Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Layer 7 Load Balancing
This article describes how to diagnose and troubleshoot ACE L7 load-balancing issues.
Overview of ACE Layer 7 Load Balancing
Layer 7 server load balancing (SLB) is the process that the load-balancing device uses to decide which server should fulfill a client request for an L7 service. For example, a client request may consist of a HyperText Transport Protocol (HTTP) GET for a web page or a File Transfer Protocol (FTP) GET to download a file. The job of the load balancer is to select the server that can successfully fulfill the client request and do so in the shortest amount of time without overloading either the server or the server farm as a whole.
The ACE supports the load balancing of the following protocols:
- Generic protocols
- Remote Authentication Dial-In User Service (RADIUS)
- Reliable Datagram Protocol (RDP)
- Real-Time Streaming Protocol (RTSP)
- Session Initiation Protocol (SIP)
Depending on the load-balancing algorithm—or predictor—that you configure, the ACE performs a series of checks and calculations to determine which server can best service each client request. The ACE bases server selection on several factors including the source or destination address, cookies, URLs, HTTP headers, or the server with the fewest connections with respect to load.
For detailed information about ACE load balancing, see the Cisco Application Control Engine Module Server Load Balancing Configuration Guide.
The ACE uses the following predictors to select the best server to fulfill a client request:
- Application response—Selects the server with the lowest average response time for the specified response-time measurement based on the current connection count and server weight (if configured).
- Hash address—Selects the server using a hash value based on either the source or destination IP address or both. Use these predictors for firewall load balancing (FWLB). For more information about FWLB, see Configuring Firewall Load Balancing in the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide (Software Version A2(1.0)).
- Hash content—Selects the server using a hash value based on a content string in the Trusted Third Parties (TTP) packet body.
- Hash cookie—Selects the server using a hash value based on a cookie name.
- Hash header—Selects the server using a hash value based on the HTTP header name.
- Hash URL—Selects the server using a hash value based on the requested URL. You can specify a beginning pattern and an ending pattern to match in the URL. Use this predictor method to load balance cache servers.
- Least bandwidth—Selects the server that processed the least amount of network traffic based on the average bandwidth that the server used over a specified number of samples.
- Least connections—Selects the server with the fewest number of active connections based on the server weight. For the least-connections predictor, you can configure a slow-start mechanism to avoid sending a high rate of new connections to servers that you have just put into service.
- Least loaded—Selects the server with the lowest load based on information obtained from Simple Network Management Protocol (SNMP) probes. To use this predictor, you must associate an SNMP probe with it.
- Round-robin—Selects the next server in the list of real servers based on the server weight (weighted round-robin). Servers with a higher weight value receive a higher percentage of the connections. This is the default predictor.
|Note:||The hash predictor methods do not recognize the weight value that you configure for real servers. The ACE uses the weight that you assign to real servers only in the least-connections, application-response, and round-robin predictor methods.|
Classifying L7 Traffic for Server Load Balancing
You classify inbound network traffic destined to or passing through the ACE based on a series of flow match criteria specified by a class map. Each class map defines a traffic classification, which is network traffic that is of interest to you. A policy map defines a series of actions (functions) that you want applied to a set of classified inbound or outbound traffic.
ACE traffic policies support the following server load-balancing (SLB) traffic attributes:
- Layer 3 and Layer 4 connection information—Source or destination IP address, source or destination port, virtual IP address, and IP protocol
- Layer 7 protocol information—Hypertext Transfer Protocol (HTTP) cookie, HTTP URL, HTTP header, Remote Authentication Dial-In User Service (RADIUS), Remote Desktop Protocol (RDP), Real-Time Streaming Protocol (RTSP), Session Initiation Protocol (SIP), and Secure Sockets Layer (SSL)
The three major steps in the traffic classification process are as follows:
- Create a class map using the class-map command and the associated match commands, which comprise a set of match criteria related to Layer 3 and Layer 4 traffic classifications or Layer 7 protocol classifications.
- Create a policy map using the policy-map command, which refers to the class maps and identifies a series of actions to perform based on the traffic match criteria.
