01-13-2014 09:59 AM
I've searched..... I cannot figure out why my VIPs do not ping. I have two vlans that both replay to a ping on the interface IPs. And I'm new at this, thanks in advace.
GKEL2-ACE1/35568059-Axia# show run
Generating configuration....
no ft auto-sync startup-config
logging enable
logging timestamp
logging trap 5
logging host 10.85.242.100 udp/514
login timeout 60
crypto chaingroup walnut-wcrt100
cert .dom.cer
cert wcrt100.pem
crypto chaingroup .dom-wcrt100
cert .dom.cer
cert wcrt100.pem
crypto csr-params .dom
country CA
state AB
organization-unit IT
common-name .dom
serial-number 1000
email support
crypto csr-params .dom
country CA
state AB
organization-unit IT
common-name .dom
serial-number 1001
email support
access-list ANYONE line 10 extended permit ip any any
access-list ANYONE line 20 extended permit icmp any any
access-list All line 1 extended permit ip any any
probe http HTTP1025
port 1025
interval 2
faildetect 2
passdetect interval 2
request method get url /Login.css
open 1
probe icmp PING
interval 2
faildetect 2
passdetect interval 60
probe tcp PROBE-TCP
interval 2
faildetect 2
passdetect interval 10
passdetect count 2
open 1
rserver redirect REDIRECT-HTTPS
webhost-redirection https://%h%p 302
inservice
rserver host WL1
ip address 10.205.70.100
inservice
rserver host WL2
ip address 10.205.70.101
inservice
rserver host WLDev1
ip address 10.205.71.202
inservice
rserver host WLDev2
ip address 10.205.71.203
inservice
rserver host WLTest1
ip address 10.205.71.150
inservice
rserver host WLTest2
ip address 10.205.71.151
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-HTTPS
inservice
serverfarm host WEBLOGIC-7433
predictor leastconns
probe PING
rserver WL1 7433
inservice
rserver WL2 7433
inservice
serverfarm host WEBLOGIC-PROD
predictor leastconns
probe PING
rserver WL1 1025
inservice
rserver WL2 1026
inservice
serverfarm host WEBLOGIC-TEST-SSH
predictor leastconns
rserver WLTest1 22
inservice
rserver WLTest2 22
inservice
sticky http-cookie acecookie STICKY-INSERT-COOKIE
cookie insert
serverfarm WEBLOGIC-PROD
action-list type modify http REWRITE
header insert response Via header-value "1.1 web:%ps (ace10-8/a2)value"
header insert request Via header-value "1.1 web:%ps (ace10-8/a2)value"
header insert request X-Forwarded-Proto header-value "%pd"
ssl url rewrite location "*.*"
ssl header-insert session Id
ssl-proxy service ssl-client
ssl-proxy service ssl-proxy
key netcracker.cal.dom.key
cert netcracker.cal.dom.cer
chaingroup netcracker.cal.dom-wcrt100
class-map match-any L4VIPCLASS
2 match virtual-address 10.205.70.80 any
class-map type http loadbalance match-any L7-URL
2 match http url /*.*
class-map type http loadbalance match-all L7SLBCLASS
2 match http url /*
class-map type management match-any REMOTE-MANAGEMENT
2 match protocol telnet any
3 match protocol icmp any
4 match protocol ssh any
5 match protocol snmp any
6 match protocol http any
7 match protocol https any
class-map match-any SSH_Test
2 match virtual-address 10.205.71.80 tcp eq 22
class-map match-any weblogic-7433
2 match virtual-address 10.205.70.80 tcp eq 7433
class-map match-any weblogic-http
2 match virtual-address 10.205.70.80 tcp eq www
class-map match-any weblogic-https
2 match virtual-address 10.205.70.80 tcp eq https
policy-map type management first-match REMOTE-MANAGEMENT
class REMOTE-MANAGEMENT
permit
policy-map type loadbalance first-match L7SLBPOLICY
class L7SLBCLASS
ssl-proxy client ssl-client
policy-map type loadbalance first-match SSH_Test_Policy
class class-default
serverfarm WEBLOGIC-TEST-SSH
policy-map type loadbalance first-match weblogic-7433-policy
class class-default
serverfarm WEBLOGIC-7433
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-http-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-https-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE
class class-default
serverfarm WEBLOGIC-PROD
action REWRITE
ssl-proxy client ssl-proxy
policy-map multi-match L4LSBPOLICY
class L4VIPCLASS
loadbalance policy L7SLBPOLICY
policy-map multi-match LB-VIP
class weblogic-http
loadbalance vip inservice
loadbalance policy weblogic-http-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
class weblogic-https
loadbalance vip inservice
loadbalance policy weblogic-https-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
class weblogic-7433
loadbalance vip inservice
loadbalance policy weblogic-7433-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
policy-map multi-match LB-VIP-Test
class SSH_Test
loadbalance vip inservice
loadbalance policy SSH_Test_Policy
loadbalance vip icmp-reply
interface vlan 3440
description Internal Production
ip address 10.205.70.250 255.255.255.0
access-group input All
access-group output All
nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP
service-policy input L4LSBPOLICY
no shutdown
interface vlan 3516
description Internal Test/Dev
ip address 10.205.71.250 255.255.255.0
access-group input All
access-group output All
nat-pool 2 10.205.71.249 10.205.71.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP-Test
no shutdown
interface vlan 3520
description LB
ip address 10.205.72.1 255.255.255.0
access-group input All
access-group output All
no shutdown
ip route 0.0.0.0 0.0.0.0 10.205.70.253
username admin password 5 $1$r2r0NmEH$z8S0RxYdhwOE4RGXQ41 role Admin domain default-domain
username cust_admin password 5 $1$/tOIIfUK$yigE519cqLq1IFgX. role Admin domain default-domain
01-13-2014 10:11 AM
Hi Axia,
Is it only ping which is not working or everything directed at VIP's doesn't work? If it is ping did you check if it allowed on FW etc?
Can you do "show service-policy
Are you able to ping it from same subnet or switch ? You have configured loadbalance vip icmp reply so it should reply to ICMP requests even if serverfarm is down.
Regards,
Kanwal
01-14-2014 10:33 AM
I have added two more VIPs since yesterday and they respond to to pings properly. The VIPs all work fine just no pings to 10.205.70.80. Thanks
GKEL2-ACE1/35568059-Axia# show service-policy summary
service-policy: L4LSBPOLICY
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
L4VIPCLASS 10.205.70.80 any any 1,3440,3516
10.205.71.80 any any 1,3440,3516
10.205.71.90 any any 1,3440,3516
OUT-SRVC 0 1080 45
service-policy: LB-VIP
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
weblogic-http 10.205.70.80 tcp eq 80 1,3440 IN-SRVC 0 50739 53
weblogic-https 10.205.70.80 tcp eq 443 1,3440 IN-SRVC 0 7384 112
weblogic-7433 10.205.70.80 tcp eq 7433 1,3440 IN-SRVC 0 145306 30
service-policy: LB-VIP-Dev
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
weblogic-http-dev 10.205.71.90 tcp eq 80 1,3516 IN-SRVC 0 0 0
weblogic-https-dev 10.205.71.90 tcp eq 443 1,3516 IN-SRVC 0 0 0
weblogic-7433-dev 10.205.71.90 tcp eq 7433 1,3516 IN-SRVC 0 0 0
service-policy: LB-VIP-Test
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
SSH_Test 10.205.71.80 tcp eq 22 1,3516 IN-SRVC 0 28 24
weblogic-http-test 10.205.71.80 tcp eq 80 1,3516 IN-SRVC 0 96 40
weblogic-https-test 10.205.71.80 tcp eq 443 1,3516 IN-SRVC 0 135 61
weblogic-7433-test 10.205.71.80 tcp eq 7433 1,3516 IN-SRVC 0 27 11
01-14-2014 11:24 AM
Hi Axia,
Ok. Here's the configuration:
policy-map multi-match L4LSBPOLICY
class L4VIPCLASS
loadbalance policy L7SLBPOLICY
You are missing "loadbalance vip inservice" and "loadbalance vip icmp reply". Please apply these commands and that should resolve the issue. You can see in above output it is OUT-SRVC
Regards,
Kanwal
01-14-2014 11:31 AM
policy-map multi-match L4LSBPOLICY
class L4VIPCLASS
loadbalance vip inservice
loadbalance policy L7SLBPOLICY
loadbalance vip icmp-reply
This policy-map isn't really in use I added the lines you mentioned but no effect.
