Application Delivery (ADX)

Reply
Contributor
Posts: 27
Registered: ‎03-02-2010

VIP not forwarding traffic to Real Servers

Hi

I have a simple setup , a VIP configured for two real servers , but Traffic is not being forwarded to Real Servers by SI.

I was testing remote IP healthcheck to monitor internet links and load balance on Proxy Servers but currently problem is that , SI simply doesnt forward traffic to real servers.

Here is the config:

healthck google icmp
  dest-ip 72.14.234.104

healthck yahoo icmp
  dest-ip 87.248.122.122

healthck proxy11 tcp
  dest-ip 10.5.14.11
  port 3128

healthck proxy21 tcp
  dest-ip 10.5.14.21
  port 3128                                                    

healthck proxy11final boolean
  and google proxy11

healthck proxy21final boolean
  and yahoo proxy21

server real proxy11.abc.com 10.5.14.11
port 3128
port 3128 healthck proxy11final
!
server real proxy21.abc.com 10.5.14.21
port 3128
port 3128 healthck proxy21final

server virtual proxy.abc.com 192.25.0.100
port 3128
bind 3128 proxy11.abc.com 3128 proxy21.abc.com 3128

I am able to ping the VIP from client address but unable to access service for port 3128 on proxy servers.

Real servers are accessible from client address and working prefectly for port 3128

I have checked the routing tables on SI and Real Servers and they seem to be correct

#show server bind

Virtual server: proxy.abc.com         Status: enabled  IP: 192.25.0.100
        3128 -------> proxy11.abc.com: 10.5.14.11,  3128 (Active)
                      proxy21.abc.com: 10.5.14.21,  3128 (Active)

#show server virtual 192.25.0.100
Virtual Servers Info

Name: proxy.abc.com       State: Enabled      IF DWN     IP:192.25.0.100:   1
Pred: round-robin            ACL-Id: 0                  TotalConn: 0
VIP state: healthy

Port    State     Sticky  Concur  Proxy  DSR   CurConn  TotConn  PeakConn 
----    -----     ------  ------  -----  ---   -------  -------  --------

default enabled   NO      NO      NO     NO    0        0        0        
3128    enabled   NO      NO      NO     NO    0        0        0

I am facing this problem on all of the VIPs configured on SI

Thanks in Advance

Brocadian
Posts: 70
Registered: ‎03-14-2009

Re: VIP not forwarding traffic to Real Servers

Hallo Kashif,

as the VIPs are up I think you have to tell us about your L3 setup.

Is the ServerIron connected to both Networks 10.5.14.x and 192.25.0.y directly?

Will the traffic from real servers pass the ServerIron?

Have you configured Source NAT?

Do you use Layer 2 or Layer 3 Code?

Have you configurd TCS?

Thanks

Alex

Contributor
Posts: 27
Registered: ‎03-02-2010

Re: VIP not forwarding traffic to Real Servers

Hi Alex



*as the VIPs are up I think you have to tell us about your L3 setup.

ClientMachine-->Switch-->Firewall-->LBR-->Switch->RealServers

i can see traffic being forwarded by firewall to LBR

*Is the ServerIron connected to both Networks 10.5.14.x and 192.25.0.y directly?

10.5.14.x are realservers are teminated in switch have Virtual interface on LBR... 192.25.0.0 is virtual VIP

*Will the traffic from real servers pass the ServerIron?

Yes it would . real servers have routes for clientmachines towards SI

*Have you configured Source NAT?

No

*Do you use Layer 2 or Layer 3 Code?

how can i check that?

*Have you configurd TCS?

No
Thanks

Alex
Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: VIP not forwarding traffic to Real Servers

Not sure with this one, but under show server virtual I do see 'IF DWN' Interface Down?

Suggest to strip the healtck's and see if the IF DWN goes away,

What SI are you using?

Contributor
Posts: 27
Registered: ‎03-02-2010

Re: VIP not forwarding traffic to Real Servers

Hi

I removed the boolean health check but IF DWN is still there.

however the output for : show server virtual 192.25.0.100 3128 is:::

ame: proxy.abc.com       State: Enabled             IP:192.25.0.100:   1
Pred: round-robin            ACL-Id: 0                  TotalConn: 0

Port    State     Sticky  Concur  Proxy  DSR   CurConn  TotConn  PeakConn 
----    -----     ------  ------  -----  ---   -------  -------  --------

