Unable to Ping VIP address

AndyGB5150 · ‎10-14-2010

Hello All,

I have been given the task in trying to get a cisco ACE 4710 to work. below is the current config.

Also I have added a couple of screen shots of extra's.

Could anybody out there help.

SLB-P1/Admin# sh run
Generating configuration....

boot system image:c4710ace-mz.A3_2_0.bin

hostname SLB-P1
interface gigabitEthernet 1/1
description Client
switchport access vlan 210
no shutdown
interface gigabitEthernet 1/2
description No connection "Not Configured"
no shutdown
interface gigabitEthernet 1/3
description Server VLAN
switchport access vlan 220
no shutdown
interface gigabitEthernet 1/4
description Management access for gui console
switchport access vlan 200
no shutdown

access-list ALL line 8 extended permit ip any any

probe https Server1
ip address 10.11.22.10 routed
interval 15
passdetect interval 60
ssl version all
open 10

parameter-map type connection was-test

rserver host server3-P1
ip address 10.11.22.10
conn-limit max 4000000 min 4000000
inservice
rserver host server3
ip address 10.11.22.11
conn-limit max 4000000 min 4000000
inservice

serverfarm host WebApplicationServers
description Server Farm for server1 and server3
probe server1
rserver server1
    conn-limit max 4000000 min 4000000
    inservice
rserver server3
    conn-limit max 4000000 min 4000000
    probe server1
    inservice

class-map match-all VIPA
2 match virtual-address 10.11.21.10 tcp eq www
class-map match-all VIPAA
2 match virtual-address 10.11.21.10 tcp eq https
class-map match-all VIPB
2 match virtual-address 10.11.21.11 tcp eq www
class-map match-all VIPBB
2 match virtual-address 10.11.21.11 tcp eq https
class-map type management match-any remote_access
201 match protocol xml-https any
202 match protocol icmp any
203 match protocol telnet any
204 match protocol ssh any
205 match protocol http any
206 match protocol https any
207 match protocol snmp any
class-map match-any was_access1
221 match any

policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit

policy-map type loadbalance first-match VIPA-l7slb
class class-default
    serverfarm WebApplicationServers
policy-map type loadbalance first-match VIPAA-l7slb
class class-default
    serverfarm WebApplicationServers
policy-map type loadbalance first-match VIPB-l7slb
class class-default
    serverfarm WebApplicationServers
policy-map type loadbalance first-match VIPBB-l7slb
class class-default
    serverfarm WebApplicationServers

policy-map multi-match AllowWASaccess
class was_access1
    connection advanced-options was-test
policy-map multi-match int210
class VIPA
    loadbalance vip inservice
    loadbalance policy VIPA-l7slb
    loadbalance vip icmp-reply active
class VIPB
    loadbalance vip inservice
    loadbalance policy VIPB-l7slb
    loadbalance vip icmp-reply active
class VIPAA
    loadbalance vip inservice
    loadbalance policy VIPAA-l7slb
    loadbalance vip icmp-reply active
class VIPBB
    loadbalance vip inservice
    loadbalance policy VIPBB-l7slb
    loadbalance vip icmp-reply active

interface vlan 200
description "MGMT VLAN"
ip address 10.11.20.2 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 210
description "Client Front VLAN 210"
ip address 10.11.21.2 255.255.255.0
no icmp-guard
access-group input ALL
service-policy input int210
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 220
description "Server VLAN 220"
ip address 10.11.22.2 255.255.255.0
no icmp-guard
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown

ip route 0.0.0.0 0.0.0.0 10.11.21.1
ip route 10.12.0.0 255.255.0.0 10.11.21.1

snmp-server contact "ANM"
snmp-server location "ANM"
snmp-server community ro group Network-Monitor
snmp-server community public group Network-Monitor

snmp-server trap-source vlan 200

username admin password 5 $1$rwILxGER$DivbGN5nc5orFToqoCLNk0 role Admin domain
default-domain
username www password 5 $1$UQ5GIBhQ$/AomBaMRgyFzieuHCvEQK/ role Admin domain de
fault-domain

AndyGB5150 · ‎10-14-2010

kitanaka · ‎10-14-2010

Hello,

Could you pls try removing "loadbalance vip icmp-reply active" in those classes in the multimatch policy,

then configure "loadbalance vip icmp-reply" instead.