01-14-2014 11:43 AM
Hi Axia,
Could you check if it is OUT-SRVC or IN-SRVC now?
show service-policy L4LSBPOLICY summary.
Can you try a different IP for VIP?
Regards,
Kanwal
01-14-2014 11:48 AM
I have removed that service policy completely. It was from some knowledgebase article when I was trying to get http redirection working.
There is no more L4LSBPOLICY nor L4VIPCLASS, Thanks a lot for looking at this...
GKEL2-ACE1/35568059-Axia# show service-policy summary
service-policy: LB-VIP
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
weblogic-http 10.205.70.80 tcp eq 80 1,3440 IN-SRVC 0 50773 53
weblogic-https 10.205.70.80 tcp eq 443 1,3440 IN-SRVC 0 7406 112
weblogic-7433 10.205.70.80 tcp eq 7433 1,3440 IN-SRVC 0 145321 30
service-policy: LB-VIP-Dev
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
weblogic-http-dev 10.205.71.90 tcp eq 80 1,3516 IN-SRVC 0 0 0
weblogic-https-dev 10.205.71.90 tcp eq 443 1,3516 IN-SRVC 0 0 0
weblogic-7433-dev 10.205.71.90 tcp eq 7433 1,3516 IN-SRVC 0 0 0
service-policy: LB-VIP-Test
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
SSH_Test 10.205.71.80 tcp eq 22 1,3516 IN-SRVC 0 29 24
weblogic-http-test 10.205.71.80 tcp eq 80 1,3516 IN-SRVC 0 117 40
weblogic-https-test 10.205.71.80 tcp eq 443 1,3516 IN-SRVC 0 161 61
weblogic-7433-test 10.205.71.80 tcp eq 7433 1,3516 IN-SRVC 0 27 11
class-map type http loadbalance match-any L7-URL
2 match http url /*.*
class-map type http loadbalance match-all L7SLBCLASS
2 match http url /*
class-map type management match-any REMOTE-MANAGEMENT
2 match protocol telnet any
3 match protocol icmp any
4 match protocol ssh any
5 match protocol snmp any
6 match protocol http any
7 match protocol https any
class-map match-any SSH_Test
2 match virtual-address 10.205.71.80 tcp eq 22
class-map match-any weblogic-7433
2 match virtual-address 10.205.70.80 tcp eq 7433
class-map match-any weblogic-7433-dev
2 match virtual-address 10.205.71.90 tcp eq 7433
class-map match-any weblogic-7433-test
2 match virtual-address 10.205.71.80 tcp eq 7433
class-map match-any weblogic-http
2 match virtual-address 10.205.70.80 tcp eq www
class-map match-any weblogic-http-dev
2 match virtual-address 10.205.71.90 tcp eq www
class-map match-any weblogic-http-test
2 match virtual-address 10.205.71.80 tcp eq www
class-map match-any weblogic-https
2 match virtual-address 10.205.70.80 tcp eq https
class-map match-any weblogic-https-dev
2 match virtual-address 10.205.71.90 tcp eq https
class-map match-any weblogic-https-test
2 match virtual-address 10.205.71.80 tcp eq https
policy-map type management first-match REMOTE-MANAGEMENT
class REMOTE-MANAGEMENT
permit
policy-map type loadbalance first-match L7SLBPOLICY
class L7SLBCLASS
ssl-proxy client ssl-client
policy-map type loadbalance first-match SSH_Test_Policy
class class-default
serverfarm WEBLOGIC-TEST-SSH
policy-map type loadbalance first-match weblogic-7433-dev-policy
class class-default
serverfarm WEBLOGIC-7433-Dev
policy-map type loadbalance first-match weblogic-7433-policy
class class-default
serverfarm WEBLOGIC-7433
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-7433-test-policy
class class-default
serverfarm WEBLOGIC-7433-Test
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-http-dev-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-http-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-http-test-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-https-dev-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE-DEV
class class-default
serverfarm WEBLOGIC-DEV
action REWRITE
policy-map type loadbalance first-match weblogic-https-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE
class class-default
