Application Delivery (ADX)

Contributor
steve14
Posts: 21
Registered: ‎07-06-2012

failed to delete port

Hello community,

I have run into the following problem a couple of times and was always only able to resolve it by reloading the load balancer, but I am wondering whether there is some cleaner way around it:

  • I have two units running in HA sym-active mode.
  • Initial config looks like:
lb1
server virtual fe XXX.YYY.ZZZ.139
 sym-priority 100
 sym-active
 port http
 port http keep-alive
 port ssl sticky
 port ssl keep-alive
 bind http fe1 http fe2 http fe3 http fe4 http
 bind http fe5 http
 bind ssl fe1 ssl

server real fe1 192.168.129.140
 source-nat access-list 99
 port http
 port http url "GET /"
 port http content-match mymatch
 port ssl
 port 14139

server real fe2 192.168.129.141
 ! same as fe1
! server real fe3-5 - same as fe1

lb2
server virtual fe XXX.YYY.ZZZ.139
 sym-priority 10
 !rest is same as for lb1

  • Now I want to change the SSL configuration so it is balanced across the whole pool of feX servers and actually change the ssl port on real servers to 14139 (because of the way I run the SSL vhosts on the webservers)
  • from lb1 I do:
lb1 configure
SSH@lb1#conf sync-terminal
SSH@lb1(sync-config)#server virtual fe
SSH@lb1(sync-config-vs-fe)# no bind ssl fe1 ssl
SSH@lb1(sync-config-vs-fe)# bind ssl fe1 14139 fe2 14139 fe3 14139 fe4 14139 fe5 14139
SSH@lb1(sync-config-vs-fe)# show run | beg server virtual fe
server virtual fe XXX.YYY.ZZZ.139
 sym-priority 100
 sym-active
 port http
 port http keep-alive
 port ssl sticky
 port ssl keep-alive
 bind http fe1 http fe2 http fe3 http fe4 http
 bind http fe5 http
 bind ssl fe1 ssl fe1 14139 fe2 14139 fe3 14139
 bind ssl fe4 14139 fe5 14139
! ...

  • so now I realise the original SSL binding has not been removed (there is still the ssl -> fe1 ssl)
  • I then try repeating the procedure but get nowhere
  • Then I start all sorts of attempts, like deleting the port ssl on the real server and deleting all the ssl bindings. I also tried disabling the port ssl on the virtual server, then deleting it, enabling/creating it again... The delete operation, however, is now reporting the following error:
lb1 configure
SSH@lb1(sync-config-vs-fe)#no port ssl
Error: Failed to delete port 443, the port state is 2

  • and the config looks like:
lb1 configure
SSH@lb1(sync-config-vs-fe)#show run | beg server virtual fe
server virtual fe XXX.YYY.ZZZ.139
 sym-priority 100
 sym-active
 port http
 port http keep-alive
 bind http fe1 http fe2 http fe3 http fe4 http
 bind http fe5 http
! ...
  • so there is no ssl binding showing in the config but when I
lb1 status
SSH@lb1(sync-config-vs-fe)#show server virtual fe ssl
Name: fe                     State: Enabled             IP:XXX.YYY.ZZZ.139:   1
Pred: least-conn             ACL-Id: 0                  TotalConn: 0
Sym: group =  1 state =  3 priority = 100 keep =  0
     dyn priority/factor = 100/  0
Activates =    8, Inactive= 9 sym-active = 1
Active-mac: 000c.dba4.0a00
Port    State     Sticky  Concur  Proxy  DSR   CurConn  TotConn  PeakConn
----    -----     ------  ------  -----  ---   -------  -------  --------
ssl     closing   NO      NO      NO     NO    0        618187   111
Bind count for virtual port = 5
Active count for virtual port = 5
SLB state for vport = Healthy
Binding Information:
=====================
        ssl ------->  fe1: 192.168.129.140,  14139 (Active)
                      fe2: 192.168.129.141,  14139 (Active)
                      fe3: 192.168.129.142,  14139 (Active)
                      fe4: 192.168.129.143,  14139 (Active)
                      fe5: 192.168.129.239,  14139 (Active)

  • so it shows it is actually bound as I wanted, but the show running config doesn't reflect it, and the error of the no bind ssl as well as the closing state reported for the ssl port in the output above suggest it is in some inconsistent state, which I have so far only been able to resolve by rebooting.

Is that due to some active sessions on that port? Or how better to do changes like this? Is there any other way to recover from the current state than reloading the device?

thanks a lot,

Steve.

Contributor
msahni
Posts: 28
Registered: ‎08-18-2011

Re: failed to delete port

Hi Steve,

Normally for these kinds of operations it is recommended to disable the port under the real server first and wait till the connections for that port go to zero. A detailed procedure is mentioned in the section "Disabling or deleting VIPs and real ports" in the SLB user guide.

Also if you have H.A., then make sure connections are zero on both the boxes for that particular real server port.

Regards,

Mohit 
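
The wait-for-zero-connections check recommended above, sketched as an added example that is not part of the original thread or of any Brocade tooling: it parses the Port/State/CurConn table in the layout of the `show server virtual fe ssl` output posted earlier and allows the delete only when every HA unit reports zero current connections. The lb2 sample and all function names are constructed for illustration.

```python
# Constructed samples in the layout of the "show server virtual fe ssl"
# output posted above; the lb2 figures are invented for illustration.
LB1_OUTPUT = """\
Port    State     Sticky  Concur  Proxy  DSR   CurConn  TotConn  PeakConn
----    -----     ------  ------  -----  ---   -------  -------  --------
ssl     closing   NO      NO      NO     NO    0        618187   111
"""
LB2_OUTPUT = """\
Port    State     Sticky  Concur  Proxy  DSR   CurConn  TotConn  PeakConn
----    -----     ------  ------  -----  ---   -------  -------  --------
ssl     enabled   NO      NO      NO     NO    37       402211   98
"""

def parse_port_table(text):
    """Return {port: {column: value}} from the Port/State/... table."""
    rows, header = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port" and "CurConn" in fields:
            header = fields
        elif header and not set(line.strip()) <= set("- "):
            if len(fields) != len(header):
                header = None  # first non-matching line ends the table
                continue
            rows[fields[0]] = dict(zip(header, fields))
    return rows

def drained(outputs, port):
    """Map unit name -> True when CurConn for `port` is 0 on that unit."""
    result = {}
    for unit, text in outputs.items():
        row = parse_port_table(text).get(port)
        # A missing row means "unknown", which is not treated as drained.
        result[unit] = row is not None and int(row["CurConn"]) == 0
    return result

def safe_to_delete(outputs, port):
    """Proceed only when every HA unit reports zero current connections."""
    status = drained(outputs, port)
    return bool(status) and all(status.values())

if __name__ == "__main__":
    units = {"lb1": LB1_OUTPUT, "lb2": LB2_OUTPUT}
    print(drained(units, "ssl"), safe_to_delete(units, "ssl"))
```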

Contributor
steve14
Posts: 21
Registered: ‎07-06-2012

Re: failed to delete port

Hi Mohit,

thanks for the method, will follow that next time.

Cheers,

Steve.
