11-10-2009 03:31 AM
Hi,
I want to make sure that a VIP is not PING-able anymore when the primary server farm is down (all servers are down).
For that I have the following configuration :
serverfarm host NCL_FARM_TEST
  probe NCL_PROBE_HTTP
  rserver CHPAUN028 443
    inservice
policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
  description *** Load balancing rule for test in http mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    compress default-method gzip
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
policy-map multi-match VIP_PROD_AND_TEST
  class L4_CLASS_NCL_TEST_HTTP
    loadbalance vip inservice
    loadbalance policy L7_POLICY_NCL_TEST_HTTP
    loadbalance vip icmp-reply active primary-inservice
    nat dynamic 2 vlan 115
    appl-parameter http advanced-options NCL_HTTP_PARAM
While testing this feature, I realized that the VIP is still reachable (PING), even if the server in the farm is in PROBE_FAILED status (for the test, I have only one rserver in the farm).
Here is the server farm status, while PING is still possible :
CH01AC03/P-115-A# sh serverfarm NCL_FARM_TEST detail
serverfarm : NCL_FARM_TEST, type: HOST
total rservers : 1
active rservers: 0
description : *** Test Server Farm ***
state : INACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 27
num times back inservice : 28
total conn-dropcount : 0
Probe(s) :
NCL_PROBE_HTTP, type = HTTP
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: CHPAUN028
10.240.3.128:443 8 PROBE-FAILED 0 609 8
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
In the documentation, regarding the command "vip loadbalance icmp-reply active primary-inservice", it is stated that the ACE should discard ping packets if all servers in the primary server farm are down.
I probably missed something, but what ?
Here is the service-policy status :
Policy-map : VIP_PROD_AND_TEST
Status : ACTIVE
-----------------------------------------
Interface: vlan 1 115
class: L4_CLASS_NCL_TEST_HTTP
nat:
nat dynamic 2 vlan 115
curr conns : 0 , hit count : 56
dropped conns : 0
client pkt count : 809 , client byte count: 231750
server pkt count : 1262 , server byte count: 1375334
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: L7_POLICY_NCL_TEST_HTTP
VIP ICMP Reply : ENABLED-WHEN-PRIMARY-SF-UP
VIP State: INSERVICE
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 56
dropped conns : 0
client pkt count : 809 , client byte count: 231750
server pkt count : 1262 , server byte count: 1375334
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 1052393
bytes_out : 309229
Compression ratio : 70.61%
Parameter-map(s):
NCL_HTTP_PARAM
Thank you for any hints,
Yves Haemmerli
11-10-2009 03:46 AM
Could you get a 'show cfgmgr internal table icmp-vip'?
Thanks.
Gilles.
11-10-2009 04:30 AM
Gilles,
Here is the output of the requested command :
CH01AC03/P-115-A# show cfgmgr internal table icmp-vip
Index Ctx addr mask IfID flags
----------------------------------------------------------------
387 2 10.56.33.103 255.255.255.255 13 VIP up, primary sf up, icmp reply-when-primary-sf-active
1850 2 10.56.33.102 255.255.255.255 8 VIP up, primary sf up, icmp reply-when-primary-sf-active
7065 2 127.1.0.193 255.255.255.0 8 VIP up, primary sf down
13273 2 10.56.33.102 255.255.255.255 13 VIP up, primary sf up, icmp reply-when-primary-sf-active
14424 2 10.56.33.103 255.255.255.255 8 VIP up, primary sf up, icmp reply-when-primary-sf-active
CH01AC03/P-115-A# show serverfarm NCL_FARM_TEST
serverfarm : NCL_FARM_TEST, type: HOST
total rservers : 1
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: CHPAUN028
10.240.3.128:443 8 PROBE-FAILED 0 648 8
Note that the VIP in question is 10.56.33.103
Thank you
Yves
11-10-2009 04:54 AM
Yves,
Seems like the VIP is considered UP for the icmp manager.
Do you have multiple policies using the same class-map but different serverfarms?
Gilles.
11-10-2009 05:12 AM
Gilles,
I have effectively four different policy maps:
- one for PROD when the client arrives with HTTP
- one for PROD when the client arrives with HTTPS
- one for TEST when the client arrives with HTTP
- one for TEST when the client arrives with HTTPS
However, the PROD and the TEST environments use different server farms. I am testing the icmp-reply feature on the TEST environment. In the TEST environment, both Layer-7 policy maps use the same server farm.
Here are the four policy maps:
policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTP
  description *** Load balancing rule for production in http mode ***
  class L7_CLASS_PROD
    serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_PROD_HTTP
policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTPS
  description *** Load balancing rule for production in https mode ***
  class L7_CLASS_PROD
    serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_PROD_HTTPS
policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
  description *** Load balancing rule for test in http mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    compress default-method gzip
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_TEST_HTTP
policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTPS
  description *** Load balancing rule for test in https mode ***
  class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
  class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_TEST_HTTPS
Yves
11-10-2009 06:36 AM
Yves,
Actually, the rule is that all class-maps using the same virtual IP should be configured with the same icmp reply command for the command to work.
Gilles.
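Added example, not part of the thread and not Cisco tooling: a Python check for the rule stated in the reply above, grouping the L4 classes of a multi-match policy by the VIP they match and flagging any VIP whose classes carry different `loadbalance vip icmp-reply` commands. The sample configuration is constructed (the thread never shows the class-map definitions, so the `match virtual-address` lines and the HTTPS/PROD class names are assumptions), and the function names are hypothetical.

```python
import re

# Constructed sample, not the poster's configuration: the thread does not show
# the class-map definitions, so the match lines and extra classes are assumed.
SAMPLE_CONFIG = """\
class-map match-all L4_CLASS_NCL_TEST_HTTP
  2 match virtual-address 10.56.33.103 tcp eq www
class-map match-all L4_CLASS_NCL_TEST_HTTPS
  2 match virtual-address 10.56.33.103 tcp eq https
class-map match-all L4_CLASS_NCL_PROD_HTTP
  2 match virtual-address 10.56.33.102 tcp eq www
policy-map multi-match VIP_PROD_AND_TEST
  class L4_CLASS_NCL_TEST_HTTP
    loadbalance vip icmp-reply active primary-inservice
  class L4_CLASS_NCL_TEST_HTTPS
    loadbalance vip icmp-reply active
  class L4_CLASS_NCL_PROD_HTTP
    loadbalance vip icmp-reply active primary-inservice
"""

def icmp_reply_by_vip(config):
    """Map each VIP to {L4 class name: icmp-reply keywords, or None if absent}."""
    vips, reply = {}, {}  # class-map -> VIP set; multi-match class -> setting
    cmap, cls, in_multi = None, None, False
    for line in (raw.strip() for raw in config.splitlines()):  # indentation-agnostic
        if line.startswith("class-map "):
            cmap, cls, in_multi = line.split()[-1], None, False
        elif line.startswith("policy-map "):
            cmap, cls, in_multi = None, None, line.startswith("policy-map multi-match ")
        elif cmap and (m := re.match(r"(?:\d+\s+)?match virtual-address (\S+)", line)):
            vips.setdefault(cmap, set()).add(m.group(1))
        elif in_multi and line.startswith("class "):
            cls = line.split()[1]
            reply.setdefault(cls, None)
        elif in_multi and cls and line.startswith("loadbalance vip icmp-reply"):
            reply[cls] = line[len("loadbalance vip icmp-reply"):].strip()
    result = {}
    for name, setting in reply.items():
        for vip in vips.get(name, ()):
            result.setdefault(vip, {})[name] = setting
    return result

def inconsistent_vips(config):
    """VIPs whose L4 classes do not all carry the same icmp-reply command."""
    return {vip: classes for vip, classes in icmp_reply_by_vip(config).items()
            if len(set(classes.values())) > 1}

if __name__ == "__main__":
    print(inconsistent_vips(SAMPLE_CONFIG))
```

A class with no icmp-reply line at all is recorded as `None`, so it is also reported when a sibling class on the same VIP has the command.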
11-10-2009 07:13 AM
Gilles,
It is the case, I think. The VIP on which I test the feature is the 10.56.33.103. I have two L4 class-maps for this VIP and, in the multi-match policy, I have the same icmp reply command for each of them.
I sent you the complete configuration via mail.
Yves