Or make VIP-State are INSERVICE and try ping to it.

Regards,

Kimihito.

Gilles Dufour · ‎10-14-2010

Your problem is that the vip is out of service.

Could you send us a 'show serverfarm' and a 'show probe details'

BTW, the probe does not look correct.

probe https Server1
ip address 10.11.22.10 routed <===== not good.
interval 15
passdetect interval 60
ssl version all
open 10

So try to remove the probe from the serverfarm.

Thanks,

Gilles.

AndyGB5150 · ‎10-14-2010

Thanks again for

all your help.

SLB-P1/Admin# show probe

probe       : server1
type        : HTTPS
state       : ACTIVE
----------------------------------------------
   port      : 443     address     : 10.11.22.10     addr type : ROUTED
   interval : 15      pass intvl : 60              pass count : 3
   fail count: 3       recv timeout: 10
                ------------------ probe results ------------------
   associations ip-address      port porttype probes   failed   passed   health

------------ ---------------+-----+--------+--------+--------+--------+------

   real        : server3[0]
     serverfarm: WebApplicationServers
                10.11.22.10     80    VIP      96       96       0        FAILED

10.11.22.10 443 VIP 96 96 0 FAILED

   serverfarm : WebApplicationServers
     real      : server1[0]
                10.11.22.10     80    VIP      96       96       0        FAILED

10.11.22.10 443 VIP 96 96 0 FAILED

real : server3[0]
10.11.22.10 80 VIP 96 96 0 FAILED

10.11.22.10 443 VIP 96 96 0 FAILED

SLB-P1/Admin# show se
security serverfarm service-policy
SLB-P1/Admin# show serverfarm

   serverfarm           type      rservers predictor          current conns
+--------------------+---------+--------+------------------+---------------
   WebApplicationServers
                        HOST      2        ROUNDROBIN         0

Gilles Dufour · ‎10-14-2010

probe https Server1
ip address 10.11.22.10 routed <===== not good.
interval 15
passdetect interval 60
ssl version all
open 10

So try to remove the probe from the serverfarm.

Gilles.

AndyGB5150 · ‎10-14-2010

How are the Cisco Ace devices setup.

Do they have direct connections from any of the 4 ethernet ports to a real server or do they connect to a switch and the vlans work that way.

we are using a 2960g switch which won't allow router on layer 3 if you type "no swithport" which would put a port into layer three mode.

All of the diagrams show that the Ace 4700's are connected to routers.

Gilles Dufour · ‎10-14-2010

you can either connect the server directly or go through a switch as described in your diagram.

Like any routing/switching device, check your L2 and L3 connectivity before trying extra features.

show interface

show arp

ping

...

Your probe config is wrong because it says to send all probes to ip address x.x.x.x in a routed mode.

This is not what you need.

So, start by removing the probe and see if that works.

Than you can focus on the probe.

Always start from easy setup and build from it.

Especially if you're new to the device.

Gilles.

AndyGB5150 · ‎10-14-2010

Thanks again for all your help.

I can now ping the vip but not the real server however this may due to a firewall rule.

Context Admin
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface Type      Encap NextArp(s) Status
================================================================================
10.11.20.2      00.23.8b.03.99.2e vlan200   INTERFACE LOCAL     _         up
10.11.20.10     00.0d.56.7d.84.e5 vlan200   LEARNED    4      12587 sec    up
10.11.21.1      00.00.00.00.00.00 vlan210   GATEWAY    -                   dn
10.11.21.2      00.23.8b.03.99.2e vlan210   INTERFACE LOCAL     _         up
10.11.21.10     00.23.8b.03.99.2e vlan210   VSERVER    LOCAL     _         up
10.11.21.11     00.23.8b.03.99.2e vlan210   VSERVER    LOCAL     _         up
10.11.22.2      00.23.8b.03.99.2e vlan220   INTERFACE LOCAL     _         up
10.11.22.10     00.00.00.00.00.00 vlan220   RSERVER    -       * 2 req     dn
10.11.22.11     00.00.00.00.00.00 vlan220   RSERVER    -       * 2 req     dn
================================================================================
Total arp entries 9
SLB-P1/Admin# ping 10.11.22.10
Pinging 10.11.22.10 with timeout = 2, count = 5, size = 100 ....