3128    enabled   NO      NO      NO     NO    0        0        0       

Binding Information:
=====================
        3128 -------> proxy11.iacgrp.com: 10.5.14.11,  3128 (remote) (Active)
                      proxy21.iacgrp.com: 10.5.14.21,  3128 (remote) (Active)
proxy11.abc.com: 10.200.14.11
3128    ACT 0  0       0          0         0         0          0          0

proxy21.abc.com: 10.200.14.21
3128    ACT 0  0       0          0         0         0          0          0

ServerIron is ServerIron GT-E

Contributor
Posts: 27
Registered: ‎03-02-2010

Re: VIP not forwarding traffic to Real Servers

this is show version and show flash..

telnet@SI1-alpha(config)#shwo ver
Unrecognized command
telnet@SI1-alpha(config)#show ver
  version                System status
telnet@SI1-alpha(config)#show version
  SW: Version 09.4.00mTD4 Copyright (c) 1996-2003 Foundry Networks, Inc.
      Compiled on May 03 2006 at 21:46:20 labeled as WXR09400m
  HW: ServerIronGT E-1 Router, SYSIF version 21, Serial #: Non-exist
==========================================================================
SL 1: B0GMR WSM6 Management Module, SYSIF 2, M6, ACTIVE
      Serial #:   CH28050059
    0 MB SHM, 1 Application Processors
16384 KB BRAM, SMC version 5, BM version 21
  SW: (1)09.4.00mTF2
==========================================================================
SL 2: J-BxG2 JetCore Gig Fiber Module, SYSIF 2 (Mini GBIC)
      Serial #:   CX11050265
4096 KB BRAM, JetCore ASIC IGC version 49, BIA version 8a
32768 KB PRAM and 2M-Bit*1 CAM for IGC  4, version 0449
==========================================================================
SL 3: J-BxG16 JetCore Gig Fiber Module, SYSIF 2 (Mini GBIC)
      Serial #:   CH35050234
4096 KB BRAM, JetCore ASIC IGC version 49, BIA version 8a
32768 KB PRAM and 2M-Bit*1 CAM for IGC  8, version 0449
32768 KB PRAM and 2M-Bit*1 CAM for IGC  9, version 0449
32768 KB PRAM and 2M-Bit*1 CAM for IGC 10, version 0449
32768 KB PRAM and 2M-Bit*1 CAM for IGC 11, version 0449
==========================================================================
Active management module:                                        
  1.0 GHz Power PC processor 750GX (version 7002/0101) 66 MHz bus
  512 KB boot flash memory
16384 KB code flash memory
  512 KB SRAM
  512 MB DRAM
The system uptime is 2 hours 2 minutes 19 seconds
The system : started=warm start   reloaded=by "reload"

telnet@SI1-alpha(config)#show flash
Active management module:
Code Flash Type: AMD 29LV033C, Size: 64 * 65536 = 4194304, Unit: 4
Boot Flash Type: AMD 29LV040B, Size: 8 * 65536 = 524288
Compressed Pri Code size = 4996136, Version 09.4.00mTD4 (WXR09400m.bin)
Compressed Sec Code size = 4996136, Version 09.4.00mTD4 (WXR09400m.bin)
Maximum Code Image Size Supported: 7011840 (0x006afe00)
Boot Image size = 273932, Version 09.04.00 (wsm-b9400.bin)
Used Configuration Flash Size=7143, Max Configuration Flash Size=327680.

WSM module slot 1 CPU 1:
Code Flash Type: AMD 29LV033C, Size: 64 * 65536 = 4194304
Boot Flash Type: AMD 29LV040B, Size: 8 * 65536 = 524288
Compressed Pri Code: size = 1632640 Version 09.4.00mTF2
Compressed Sec Code: size = 1636231 Version 09.4.00mTF2
Maximum Code Image Size Supported: 2096640 (0x001ffe00)
Boot Image size = 57444 Version 07.06.54 (wsp-b54.bin)
Maximum Boot Image Size Supported: 458752 (0x00070000)

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: VIP not forwarding traffic to Real Servers

Sorry,

-->   I removed the boolean health check but IF DWN is still there.

But from you output of 'show server virutal' it is gone (A good thing)

ok check your firewall and see if the healthchecks are taking place (moniter traffic from the VIP passing thought the firewall to google).

Brocadian
Posts: 70
Registered: ‎03-14-2009

Re: VIP not forwarding traffic to Real Servers

HI Kashif,

you are using L3 code.

The "IF DOWN" can be a reason for a non exsting IP Interface where the VIPs are in.

Can be solved via loopback interface

int lo1

ip add 192.25.0.x/y

Can you provide a "show ip int"?

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: VIP not forwarding traffic to Real Servers

Or please show a 'show run' so we can see the full config.