- Activate the policy map by associating it with a specific VLAN interface or globally with all VLAN interfaces using the service-policy command to filter the traffic received by the ACE.
Figure 1 provides a basic overview of the process required to build and apply the Layer 3, Layer 4, and Layer 7 policies that the ACE uses for SLB. The figure also shows how to associate the various components of the SLB policy configuration with each other.
- Figure 1. SLB Flow Diagram
Example of a L7 Load-Balancing Configuration
The following example shows a running configuration that includes multiple class maps and policy maps that define a traffic policy for SLB. In this configuration, when a server farm is chosen for a connection, the connection is sent to a real server based on one of several load-balancing predictors. The leastconns predictor method load balances connections to the server that has the lowest number of open connections.
access-list ACL1 line 10 extended permit ip any any probe tcp TCP interval 5 faildetect 2 passdetect interval 10 open 3 parameter-map type http PERSIST-REBALANCE persistence-rebalance <---------------------------- Enabled by default in the ACE appliance. Enabled by default in the ACE module in software version A4(1.0) and later. parameter-map type connection PRED-CONNS-UDP_CONN set timeout inactivity 300 rserver SERVER1 ip address 10.1.0.2 inservice rserver SERVER2 ip address 10.1.0.3 inservice rserver SERVER3 ip address 10.1.0.4 inservice rserver SERVER4 ip address 10.1.0.5 inservice rserver SERVER5 ip address 10.1.0.6 inservice rserver SERVER6 ip address 10.1.0.7 inservice rserver SERVER7 ip address 10.1.0.8 inservice rserver SERVER8 ip address 10.1.0.9 inservice serverfarm host PRED-CONNS predictor leastconns rserver SERVER1 inservice rserver SERVER2 inservice rserver SERVER3 inservice rserver SERVER4 inservice rserver SERVER5 inservice rserver SERVER6 inservice rserver SERVER7 inservice rserver SERVER8 inservice serverfarm host PRED-CONNS-UDP failaction purge predictor leastconns rserver SERVER1 inservice rserver SERVER2 inservice rserver SERVER3 probe ICMP inservice rserver SERVER5 inservice rserver SERVER6 inservice rserver SERVER7 inservice serverfarm host PREDICTOR probe TCP rserver SERVER1 inservice rserver SERVER2 inservice rserver SERVER6 inservice rserver SERVER7 inservice sticky http-cookie COOKIE_TEST STKY-GRP-43 cookie offset 1 length 999 timeout 30 replicate sticky serverfarm PREDICTOR class-map match-all L4PRED-CONNS-UDP-VIP_128:2222_CLASS 2 match virtual-address 192.168.120.128 udp eq 0 class-map match-all L4PRED-CONNS-VIP_128:80_CLASS 2 match virtual-address 192.168.120.128 tcp eq www class-map match-all L4PREDICTOR_117:80_CLASS 2 match virtual-address 192.168.120.117 tcp eq www policy-map type loadbalance first-match L7PLBSF_PRED-CONNS_POLICY class class-default serverfarm PRED-CONNS policy-map type loadbalance first-match L7PLBSF_PRED-CONNS-UDP_POLICY class class-default serverfarm PRED-CONNS-UDP policy-map type loadbalance first-match L7PLBSF_PREDICTOR_POLICY class class-default sticky-serverfarm STKY-GRP-43 policy-map multi-match L4SH-Gold-VIPs_POLICY class L4PREDICTOR_117:80_CLASS loadbalance vip inservice loadbalance policy L7PLBSF_PREDICTOR_POLICY loadbalance vip icmp-reply active nat dynamic 1 vlan 120 appl-parameter http advanced-options PERSIST-REBALANCE class L4PRED-CONNS-VIP_128:80_CLASS loadbalance vip inservice loadbalance policy L7PLBSF_PRED-CONNS_POLICY loadbalance vip icmp-reply active nat dynamic 1 vlan 120 appl-parameter