Cisco Support Community

New Member

ACE same old thing cant ping VIP

Here is the config.

We are trying to load balance non-standard ports.

rservers and vserver all show as up,

but the VIP cannot be pinged and no connections flow.

logging enable
logging timestamp
logging buffered 3
resource-class RC1
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
login timeout 60
interface gigabitEthernet 1/1
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  switchport access vlan 1001
  no shutdown
interface gigabitEthernet 1/3
  ft-port vlan 100
  no shutdown
interface gigabitEthernet 1/4
  shutdown
clock timezone standard EST
clock summer-time standard EDT
context Admin
  member RC1
ntp server 208.44.49.1
access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit icmp any any
probe http ghh-http
  port 8888
  interval 5
  passdetect interval 5
  request method head url /ProbeTrigger/probetrigger.htm
  expect status 200 200
  connection term forced
probe icmp ghh-icmp
  interval 5
  passdetect interval 5
rserver host ghh-1
  ip address 172.16.2.137
  conn-limit max 4000000 min 4000000
  inservice
rserver host ghh-2
  ip address 172.16.2.138
  conn-limit max 4000000 min 4000000
  inservice
rserver host ghh-3
  ip address 172.16.2.139
rserver host ghh-4
  ip address 172.16.2.140
rserver host ghh-5
  ip address 172.16.2.142
rserver host ghh-6
  ip address 172.16.2.143
rserver host ghh-7
  ip address 172.16.2.144
rserver host ghh-8
  ip address 172.16.2.145
serverfarm host ghh
  predictor leastconns
  probe ghh-icmp
  rserver ghh-1 30037
    inservice
  rserver ghh-2 30038
    inservice
  rserver ghh-3 30039
  rserver ghh-4 30040
  rserver ghh-5 30042
  rserver ghh-6 30043
  rserver ghh-7 30044
  rserver ghh-8 30045
parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
parameter-map type generic case_generic
  case-insensitive
class-map type management match-any TO-CP-POLICY
  2 match protocol icmp any
  3 match protocol telnet any
  4 match protocol snmp any
  5 match protocol ssh any
class-map match-all ghh_CLASS
  2 match virtual-address 172.16.2.225 any
class-map type generic match-any ghh_generic
class-map type http loadbalance match-any ghh_http
  2 match http url [.]*
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match TO-CP-POLICY
  class TO-CP-POLICY
    permit
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance generic first-match ghh_POLICY
  class class-default
    serverfarm ghh
policy-map multi-match ghhpolicy
  class ghh_CLASS
    loadbalance vip inservice
    loadbalance policy ghh_POLICY
    loadbalance vip icmp-reply
    appl-parameter generic advanced-options case_generic
service-policy input TO-CP-POLICY
interface vlan 1000
  bridge-group 15
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input ghhpolicy
  no shutdown
interface vlan 1001
  bridge-group 15
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input ghhpolicy
  no shutdown
interface bvi 15
  ip address 172.16.1.202 255.255.0.0
  peer ip address 172.16.1.203 255.255.0.0
  no shutdown
ft interface vlan 100
  ip address 192.168.10.11 255.255.255.0
  peer ip address 192.168.10.12 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 20
  ft-interface vlan 100
ft group 1
  peer 1
  priority 200
  associate-context Admin
  inservice
ft track interface track_vlan1000
  track-interface vlan 1000
  peer track-interface vlan 1000
  priority 200
  peer priority 100
ip route 0.0.0.0 0.0.0.0 172.16.1.2

20 REPLIES
Cisco Employee

ACE same old thing cant ping VIP

Hi,

Are you able to ping the gateway? Can you get the output of "show service-policy detail"?

-

Siva

New Member

ACE same old thing cant ping VIP

Yes, the ACE can ping the gateway and all other servers.

Nothing can ping the VIP on the ACE.

switch/Admin# sho service-policy detail
Policy-map : ghhpolicy
Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 1000 1001
  service-policy: ghhpolicy
    class: ghh_CLASS
     VIP Address:                              Protocol:  Port:
     172.16.2.225                              any
      loadbalance:
        L7 loadbalance policy: ghh_POLICY
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        VIP DWS state: DWS_DISABLED
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        conns per second    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : ghh_POLICY
          class/match : class-default
            LB action :
               primary serverfarm: ghh
                    state: UP
                backup serverfarm : -
            hit count        : 0
            dropped conns    : 0
            compression      : off
      compression:
        bytes_in  : 0                          bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0               Deflate: 0
      compression errors:
        User-Agent  : 0               Accept-Encoding    : 0
        Content size: 0               Content type       : 0
        Not HTTP 1.1: 0               HTTP response error: 0
        Others      : 0
switch/Admin#

Cisco Employee

ACE same old thing cant ping VIP

Hi,

It looks like the traffic is not even hitting the VIP. Can you check if the ARP entry for this VIP is being learnt on the gateway? You can also run a packet capture on the ACE to check if the traffic is hitting the VIP.

-

Siva

New Member

ACE same old thing cant ping VIP

Yes, the ARP is on the gateway (ASA firewall).

Packet captures don't seem to show packets reaching the ACE,

even when they are sourced from another DMZ server that doesn't go through the firewall.

New Member

ACE same old thing cant ping VIP

Final word for today:

Seems like VLAN weirdness.

This is bridge mode.

VLAN 1001 is the target servers.

When

service-policy input ghhpolicy

is on VLAN 1001, the target servers can ping the VIP;

removed, they can't.

But that service policy is on VLAN 1000, which is the source clients, and they can't ping the VIP.

Cisco Employee

ACE same old thing cant ping VIP

Hi,

One reason could be a subnet mismatch between the ACE and the gateway. If it was configured as /24 then it won't work; it should be in the same /16 subnet as that of the ACE for VLAN 1000.

The rest of the config looks good, and since the ARP entries are learnt, I don't see any other problem unless the firewall is dropping the packets going towards the ACE.

-

Siva

New Member

ACE same old thing cant ping VIP

Subnets are all correct.

I think the problem is because we have another ACE on the DMZ subnet and the VLANs are confused.

New Member

ACE same old thing cant ping VIP

Also, something I noticed in the ARP table:

On our working ACE, which also has VLANs 1000 and 1001,

the vserver ARP only appears on VLAN 1001.

On this ACE,

the vserver ARP for 172.16.2.225 appears on both the 1000 and 1001 VLANs:

172.16.2.225    00.0b.fc.fe.1b.01  vlan1000  VSERVER    LOCAL     _         up
172.16.2.225    00.0b.fc.fe.1b.01  vlan1001  VSERVER    LOCAL     _         up

Cisco Employee

ACE same old thing cant ping VIP

Because you might have applied the service-policy for the VIP on both the VLANs.

Can you change the config to a different VLAN and subnet not used elsewhere in the network and see if it works?

-

Siva

New Member

ACE same old thing cant ping VIP

That is what I'm going to try in the morning during low-traffic times.

New Member

ACE same old thing cant ping VIP

No joy,

and it doesn't make any sense.

VLANs changed to 1010 and 1011,

BVI changed to 20.

Here is what makes no sense:

If I run the system offline on a test network it works fine.

As soon as I hook it to our main DMZ network it stops responding to requests on the gigabit 1/1 or VLAN 1010 interface.

It does, however, respond to requests on the gigabit 1/2 or VLAN 1011 interface.

Here are the relevant changes:

interface gigabitEthernet 1/1
  switchport access vlan 1010
  no shutdown
interface gigabitEthernet 1/2
  switchport access vlan 1011
  no shutdown
interface gigabitEthernet 1/3
  ft-port vlan 100
  no shutdown
interface vlan 1010
  bridge-group 20
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 1011
  bridge-group 20
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface bvi 20
  ip address 172.16.1.202 255.255.0.0
  peer ip address 172.16.1.203 255.255.0.0
  no shutdown
ft interface vlan 100
  ip address 192.168.10.11 255.255.255.0
  peer ip address 192.168.10.12 255.255.255.0
  no shutdown

New Member

ACE same old thing cant ping VIP

Here is a simple network map:

FIREWALL (gateway)
     |
SWITCH
     |
WEB ACE load balancer
     |
SWITCH with web servers
     |
NEW ACE LB for search servers
     |
SWITCH with search servers

Cisco Employee

ACE same old thing cant ping VIP

The config seems to be fine, as it works in your test setup until you hook it to the DMZ. A capture on the ACE should tell you whether the packet is really hitting the VIP, which I guess you already did. We have to make sure that the packet is hitting the VIP and check the upstream devices where it's getting dropped.

Regards,
Siva

New Member

ACE same old thing cant ping VIP

Captures don't work because so much data is going through that I can't find anything in it.

The ARP for the VIP shows up everywhere on the DMZ: on the firewall, switches, other ACE, etc.

It just never responds when it is placed on the DMZ network.

It responds fine offline.

New Member

ACE same old thing cant ping VIP

More information, and the question of what was changed in 5.x software from 3.x software.

First is the new LB with 5.x software.

Note it thinks it is trunking to another VLAN which doesn't exist in our network.

vlan1010 is up, VLAN up on the physical port
  Hardware type is VLAN
  MAC address is e8:9a:8f:b2:94:b3
  Virtual MAC address is 00:0b:fc:fe:1b:01
  Mode : transparent
  Bridge group number: 20
  FT status is active
  Description:not set
  MTU: 1500 bytes
  Last cleared: never
  Last Changed: Tue Aug 21 08:03:57 2012
  No of transitions: 3
  Alias IP address not set
  Peer IP address not set
  Assigned on the physical port, up on the physical port
  Previous State: Tue Aug 21 08:03:18 2012, VLAN not up on the physical port
  Previous State: Tue Aug 21 07:48:36 2012, BVI up

This is from our other ACE with 3.x software:

vlan1000 is up, BVI configured
  Hardware type is VLAN
  MAC address is 00:1b:24:3d:b3:66
  Virtual MAC address is 00:0b:fc:fe:1b:01
  Mode : transparent
  Bridge group number: 15
  FT status is active
  Description:not set
  MTU: 1500 bytes
  Last cleared: never
  Last Changed: Sun Jun 17 03:30:02 2012
  No of transitions: 1
  Alias IP address not set
  Peer IP address not set
  Assigned on the physical port, up on the physical port

Re: ACE same old thing cant ping VIP

Hi,

Your configuration seems to have redundancy, so I assume that your design is indeed like this, correct?

FIREWALL (gateway)
     |
SWITCH
     |
ACE1/ACE2
     |
SWITCH with web servers
     |
(ACE3/ACE4)
     |
SWITCH with search servers

I assume you are working on ACE1/ACE2, right?

You may consider applying these changes:

-------------------------------------------
interface gigabitEthernet 1/1
  switchport trunk allowed vlan 1010,1011
  no shutdown
interface gigabitEthernet 1/2
  switchport trunk allowed vlan 1010,1011
  no shutdown
interface bvi 20
  description Client and server bridge group 20
  ip address 172.16.1.202 255.255.0.0
  peer ip address 172.16.1.203 255.255.0.0
  no shutdown
interface vlan 1010
  mac-sticky enable
  mac-address autogenerate
  bridge-group 20
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 1011
  mac-sticky enable
  mac-address autogenerate
  bridge-group 20
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.X

New Member

ACE same old thing cant ping VIP

Yes, it's an FT group, and the FT group seems to work fine.

I have opened a TAC case.

Dave

ACE same old thing cant ping VIP

Hello Dave,

In general, when you have a topology like this with 2 groups of ACEs not related, it is recommended to try to have a different FT group number for each one.

FIREWALL (gateway)
     |
SWITCH
     |
ACE1/ACE2
     |
SWITCH with web servers
     |
(ACE3/ACE4)
     |
SWITCH with search servers

I am happy the issue is fixed now

Jorge
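The thread shows both ACE pairs configured with "ft group 1" and both reporting virtual MAC address 00:0b:fc:fe:1b:01 on the shared DMZ, and the fix was to change the group ID. The following is an added example, not code from the thread or from Cisco: a small Python check that parses the "Virtual MAC address" line of ACE "show interface" output, the "ft group N" lines of the configuration and the VSERVER entries of "show arp", and reports any virtual MAC or FT group number that more than one device is using, so a collision like this one can be caught before a second pair goes onto a shared segment. The device names and the sample outputs are constructed (modelled on what the thread quotes); the MAC normaliser is there because "show arp" prints dotted MACs while "show interface" prints colon-separated ones.

```python
from __future__ import annotations

import re
from collections import defaultdict

# --- constructed samples, modelled on the outputs quoted in the thread ---
# Two unrelated ACE pairs on one DMZ; both pairs use "ft group 1" and both
# report the same virtual MAC. Device names are hypothetical.
DEVICES = {
    "web-ace": {
        "show_interface": (
            "vlan1000 is up, BVI configured\n"
            "  Hardware type is VLAN\n"
            "  MAC address is 00:1b:24:3d:b3:66\n"
            "  Virtual MAC address is 00:0b:fc:fe:1b:01\n"
            "  Bridge group number: 15\n"
        ),
        "config": "ft group 1\n  peer 1\n  priority 200\n",
    },
    "search-ace": {
        "show_interface": (
            "vlan1010 is up, VLAN up on the physical port\n"
            "  Hardware type is VLAN\n"
            "  MAC address is e8:9a:8f:b2:94:b3\n"
            "  Virtual MAC address is 00:0b:fc:fe:1b:01\n"
            "  Bridge group number: 20\n"
        ),
        "config": "ft group 1\n  peer 1\n  priority 200\n",
    },
}

# Constructed 'show arp' lines in the dotted spelling the thread quotes.
SAMPLE_ARP = (
    "172.16.2.225    00.0b.fc.fe.1b.01  vlan1000  VSERVER    LOCAL     _         up\n"
    "172.16.2.225    00.0b.fc.fe.1b.01  vlan1001  VSERVER    LOCAL     _         up\n"
)

VMAC_RE = re.compile(r"Virtual MAC address is\s+(\S+)")
FT_GROUP_RE = re.compile(r"^ft group (\d+)[ \t]*$", re.M)
ARP_VSERVER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(vlan\d+)\s+VSERVER", re.M)


def normalize_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form. Accepts the colon spelling of
    'show interface', the dotted spelling of ACE 'show arp' and the
    IOS 'aabb.ccdd.eeff' spelling, so entries from different boxes compare."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_vmacs(show_interface: str) -> set[str]:
    """Virtual MAC addresses reported by 'show interface vlan ...'."""
    return {normalize_mac(m) for m in VMAC_RE.findall(show_interface)}


def parse_ft_groups(config: str) -> set[int]:
    """FT group numbers declared in the running configuration."""
    return {int(g) for g in FT_GROUP_RE.findall(config)}


def vip_vlans(show_arp: str) -> dict[str, list[str]]:
    """VLANs on which each VIP has a VSERVER entry in 'show arp'."""
    seen: dict[str, set[str]] = defaultdict(set)
    for ip, mac, vlan in ARP_VSERVER_RE.findall(show_arp):
        normalize_mac(mac)  # validates the entry; raises on garbage
        seen[ip].add(vlan)
    return {ip: sorted(v) for ip, v in seen.items()}


def find_collisions(devices: dict[str, dict[str, str]]) -> dict[str, dict]:
    """Report virtual MACs and FT group numbers used by more than one device.
    'devices' maps a device name to its 'show_interface' and 'config' text."""
    vmac_owners: dict[str, set[str]] = defaultdict(set)
    group_owners: dict[int, set[str]] = defaultdict(set)
    for name, outputs in devices.items():
        for mac in parse_vmacs(outputs.get("show_interface", "")):
            vmac_owners[mac].add(name)
        for group in parse_ft_groups(outputs.get("config", "")):
            group_owners[group].add(name)
    return {
        "shared_vmacs": {m: sorted(d) for m, d in vmac_owners.items() if len(d) > 1},
        "shared_ft_groups": {g: sorted(d) for g, d in group_owners.items() if len(d) > 1},
    }


if __name__ == "__main__":
    report = find_collisions(DEVICES)
    for mac, owners in report["shared_vmacs"].items():
        print(f"virtual MAC {mac} shared by {', '.join(owners)}")
    for group, owners in report["shared_ft_groups"].items():
        print(f"ft group {group} used by {', '.join(owners)}")
    print("VIP VLAN placement:", vip_vlans(SAMPLE_ARP))
```

Feed it the real "show interface", "show running-config" and "show arp" text collected from each ACE on a segment; a non-empty "shared_vmacs" or "shared_ft_groups" entry is the condition Jorge describes, and vip_vlans shows the VSERVER-on-both-VLANs placement Dave noticed earlier in the thread.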

New Member

ACE same old thing cant ping VIP

Yes, changing the group ID fixed the problem.

Dave

ACE same old thing cant ping VIP

Yep

1287
Views
0
Helpful
20
Replies