[f-nsp] ServerIronXL and Layer7 switching issue

Alex Blauvelt blauvelta at gmail.com
Mon Aug 14 22:44:31 EDT 2006


It looks like you're missing your 'server router-ports' command.
Add a 'server router-ports #' where # is the port number that
connects the SIXL to the Cisco ethernet switch.  If you have more
than one link between the SIXL and the other switch, make sure you
have both listed.  You should _always_ have a router-ports command in
your config of an SIXL.

Sometimes the switch will work without the line(s) in the config, but  
the results are not always consistent.    We've seen switches run  
fine without it for years, then one day stop working for no apparent  
reason.  Once the line gets added to the config, the L4 functions  
start working again.

-Alex


On Aug 11, 2006, at 4:46 AM, Youssef Ghorbal wrote:

> Hello,
>
> 	I set up a lab that is the exact image of my production environment.
>
> 	the configuration is like this (Layer 2 view)
> 									
> 							  Real Servers.
> 									|	
> 									|		
> 	Cisco 2600 (router) ----- Cisco Ethernet Switch ---- ServerIronXL
> 									|
> 									|
> 								Test Client
>
> 	The IP configuration is this way :
> 	
> 	* 172.16.0.0/24 the "Admin" VLAN (TAG 200)
> 	* 192.168.0.0/24 the Servers laid on two VLANS in order to force
> the packets to flow through the serverIron.
> 		VLAN 100 : between the Cisco Router and the ServerIron.
> 		VLAN 400 : between the ServerIron and the Real server.
> 		(I know it's better to attach the Real servers to the ServerIron
> directly but there are other network considerations that force this
> configuration)
> 	* 10.1.1.0/24 : the client VLAN (300)
>
> 	A packet flow from the client to a real server is like this :
>
> 	Client --- Switch --- Cisco Router --- Switch --- ServerIron ---  
> Switch --- Real Server.
> 	Real Server --- Switch --- ServerIron --- Switch --- Cisco Router  
> --- Switch --- Client.
>
> 	- All Vlan tagging is on the Switch.
> 	- The connectivity between all equipment is tested and approved.
> 	- A simple Round Robin between the 2 real servers works perfectly.
>
> 	Now, I want Cookie-Switching or Cookie-Hashing enabled on the  
> ServerIron, so here is the configuration :
>
> 	-------------------------
> 	!
> 	ver 07.5.00T12
> 	!
> 	!
> 	server session-limit 300000
> 	server max-url-switch 80000
> 	server predictor least-conn
> 	server icmp-message
> 	!
> 	!
> 	server real TEST-1 192.168.0.1
> 	port http
> 	port http keepalive
> 	port http url "HEAD /verif.html"
> 	!
> 	server real TEST-2 192.168.0.2
> 	port http
> 	port http keepalive
> 	port http url "HEAD /verif.html"
> 	!
> 	!
> 	server virtual TEST 192.168.0.100
> 	predictor round-robin
> 	port http
> 	port http cookie-hashing
> 	bind http TEST-1 http TEST-2 http
> 	!
> 	vlan 1 name DEFAULT-VLAN by port
> 	no spanning-tree
> 	!
> 	enable super-user-password .....
> 	hostname slbO1
> 	ip address 172.16.0.1 255.255.255.0
> 	ip default-gateway 172.16.0.254
> 	logging console
> 	!
> 	end
> 	------------------------------
>
> 	In this configuration, when I type something like "curl -i -b
> MyVar=1050 http://192.168.0.100/verif.html" on the Test Client I
> have this error message "curl: (52) Empty reply from server". Even
> if I use a conventional navigator on the Test Client I have the
> HTTP session terminated by server message.
>
> 	I tcpdumped on the client side, and here's what I get :
>
> 	----------------
> 	11:29:10.305361 IP 10.1.1.1.51013 > 192.168.0.100.80: S  
> 2689860319:2689860319(0) win 65535
> 	11:29:10.309656 IP 192.168.0.100.80 > 10.1.1.1.51013: S  
> 14654059:14654059(0) ack 2689860320 win 8000 <mss 1460>	
> 	11:29:10.309762 IP 10.1.1.1.51013 > 192.168.0.100.80: . ack 1 win  
> 65535
> 	11:29:10.310008 IP 10.1.1.1.51013 > 192.168.0.100.80: P 1:194(193)  
> ack 1 win 65535
> 	11:29:10.314478 IP 192.168.0.100.80 > 10.1.1.1.51013: R  
> 14654060:14654060(0) win 0
> 	11:29:10.314722 IP 192.168.0.100.80 > 10.1.1.1.51013: R  
> 14654060:14654060(0) win 0
> 	-----------------
>
> 	The most important thing here is the two last Reset packets, which
> are normally sent when any real server is up (to terminate the http
> session)... which is not the case here because the health check shows them
> up... this is going to drive me crazy...anyway...
>
>
> 	Conclusion :
> 		- When I activate cookie-hashing the ServerIron seems to not see
> the real servers anymore... I have the same symptoms with
> Cookie-switching (all I have to do is to set Real servers IDs and the
> cookie name on the Virtual server)
>
> 		- Is it possible to have more debug messages on the serverIron,
> especially relating to l7 switching... something like a trace or
> something...which lets me see why it decides to close the client
> http session...
>
> thank you all
> Regards,
> Youssef
> --------------------------------
> On 8 Aug 06, at 18:37, Alex Blauvelt wrote:
>
>> We do cookie switching here, so I can help you with that.  I'm not  
>> sure about cookie-hashing though.
>>
>> You need to setup server-ids on your real servers that correspond  
>> to a value in the cookie.  Then on the virtual server you need to  
>> define the cookie-name to switch on.   I'm not sure about cookie- 
>> hashing, but I imagine you would need something similar.  You need  
>> to tell the switch what cookie to work with.
>>
>> For example:
>>
>> server virtual vs1
>>  port http
>>  port http cookie-name "SomeCookie"
>>  port http cookie-switching
>>  bind http rs1 http rs2 http
>>
>> server real rs1
>>  port http
>>  port http server-id 1000
>>
>> server real rs2
>>  port http
>>  port http server-id 1001
>>
>>
>> Where 1000 and 1001 are values that real servers set in 'SomeCookie'
>>
>>
>> On Aug 4, 2006, at 2:10 PM, Youssef Ghorbal wrote:
>>
>>> Hello,
>>>
>>> 	I'm trying to set up cookie hashing on a ServerIronXL switch
>>> ( Version 07.5.00T12)
>>> 	I followed the foundry documentation but I can't get it to work.
>>> When I
>>> activate cookie hashing I have a connection timeout :
>>>
>>> 	$ lynx http://vip.mydomain.com
>>> 	Looking up vip.mydomain.com	
>>> 	Making HTTP connection to vip.mydomain.com
>>> 	Alert!: Unable to connect to remote host.
>>> 	
>>> 	lynx: Can't access startfile http://vip.mydomain.com/
>>>
>>> 	here is what I've done :
>>>
>>> 	1) allocation of layer7 memory slots
>>>
>>> 	slb> conf t
>>> 	slb> server max-url-switch 80000
>>> 	slb> server session-limit 200000
>>> 	slb> write mem
>>> 	slb> reload
>>>
>>> 	2) servers configuration:
>>>
>>> 	slb> server real TEST-1 192.168.174.19
>>>   	slb> port http
>>>   	slb> port http url "HEAD /verif.html"
>>> 	slb>!
>>> 	slb> server real TEST-2 192.168.174.20
>>>   	slb> port http
>>>   	slb> port http url "HEAD /verif.html"
>>>   	slb> !
>>> 	slb> server virtual TEST 212.19.174.117
>>> 	slb> predictor round-robin
>>> 	slb> port http cookie-hashing
>>>   	slb> bind http TEST-1 http
>>> 	slb> bind http TEST-2 http
>>> 	slb>!
>>>
>>> 	3) Global configuration:
>>>
>>> 	slb> conf t
>>> 	slb> server l4-check
>>>
>>> 	After that (as said in the documentation) everything should be
>>> okay...
>>> but it's not my case...
>>> 	I tested a different Layer7 switching technique (Cookie-switching) but I
>>> have the same result, a "pretty timeout".
>>> 	
>>> 	The Switch starts responding again after a "no port http
>>> cookie-hashing"... and traffic is perfectly flowing for the two real
>>> servers...
>>> 	
>>> What am I missing ?
>>>
>>> Regards,
>>>
>>> Youssef GHORABAL
>>> Netplus Communication.
>>> _______________________________________________
>>> foundry-nsp mailing list
>>> foundry-nsp at puck.nether.net
>>> http://puck.nether.net/mailman/listinfo/foundry-nsp
>>
>
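
A small audit of the checks raised in this thread, as an added example that is not part of the original posts and not Foundry tooling: it flags a config dump with no 'server router-ports' line, and a cookie-switching virtual server that lacks a cookie-name or whose bound real servers lack a server-id. The function name `audit`, the finding strings and the trimmed `LAB_CONFIG` sample are constructed for illustration.

```python
import re

# Constructed input: SLB-relevant lines of the lab config quoted in the thread.
LAB_CONFIG = """\
server predictor least-conn
!
server real TEST-1 192.168.0.1
 port http
!
server real TEST-2 192.168.0.2
 port http
!
server virtual TEST 192.168.0.100
 port http
 port http cookie-hashing
 bind http TEST-1 http TEST-2 http
!
"""

def audit(config_text):
    """Return a list of findings for a ServerIron-style config dump."""
    router_ports, blocks, current = False, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("", "!"):            # a separator closes the current block
            current = None
        elif line.startswith("server router-ports "):
            router_ports = True
        elif m := re.match(r"server (real|virtual) (\S+)", line):
            current = blocks.setdefault((m.group(1), m.group(2)), [])
        elif current is not None:        # sub-command of a real/virtual server
            current.append(line)
    findings = []
    if not router_ports:
        findings.append("global: no 'server router-ports' line")
    for (kind, name), cmds in blocks.items():
        if kind != "virtual" or "port http cookie-switching" not in cmds:
            continue
        if not any(c.startswith("port http cookie-name ") for c in cmds):
            findings.append(f"virtual {name}: cookie-switching without cookie-name")
        binds = [c for c in cmds if c.startswith("bind http ")]
        # "bind http <real> http <real> http": real names sit at every 2nd token
        for real in (r for c in binds for r in c.split()[2::2]):
            real_cmds = blocks.get(("real", real), [])
            if not any(c.startswith("port http server-id ") for c in real_cmds):
                findings.append(f"real {real}: bound to {name}, no server-id")
    return findings

if __name__ == "__main__":
    for finding in audit(LAB_CONFIG):
        print(finding)
```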