Contributor
Posts: 27
Registered: ‎03-02-2010

Re: VIP not forwarding traffic to Real Servers

telnet@SI(config)#show run
  running-config         Current running-config
telnet@SI1-alpha(config)#show running-config
!Building configuration...
!Current configuration : 7140 bytes
!
ver 09.4.00mTD4
!
module 1 bi-0-port-wsm6-management-module
module 2 bi-jc-2-port-gig-module
module 3 bi-jc-16-port-gig-fiber-module
!
global-protocol-vlan
!
!
healthck google icmp
  dest-ip 72.14.234.104

healthck yahoo icmp
  dest-ip 87.248.122.122

healthck proxy11 tcp
  dest-ip 10.5.14.11
  port 3128

healthck proxy21 tcp
  dest-ip 10.5.14.21                                         
  port 3128

healthck proxy11final boolean
  and google proxy11

healthck proxy21final boolean
  and yahoo proxy21

!
!
!
!
!
!
!
server session-limit 50000
server session-id-age 240
server predictor round-robin
server tcp-age 60

server port 3389
tcp keepalive 10 4
                                                               
server port 80
tcp keepalive 30 1

server port 8080
tcp keepalive 120 3

server port 389
tcp keepalive 120 5

server port 636
tcp keepalive 120 5

server port 123
tcp keepalive 10 4

server port 139
tcp keepalive 120 5

server port 445
tcp keepalive 120 5

server port 3268
tcp keepalive 120 5                                          

server port 137
udp

server port 138
udp

server port 3128
tcp keepalive 30 2

!
!
!
!
!
!
!
server real dmz-dns11 10.5.103.11
port dns
!
server real MS-ad11 10.5.12.11
port ldap
port dns                                                      
port ntp
port 137
port 138
port 139
port 445
port 3268
port ldaps
port 3389
!
server real proxy11.abc.com 10.5.14.11
port 3128
!
server real proxy21.abc.com 10.5.14.21
port 3128
!
!
server virtual MS-AD-vip 192.25.0.11
port ldap
port dns
port ntp
port 137
port 138
port 139                                                      
port 445
port 3268
port ldaps
bind ldap MS-ad11 ldap
bind dns MS-ad11 dns
bind ntp MS-ad11 ntp
bind 137 MS-ad11 137
bind 138 MS-ad11 138
bind 139 MS-ad11 139
bind 445 MS-ad11 445
bind 3268 MS-ad11 3268
bind ldaps MS-ad11 ldaps
!
server virtual MS-msapp-vip 192.25.0.13
port 3389
bind 3389 MS-ad11 3389
!
server virtual vip15 192.25.0.15
!
server virtual vip21 192.25.0.21
!
server virtual vip23 192.25.0.23
!                                                              
server virtual vip25 192.25.0.25
!
server virtual vip31 192.25.0.31
!
server virtual vip33 192.25.0.33
!
server virtual vip35 192.25.0.35
!
server virtual vip41 192.25.0.41
!
server virtual vip43 192.25.0.43
!
server virtual vip45 192.25.0.45
!
server virtual vip51 192.25.0.51
!
server virtual vip53 192.25.0.53
!
server virtual vip55 192.25.0.55
!
server virtual DMZ-dns-vip 192.25.0.103
port dns
bind dns dmz-dns11 dns                                        
!
server virtual vip101 192.25.0.101
!
server virtual proxy.abc.com 192.25.0.100
port 3128
bind 3128 proxy11.abc.com 3128 proxy21.abc.com 3128
!


!
!
!