serverfarm WEBLOGIC-PROD
action REWRITE
ssl-proxy client ssl-proxy
policy-map type loadbalance first-match weblogic-https-test-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE-TEST
class class-default
serverfarm WEBLOGIC-TEST
action REWRITE
ssl-proxy client ssl-proxy-nctest
policy-map multi-match LB-VIP
class weblogic-http
loadbalance vip inservice
loadbalance policy weblogic-http-policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 3440
class weblogic-https
loadbalance vip inservice
loadbalance policy weblogic-https-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
class weblogic-7433
loadbalance vip inservice
loadbalance policy weblogic-7433-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
policy-map multi-match LB-VIP-Dev
class weblogic-http-dev
loadbalance vip inservice
loadbalance policy weblogic-http-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-https-dev
loadbalance vip inservice
loadbalance policy weblogic-https-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-7433-dev
loadbalance vip inservice
loadbalance policy weblogic-7433-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
policy-map multi-match LB-VIP-Test
class SSH_Test
loadbalance vip inservice
loadbalance policy SSH_Test_Policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-http-test
loadbalance vip inservice
loadbalance policy weblogic-http-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-https-test
loadbalance vip inservice
loadbalance policy weblogic-https-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
ssl-proxy server ssl-proxy-nctest
class weblogic-7433-test
loadbalance vip inservice
loadbalance policy weblogic-7433-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
ssl-proxy server ssl-proxy-nctest
interface vlan 3440
description Internal Production
ip address 10.205.70.250 255.255.255.0
mac-sticky enable
access-group input All
access-group output All
nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP
no shutdown
interface vlan 3516
description Internal Test/Dev
ip address 10.205.71.250 255.255.255.0
mac-sticky enable
access-group input All
access-group output All
nat-pool 1 10.205.71.240 10.205.71.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP-Test
service-policy input LB-VIP-Dev
no shutdown
interface vlan 3520
description LB
ip address 10.205.72.1 255.255.255.0
access-group input All
access-group output All
no shutdown
ip route 0.0.0.0 0.0.0.0 10.205.70.253
01-14-2014 11:51 AM
I added an IP to this one policy and it Pings properly. but still not .80
class-map match-any weblogic-7433
2 match virtual-address 10.205.70.80 tcp eq 7433
3 match virtual-address 10.205.70.81 tcp eq 7433
01-14-2014 12:25 PM
Hi Axia,
Let us concentrate on one.
class-map match-any weblogic-http
2 match virtual-address 10.205.70.80 tcp eq www
policy-map type loadbalance first-match weblogic-http-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map multi-match LB-VIP
class weblogic-http
loadbalance vip inservice
loadbalance policy weblogic-http-policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 3440
interface vlan 3440
description Internal Production
ip address 10.205.70.250 255.255.255.0
mac-sticky enable
access-group input All
access-group output All
nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP
no shutdown
Can you tell me what is the status of serverfarm here? You have loadbalance vip icmp-reply active which means that rserver in serverfarm should be active for VIP to reply to ping. If you just configure loadbalance vip icmp-reply, it will ignore serverfarm status and reply to ping. Can you check on that?
Regards,
Kanwal
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: