Interesting SLB Issue - CLOSING connections.

philip.neeson
Level 1

We have an interesting issue with SLB that is somewhat perplexing. We have two Catalyst 6500s (CAT1 and CAT2) with the following build.

Mod Ports Card Type
--- ----- -------------------------------------- ------------------
  1     4 CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE
  2    16 16 port 1000mb GBIC ethernet           WS-X6416-GBIC
  3     0 2 port adapter FlexWAN                 WS-X6182-2PA
  4     0 SLB Application Processor Complex      WS-X6066-SLB-APC
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-BASE
  6     2 Supervisor Engine 720 (Hot)            WS-SUP720-BASE
  7     6 Firewall Module                        WS-SVC-FWM-1
  8    48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX
  9    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX

They have been set up to run SLB and are load sharing across 4 proxy servers for corporate Internet traffic. The virtual server address is redistributed into EIGRP and the SLB-APC in CAT1 is active.

ip slb probe PROXY-FAIL tcp
 port 3128
 interval 3
!
ip slb serverfarm INET-PROXIES
 predictor leastconns
 probe PROXY-FAIL
 !
 real 10.1.6.5
  faildetect numconns 30
  retry 30
  inservice
 !
[edit]
!
ip slb vserver INET-PROXY-VIP
 virtual 10.5.0.1 tcp 3128
 serverfarm INET-PROXIES
 advertise active
 inservice
!
module ContentSwitchingModule 4
 ft group 1 vlan 905
  priority 100
  failover 3
  preempt
!

HSRP is in use on all the VLANs, specifically on the VLAN to the proxies. From a config perspective both devices are effectively identical.

Fault:

If a user is using CAT2 and they browse to www.lastminute.com, they will typically get the main page, be able to click one or two pages in and then get a “this page cannot be displayed” error. If they click refresh the page will be displayed.

If they are using CAT1 and they browse, then everything is OK.

This has been tested by swinging the active HSRP across to either CAT1 or CAT2 and taking the other vserver out-of-service. It has been verified using “show ip slb conn” that all traffic is going via the device under test, either CAT1 or CAT2.

The only difference that can be seen is on CAT2: when you issue the “show ip slb con” command, all connections are shown as “CLOSING”.

CAT2#sh ip slb CONNections
vserver         prot client             real       state    nat
-------------------------------------------------------------------------------
INET-PROXY-VIP  TCP  10.2.6.252:54193   10.1.6.15  CLOSING  none
INET-PROXY-VIP  TCP  10.2.6.252:54192   10.1.6.20  CLOSING  none
INET-PROXY-VIP  TCP  10.2.6.252:54195   10.1.6.10  CLOSING  none
INET-PROXY-VIP  TCP  10.2.6.252:54194   10.1.6.5   CLOSING  none

Etc..

.Jan 30 19:37:45: SLB_CONN_DEBUG: TCP event= RST_CLIENT, state= INIT -> ZOMBIE
.Jan 30 19:37:45: v_ip= 10.1.0.1:3128 ( 7), real= 10.1.6.20
.Jan 30 19:37:45: client= 10.7.34.84:1804
.Jan 30 19:37:45: SLB_CONN_DEBUG: TCP event= DATA_CLIENT, state= CLOSING -> CLOSING
.Jan 30 19:37:45: v_ip= 10.1.0.1:3128 ( 7), real= 10.1.6.5
.Jan 30 19:37:45: client= 10.7.34.84:1804

On CAT1, when all is working, you see a heap of ESTABLISHED under the “show ip slb conn” and other expected states. It's almost as if the router is forcing the session to close?

All reals are operational as expected.

CAT2#sh ip slb reals
real        farm name      weight  state        conns
-------------------------------------------------------------------
10.1.6.5    INET-PROXIES   8       OPERATIONAL  9
10.1.6.10   INET-PROXIES   8       OPERATIONAL  8
10.1.6.15   INET-PROXIES   8       OPERATIONAL  8
10.1.6.20   INET-PROXIES   8       OPERATIONAL  12

Does anyone have any ideas here? What is this ZOMBIE state all about?
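
An added example, not part of the original post and not Cisco tooling: a small Python parser for the three-line SLB_CONN_DEBUG records and the "show ip slb conns" rows quoted above. It tallies connection states, flags client data arriving on flows already in CLOSING, and lists client sockets logged against more than one real. The function names are hypothetical, and the sample input is copied from the post.

```python
import re
from collections import Counter

# Debug lines and "show ip slb conns" rows copied from the CAT2 output in the post.
SAMPLE_DEBUG = """\
.Jan 30 19:37:45: SLB_CONN_DEBUG: TCP event= RST_CLIENT, state= INIT -> ZOMBIE
.Jan 30 19:37:45: v_ip= 10.1.0.1:3128 ( 7), real= 10.1.6.20
.Jan 30 19:37:45: client= 10.7.34.84:1804
.Jan 30 19:37:45: SLB_CONN_DEBUG: TCP event= DATA_CLIENT, state= CLOSING -> CLOSING
.Jan 30 19:37:45: v_ip= 10.1.0.1:3128 ( 7), real= 10.1.6.5
.Jan 30 19:37:45: client= 10.7.34.84:1804
"""
SAMPLE_CONNS = """\
INET-PROXY-VIP TCP 10.2.6.252:54193 10.1.6.15 CLOSING none
INET-PROXY-VIP TCP 10.2.6.252:54192 10.1.6.20 CLOSING none
INET-PROXY-VIP TCP 10.2.6.252:54195 10.1.6.10 CLOSING none
INET-PROXY-VIP TCP 10.2.6.252:54194 10.1.6.5 CLOSING none
"""
EVENT_RE = re.compile(r"SLB_CONN_DEBUG: TCP event= (\w+), state= (\w+) -> (\w+)")
REAL_RE = re.compile(r"v_ip= (\S+) .*real= (\S+)")
CLIENT_RE = re.compile(r"client= (\S+)")

def parse_debug(text):
    """Group each event line and its two continuation lines into one dict."""
    events = []
    for line in text.splitlines():
        if m := EVENT_RE.search(line):
            events.append({"event": m[1], "old": m[2], "new": m[3]})
        elif events and (m := REAL_RE.search(line)):
            events[-1].update(vip=m[1], real=m[2])
        elif events and (m := CLIENT_RE.search(line)):
            events[-1]["client"] = m[1]
    return events

def data_after_close(events):
    """Events where the client sends data on a flow already in CLOSING."""
    return [e for e in events if e["event"] == "DATA_CLIENT" and e["old"] == "CLOSING"]

def reals_per_client(events):
    """Client ip:port pairs whose events reference more than one real."""
    seen = {}
    for e in events:
        if "client" in e and "real" in e:
            seen.setdefault(e["client"], set()).add(e["real"])
    return {c: sorted(r) for c, r in seen.items() if len(r) > 1}

def state_counts(conn_text):
    """Tally the state column of 'show ip slb conns' data rows."""
    rows = (line.split() for line in conn_text.splitlines())
    return Counter(r[4] for r in rows if len(r) == 6 and r[1] in ("TCP", "UDP"))
```

On the quoted lines, `reals_per_client` reports client 10.7.34.84:1804 logged against both 10.1.6.20 and 10.1.6.5 within the same second.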

2 Replies

Gilles Dufour
Cisco Employee

Let me first talk about the config.

I see you have configured 'module contentswitching 4'.

Do you have a CSM?

Is the SLB config used with the CSM or with the MSFC?

I mean, what device is supposed to do the load balancing, CSM or MSFC?

If CSM, just be aware that the ip slb commands are not supported anymore. We recommend configuring the CSM using the CSM commands.

About your issue, do you know how long it takes for the connections to go into CLOSING?

Could you capture a sniffer trace of the CSM port-channel [or MSFC port-channel, depending on which device does the load balancing] when having the issue with CAT2?

Is there any IDS [intrusion detection system] device in your network?

Thanks,

Gilles.

Hello Gilles

Yes, there is a CSM. It is configured for load balancing other farms but doesn't have any configuration related to the IOS SLB configuration.

Are there any issues in using a CSM and also SLB in the same chassis?

I do not believe there is an IDS in the network.

Regards

Colin