Application Delivery (ADX)

Reply
New Contributor
Posts: 2
Registered: ‎12-01-2014

possible bug in virtual server port policy binding with two virtuals sharing common nodes

I have two Virtual Servers configured, essentially identically. I have two Real Servers, each configured with a few ports, and a very generic liveness checking configuration. The same two Real Servers are bound to each

 

I have a Port Policy for http that alters the liveness check URL- essentially, I wanted to understand how policy elements are overridden:

 

server port-policy 192.168.104.179VSP
 port http  
 protocol http
 protocol http url "GET /VSP"
 protocol http status-code 200 203
 retries 3  

 

If I bind this port policy to my first Real Server Port, I see the ADX immediately switch from "HEAD /" to "GET /VSP" requests, so all is well there. If I unbind the policy, it goes immediately back to "HEAD /".

 

If I bind the policy to BOTH vips, I see the policy take effect again immediately. However, if I unbind the policy from the first vip, the requests switch back to "HEAD /" again; the policy is ignored, even though its bound to the second VIP with the same set of nodes.

 

In fact, the only way to get the policy to take effect on the second vip is to unbind the nodes from the first vip. At that point, I see the requests go back to GET /VSP again. Once I've done that, the policy will then be ignored on the first vip, until I unbind the nodes from the second.

 

 Is this a bug? I've also reproduced the same effect when using a distinctly named port policy for each VIP- the issue seems to be that when the virtuals share a common set of real servers, a policy bound to the virtual server port will only take effect if it was the first one the policy was applied to.

 

Version information follows:

 

Copyright (c) 1996-2009 Brocade Communications Systems, Inc.
Boot Version 12.4.00T405 Nov 21 2011 15:10:38 PST label: dob12400
Monitor Version 12.4.00T405 Nov 21 2011 15:10:38 PST label: dob12400
System Version 12.4.00sT403 Oct 21 2014 21:30:45 PDT label: ASR12400s

 

 

Virtuals and Reals:

 

server virtual vip1 192.168.100.179
 description "dont delete this vip" 
 predictor round-robin 
 port http sticky
 port http tcp-only 
 port http reset-on-port-fail
 port ssl
 port ssl tcp-only
 no port ssl sticky
 port ssl reset-on-port-fail
 port dns sticky
 port dns reset-on-port-fail
 bind http web2 http web1 http
 bind ssl web2 ssl web1 ssl
 bind dns web2 dns web1 dns

 

server virtual vip2 192.168.100.181
 description "dont delete this vip"
 predictor round-robin
 port dns sticky
 port dns reset-on-port-fail
 port http sticky
 port http tcp-only
 port http reset-on-port-fail
 port ssl sticky
 port ssl tcp-only
 port ssl reset-on-port-fail
 bind dns web2 dns
 bind http web2 http web1 http
 bind ssl web2 ssl 

 

 

real server web1 is very generic:

 

 

server real web1 192.168.104.179
 port http  
 port http keepalive
 port http url "HEAD /"
 port 8443
 port 8443 keepalive
 port ssl
 port dns
 port dns keepalive
 port dns zone "example.com"
 port dns addr_query "www.example.com"

 

 

as is the port policy I'm testing:

 

 

 

 

 

 

 

 

Contributor
Posts: 74
Registered: ‎08-18-2011

Re: possible bug in virtual server port policy binding with two virtuals sharing common nodes

This is kind of a known limitation. In the configuration where one real server port is bound to more than one virtual server ports (called as multibinding), ADX does healthcheck for only one binding, i.e. the first binding. All other bindings use the result of that healthcheck.

So if the virtual port of the first binding has a healthcheck port policy configured, all the other bindings will use the outcome of healthcheck according to that policy.  

 

There is a work arround available for this kind of configuration. You can configure one dummy port on the real server for each additional binding and then bind that dummy port to additional vip ports using the the real-port command to indicate actual port that we want to use. 

Here is an example for this: 

 

ServerIron(config)# server real rs1
ServerIron(config-rs-rs1)# port 81
ServerIron(config-rs-rs1)# port 8081 <- alias port


ServerIron(config)# server real rs2
ServerIron(config-rs-rs2)# port 82
ServerIron(config-rs-rs2)# port 8082 <- alias port

 

ServerIronADX(config)# server virtual-name-or-ip vs1
ServerIronADX(config-vs-vs1)# port http
ServerIronADX(config-vs-vs1)# bind http rs1 81 rs2 82

 

ServerIronADX(config)# server virtual-name-or-ip vs2
ServerIronADX(config-vs-vs1)# port http
ServerIronADX(config-vs-vs2)# bind http rs1 8081 real-port 81 rs2 8082 real-port 82

 

In this configuration if you have a port policy bound to vip port then it will work as expected. 

 

-Mohit

-Mohit Sahni
New Contributor
Posts: 2
Registered: ‎12-01-2014

Re: possible bug in virtual server port policy binding with two virtuals sharing common nodes

aha, thanks Mohit! We can use that as a workaround if we need to configure such a vip.

 

My concern is that when a technician examines the ADX, if a Port Policy has been added and removed from a Virtual Server Port "A" in the past, the technician may unwittingly add a new Port Policy to Virtual Server Port "B" some time later (perhaps months or years). At this point, even though the device configuration will clearly show that the port policy is bound to the VSP, unless the technician actually looks at the HTTP health tests being conducted, he or she will not know that the port policy cannot take effect until the real servers are unbound and rebound to Virtual Server Port A.

 

I've opened an issue with Brocade to see what our options are. Thanks for the hints!!

 

 

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.