!
vlan 1 name DEFAULT-VLAN by port
!
vlan 5 name "AppServers" by port                         
tagged ethe 3/1
router-interface ve 5
!
vlan 210 name "DNS " by port
tagged ethe 3/1
router-interface ve 210
!
vlan 211 name "Antivirus Servers" by port
tagged ethe 3/1
router-interface ve 211
!
vlan 212 name "NTP" by port
tagged ethe 3/1
router-interface ve 212
!
vlan 213 name "Gaming Servers" by port
tagged ethe 3/1
router-interface ve 213
!
vlan 214 name "Bluecoat Cache" by port
tagged ethe 3/1
router-interface ve 214
!                                                              
vlan 215 name ABC by port
tagged ethe 3/1
router-interface ve 215
!
vlan 216 name "Antispam" by port
tagged ethe 3/1
router-interface ve 216
!
vlan 217 name "H Servers" by port
tagged ethe 3/1
router-interface ve 217
!
vlan 218 name "Video " by port
tagged ethe 3/1
router-interface ve 218
!
vlan 219 name "Linux " by port
tagged ethe 3/1
router-interface ve 219
!
vlan 220 name "Project " by port
tagged ethe 3/1
router-interface ve 220                                       
!
vlan 221 name "Database " by port
tagged ethe 3/1
router-interface ve 221
!
vlan 222 name SAN by port
tagged ethe 3/1
router-interface ve 222
!
vlan 2 name Management by port
untagged ethe 3/2
router-interface ve 2
!
vlan 502 name " Msapp" by port
tagged ethe 3/3
router-interface ve 25
!
vlan 506 name Portal by port
tagged ethe 3/3
router-interface ve 26
!
vlan 507 name JD by port
tagged ethe 3/3                                               
router-interface ve 27
!
vlan 510 name SAN by port
tagged ethe 3/3
router-interface ve 28
!
vlan 505 name VDC by port
tagged ethe 3/3
router-interface ve 29
!
vlan 103 name DMZ by port
tagged ethe 3/4
router-interface ve 103
!
vlan 223 name "SS" by port
tagged ethe 3/1
router-interface ve 223
!
vlan 281 name "DAS by port
tagged ethe 3/1
router-interface ve 30
!
vlan 224 name IMS by port                                      
tagged ethe 3/1
router-interface ve 224
!
vlan 225 by port
tagged ethe 3/1
router-interface ve 225
!
vlan 226 by port
tagged ethe 3/1
router-interface ve 226
!
vlan 227 by port
tagged ethe 3/1
router-interface ve 227
!
vlan 228 by port
tagged ethe 3/1
router-interface ve 228
!
vlan 229 by port
tagged ethe 3/1
router-interface ve 229
!                                                              
vlan 230 by port
tagged ethe 3/1
router-interface ve 230
!
vlan 102 name WebServer by port
tagged ethe 3/4
router-interface ve 102
!
!
aaa authentication enable default local radius
enable super-user-password .....
hostname SI1-alpha
ip route 0.0.0.0 0.0.0.0 10.5.0.254
ip route 87.248.122.122 255.255.255.255 10.5.0.253
!
username #### password .....
username root password .....
username ### password .....
password-change any
!
!
interface ve 2
ip address 10.5.0.1 255.255.255.0                           
!
interface ve 25
ip address 10.10.2.254 255.255.255.0
!
interface ve 26
ip address 10.10.6.254 255.255.255.0
!
interface ve 27
ip address 10.10.7.254 255.255.255.0
!
interface ve 28
ip address 10.10.10.254 255.255.255.0
!
interface ve 29
ip address 10.0.5.254 255.255.255.0
!
interface ve 30
ip address 10.5.81.254 255.255.255.0
!
interface ve 102
ip address 10.5.102.254 255.255.255.0
!
interface ve 103                                               
ip address 10.5.103.254 255.255.255.0
!
interface ve 5
ip address 10.5.0.254 255.255.255.0
!
interface ve 210
ip address 10.5.10.254 255.255.255.0
!
interface ve 211
ip address 10.5.11.254 255.255.255.0
!
interface ve 212
ip address 10.5.12.254 255.255.255.0
!
interface ve 213
ip address 10.5.13.254 255.255.255.0
!
interface ve 214
ip address 10.5.14.254 255.255.255.0
!
interface ve 215
ip address 10.5.15.254 255.255.255.0
!                                                              
interface ve 216
ip address 10.5.16.254 255.255.255.0
!
interface ve 217
ip address 10.5.17.254 255.255.255.0
!
interface ve 218
ip address 10.5.18.254 255.255.255.0
!
interface ve 219
ip address 10.5.19.254 255.255.255.0
!
interface ve 220
ip address 10.5.20.254 255.255.255.0
!
interface ve 221
ip address 10.5.21.254 255.255.255.0
!
interface ve 222
ip address 10.5.22.254 255.255.255.0
!
interface ve 223
ip address 10.5.23.254 255.255.255.0                        
!
interface ve 224
ip address 10.5.24.254 255.255.255.0
!
interface ve 225
ip address 10.5.25.254 255.255.255.0
!
interface ve 226
ip address 10.5.26.254 255.255.255.0
!
interface ve 227
ip address 10.5.27.254 255.255.255.0
!
interface ve 228
ip address 10.5.28.254 255.255.255.0
!
interface ve 229
ip address 10.5.29.254 255.255.255.0
!
interface ve 230
ip address 10.5.30.254 255.255.255.0
!
!                                                              
!
!
!
end

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.

vADC is now Pulse Secure
Download FREE NVMe eBook