http advanced-options PERSIST-REBALANCE class L4PRED-CONNS-UDP-VIP_128:2222_CLASS loadbalance vip inservice loadbalance policy L7PLBSF_PRED-CONNS-UDP_POLICY loadbalance vip icmp-reply active nat dynamic 1 vlan 120 appl-parameter http advanced-options PERSIST-REBALANCE connection advanced-options PRED-CONNS-UDP_CONN interface vlan 120 description Upstream VLAN_120 - Clients and VIPs ip address 192.168.120.1 255.255.255.0 fragment chain 20 fragment min-mtu 68 access-group input ACL1 nat-pool 1 192.168.120.70 192.168.120.70 netmask 255.255.255.0 pat service-policy input L4SH-Gold-VIPs_POLICY no shutdown ip route 10.1.0.0 255.255.255.0 192.168.120.254
Troubleshooting Layer 7 Load Balancing
To troubleshoot L7 load-balancing issues, use the following steps:
1. Ensure that your load-balancing configuration is correct and that the following conditions exist:
- Real servers have valid IP addresses and are in service
- Servers are associated with server farms of the same type
- L7 load-balancing policy exists with an associated server farm and that the L7 load-balancing policy is associated with a L4 multimatch policy
- An L4 class map contains a valid match virtual-address command and is associated with the L4 multimatch policy map
- The L4 policy is applied to the appropriate active interface using a service policy
- A static route is configured for the server network
Use the following show commands to verify your load-balancing configuration:
- show running-config rserver
- show running-config serverfarm
- show running-config policy-map
- show running-config class-map
- show running-config interface
- show ip route
2. Check the ACE connectivity. See the Troubleshooting Connectivity section.
3. Verify that the L7 load-balancing policy is referenced in the L4 policy by entering the following command. Also, check the following fields:
- VIP address, protocol, and port
- VIP state
- Hit count
- Dropped connections
ACE_module5/Admin# show service-policy L4WEB_POLICY detail Status : ACTIVE Description: - ----------------------------------------- Interface: vlan 100 service-policy: L4WEB_POLICY class: L4WEB_CLASS VIP Address: Protocol: Port: 192.168.120.112 tcp eq 80 <------- VIP address, protocol, and port loadbalance: L7 loadbalance policy: LB_WEB_POLICY <-------L7 load-balancing policy referenced in the L4 multimatch policy VIP Route Metric : 77 VIP Route Advertise : DISABLED VIP ICMP Reply : ENABLED VIP State: INSERVICE <------- VIP state should be INSERVICE curr conns : 0 , hit count : 56 dropped conns : 14 <------- Number of attempted connections to this VIP that the ACE discarded client pkt count : 6297 , client byte count: 1047583 server pkt count : 1238 , server byte count: 1325495 L7 Loadbalance policy : LB_WEB_POLICY <------- L7 policy statistics class/match : class-default LB action : serverfarm: SFARM1 hit count : 0 <-------|-- Check these counters to see if they are increasing dropped conns : 0 <-------|
4. Verify that the L4 policy is applied as a service policy to an active interface by entering the following command:
ACE_module5/Admin# show running-config interface Generating configuration.... interface vlan 100 ip address 192.168.120.1 255.255.255.0 access-group input ACL1 access-group output anyone service-policy input L4WEB_POLICY no shutdown . . .
5. Check the total conn-dropcount field for the primary server farm in the output of the following command. Also, check the IP address, state, and the connection statistics for each real server that is configured in the server farm.
