general functions and behaviour, and treating it like a router or switch can lead to failures.

This article presents one such case.

[Figure routing01.png: topology diagram, client on vlan 777 and server on vlan 778 with the ACE routing between them]

ACE4710a/c1# sh run
Generating configuration....
access-list all line 8 extended permit ip any any
access-group input all
interface vlan 777
  ip address 192.168.77.150 255.255.255.0
  no shutdown
interface vlan 778
  ip address 192.168.78.150 255.255.255.0
  no shutdown

With the configuration above, if the client's default gateway is set to the ACE's int vlan 777 and the server's default gateway to int vlan 778, a ping from the client should reach the ACE, be routed, and be forwarded to the server. Depending on the configuration, however, this ping is dropped by the ACE.

Checking the arp table, both the client and the server have been learned, and pings from the ACE to both succeed. The fib table shows nothing unusual either.

The acl permits all ip packets and its hitcount is increasing, so there appears to be no problem there.

ACE4710a/c1# sh arp
Context c1
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
================================================================================
192.168.77.50   00.00.6c.4c.ab.c9  vlan777   LEARNED    104    14319 sec    up
192.168.77.150  00.12.43.dc.7f.02  vlan777   INTERFACE  LOCAL     _         up
192.168.78.50   00.00.6c.ab.45.13  vlan778   LEARNED    105    14391 sec    up
192.168.78.150  00.12.43.dc.7f.03  vlan778   INTERFACE  LOCAL     _         up
================================================================================
Total arp entries 4
ACE4710a/c1#
ACE4710a/c1#
ACE4710a/c1# ping 192.168.77.50
Pinging 192.168.77.50 with timeout = 2, count = 5, size = 100 ....
Response from 192.168.77.50 :  seq 1 time 0.417 ms
Response from 192.168.77.50 :  seq 2 time 0.291 ms
Response from 192.168.77.50 :  seq 3 time 0.275 ms
Response from 192.168.77.50 :  seq 4 time 0.330 ms
Response from 192.168.77.50 :  seq 5 time 0.271 ms
5 packet sent, 5 responses received, 0% packet loss
ACE4710a/c1#
ACE4710a/c1# ping 192.168.78.50
Pinging 192.168.78.50 with timeout = 2, count = 5, size = 100 ....
Response from 192.168.78.50 :  seq 1 time 0.000 ms
Response from 192.168.78.50 :  seq 2 time 1.308 ms
Response from 192.168.78.50 :  seq 3 time 0.287 ms
Response from 192.168.78.50 :  seq 4 time 0.295 ms
Response from 192.168.78.50 :  seq 5 time 0.287 ms
5 packet sent, 5 responses received, 0% packet loss
ACE4710a/c1#
ACE4710a/c1# sh ip fib
FIB for Context c1 (RouteId 1)
   Codes: H - host,   I - interface
          S - static,      N - nat
          A - need arp resolve,      E - ecmp
Destination         Interface         EncapId  Flags
------------------------------------------------------------------------
224.0.0.0/3         N/A                 DROP   N/A [0x100]
127.1.0.0/24        vlan1                102   SI [0x18]
127.1.2.0/24        vlan4095             101   SI [0x18]
192.168.77.0/24     vlan777                0   IA [0x30]
192.168.78.0/24     vlan778                0   IA [0x30]
192.168.77.50/32    vlan777              104   H [0x3]
127.1.0.0/32        N/A                 DROP   N/A [0x10]
192.168.77.150/32   N/A                 DROP   N/A [0x10]
127.1.0.128/32      vlan1                102   I [0x10]
192.168.78.50/32    vlan778              105   H [0x3]
127.1.0.192/32      vlan1                103   H [0x3]
127.1.0.255/32      N/A                 DROP   N/A [0x10]
192.168.77.0/32     N/A                 DROP   N/A [0x10]
192.168.78.150/32   N/A                 DROP   N/A [0x10]
192.168.77.255/32   N/A                 DROP   N/A [0x10]
192.168.78.0/32     N/A                 DROP   N/A [0x10]
127.1.2.0/32        N/A                 DROP   N/A [0x10]
127.1.2.128/32      vlan4095             101   I [0x10]
192.168.78.255/32   N/A                 DROP   N/A [0x10]
127.1.2.255/32      N/A                 DROP   N/A [0x10]
Total route entries = 20
ACE4710a/c1#
ACE4710a/c1# sh access-list all
access-list:all, elements: 1, status: ACTIVE
  remark :
access-list all line 8 extended permit ip any any (hitcount=400)

The hitcount is increasing, so the icmp packets are being received. Checking the ICM statistics shows the Drop [Proxy RL] counter increasing between two snapshots, as below.

ACE4710a/c1# sh np 1 me-stats -sicm
ICM Statistics (Current)
--------------
Frames Received:                           27685951             7
Close Receive:                               592167             1
Errors:                                        4270             0
IPCP Received:                                   20             0
Close Connection timeout:                         4             0
reap messages received:                          13             0
reap messages processed:                         13             0
reap IPCP Reply:                                 13             0
If lookup error:                                  1             0
(Context 1 Statistics)
Connection [Inserts]:                             4             0
Connection [Deletes]:                             4             0
Transmit -> fastpath:                             2             0
Drop [Proxy RL]:                                494             1
CP Init Received:                                 2             0
ACE4710a/c1#
ACE4710a/c1# sh np 1 me-stats -sicm
ICM Statistics (Current)
--------------
Frames Received:                           27686004             6
Close Receive:                               592177             1
Errors:                                        4270             0
IPCP Received:                                   20             0
Close Connection timeout:                         4             0
reap messages received:                          13             0
reap messages processed:                         13             0
reap IPCP Reply:                                 13             0
If lookup error:                                  1             0
(Context 1 Statistics)
Connection [Inserts]:                             4             0
Connection [Deletes]:                             4             0
Transmit -> fastpath:                             2             0
Drop [Proxy RL]:                                507             1
CP Init Received:                                 2             0
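The comparison the article makes by eye (take two `sh np 1 me-stats -sicm` snapshots and see which counter keeps climbing) can be scripted. The following Python is an added example, not code from the original article: it parses two snapshots and reports the counters that moved, singling out the Drop counters. The sample snapshots are constructed from the values on this page and trimmed to the relevant lines; the `name: total rate` line format is the one shown above.

```python
import re

# Constructed sample: two ICM statistics snapshots taken a few seconds apart,
# trimmed to a subset of lines (values follow the article's output).
SNAPSHOT_1 = """\
ICM Statistics (Current)
--------------
Frames Received:                           27685951             7
Errors:                                        4270             0
(Context 1 Statistics)
Connection [Inserts]:                             4             0
Transmit -> fastpath:                             2             0
Drop [Proxy RL]:                                494             1
"""

SNAPSHOT_2 = """\
ICM Statistics (Current)
--------------
Frames Received:                           27686004             6
Errors:                                        4270             0
(Context 1 Statistics)
Connection [Inserts]:                             4             0
Transmit -> fastpath:                             2             0
Drop [Proxy RL]:                                507             1
"""

# A counter line is "<name>:" followed by a cumulative total and a rate.
COUNTER_RE = re.compile(r"^(?P<name>.+?):\s+(?P<total>\d+)\s+(?P<rate>\d+)\s*$")


def parse_icm_stats(text):
    """Return {counter name: cumulative total} from one ICM statistics dump.
    Header, separator and section lines carry no two trailing integers and are
    ignored."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group("name").strip()] = int(m.group("total"))
    return counters


def diff_counters(before, after):
    """Counters whose cumulative total grew between the two snapshots, with the
    amount of growth. Counters seen only in the later snapshot count from 0."""
    delta = {name: after[name] - before.get(name, 0) for name in after}
    return {name: growth for name, growth in delta.items() if growth > 0}


def drop_counters_rising(before_text, after_text):
    """Names of 'Drop [...]' counters that increased between the snapshots.
    A rising drop counter while the ACL hitcount also rises is the signal the
    article uses to conclude that the ICM, not the ACL, discards the frames."""
    delta = diff_counters(parse_icm_stats(before_text), parse_icm_stats(after_text))
    return sorted(name for name in delta if name.startswith("Drop"))


if __name__ == "__main__":
    for name, growth in diff_counters(parse_icm_stats(SNAPSHOT_1),
                                      parse_icm_stats(SNAPSHOT_2)).items():
        print(f"{name}: +{growth}")
    print("drop counters rising:", drop_counters_rising(SNAPSHOT_1, SNAPSHOT_2))
```

Frames Received grows on any traffic, so the useful signal is a Drop counter moving in step with it; on real output, feed the full dumps captured a few seconds apart while the failing ping is running.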

Since the drops appear to be caused by a Resource Limit, the next step is to check the resources:

ACE4710a/c1# sh resource usage
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: c1
  conc-connections              0          0     199990     199990          0
  mgmt-connections              0          2       9990       9990          0
  proxy-connections             0          0          0          0        511
  xlates                        0          0       6554       6554          0
  acc-connections               0          0         11         11          0
  bandwidth                     0       2308   12375000  136125000          0
    throughput                  0       1488   12375000   12375000          0
    mgmt-traffic rate           0        820          0  123750000          0
  connection rate               0         15      11990      11990          0
  ssl-connections rate          0          0        750        750          0
  mac-miss rate                 0          0        200        200          0
  inspect-conn rate             0          0       4000       4000          0
  http-comp rate                0          0   26214400   26214400          0
  acl-memory                 7648       7648    4880304    4880304          0
  sticky                        0          0       8192       8192          0
  regexp                      457        457     104858     104858          0
  syslog buffer                 0          0     418816    4194304          0
  syslog rate                   0          0      10000      10000          0
ACE4710a/c1#
ACE4710a/c1# sh resource usage
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: c1
  conc-connections              0          0     199990     199990          0
  mgmt-connections              0          2       9990       9990          0
  proxy-connections             0          0          0          0        515
  xlates                        0          0       6554       6554          0
  acc-connections               0          0         11         11          0
  bandwidth                   120       2308   12375000  136125000          0
    throughput                120       1488   12375000   12375000          0
    mgmt-traffic rate           0        820          0  123750000          0
  connection rate               1         15      11990      11990          0
  ssl-connections rate          0          0        750        750          0
  mac-miss rate                 0          0        200        200          0
  inspect-conn rate             0          0       4000       4000          0
  http-comp rate                0          0   26214400   26214400          0
  acl-memory                 7648       7648    4880304    4880304          0
  sticky                        0          0       8192       8192          0
  regexp                      457        457     104858     104858          0
  syslog buffer                 0          0     418816    4194304          0
  syslog rate                   0          0      10000      10000          0
ACE4710a/c1#

Two things stand out: the Denied counter for proxy-connections is increasing, and its Allocation Min/Max are both 0, so no proxy-connection resource has been allocated to this context.

Resources are configured in the Admin context. Checking the configuration there confirms that proxy-connections has been allocated no resource at all. Changing the resource configuration resolves the problem.

ACE4710a/Admin# sh run context c1
Generating configuration....
context c1
  allocate-interface vlan 777-778
  member routing
ACE4710a/Admin# sh run resource-class
Generating configuration....
resource-class routing
  limit-resource all minimum 10.00 maximum equal-to-min
  limit-resource buffer syslog minimum 10.00 maximum unlimited
  limit-resource proxy-connections minimum 0.00 maximum equal-to-min
  limit-resource regexp minimum 10.00 maximum equal-to-min
  limit-resource sticky minimum 1.00 maximum equal-to-min

The key point is that, although the documentation gives the impression that proxy = L7, in practice any traffic the FastPath alone cannot handle consumes proxy resources, not only L7 traffic.

L4 traffic also goes FastPath -> ICM when the connection is established, so it briefly uses a proxy resource. Routed packets likewise need a fib table lookup when the first packet of a flow is processed, which the FastPath alone cannot do, so they too briefly use a proxy resource.

Consequently, a context with no proxy resource allocated at all cannot pass any traffic through the ACE, so take care when defining resource classes.
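The misconfiguration above is easy to catch before it reaches production: every context whose resource-class gives proxy-connections a zero maximum is a context that cannot forward anything. The following Python is an added example, not code from the original article or from Cisco: it parses the `show run context` and `show run resource-class` output shown above, resolves the effective limit for a resource (a specific `limit-resource` line overriding the `all` line, the behaviour consistent with the resource usage table above), flags starved contexts, and separately flags rows in `show resource usage` that are being denied while allocated nothing. The configurations and the usage rows are constructed from this page; the "fixed" resource-class is an assumed correction that simply raises the proxy-connections minimum to the 10.00 used for the other resources.

```python
import re

# Constructed sample: context definition and resource-class from the article's
# Admin context (values follow the page).
CONTEXT_CONFIG = """\
context c1
  allocate-interface vlan 777-778
  member routing
"""

BROKEN_RESOURCE_CLASS = """\
resource-class routing
  limit-resource all minimum 10.00 maximum equal-to-min
  limit-resource buffer syslog minimum 10.00 maximum unlimited
  limit-resource proxy-connections minimum 0.00 maximum equal-to-min
  limit-resource regexp minimum 10.00 maximum equal-to-min
  limit-resource sticky minimum 1.00 maximum equal-to-min
"""

# Assumed correction (not from the page): give proxy-connections the same
# 10.00 minimum as the other resources.
FIXED_RESOURCE_CLASS = BROKEN_RESOURCE_CLASS.replace(
    "proxy-connections minimum 0.00", "proxy-connections minimum 10.00")

# Constructed sample: a few rows of `show resource usage` from the page.
RESOURCE_USAGE = """\
Context: c1
  conc-connections              0          0     199990     199990          0
  proxy-connections             0          0          0          0        515
  xlates                        0          0       6554       6554          0
  syslog buffer                 0          0     418816    4194304          0
"""

LIMIT_RE = re.compile(
    r"^\s*limit-resource\s+(?P<name>.+?)\s+minimum\s+(?P<min>[\d.]+)"
    r"\s+maximum\s+(?P<max>equal-to-min|unlimited|[\d.]+)\s*$")


def parse_resource_classes(text):
    """{class name: {resource: (min_pct, max_pct)}}; max_pct None = unlimited."""
    classes, current = {}, None
    for line in text.splitlines():
        if line.startswith("resource-class "):
            current = line.split()[1]
            classes[current] = {}
            continue
        m = LIMIT_RE.match(line)
        if m and current is not None:
            lo, raw_hi = float(m.group("min")), m.group("max")
            hi = lo if raw_hi == "equal-to-min" else (
                None if raw_hi == "unlimited" else float(raw_hi))
            classes[current][m.group("name")] = (lo, hi)
    return classes


def effective_limit(resource_class, resource):
    """A resource-specific line wins over the 'all' line. A class that names
    neither is treated as allocating nothing (0.0, 0.0); that fallback is an
    assumption of this example, not documented ACE behaviour."""
    return resource_class.get(resource) or resource_class.get("all") or (0.0, 0.0)


def context_memberships(text):
    """{context name: resource-class name} from `show run context` output."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("context "):
            current = line.split()[1]
        elif line.strip().startswith("member ") and current is not None:
            result[current] = line.split()[1]
    return result


def starved_contexts(context_text, class_text, resource="proxy-connections"):
    """Contexts whose resource-class caps `resource` at zero. For
    proxy-connections that means no flow, routed or L4, can get past the ICM."""
    classes = parse_resource_classes(class_text)
    return sorted(ctx for ctx, cls in context_memberships(context_text).items()
                  if effective_limit(classes.get(cls, {}), resource)[1] == 0.0)


def denied_with_zero_allocation(usage_text):
    """Rows of `show resource usage` with Denied > 0 while Min == Max == 0.
    Resource names may contain spaces, so the last five tokens are the numbers."""
    hits = []
    for line in usage_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and all(p.isdigit() for p in parts[-5:]):
            name = " ".join(parts[:-5])
            _cur, _peak, lo, hi, denied = (int(p) for p in parts[-5:])
            if denied > 0 and lo == 0 and hi == 0:
                hits.append(name)
    return hits


if __name__ == "__main__":
    print("starved (broken):", starved_contexts(CONTEXT_CONFIG, BROKEN_RESOURCE_CLASS))
    print("starved (fixed): ", starved_contexts(CONTEXT_CONFIG, FIXED_RESOURCE_CLASS))
    print("denied with zero allocation:", denied_with_zero_allocation(RESOURCE_USAGE))
```

Running the starved-context check against the whole `show run` of the Admin context is a cheap pre-change gate: a resource-class that sets `proxy-connections minimum 0.00 maximum equal-to-min` is never what a routing-only context wants, for the reason the article gives.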

Version history
Revision: 1/1
Last updated: 03-27-2013 12:36 PM