No response received from 10.11.22.10 within last 2 sec
No response received from 10.11.22.10 within last 2 sec
No response received from 10.11.22.10 within last 2 sec
No response received from 10.11.22.10 within last 2 sec
No response received from 10.11.22.10 within last 2 sec
5 packet sent, 0 responses received, 100% packet loss
SLB-P1/Admin# ping 10.11.21.10
Pinging 10.11.21.10 with timeout = 2, count = 5, size = 100 ....

No response received from 10.11.21.10 within last 2 sec
No response received from 10.11.21.10 within last 2 sec
No response received from 10.11.21.10 within last 2 sec
No response received from 10.11.21.10 within last 2 sec
No response received from 10.11.21.10 within last 2 sec
5 packet sent, 0 responses received, 100% packet loss
SLB-P1/Admin# ping 10.11.22.1
Pinging 10.11.22.1 with timeout = 2, count = 5, size = 100 ....

No response received from 10.11.22.1 within last 2 sec
No response received from 10.11.22.1 within last 2 sec
No response received from 10.11.22.1 within last 2 sec
No response received from 10.11.22.1 within last 2 sec
No response received from 10.11.22.1 within last 2 sec
5 packet sent, 0 responses received, 100% packet loss
SLB-P1/Admin# ping 10.11.22.2
Response from 10.11.22.2 : seq 1 time 0.000 ms
Response from 10.11.22.2 : seq 2 time 0.000 ms
Response from 10.11.22.2 : seq 3 time 0.000 ms
Response from 10.11.22.2 : seq 4 time 0.000 ms
Response from 10.11.22.2 : seq 5 time 0.000 ms
SLB-P1/Admin# ping 10.11.21.2
Response from 10.11.21.2 : seq 1 time 0.000 ms
Response from 10.11.21.2 : seq 2 time 0.000 ms
Response from 10.11.21.2 : seq 3 time 0.000 ms
Response from 10.11.21.2 : seq 4 time 0.000 ms
Response from 10.11.21.2 : seq 5 time 0.000 ms

Thanks again for all you help.

Nearly there.

I'm considering having a crack at this Certification before my CCNP.

best regards

AndyGB5150 · ‎10-14-2010

Sorry Chaps.

Everything seems to be running and pinging however the real servers are still down.

Context Admin
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface Type      Encap NextArp(s) Status
================================================================================
10.11.20.2      00.23.8b.03.99.2e vlan200   INTERFACE LOCAL     _         up
10.11.20.10     00.0d.56.7d.84.e5 vlan200   LEARNED    4      12587 sec    up
10.11.21.1      00.00.00.00.00.00 vlan210   GATEWAY    -                   dn
10.11.21.2      00.23.8b.03.99.2e vlan210   INTERFACE LOCAL     _         up
10.11.21.10     00.23.8b.03.99.2e vlan210   VSERVER    LOCAL     _         up
10.11.21.11     00.23.8b.03.99.2e vlan210   VSERVER    LOCAL     _         up
10.11.22.2      00.23.8b.03.99.2e vlan220   INTERFACE LOCAL     _         up
10.11.22.10     00.00.00.00.00.00 vlan220   RSERVER    -       * 2 req     dn
10.11.22.11     00.00.00.00.00.00 vlan220   RSERVER    -       * 2 req     dn
================================================================================

I can't get the real servers up and running at the moment

Gilles Dufour · ‎10-14-2010

10.11.22.10 00.00.00.00.00.00 vlan220 RSERVER - * 2 req dn
10.11.22.11 00.00.00.00.00.00 vlan220 RSERVER - * 2 req dn

Your rserver are not responding to arp request.

Make sure you have your cable correctly connected.

Check vlan configuration.

Check arp table on server and see if you have the ace mac-address.

At this point this is not a loadbalancing issue but a simply layer2 connectivity problem.

Follow standard procedure.

Use a sniffer on the server to see if the arp requests are coming in and if a response is sent.

Try to attach your pc in vlan 220 and see if you can the server and ace.

Gilles.