[c-nsp] ACE & load-balancing of DNS / ALG / inspection
Ramcharan, Vijay A
vijay.ramcharan at verizonbusiness.com
Fri Jun 19 13:52:57 EDT 2009
Not sure if these are applicable but may be worth looking into. Just a
shot in the dark as I don't have ACEs to test with and I have not run
into this particular problem myself.
I think each feature is mutually exclusive.
UDP booster (high connection rates for UDP) and UDP fast-age (UDP
per-packet load balancing)
http://cco.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1157547
http://cco.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1281598
Vijay Ramcharan
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: June 19, 2009 11:22
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACE & load-balancing of DNS / ALG / inspection
All,
We've recently deployed config on our ACE (blades in 6500s) to provide
resilient DNS.
However, the ACE seems to be doing some kind of DNS inspection, and is
(incorrectly I think) closing the SLB session the instant a DNS answer
comes back. This causes problems with clients that make 2 lookups very
quickly, from the same source port.
i.e. I am seeing:
client sport=5000 dport=53 query id=2346 hostname A
client sport=5000 dport=53 query id=4646 hostname AAAA
server dport=5000 sport=53 reply id=2346 A=192.168.x.y
...and that's it. The 2nd reply is dropped. If the client makes the
queries "slowly" they work fine:
client sport=5000 dport=53 query id=2346 hostname A
server dport=5000 sport=53 reply id=2346 A=192.168.x.y
client sport=5000 dport=53 query id=4646 hostname AAAA
server dport=5000 sport=53 reply id=4646 AAAA=...
Our old DNS servers (via static anycast routes) and a different service
(via eBGP multipath anycast) don't exhibit the problem, so I'm certain
it's the ACE.
FYI, this causes problems with the glibc changes present in 2.10 &
Fedora 11 - the glibc always tries two queries in quick succession for A
and AAAA records, and the timeouts can destroy kerberos/ldap logins...
I'm aware of the "inspect" commands, but they're off by default and I
can't "no inspect"; it tells me it's already turned off.
Does anyone know if and how I can persuade the ACE to stop being so
"clever" and just treat the DNS as "plain old UDP"?
version info is:
Software
loader: Version 12.2[120]
system: Version A2(1.1) [build 3.0(0)A2(1.1) adbuild_00:25:02-2008/06/05_/auto/adbu-rel3/rel_a2_1_1_throttle/REL_3_0_0_A2_1_1]
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_1.bin
installed license: ACE-08G-LIC ACE-SEC-LIC-K9
...and the config we're using is:
serverfarm host RECURSIVE-DNS
  transparent
  predictor leastconns
  probe TCP_53
  rserver xxx 53
    inservice
  rserver yyy 53
    inservice
  rserver www 53
    inservice
  rserver zzz 53
    inservice

class-map match-any VIP_SPONCON-DNS
  2 match virtual-address 192.168.a.b udp eq domain
  3 match virtual-address 192.168.a.b tcp eq domain

policy-map type loadbalance first-match SLB_RECURSIVE-DNS
  class class-default
    serverfarm RECURSIVE-DNS

policy-map multi-match VIPS_VLANxx
  !.. various config, then
  class VIP_SPONCON-DNS
    loadbalance vip inservice
    loadbalance policy SLB_RECURSIVE-DNS
    loadbalance vip icmp-reply
    loadbalance vip advertise
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
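As an added illustration (not part of either post), a small Python script that replays a packet trace in the shape Phil quoted and flags queries that were issued while an earlier query on the same client source port was still unanswered and then never got a reply, which is exactly the symptom of a load balancer tearing down the UDP flow on the first answer. The trace lines are constructed to mirror the two cases in the post.

```python
import re
from collections import defaultdict

# Constructed sample traces in the same shape as the lines quoted in the post.
# FAST_TRACE: two queries from source port 5000 go out back-to-back and only
# the first reply ever comes back. SLOW_TRACE: the queries are serialised and
# both replies arrive.
FAST_TRACE = """\
client sport=5000 dport=53 query id=2346 hostname A
client sport=5000 dport=53 query id=4646 hostname AAAA
server dport=5000 sport=53 reply id=2346 A=192.168.x.y
"""

SLOW_TRACE = """\
client sport=5000 dport=53 query id=2346 hostname A
server dport=5000 sport=53 reply id=2346 A=192.168.x.y
client sport=5000 dport=53 query id=4646 hostname AAAA
server dport=5000 sport=53 reply id=4646 AAAA=...
"""

QUERY_RE = re.compile(r"^client sport=(\d+) dport=53 query id=(\d+)")
REPLY_RE = re.compile(r"^server dport=(\d+) sport=53 reply id=(\d+)")


def unanswered_queries(trace):
    """Return (client_port, query_id) pairs that were sent while another
    query on the same client port was still open and never received a
    reply. An empty list means every overlapping query was answered."""
    outstanding = defaultdict(list)   # client port -> open query ids
    suspect = []                      # ids sent while another was open
    for line in trace.splitlines():
        m = QUERY_RE.match(line)
        if m:
            port, qid = int(m.group(1)), int(m.group(2))
            if outstanding[port]:
                suspect.append((port, qid))
            outstanding[port].append(qid)
            continue
        m = REPLY_RE.match(line)
        if m:
            port, qid = int(m.group(1)), int(m.group(2))
            if qid in outstanding[port]:
                outstanding[port].remove(qid)
    # Whatever is still open at the end of the trace was never answered.
    return [(p, q) for (p, q) in suspect if q in outstanding[p]]
```

Running it over a real capture (one query/reply per line in this format) gives a quick yes/no on whether overlapping same-port lookups are losing their second answer.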