ACE_module5/Admin# show serverfarm SFARM1 detail serverfarm : SFARM1, type: HOST total rservers : 3 active rservers: 3 description : - state : ACTIVE <------- Current state of the server farm predictor : ROUNDROBIN <------- Load-balancing method weight : - autoadjust : MAXLOAD failaction : - back-inservice : 40 partial-threshold : 40 num times failover : 0 num times back inservice : 0 total conn-dropcount : 0 <------- Total number of connection attempts to this server farm that the ACE discarded --------------------------------- ----------connections----------- real weight state current total failures ---+---------------------+------+------------+----------+----------+--------- rserver: SERVER1 192.168.252.245:0 10 INSERVICE 0 0 0 <------- Real server IP address, state, and connection statistics max-conns : 4000000 , out-of-rotation count : 0 min-conns : 4000000 conn-rate-limit : - , out-of-rotation count : - bandwidth-rate-limit : - , out-of-rotation count : - retcode out-of-rotation count : - load value : 0 rserver: SERVER2 192.168.252.246:0 20 INSERVICE 0 0 0 max-conns : 4000000 , out-of-rotation count : 0 min-conns : 4000000 conn-rate-limit : - , out-of-rotation count : - bandwidth-rate-limit : - , out-of-rotation count : - retcode out-of-rotation count : - load value : 0 rserver: SERVER3 192.168.252.247:0 30 INSERVICE 0 0 0 max-conns : 4000000 , out-of-rotation count : 0 min-conns : 4000000 conn-rate-limit : - , out-of-rotation count : - bandwidth-rate-limit : - , out-of-rotation count : - retcode out-of-rotation count : - load value : 0
|Note:||The connection failures counter increments only if the ACE attempts to load balance a connection and the ACE does not receive a SYN-ACK from the real server in response to a SYN or if the real server responds to the SYN with a RST.|
6. Check the L7 load-balance statistics by entering the following command:
ACE_module5/Admin# show stats loadbalance +------------------------------------------+ +------- Loadbalance statistics -----------+ +------------------------------------------+ Total version mismatch : 0 Total Layer4 decisions : 0 Total Layer4 rejections : 0 Total Layer7 decisions : 0 Total Layer7 rejections : 0 Total Layer4 LB policy misses : 0 Total Layer7 LB policy misses : 0 Total times rserver was unavailable : 0 Total ACL denied : 0 Total IDMap Lookup Failures : 0
7. If you are having problems with HTTP, check the HTTP statistics and error counters by entering the following command:
ACE_module5/Admin# show stats http +------------------------------------------+ +-------------- HTTP statistics -----------+ +------------------------------------------+ LB parse result msgs sent : 0 , TCP data msgs sent : 0 Inspect parse result msgs : 0 , SSL data msgs sent : 0 sent TCP fin/rst msgs sent : 0 , Bounced fin/rst msgs sent: 0 SSL fin/rst msgs sent : 0 , Unproxy msgs sent : 0 Drain msgs sent : 0 , Particles read : 0 Reuse msgs sent : 0 , HTTP requests : 0 Reproxied requests : 0 , Headers removed : 0 Headers inserted : 0 , HTTP redirects : 0 HTTP chunks : 0 , Pipelined requests : 0 HTTP unproxy conns : 0 , Pipeline flushes : 0 Whitespace appends : 0 , Second pass parsing : 0 Response entries recycled : 0 , Analysis errors : 0 Header insert errors : 0 , Max parselen errors : 0 Static parse errors : 0 , Resource errors : 0 Invalid path errors : 0 , Bad HTTP version errors : 0 Headers rewritten : 0 , Header rewrite errors : 0
8. If you suspect a probe issue, for example, a TCP probe, check the probe statistics and error counters by entering the following command:
ACE_module5/Admin# show stats probe type tcp +------------------------------------------+ +----------- Probe statistics -------------+ +------------------------------------------+ ----- tcp probe ---- Total probes sent : 0 Total send failures : 0 Total probes passed : 0 Total probes failed : 0 Total connect errors : 0 Total conns refused : 0 Total RST received : 0 Total open timeouts : 0 Total receive timeout : 0 Total active sockets : 0
9. Check the parameter map statistics for an HTTP parameter map by entering the following command:
ACE_module5/Admin# show parameter-map HTTP_PMAP Number of parameter-maps : 1 Parameter-map : HTTP_PMAP Type : http server-side connection reuse : disabled case-insensitive parsing : disabled persistence-rebalance : disabled <---------------------------- Enabled by default in the ACE appliance. Enabled by default in the ACE module in software version A4(1.0) and later. header modify per-request : disabled header-maxparse-length : 4096 content-maxparse-length : 4096 parse length-exceed action : drop urlcookie-delimiters : /&#+
10. Clear the L7 load-balancing statistics by entering the following commands:
- clear stats loadbalance [radius | rdp]
- clear service-policy policy_name
- clear stats http
- clear rserver server_name
- clear serverfarm serverfarm_name