01-31-2006 05:44 PM
We have an interesting issue with SLB that is somewhat perplexing. We have two Catalyst 6500s (CAT1 and CAT2) with the following build.
Mod Ports Card Type
--- ----- -------------------------------------- ------------------
  1     4 CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE
  2    16 16 port 1000mb GBIC ethernet           WS-X6416-GBIC
  3     0 2 port adapter FlexWAN                 WS-X6182-2PA
  4     0 SLB Application Processor Complex      WS-X6066-SLB-APC
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-BASE
  6     2 Supervisor Engine 720 (Hot)            WS-SUP720-BASE
  7     6 Firewall Module                        WS-SVC-FWM-1
  8    48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX
  9    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
They have been set up to run SLB and are load sharing across 4 proxy servers for corporate Internet traffic. The virtual server address is redistributed into EIGRP and the SLB-APC in CAT1 is active.
ip slb probe PROXY-FAIL tcp
 port 3128
 interval 3
!
ip slb serverfarm INET-PROXIES
 predictor leastconns
 probe PROXY-FAIL
 !
 real 10.1.6.5
  faildetect numconns 30
  retry 30
  inservice
 !
[edit]
!
ip slb vserver INET-PROXY-VIP
 virtual 10.5.0.1 tcp 3128
 serverfarm INET-PROXIES
 advertise active
 inservice
!
module ContentSwitchingModule 4
 ft group 1 vlan 905
  priority 100
  failover 3
  preempt
!
HSRP is in use on all the VLANs, specifically on the VLAN to the proxies. From a config perspective both devices are effectively identical.
Fault:
If a user is using CAT2 and they browse to www.lastminute.com, they will typically get the main page, be able to click one or two pages in, and then get a "this page cannot be displayed" error. If they click refresh, the page will be displayed.
If they are using CAT1 and they browse, then everything is OK.
This has been tested by swinging the active HSRP across to either CAT1 or CAT2 and taking the other vserver out-of-service. It has been verified using show ip slb conn that all traffic is going via the device under test, either CAT1 or CAT2.
The only difference that can be seen is on CAT2: when you issue the show ip slb con command, all connections are shown as CLOSING.
CAT2#sh ip slb CONNections
vserver          prot  client                real        state    nat
-------------------------------------------------------------------------------
INET-PROXY-VIP   TCP   10.2.6.252:54193      10.1.6.15   CLOSING  none
INET-PROXY-VIP   TCP   10.2.6.252:54192      10.1.6.20   CLOSING  none
INET-PROXY-VIP   TCP   10.2.6.252:54195      10.1.6.10   CLOSING  none
INET-PROXY-VIP   TCP   10.2.6.252:54194      10.1.6.5    CLOSING  none
Etc..
.Jan 30 19:37:45: SLB_CONN_DEBUG: TCP event= RST_CLIENT, state= INIT -> ZOMBIE
.Jan 30 19:37:45: v_ip= 10.1.0.1:3128 ( 7), real= 10.1.6.20
.Jan 30 19:37:45: client= 10.7.34.84:1804
.Jan 30 19:37:45: SLB_CONN_DEBUG: TCP event= DATA_CLIENT, state= CLOSING -> CLOSING
.Jan 30 19:37:45: v_ip= 10.1.0.1:3128 ( 7), real= 10.1.6.5
.Jan 30 19:37:45: client= 10.7.34.84:1804
On CAT1, when all is working, you see a heap of ESTABLISHED under the show ip slb conn and other expected states. It's almost as if the router is forcing the session to close?
All reals are operational as expected.
CAT2#sh ip slb reals
real         farm name      weight  state        conns
-------------------------------------------------------------------
10.1.6.5     INET-PROXIES   8       OPERATIONAL  9
10.1.6.10    INET-PROXIES   8       OPERATIONAL  8
10.1.6.15    INET-PROXIES   8       OPERATIONAL  8
10.1.6.20    INET-PROXIES   8       OPERATIONAL  12
Does anyone have any ideas here? What is this ZOMBIE state all about?
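An added example, not part of the original posts: Python that parses the CAT2 show ip slb conns rows and the SLB_CONN_DEBUG lines quoted above, reports vservers whose every listed connection is in one state, and lists client sockets that the debug output shows against more than one real. The function names and regular expressions are this example's own assumptions about the quoted output format.

```python
import re

# Both samples are copied from the CAT2 output quoted in the post above.
SHOW_CONNS = """\
INET-PROXY-VIP TCP 10.2.6.252:54193 10.1.6.15 CLOSING none
INET-PROXY-VIP TCP 10.2.6.252:54192 10.1.6.20 CLOSING none
INET-PROXY-VIP TCP 10.2.6.252:54195 10.1.6.10 CLOSING none
INET-PROXY-VIP TCP 10.2.6.252:54194 10.1.6.5 CLOSING none
"""
DEBUG = """\
.Jan 30 19:37:45: SLB_CONN_DEBUG: TCP event= RST_CLIENT, state= INIT -> ZOMBIE
.Jan 30 19:37:45: v_ip= 10.1.0.1:3128 ( 7), real= 10.1.6.20
.Jan 30 19:37:45: client= 10.7.34.84:1804
.Jan 30 19:37:45: SLB_CONN_DEBUG: TCP event= DATA_CLIENT, state= CLOSING -> CLOSING
.Jan 30 19:37:45: v_ip= 10.1.0.1:3128 ( 7), real= 10.1.6.5
.Jan 30 19:37:45: client= 10.7.34.84:1804
"""
# Assumed row layout: vserver, protocol, client ip:port, real, state, nat.
CONN = re.compile(r"^(\S+)\s+(?:TCP|UDP)\s+(\S+:\d+)\s+(\S+)\s+(\S+)\s+\S+[ \t]*$", re.M)
EVENT = re.compile(r"TCP event=\s*(\w+), state=\s*(\w+)\s*->\s*(\w+)")
REAL = re.compile(r"v_ip=\s*(\S+).*real=\s*(\S+)")
CLIENT = re.compile(r"client=\s*(\S+)")

def stuck_vservers(text, state="CLOSING"):
    """Vservers whose every listed connection is in `state`."""
    by_vs = {}
    for m in CONN.finditer(text):
        by_vs.setdefault(m[1], set()).add(m[4])
    return sorted(v for v, s in by_vs.items() if s == {state})

def debug_events(text):
    """Fold each three-line SLB_CONN_DEBUG record into one dict."""
    events = []
    for line in text.splitlines():
        if m := EVENT.search(line):
            events.append({"event": m[1], "from": m[2], "to": m[3]})
        elif events and (m := REAL.search(line)):
            events[-1].update(vip=m[1], real=m[2])
        elif events and (m := CLIENT.search(line)):
            events[-1]["client"] = m[1]
    return events

def clients_on_multiple_reals(events):
    """Client sockets the debug output shows against more than one real."""
    seen = {}
    for e in events:
        if "client" in e and "real" in e:
            seen.setdefault(e["client"], set()).add(e["real"])
    return {c: sorted(r) for c, r in seen.items() if len(r) > 1}
```

Run on the lines quoted in the post, the last function returns client socket 10.7.34.84:1804 against both 10.1.6.20 and 10.1.6.5.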
02-01-2006 05:27 AM
Let me first talk about the config.
I see you have configured 'module contentswitching 4'.
Do you have a CSM?
Is the SLB config used with the CSM or with the MSFC?
I mean, what device is supposed to do the load balancing, CSM or MSFC?
If CSM, just be aware that the ip slb commands are not supported anymore. We recommend configuring the CSM using the CSM commands.
About your issue, do you know how long it takes for the connections to go into CLOSING?
Could you capture a sniffer trace of the CSM port-channel [or MSFC port-channel, depending on which device does the load balancing] when having the issue with CAT2?
Is there any IDS [intrusion detection system] device in your network?
Thanks,
Gilles.
02-03-2006 09:23 AM
Hello Gilles
Yes there is a CSM. It is configured for load balancing other farms but doesn't have any configuration related to the IOS SLB configuration.
Are there any issues in using a CSM and also SLB in the same chassis?
I do not believe there is an IDS in the network.
Regards
Colin