[f-nsp] ServerIronXL and Layer7 switching issue

Youssef Ghorbal youssef.ghorbal at netplus.fr
Fri Aug 11 05:46:50 EDT 2006


Hello,

	I set up a lab that is the exact image of my production environment.

	The configuration is like this (Layer 2 view)
									
							  Real Servers.
									|	
									|		
	Cisco 2600 (router) ----- Cisco Ethernet Switch ---- ServerIronXL
									|
									|
								Test Client

	The IP configuration is this way :
	
	* 172.16.0.0/24 the "Admin" VLAN (TAG 200)
	* 192.168.0.0/24 the Servers laid on two VLANs in order to force  
the packets to flow through the ServerIron.
		VLAN 100 : between the Cisco Router and the ServerIron.
		VLAN 400 : between the ServerIron and the Real server.
		(I know it's better to attach the Real servers to the ServerIron  
directly but there are other network considerations that force this  
configuration)
	* 10.1.1.0/24 : the client VLAN (300)

	A packet flow from the client to a real server is like this :

	Client --- Switch --- Cisco Router --- Switch --- ServerIron ---  
Switch --- Real Server.
	Real Server --- Switch --- ServerIron --- Switch --- Cisco Router  
--- Switch --- Client.

	- All VLAN tagging is on the Switch.
	- The connectivity between all equipment is tested and approved.
	- A simple Round Robin between the 2 real servers works perfectly.

	Now, I want Cookie-Switching or Cookie-Hashing enabled on the  
ServerIron, so here is the configuration :

	-------------------------
	!
	ver 07.5.00T12
	!
	!
	server session-limit 300000
	server max-url-switch 80000
	server predictor least-conn
	server icmp-message
	!
	!
	server real TEST-1 192.168.0.1
	port http
	port http keepalive
	port http url "HEAD /verif.html"
	!
	server real TEST-2 192.168.0.2
	port http
	port http keepalive
	port http url "HEAD /verif.html"
	!
	!
	server virtual TEST 192.168.0.100
	predictor round-robin
	port http
	port http cookie-hashing
	bind http TEST-1 http TEST-2 http
	!
	vlan 1 name DEFAULT-VLAN by port
	no spanning-tree
	!
	enable super-user-password .....
	hostname slbO1
	ip address 172.16.0.1 255.255.255.0
	ip default-gateway 172.16.0.254
	logging console
	!
	end
	------------------------------

	In this configuration, when I type something like "curl -i -b  
MyVar=1050 http://192.168.0.100/verif.html" on the Test Client I have  
this error message "curl: (52) Empty reply from server". Even if I  
use a conventional navigator on the Test Client I have the HTTP  
session terminated by server message.

	I tcpdumped on the client side, and here's what I get :

	----------------
	11:29:10.305361 IP 10.1.1.1.51013 > 192.168.0.100.80: S 2689860319:2689860319(0) win 65535
	11:29:10.309656 IP 192.168.0.100.80 > 10.1.1.1.51013: S 14654059:14654059(0) ack 2689860320 win 8000 <mss 1460>
	11:29:10.309762 IP 10.1.1.1.51013 > 192.168.0.100.80: . ack 1 win 65535
	11:29:10.310008 IP 10.1.1.1.51013 > 192.168.0.100.80: P 1:194(193) ack 1 win 65535
	11:29:10.314478 IP 192.168.0.100.80 > 10.1.1.1.51013: R 14654060:14654060(0) win 0
	11:29:10.314722 IP 192.168.0.100.80 > 10.1.1.1.51013: R 14654060:14654060(0) win 0
	-----------------

	The most important thing here is the two last Reset packets, which  
are normally sent when any real server is up (to terminate the http  
session)... which is not the case here because the health check shows them  
up... this is gonna drive me crazy...anyway...


	Conclusion :
		- When I activate cookie-hashing the ServerIron seems to not see  
the real servers anymore... I have the same symptoms with  
Cookie-switching (all I have to do is to set Real servers IDs and the cookie  
name on the Virtual server)

		- Is it possible to have more debug messages on the ServerIron,  
especially relating to L7 switching... something like a trace or  
something...which lets me see why it decides to close the client http  
session...

Thank you all
Regards,
Youssef
--------------------------------
On 8 Aug 06, at 18:37, Alex Blauvelt wrote:

> We do cookie switching here, so I can help you with that.  I'm not  
> sure about cookie-hashing though.
>
> You need to set up server-ids on your real servers that correspond  
> to a value in the cookie.  Then on the virtual server you need to  
> define the cookie-name to switch on.   I'm not sure about  
> cookie-hashing, but I imagine you would need something similar.  You need  
> to tell the switch what cookie to work with.
>
> For example:
>
> server virtual vs1
>  port http
>  port http cookie-name "SomeCookie"
>  port http cookie-switching
>  bind http rs1 http rs2 http
>
> server real rs1
>  port http
>  port http server-id 1000
>
> server real rs2
>  port http
>  port http server-id 1001
>
>
> Where 1000 and 1001 are values that real servers set in 'SomeCookie'
>
>
> On Aug 4, 2006, at 2:10 PM, Youssef Ghorbal wrote:
>
>> Hello,
>>
>> 	I'm trying to set up cookie hashing on a ServerIronXL switch
>> ( Version 07.5.00T12)
>> 	I followed the Foundry documentation but I can't get it to work. When I
>> activate cookie hashing I have a connection timeout :
>>
>> 	$ lynx http://vip.mydomain.com
>> 	Looking up vip.mydomain.com	
>> 	Making HTTP connection to vip.mydomain.com
>> 	Alert!: Unable to connect to remote host.
>> 	
>> 	lynx: Can't access startfile http://vip.mydomain.com/
>>
>> 	Here is what I've done :
>>
>> 	1) allocation of layer7 memory slots
>>
>> 	slb> conf t
>> 	slb> server max-url-switch 80000
>> 	slb> server session-limit 200000
>> 	slb> write mem
>> 	slb> reload
>>
>> 	2) servers configuration:
>>
>> 	slb> server real TEST-1 192.168.174.19
>>   	slb> port http
>>   	slb> port http url "HEAD /verif.html"
>> 	slb>!
>> 	slb> server real TEST-2 192.168.174.20
>>   	slb> port http
>>   	slb> port http url "HEAD /verif.html"
>>   	slb> !
>> 	slb> server virtual TEST 212.19.174.117
>> 	slb> predictor round-robin
>> 	slb> port http cookie-hashing
>>   	slb> bind http TEST-1 http
>> 	slb> bind http TEST-2 http
>> 	slb>!
>>
>> 	3) Global configuration:
>>
>> 	slb> conf t
>> 	slb> server l4-check
>>
>> 	After that (as said in the documentation) everything should be okay...
>> but it's not my case...
>> 	I tested a different Layer7 switching technique (Cookie-switching) but I
>> have the same result, a "pretty timeout".
>> 	
>> 	The Switch restarts responding after a
>> "no port http cookie-hashing"... and traffic is perfectly flowing for the two real  
>> servers...
>> 	
>> What am I missing?
>>
>> Regards,
>>
>> Youssef GHORABAL
>> Netplus Communication.
>> _______________________________________________
>> foundry-nsp mailing list
>> foundry-nsp at puck.nether.net
>> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
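
Added example (not part of the original thread): a small Python parser for the client-side tcpdump output in the message above, classifying at which stage of the connection the VIP resets the client. The `diagnose` helper and its stage names are assumptions made for this illustration.

```python
import re

# Trace copied from the message above, with the wrapped lines rejoined.
TRACE = """\
11:29:10.305361 IP 10.1.1.1.51013 > 192.168.0.100.80: S 2689860319:2689860319(0) win 65535
11:29:10.309656 IP 192.168.0.100.80 > 10.1.1.1.51013: S 14654059:14654059(0) ack 2689860320 win 8000 <mss 1460>
11:29:10.309762 IP 10.1.1.1.51013 > 192.168.0.100.80: . ack 1 win 65535
11:29:10.310008 IP 10.1.1.1.51013 > 192.168.0.100.80: P 1:194(193) ack 1 win 65535
11:29:10.314478 IP 192.168.0.100.80 > 10.1.1.1.51013: R 14654060:14654060(0) win 0
11:29:10.314722 IP 192.168.0.100.80 > 10.1.1.1.51013: R 14654060:14654060(0) win 0
"""
# Old-style tcpdump line: time, src > dst, flags, optional seq:seq(len), rest.
LINE = re.compile(
    r"^(?P<h>\d+):(?P<m>\d+):(?P<s>[\d.]+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPRWE.]+)(?: \d+:\d+\((?P<len>\d+)\))?(?P<rest>.*)$")

def parse(trace):
    pkts = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a TCP summary line
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        pkts.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                     "flags": m["flags"], "len": int(m["len"] or 0),
                     "ack": " ack " in m["rest"]})
    return pkts

def diagnose(pkts, vip):
    """Classify where in the connection the VIP side resets the client."""
    syn_ack = any(p["src"] == vip and "S" in p["flags"] and p["ack"] for p in pkts)
    req = next((p for p in pkts if p["dst"] == vip and p["len"] > 0), None)
    rsts = [p for p in pkts if p["src"] == vip and "R" in p["flags"]]
    vip_data = sum(p["len"] for p in pkts if p["src"] == vip)
    if not rsts:
        stage = "no-reset"
    elif not syn_ack:
        stage = "reset-before-handshake"           # nothing answered the SYN
    elif req is None or rsts[0]["ts"] < req["ts"]:
        stage = "reset-before-request"
    elif vip_data == 0:
        stage = "reset-after-request-no-response"  # the case in the message
    else:
        stage = "reset-after-response"
    delay = round((rsts[0]["ts"] - req["ts"]) * 1000, 3) if rsts and req else None
    return {"stage": stage, "request_bytes": req["len"] if req else 0,
            "resets": len(rsts), "reset_delay_ms": delay}

if __name__ == "__main__":
    print(diagnose(parse(TRACE), "192.168.0.100.80"))
```

On this trace the VIP completes the handshake, receives the 193-byte request, and resets about 4.5 ms later without sending any data, so the reset follows the request being read rather than a refused connection.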




